Unsuccessful ACS to RADIUS token server exchange

rogelioalvez
Level 1

Hello team:

We are having a hard time trying to make our ACS 4.2 talk to an external FreeRadius token server.

When our ACS sends the Access-Request message, our FreeRadius token server answers with an Access-Accept message with zero attributes in the message. This answer, according to the ACS documentation, should be perfectly accepted by ACS when it works as a RADIUS client. However, our ACS considers this answer an error and so the transaction fails.

In order to compare with another platform working as the RADIUS server of our ACS, we replaced our FreeRadius token server with another CS ACS. With this scenario, everything works! So we sniffed the ACS-to-ACS transaction and found that two RADIUS attributes are sent with the Access-Accept message:

(1) Framed-IP = 255.255.255.255

(2) Class = 0x434143533a302f356662622f37663030303030312f31383133

We went back to our FreeRadius as the external RADIUS server of our ACS, and configured it to generate and return exactly the previous kind of message to the ACS working as RADIUS client. However, when our ACS receives the RADIUS Access-Accept with these attributes, it still rejects the answer and fails.

So we are missing something.

Did anyone manage to make ACS query an external RADIUS server with success? We would appreciate any hints!!

Thank you very much in advance.

Rogelio Alvez

Argentina
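As an added example (my own code, not from the post or from either product), here is how a RADIUS client validates an Access-Accept like the ACS-to-ACS one described above: it recomputes the Response Authenticator from RFC 2865 and decodes the Framed-IP-Address and Class attributes shown in the post. The request id 175 and the two attribute values are taken from the thread; the shared secret and Request Authenticator are constructed placeholders.

```python
import hashlib
import struct
from ipaddress import IPv4Address

# Constructed values (not from the thread): shared secret and Request Authenticator.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
ACCESS_ACCEPT = 2
FRAMED_IP_ADDRESS, CLASS = 8, 25


def build_access_accept(ident, request_auth, secret, attrs):
    """Encode an Access-Accept (RFC 2865); the Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_access_accept(packet, request_auth, secret):
    """Check the Response Authenticator with the client's own secret and decode
    the attributes; a NAS silently drops a reply that fails this check."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if expected != packet[4:20]:
        raise ValueError("Response Authenticator mismatch (shared secret?)")
    attrs, pos = {}, 0
    while pos < len(body):
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            raise ValueError("malformed attribute length")
        value = body[pos + 2:pos + alen]
        if atype == FRAMED_IP_ADDRESS:          # 4-octet address
            attrs["Framed-IP-Address"] = str(IPv4Address(value))
        elif atype == CLASS:                    # opaque octets; ACS uses ASCII
            attrs["Class"] = value.decode("ascii", "replace")
        else:
            attrs[atype] = value
        pos += alen
    return ident, attrs


# The two attributes the ACS-to-ACS Access-Accept carried, per the post above.
CLASS_HEX = "434143533a302f356662622f37663030303030312f31383133"
SAMPLE = build_access_accept(175, REQUEST_AUTH, SECRET, [
    (FRAMED_IP_ADDRESS, IPv4Address("255.255.255.255").packed),
    (CLASS, bytes.fromhex(CLASS_HEX)),
])
```

The Class value decodes to the ASCII session string "CACS:0/5fbb/7f000001/1813"; a wrong shared secret on either side fails the authenticator check before any attribute is looked at.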

12 Replies

Tarik Admani
VIP Alumni

Hi,

Can you post the packet capture of both devices?

Thanks,

Tarik Admani

Thanks for the interest Tarik!

Here you have the debug from both sides, ACS 4.2 and FreeRADIUS, for the same authentication event:

ACS Debug from a terminal monitor

2w1d: AAA/AUTHEN/CONT (4096347873): continue_login (user='(undef)')
2w1d: AAA/AUTHEN (4096347873): status = GETUSER
2w1d: AAA/AUTHEN (4096347873): Method=radius (radius)
2w1d: AAA/AUTHEN (4096347873): status = GETPASS
2w1d: AAA/AUTHEN/CONT (4096347873): continue_login (user='camara/829113')
2w1d: AAA/AUTHEN (4096347873): status = GETPASS
2w1d: AAA/AUTHEN (4096347873): Method=radius (radius)
2w1d: RADIUS: ustruct sharecount=1
2w1d: RADIUS: Initial Transmit tty7 id 175 192.168.0.3:1645, Access-Request, len 86
2w1d:         Attribute 4 6 C0A800CB
2w1d:         Attribute 5 6 00000007
2w1d:         Attribute 61 6 00000005
2w1d:         Attribute 1 15 63616D61
2w1d:         Attribute 31 15 3139322E
2w1d:         Attribute 2 18 893A4B64
2w1d: RADIUS: Received from id 175 192.168.0.3:1645, Access-Reject, len 32
2w1d:         Attribute 18 12 52656A65
2w1d: RADIUS: saved authorization data for user 80E8A88C at 0
2w1d: AAA/AUTHEN (4096347873): status = FAIL
2w1d: AAA/AUTHEN/ABORT: (4096347873) because Invalid password.
2w1d: AAA/MEMORY: free_user (0x80E8A88C) user='camara/829113' ruser='' port='tty7' rem_addr='192.168.0.202' authen_type=ASCII service=LOGIN priv=1
2w1d: AAA: parse name=tty7 idb type=-1 tty=-1
2w1d: AAA: name=tty7 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=7 channel=0
2w1d: AAA/MEMORY: create_user (0x80E8B920) user='' ruser='' port='tty7' rem_addr='192.168.0.202' authen_type=ASCII service=LOGIN priv=1
2w1d: AAA/AUTHEN/START (2072451976): port='tty7' list='pepe' action=LOGIN service=LOGIN
2w1d: AAA/AUTHEN/START (2072451976): found list pepe
2w1d: AAA/AUTHEN/START (2072451976): Method=radius (radius)
2w1d: AAA/AUTHEN (2072451976): status = GETUSER

Freeradius Debug

rad_recv: Access-Request packet from host 192.168.0.3 port 3912, id=23, length=94
    User-Name = "camara/829113"
    NAS-IP-Address = 192.168.0.3
    NAS-Port = 6372
    NAS-Identifier = "CiscoSecure ACS v4.2(0.124)"
    User-Password = "\277\241\340t\312/\2303^;\216\233\3618\2179"
# Executing section authorize from file /etc/freeradius/sites-enabled/vuserver
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]     expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.0.3/auth-detail-20120714
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.0.3/auth-detail-20120714
[auth_log]     expand: %t -> Sat Jul 14 18:42:32 2012
++[auth_log] returns ok
[IPASS] Looking up realm "camara" for User-Name = "camara/829113"
[IPASS] Found realm "DEFAULT"
[IPASS] Adding Stripped-User-Name = "829113"
[IPASS] Adding Realm = "DEFAULT"
[IPASS] Authentication realm is LOCAL.
++[IPASS] returns ok
[suffix] Request already proxied.  Ignoring.
++[suffix] returns ok
++[files] returns noop
++[control] returns noop
rlm_perl: Response: 201: Succeeded
rlm_perl: Added pair User-Name = camara/829113
rlm_perl: Added pair User-Password = \277\241\340t\312/\2303^;\216\233\3618\2179
rlm_perl: Added pair NAS-Identifier = CiscoSecure ACS v4.2(0.124)
rlm_perl: Added pair Realm = DEFAULT
rlm_perl: Added pair Stripped-User-Name = 829113
rlm_perl: Added pair NAS-Port = 6372
rlm_perl: Added pair NAS-IP-Address = 192.168.0.3
rlm_perl: Added pair Class = 0x434143533a302f3265662f37663030303030312f31383133
rlm_perl: Added pair Framed-IP-Address = 255.255.255.255
rlm_perl: Added pair Auth-Type = Perl
++[perl] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = Perl
# Executing group from file /etc/freeradius/sites-enabled/vuserver
+- entering group Perl {...}
rlm_perl: Added pair User-Name = camara/829113
rlm_perl: Added pair NAS-Identifier = CiscoSecure ACS v4.2(0.124)
rlm_perl: Added pair User-Password = \277\241\340t\312/\2303^;\216\233\3618\2179
rlm_perl: Added pair Realm = DEFAULT
rlm_perl: Added pair NAS-IP-Address = 192.168.0.3
rlm_perl: Added pair NAS-Port = 6372
rlm_perl: Added pair Stripped-User-Name = 829113
rlm_perl: Added pair Framed-IP-Address = 255.255.255.255
rlm_perl: Added pair Class = 0x434143533a302f3265662f37663030303030312f31383133
rlm_perl: Added pair Auth-Type = Perl
++[perl] returns ok
  WARNING: Empty post-auth section.  Using default return values.
# Executing section post-auth from file /etc/freeradius/sites-enabled/vuserver
Sending Access-Accept of id 23 to 192.168.0.3 port 3912
    Framed-IP-Address = 255.255.255.255
    Class = 0x434143533a302f3265662f37663030303030312f31383133
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 3 ID 23 with timestamp +575
Ready to process requests.

Inside the file archive.zip you'll find:

cap_freeradius.cap (communication sniffed between the ACS and the Freeradius)

captura2acsOK.pcapng (communication sniffed between the ACS 1 and the ACS 2 where everything is OK)

If you need more information or output please let me know.

Rogelio

Rogelio,

So here is what I follow in the pcap:

  • ACS ip = 192.160.0.3
  • freerad = 192.168.0.202
  • ACS2 = 192.168.0.2

In the pcap that you sent, "cap_freeradius.cap", are you using a RADIUS test utility? Because the NAS-IP-Address is the loopback. I just wanted to see if that could be an issue, since I know there are issues with devices that are NATted, and when the NAS-IP-Address and the source of the RADIUS request don't match that can cause some issues.

What we need in this case are the debug logs from the ACS, not the terminal monitor output of the device you sent in the first message. Can you please check whether full-level logging is configured on the ACS: Service Control > Logging > Full (this will restart the ACS services if you make the change)? Once you reproduce the issue, please take another pcap. If this is on a Windows server you can search for the RDS.log file; if this is an appliance, take a support package and make sure the log box is checked. Here is more info on this:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SCBasic.html#wp288165

Thanks,

Tarik Admani

Hi Tarik! Thanks Again.

The ACS2 is the 192.168.0.200

We are using the radtest command or the telnet command to the 192.168.0.203 (AAA client). We have a little (and old) 1700 router that we are using as an AAA client; maybe this is what you are seeing. If you want, we can connect directly to the ACS.

I checked the log level and now it is set to Full.

And I made a telnet through the router; that telnet connects to the ACS 1 and this forwards the authentication to the Freeradius.

Right now we are working remotely (the facilities are far from here) and have a cut to the remote site. When the site goes online again I'll attach the files. So sorry, but on Sunday security doesn't have access to the datacenter. We really appreciate your help.

Thanks!

No problem, send those over when you can.

Hi Tarik! We are online again.

Here you have all the debug files from two unsuccessful authentication tests:

RDS.log - the full log from the ACS 4.2

captureACS42server.pcapng - Live sniff from the process

Failed Attempts active.csv - The authentication error at the ACS 4.2

output.rtf - Both Freeradius and the Terminal Monitor from the 1700 router so you can double check

The user was "camara" both times.

Please let us know if you need something more, and thank you!

Rogelio

Rogelio,

It looks like you are hitting a bug on the ACS side: in the pcap we see the packet coming in, but the RDS logs do not show the packet leaving the ACS and report an error condition. Please open a TAC case and provide the same information that you sent to me.

Thanks,

Tarik Admani
*Please rate helpful posts*

Thanks Tarik, this is a big issue! Would have to be proud of? =)

Can you please tell me which is the packet, so I can give the detailed information to the TAC rep?

Thanks again!

Rogelio

Sure,

Packets 407, 420, 422, 423, and 427 are the conversation we are tracking.

Here is the conversation in the rds.log (please follow up with us on what TAC finds so this can be archived for future users):

RDS 07/16/2012 08:54:53 D 7457 3340 0x0 NAS: First Request (RequestID:Port) 178:27910 inserted to the lookup table.
RDS 07/16/2012 08:54:53 D 0300 3340 0x0 Request from host 192.168.0.203:1645 code=1, id=178, length=86 on port 1645
RDS 07/16/2012 08:54:53 I 3433 3340 0x0     [004] NAS-IP-Address                      value:  192.168.0.203
RDS 07/16/2012 08:54:53 I 3408 3340 0x0     [005] NAS-Port                            value:  6
RDS 07/16/2012 08:54:53 I 3408 3340 0x0     [061] NAS-Port-Type                       value:  5
RDS 07/16/2012 08:54:53 I 3390 3340 0x0     [001] User-Name                           value:  camara/127519
RDS 07/16/2012 08:54:53 I 3390 3340 0x0     [031] Calling-Station-Id                  value:  192.168.0.202
RDS 07/16/2012 08:54:53 I 3390 3340 0x0     [002] User-Password                       value:  B0 DC 3D 06 49 05 98 03 EB 9E 15 83 E6 15 9C 1B
RDS 07/16/2012 08:54:53 I 0303 3340 0x0 ExtensionPoint: Initiating scan of configured extension points...
RDS 07/16/2012 08:54:53 I 0322 3340 0x0 ExtensionPoint: Supplier [Cisco Aironet] not associated with vendor [RADIUS (IETF)], skipping...
RDS 07/16/2012 08:54:53 I 0336 3340 0x0 ExtensionPoint: Calling [AuthenticationExtension] for Supplier [Cisco Generic EAP]
RDS 07/16/2012 08:54:53 I 0581 3340 0x0 ExtensionPoint: [Generic EAP] Missing EAP-Message, ignoring...
RDS 07/16/2012 08:54:53 I 0356 3340 0x0 ExtensionPoint: [GenericEAP.dll->AuthenticationExtension] returned [1 - ignored]
RDS 07/16/2012 08:54:53 I 0322 3340 0x0 ExtensionPoint: Supplier [Cisco Downloadable ACLs] not associated with vendor [RADIUS (IETF)], skipping...
RDS 07/16/2012 08:54:53 I 0336 3340 0x0 ExtensionPoint: Calling [AuthenticationExtension] for Supplier [Cisco Shared RACs]
RDS 07/16/2012 08:54:53 I 0356 3340 0x0 ExtensionPoint: [RadiusSpc.dll->AuthenticationExtension] returned [1 - ignored]
RDS 07/16/2012 08:54:53 I 0336 3340 0x0 ExtensionPoint: Calling [AuthenticationExtension] for Supplier [Cisco Dynamic Session Dll]
RDS 07/16/2012 08:54:53 I 0356 3340 0x0 ExtensionPoint: [DynaSession.dll->AuthenticationExtension] returned [1 - ignored]
RDS 07/16/2012 08:54:58 D 7524 3348 0x0 NAS: 192.168.0.203:27910 re-trying message 178 (count 2), Ignoring
RDS 07/16/2012 08:55:03 D 7524 3348 0x0 NAS: 192.168.0.203:27910 re-trying message 178 (count 3), Ignoring
RDS 07/16/2012 08:55:03 P 2980 3340 0x0 User:camara/127519 - External database reported error during authentication
RDS 07/16/2012 08:55:03 D 4668 3340 0x0 Sending response code 3, id 178 to 192.168.0.203 on port 1645
RDS 07/16/2012 08:55:03 I 3390 3340 0x0     [018] Reply-Message                       value:  Rejected..
RDS 07/16/2012 08:55:03 D 7559 3340 0x0 NAS: 192.168.0.203:27910:178 Cleaning lookup entry.

Thanks and good luck!

Tarik Admani
*Please rate helpful posts*

Be sure of that, I'll keep all informed.

Thanks a lot!

Rogelio

Just to complete the information:

Summary of the infrastructure:

Client computer (Telnet) -> Cisco 1700 Router (AAA client) -> Cisco Secure ACS 4.2 (AAA server) -> Freeradius + Token Server (RADIUS server) -> Active Directory (AD)

Software versions and modules:

ACS SERVER

CiscoSecure ACS
Release 4.2(0) Build 124 Patch 17

Microsoft Windows Server 2003 R2

Enterprise Edition

Service Pack 2

RADIUS SERVER

Distributor ID:          Debian

Description:          Debian GNU/Linux 6.0.3 (squeeze)

Release:          6.0.3

Codename:          squeeze

Linux 2.6.32-5-686 i686

Freeradius

Version 2.1.10, for host i486-pc-linux-gnu, built on Nov 14 2010 at 20:41:03

Tarik,

The advice was to move to 4.2.1, so we are going to do that tonight. I'll let you know tomorrow.

Rogelio
