2577 Views, 3 Helpful, 6 Replies

User authentication in Cisco ACS by adding external RADIUS database

rahulpratheek
Level 1

Hi,

I would like to configure the below setup:

End user client (Cisco Any connect/VPN client) -> ASA 5500 (AAA client) -> ACS server -> External RADIUS database.

Here the ACS server would send the authentication requests to the external RADIUS server. So, I have added the external user database (RADIUS token server) in ACS under External databases. I have added the AAA client in Network configuration (selected authenticate using RADIUS (VPN 3000/ASA/PIX 7.0) from the drop-down).

Here, how do I make the ASA recognize that it has to send the request to the ACS server? Normally, when you use ACS as a RADIUS server you can add an AAA server in the ASA and test it. But here we are using an external RADIUS server which has been configured in ACS, so how do I make the ASA send the requests to the ACS server?

I would be really grateful for any help on this.

Thanks and Regards,

Rahul.

6 Replies

ajay chauhan
Level 7

Once TACACS is configured on the ASA box, all authentication will go to the ACS box. Now, if ACS is configured as you said for external auth, this will happen automatically. You don't need to configure anything for this on the ASA box.

For example, if you look at the properties of a username, you normally get the option:

Password auth - ACS internal DB

                            External

Here you can change it to the way you want to use.

Thanks

Ajay

Thanks Ajay,

As you said, nothing needs to be done on the ASA side if we are using an external user database for authentication.

I'm a newbie to ACS and this is the first time I'm trying to perform two-factor authentication in Cisco ACS using an external user database.

By two-factor authentication I mean: username + password serves as the first factor (validated by the RADIUS server), and username + security code (validated by the RADIUS server) serves as the second factor. So, during user authentication I enter only the username in the username field, and in the "password" field I enter both "password + security code". Our RADIUS server has already been configured with AD as the user store, so we don't have to specify AD details in ACS. I have done the following in ACS to perform this two-factor authentication.

-> In external user databases, I have added an external RADIUS token server.

-> In unknown user policy, I have added the external database that I configured in ACS to the selected databases list.

-> Under network configuration, I have added the Cisco ASA as AAA client (authenticate using RADIUS (Cisco VPN 3000/ASA/PIX 7.x+)).

Just to check whether user authentication is successful, I launched the ACS web UI using https://IP:2002; it asked me to enter a username and password. So, I entered the username and in the password field I entered "password + security code". But the page throws an error saying "login failed...Try again". I can't find any logs in the external RADIUS server.

Here is what i found in "Failed attempts" logs under Reports and activities.

Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,Network Access Profile Name,Authen-Failure-Code,Author-Failure-Code,Author-Data,NAS-Port,NAS-IP-Address,Filter Information,PEAP/EAP-FAST-Clear-Name,EAP Type,EAP Type Name,Reason,Access Device,Network Device Group

02/28/2012,00:31:52,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,

02/28/2012,00:41:33,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,

02/28/2012,00:42:18,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,


Am I missing anything on the configuration side with respect to ACS?

Thanks

The error simply means the device requesting authentication has not been configured on ACS. The other way around: you first do it with ACS internal auth, and when that is successful, then change the method to external.

Thanks,

The IP of the AAA client entered in the server was wrong. I corrected it and tried to authenticate. But this time the Failed attempts log shows "Authentication failed" in Message-type, and in "Auth-Failure-code" it says "ACS user unknown". I tried to do an internal authentication. For this I have added an AAA server (ACS) in the client using TACACS as the protocol, but the test for this server failed in the ASA. In ACS, I changed the server type to TACACS, and while adding the AAA client I selected authenticate using "TACACS (Cisco IOS)" and added a user "user2" (can be seen in the logs) in the internal database by providing a CiscoSecure PAP password. (Do I have to change the authentication port number for the AAA server? The default is 1645, so I added an AAA server in the ASA with the same port?)

Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,Network Access Profile Name,Authen-Failure-Code,Author-Failure-Code,Author-Data,NAS-Port,NAS-IP-Address,Filter Information,PEAP/EAP-FAST-Clear-Name,EAP Type,EAP Type Name,Reason,Access Device,Network Device Group

02/29/2012,22:12:15,Authen failed,user2,Default Group,,new_profile,ACS user unknown,,,86,10.204.124.71,,,,,,ASA5520,

02/29/2012,22:23:24,Authen failed,user2,Default Group,,new_profile,ACS user unknown,,,87,10.204.124.71,,,,,,ASA5520,

I tried to change the authentication protocol from TACACS to RADIUS in both the ASA and ACS. But the Failed attempts logs were no longer getting populated when I tried to log in (internal auth) again.

The AAA server test from the ASA is successful. I have provided the ACS server details in the ASA, with server port 49 (default) and TACACS as the protocol. In ACS, I have changed the AAA client to TACACS.

The test from the ASA is successful. But when I try logging into ACS through the browser it still says "login failed...Try again".

I can't find any Failed attempts logs in ACS. But I would get logs saying "unknown NAS" whenever I specify a wrong IP for the client.

Any ideas why the logs aren't getting populated?

Authentication fails; the error "Unknown NAS" appears in the Failed Attempts log.

Verify the following:

AAA client is configured under the Network Configuration section.

If you have RADIUS/TACACS source-interface command configured on the AAA client, make sure the client on ACS is configured using the IP address of the interface specified.

Alternatively, you can configure a default NAS in the NAS configuration area by leaving the hostname and IP address blank and entering only the key.
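As an added example (not code from the thread or from Cisco), here is a small Python triage script that reads an ACS "Failed attempts" CSV export of the kind posted above and applies the checklist from this reply: an "Unknown NAS" record is matched against the AAA clients you believe are configured in Network Configuration (with a hint when a configured client sits in the same /24, which is what a mistyped IP or a different source interface looks like), and an "Authen failed" record with "ACS user unknown" is flagged as a user found neither in the internal database nor through the Unknown User Policy. The CSV rows are the ones posted in the thread; the configured client list and internal user set are constructed, hypothetical values.

```python
import csv
import io
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample: header and rows are the ACS Failed Attempts export
# (Reports and Activities) as posted in the thread.
SAMPLE_FAILED_ATTEMPTS = """\
Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,Network Access Profile Name,Authen-Failure-Code,Author-Failure-Code,Author-Data,NAS-Port,NAS-IP-Address,Filter Information,PEAP/EAP-FAST-Clear-Name,EAP Type,EAP Type Name,Reason,Access Device,Network Device Group
02/28/2012,00:31:52,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,
02/28/2012,00:41:33,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,
02/29/2012,22:12:15,Authen failed,user2,Default Group,,new_profile,ACS user unknown,,,86,10.204.124.71,,,,,,ASA5520,
"""

# Hypothetical view of ACS Network Configuration: AAA client IP -> client name.
# The entry deliberately carries a mistyped last octet, as happened in the thread.
CONFIGURED_AAA_CLIENTS = {"10.204.124.70": "ASA5520"}
# Hypothetical ACS internal user database.
INTERNAL_USERS = {"user1"}


def parse_failed_attempts(text):
    """Parse an ACS Failed Attempts CSV export into one dict per record, values stripped."""
    reader = csv.DictReader(io.StringIO(text))
    return [{key: (value or "").strip() for key, value in row.items()} for row in reader]


def same_subnet_candidates(nas_ip, aaa_clients, prefix=24):
    """Configured AAA client IPs that share a /prefix with the rejected NAS IP (likely typos)."""
    net = ip_network(f"{nas_ip}/{prefix}", strict=False)
    return sorted(ip for ip in aaa_clients if ip_address(ip) in net)


def diagnose(record, aaa_clients, internal_users):
    """Map one failed-attempt record to a (category, explanation) pair."""
    msg = record["Message-Type"]
    nas_ip = record["NAS-IP-Address"]
    if msg == "Unknown NAS":
        # ACS found no AAA client whose IP matches the source of the request.
        if nas_ip in aaa_clients:
            return ("unknown-nas", f"{nas_ip} is rejected although listed locally; re-check the entry on ACS")
        hint = same_subnet_candidates(nas_ip, aaa_clients)
        note = f" (configured nearby: {', '.join(hint)})" if hint else ""
        return ("unknown-nas", f"no AAA client for {nas_ip} in Network Configuration; "
                               f"check the AAA client IP and the ASA source interface{note}")
    if msg == "Authen failed" and record["Authen-Failure-Code"] == "ACS user unknown":
        user = record["User-Name"]
        if user in internal_users:
            return ("unexpected", f"{user} exists internally yet was reported unknown")
        return ("user-unknown", f"{user} is not in the internal DB and no Unknown User Policy "
                                f"database returned it")
    return ("other", f"{msg}: {record['Authen-Failure-Code'] or 'no failure code'}")


def summarize(text, aaa_clients, internal_users):
    """Count diagnosis categories over a whole export."""
    counts = Counter()
    for record in parse_failed_attempts(text):
        counts[diagnose(record, aaa_clients, internal_users)[0]] += 1
    return dict(counts)


if __name__ == "__main__":
    for rec in parse_failed_attempts(SAMPLE_FAILED_ATTEMPTS):
        category, why = diagnose(rec, CONFIGURED_AAA_CLIENTS, INTERNAL_USERS)
        print(f"{rec['Date']} {rec['Time']} [{category}] {why}")
    print(summarize(SAMPLE_FAILED_ATTEMPTS, CONFIGURED_AAA_CLIENTS, INTERNAL_USERS))
```

Running it on a real export from Reports and Activities, with your own AAA client list filled in, separates the two failure modes the thread went through: the NAS entry on ACS not matching the address the ASA actually sources from, and the user lookup failing once the NAS is accepted.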