10-30-2011 11:48 PM
Hi everyone,
I'm using Cisco VPN client 5.0.7 and Cisco ASA 5510 (7.4 and 8.4.2) VPN RAS solution. Clients are authenticated using certificates and AAA RADIUS (ACS 3.3) and AD.
Each time a client connects, the ASA issues 2 RADIUS requests: first a correct one, which is successfully authenticated by ACS, and immediately afterwards a second one, which always fails. I couldn't find any information related to this strange behavior. The "Double authentication" feature (the closest match by name) is available only to AnyConnect clients, which we don't use. When I'm authenticated using a group password, there is only one RADIUS request.
What is the source of this behavior?
The negative impact is that my logs are filled with spurious failed auth attempts, and users are incrementing the failed-attempts counter in AD.
Debug from ASA:
----First request----
RDS 10/24/2011 16:16:01 D 0232 14884 Request from host 172.16.8.1:1645 code=1, id=22, length=145 on port 1025
RDS 10/24/2011 16:16:01 I 2519 14884 [001] User-Name value: user1
RDS 10/24/2011 16:16:01 I 2519 14884 [002] User-Password value: B2 A9 D0 2D 15 5F B8 BB DB 1E 3A 38 F5 24 72 B5
RDS 10/24/2011 16:16:01 I 2538 14884 [005] NAS-Port value: -1072693248
RDS 10/24/2011 16:16:01 I 2538 14884 [006] Service-Type value: 2
RDS 10/24/2011 16:16:01 I 2538 14884 [007] Framed-Protocol value: 1
RDS 10/24/2011 16:16:01 I 2519 14884 [030] Called-Station-Id value: 172.16.8.1
RDS 10/24/2011 16:16:01 I 2519 14884 [031] Calling-Station-Id value: 10.4.14.14
RDS 10/24/2011 16:16:01 I 2538 14884 [061] NAS-Port-Type value: 5
RDS 10/24/2011 16:16:01 I 2533 14884 [066] Tunnel-Client-Endpoint value: [T1] 10.4.14.14
RDS 10/24/2011 16:16:01 I 2556 14884 [004] NAS-IP-Address value: 172.16.8.1
RDS 10/24/2011 16:16:01 I 2561 14884 [026] Vendor-Specific vsa id: 9
RDS 10/24/2011 16:16:01 I 2596 14884 [001] cisco-av-pair value: ip:source-ip=10.4.14.14
RDS 10/24/2011 16:16:01 I 0282 14884 ExtensionPoint: Initiating scan of configured extension points...
RDS 10/24/2011 16:16:01 I 0314 14884 ExtensionPoint: Calling [AuthenticationExtension] for Supplier [Cisco Generic EAP]
RDS 10/24/2011 16:16:01 I 0763 14884 ExtensionPoint: [Generic EAP] Missing EAP-Message, ignoring...
RDS 10/24/2011 16:16:01 I 0319 14884 ExtensionPoint: [GenericEAP.dll->AuthenticationExtension] returned [1 - ignored]
RDS 10/24/2011 16:16:01 I 0314 14884 ExtensionPoint: Calling [AuthenticationExtension] for Supplier [Cisco Downloadable ACLs]
RDS 10/24/2011 16:16:01 I 0763 14884 ExtensionPoint: [DnldACLs] Not an ACL download request, ignoring...
RDS 10/24/2011 16:16:01 I 0319 14884 ExtensionPoint: [DnldACLs.dll->AuthenticationExtension] returned [1 - ignored]
RDS 10/24/2011 16:16:02 I 0475 14884 AuthorExtensionPoint: Initiating scan of configured extension points...
RDS 10/24/2011 16:16:02 I 0507 14884 AuthorExtensionPoint: Calling [AuthorisationExtension] for Supplier [Cisco Downloadable ACLs]
RDS 10/24/2011 16:16:02 I 0763 14884 ExtensionPoint: [DnldACLs] Starting ACL lookup for [user1]
RDS 10/24/2011 16:16:02 I 0512 14884 AuthorExtensionPoint: [DnldACLs.dll->AuthorisationExtension] returned [1 - ignored]
RDS 10/24/2011 16:16:02 D 3360 14884 Sending response code 2, id 22 to 172.16.8.1 on port 1025
RDS 10/24/2011 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9
RDS 10/24/2011 16:16:02 I 2596 14884 [001] cisco-av-pair value: ip:addr-pool=vpnpool
RDS 10/24/2011 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9
RDS 10/24/2011 16:16:02 I 2596 14884 [001] cisco-av-pair value: ip:wins-servers=10.2.9.12 10.3.9.10 10.4.2.202
RDS 10/24/2011 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9
RDS 10/24/2011 16:16:02 I 2596 14884 [001] cisco-av-pair value: ip:dns-servers=10.2.9.12 10.3.9.10 10.4.2.202
RDS 10/24/2011 16:16:02 I 2538 14884 [006] Service-Type value: 2
RDS 10/24/2011 16:16:02 I 2538 14884 [007] Framed-Protocol value: 1
RDS 10/24/2011 16:16:02 I 2538 14884 [013] Framed-Compression value: 1
RDS 10/24/2011 16:16:02 I 2556 14884 [008] Framed-IP-Address value: 255.255.255.254
RDS 10/24/2011 16:16:02 I 2519 14884 [025] Class value: CISCOACS:002cb2a9/ac100801/3222274048
----Second request----
RDS 10/24/2011 16:16:02 D 0232 14884 Request from host 172.16.8.1:1645 code=1, id=23, length=145 on port 1025
RDS 10/24/2011 16:16:02 I 2519 14884 [001] User-Name value: user1
RDS 10/24/2011 16:16:02 I 2519 14884 [002] User-Password value: 06 EE 08 AB C7 8F 75 D0 A5 E5 AE B7 A8 1B 48 96
RDS 10/24/2011 16:16:02 I 2538 14884 [005] NAS-Port value: -1072693248
RDS 10/24/2011 16:16:02 I 2538 14884 [006] Service-Type value: 2
RDS 10/24/2011 16:16:02 I 2538 14884 [007] Framed-Protocol value: 1
RDS 10/24/2011 16:16:02 I 2519 14884 [030] Called-Station-Id value: 172.16.8.1
RDS 10/24/2011 16:16:02 I 2519 14884 [031] Calling-Station-Id value: 10.4.14.14
RDS 10/24/2011 16:16:02 I 2538 14884 [061] NAS-Port-Type value: 5
RDS 10/24/2011 16:16:02 I 2533 14884 [066] Tunnel-Client-Endpoint value: [T1] 10.4.14.14
RDS 10/24/2011 16:16:02 I 2556 14884 [004] NAS-IP-Address value: 172.16.8.1
RDS 10/24/2011 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9
RDS 10/24/2011 16:16:02 I 2596 14884 [001] cisco-av-pair value: ip:source-ip=10.4.14.14
RDS 10/24/2011 16:16:02 I 0282 14884 ExtensionPoint: Initiating scan of configured extension points...
RDS 10/24/2011 16:16:02 I 0314 14884 ExtensionPoint: Calling [AuthenticationExtension] for Supplier [Cisco Generic EAP]
RDS 10/24/2011 16:16:02 I 0763 14884 ExtensionPoint: [Generic EAP] Missing EAP-Message, ignoring...
RDS 10/24/2011 16:16:02 I 0319 14884 ExtensionPoint: [GenericEAP.dll->AuthenticationExtension] returned [1 - ignored]
RDS 10/24/2011 16:16:02 I 0314 14884 ExtensionPoint: Calling [AuthenticationExtension] for Supplier [Cisco Downloadable ACLs]
RDS 10/24/2011 16:16:02 I 0763 14884 ExtensionPoint: [DnldACLs] Not an ACL download request, ignoring...
RDS 10/24/2011 16:16:02 I 0319 14884 ExtensionPoint: [DnldACLs.dll->AuthenticationExtension] returned [1 - ignored]
RDS 10/24/2011 16:16:02 P 2237 14884 User: user1 - Windows user unknown or password invalid
RDS 10/24/2011 16:16:02 D 3360 14884 Sending response code 3, id 23 to 172.16.8.1 on port 1025
RDS 10/24/2011 16:16:02 I 2519 14884 [018] Reply-Message value: Rejected..
RDS 10/24/2011 16:16:03 D 0232 14884 Request from host 10.2.47.200:1812 code=1, id=254, length=227 on port 32769
RDS 10/24/2011 16:16:03 E 2788 14884 (Unknown VSA Vendor ID 14179)
ACS debug:
----First request----
AUTH 10/24/2011 16:16:01 I 0365 13060 External DB [NTAuthenDLL.dll]: Starting authentication for user [user01]
AUTH 10/24/2011 16:16:01 I 0365 13060 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user user1
AUTH 10/24/2011 16:16:02 I 0365 13060 External DB [NTAuthenDLL.dll]: Windows authentication SUCCESSFUL (by DCCORPMSK04)
AUTH 10/24/2011 16:16:02 I 0365 13060 External DB [NTAuthenDLL.dll]: Obtaining RAS information for user user1 from DCCORPMSK04
----Second request----
AUTH 10/24/2011 16:16:02 I 0365 13060 External DB [NTAuthenDLL.dll]: Starting authentication for user [user1]
AUTH 10/24/2011 16:16:02 I 0365 13060 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user user1
AUTH 10/24/2011 16:16:02 E 0365 13060 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
AUTH 10/24/2011 16:16:02 I 0365 13060 External DB [NTAuthenDLL.dll]: Reattempting authentication at domain CORP
AUTH 10/24/2011 16:16:02 I 0365 13060 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user user1
AUTH 10/24/2011 16:16:02 E 0365 13060 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
ASA config:
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 ipsec-over-tcp port 10000
lifetime 86400
crypto ikev1 policy 65535
authentication rsa-sig
encryption 3des
hash md5
group 2
lifetime 86400
!
group-policy Cert_auth internal
group-policy Cert_auth attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value aclVPN2
address-pools value vpnpool
client-access-rule none
!
tunnel-group DefaultRAGroup general-attributes
address-pool (inside) vpnpool
address-pool vpnpool
authentication-server-group RADIUS01
authorization-server-group RADIUS01
authorization-server-group (inside) RADIUS01
default-group-policy Cert_auth
!
aaa-server RADIUS01 protocol radius
aaa-server RADIUS01 (inside) host 10.2.9.224
key *****
radius-common-pw *****
aaa-server RADIUS01 (inside) host 10.4.2.223
key *****
11-05-2011 04:45 PM
Hi
This is a 'classic' error and has nothing to do with double authentication, but rather with the fact that you do both RADIUS authentication and RADIUS authorization.
If you remove this line:
authorization-server-group RADIUS01
you'll see it starts to work fine.
In short: when ASA does radius authorization, it sends a radius access-request with the username as the password, which is why you see the second request fail all the time.
This is because radius authorization is intended to be used when authentication happens using certificates (only) so there is no password.
Also note that in the Radius protocol, authentication and authorization are not separate things, they both happen in one step. So if the ASA does radius authentication, it already gets the user attributes in the authentication step and it does not make sense to also do a separate authorization step (unless in some very rare scenario where you have 2 radius servers, one for authentication and another one for authorization).
hth
Herbert
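Two checks follow from Herbert's explanation, and a defender might want both in script form: a triage pass over ACS RDS log lines that separates the ASA's RADIUS authorization probes (an Access-Reject that immediately follows an Access-Accept for the same user from the same NAS) from genuine credential failures, and a lint over an ASA configuration that flags tunnel-groups pointing both `authentication-server-group` and `authorization-server-group` at the same RADIUS group. This is an added example, not code from the thread or from Cisco; the log lines and config are constructed to match the formats quoted above, the 2-second pairing window is an assumption, and the hex User-Password bytes in the sample are made up.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the Cisco Secure ACS RDS log format quoted in the thread.
# ids 22/23 reproduce the accept-then-reject pair; id 40 is a standalone reject.
SAMPLE_RDS_LOG = """\
RDS 10/24/2011 16:16:01 D 0232 14884 Request from host 172.16.8.1:1645 code=1, id=22, length=145 on port 1025
RDS 10/24/2011 16:16:01 I 2519 14884 [001] User-Name value: user1
RDS 10/24/2011 16:16:02 D 3360 14884 Sending response code 2, id 22 to 172.16.8.1 on port 1025
RDS 10/24/2011 16:16:02 D 0232 14884 Request from host 172.16.8.1:1645 code=1, id=23, length=145 on port 1025
RDS 10/24/2011 16:16:02 I 2519 14884 [001] User-Name value: user1
RDS 10/24/2011 16:16:02 P 2237 14884 User: user1 - Windows user unknown or password invalid
RDS 10/24/2011 16:16:02 D 3360 14884 Sending response code 3, id 23 to 172.16.8.1 on port 1025
RDS 10/24/2011 16:20:15 D 0232 14884 Request from host 172.16.8.1:1645 code=1, id=40, length=145 on port 1025
RDS 10/24/2011 16:20:15 I 2519 14884 [001] User-Name value: user2
RDS 10/24/2011 16:20:15 D 3360 14884 Sending response code 3, id 40 to 172.16.8.1 on port 1025
"""

# Constructed ASA config fragment with the same tunnel-group/aaa-server shape as the thread.
SAMPLE_ASA_CONFIG = """\
tunnel-group DefaultRAGroup general-attributes
 address-pool vpnpool
 authentication-server-group RADIUS01
 authorization-server-group (inside) RADIUS01
 default-group-policy Cert_auth
!
aaa-server RADIUS01 protocol radius
aaa-server RADIUS01 (inside) host 10.2.9.224
"""

REQ_RE = re.compile(r"^RDS (\S+ \S+) D \d+ \d+ Request from host (\S+):\d+ code=1, id=(\d+),")
USER_RE = re.compile(r"\[001\] User-Name value: (\S+)")
RESP_RE = re.compile(r"^RDS (\S+ \S+) D \d+ \d+ Sending response code (\d+), id (\d+) to (\S+) on port")


def _ts(s):
    return datetime.strptime(s, "%m/%d/%Y %H:%M:%S")


def parse_transactions(log_text):
    """Pair each Access-Request with its response, keyed by (NAS IP, RADIUS id).
    The User-Name attribute line is attached to the most recent request."""
    pending, current, done = {}, None, []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if m:
            current = (m.group(2), int(m.group(3)))
            pending[current] = {"ts": _ts(m.group(1)), "nas": current[0],
                                "id": current[1], "user": None, "code": None}
            continue
        m = USER_RE.search(line)
        if m and current in pending:
            pending[current]["user"] = m.group(1)
            continue
        m = RESP_RE.match(line)
        if m:
            tx = pending.pop((m.group(4), int(m.group(3))), None)
            if tx is not None:
                tx["code"] = int(m.group(2))  # 2 = Access-Accept, 3 = Access-Reject
                done.append(tx)
    return done


def classify_rejects(log_text, window=timedelta(seconds=2)):
    """Label every Access-Reject. A reject that follows an Access-Accept for the same
    user from the same NAS within `window` is the ASA's RADIUS authorization request
    (sent with the username as the password, per Herbert), not a bad credential."""
    txs = sorted(parse_transactions(log_text), key=lambda t: t["ts"])
    labels = []
    for i, tx in enumerate(txs):
        if tx["code"] != 3:
            continue
        label = "genuine-reject"
        for prev in reversed(txs[:i]):  # nearest earlier transaction for this NAS+user
            if prev["nas"] == tx["nas"] and prev["user"] == tx["user"]:
                if prev["code"] == 2 and tx["ts"] - prev["ts"] <= window:
                    label = "authorization-probe"
                break
        labels.append((tx["user"], tx["id"], label))
    return labels


def tunnel_groups_with_radius_authorization(config_text):
    """Return (tunnel-group, aaa-server group) pairs where authentication and
    authorization both point at the same RADIUS group: the setting to remove."""
    radius_groups = set(re.findall(r"^aaa-server (\S+) protocol radius", config_text, re.M))
    findings, cur = [], None

    def check(block):
        if block and block.get("authn") and block.get("authn") == block.get("authz") \
                and block["authn"] in radius_groups:
            findings.append((block["name"], block["authn"]))

    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"tunnel-group (\S+) general-attributes$", line)
        if m:
            check(cur)
            cur = {"name": m.group(1)}
            continue
        if cur is None:
            continue
        if line == "!" or line.startswith("tunnel-group "):  # end of the block
            check(cur)
            cur = None
            continue
        m = re.match(r"(authentication|authorization)-server-group(?: \(\S+\))? (\S+)$", line)
        if m:
            cur["authn" if m.group(1) == "authentication" else "authz"] = m.group(2)
    check(cur)
    return findings


if __name__ == "__main__":
    for user, rid, label in classify_rejects(SAMPLE_RDS_LOG):
        print(f"reject id={rid} user={user}: {label}")
    for tg, grp in tunnel_groups_with_radius_authorization(SAMPLE_ASA_CONFIG):
        print(f"tunnel-group {tg}: remove 'authorization-server-group {grp}'")
```

Run against a real RDS log, the first function lets you discount the paired rejects before counting lockout-relevant failures; the second can be run over `show running-config` output before and after the change to confirm the redundant authorization group is gone.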
11-09-2011 01:21 AM
Hi Herbert, thanks for the clear answer. You were absolutely right, it's the RADIUS authorization request.
After removal, no more bogus requests.
Thanks,
Anton