12-10-2010 04:57 AM - edited 03-10-2019 05:38 PM
G'Day Guys!
We're running 2 Cisco Secure ACS v4.2. In the CSRadius-logs about 90 percent of it looks like this:
...
RDS 04/12/2010 00:03:16 E 3666 5704 0x0 Received unknown attribute 102
RDS 04/12/2010 00:03:16 E 3666 5704 0x0 Received unknown attribute 102
RDS 04/12/2010 00:03:16 E 3666 5704 0x0 Received unknown attribute 102
RDS 04/12/2010 00:03:16 E 3666 5704 0x0 Received unknown attribute 102
RDS 04/12/2010 00:03:16 E 3666 5704 0x0 Received unknown attribute 102
RDS 04/12/2010 00:03:16 E 3666 2832 0x0 Received unknown attribute 102
RDS 04/12/2010 00:03:16 E 3666 2832 0x0 Received unknown attribute 102
RDS 04/12/2010 00:03:16 E 3666 2832 0x0 Received unknown attribute 102
...
I'd appreciate it if someone could help us to understand those entries and the behaviour!
Can you guys give us ideas what to do about it and where to look for it's cause?!
Thanks alot!
Solved! Go to Solution.
12-12-2010 11:53 PM
Hi, you can check this on the csradius file, from where you copied that messages.
If you want me to take a look, please set the ACS loglevel to "Full", wait a few hours and then collect and upload here the complete file and I can take a look.
HTH,
Tiago
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
12-13-2010 02:08 AM
Hi,
Those messages look like a DDTS that was found on the 4.2.0.124.0 ACS.
Basically:
Logged-In-Users not updated for Ext-DB users with Disable dynamic users. The users are mapped to the correct group during authentication.
But during radius accounting the group mapping fails and it gets mapped to default group.
As it was never reported by any customer it is marked as internal found, so not visible to customers.
However, the latest patch has this issue fixed, so if you are running 4.2.0.124.0, you may want to apply the latest patch.
Regarding the IDs in bold, there is no decoding for those as they are are incremental IDs to simply identify the internal acs processes ans authnetication attempts. There is no specific decoding for them.
HTH,
Tiago
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
12-10-2010 09:51 AM
Hi,
Tthe attribute ACS is complaining about is attr. 102 which corresponds to the attribute EAP-Key-Name [RFC4072].
Unfortunately it does not exist in the ACS Radius attributes library, and that is why the ACS complains it does not know it.
Tthe Radius attribute 102 (EAP-Key-Name) is defined in the RFC 4072 for "Diameter Extensible Authentication Protocol (EAP) Application" and it is not supported in ACS (Radius server). Since ACS does not support this attribute, we are getting the following error in the rds.log,
"E 3432 80152 0x0 Received unknown attribute 102"
Even in 5.x, this attribute is not supported.
Here you can find all the supported attributes in ACS 4.2:
HTH,
Tiago
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
12-12-2010 11:02 PM
Thank you for your response!
Do you have any idea about how to find out what device(s) are talking to the ACS using 'Attribue 102'?
Thanks mate!
12-12-2010 11:53 PM
Hi, you can check this on the csradius file, from where you copied that messages.
If you want me to take a look, please set the ACS loglevel to "Full", wait a few hours and then collect and upload here the complete file and I can take a look.
HTH,
Tiago
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
12-13-2010 01:45 AM
G'day!
We ran the log level on "full" and, as you said, now we can see what devices use the attribute 102. We'll take a look into the reason why these devices behave that way.
Thank you very much! I appreciate your quick and sophisticated help!
There's another kind of Log-events we're trying to figure out. Maybe you've also got an idea how to interpret these events?!
The following events happend some time ago. Hopefully they'll happen again while we're running on the "full" log level...
RDS 05/10/2010 00:01:28 E 6108 3864 0x0 Failed to get group info about user:host/HOSTNAME.prod.lokal - CSAuth client has passed userID with invalid id info
RDS 05/10/2010 00:01:28 E 5947 3864 0x0 Failed to update logged on list for host/HOSTNAME.prod.lokal (AS_ERR_USERID_INVALID)
We're using client certificates - that's why the username is "host/...".
And while I'm at it, I'd like to ask if there's some documentation where we can look up the meaning of those IDs marked with bold letters? Or at least I'd like to learn what they represent at all!?
Again, thanx for your support!!
Greetz
Roman
12-13-2010 02:08 AM
Hi,
Those messages look like a DDTS that was found on the 4.2.0.124.0 ACS.
Basically:
Logged-In-Users not updated for Ext-DB users with Disable dynamic users. The users are mapped to the correct group during authentication.
But during radius accounting the group mapping fails and it gets mapped to default group.
As it was never reported by any customer it is marked as internal found, so not visible to customers.
However, the latest patch has this issue fixed, so if you are running 4.2.0.124.0, you may want to apply the latest patch.
Regarding the IDs in bold, there is no decoding for those as they are are incremental IDs to simply identify the internal acs processes ans authnetication attempts. There is no specific decoding for them.
HTH,
Tiago
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
12-13-2010 02:39 AM
Hi!
We updated the ACS recently to version to 4.2.1.15.3.
Though I don't know what version was running when the mentioned events were logged, I guess we won't get that message anymore in the future...
Thank you very much!
Greetz
Roman
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide