ASA as RADIUS client in ACS

alex goshtaei
Level 1

Hi All,

I've added the ASA (version 8.0) as a RADIUS client to the ACS server (version 4.2). When I do "test aaa authentication" on the ASA and run "debug radius", I get this error message:

test aaa authentication ACS host 10.1.2.25 username test passwo$
INFO: Attempting Authentication test to IP address <10.1.2.25> (timeout: 12 seconds)
radius mkreq: 0x6cb
alloc_rip 0x29f79044
    new request 0x6cb --> 221 (0x29f79044)
got user 'test'
got password
add_req 0x29f79044 session 0x6cb id 221
RADIUS_REQUEST
radius.c: rad_mkpkt

RADIUS packet decode (authentication request)

--------------------------------------
Raw packet data (length = 62).....
01 dd 00 3e 11 76 77 e4 4d 02 13 50 49 4e 6f 7c    |  ...>.vw.M..PINo|
05 5a 8b 68 01 06 74 65 73 74 02 12 11 ca 28 65    |  .Z.h..test....(e
a4 49 ee 8a 76 46 29 10 3e f9 3f 1f 04 06 ac 1b    |  .I..vF).>.?.....
fb 02 05 06 00 00 00 28 3d 06 00 00 00 05          |  .......(=.....

Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 221 (0xDD)
Radius: Length = 62 (0x003E)
Radius: Vector: 117677E44D021350494E6F7C055A8B68
Radius: Type = 1 (0x01) User-Name
Radius: Length = 6 (0x06)
Radius: Value (String) =
74 65 73 74                                        |  test
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
11 ca 28 65 a4 49 ee 8a 76 46 29 10 3e f9 3f 1f    |  ..(e.I..vF).>.?.
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 172.27.251.2 (0xAC1BFB02)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x28
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
send pkt 10.1.2.25/1645
rip 0x29f79044 state 7 id 221
rad_vrfy() : bad req auth
rad_procpkt: radvrfy fail
RADIUS_DELETE
remove_req 0x29f79044 session 0x6cb id 221
free_rip 0x29f79044
radius: send queue empty
ERROR: Authentication Server not responding: AAA decode failure.. server secret mismatch

And I am sure the shared secret matches between the ASA and the ACS. Any suggestion would be very much appreciated.

thanks

Alex
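
The "rad_vrfy() : bad req auth" line above is the ASA rejecting the server's reply because the Response Authenticator does not verify under the ASA's copy of the shared secret, so the reply is dropped and the test ends in a timeout. The example below is added here and is not code from the thread or from Cisco: it parses the Access-Request exactly as captured in the debug output, implements the RFC 2865 User-Password obfuscation and Response Authenticator check, and reproduces the failure with two constructed secrets (nas_secret and ndg_secret are assumptions, since the real secrets are not on the page).

```python
"""RADIUS shared-secret checks for the 'bad req auth' failure in the debug above."""
import hashlib
import hmac
import struct

# Access-Request copied byte-for-byte from the ASA "debug radius" hexdump (62 bytes).
REQUEST = bytes.fromhex(
    "01dd003e117677e44d021350494e6f7c"
    "055a8b68010674657374021211ca2865"
    "a449ee8a764629103ef93f1f0406ac1b"
    "fb020506000000283d0600000005"
)

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 61: "NAS-Port-Type"}


def parse_packet(data: bytes) -> dict:
    """Split a RADIUS packet into header fields and a list of (type, value) attributes."""
    if len(data) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"length field {length} != {len(data)} bytes received")
    authenticator = data[4:20]          # Request Authenticator (random, 16 bytes)
    attrs, pos = [], 20
    while pos < length:
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "identifier": identifier, "length": length,
            "authenticator": authenticator, "attrs": attrs}


def encode_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: NUL-pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16)
    if not padded:
        padded = b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        cipher = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += cipher
        prev = cipher
    return out


def decode_user_password(blob: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of encode_user_password (strips the NUL padding)."""
    out, prev = b"", request_auth
    for i in range(0, len(blob), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(blob[i:i + 16], block))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")


def build_response(code: int, request: dict, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, request["identifier"], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request["authenticator"] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side (what the ASA's rad_vrfy does): recompute with *its* secret and compare."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def demo() -> dict:
    """Replay the thread's failure: ACS answers with a different secret than the ASA holds."""
    req = parse_packet(REQUEST)
    user = dict(req["attrs"])[1].decode()
    nas_secret = b"asa-secret"   # constructed: what the ASA is configured with
    ndg_secret = b"ndg-secret"   # constructed: what ACS actually used (NDG key wins)
    reject = build_response(ACCESS_REJECT, req, ndg_secret)
    blob = encode_user_password(b"Passw0rd!", nas_secret, req["authenticator"])
    return {
        "user": user,
        "match": verify_response(reject, req["authenticator"], ndg_secret),
        "mismatch": verify_response(reject, req["authenticator"], nas_secret),
        "password_roundtrip": decode_user_password(blob, nas_secret, req["authenticator"]) == b"Passw0rd!",
    }


if __name__ == "__main__":
    print(demo())
```

With the same secret on both sides `verify_response` returns True; with the constructed mismatch it returns False, which is the path that produces "radvrfy fail" and the misleading "Authentication Server not responding" message, since the reply did arrive but was discarded. Note that the User-Password field is only obfuscated with MD5, not authenticated, so a mismatched secret is only detected on the reply, never on the request.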

Accepted Solution

andamani
Cisco Employee

Hi Alex,

Is the ASA defined in any NDG in the ACS?

If yes, please remove the shared secret of the NDG and try the test authentication again please.

Let me know how it goes.

Regards,

Anisha

P.S.: please mark this thread resolved if you think your query is answered.

Hi Anisha,

Thank you so much. Yes, it started working. But why does it add a shared key on the group?

Alex

Hi,

The NDG shared secret will take precedence over the individual secret.

It is a feature enabled for key management for devices.

the link below describes the same:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/NetCfg.html#wp342699

Regards,

Anisha

P.S.: Please do rate helpful posts.