cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1359
Views
20
Helpful
6
Replies

Unknown CSRadius Log Entries

radiomoskau
Level 1
Level 1

G'Day Guys!

We're running 2 Cisco Secure ACS v4.2. In the CSRadius-logs about 90 percent of it looks like this:

...

RDS 04/12/2010 00:03:16 E 3666 5704 0x0 Received unknown attribute 102
RDS 04/12/2010 00:03:16 E 3666 5704 0x0 Received unknown attribute 102
RDS 04/12/2010 00:03:16 E 3666 5704 0x0 Received unknown attribute 102
RDS 04/12/2010 00:03:16 E 3666 5704 0x0 Received unknown attribute 102
RDS 04/12/2010 00:03:16 E 3666 5704 0x0 Received unknown attribute 102
RDS 04/12/2010 00:03:16 E 3666 2832 0x0 Received unknown attribute 102
RDS 04/12/2010 00:03:16 E 3666 2832 0x0 Received unknown attribute 102
RDS 04/12/2010 00:03:16 E 3666 2832 0x0 Received unknown attribute 102

...

I'd appreciate it if someone could help us to understand those entries and the behaviour!

Can you guys give us ideas what to do about it and where to look for it's cause?!

Thanks alot!

2 Accepted Solutions

Accepted Solutions

Hi, you can check this on the csradius file, from where you copied that messages.

If you want me to take a look, please set the ACS loglevel to "Full", wait a few hours and then  collect and upload here the complete file and I can take a look.

HTH,
Tiago

--

If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

View solution in original post

Hi,

Those messages look like a DDTS that was found on the 4.2.0.124.0 ACS.

Basically:


Logged-In-Users not updated for Ext-DB users with Disable dynamic users. The users are mapped to the correct group during authentication.
But during radius accounting the group mapping fails and it gets mapped to default group.
As it was never reported by any customer it is marked as internal found, so not visible to customers.


However, the latest patch has this issue fixed, so if you are running 4.2.0.124.0, you may want to apply the latest patch.

Regarding the IDs in bold, there is no decoding for those as they are are incremental IDs to simply identify the internal acs processes ans authnetication attempts. There is no specific decoding for them.

HTH,
Tiago

--

If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

View solution in original post

6 Replies 6

Tiago Antunes
Cisco Employee
Cisco Employee

Hi,

Tthe attribute ACS is complaining about is attr. 102 which corresponds to the attribute EAP-Key-Name [RFC4072].

Unfortunately it does not exist in the ACS Radius attributes library, and that is why the ACS complains it does not know it.

Tthe Radius attribute 102 (EAP-Key-Name) is defined in the RFC 4072 for "Diameter Extensible Authentication Protocol (EAP) Application" and it is not supported in ACS (Radius server). Since ACS does not support this attribute, we are getting the following error in the rds.log,

"E 3432 80152 0x0 Received unknown attribute 102"

Even in 5.x, this attribute is not supported.

Here you can find all the supported attributes in ACS 4.2:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2.1/User_Guide/A_RADAtr.html#wp148425.

HTH,

Tiago

--

If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

Thank you for your response!

Do you have any idea about how to find out what device(s) are talking to the ACS using 'Attribue 102'?

Thanks mate!

Hi, you can check this on the csradius file, from where you copied that messages.

If you want me to take a look, please set the ACS loglevel to "Full", wait a few hours and then  collect and upload here the complete file and I can take a look.

HTH,
Tiago

--

If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

G'day!

We ran the log level on "full" and, as you said, now we can see what devices use the attribute 102.  We'll take a look into the reason why these devices behave that way.

Thank you very much! I appreciate your quick and sophisticated help!

There's another kind of Log-events we're trying to figure out. Maybe you've also got an idea how to interpret these events?!

The following events happend some time ago. Hopefully they'll happen again while we're running on the "full" log level...

RDS 05/10/2010 00:01:28 E 6108 3864 0x0 Failed to get group info about user:host/HOSTNAME.prod.lokal - CSAuth client has passed userID with invalid id info
RDS 05/10/2010 00:01:28 E 5947 3864 0x0 Failed to update logged on list for host/HOSTNAME.prod.lokal (AS_ERR_USERID_INVALID)

We're using client certificates - that's why the username is "host/...".

And while I'm at it, I'd like to ask if there's some documentation where we can look up the meaning of those IDs marked with bold letters? Or at least I'd like to learn what they represent at all!?

Again, thanx for your support!!

Greetz

Roman

Hi,

Those messages look like a DDTS that was found on the 4.2.0.124.0 ACS.

Basically:


Logged-In-Users not updated for Ext-DB users with Disable dynamic users. The users are mapped to the correct group during authentication.
But during radius accounting the group mapping fails and it gets mapped to default group.
As it was never reported by any customer it is marked as internal found, so not visible to customers.


However, the latest patch has this issue fixed, so if you are running 4.2.0.124.0, you may want to apply the latest patch.

Regarding the IDs in bold, there is no decoding for those as they are are incremental IDs to simply identify the internal acs processes ans authnetication attempts. There is no specific decoding for them.

HTH,
Tiago

--

If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

Hi!

We updated the ACS recently to version to 4.2.1.15.3.

Though I don't know what version was running when the mentioned events were logged, I guess we won't get that message anymore in the future...

Thank you very much!

Greetz

Roman

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: