Autonomous AP's support OTP for web console?

mmletzko
Level 1

I'm having trouble finding this documented, hoping someone could answer it for me.


Do Cisco Autonomous APs support token authentication (RSA) via ACS for the web console option?  I found in some release notes for Wireless LAN controllers that it's supported for http management, but I cannot find anything documented for APs.


We're seeing a problem in which authenticating to APs using http (with caching enabled) with RSA token is sometimes prompting over and over even though the correct credentials are supplied.  It can then put the token in next tokencode mode, or disable it.

Is this dependent on AP model/code version?  Is there a setting on the AP or in ACS that can prevent this issue?

Thanks!

5 Replies

Nicolas Darchis
Cisco Employee

Hi,

You would need to troubleshoot this on the ACS side. The AP is just sending RADIUS requests and expecting an access-accept from the ACS.

So when it doesn't work, check if ACS is logging a failed or passed attempt, check the authorization as well to see if all went fine.

It could be a bug on the specific version of ACS you are running. What version is that?

Nicolas

Well, unfortunately for a few of our infrastructures, we're still running v3.3.4.12.6.  We're on our way to v4.2.1.15.3, but still have some work to do.

The failed log just shows the standard "external db password invalid" so it's not much help.

Everything from CLI (APs, routers, switches) works fine, and WLCs work fine - http/ssh.  It's only APs via http that are giving us a problem - and may be only some...which is why I was asking if model/code was relevant.  I'm working on trying to determine that now.  What I am finding so far is that I can get in most without a problem, but after 5/10/15 minutes of being in, I will get prompted for our credentials again.  At that point it doesn't matter what's entered...it fails, and if you aren't careful, the token will get disabled.

I'm at the beginning stages of troubleshooting so I need to get more details, but I was wondering if OTP was in fact supported for the http connection to autonomous APs.

Thanks!

In addition to this, it looks like what happens is when it prompts, it fails multiple times for the same connection, which is in turn disabling our tokens.

For example, I was logged into an AP via http for about 15/20 minutes with no issues...then all of a sudden it popped up with a box to enter credentials.  I entered my current token credentials one time and there ended up being 10 entries in the failed log for the one attempt.  That disabled my token.
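The symptom above (one interactive login producing ten failed-attempt entries within seconds, enough to disable an OTP token) is worth telling apart from genuine password guessing when you review the ACS failed-attempts log. The following is an added example, not code from the thread or from Cisco: it parses a constructed, simplified CSV-style failed-attempts export (the real ACS column layout differs) and flags, per user and NAS, clusters of failures that fall inside a short window. A tight cluster from one NAS for one user at sub-second spacing is consistent with a client or NAS retry loop rather than a human retyping credentials, which is the case where a lockout threshold on the token server punishes the legitimate user. Function names, thresholds and the sample lines are all assumptions.

```python
"""Flag bursts of failed RADIUS/OTP authentications per (user, NAS).

Added example for this thread, not ACS or Cisco code. The log format is a
constructed, simplified stand-in for an ACS "Failed Attempts" export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: ten failures for one user from one AP within two
# seconds (one interactive login that the HTTP session retried), then a single
# unrelated failure from another device hours later.
SAMPLE_LOG = """\
2010-03-02 09:15:01,mmletzko,10.1.1.20,Failed,External DB password invalid
2010-03-02 09:15:01,mmletzko,10.1.1.20,Failed,External DB password invalid
2010-03-02 09:15:01,mmletzko,10.1.1.20,Failed,External DB password invalid
2010-03-02 09:15:01,mmletzko,10.1.1.20,Failed,External DB password invalid
2010-03-02 09:15:02,mmletzko,10.1.1.20,Failed,External DB password invalid
2010-03-02 09:15:02,mmletzko,10.1.1.20,Failed,External DB password invalid
2010-03-02 09:15:02,mmletzko,10.1.1.20,Failed,External DB password invalid
2010-03-02 09:15:03,mmletzko,10.1.1.20,Failed,External DB password invalid
2010-03-02 09:15:03,mmletzko,10.1.1.20,Failed,External DB password invalid
2010-03-02 09:15:03,mmletzko,10.1.1.20,Failed,External DB password invalid
2010-03-02 11:40:12,jdoe,10.1.1.50,Failed,External DB password invalid
"""


def parse_log(text):
    """Parse 'timestamp,user,nas_ip,status,reason' lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, nas, status, reason = line.split(",", 4)
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "user": user,
            "nas": nas,
            "status": status,
            "reason": reason,
        })
    return records


def find_bursts(records, window=timedelta(seconds=30), threshold=5):
    """Return one finding per (user, NAS) whose failures cluster within `window`.

    A sliding window over the sorted failure timestamps finds the densest
    cluster; if it reaches `threshold`, the pair is reported together with
    the span of the cluster so an analyst can judge whether a human could
    have typed that many attempts in that time.
    """
    by_key = defaultdict(list)
    for r in records:
        if r["status"] == "Failed":
            by_key[(r["user"], r["nas"])].append(r["ts"])

    findings = []
    for (user, nas), times in by_key.items():
        times.sort()
        start, best, best_span = 0, 0, timedelta(0)
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > best:
                best, best_span = count, times[end] - times[start]
        if best >= threshold:
            findings.append({
                "user": user,
                "nas": nas,
                "failures_in_window": best,
                "span_seconds": best_span.total_seconds(),
                "verdict": classify(best, best_span),
            })
    return findings


def classify(count, span):
    """Heuristic label: many failures in a few seconds from one NAS for one
    user is a retry loop, not a person retyping a token."""
    if count >= 5 and span <= timedelta(seconds=5):
        return "likely automated retry (client/NAS)"
    return "review: possible credential guessing"


if __name__ == "__main__":
    for f in find_bursts(parse_log(SAMPLE_LOG)):
        print(f)
```

Run against a real export, the verdict field is what you would feed into an alert or use to justify raising the token server's lockout threshold for a specific NAS while the AP-side HTTP behaviour is being fixed.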

I was just authenticated to an AP via http using my token for more than an hour, then it popped up with an authentication box.  I escaped out and looked in the ACS log and it shows a failed authentication - external db password invalid.


Does the AP http session attempt to reauthenticate?  Is there any way to control that or adjust the settings?  I'm assuming it tries to authenticate using the old token and of course fails.


Would a tacacs-timeout setting come into play at all?  How about in ACS - are there any settings that could help this?

Thanks!

I am going to open a TAC case for this as I just confirmed this issue using v4.2.1.15.3 of ACS.