09-23-2009 06:06 PM - edited 03-10-2019 04:42 PM
I have a problem authenticating a remote access VPN with ACS 5.0; it does not work.
When I try with ACS 4.1, the authentication works fine.
I hope someone can help me.
Regards.
09-24-2009 06:45 AM
Hi,
Are we getting any hits on the ACS 5.0? If yes, please let me know.
HTH
Regards,
JK
09-24-2009 07:19 AM
Hi,
Well, I don't see any hits on the ACS 5.0.
Could you tell me what is probably missing?
Thanks, regards.
09-25-2009 06:08 AM
I've got an ACS v5.0.0.8 authing with an ASA 5550 and a VPN 3060, both to LDAP Active Directory v2k3. What VPN are you using? Are you looking to auth to an internal user or something external (LDAP)?
v5 has good monitoring; are you showing any fails?
09-25-2009 06:41 AM
Hello,
I have got ACS V5.0.21 and ASA 5510 with IOS version 8.2.1.
The VPN is IPSec and tries to authenticate with an internal user in ACS.
The trouble I saw: the ASA sends the authentication information to ACS, but ACS does not respond and does not show any hit in the monitoring.
The ACS is in the inside network and the firewall has connectivity with ACS by ping.
Regards.
09-25-2009 07:22 AM
So I would review your setup:
Are you on the latest code? 5.0.0.21.8? We found a bug in 5.0.0.21.0, 5.0.0.21.6, and 5.0.0.21.7 that affected our install.
Is your device set up under "Network Devices and AAA Clients"? Do the shared secrets match? I can't count how many times I have screwed up a shared secret; re-enter it to be safe.
Are there users in your internal identity store? Is the user enabled?
Do you have an access policy for the user? Are there conditions? I would suggest setting all your conditions to "any" for testing to make sure one of your conditions isn't causing the problem. Is the result set to "permit access" or some other policy element? What's the hit count?
I strongly suggest stripping out anything extra like passing attributes or complex conditions (user is in group X from location Y and coming from device Z) for testing. Make sure it's working first, then turn up the complexity.
On the ASA under device management, users/aaa, aaa server groups you should have a RADIUS entry in the "AAA Server Groups". I set the defaults with protocol set to radius. Then below in your "Servers in the Selected Group" you should have the IP addresses of your ACS with interface "inside". Shared secret is here; re-enter it.
You could go one step further and download a RADIUS testing client. I've used Radlogin; it's ok.
e-
09-25-2009 07:58 AM
I see the trouble is probably the code, because I only use ACS V 5.0.21, and I tested with Radlogin and it works fine.
But when I use the VPN it does not work, and the firewall log tells me "AAA Server not found", as if ACS were disconnected.
The internal user is enabled, the access policy is basic (only any), no special condition settings.
The ASA configuration is OK, because I used ACS 4.2 for Windows and the authentication works fine.
I tried the update to V5.0.21.8 with the patch 5-0-0-21-8.tar.gpg, but the process ended with error (1). Is it possible to download the complete image of version 5.0.21.8?
Best Regards.
09-25-2009 08:12 AM
Not sure on that one; when we DL'd the patch we didn't have any problems. If you FTP the file over to ACS, the ACS server is going to want "write" permissions on your FTP server to send the backup over.
09-25-2009 08:27 AM
Well, I will try with FTP, because I used TFTP only.
When I have some result I will tell you.
Thank you.
10-21-2009 05:20 PM
Just an update for anyone else reading this thread, you must transfer the file with FTP as for some reason TFTP doesn't transfer the file correctly and you'll get a chmod error.
This is just my experience.
Hope that helps any people wanting to do this update in future.
09-04-2010 06:14 AM
I have the same problem. I'm using ASA v8.21 and ACS v5.0.0.21, which I'm using as TACACS and RADIUS server. I have no problem with accessing devices via TACACS (except that changing the password on first login doesn't work). The problem is with VPN authentication. I tested RADIUS with Radlogin and PAP is working fine; CHAP goes into timeout, but as far as I know ACS 5.0 doesn't support CHAP.
Here are some logs from ASA:
the end of debug crypto isakmp:
Sep 04 15:01:35 [IKEv1]: Group = radiusACS, Username = user1, IP = X.X.X.X, Error: Unable to remove PeerTblEntry
Sep 04 15:01:35 [IKEv1 DEBUG]: Deleting active auth handle during SA deletion: handle = 1844
debug radius:
Sep 04 2010 15:08:53: %ASA-7-713906: IP = X.X.X.X, Connection landed on tunnel_group radiusACS
...
Sep 04 2010 15:08:53: %ASA-6-713172: Group = radiusACS, IP = X.X.X.X, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
Sep 04 2010 15:08:53: %ASA-7-715046: Group = radiusACS, IP = X.X.X.X, constructing blank hash payload
Sep 04 2010 15:08:53: %ASA-7-715046: Group = radiusACS, IP = X.X.X.X, constructing qm hash payload
Sep 04 2010 15:08:53: %ASA-7-713236: IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=f9163eb8) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72
Sep 04 2010 15:08:53: %ASA-7-713236: IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=f9163eb8) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 86
Sep 04 2010 15:08:53: %ASA-7-715001: Group = radiusACS, IP = X.X.X.X, process_attr(): Enter!
Sep 04 2010 15:08:53: %ASA-7-715001: Group = radiusACS, IP = X.X.X.X, Processing MODE_CFG Reply attributes.
Sep 04 2010 15:08:53: %ASA-7-713906: Group = radiusACS, Username = user1, IP = X.X.X.X, Authentication Failure: Unsupported server type!
Sep 04 2010 15:08:53: %ASA-7-715065: Group = radiusACS, Username = user1, IP = X.X.X.X, IKE TM V6 FSM error history (struct &0xa7b636a8)
Sep 04 2010 15:08:53: %ASA-7-715065: Group = radiusACS, Username = user1, IP = X.X.X.X, IKE AM Responder FSM error history (struct &0xac417310)
Sep 04 2010 15:08:53: %ASA-7-713906: Group = radiusACS, Username = user1, IP = X.X.X.X, IKE SA AM:f7beee8e terminating: flags 0x0105c001, refcnt 0, tuncnt 0
Sep 04 2010 15:08:53: %ASA-7-713906: Group = radiusACS, Username = user1, IP = X.X.X.X, sending delete/delete with reason message
Sep 04 2010 15:08:53: %ASA-7-715046: Group = radiusACS, Username = user1, IP = X.X.X.X, constructing blank hash payload
Sep 04 2010 15:08:53: %ASA-7-715046: Group = radiusACS, Username = user1, IP = X.X.X.X, constructing IKE delete payload
Sep 04 2010 15:08:53: %ASA-7-715046: Group = radiusACS, Username = user1, IP = X.X.X.X, constructing qm hash payload
Sep 04 2010 15:08:53: %ASA-7-713236: IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=e0cd7809) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Sep 04 2010 15:08:53: %ASA-3-713902: Group = radiusACS, Username = user1, IP = X.X.X.X, Removing peer from peer table failed, no match!
Sep 04 2010 15:08:53: %ASA-4-713903: Group = radiusACS, Username = user1, IP = X.X.X.X, Error: Unable to remove PeerTblEntry
Sep 04 2010 15:08:53: %ASA-7-715040: Deleting active auth handle during SA deletion: handle = 1861
Sep 04 2010 15:08:53: %ASA-4-113019: Group = , Username = , IP = 0.0.0.0, Session disconnected. Session Type: , Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown
Regards
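The two posts above both reach for a RADIUS test client (Radlogin) to check the ACS independently of the ASA. As an added example that is not part of this thread, here is a minimal PAP Access-Request client in Python using only the standard library, per RFC 2865: it hides the password with the shared secret, sends one request, and tells apart "server silent" (no AAA client entry or wrong port), "reply not computed with our secret" (shared secret mismatch) and Accept/Reject. Server address, shared secret, user name and NAS IP are assumptions you supply.

```python
import hashlib, os, socket, struct

# RFC 2865 packet codes and attribute types used by a PAP Access-Request
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

def _xor_chain(data, secret, authenticator, decrypt):
    # RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous hidden block);
    # the Request Authenticator plays the role of "previous block" for block one.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + result, (block if decrypt else result)
    return out
def hide_password(password, secret, authenticator):
    return _xor_chain(password + b"\x00" * (-len(password) % 16), secret, authenticator, False)
def reveal_password(hidden, secret, authenticator):
    return _xor_chain(hidden, secret, authenticator, True).rstrip(b"\x00")
def attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(ident, secret, username, password, nas_ip, authenticator=None):
    """Return (packet, request_authenticator) for a PAP Access-Request."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs, authenticator

def response_authenticator(code, ident, attrs, request_authenticator, secret):
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()
def verify_response(packet, secret, request_authenticator):
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    return packet[4:20] == response_authenticator(packet[0], packet[1], packet[20:], request_authenticator, secret)

def probe(server, secret, username, password, nas_ip, timeout=3.0):
    # Send one Access-Request to server:1812 (assumed port) and classify what comes back.
    req, ra = build_access_request(1, secret, username, password, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, (server, 1812))
        try:
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"          # server silent: no AAA-client entry for us, or wrong port
    if not verify_response(resp, secret, ra):
        return "bad-authenticator"    # reply not computed with our shared secret
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(resp[0], "other")
```

Run `probe("ACS_IP", b"SHARED_SECRET", "user1", "password", "ASA_INSIDE_IP")` from a host the ACS lists as an AAA client; a "timeout" with no hit in the ACS monitoring is the same symptom the ASA reported in this thread.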