NPS authentication to ASA not working

tyler.perkey
Level 1

Hi All,

We have NPS configured to authenticate access to our ASA and it does not appear to be working properly.  The NPS logs indicate I was granted access, and they reflect the policy I created in the log details, but the ASA rejects the login.  Debug from the ASA is below:

COLO-asa/pri/act# radius mkreq: 0x41
alloc_rip 0x00002aaac34c4980
new request 0x41 --> 51 (0x00002aaac34c4980)
got user 'tylerperkey'
got password
add_req 0x00002aaac34c4980 session 0x41 id 51
RADIUS_REQUEST
radius.c: rad_mkpkt
rad_mkpkt: ip:source-ip=MYIPADDRESS

RADIUS packet decode (authentication request)

--------------------------------------
Raw packet data (length = 137).....
01 33 00 89 8d f3 58 92 90 bb 63 e1 27 f7 c7 6b | .3....X...c.'..k
4a 3e 3d 3e 01 0d 74 79 6c 65 72 70 65 72 6b 65 | J>=>..tylerperke
79 02 12 84 27 bb 8d 25 0d c7 4a 1e f2 4c 1f 9d | y...'..%..J..L..
5d 85 76 04 06 43 d4 0b 11 05 06 00 00 00 24 3d | ].v..C........$=
06 00 00 00 05 1a 21 00 00 00 09 01 1b 69 70 3a | ......!......ip:
73 6f 75 72 63 65 2d 69 70 3d 36 34 2e 32 35 32 | source-ip=64.252
2e 35 32 2e 37 30 1f 0e 36 34 2e 32 35 32 2e 35 | .52.70..64.252.5
32 2e 37 30 1a 15 00 00 00 09 01 0f 63 6f 61 2d | 2.70........coa-
70 75 73 68 3d 74 72 75 65 | push=true

Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 51 (0x33)
Radius: Length = 137 (0x0089)
Radius: Vector: 8DF3589290BB63E127F7C76B4A3E3D3E
Radius: Type = 1 (0x01) User-Name
Radius: Length = 13 (0x0D)
Radius: Value (String) =
74 79 6c 65 72 70 65 72 6b 65 79 | tylerperkey
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
84 27 bb 8d 25 0d c7 4a 1e f2 4c 1f 9d 5d 85 76 | .'..%..J..L..].v
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = ASA-INSIDE IP(0x43D40B11)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x24
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 33 (0x21)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 27 (0x1B)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 36 34 2e | ip:source-ip=64.
32 35 32 2e 35 32 2e 37 30 | 252.52.70
Radius: Type = 31 (0x1F) Calling-Station-Id
Radius: Length = 14 (0x0E)
Radius: Value (String) =
36 34 2e 32 35 32 2e 35 32 2e 37 30 | 64.252.52.70
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 21 (0x15)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 15 (0x0F)
Radius: Value (String) =
63 6f 61 2d 70 75 73 68 3d 74 72 75 65 | coa-push=true
send pkt 10.50.99.11/1812
rip 0x00002aaac34c4980 state 7 id 51
rad_vrfy() : response message verified
rip 0x00002aaac34c4980
: chall_state ''
: state 0x7
: reqauth:
8d f3 58 92 90 bb 63 e1 27 f7 c7 6b 4a 3e 3d 3e
: info 0x00002aaac34c4ac0
session_id 0x41
request_id 0x33
user 'tylerperkey'
response '***'
app 0
reason 0
skey 'nomiddleman'
sip 10.50.99.11
type 1

RADIUS packet decode (response)

--------------------------------------
Raw packet data (length = 121).....
02 33 00 79 6c 90 9e 89 5c 6a 45 1c 98 8e a5 37 | .3.yl...\jE....7
31 68 ee 5b 06 06 00 00 00 06 19 2e 51 45 05 3a | 1h.[........QE.:
00 00 01 37 00 01 02 00 0a 32 63 0b 00 00 00 00 | ...7.....2c.....
00 00 00 00 00 00 00 00 01 d8 f3 14 ee 0c ca a6 | ................
00 00 00 00 00 00 00 0a 1a 19 00 00 00 09 01 13 | ................
73 68 65 6c 6c 3a 70 72 69 76 2d 6c 76 6c 3d 31 | shell:priv-lvl=1
35 1a 0c 00 00 01 37 0e 06 00 00 00 32 1a 0c 00 | 5.....7.....2...
00 01 37 0f 06 00 00 00 78 | ..7.....x

Parsed packet data.....
Radius: Code = 2 (0x02)
Radius: Identifier = 51 (0x33)
Radius: Length = 121 (0x0079)
Radius: Vector: 6C909E895C6A451C988EA5373168EE5B
Radius: Type = 6 (0x06) Service-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x6
Radius: Type = 25 (0x19) Class
Radius: Length = 46 (0x2E)
Radius: Value (String) =
51 45 05 3a 00 00 01 37 00 01 02 00 0a 32 63 0b | QE.:...7.....2c.
00 00 00 00 00 00 00 00 00 00 00 00 01 d8 f3 14 | ................
ee 0c ca a6 00 00 00 00 00 00 00 0a | ............
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 25 (0x19)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 19 (0x13)
Radius: Value (String) =
73 68 65 6c 6c 3a 70 72 69 76 2d 6c 76 6c 3d 31 | shell:priv-lvl=1
35 | 5
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 12 (0x0C)
Radius: Vendor ID = 311 (0x00000137)
Radius: Type = 14 (0x0E) Unknown
Radius: Length = 6 (0x06)
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 12 (0x0C)
Radius: Vendor ID = 311 (0x00000137)
Radius: Type = 15 (0x0F) Unknown
Radius: Length = 6 (0x06)
rad_procpkt: ACCEPT
Got AV-Pair with value shell:priv-lvl=15
RADIUS_ACCESS_ACCEPT: normal termination
RADIUS_DELETE
remove_req 0x00002aaac34c4980 session 0x41 id 51
free_rip 0x00002aaac34c4980
radius: send queue empty
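The Access-Accept from the debug above, decoded independently, as an added example that is not code from the post, from Cisco or from Microsoft. The packet bytes and the Request Authenticator are transcribed from the debug; the vendor attribute names come from RFC 2865 and RFC 2548 (the two attributes the ASA printed as `Unknown` under vendor 311 are MS-Link-Utilization-Threshold (14) and MS-Link-Drop-Time-Limit (15), the NPS defaults of 50 percent and 120 seconds); the shared secret and passwords used are constructed for the demonstration. Besides parsing the attributes NPS returned (Service-Type 6 = Administrative-User, Cisco AV-pair `shell:priv-lvl=15`), it re-implements the Response Authenticator check that `rad_vrfy()` performs and the RFC 2865 User-Password hiding scheme, which the same shared secret reverses.

```python
"""RFC 2865 decoder for the Access-Accept in the post, plus the two
secret-dependent computations the debug output makes reviewable: the
Response Authenticator check and the User-Password hiding scheme.

Added example, not code from the post, from Cisco or from Microsoft.
Packet bytes are transcribed from the ASA debug above; every secret
and password used below is constructed for the demonstration."""
import hashlib
import hmac
import struct
from typing import Any, Dict, List, Tuple

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 11: "Access-Challenge"}
SERVICE_TYPES = {6: "Administrative-User", 7: "NAS-Prompt-User"}
VSA_NAMES = {(9, 1): "Cisco-AV-pair",                     # vendor 9 = Cisco
             (311, 14): "MS-Link-Utilization-Threshold",  # vendor 311 = Microsoft
             (311, 15): "MS-Link-Drop-Time-Limit"}        # both per RFC 2548

# Access-Accept (id 51, 121 bytes) and the Request Authenticator of the
# Access-Request it answers, both transcribed from the debug in the post.
ACCEPT = bytes.fromhex(
    "02330079" "6c909e895c6a451c988ea5373168ee5b"
    "0606" "00000006"
    "192e" "5145053a00000137000102000a32630b"
    "000000000000000000000000" "01d8f314" "ee0ccaa6" "00000000" "0000000a"
    "1a19" "00000009" "0113" "7368656c6c3a707269762d6c766c3d3135"
    "1a0c" "00000137" "0e06" "00000032"
    "1a0c" "00000137" "0f06" "00000078")
REQUEST_AUTH = bytes.fromhex("8df3589290bb63e127f7c76b4a3e3d3e")


def parse_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk the type(1) length(1) value TLV list, rejecting bad lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def parse_vsa(value: bytes) -> Tuple[int, int, bytes]:
    """Vendor-Specific (26): vendor-id(4), then vendor-type(1) vendor-len(1) value."""
    if len(value) < 6:
        raise ValueError("short Vendor-Specific attribute")
    vendor = struct.unpack("!I", value[:4])[0]
    vtype, vlen = value[4], value[5]
    if vlen < 2 or vlen != len(value) - 4:
        raise ValueError("vendor length does not match attribute length")
    return vendor, vtype, value[6:4 + vlen]


def decode(packet: bytes) -> Dict[str, Any]:
    """Decode header and attributes; integer-valued attributes become ints."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"length field {length} != {len(packet)} bytes received")
    out: Dict[str, Any] = {"code": RADIUS_CODES.get(code, code), "id": ident,
                           "authenticator": packet[4:20].hex(), "attrs": []}
    for atype, value in parse_attributes(packet[20:]):
        if atype == 6:                                   # Service-Type
            st = int.from_bytes(value, "big")
            out["attrs"].append(("Service-Type", SERVICE_TYPES.get(st, st)))
        elif atype == 26:                                # Vendor-Specific
            vendor, vtype, inner = parse_vsa(value)
            name = VSA_NAMES.get((vendor, vtype), f"vendor{vendor}-{vtype}")
            # Cisco AV-pairs are text; the Microsoft ones here are 32-bit integers
            val = inner.decode("ascii", "replace") if vendor == 9 else int.from_bytes(inner, "big")
            out["attrs"].append((name, val))
        else:                                            # e.g. Class (25): keep raw hex
            out["attrs"].append((atype, value.hex()))
    return out


def response_authenticator(resp: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()


def verify_response(resp: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the ASA's rad_vrfy() does before trusting an Access-Accept."""
    return hmac.compare_digest(resp[4:20], response_authenticator(resp, request_auth, secret))


def hide_password(password: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16n bytes, then c_i = p_i XOR MD5(secret + c_(i-1)), c_0 = RequestAuth.
    Obfuscation keyed by the shared secret, not encryption in any modern sense."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def reveal_password(hidden: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """Inverse of hide_password: the secret plus the Request Authenticator give back the plaintext."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


if __name__ == "__main__":
    for name, val in decode(ACCEPT)["attrs"]:
        print(f"{name}: {val}")
    # Pass the key the debug printed as skey to reproduce rad_vrfy()'s verdict.
    print("Response Authenticator verifies:", verify_response(ACCEPT, REQUEST_AUTH, b"<shared secret>"))
```

Two things worth noting from the decode. First, `debug radius` prints the configured shared secret (`skey`) next to the Request Authenticator and the raw User-Password attribute; as `reveal_password` shows, those three values are all that is needed to recover the login password in clear, so a key that has been pasted into a public forum should be rotated on both the ASA and the NPS server. Second, the Accept carries Service-Type Administrative (6) together with `shell:priv-lvl=15`, which is what an ASA looks at when deciding whether a RADIUS-authenticated user is allowed into privileged EXEC, so comparing this decode against the ASA's AAA configuration is the natural next step when the server says accept and the box says deny.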

8 Replies

We need more information on what is "not working".  So what is not working? Are you not able to log in?  Or are you able to log in but not able to log in to enable mode?

--
Please remember to select a correct answer and rate helpful posts

The ASA completely rejects the login.  When you put the password in, it just says "Access Denied" like it was a wrong password, but the NPS logs show a valid login.

Hmm...Are you trying to authenticate straight into enable mode?


Yes, that is correct.

Something else to add: we use the same RADIUS server for authentication to other Cisco devices, such as a few switches and a WLC, and RADIUS authentication works fine on those devices.

I suspect that you are not passing the enable password to the ASA device; even though you are going straight to enable mode, you still need to be passing the enable password.


Here are the AAA settings from our ASA:
Colo-asa/pri/act# sh run | i aaa
aaa-server PNLRADIUS protocol radius
aaa-server PNLRADIUS (inside) host 10.50.99.11
aaa-server Duo-LDAP protocol ldap
aaa-server Duo-LDAP (outside) host api-f4f9fba9.duosecurity.com
aaa-server Duo-RADIUS protocol radius
aaa-server Duo-RADIUS (inside) host 10.50.10.10
aaa authentication enable console PNLRADIUS LOCAL
aaa authentication http console PNLRADIUS LOCAL
aaa authentication ssh console PNLRADIUS LOCAL
aaa authorization command LOCAL
aaa local authentication attempts max-fail 5
aaa authorization exec LOCAL auto-enable
aaa authorization http console PNLRADIUS
aaa authentication login-history

You need to change:

aaa authorization exec LOCAL auto-enable

to

aaa authorization exec authentication-server auto-enable

When testing do not disconnect from the SSH session you are testing from, instead open a new terminal and test from there.  This will ensure that you can change the configuration if you are unable to login.


No luck, same thing where it just immediately rejects my login attempt after putting my password in.
