01-06-2011 12:42 PM - edited 03-10-2019 05:41 PM
I work at a University and for some reason we have multiple systems for authentication and authorization. That being said, I am trying to use RADIUS to do authentication and AD for authorization for VPNs. I have the RADIUS authentication working against our RADIUS server. I have my ACS Express set up to join the AD domain and everything looks good there. I set up the AD server as a RADIUS object in AAA server groups on my ASA. Then I add the server below in the "servers in selected groups" window. I put all the info in there, and when I hit test I click authorization and put in the username that I know is in the domain group I have associated with this on the ACS. The test fails with "authorization failed, invalid password". When I look at the logs on the ACS I see:
01/06/2011 20:14:26 acsxp/server Warning Server 0 AD Agent Plain Text Authentication Failed for user: username@domain
01/06/2011 20:14:26 acsxp/server Warning Server 0 Authentication for user username failed for reason = 0
01/06/2011 20:14:26 acsxp/server Error Protocol 0 Request from 172.20.5.2: User username rejected . by RemoteServer: AD (InvalidPassword).
Username and domain are correct; I just edited them for posting. It seems like it is trying to authenticate rather than authorize. All I want it to do is say yes, the user is in this group, or no, the user is not in this group. You can't even fill in the password when testing authorization? Maybe I have something set up wrong on the ACS side, but when I look at AD under Users and Identity Stores, it says it is joined to the domain. When I do AD domain diagnostics under Troubleshooting, everything looks good. I have the ASA I am testing from defined as a device and in the ASA device group. Under Access Services, in RADIUS access services, I have one service that I set up that connects to the AD, and it found the group, so I know it is connecting. Any idea what I am doing wrong or where to look?
Any help would be GREATLY appreciated!
Thanks
Joe
01-07-2011 01:00 AM
Hi Joe,
We could take a deeper look at what is happening through some logs and debugs:
1. On ACS Express, under Reports & Troubleshooting > Troubleshooting > Server Logs, please set the Express Server Trace Level to 5 and the Web Server Trace Level to 4.
Also, for the Log Level under OS Logging, please set its value to "Debug".
If previous old logs are not essential to you, you may also want to delete all the log files first, so that we capture logs for the last day only.
2. On the ASA, please enable the following debugs:
debug aaa authentication
debug aaa authorization
debug radius
3. Then please first recreate a successful authentication attempt, and then recreate the authorization test issue with the same user account for which you tested the successful authentication.
4. After the issue is recreated, please attach the debugs from the ASA and the following files from the ACS Server Logs:
acsxp_adagent.log
acsxp_agent_server.log
acsxp_mcd.log
acsxp_server.log
acsxp_server_trace.log
Regards,
Fede
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
01-12-2011 12:16 PM
OK, so I got this to work, kind of... Is there any way to have the ACS Express just check the AD for authorization and NOT authentication? It works as expected as long as you are checking authentication as well. This seems silly, but as I was saying before, we have two systems. One, the RADIUS system, is widely used for logging into most university things, and the second, the AD system, is used for mail and maybe a couple of other things. Some people use different passwords for both systems, and for them it will not work. If you use the same password for both systems, the ASA checks the RADIUS for authentication, then checks AD for authentication and for authorization. If you use different passwords for both, then you use your RADIUS password to log in and get through RADIUS, but when it checks AD it first uses that same password to check authentication, then authorization. Since it is a different password, it fails. I want it to check RADIUS for authentication from the ASA and only check AD for group authorization from the ACS Express. Any help here would be greatly appreciated!
Thank you!
Joe
01-12-2011 12:38 PM
Hi Joe,
With RADIUS we cannot separate authentication from authorization: this is as per protocol definition.
Authorization via RADIUS is done through attributes passed back by the RADIUS server in the access-accept, so it is part of the final message of the authentication process.
Regards,
Fede
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
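For the split Joe is after (university RADIUS for the password check, AD group membership for the yes/no), the ASA can name a different server group for each step in the tunnel-group, with the AD lookup done over LDAP instead of a second RADIUS pass through ACS. This is an added configuration example, not from either poster or from Cisco's documentation; the group names, addresses, DNs, and the VPN-Users group CN are placeholders.

```text
! Added example (not from the thread). Names, addresses, DNs and group CNs are placeholders.
!
! 1. University RADIUS server: authentication only. This is the only place the
!    user's password is checked.
aaa-server RADIUS-UNIV protocol radius
aaa-server RADIUS-UNIV (inside) host 10.0.0.20
 key <radius-shared-secret>
!
! 2. AD over LDAP: authorization only. The ASA binds with a read-only service
!    account, so the user's AD password plays no part in the VPN login.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn dc=example,dc=edu
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=svc-asa-ldap,ou=Service Accounts,dc=example,dc=edu
 ldap-login-password <service-account-password>
 server-type microsoft
 ldap-attribute-map AD-GROUP-MAP
!
! 3. Map membership in the VPN group to a permissive group-policy. Anyone whose
!    memberOf does not match falls through to the default policy, which allows
!    zero simultaneous logins, i.e. denies the connection.
ldap attribute-map AD-GROUP-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Users,OU=Groups,DC=example,DC=edu" GP-VPN-ALLOW
!
group-policy GP-VPN-ALLOW internal
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0
!
! 4. Tunnel-group: authenticate against RADIUS, then authorize against LDAP.
tunnel-group UNIV-VPN type remote-access
tunnel-group UNIV-VPN general-attributes
 authentication-server-group RADIUS-UNIV
 authorization-server-group AD-LDAP
 authorization-required
 default-group-policy GP-NOACCESS
```

Because the LDAP step is a bind with the service account followed by a search on the user's sAMAccountName, a user whose RADIUS and AD passwords differ still passes; only the memberOf match decides the outcome.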
01-12-2011 06:52 PM
Because ACS can only accept one AD.
In your case, you need to have two RADIUS or ACS servers.
You point each ACS server to a different AD.
Like ACS-1 uses AD-1, ACS-2 uses AD-2.
Just put in different conditions, like any requests coming from the mail server will use the local ACS-1, and all other apps are sent to its external proxy RADIUS server ACS-2, which uses AD-2.
Then it should work.
Put the conditions into the "Service Selection Rules".