ACS 5.1 failing the first attempt for the user

Ahmad Samir
Level 1

Dear all

I am facing a strange problem with the ACS. I am using 802.1x on my network to authenticate the users. I found that when I connect my network cable and enter my credentials, the authentication fails directly. If I disable my connection, enable it again and apply the same credentials, it works fine. I don't know why the first attempt fails the authentication with (24217 The host is not found in the internal hosts identity store). You can see in the table below that the first attempt failed but the second attempt succeeded for the user (testuser).

Second attempt (succeeded) - Logged At: Dec 6,10 1:31:11.656 PM
  Username: testuser
  MAC Address: 00-12-AE-7A-69-N6
  Access Service: Default Network Access
  Authentication Method: PEAP (EAP-MSCHAPv2)
  Network Device: Dot1x-3560-Switch : 1.2.3.4 : FastEthernet0/8
  ACS Instance: TESTACS

First attempt (failed) - Logged At: Dec 6,10 1:30:43.393 PM
  Username: testuser
  MAC Address: 00-12-AE-7A-69-N6
  Access Service: Default Network Access
  Authentication Method: PEAP
  Network Device: Dot1x-3560-Switch : 1.2.3.4 : FastEthernet0/8
  ACS Instance: TESTACS
  Failure Reason: 24217 The host is not found in the internal hosts identity store.

Please find the attached image for the (Identity Store Sequence)

Any help is appreciated

Thanks in advance,


9 Replies

Nicolas Darchis
Cisco Employee

You'd need to click on the failed attempt to show the details of it so we can figure out the failure reason.

Nicolas

===

Don't forget to rate answers that you find useful

Dear Nicolas

Please find the below logs. The username = samsung and it is configured on the internal users locally on the ACS.

Authentication Summary
Logged At: December 13,2010 9:29:45.346 AM
RADIUS Status: Authentication failed : 24217 The host is not found in the internal hosts identity store.
NAS Failure:
Username: samsung
MAC/IP Address: 00-23-AE-7A-58-A6
Network Device: Dot1x-3560-Switch : 1.2.3.5 : FastEthernet0/5
Access Service: Default Network Access
Identity Store: Internal Users
Authorization Profiles:
CTS Security Group:
Authentication Method: PEAP

Steps
11001  Received RADIUS Access-Request
11017  RADIUS created a new session
Evaluating Service Selection Policy
15004  Matched rule
15012  Selected Access Service - Default Network Access
11507  Extracted EAP-Response/Identity
12300  Prepared EAP-Request proposing PEAP with challenge
12625  Valid EAP-Key-Name attribute received.
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12302  Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318  Successfully negotiated PEAP version 0
12800  Extracted first TLS record; TLS handshake started.
12805  Extracted TLS ClientHello message.
12806  Prepared TLS ServerHello message.
12801  Prepared TLS ChangeCipherSpec message.
12802  Prepared TLS Finished message.
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
12318  Successfully negotiated PEAP version 0
12804  Extracted TLS Finished message.
12816  TLS handshake succeeded.
12311  PEAP session resumed successfully
Evaluating Identity Policy
15006  Matched Default Rule
15013  Selected Identity Store - Internal Users
24432  Looking up user in Active Directory - samsung
24412  User not found in Active Directory
24210  Looking up User in Internal Users IDStore - samsung
24212  Found User in Internal Users IDStore
22037  Authentication Passed
22023  Proceed to attribute retrieval
24432  Looking up user in Active Directory - samsung
24412  User not found in Active Directory
22038  Skipping the next IDStore for attribute retrieval because it is the one we authenticated against
22015  Identity sequence continues to the next IDStore
24209  Looking up Host in Internal Hosts IDStore - samsung
24217  The host is not found in the internal hosts identity store.
22016  Identity sequence completed iterating the IDStores
Evaluating Group Mapping Policy
15006  Matched Default Rule
12312  PEAP fast-reconnect - skipping inner method
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
12308  Client sent Result TLV indicating failure
12307  PEAP authentication failed
11504  Prepared EAP-Failure
11003  Returned RADIUS Access-Reject


Thanks,
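The step list above follows a fixed pattern: a 5-digit step code, then the message, with phase headings such as "Evaluating Identity Policy" carrying no code. The helper below is an added example (not ACS code and not from the poster) that parses such a log and separates the password check (22037 Authentication Passed) from what happened afterwards, so a reader can see at a glance that the reject did not come from the credentials. The step codes are the ones quoted in the thread; the sample log is a constructed excerpt of the post above with the TLS handshake lines omitted, and the verdict wording is my own.

```python
import re
from dataclasses import dataclass

# Assumed line shape for the 'Steps' section of an ACS 5.x attempt report:
# 5-digit step code, whitespace, message. Lines without a code are phase
# headings (e.g. 'Evaluating Identity Policy').
STEP_RE = re.compile(r"^(\d{5})\s+(.*)$")

# Step codes taken from the log quoted in the thread.
AUTH_PASSED = "22037"
ATTRIBUTE_RETRIEVAL = "22023"
CLIENT_FAILURE_TLV = "12308"
NOT_FOUND_CODES = {"24412", "24217"}   # user / host lookups that failed

# Constructed excerpt of the failed attempt quoted above (handshake steps cut).
SAMPLE_LOG = """\
Evaluating Identity Policy
15013  Selected Identity Store - Internal Users
24432  Looking up user in Active Directory - samsung
24412  User not found in Active Directory
24210  Looking up User in Internal Users IDStore - samsung
24212  Found User in Internal Users IDStore
22037  Authentication Passed
22023  Proceed to attribute retrieval
24432  Looking up user in Active Directory - samsung
24412  User not found in Active Directory
22038  Skipping the next IDStore for attribute retrieval because it is the one we authenticated against
22015  Identity sequence continues to the next IDStore
24209  Looking up Host in Internal Hosts IDStore - samsung
24217  The host is not found in the internal hosts identity store.
22016  Identity sequence completed iterating the IDStores
Evaluating Group Mapping Policy
12312  PEAP fast-reconnect - skipping inner method
12308  Client sent Result TLV indicating failure
12307  PEAP authentication failed
11003  Returned RADIUS Access-Reject
"""


@dataclass
class Triage:
    auth_passed: bool
    attribute_retrieval: bool
    errors_after_auth: list      # (code, message) seen after 22037
    client_rejected: bool
    verdict: str


def parse_steps(text):
    """Return [(phase, code, message)] in log order; phase is the last heading seen."""
    steps, phase = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = STEP_RE.match(line)
        if m:
            steps.append((phase, m.group(1), m.group(2)))
        else:
            phase = line
    return steps


def triage(text):
    """Classify one attempt: did the credential check pass, and what failed afterwards?"""
    steps = parse_steps(text)
    codes = [c for _, c, _ in steps]
    auth_passed = AUTH_PASSED in codes
    attr = ATTRIBUTE_RETRIEVAL in codes
    errors = []
    if auth_passed:
        # Only lookups that failed AFTER the password check are interesting here:
        # they cannot be a wrong password, so they point at the store sequence.
        after = steps[codes.index(AUTH_PASSED) + 1:]
        errors = [(c, m) for _, c, m in after if c in NOT_FOUND_CODES]
    client_rejected = CLIENT_FAILURE_TLV in codes
    if auth_passed and attr and errors:
        verdict = ("credentials accepted; failure comes from additional attribute "
                   "retrieval, review the identity store sequence's retrieval list")
    elif auth_passed and client_rejected:
        verdict = "credentials accepted; the supplicant refused the result"
    elif auth_passed:
        verdict = "credentials accepted; no error after authentication"
    else:
        verdict = "authentication did not pass; check the identity lookup steps"
    return Triage(auth_passed, attr, errors, client_rejected, verdict)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result.verdict)
    for code, msg in result.errors_after_auth:
        print(code, msg)
```

Run it against any pasted "Steps" section; the two `NOT_FOUND` lines it reports for the sample are exactly the ones that follow "22037 Authentication Passed", which is the detail that matters for this thread.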

Hi,

In your identity store sequence, I would suggest you remove everything from the textbox below called "additional attributes retrieval".

Nicolas

===

don't forget to rate answers that you find useful

Dear Nicolas

It works after I remove everything from the additional attributes.

What is the use for these "additional attributes"?

Thanks for your great help.

It is for when the attributes of your user are not in the same database. For example, if your user is internal, maybe for some users you have extra attributes on LDAP or so ...

By design, if you select this feature, it means the ACS should not pay attention to the attributes of the original identity store.

This is why your ACS was finding the user in the internal users list, then went to check AD for extra attributes, skipped the internal user store on purpose, checked internal hosts and declared it could not find the extra attributes.

Nicolas

===

Don't forget to rate answers that you find useful
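To make the sequence behaviour described above concrete, here is an added example (my own model, not ACS code) of an identity store sequence with an optional "additional attributes retrieval" list. It assumes what the thread shows: authentication stops at the first store that knows the user; if the retrieval list is non-empty, every store in it is queried except the one that authenticated (step 22038), and the request fails when none of the remaining stores holds the user, which is the outcome the log above reports. The stores, usernames and attribute values are constructed; the "broken" sequence mirrors the poster's configuration and the "fixed" one mirrors Nicolas's suggestion.

```python
from dataclasses import dataclass, field


@dataclass
class Store:
    name: str
    users: dict          # username -> attribute dict (constructed sample data)


@dataclass
class Sequence:
    auth_stores: list                                   # tried in order for the password check
    attribute_stores: list = field(default_factory=list)  # the 'additional attributes retrieval' list


def evaluate(seq, username):
    """Return (accepted, attributes, trace) for one authentication of `username`."""
    trace = []
    auth_store = None
    for s in seq.auth_stores:
        trace.append(f"Looking up user in {s.name} - {username}")
        if username in s.users:
            trace.append(f"Found user in {s.name}")
            auth_store = s
            break
        trace.append(f"User not found in {s.name}")
    if auth_store is None:
        trace.append("Authentication failed")
        return False, {}, trace
    trace.append("Authentication Passed")
    attrs = dict(auth_store.users[username])
    if not seq.attribute_stores:
        return True, attrs, trace          # nothing extra to fetch: done

    # Assumption modelled on the thread: with a retrieval list configured, the
    # authenticating store's own attributes are ignored, it is skipped in the
    # list, and finding the user in none of the other stores sinks the request.
    trace.append("Proceed to attribute retrieval")
    found = False
    for s in seq.attribute_stores:
        if s is auth_store:
            trace.append(f"Skipping {s.name}: it is the one we authenticated against")
            continue
        trace.append(f"Looking up user in {s.name} - {username}")
        if username in s.users:
            attrs.update(s.users[username])
            found = True
            trace.append(f"Found user in {s.name}")
        else:
            trace.append(f"User not found in {s.name}")
    if not found:
        trace.append("Identity sequence completed iterating the IDStores: no extra attributes found")
        return False, attrs, trace
    return True, attrs, trace


# Constructed stores: AD knows nobody here, Internal Users has the test user,
# Internal Hosts is keyed by MAC and will never contain a username.
ad = Store("Active Directory", {})
internal_users = Store("Internal Users", {"samsung": {"group": "Staff"}})
internal_hosts = Store("Internal Hosts", {"00-23-AE-7A-58-A6": {"device": "laptop"}})
ldap = Store("LDAP", {"samsung": {"department": "IT"}})

# As the poster had it: every store listed for attribute retrieval.
BROKEN = Sequence([ad, internal_users], [ad, internal_users, internal_hosts])
# As suggested in the accepted answer: retrieval list emptied.
FIXED = Sequence([ad, internal_users])
# The intended use of the feature: extra attributes live in a different store.
EXTERNAL_ATTRS = Sequence([ad, internal_users], [ldap])

if __name__ == "__main__":
    for label, seq in [("broken", BROKEN), ("fixed", FIXED), ("ldap attrs", EXTERNAL_ATTRS)]:
        ok, attrs, trace = evaluate(seq, "samsung")
        print(f"{label}: accepted={ok} attrs={attrs}")
        for line in trace:
            print("   ", line)
```

The trace for `BROKEN` reproduces the shape of the log above (AD miss, internal users hit, authentication passed, AD miss again, internal users skipped, internal hosts miss, failure), while `EXTERNAL_ATTRS` shows the case the feature is meant for: the password is checked against Internal Users and the extra attributes come from LDAP.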

Dear Nicolas

I faced the same issue again but with a different scenario.

I am doing machine authentication plus the normal user authentication. I have standard policies to force the machine to be authenticated for all groups, and I have an exception policy for the Guest group.

I am doing the test with a machine which is joined to the domain, so the machine authentication succeeds, but I am trying to authenticate with the guest user. The first attempt fails and the second attempt works for the guest group users. The other groups, which are not under the exception policy, work from the first attempt.

Here is the log:

Authentication Summary
Logged At: December 14,2010 9:19:26.676 AM
RADIUS Status: Authentication failed : 24412 User not found in Active Directory
NAS Failure:
Username: acsguest
MAC/IP Address: 00-23-AE-7A-58-A6
Network Device: Dot1x-3560-Switch : 1.2.3.4 : FastEthernet0/5
Access Service: Default Network Access
Identity Store: Internal Users
Authorization Profiles:
CTS Security Group:
Authentication Method: PEAP

11001  Received RADIUS Access-Request
11017  RADIUS created a new session
Evaluating Service Selection Policy
15004  Matched rule
15012  Selected Access Service - Default Network Access
11507  Extracted EAP-Response/Identity
12300  Prepared EAP-Request proposing PEAP with challenge
12625  Valid EAP-Key-Name attribute received.
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12302  Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318  Successfully negotiated PEAP version 0
12800  Extracted first TLS record; TLS handshake started.
12805  Extracted TLS ClientHello message.
12806  Prepared TLS ServerHello message.
12801  Prepared TLS ChangeCipherSpec message.
12802  Prepared TLS Finished message.
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
12318  Successfully negotiated PEAP version 0
12804  Extracted TLS Finished message.
12816  TLS handshake succeeded.
12311  PEAP session resumed successfully
Evaluating Identity Policy
15006  Matched Default Rule
15013  Selected Identity Store - Internal Users
24432  Looking up user in Active Directory - acsguest
24412  User not found in Active Directory
24210  Looking up User in Internal Users IDStore - acsguest
24212  Found User in Internal Users IDStore
22037  Authentication Passed
Evaluating Group Mapping Policy
15006  Matched Default Rule
12312  PEAP fast-reconnect - skipping inner method
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
12308  Client sent Result TLV indicating failure
12307  PEAP authentication failed
11504  Prepared EAP-Failure
11003  Returned RADIUS Access-Reject

Well, "client sent Result TLV indicating failure" means it's the client refusing the authentication ...

So you are saying that the guest user passes the machine authentication because he's on a domain machine but his user auth fails the first time right ?

Nicolas

Yes,

Dear Nicolas

Any update?

Any help will be appreciated.

Thanks,