12-13-2005 07:41 AM - edited 03-10-2019 02:24 PM
Hi all,
I have configured my ACS server to act as a TACACS+ AAA server and configured a 3750 switch as the AAA client, with a dot1x implementation. But when I connect a laptop to this switch's dot1x port, it prompts me for a username and password, and after I provide the credentials it keeps failing to authenticate. This is what I get on the switch when the user sends the credential information.
23:09:21: %TAC+: illegal type=6 for login
23:09:21: TAC+: send AUTHEN/START packet ver=192 id=2079844561
23:09:21: TAC+: Using default tacacs server-group "tacacs+" list.
23:09:21: TAC+: Opening TCP/IP to 10.200.2.2/49 timeout=5
23:09:21: TAC+: Opened TCP/IP handle 0x304E230 to 10.200.2.2/49
23:09:21: TAC+: periodic timer started
23:09:21: TAC+: 10.200.2.2 req=2A32320 Qd id=2079844561 ver=192 handle=0x304E230 expire=5 AUTHEN/START/LOGIN/UNKNOWN queued
23:09:21: TAC+: 10.200.2.2 (2079844561) AUTHEN/START/LOGIN/UNKNOWN queued
23:09:21: TAC+: 10.200.2.2 id=2079844561 wrote 121 of 121 bytes
23:09:21: TAC+: 10.200.2.2 req=2A32320 Qd id=2079844561 ver=192 handle=0x304E230 expire=4 AUTHEN/START/LOGIN/UNKNOWN sent
23:09:21: TAC+: 10.200.2.2 read=12 wanted=12 alloc=12 got=12
23:09:21: TAC+: 10.200.2.2 read=28 wanted=28 alloc=28 got=16
23:09:21: TAC+: 10.200.2.2 received 28 byte reply for 2A32320
23:09:21: TAC+: req=2A32320 Tx id=2079844561 ver=192 handle=0x304E230 expire=4 AUTHEN/START/LOGIN/UNKNOWN processed
23:09:21: TAC+: (2079844561) AUTHEN/START/LOGIN/UNKNOWN processed
23:09:21: TAC+: periodic timer stopped (queue empty)
23:09:21: TAC+: ver=192 id=2079844561 received AUTHEN status = GETPASS
12-13-2005 08:45 AM
Use RADIUS.
12-13-2005 09:17 PM
Dear Shaw,
Thanks for your answer, but I have to stick with ACS as it supports external databases (e.g. AD and LDAP), which I will be integrating with dot1x.
12-14-2005 12:15 AM
Cisco ACS supports RADIUS. You can't use TACACS+ for dot1x because you can't use EAP over TACACS+.
12-14-2005 01:02 AM
Thanks Shaw for your reply.
Is it possible to integrate RADIUS with LDAP or Active Directory for authentication?
12-14-2005 01:18 AM
Yes, the ACS server will still handle the integration with Active Directory or LDAP, in the same way it does for any authentication method. RADIUS is the method of authentication between the ACS server and the client, and the reason it is used instead of TACACS+ is that TACACS+ doesn't 'present' the necessary information needed to authenticate with the Windows domain.
12-14-2005 05:46 AM
I have just switched my configuration to RADIUS, but as soon as I connect a laptop to my AAA client (i.e. the 3750 switch) it gives me the error below.
My AAA RADIUS server IP is 10.200.2.2 and
the AAA client (3750 switch) IP is 10.200.2.1.
1d21h: %LINK-3-UPDOWN: Interface FastEthernet1/0/1, changed state to down
1d21h: RADIUS: Pick NAS IP for u=0x2355BC0 tableid=0 cfg_addr=0.0.0.0
1d21h: RADIUS: ustruct sharecount=2
1d21h: Radius: radius_port_info() success=1 radius_nas_port=1
1d21h: RADIUS: EAP-login: length of radius packet = 149 code = 1
1d21h: RADIUS(00000000): Send Access-Request to 10.200.2.2:1812 id 1645/7, len 149
1d21h: RADIUS: authenticator 89 AD D5 29 4F 57 CF 6A - 64 15 29 ED ED B6 02 D7
1d21h: RADIUS: NAS-IP-Address [4] 6 10.200.2.1
1d21h: RADIUS: NAS-Port [5] 6 50101
1d21h: RADIUS: NAS-Port-Type [61] 6 Eth [15]
1d21h: RADIUS: User-Name [1] 19 "DIFC\adil.ibrahim"
1d21h: RADIUS: Called-Station-Id [30] 19 "00-12-7F-72-2F-03"
1d21h: RADIUS: Calling-Station-Id [31] 19 "00-0D-60-FB-89-C0"
1d21h: RADIUS: Service-Type [6] 6 Framed [2]
1d21h: RADIUS: Framed-MTU [12] 6 1500
1d21h: RADIUS: EAP-Message [79] 24
1d21h: RADIUS: 02 00 00 16 01 44 49 46 43 5C 61 64 69 6C 2E 69 [?????DIFC\adil.i]
1d21h: RADIUS: 62 72 61 68 69 6D [brahim]
1d21h: RADIUS: Message-Authenticato[80] 18
1d21h: RADIUS: 89 B1 E7 61 43 EF 6A 7B E5 7D 95 AF 94 12 26 B6 [???aC?j{?}????&?]
1d21h: RADIUS: Received from id 1645/7 10.200.2.2:1812, Access-Reject, len 56
1d21h: RADIUS: authenticator 96 7E 41 5A 20 48 28 F1 - B7 F7 26 21 F5 B0 82 92
1d21h: RADIUS: EAP-Message [79] 6
1d21h: RADIUS: 04 00 00 04 [????]
1d21h: RADIUS: Reply-Message [18] 12
1d21h: RADIUS: 52 65 6A 65 63 74 65 64 0A 0D [Rejected??]
1d21h: RADIUS: Message-Authenticato[80] 18
1d21h: RADIUS: 00 D6 71 93 0F 2F 61 FB 01 1A 69 53 B3 3B E5 3A [??q??/a???iS?;?:]
1d21h: RADIUS: EAP-login: length of eap packet = 4
1d21h: RADIUS: EAP-login: got reject from radius
It keeps giving me the error below whenever I connect a laptop to this AAA client.
1d21h: RADIUS: EAP-login: length of eap packet = 4
1d21h: RADIUS: EAP-login: got reject from radius
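To read the exchange above without hand-decoding hex, here is an added example (not code from this thread or from Cisco): a small Python parser for IOS `debug radius` output that reassembles the EAP-Message attribute, which IOS prints as one or more hex-dump lines after the attribute header, and decodes the EAP header. It assumes the line layout shown in this post (packet line, then `RADIUS: <Attr> [<num>] <len> <value>` lines, with hex-dump continuation lines for binary attributes); the EAP code and type names are from RFC 3748 and the IANA EAP registry. The sample input is the Access-Request / Access-Reject pair copied from the dump above. Run on it, the parser shows the switch sent an EAP Response/Identity for DIFC\adil.ibrahim and the server answered with an EAP Failure inside an Access-Reject, i.e. the reject is the server's decision, which the switch merely relays as "got reject from radius"; the reason has to be read on the server side.

```python
import re

# EAP code and type names from RFC 3748 and the IANA EAP registry.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

# Constructed sample: the Access-Request / Access-Reject pair from the post above.
SAMPLE_DEBUG = r"""
1d21h: RADIUS(00000000): Send Access-Request to 10.200.2.2:1812 id 1645/7, len 149
1d21h: RADIUS: authenticator 89 AD D5 29 4F 57 CF 6A - 64 15 29 ED ED B6 02 D7
1d21h: RADIUS: NAS-IP-Address [4] 6 10.200.2.1
1d21h: RADIUS: NAS-Port [5] 6 50101
1d21h: RADIUS: NAS-Port-Type [61] 6 Eth [15]
1d21h: RADIUS: User-Name [1] 19 "DIFC\adil.ibrahim"
1d21h: RADIUS: Called-Station-Id [30] 19 "00-12-7F-72-2F-03"
1d21h: RADIUS: Calling-Station-Id [31] 19 "00-0D-60-FB-89-C0"
1d21h: RADIUS: Service-Type [6] 6 Framed [2]
1d21h: RADIUS: Framed-MTU [12] 6 1500
1d21h: RADIUS: EAP-Message [79] 24
1d21h: RADIUS: 02 00 00 16 01 44 49 46 43 5C 61 64 69 6C 2E 69 [?????DIFC\adil.i]
1d21h: RADIUS: 62 72 61 68 69 6D [brahim]
1d21h: RADIUS: Message-Authenticato[80] 18
1d21h: RADIUS: 89 B1 E7 61 43 EF 6A 7B E5 7D 95 AF 94 12 26 B6 [???aC?j{?}????&?]
1d21h: RADIUS: Received from id 1645/7 10.200.2.2:1812, Access-Reject, len 56
1d21h: RADIUS: authenticator 96 7E 41 5A 20 48 28 F1 - B7 F7 26 21 F5 B0 82 92
1d21h: RADIUS: EAP-Message [79] 6
1d21h: RADIUS: 04 00 00 04 [????]
1d21h: RADIUS: Reply-Message [18] 12
1d21h: RADIUS: 52 65 6A 65 63 74 65 64 0A 0D [Rejected??]
1d21h: RADIUS: Message-Authenticato[80] 18
1d21h: RADIUS: 00 D6 71 93 0F 2F 61 FB 01 1A 69 53 B3 3B E5 3A [??q??/a???iS?;?:]
"""

# Assumed IOS debug line layout (matches the dump above).
PKT_RE = re.compile(r"RADIUS(?:\(\w+\))?: (Send|Received from) .*?"
                    r"(Access-(?:Request|Accept|Reject|Challenge))")
ATTR_RE = re.compile(r"RADIUS: ([A-Za-z-]+)\s*\[(\d+)\] (\d+)\s*(.*)$")
HEX_RE = re.compile(r"RADIUS: ((?:[0-9A-F]{2} )+)\[")   # hex dump continuation line


def parse_debug(text):
    """Split debug text into packets: dicts with 'direction', 'code' and 'attrs'.

    Hex-dumped attributes (EAP-Message, Reply-Message, ...) are reassembled
    into bytes across all their dump lines; inline attributes keep the text.
    """
    packets = []
    current = None  # attribute name the next hex-dump lines belong to
    for line in text.splitlines():
        m = PKT_RE.search(line)
        if m:
            packets.append({"direction": m.group(1), "code": m.group(2), "attrs": {}})
            current = None
            continue
        if not packets:
            continue
        m = ATTR_RE.search(line)
        if m:
            name, inline = m.group(1), m.group(4).strip()
            packets[-1]["attrs"][name] = inline if inline else b""
            current = None if inline else name
            continue
        m = HEX_RE.search(line)
        if m and current:
            packets[-1]["attrs"][current] += bytes.fromhex(m.group(1))
    return packets


def decode_eap(payload):
    """Decode one EAP packet: code, id, 16-bit length, then type/data (RFC 3748)."""
    if len(payload) < 4:
        raise ValueError("EAP header needs at least 4 bytes, got %d" % len(payload))
    code, ident = payload[0], payload[1]
    length = int.from_bytes(payload[2:4], "big")
    msg = {"code": EAP_CODES.get(code, "unknown(%d)" % code), "id": ident,
           "length": length,
           # length disagreeing with the bytes means a cut-short or missed dump line
           "truncated": length != len(payload)}
    if code in (1, 2) and len(payload) >= 5:   # Request/Response carry a Type octet
        etype = payload[4]
        msg["type"] = EAP_TYPES.get(etype, "unknown(%d)" % etype)
        if etype == 1:                          # Identity data is the bare user name
            msg["identity"] = payload[5:length].decode("ascii", errors="replace")
    return msg


def summarize(text):
    """One line per RADIUS packet describing the EAP message it carries."""
    lines = []
    for pkt in parse_debug(text):
        eap = pkt["attrs"].get("EAP-Message")
        if not eap:
            lines.append("%s: no EAP-Message" % pkt["code"])
            continue
        msg = decode_eap(eap)
        desc = "EAP %s id=%d" % (msg["code"], msg["id"])
        if "type" in msg:
            desc += "/" + msg["type"]
        if "identity" in msg:
            desc += " identity=%r" % msg["identity"]
        reply = pkt["attrs"].get("Reply-Message")
        if isinstance(reply, bytes):
            desc += " reply=%r" % reply.decode("ascii", errors="replace").strip()
        lines.append("%s: %s" % (pkt["code"], desc))
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_DEBUG):
        print(line)
```

The `truncated` flag is the check worth keeping: IOS splits long attributes over several dump lines, and a pasted debug that lost one of them decodes to a plausible but wrong EAP packet, so compare the header length against the reassembled byte count before trusting the identity or type.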
12-14-2005 06:36 AM
Have you read through the guide above? Or any guide?
I'm a little confused as to how you have your setup configured.
The reason your authentication is failing now, is because either:
a) The user doesn't exist on the radius server
b) Unsupported authentication method (PEAP, PAP, CHAP etc. not enabled on your ACS)
c) Other user restrictions in place.
If you're using the Cisco ACS, you should be able to check the 'failed attempts' log to find out why the authentication wasn't successful.
Please can you post the log, along with the dot1x config for your switch.
12-18-2005 06:02 AM
Shaw,
I am able to authenticate users via RADIUS now, but only those users which I have created in my ACS manually. Also, I've specified my Active Directory as an external database in my ACS, BUT the users from AD are not being authenticated. Please advise.
12-19-2005 03:38 AM
You need to configure the following:
EXTERNAL USER DATABASES:
- Unknown user policy: make sure the option to check the database instead of failing the attempt is selected.
- Database Group Mapping: ensure that the unknown users are being placed in the correct ACS group when they are automatically added.
You need to check in the failed attempts log to see why the users are not being authenticated. Please post the log so I can better advise you.
12-20-2005 06:29 AM
Hi Shaw,
I've gone through the logs and have found the following errors:
When I first tried to log in using MD5 authentication from an XP machine, ACS generated the following error:
"12/19/2005 19:20:59 Authen failed DIFC\adil.ibrahim .. 00-00-39-28-94-B8 Auth type not supported by External DB"
Later, when I tried to log in with PEAP authentication, ACS generated this error:
Date Time Message-Type User-Name Group-Name Caller-ID Authen-Failure-Code Author-Failure-Code Author-Data NAS-Port NAS-IP-Address
12/19/2005 19:27:10 Authen failed DIFC\adil.ibrahim .. 00-0D-60-5F-B8-40 EAP type not configured check Global Authentication Setup page .. .. 50102 10.200.2.1
After all this, when I went to System Configuration > Global Authentication Setup, check-marked
Allow EAP-MSCHAPv2
Allow EAP-GTC under the PEAP settings, and clicked Submit and Restart, it gave me the following error:
Authentication configuration errors
Failed to initialize PEAP or EAP-TLS authentication protocol because ACS certificate is not installed.
Hope this will bring us to the final solution for getting this ACS operational. Your comments are really appreciated and helpful.
12-21-2005 02:52 AM
Just select the "Allow EAP-MSCHAPv2" option in Global Authentication Setup, and leave EAP-GTC unchecked. This should enable MS-CHAP v2 without any problems, and this should now work.
If you want to use any of the certificate-based authentication methods (PEAP, EAP-TLS) then you will need to obtain a certificate for your server.
Try enabling EAP-MSCHAPv2 and let me know if it works.
12-21-2005 05:25 AM
Shaw,
By just selecting "Allow EAP-MSCHAPv2" under PEAP, it still keeps giving me the same error:
"Failed to initialize PEAP or EAP-TLS authentication protocol because ACS certificate is not installed."
12-21-2005 05:41 AM
If you want to use PEAP then you will need to install a certificate on your server, and on all your clients.
You can use just MD5 for dot1x.
Ensure the EAP-MD5 box is checked on the Global Authentication page, and that the MS-CHAP version 1 and version 2 authentication boxes are checked.
In your client, select the authentication EAP type to be "MD5-Challenge".
12-21-2005 07:39 AM
Shaw,
I suspect that ACS with Active Directory and dot1x authentication won't support MD5. Well, anyway, I'll try that.
Furthermore, if I need to install a certificate on the server, how can I obtain it for both the client and the ACS server?