RSA Ace Server Authentication Problem

Can someone please help me because this is driving me insane!

I'm trying to authenticate via an RSA ACE RADIUS server (version 6.0) and I continue to get authentication failures. Anyone have any suggestions please!

ACE RADIUS debug output (IP 10.2.2.5):

adius/ace_radius/ace_radius_dbapi.cpp(133): Preparing...
adius/ace_radius/ace_radius_dbapi.cpp(150): Connecting...
adius/ace_radius/ace_radius_dbapi.cpp(208): Connected successfully.
adius/ace_radius/ace_radius_database.cpp(1748): Search for challenge profile
adius/ace_radius/ace_radius_dbapi.cpp(1357): No challenge profile found.
adius/ace_radius/ace_radius_receive.cpp(174): Received auth packet
adius/ace_radius/ace_radius_database.cpp(416): Attribute 1 Length 6
adius/ace_radius/ace_radius_database.cpp(416): Attribute 2 Length 18
adius/ace_radius/ace_radius_database.cpp(416): Attribute 5 Length 6
adius/ace_radius/ace_radius_database.cpp(416): Attribute 87 Length 7
adius/ace_radius/ace_radius_database.cpp(416): Attribute 61 Length 6
adius/ace_radius/ace_radius_database.cpp(416): Attribute 31 Length 10
adius/ace_radius/ace_radius_database.cpp(416): Attribute 4 Length 6
adius/ace_radius/ace_radius_dbapi.cpp(384): Get NAS Secret - Start.
adius/ace_radius/ace_radius_dbapi.cpp(504): No trusted mode
adius/ace_radius/ace_radius_dbapi.cpp(513): Search by address (10.2.2.6)
adius/ace_radius/ace_radius_dbapi.cpp(557): Found client right away.
adius/ace_radius/ace_radius_dbapi.cpp(618): Got secret.
adius/ace_radius/ace_radius_database.cpp(704): Request ID of received packet 6
adius/ace_radius/ace_radius_auth.cpp(567): Request is OK
adius/ace_radius/ace_radius_auth.cpp(574): Retransmitting request to ourselves.
adius/ace_radius/ace_radius_auth.cpp(181): Client address 10.2.2.6
adius/ace_radius/ace_radius_auth.cpp(707): Authentication failed.
adius/ace_radius/ace_radius_response.cpp(63): Top of response loop.
adius/ace_radius/ace_radius_response.cpp(151): Formatting response to packet ID 6
adius/ace_radius/ace_radius_response.cpp(293): Length of profile 0
adius/ace_radius/ace_radius_response.cpp(71): Response size is 37.
adius/ace_radius/ace_radius_response.cpp(92): Sent 37 bytes
adius/ace_radius/ace_radius_garbage.cpp(61): Cleaned main hash.
adius/ace_radius/ace_radius_garbage.cpp(61): Cleaned main hash.

Router config:

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
aaa authentication login DIALIN group radius
aaa authentication ppp DIALIN if-needed group radius
!
aaa session-id common
!
resource policy
!
no network-clock-participate slot 1
no network-clock-participate wic 0
ip subnet-zero
ip cef
!
no ip dhcp use vrf connected
!
no ftp-server write-enable
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.2.2.6 255.0.0.0
 duplex auto
 speed auto
!
ip classless
!
ip http server
!
radius-server host 10.2.2.5 auth-port 1645 acct-port 1646
radius-server key thisisakey
!
control-plane
!
line con 0
line 33 40
line aux 0
line vty 0 4
 login authentication DIALIN
!
end

-- RPO83
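The trace above shows the RADIUS layer working as designed: the server looks up the NAS by source address (10.2.2.6), finds the shared secret, lists the seven attributes in the Access-Request, and then answers with a 37-byte packet (a 20-byte RADIUS header plus one attribute totalling 17 bytes). The following is an added example, not code from the thread or from RSA or Cisco, that builds the same kind of Access-Request with the attribute types and lengths the trace reports, parses it back the way the server's "Attribute N Length M" lines do, and checks the Response Authenticator of the reply against the shared key. It uses the NAS address 10.2.2.6 and the key `thisisakey` from the posted config; the user name, password, port number, port ID and calling number are constructed sample values, and `demo()` is a helper name chosen here.

```python
"""RFC 2865 Access-Request / Access-Reject round trip with shared-secret checks.
Added example; not the thread's, RSA's or Cisco's code."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# Attribute types seen in the ACE trace, in the same order they were logged.
USER_NAME, USER_PASSWORD, NAS_PORT, NAS_PORT_ID = 1, 2, 5, 87
NAS_PORT_TYPE, CALLING_STATION_ID, NAS_IP_ADDRESS, REPLY_MESSAGE = 61, 31, 4, 18

SECRET = b"thisisakey"                 # from the posted 'radius-server key'
NAS_IP = bytes([10, 2, 2, 6])          # from the posted FastEthernet0/1 address
# Constructed sample values (user, password, tty, calling number are made up).
SAMPLE_ATTRS = [
    (USER_NAME, b"user"),
    (USER_PASSWORD, b"pass1234"),
    (NAS_PORT, struct.pack("!I", 33)),
    (NAS_PORT_ID, b"tty33"),
    (NAS_PORT_TYPE, struct.pack("!I", 0)),       # 0 = Async
    (CALLING_STATION_ID, b"55512345"),
    (NAS_IP_ADDRESS, NAS_IP),
]


def encode_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad to a multiple of 16, XOR each block with MD5(secret + previous block)."""
    pad = (16 - len(password) % 16) % 16
    padded = (password + b"\x00" * pad) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_password(hidden, secret, authenticator):
    """Inverse of encode_password; the server side needs the same secret to recover it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(a ^ b for a, b in zip(block, key)), block
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, attrs, authenticator=None):
    """Code(1) Identifier(1) Length(2) Authenticator(16) then TLV attributes."""
    authenticator = authenticator or os.urandom(16)
    body = b""
    for atype, value in attrs:
        if atype == USER_PASSWORD:
            value = encode_password(value, secret, authenticator)
        body += struct.pack("!BB", atype, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def parse_packet(packet):
    """Return (code, id, authenticator, [(type, length, value)]) like the trace's attribute lines."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, off = [], 20
    while off < length:
        atype, alen = packet[off], packet[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("malformed attribute at offset %d" % off)
        attrs.append((atype, alen, packet[off + 2:off + alen]))
        off += alen
    return code, ident, packet[4:20], attrs


def build_response(code, request, secret, attrs=()):
    """Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    resp_auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + resp_auth + body


def verify_response(response, request, secret):
    """A NAS with the wrong shared key fails here and silently drops the reply."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def demo():
    """Round trip with the trace's packet ID 6; fixed authenticator so the result is repeatable."""
    request = build_access_request(6, SECRET, SAMPLE_ATTRS, authenticator=bytes(range(16)))
    code, ident, req_auth, attrs = parse_packet(request)
    hidden_pw = next(v for t, _, v in attrs if t == USER_PASSWORD)
    reject = build_response(ACCESS_REJECT, request, SECRET, [(REPLY_MESSAGE, b"Access denied")])
    return {
        "lengths": [(t, l) for t, l, _ in attrs],      # matches the 'Attribute N Length M' lines
        "password": decode_password(hidden_pw, SECRET, req_auth),
        "reject_len": len(reject),
        "ok_secret": verify_response(reject, request, SECRET),
        "bad_secret": verify_response(reject, request, b"wrongkey"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The attribute lengths the example produces (1/6, 2/18, 5/6, 87/7, 61/6, 31/10, 4/6) are exactly those in the trace, which is why a key mismatch at the RADIUS layer would not look like this: the server decoded the request, found the client and its secret, and still rejected. A shared-key mismatch shows up the other way round, as the NAS discarding replies whose Response Authenticator does not verify, which is what `verify_response` returning `False` models.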

Have you created the IOS router as an agent host in the RSA server? Are there any "node secret created"?

/Martin

-- Martin Bilgrav

Hey Martin,

Thanks for your reply!

I have set the router up as a "Communications Server" and set "Open to all locally known users" to on. All the addresses and ports line up (I'm pretty sure).

The "Node Secret Created" box is greyed out.

As far as I can tell, the requests get to the RADIUS server (running on Windows 2003 Server with SP1), but get rejected for some reason. Under the ACE Server Log Monitor the error I get is "Node verification failed". The keys set on the router and the RADIUS server are also the same.

Suggestions?

Steve

-- RPO83

"RPO83" wrote in message news: snipped-for-privacy@f14g2000cwb.googlegroups.com...

That is correct.

Means the router hasn't talked successfully with the SDI yet; the very first time it does, it will create the secret. This is your issue.

Means that the secret is wrong. ... Under the Agent setup screen, what happens if you, only for the test of it, delete the "network address" (IP address) and the "Name", and then just try typing the hostname under "Name" and press the TAB key? (You should see that the name gets resolved into an IP address.) If nothing happens, then try adding the name and IP to the server's hosts file.

RADIUS keys, right? Are the ports the same as on the server?

Not really ... maybe something with name resolution or filters in between. But the fact that you get log entries indicates that the IOS is OK.

-- Martin Bilgrav

Hmmm.....

I take your point with the node secret. So how do I get the router to talk with the SDI and exchange the secret?

The key is definitely correct. I've verified this on numerous occasions both on the router and the ACE Server. So is the name resolution.

I have also tried the configuration with the default ports (1645 and 1646) as well as the Windows RADIUS ports (1812 and 1813).

Once again thanks for your help!

-- RPO83

Could it be your IOS version?

I have briefly tried to Google ... 8)

formatting link
Two PDFs listed...

-- Martin Bilgrav

Just for info: do you have ANY device that is currently operating with the ACE/Server?

-- Martin Bilgrav

Hey Martin,

Again thanks for your assistance!

I've fixed the problem, but I don't know how or why it's fixed.

Basically I kept the same Router Config, but rebuilt the RSA ACE server in accordance with the Cisco document called "Cisco Security Associate Design Guide for RSA SecurID"

I still have one small problem, that being I haven't worked out the passcode part of the authentication (I've got straight user passwords without the keyfob working), but that's a relatively minor thing.

So in short, IOS was fine; the ACE Server was the drama. I can't put my finger on the exact problem, except that since I was using RSA on Windows 2003 with SP1, I patched the RSA server with the appropriate fixes. So maybe that was the solution?!?!?

Cheers! Steve

-- RPO83

OK - I have to have a look at that - do you have a URL you could spare?

8)

If I recall correctly, you have to set up the modem clients to "bring up terminal" after connect, and in there they can authenticate themselves, and after that continue by closing the terminal window.

I will have to dig into the "old" doc storage on my PC to find the old one, but I will try.

Yes, I think you are right - recently I noticed an RSA mail mentioning that some specific patch had to be installed in a special way, without reboot. Win2k3 SP1 is kinda special - I have my doubts as well, as I have to get LMS 2.5 running on one of these soon ...

Cheers!

-- Martin Bilgrav

Martin,

I can't seem to find the URL of that specific file, but I have a copy of it that I can send to your email address if you like.

As for the dial-in problem, that's all sorted out now. Now off to see how to integrate this into a PIX firewall. More fun! hahahah :)

Off to learn firewalls....

Steve

-- RPO83

Please do email it to me - reply to this and edit the email for the obvious. PIX firewalls are a piece of cake ... you need this as a VPN RAS user setup, or?

-- Martin Bilgrav

You get the file OK?

-- RPO83

Yes, thank you. I did receive it just fine. I am currently working on a CiscoWorks LMS installation, so I have to wait with the RSA upgrade.

-- Martin Bilgrav
