VPN Group Authorization with ACS 5.2

fermendo
Level 1

Hi all,

Hope you can help me with this problem.

I'm trying to set up a VPN connection to a router using group authorization with ACS 5.2, but I cannot make it work. I configured everything based on the procedure used for ACS 4.2: I created a user that corresponds to the group name, used the password cisco, and used all the required Cisco AV pairs in an authorization profile. (Based on this document: http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a00800949ba.shtml)

While testing with ACS 4.2 this works fine; I can see that the ACS returns the group attributes correctly (here is the debug output):

Apr  9 16:16:59.256: RADIUS: Received from id 1645/22 192.168.1.212:1645, Access-Accept, len 203
Apr  9 16:16:59.256: RADIUS:  authenticator 02 07 F5 E6 46 78 73 CA - 46 6D 47 90 FE 92 38 9A
Apr  9 16:16:59.256: RADIUS:  Vendor, Cisco       [26]  30 
Apr  9 16:16:59.256: RADIUS:   Cisco AVpair       [1]   24  "ipsec:key-exchange=ike"
Apr  9 16:16:59.256: RADIUS:  Vendor, Cisco       [26]  40 
Apr  9 16:16:59.256: RADIUS:   Cisco AVpair       [1]   34  "ipsec:key-exchange=preshared-key"
Apr  9 16:16:59.256: RADIUS:  Vendor, Cisco       [26]  31 
Apr  9 16:16:59.256: RADIUS:   Cisco AVpair       [1]   25  "ipsec:addr-pool=ferpool"
Apr  9 16:16:59.256: RADIUS:  Vendor, Cisco       [26]  23 
Apr  9 16:16:59.256: RADIUS:   Cisco AVpair       [1]   17  "ipsec:inacl=100"
Apr  9 16:16:59.260: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
Apr  9 16:16:59.260: RADIUS:  Tunnel-Type         [64]  6   01:ESP                    [9]
Apr  9 16:16:59.260: RADIUS:  Tunnel-Password     [69]  21  01:*
Apr  9 16:16:59.260: RADIUS:  Class               [25]  26

Apr  9 16:16:59.260: RADIUS:   43 41 43 53 3A 30 2F 39 61 64 63 2F 63 30 61 38  [CACS:0/9adc/c0a8]
Apr  9 16:16:59.260: RADIUS:   30 31 30 31 2F 35 30 30                          [0101/500]
Apr  9 16:16:59.260: RADIUS: saved authorization data for user 826C7E08 at 822948D8
Apr  9 16:16:59.264: RADIUS: cisco AVPair "ipsec:key-exchange=ike"
Apr  9 16:16:59.264: RADIUS: cisco AVPair "ipsec:key-exchange=preshared-key"
Apr  9 16:16:59.264: RADIUS: cisco AVPair "ipsec:addr-pool=ferpool"
Apr  9 16:16:59.264: RADIUS: cisco AVPair "ipsec:inacl=100"
Apr  9 16:16:59.264: RADIUS: Tunnel-Type, [01] 00 00 09
Apr  9 16:16:59.264: RADIUS: TAS(1) created and enqueued.
Apr  9 16:16:59.264: RADIUS: Tunnel-Password decrypted, [01] cisco123
Apr  9 16:16:59.264: RADIUS: TAS(1) takes precedence over tagged attributes, tunnel_type=esp
Apr  9 16:16:59.264: RADIUS: free TAS(1)
Apr  9 16:16:59.264: AAA/AUTHOR (410269962): Post authorization status = PASS_REPL

When I test using ACS 5.2 I do see the attributes, but the ACS sends the username as part of the response, and it also sends a Class attribute that is different from the Class sent by ACS 4.2. When the router tries to process the response, it finds a problem with attribute type 1 (the username) and then fails. Here is the output:

Apr  9 16:27:46.185: RADIUS: Received from id 1645/26 192.168.1.210:1645, Access-Accept, len 206
Apr  9 16:27:46.185: RADIUS:  authenticator 65 FA 99 F5 ED EB 54 5A - 81 B1 14 C3 96 6A BD C1
Apr  9 16:27:46.185: RADIUS:  User-Name           [1]   5   "fer"
Apr  9 16:27:46.185: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
Apr  9 16:27:46.185: RADIUS:  Class               [25]  24 
Apr  9 16:27:46.185: RADIUS:   43 41 43 53 3A 41 43 53 35 32 2F 39 33 32 31 31  [CACS:ACS52/93211]
Apr  9 16:27:46.185: RADIUS:   37 36 31 2F 31 34                                [761/14]
Apr  9 16:27:46.185: RADIUS:  Tunnel-Type         [64]  6   01:ESP                    [9]
Apr  9 16:27:46.189: RADIUS:  Tunnel-Password     [69]  21  01:*
Apr  9 16:27:46.189: RADIUS:  Vendor, Cisco       [26]  30 
Apr  9 16:27:46.189: RADIUS:   Cisco AVpair       [1]   24  "ipsec:key-exchange=ike"
Apr  9 16:27:46.189: RADIUS:  Vendor, Cisco       [26]  40 
Apr  9 16:27:46.189: RADIUS:   Cisco AVpair       [1]   34  "ipsec:key-exchange=preshared-key"
Apr  9 16:27:46.189: RADIUS:  Vendor, Cisco       [26]  31 
Apr  9 16:27:46.189: RADIUS:   Cisco AVpair       [1]   25  "ipsec:addr-pool=ferpool"
Apr  9 16:27:46.189: RADIUS:  Vendor, Cisco       [26]  23 
Apr  9 16:27:46.189: RADIUS:   Cisco AVpair       [1]   17  "ipsec:inacl=100"
Apr  9 16:27:46.189: RADIUS: saved authorization data for user 826C61F0 at 822B3F40
Apr  9 16:27:46.193: RADIUS: Bad attribute (unsupported attribute): type 1 len 5 data 0x66657206
Apr  9 16:27:46.193: AAA/AUTHOR (3585678032): Post authorization status = ERROR

I have not been able to find a way to stop ACS 5.2 from sending the username and to make it send the Class attribute as ACS 4.2 does. Do you know a way to do this? Perhaps the procedure changed for ACS 5.2; if so, is there any documentation on how to use group authorization? By the way, the router is running IOS version 12.3(22a).

Hope you can help me.

Thanks a lot!!

Fernando

4 Replies

Erick Delgado
Level 1

Hello Fernando,

In ACS 5.2 things are a little bit different.

Please see the attachment with a configuration that may help you.

If you have any question feel free to contact me.

Erick Delgado

Cisco CSE

Hello Erick,

Thanks a lot for your response.

I tried with an ASA and ACS 5.2 as the document describes, and that works quite fine! However, this time I'm working with a router and ACS 5.2. I have found that the RADIUS attributes used for the ASA cannot be used with routers. I thought that the attributes used in ACS 4.2 for routers would work in ACS 5.2, but it seems they don't.

I changed the IOS version to 12.4; it still doesn't recognize all the attributes. This time the attribute that is failing is the IETF RADIUS Tunnel-Password, which doesn't work. Do you have a list of the attributes that changed in ACS 5.2?

Thanks a lot!!!
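
The two Access-Accepts in the original post, and the Tunnel-Password decoding that fails on 12.4 in the reply above, come down to how the NAS parses the RADIUS reply: it verifies the Response Authenticator, walks the attribute TLVs, unwraps Cisco Vendor-Specific (26) pairs, and decrypts the salted Tunnel-Password (69) per RFC 2868 before handing the result to the IPsec code. The following script is an added example, not code from the post, from Cisco, or from IOS. It rebuilds both replies byte for byte (the attribute lengths and the 203/206-byte packet sizes match the debug output), decodes them, and flags the User-Name attribute that the 12.3 router reported as unsupported. The shared secret, the Request-Authenticator, the 2-byte salt, and the allow-list of attribute types that models the old router's behaviour are all assumptions; the RFC 2868 encryption is implemented in general, so it also handles multi-block passwords, which the post's 8-byte "cisco123" does not exercise.

```python
"""Build, verify and decode the RADIUS Access-Accepts shown in the debug output."""
import hashlib
import hmac
import struct

SECRET = b"radiuskey"            # assumed shared secret (not in the post)
REQUEST_AUTH = bytes(range(16))  # constructed Request-Authenticator of the Access-Request
CISCO = 9                        # Cisco IANA enterprise number
ACCESS_ACCEPT = 2
USER_NAME, SERVICE_TYPE, CLASS, VENDOR_SPECIFIC = 1, 6, 25, 26   # RFC 2865 types
TUNNEL_TYPE, TUNNEL_PASSWORD = 64, 69                            # RFC 2868 types
# Assumed allow-list modelling the IOS 12.3 behaviour in the post: User-Name (1)
# inside an Access-Accept is reported as "unsupported" and authorization errors out.
LEGACY_ACCEPT_TYPES = frozenset({SERVICE_TYPE, CLASS, VENDOR_SPECIFIC, TUNNEL_TYPE, TUNNEL_PASSWORD})

def attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value   # type, total length, value

def cisco_avpair(text: str) -> bytes:
    # Vendor-Specific(26): vendor id, then Cisco sub-attribute 1 (cisco-avpair) as a TLV
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO) + attr(1, text.encode()))

def _md5_xor(data: bytes, secret: bytes, req_auth: bytes, salt: bytes, encrypt: bool) -> bytes:
    """RFC 2868 3.5 keystream: b1 = MD5(S+R+A), b(i) = MD5(S+c(i-1)), c(i) = p(i) XOR b(i)."""
    out, prev = b"", req_auth + salt
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        res = bytes(x ^ y for x, y in zip(chunk, hashlib.md5(secret + prev).digest()))
        out += res
        prev = res if encrypt else chunk   # always chain on the ciphertext block
    return out

def tunnel_password_encrypt(password: bytes, secret: bytes, req_auth: bytes,
                            salt: bytes, tag: int = 1) -> bytes:
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 bytes with the high bit set")
    plain = bytes([len(password)]) + password          # length byte, then zero padding
    plain += b"\x00" * (-len(plain) % 16)
    return bytes([tag]) + salt + _md5_xor(plain, secret, req_auth, salt, True)

def tunnel_password_decrypt(value: bytes, secret: bytes, req_auth: bytes):
    tag, salt, cipher = value[0], value[1:3], value[3:]
    if not cipher or len(cipher) % 16:
        raise ValueError("ciphertext must be a non-empty multiple of 16 bytes")
    plain = _md5_xor(cipher, secret, req_auth, salt, False)
    if plain[0] > len(plain) - 1:
        raise ValueError("bad length byte: wrong secret or corrupted attribute")
    return tag, plain[1:1 + plain[0]]

def build_access_accept(ident: int, attrs: list, secret: bytes, req_auth: bytes) -> bytes:
    """Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body

def build_reply(acs52_style: bool, ident: int = 26) -> bytes:
    """The two replies from the post, attributes in the order the debug shows them."""
    avpairs = [cisco_avpair(s) for s in ("ipsec:key-exchange=ike", "ipsec:key-exchange=preshared-key",
                                         "ipsec:addr-pool=ferpool", "ipsec:inacl=100")]
    service = attr(SERVICE_TYPE, struct.pack("!I", 5))            # Outbound
    ttype = attr(TUNNEL_TYPE, b"\x01" + (9).to_bytes(3, "big"))   # tag 1, ESP
    tpass = attr(TUNNEL_PASSWORD, tunnel_password_encrypt(b"cisco123", SECRET, REQUEST_AUTH, b"\x80\x01"))
    if acs52_style:   # ACS 5.2: User-Name first, different Class, VSAs last
        attrs = [attr(USER_NAME, b"fer"), service, attr(CLASS, b"CACS:ACS52/93211761/14"),
                 ttype, tpass, *avpairs]
    else:             # ACS 4.2: no User-Name at all
        attrs = [*avpairs, service, ttype, tpass, attr(CLASS, b"CACS:0/9adc/c0a80101/500")]
    return build_access_accept(ident, attrs, SECRET, REQUEST_AUTH)

def parse_access_accept(packet: bytes, secret: bytes, req_auth: bytes) -> list:
    """Verify the Response Authenticator first, then decode attributes to (type, value)."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Accept")
    expected = hashlib.md5(packet[:4] + req_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute length")
        atype, alen = packet[pos], packet[pos + 1]
        val = packet[pos + 2:pos + alen]
        pos += alen
        if atype == VENDOR_SPECIFIC and len(val) >= 6 and struct.unpack("!I", val[:4])[0] == CISCO:
            val = val[6:4 + val[5]].decode()          # skip vendor id and sub-attribute header
        elif atype == TUNNEL_PASSWORD:
            tag, pw = tunnel_password_decrypt(val, secret, req_auth)
            val = (tag, pw.decode())
        elif atype == TUNNEL_TYPE:
            val = (val[0], int.from_bytes(val[1:], "big"))   # (tag, value)
        elif atype in (USER_NAME, CLASS):
            val = val.decode()
        out.append((atype, val))
    return out

def rejected_by_nas(parsed: list, supported=LEGACY_ACCEPT_TYPES) -> list:
    """Attributes a NAS with a fixed allow-list refuses; the list itself is an assumption."""
    return [(t, v) for t, v in parsed if t not in supported]
```

Running `rejected_by_nas(parse_access_accept(build_reply(True), SECRET, REQUEST_AUTH))` returns `[(1, "fer")]`, the same attribute the 12.3 router logged as "Bad attribute (unsupported attribute): type 1", while the ACS 4.2-style reply returns an empty list. Two things the decoder checks that are easy to skip in a quick script: the Response Authenticator is compared before any attribute is trusted (a reply with the wrong secret or a flipped byte is rejected outright), and the Tunnel-Password length byte is range-checked after decryption, which is the only integrity signal RFC 2868 gives you when the shared secret on the router and on the ACS differ.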

Hello,

Routers require more work.

If you still need assistance please let me know.

Regards,

Hi Erick,

How much more is needed for a router?

I am setting up a 3925 now, but still can't make this work.

Regards,
