01-22-2004 06:48 AM - edited 03-10-2019 07:38 AM
Hi,
I've a W2K Server SP3 that is a member server of a domain on which is running ACS 3.2.
I want to use 802.1X on wired/wireless with PEAP, so I've installed as specified in Cisco Docs the certificates on ACS, I've set up the External DB as AD for External database and Unknown user policy, and configured the AAA client.
I've set up the switch for 802.1 with IOS 12.1(19)EA1a with RADIUS and AAA. Telnet via AAA ACS on AD is working fine.
I've set up the PC for PEAP on wired NIC, but when I try to authenticate, the ACS Failed log states:
- External DB account Restriction !!!
and
- NAS duplicated authentication attempt
Checking the ACS auth.log, it states:
AUTH 01/22/2004 14:56:35 I 4678 1540 Attempting authentication for Unknown User 'TEST\USERTEST'
AUTH 01/22/2004 14:56:35 I 0425 1540 AuthenProcessResponse: process response for 'TEST\USERTEST' against TEST AD - ACS
...
AUTH 01/22/2004 14:56:35 I 0425 1540 AuthenProcessResponse: process response for 'TEST\USERTEST' against TEST AD - ACS
...
AUTH 01/22/2004 14:56:35 I 0425 1540 AuthenProcessResponse: process response for 'TEST\USERTEST' against TEST AD - ACS
...
AUTH 01/22/2004 14:56:36 I 0425 1540 AuthenProcessResponse: process response for 'TEST\USERTEST' against TEST AD - ACS
...
AUTH 01/22/2004 14:56:41 E 0417 1540 AuthenProcessResponse: response for invalid session 122 received
...
AUTH 01/22/2004 14:56:46 E 0417 1540 AuthenProcessResponse: response for invalid session 122 received
Any idea would be appreciated
Thanks
Omar
01-29-2004 07:23 AM
You should run v3.2(2) if you are authenticating to the Windows database because of the known issues and bugs in v3.2(1).
01-29-2004 10:35 AM
If you encounter the error message "NAS duplicated authentication attempt" in the Failed-Attempts Log in ACS, the problem may be due to an issue with the installation of the CA certificate on the client (supplicant) PC.
Option 1 Uncheck the "Validate server certificate" box. This will allow all CA certificates to be accepted. The downside is that this will negate the ability of the supplicant to authenticate the AAA server (ACS).
Option 2 Install the CA certificate on the supplicant:
a. Download the CA certificate from the Certificate Server using Base64 encoding.
b. Once the CA certificate is downloaded, right click the file and select "install certificate".
c. Click next
d. Select "Place all certificates in the following store", then click browse
e. Check the box "show physical stores"
f. Expand "trusted root certification authorities", select local computer, and click ok.
g. Click next, FINISH, and click ok for "the import was successful" box.
h. Open network connections on the control panel (click Start -> control panel)
i. EAP type is "Protected EAP", click properties.
j. Under "trusted root certificate" check the box for the appropriate CA.
k. Click OK until finished.
Other causes for this error include the possibility of too short a client timeout.
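A triage helper for the auth.log excerpt in the original question, added here as an example and not part of any post in this thread: it counts the responses ACS processed per user, counts the "response for invalid session" errors per session, and measures the gap between the two, which helps when weighing the client-timeout cause mentioned above. The field layout in the regular expression and the names `triage` and `SAMPLE_LOG` are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# auth.log lines quoted in the question above ("..." separators dropped).
SAMPLE_LOG = r"""
AUTH 01/22/2004 14:56:35 I 4678 1540 Attempting authentication for Unknown User 'TEST\USERTEST'
AUTH 01/22/2004 14:56:35 I 0425 1540 AuthenProcessResponse: process response for 'TEST\USERTEST' against TEST AD - ACS
AUTH 01/22/2004 14:56:35 I 0425 1540 AuthenProcessResponse: process response for 'TEST\USERTEST' against TEST AD - ACS
AUTH 01/22/2004 14:56:35 I 0425 1540 AuthenProcessResponse: process response for 'TEST\USERTEST' against TEST AD - ACS
AUTH 01/22/2004 14:56:36 I 0425 1540 AuthenProcessResponse: process response for 'TEST\USERTEST' against TEST AD - ACS
AUTH 01/22/2004 14:56:41 E 0417 1540 AuthenProcessResponse: response for invalid session 122 received
AUTH 01/22/2004 14:56:46 E 0417 1540 AuthenProcessResponse: response for invalid session 122 received
"""

# Assumed field layout: AUTH <date> <time> <level> <code> <thread> <message>
LINE = re.compile(r"^AUTH (\S+ \S+) ([A-Z]) \d+ \d+ (.*)$")
USER = re.compile(r"process response for '([^']+)'")
STALE = re.compile(r"response for invalid session (\d+) received")


def triage(log_text):
    """Summarise EAP responses per user and replies to sessions ACS rejected."""
    responses = defaultdict(int)  # user -> responses processed
    stale = defaultdict(int)      # session id -> "invalid session" errors
    last_ok = first_stale = None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank lines, "..." separators, unrelated lines
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
        msg = m.group(3)
        if (u := USER.search(msg)):
            responses[u.group(1)] += 1
            last_ok = ts
        elif (s := STALE.search(msg)):
            stale[s.group(1)] += 1
            first_stale = first_stale or ts
    gap = None
    if last_ok and first_stale:
        # Seconds between the last processed response and the first late one.
        gap = (first_stale - last_ok).total_seconds()
    return {"responses": dict(responses), "stale_sessions": dict(stale),
            "gap_seconds": gap}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```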
02-04-2004 09:04 AM
Hi,
Thanks for the answer, I've tried both but no way... the same logging message is still appearing on the failed log of ACS...
I've reinstalled the apps on a W2K Server... but PEAP is still not available... so I've tried EAP-MD5.
Using EAP-MD5 with Account only on the Domain account, the ACS failed log states:
"Auth type not supported by External DB"
but when configuring an account user on the ACS Database, the EAP-MD5 authentication is working with no problem.
It seems something related to my AD setup or to my certificate deployment... Don't you think?