Bogus RADIUS requests from ASA 5510, Cisco VPN Client

CSCO11115084
Level 1

Hi everyone,

I'm using Cisco VPN client 5.0.7 and Cisco ASA 5510 (7.4 and 8.4.2) VPN RAS solution. Clients are authenticated using certificates and AAA RADIUS (ACS 3.3) and AD.

Each time a client connects, the ASA issues 2 RADIUS requests: the first, correct one is successfully authenticated by ACS, and immediately a second one always fails. I couldn't find any information related to this strange behavior. The "Double authentication" feature (the most likely candidate, by its name) is accessible only to AnyConnect clients, which we don't use. When I'm authenticated using a group password, there is only one RADIUS request.

What is the source of such behavior?

The negative impact is that my logs are filled with spurious failed auth attempts, and users are incrementing the failed-attempts counter in AD.

Debug from ASA:

----First request----
RDS 10/24/2011 16:16:01 D 0232 14884 Request from host 172.16.8.1:1645 code=1, id=22, length=145 on port 1025
RDS 10/24/2011 16:16:01 I 2519 14884     [001] User-Name                           value:  user1
RDS 10/24/2011 16:16:01 I 2519 14884     [002] User-Password                       value:  B2 A9 D0 2D 15 5F B8 BB DB 1E 3A 38 F5 24 72 B5
RDS 10/24/2011 16:16:01 I 2538 14884     [005] NAS-Port                            value:  -1072693248
RDS 10/24/2011 16:16:01 I 2538 14884     [006] Service-Type                        value:  2
RDS 10/24/2011 16:16:01 I 2538 14884     [007] Framed-Protocol                     value:  1
RDS 10/24/2011 16:16:01 I 2519 14884     [030] Called-Station-Id                   value:  172.16.8.1
RDS 10/24/2011 16:16:01 I 2519 14884     [031] Calling-Station-Id                  value:  10.4.14.14
RDS 10/24/2011 16:16:01 I 2538 14884     [061] NAS-Port-Type                       value:  5
RDS 10/24/2011 16:16:01 I 2533 14884     [066] Tunnel-Client-Endpoint              value:  [T1] 10.4.14.14
RDS 10/24/2011 16:16:01 I 2556 14884     [004] NAS-IP-Address                      value:  172.16.8.1
RDS 10/24/2011 16:16:01 I 2561 14884     [026] Vendor-Specific                     vsa id: 9
RDS 10/24/2011 16:16:01 I 2596 14884           [001] cisco-av-pair                 value:  ip:source-ip=10.4.14.14
RDS 10/24/2011 16:16:01 I 0282 14884 ExtensionPoint: Initiating scan of configured extension points...
RDS 10/24/2011 16:16:01 I 0314 14884 ExtensionPoint: Calling [AuthenticationExtension] for Supplier [Cisco Generic EAP]
RDS 10/24/2011 16:16:01 I 0763 14884 ExtensionPoint: [Generic EAP] Missing EAP-Message, ignoring...
RDS 10/24/2011 16:16:01 I 0319 14884 ExtensionPoint: [GenericEAP.dll->AuthenticationExtension] returned [1 - ignored]
RDS 10/24/2011 16:16:01 I 0314 14884 ExtensionPoint: Calling [AuthenticationExtension] for Supplier [Cisco Downloadable ACLs]
RDS 10/24/2011 16:16:01 I 0763 14884 ExtensionPoint: [DnldACLs] Not an ACL download request, ignoring...
RDS 10/24/2011 16:16:01 I 0319 14884 ExtensionPoint: [DnldACLs.dll->AuthenticationExtension] returned [1 - ignored]
RDS 10/24/2011 16:16:02 I 0475 14884 AuthorExtensionPoint: Initiating scan of configured extension points...
RDS 10/24/2011 16:16:02 I 0507 14884 AuthorExtensionPoint: Calling [AuthorisationExtension] for Supplier [Cisco Downloadable ACLs]
RDS 10/24/2011 16:16:02 I 0763 14884 ExtensionPoint: [DnldACLs] Starting ACL lookup for [user1]
RDS 10/24/2011 16:16:02 I 0512 14884 AuthorExtensionPoint: [DnldACLs.dll->AuthorisationExtension] returned [1 - ignored]
RDS 10/24/2011 16:16:02 D 3360 14884 Sending response code 2, id 22 to 172.16.8.1 on port 1025
RDS 10/24/2011 16:16:02 I 2561 14884     [026] Vendor-Specific                     vsa id: 9
RDS 10/24/2011 16:16:02 I 2596 14884           [001] cisco-av-pair                 value:  ip:addr-pool=vpnpool
RDS 10/24/2011 16:16:02 I 2561 14884     [026] Vendor-Specific                     vsa id: 9
RDS 10/24/2011 16:16:02 I 2596 14884           [001] cisco-av-pair                 value:  ip:wins-servers=10.2.9.12 10.3.9.10 10.4.2.202
RDS 10/24/2011 16:16:02 I 2561 14884     [026] Vendor-Specific                     vsa id: 9
RDS 10/24/2011 16:16:02 I 2596 14884           [001] cisco-av-pair                 value:  ip:dns-servers=10.2.9.12 10.3.9.10 10.4.2.202
RDS 10/24/2011 16:16:02 I 2538 14884     [006] Service-Type                        value:  2
RDS 10/24/2011 16:16:02 I 2538 14884     [007] Framed-Protocol                     value:  1
RDS 10/24/2011 16:16:02 I 2538 14884     [013] Framed-Compression                  value:  1
RDS 10/24/2011 16:16:02 I 2556 14884     [008] Framed-IP-Address                   value:  255.255.255.254
RDS 10/24/2011 16:16:02 I 2519 14884     [025] Class                               value:  CISCOACS:002cb2a9/ac100801/3222274048

----Second request----
RDS 10/24/2011 16:16:02 D 0232 14884 Request from host 172.16.8.1:1645 code=1, id=23, length=145 on port 1025
RDS 10/24/2011 16:16:02 I 2519 14884     [001] User-Name                           value:  user1
RDS 10/24/2011 16:16:02 I 2519 14884     [002] User-Password                       value:  06 EE 08 AB C7 8F 75 D0 A5 E5 AE B7 A8 1B 48 96
RDS 10/24/2011 16:16:02 I 2538 14884     [005] NAS-Port                            value:  -1072693248
RDS 10/24/2011 16:16:02 I 2538 14884     [006] Service-Type                        value:  2
RDS 10/24/2011 16:16:02 I 2538 14884     [007] Framed-Protocol                     value:  1
RDS 10/24/2011 16:16:02 I 2519 14884     [030] Called-Station-Id                   value:  172.16.8.1
RDS 10/24/2011 16:16:02 I 2519 14884     [031] Calling-Station-Id                  value:  10.4.14.14
RDS 10/24/2011 16:16:02 I 2538 14884     [061] NAS-Port-Type                       value:  5
RDS 10/24/2011 16:16:02 I 2533 14884     [066] Tunnel-Client-Endpoint              value:  [T1] 10.4.14.14
RDS 10/24/2011 16:16:02 I 2556 14884     [004] NAS-IP-Address                      value:  172.16.8.1
RDS 10/24/2011 16:16:02 I 2561 14884     [026] Vendor-Specific                     vsa id: 9
RDS 10/24/2011 16:16:02 I 2596 14884           [001] cisco-av-pair                 value:  ip:source-ip=10.4.14.14
RDS 10/24/2011 16:16:02 I 0282 14884 ExtensionPoint: Initiating scan of configured extension points...
RDS 10/24/2011 16:16:02 I 0314 14884 ExtensionPoint: Calling [AuthenticationExtension] for Supplier [Cisco Generic EAP]
RDS 10/24/2011 16:16:02 I 0763 14884 ExtensionPoint: [Generic EAP] Missing EAP-Message, ignoring...
RDS 10/24/2011 16:16:02 I 0319 14884 ExtensionPoint: [GenericEAP.dll->AuthenticationExtension] returned [1 - ignored]
RDS 10/24/2011 16:16:02 I 0314 14884 ExtensionPoint: Calling [AuthenticationExtension] for Supplier [Cisco Downloadable ACLs]
RDS 10/24/2011 16:16:02 I 0763 14884 ExtensionPoint: [DnldACLs] Not an ACL download request, ignoring...
RDS 10/24/2011 16:16:02 I 0319 14884 ExtensionPoint: [DnldACLs.dll->AuthenticationExtension] returned [1 - ignored]
RDS 10/24/2011 16:16:02 P 2237 14884 User: user1 - Windows user unknown or password invalid
RDS 10/24/2011 16:16:02 D 3360 14884 Sending response code 3, id 23 to 172.16.8.1 on port 1025
RDS 10/24/2011 16:16:02 I 2519 14884     [018] Reply-Message                       value:  Rejected..
RDS 10/24/2011 16:16:03 D 0232 14884 Request from host 10.2.47.200:1812 code=1, id=254, length=227 on port 32769
RDS 10/24/2011 16:16:03 E 2788 14884 (Unknown VSA Vendor ID 14179)

ACS debug:

----First request----

AUTH 10/24/2011 16:16:01 I 0365 13060 External DB [NTAuthenDLL.dll]: Starting authentication for user [user01]
AUTH 10/24/2011 16:16:01 I 0365 13060 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user user1

AUTH 10/24/2011 16:16:02 I 0365 13060 External DB [NTAuthenDLL.dll]: Windows authentication SUCCESSFUL (by DCCORPMSK04)
AUTH 10/24/2011 16:16:02 I 0365 13060 External DB [NTAuthenDLL.dll]: Obtaining RAS information for user user1 from DCCORPMSK04

----Second request---- 
AUTH 10/24/2011 16:16:02 I 0365 13060 External DB [NTAuthenDLL.dll]: Starting authentication for user [user1]
AUTH 10/24/2011 16:16:02 I 0365 13060 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user  user1
AUTH 10/24/2011 16:16:02 E 0365 13060 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
AUTH 10/24/2011 16:16:02 I 0365 13060 External DB [NTAuthenDLL.dll]: Reattempting authentication at domain CORP
AUTH 10/24/2011 16:16:02 I 0365 13060 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user  user1
AUTH 10/24/2011 16:16:02 E 0365 13060 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)

ASA config:

crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 ipsec-over-tcp port 10000
lifetime 86400
crypto ikev1 policy 65535
authentication rsa-sig
encryption 3des
hash md5
group 2
lifetime 86400

!

group-policy Cert_auth internal
group-policy Cert_auth attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value aclVPN2
address-pools value vpnpool
client-access-rule none

!

tunnel-group DefaultRAGroup general-attributes
address-pool (inside) vpnpool
address-pool vpnpool
authentication-server-group RADIUS01
authorization-server-group RADIUS01
authorization-server-group (inside) RADIUS01
default-group-policy Cert_auth

!

aaa-server RADIUS01 protocol radius
aaa-server RADIUS01 (inside) host 10.2.9.224
key *****
radius-common-pw *****
aaa-server RADIUS01 (inside) host 10.4.2.223
key *****

1 Accepted Solution


Herbert Baerten
Cisco Employee

Hi

this is a 'classic' error and has nothing to do with double authentication, but rather with the fact that you do both radius authentication and radius authorization.

If you remove this line:

   authorization-server-group RADIUS01

you'll see it starts to work fine

In short: when ASA does radius authorization, it sends a radius access-request with the username as the password, which is why you see the second request fail all the time.

This is because radius authorization is intended to be used when authentication happens using certificates (only) so there is no password.

Also note that in the Radius protocol, authentication and authorization are not separate things, they both happen in one step. So if the ASA does radius authentication, it already gets the user attributes in the authentication step and it does not make sense to also do a separate authorization step (unless in some very rare scenario where you have 2 radius servers, one for authentication and another one for authorization).

hth

Herbert
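The answer above identifies the signature of this misconfiguration in the ACS log: an Access-Accept for a user immediately followed by an Access-Reject for the same user from the same NAS. The script below is an added example (not from this thread or from Cisco) that pairs requests with responses in the RDS debug format shown in the question and flags that pattern; the log excerpt is constructed to match that format, and the five-second window is an assumed threshold.

```python
import re
from datetime import datetime
# Constructed excerpt in the ACS 3.3 RDS debug format shown in the thread (not the thread's full log).
SAMPLE_LOG = """\
RDS 10/24/2011 16:16:01 D 0232 14884 Request from host 172.16.8.1:1645 code=1, id=22, length=145 on port 1025
RDS 10/24/2011 16:16:01 I 2519 14884     [001] User-Name                           value:  user1
RDS 10/24/2011 16:16:02 D 3360 14884 Sending response code 2, id 22 to 172.16.8.1 on port 1025
RDS 10/24/2011 16:16:02 D 0232 14884 Request from host 172.16.8.1:1645 code=1, id=23, length=145 on port 1025
RDS 10/24/2011 16:16:02 I 2519 14884     [001] User-Name                           value:  user1
RDS 10/24/2011 16:16:02 D 3360 14884 Sending response code 3, id 23 to 172.16.8.1 on port 1025
RDS 10/24/2011 16:20:10 D 0232 14884 Request from host 172.16.8.1:1645 code=1, id=40, length=145 on port 1025
RDS 10/24/2011 16:20:10 I 2519 14884     [001] User-Name                           value:  user2
RDS 10/24/2011 16:20:11 D 3360 14884 Sending response code 3, id 40 to 172.16.8.1 on port 1025
"""
REQ = re.compile(r"^RDS (\S+ \S+) D \d+ \d+ Request from host ([\d.]+):\d+ code=1, id=(\d+)")
USER = re.compile(r"^RDS \S+ \S+ I \d+ \d+\s+\[001\] User-Name\s+value:\s+(\S+)")
RESP = re.compile(r"^RDS (\S+ \S+) D \d+ \d+ Sending response code (\d), id (\d+) to ([\d.]+)")

def parse_transactions(log):
    """Pair each Access-Request (code=1) with its response, keyed by (NAS host, packet id)."""
    pending, done, current = {}, [], None
    for line in log.splitlines():
        m = REQ.match(line)
        if m:
            ts, nas, pid = m.groups()
            current = (nas, pid)  # attribute lines that follow belong to this request
            pending[current] = {"nas": nas, "id": int(pid), "user": None,
                                "t": datetime.strptime(ts, "%m/%d/%Y %H:%M:%S")}
            continue
        m = USER.match(line)
        if m and current in pending:
            pending[current]["user"] = m.group(1)
            continue
        m = RESP.match(line)
        if m:
            ts, code, pid, nas = m.groups()
            tx = pending.pop((nas, pid), None)
            if tx:
                tx["code"] = int(code)  # 2 = Access-Accept, 3 = Access-Reject
                done.append(tx)
    return done

def find_shadow_rejects(txs, window_s=5):
    """Return (user, accepted id, rejected id) where an Accept is followed within
    window_s seconds by a Reject for the same user from the same NAS: the pattern the
    thread attributes to authorization-server-group sending the username as password."""
    hits = []
    for a, b in zip(txs, txs[1:]):
        if (a["nas"] == b["nas"] and a["user"] == b["user"] and a["code"] == 2
                and b["code"] == 3 and (b["t"] - a["t"]).total_seconds() <= window_s):
            hits.append((a["user"], a["id"], b["id"]))
    return hits
```

A genuine bad-password attempt (user2 above) is a lone reject and is not flagged, so the check separates the configuration artifact from real failed logons before they are counted against users in AD.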


Hi Herbert, thanks for the clear answer. You were absolutely right, it's the RADIUS authorization request.

After removal, no more bogus requests.

Thanks,

Anton