07-14-2012 02:56 PM - edited 03-10-2019 07:18 PM
Hello team:
We are having a hard time trying to make our ACS 4.2 talk to an external FreeRadius token server.
When our ACS sends the Access-Request message, our FreeRadius token server answers with an Access-Accept message with zero attributes in the message. This answer, according to ACS documentation, should be perfectly accepted by ACS when it works as a RADIUS client. However, our ACS considers this answer an error and so the transaction fails.
In order to compare with another platform working as RADIUS server, we replaced our FreeRadius token server with another CS ACS. With this scenario, everything works! So we sniffed the ACS-to-ACS transaction and found that two RADIUS attributes are sent with the Access-Accept message:
(1) Framed-IP = 255.255.255.255
(2) Class = 0x434143533a302f356662622f37663030303030312f31383133
We went back to our FreeRadius as the external RADIUS server of our ACS, and managed to make it generate and return exactly the previous kind of message to the ACS working as RADIUS client; however, when our ACS receives the RADIUS Access-Accept with these attributes, it still rejects the answer and fails.
So we are missing something.
Did anyone manage to make ACS query an external RADIUS server successfully? We would appreciate any hints!
Thank you very much in advance.
Rogelio Alvez
Argentina
07-14-2012 04:13 PM
Hi,
Can you post the packet captures from both devices?
Thanks,
Tarik Admani
07-14-2012 05:47 PM
Thanks for the interest Tarik!
Here is the debug from both sides, ACS 4.2 and Freeradius, for the same authentication event:
ACS Debug from a terminal monitor
2w1d: AAA/AUTHEN/CONT (4096347873): continue_login (user='(undef)')
2w1d: AAA/AUTHEN (4096347873): status = GETUSER
2w1d: AAA/AUTHEN (4096347873): Method=radius (radius)
2w1d: AAA/AUTHEN (4096347873): status = GETPASS
2w1d: AAA/AUTHEN/CONT (4096347873): continue_login (user='camara/829113')
2w1d: AAA/AUTHEN (4096347873): status = GETPASS
2w1d: AAA/AUTHEN (4096347873): Method=radius (radius)
2w1d: RADIUS: ustruct sharecount=1
2w1d: RADIUS: Initial Transmit tty7 id 175 192.168.0.3:1645, Access-Request, len 86
2w1d: Attribute 4 6 C0A800CB
2w1d: Attribute 5 6 00000007
2w1d: Attribute 61 6 00000005
2w1d: Attribute 1 15 63616D61
2w1d: Attribute 31 15 3139322E
2w1d: Attribute 2 18 893A4B64
2w1d: RADIUS: Received from id 175 192.168.0.3:1645, Access-Reject, len 32
2w1d: Attribute 18 12 52656A65
2w1d: RADIUS: saved authorization data for user 80E8A88C at 0
2w1d: AAA/AUTHEN (4096347873): status = FAIL
2w1d: AAA/AUTHEN/ABORT: (4096347873) because Invalid password.
2w1d: AAA/MEMORY: free_user (0x80E8A88C) user='camara/829113' ruser='' port='tty7' rem_addr='192.168.0.202' authen_type=ASCII service=LOGIN priv=1
2w1d: AAA: parse name=tty7 idb type=-1 tty=-1
2w1d: AAA: name=tty7 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=7 channel=0
2w1d: AAA/MEMORY: create_user (0x80E8B920) user='' ruser='' port='tty7' rem_addr='192.168.0.202' authen_type=ASCII service=LOGIN priv=1
2w1d: AAA/AUTHEN/START (2072451976): port='tty7' list='pepe' action=LOGIN service=LOGIN
2w1d: AAA/AUTHEN/START (2072451976): found list pepe
2w1d: AAA/AUTHEN/START (2072451976): Method=radius (radius)
2w1d: AAA/AUTHEN (2072451976): status = GETUSER
Freeradius Debug
rad_recv: Access-Request packet from host 192.168.0.3 port 3912, id=23, length=94
User-Name = "camara/829113"
NAS-IP-Address = 192.168.0.3
NAS-Port = 6372
NAS-Identifier = "CiscoSecure ACS v4.2(0.124)"
User-Password = "\277\241\340t\312/\2303^;\216\233\3618\2179"
# Executing section authorize from file /etc/freeradius/sites-enabled/vuserver
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.0.3/auth-detail-20120714
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.0.3/auth-detail-20120714
[auth_log] expand: %t -> Sat Jul 14 18:42:32 2012
++[auth_log] returns ok
[IPASS] Looking up realm "camara" for User-Name = "camara/829113"
[IPASS] Found realm "DEFAULT"
[IPASS] Adding Stripped-User-Name = "829113"
[IPASS] Adding Realm = "DEFAULT"
[IPASS] Authentication realm is LOCAL.
++[IPASS] returns ok
[suffix] Request already proxied. Ignoring.
++[suffix] returns ok
++[files] returns noop
++[control] returns noop
rlm_perl: Response: 201: Succeeded
rlm_perl: Added pair User-Name = camara/829113
rlm_perl: Added pair User-Password = \277\241\340t\312/\2303^;\216\233\3618\2179
rlm_perl: Added pair NAS-Identifier = CiscoSecure ACS v4.2(0.124)
rlm_perl: Added pair Realm = DEFAULT
rlm_perl: Added pair Stripped-User-Name = 829113
rlm_perl: Added pair NAS-Port = 6372
rlm_perl: Added pair NAS-IP-Address = 192.168.0.3
rlm_perl: Added pair Class = 0x434143533a302f3265662f37663030303030312f31383133
rlm_perl: Added pair Framed-IP-Address = 255.255.255.255
rlm_perl: Added pair Auth-Type = Perl
++[perl] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = Perl
# Executing group from file /etc/freeradius/sites-enabled/vuserver
+- entering group Perl {...}
rlm_perl: Added pair User-Name = camara/829113
rlm_perl: Added pair NAS-Identifier = CiscoSecure ACS v4.2(0.124)
rlm_perl: Added pair User-Password = \277\241\340t\312/\2303^;\216\233\3618\2179
rlm_perl: Added pair Realm = DEFAULT
rlm_perl: Added pair NAS-IP-Address = 192.168.0.3
rlm_perl: Added pair NAS-Port = 6372
rlm_perl: Added pair Stripped-User-Name = 829113
rlm_perl: Added pair Framed-IP-Address = 255.255.255.255
rlm_perl: Added pair Class = 0x434143533a302f3265662f37663030303030312f31383133
rlm_perl: Added pair Auth-Type = Perl
++[perl] returns ok
WARNING: Empty post-auth section. Using default return values.
# Executing section post-auth from file /etc/freeradius/sites-enabled/vuserver
Sending Access-Accept of id 23 to 192.168.0.3 port 3912
Framed-IP-Address = 255.255.255.255
Class = 0x434143533a302f3265662f37663030303030312f31383133
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 3 ID 23 with timestamp +575
Ready to process requests.
Inside the file archive.zip you'll find:
cap_freeradius.cap (communication sniffed between the ACS and the Freeradius)
captura2acsOK.pcapng (communication sniffed between the ACS 1 and the ACS 2, where everything is OK)
If you need more information or output please let me know.
Rogelio
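Both halves of the exchange discussed in this thread, as an added example that is not from any post here and is not Cisco ACS or FreeRADIUS code: the Access-Request with the hidden User-Password seen in the Freeradius debug above, and the Access-Accept carrying Framed-IP-Address and Class as described in the first post. It also shows the Response Authenticator check that RFC 2865 requires of every RADIUS client before it honours a reply, which is the step a client such as ACS evaluates when an Accept arrives: a shared-secret mismatch or a modified attribute fails the check and the reply is discarded regardless of which attributes it carries. The shared secret and Request Authenticator are constructed values, the attribute set is reduced to the ones the thread mentions, and the two Class hex strings are the ones quoted above.

```python
"""RFC 2865 Access-Request / Access-Accept round trip (added example, runs offline).
Shared secret and Request Authenticator are constructed values; the two Class
values are the ones quoted in this thread; the attribute set is reduced."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS, CLASS = 1, 2, 4, 8, 25

SECRET = b"constructed-shared-secret"     # constructed, not the thread's secret
REQUEST_AUTHENTICATOR = bytes(range(16))  # constructed; real clients send 16 random bytes

# Class values as quoted in the thread (ACS-to-ACS capture, FreeRADIUS debug).
CLASS_ACS_HEX = "434143533a302f356662622f37663030303030312f31383133"
CLASS_FREERADIUS_HEX = "434143533a302f3265662f37663030303030312f31383133"

def xor_password(data, secret, req_auth, hiding):
    """RFC 2865 5.2 User-Password: pad to 16-byte blocks and XOR each with
    MD5(secret + previous block), the Request Authenticator seeding the chain.
    The chain runs over the hidden blocks, so hiding and revealing differ only
    in which block becomes 'previous'."""
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        xored = bytes(a ^ b for a, b in zip(block, key))
        out += xored
        prev = xored if hiding else block
    return out if hiding else out.rstrip(b"\x00")

def encode_attrs(attrs):
    """Attributes are Type(1) Length(1, header included) Value."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out

def decode_attrs(data):
    """Parse TLVs, rejecting any length that would run past the buffer."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs

def build_request(ident, req_auth, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body

def build_response(code, ident, req_auth, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body

def verify_response(packet, req_auth, secret):
    """The check a RADIUS client makes before honouring any reply: a wrong
    secret or a tampered attribute fails it and the reply is silently dropped."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + req_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def decode_class(hex_value):
    """Class is opaque to the client; ACS happens to fill it with ASCII."""
    return bytes.fromhex(hex_value).decode("ascii")

def demo():
    """Round trip with the thread's attribute set; returns the verdicts."""
    hidden = xor_password(b"829113", SECRET, REQUEST_AUTHENTICATOR, hiding=True)
    request = build_request(23, REQUEST_AUTHENTICATOR, [
        (USER_NAME, b"camara/829113"),
        (USER_PASSWORD, hidden),
        (NAS_IP_ADDRESS, bytes([192, 168, 0, 3]))])
    accept = build_response(ACCESS_ACCEPT, 23, REQUEST_AUTHENTICATOR, [
        (FRAMED_IP_ADDRESS, bytes([255, 255, 255, 255])),
        (CLASS, bytes.fromhex(CLASS_FREERADIUS_HEX))], SECRET)
    tampered = accept[:-1] + bytes([accept[-1] ^ 0x01])  # flip one Class byte
    return {
        "request_len": len(request),
        "password_roundtrip": xor_password(hidden, SECRET, REQUEST_AUTHENTICATOR, hiding=False),
        "accept_verifies": verify_response(accept, REQUEST_AUTHENTICATOR, SECRET),
        "accept_wrong_secret": verify_response(accept, REQUEST_AUTHENTICATOR, b"other-secret"),
        "accept_tampered": verify_response(tampered, REQUEST_AUTHENTICATOR, SECRET),
        "accept_attrs": decode_attrs(accept[20:]),
        "class_acs": decode_class(CLASS_ACS_HEX),
        "class_freeradius": decode_class(CLASS_FREERADIUS_HEX),
    }
```

Calling demo() shows that both quoted Class values decode to printable strings of the form CACS:...; decoding them is for inspection only, since a RADIUS client treats Class as opaque and simply echoes it in Accounting-Request packets. To run verify_response against a real capture, feed it the exact bytes of the reply and the Request Authenticator from the Access-Request with the same id, which is why the pcap and the server-side log have to be read together.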
07-14-2012 07:16 PM
Rogelio,
So here is what I follow in the pcap:
In the pcap that you sent, "cap_freeradius.cap", are you using a RADIUS test utility? Because the NAS-IP-Address is the loopback. I just wanted to see if that could be an issue, since I know there are issues with devices that are NATed, and when the NAS-IP-Address and the source of the RADIUS request don't match that can cause some issues.
What we need in this case is the debug logs from the ACS, and not the terminal monitor or the device you sent in the first message. Can you please see if full-level logging is configured on the ACS: Service Control > Logging > Full (this will restart the ACS services if you make the change). Once you reproduce the issue please take another pcap; if this is on a Windows server you can search for the RDS.log file, or if this is an appliance, take a support package and make sure the log box is checked. Here is more info on this:
Thanks,
Tarik Admani
07-15-2012 09:20 AM
Hi Tarik! Thanks Again.
The ACS2 is the 192.168.0.200
We are using the radtest command or the telnet command to the 192.168.0.203 (AAA client). We have a little (and old) 1700 router that we are using as an AAA client; maybe this is what you are seeing. If you want, we can connect directly to the ACS.
I checked the log level and it is now set to Full.
And I made a telnet through the router; that telnet connects to the ACS 1 and this forwards the authentication to the Freeradius.
Right now we are working remotely (the facilities are far from here) and have a cut to the remote site; when the site comes online again I'll attach the files. So sorry, but on Sunday security doesn't have access to the datacenter. We really appreciate your help.
Thanks!
07-15-2012 10:03 AM
No problem, send those over when you can.
07-16-2012 05:10 AM
Hi Tarik! We are online again.
Here you have all the debug files from two unsuccessful authentication tests:
RDS.log - the full log from the ACS 4.2
captureACS42server.pcapng - Live sniff from the process
Failed Attempts active.csv - The authentication error at the ACS 4.2
output.rtf - Both Freeradius and the Terminal Monitor from the 1700 router so you can double check
The user was "camara" both times.
Please let us know if you need something more, and thank you!
Rogelio
07-16-2012 08:15 AM
Rogelio,
It looks like you are hitting a bug on the ACS side: in the pcap we see the packet coming in, but the RDS.log does not show the packet leaving the ACS and reports an error condition. Please open a TAC case and provide the same information that you sent to me.
Thanks,
Tarik Admani
*Please rate helpful posts*
07-16-2012 08:34 AM
Thanks Tarik, this is a big issue! Would have to be proud of? =)
Can you please tell me which is the packet, so I can give the detailed information to the TAC rep?
Thanks again!
Rogelio
07-16-2012 08:40 AM
Sure,
Packets 407, 420, 422, 423, and 427 are the conversation we are tracking.
Here is the conversation in the RDS.log (please follow up with us on what TAC finds so this can be archived for future users):
RDS 07/16/2012 08:54:53 D 7457 3340 0x0 NAS: First Request (RequestID:Port) 178:27910 inserted to the lookup table.
RDS 07/16/2012 08:54:53 D 0300 3340 0x0 Request from host 192.168.0.203:1645 code=1, id=178, length=86 on port 1645
RDS 07/16/2012 08:54:53 I 3433 3340 0x0 [004] NAS-IP-Address value: 192.168.0.203
RDS 07/16/2012 08:54:53 I 3408 3340 0x0 [005] NAS-Port value: 6
RDS 07/16/2012 08:54:53 I 3408 3340 0x0 [061] NAS-Port-Type value: 5
RDS 07/16/2012 08:54:53 I 3390 3340 0x0 [001] User-Name value: camara/127519
RDS 07/16/2012 08:54:53 I 3390 3340 0x0 [031] Calling-Station-Id value: 192.168.0.202
RDS 07/16/2012 08:54:53 I 3390 3340 0x0 [002] User-Password value: B0 DC 3D 06 49 05 98 03 EB 9E 15 83 E6 15 9C 1B
RDS 07/16/2012 08:54:53 I 0303 3340 0x0 ExtensionPoint: Initiating scan of configured extension points...
RDS 07/16/2012 08:54:53 I 0322 3340 0x0 ExtensionPoint: Supplier [Cisco Aironet] not associated with vendor [RADIUS (IETF)], skipping...
RDS 07/16/2012 08:54:53 I 0336 3340 0x0 ExtensionPoint: Calling [AuthenticationExtension] for Supplier [Cisco Generic EAP]
RDS 07/16/2012 08:54:53 I 0581 3340 0x0 ExtensionPoint: [Generic EAP] Missing EAP-Message, ignoring...
RDS 07/16/2012 08:54:53 I 0356 3340 0x0 ExtensionPoint: [GenericEAP.dll->AuthenticationExtension] returned [1 - ignored]
RDS 07/16/2012 08:54:53 I 0322 3340 0x0 ExtensionPoint: Supplier [Cisco Downloadable ACLs] not associated with vendor [RADIUS (IETF)], skipping...
RDS 07/16/2012 08:54:53 I 0336 3340 0x0 ExtensionPoint: Calling [AuthenticationExtension] for Supplier [Cisco Shared RACs]
RDS 07/16/2012 08:54:53 I 0356 3340 0x0 ExtensionPoint: [RadiusSpc.dll->AuthenticationExtension] returned [1 - ignored]
RDS 07/16/2012 08:54:53 I 0336 3340 0x0 ExtensionPoint: Calling [AuthenticationExtension] for Supplier [Cisco Dynamic Session Dll]
RDS 07/16/2012 08:54:53 I 0356 3340 0x0 ExtensionPoint: [DynaSession.dll->AuthenticationExtension] returned [1 - ignored]
RDS 07/16/2012 08:54:58 D 7524 3348 0x0 NAS: 192.168.0.203:27910 re-trying message 178 (count 2), Ignoring
RDS 07/16/2012 08:55:03 D 7524 3348 0x0 NAS: 192.168.0.203:27910 re-trying message 178 (count 3), Ignoring
RDS 07/16/2012 08:55:03 P 2980 3340 0x0 User:camara/127519 - External database reported error during authentication
RDS 07/16/2012 08:55:03 D 4668 3340 0x0 Sending response code 3, id 178 to 192.168.0.203 on port 1645
RDS 07/16/2012 08:55:03 I 3390 3340 0x0 [018] Reply-Message value: Rejected..
RDS 07/16/2012 08:55:03 D 7559 3340 0x0 NAS: 192.168.0.203:27910:178 Cleaning lookup entry.
Thanks and good luck!
Tarik Admani
*Please rate helpful posts*
07-16-2012 08:52 AM
Be sure of that, I will keep everyone informed.
Thanks a lot!
Rogelio
07-16-2012 08:54 AM
Just to complete the information:
Summary of the infrastructure:
Client computer (Telnet) -> Cisco 1700 Router (AAA Client) -> Cisco Secure ACS 4.2 (AAA Server) -> Freeradius + Token Server (RADIUS Server) -> Active Directory (AD)
Software versions and modules:
ACS SERVER
CiscoSecure ACS
Release 4.2(0) Build 124 Patch 17
Microsoft Windows Server 2003 R2
Enterprise Edition
Service Pack 2
RADIUS SERVER
Distributor ID: Debian
Description: Debian GNU/Linux 6.0.3 (squeeze)
Release: 6.0.3
Codename: squeeze
Linux 2.6.32-5-686 i686
Freeradius
Version 2.1.10, for host i486-pc-linux-gnu, built on Nov 14 2010 at 20:41:03
07-16-2012 02:41 PM
Tarik,
The advice was to move to 4.2.1, so we are going to do that tonight. I'll let you know tomorrow.
Rogelio