01-24-2011 04:22 PM - edited 03-10-2019 05:45 PM
Hi All,
I've added an ASA (version 8.0) as a RADIUS client to an ACS server (version 4.2). When I do "test aaa authentication" on the ASA and run "debug radius", I get this error message:
test aaa authentication ACS host 10.1.2.25 username test passwo$
INFO: Attempting Authentication test to IP address <10.1.2.25> (timeout: 12 seconds)
radius mkreq: 0x6cb
alloc_rip 0x29f79044
new request 0x6cb --> 221 (0x29f79044)
got user 'test'
got password
add_req 0x29f79044 session 0x6cb id 221
RADIUS_REQUEST
radius.c: rad_mkpkt
RADIUS packet decode (authentication request)
--------------------------------------
Raw packet data (length = 62).....
01 dd 00 3e 11 76 77 e4 4d 02 13 50 49 4e 6f 7c | ...>.vw.M..PINo|
05 5a 8b 68 01 06 74 65 73 74 02 12 11 ca 28 65 | .Z.h..test....(e
a4 49 ee 8a 76 46 29 10 3e f9 3f 1f 04 06 ac 1b | .I..vF).>.?.....
fb 02 05 06 00 00 00 28 3d 06 00 00 00 05 | .......(=.....
Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 221 (0xDD)
Radius: Length = 62 (0x003E)
Radius: Vector: 117677E44D021350494E6F7C055A8B68
Radius: Type = 1 (0x01) User-Name
Radius: Length = 6 (0x06)
Radius: Value (String) =
74 65 73 74 | test
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
11 ca 28 65 a4 49 ee 8a 76 46 29 10 3e f9 3f 1f | ..(e.I..vF).>.?.
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 172.27.251.2 (0xAC1BFB02)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x28
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
send pkt 10.1.2.25/1645
rip 0x29f79044 state 7 id 221
rad_vrfy() : bad req auth
rad_procpkt: radvrfy fail
RADIUS_DELETE
remove_req 0x29f79044 session 0x6cb id 221
free_rip 0x29f79044
radius: send queue empty
ERROR: Authentication Server not responding: AAA decode failure.. server secret mismatch
And I am sure the shared secret matches between the ASA and ACS. Any suggestion would be very much appreciated.
Thanks
Alex
01-24-2011 05:10 PM
Hi Alex,
Is the ASA defined in any NDG in the ACS?
If yes, please remove the shared secret of the NDG and try the test authentication again please.
Let me know how it goes.
Regards,
Anisha
P.S.: please mark this thread resolved if you think your query is answered.
01-24-2011 05:18 PM
Hi Anisha,
Thank you so much. Yes, it starts working. But why does it add a shared key on the group?
Alex
01-24-2011 10:43 PM
Hi,
The NDG shared secret will take precedence over the individual secret.
It is a feature enabled for key management for devices.
The link below describes the same:
Regards,
Anisha
P.S.: Please do rate helpful posts.
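Added illustration, not part of any post in this thread and not Cisco code: the RFC 2865 Response Authenticator check, run against the Access-Request bytes from the debug output above. Both secrets and the Access-Reject reply are constructed for the example; the reply is signed with a group-level secret and then checked with a per-device secret, which is the mismatch the thread resolves.

```python
import hashlib
import hmac
import struct

# Access-Request bytes copied from the "Raw packet data" dump in the first post.
ACCESS_REQUEST = bytes.fromhex(
    "01 dd 00 3e 11 76 77 e4 4d 02 13 50 49 4e 6f 7c"
    "05 5a 8b 68 01 06 74 65 73 74 02 12 11 ca 28 65"
    "a4 49 ee 8a 76 46 29 10 3e f9 3f 1f 04 06 ac 1b"
    "fb 02 05 06 00 00 00 28 3d 06 00 00 00 05"
)
# Constructed placeholder secrets; the real ones do not appear in the thread.
DEVICE_SECRET = b"per-device-secret"
NDG_SECRET = b"ndg-level-secret"

def parse_header(pkt):
    """Split a RADIUS packet into (code, identifier, authenticator, attributes)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("RADIUS length field does not match packet size")
    return code, ident, pkt[4:20], pkt[20:]

def response_authenticator(code, ident, attrs, request_auth, secret):
    # RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(code, ident, attrs, request_auth, secret):
    """Server side: sign a reply with whichever secret the server selected."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def verify_reply(reply, request, secret):
    """Client side: recompute the authenticator with the locally configured secret."""
    _, req_id, req_auth, _ = parse_header(request)
    code, ident, auth, attrs = parse_header(reply)
    expected = response_authenticator(code, ident, attrs, req_auth, secret)
    return ident == req_id and hmac.compare_digest(auth, expected)

def demo():
    _, ident, req_auth, _ = parse_header(ACCESS_REQUEST)
    # Constructed Access-Reject (code 3) signed with the group-level secret.
    reply = build_reply(3, ident, b"", req_auth, NDG_SECRET)
    return (verify_reply(reply, ACCESS_REQUEST, NDG_SECRET),
            verify_reply(reply, ACCESS_REQUEST, DEVICE_SECRET))

if __name__ == "__main__":
    print(demo())  # (verified with same secret, verified with different secret)
```

The client never sees the server's secret, only whether the recomputed digest matches, so a server that signs with a different secret than the one configured on the client is indistinguishable from a mistyped key.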