RSA Ace Server Authentication Problem

Discussion in 'Cisco' started by RPO83, Sep 5, 2005.

  1. RPO83

    RPO83 Guest

    Can someone please help me becasue this is drving me insane!

    I'm trying to authenticate via a RSA ACE Radius server (Version 6.0)
    and I continue to get authentication failures. Anyone have any
    suggestions please!

    Ace Radius debug output (IP
    adius/ace_radius/ace_radius_dbapi.cpp(133): Preparing...
    adius/ace_radius/ace_radius_dbapi.cpp(150): Connecting...
    adius/ace_radius/ace_radius_dbapi.cpp(208): Connected successfully.
    adius/ace_radius/ace_radius_database.cpp(1748): Search for challenge
    adius/ace_radius/ace_radius_dbapi.cpp(1357): No challenge profile
    adius/ace_radius/ace_radius_receive.cpp(174): Received auth packet
    adius/ace_radius/ace_radius_database.cpp(416): Attribute 1 Length 6
    adius/ace_radius/ace_radius_database.cpp(416): Attribute 2 Length 18
    adius/ace_radius/ace_radius_database.cpp(416): Attribute 5 Length 6
    adius/ace_radius/ace_radius_database.cpp(416): Attribute 87 Length 7
    adius/ace_radius/ace_radius_database.cpp(416): Attribute 61 Length 6
    adius/ace_radius/ace_radius_database.cpp(416): Attribute 31 Length 10
    adius/ace_radius/ace_radius_database.cpp(416): Attribute 4 Length 6
    adius/ace_radius/ace_radius_dbapi.cpp(384): Get NAS Secret - Start.
    adius/ace_radius/ace_radius_dbapi.cpp(504): No trusted mode
    adius/ace_radius/ace_radius_dbapi.cpp(513): Search by address
    adius/ace_radius/ace_radius_dbapi.cpp(557): Found client right away.
    adius/ace_radius/ace_radius_dbapi.cpp(618): Got secret.
    adius/ace_radius/ace_radius_database.cpp(704): Request ID of received
    packet 6
    adius/ace_radius/ace_radius_auth.cpp(567): Request is OK
    adius/ace_radius/ace_radius_auth.cpp(574): Retransmitting request to
    adius/ace_radius/ace_radius_auth.cpp(181): Client address
    adius/ace_radius/ace_radius_auth.cpp(707): Authentication failed.
    adius/ace_radius/ace_radius_response.cpp(63): Top of response loop.
    adius/ace_radius/ace_radius_response.cpp(151): Formatting response to
    packet ID 6
    adius/ace_radius/ace_radius_response.cpp(293): Length of profile 0
    adius/ace_radius/ace_radius_response.cpp(71): Response size is 37.
    adius/ace_radius/ace_radius_response.cpp(92): Sent 37 bytes
    adius/ace_radius/ace_radius_garbage.cpp(61): Cleaned main hash.
    adius/ace_radius/ace_radius_garbage.cpp(61): Cleaned main hash.

    Router Config:
    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Router
    aaa new-model
    aaa authentication login DIALIN group radius
    aaa authentication ppp DIALIN if-needed group radius
    aaa session-id common
    resource policy
    no network-clock-participate slot 1
    no network-clock-participate wic 0
    ip subnet-zero
    ip cef
    no ip dhcp use vrf connected
    no ftp-server write-enable
    interface FastEthernet0/0
    no ip address
    duplex auto
    speed auto
    interface FastEthernet0/1
    ip address
    duplex auto
    speed auto
    ip classless
    ip http server
    radius-server host auth-port 1645 acct-port 1646
    radius-server key thisisakey
    line con 0
    line 33 40
    line aux 0
    line vty 0 4
    login authentication DIALIN
    RPO83, Sep 5, 2005
    1. Advertisements

  2. have you created the IOS ROuter as a agent host in the RSA Server ?
    Are there any "node secret created" ?

    Martin Bilgrav, Sep 5, 2005
    1. Advertisements

  3. RPO83

    RPO83 Guest

    Hey Martin,

    Thanks for your reply!

    I have set the router up as a "Communications Server" and set" Open to
    all locally known users" to on. All the addresses and ports all line up
    (I'm pretty sure)

    The "Node Secret Created" box is greyed out.

    As far as I can tell, the requests get to the Radius server (running on
    Windows 2003 server with SP1), but get rejected for some reason. Under
    the Ace Server Log Monitor the error I get is "Node verification
    failed". They keys set on the router and the Radius server also are the


    RPO83, Sep 6, 2005
  4. that is correct

    means the router havent talk succesfully with the SDI yet - the very first
    time it does this, it will create the secret.
    This is your issue
    Means tha the secret is wrong. ...
    Under the Agent setup screen, what happends if you , only for the test of
    it, delete the "netwrok address" (IP address) and the
    "Name", and the just try type in the hostname under "Name" and press
    TAB-key ?
    (You should see t hat the name get resolved into a IP address)
    If notthing happens, then try add the name and IP to the servers hosts-file
    Radius keys, right ?
    are the ports the same as on the server ?
    not really ...
    maybe something with namesolution or filters inbetween.
    but the fact that you get log entries, indikate that the IOS is ok.
    Martin Bilgrav, Sep 6, 2005
  5. RPO83

    RPO83 Guest


    I take your point with the node secret. So how do I get the router to
    talk with the SDI and exchange the secret?

    The key is definately correct. I've verified this on numerous occasions
    bot on the router and the ACE Server.
    So is the name resolution.

    I have also tried the configuration with the default ports (1645 and
    1646) as well as windows radius ports (1812 and 1813).

    Once again thanks for your help!
    RPO83, Sep 9, 2005
  6. Martin Bilgrav, Sep 9, 2005
  7. Just for info: Do you have ANY device that are currently operation with the
    ACE/Server ?
    Martin Bilgrav, Sep 9, 2005
  8. RPO83

    RPO83 Guest

    Hey Martin

    Again thanks for your assistance!

    I've fixed the problem, but I dont know how or why its fixed.

    Basically I kept the same Router Config, but rebuilt the RSA ACE server
    in accordance with the Cisco document called "Cisco Security Associate
    Design Guide for RSA SecurID"

    I still have one small problem, that being I havent worked out the
    passcode part of the authentication (I've got straight user passwords
    without the keyfob working) but thats a realtively minor thing.

    So in short, IOS was fine, the ACE Server was the drama. I cant put my
    finger on the exact problem, except since I was using RSA on Windows
    2003 with SP1, I patched the RSA server with the approprate fixes. So
    maybe that was the solution?!?!?

    RPO83, Sep 22, 2005
  9. ok - i have to have look at that - do you have a URL, you could spare ?
    If I recall correctly, you have to setup the modem clients to "bring up
    terminal" after connect, and in there you can authenticate themselfs, and
    after that continue, by closing the term-window.

    I will have to dig into the "old" doc-storage on my PC to find the old, but
    i will try
    Yes, I think you are right - recently I noticed a RSA mail, mention that, in
    some specific patch had to be installed in a special way, without reboot
    win2k3sp1 is kinda special - I have my doubts aswell, as I have to get
    LMS2.5 running on one of these soon ...
    SKÅL !
    Martin Bilgrav, Sep 23, 2005
  10. RPO83

    RPO83 Guest


    I cant seem to find the URL of that specific file, but I have a copy of
    it that I can send to you to your email address if you like.

    As for the dialin problem, thats all sorted out now. Now off to see how
    to integrate this into a PIX firewall
    More fun! hahahah

    off to learn firewalls....

    RPO83, Sep 29, 2005
  11. Please do email it to me - reply to this and edit the email for the obvious
    PIX firewalls are a peace of cake ...
    you need this as a VPN RAS User setup or ?
    Martin Bilgrav, Sep 29, 2005
  12. RPO83

    RPO83 Guest

    You get the file OK?
    RPO83, Oct 25, 2005
  13. yes, thank you.
    I did recieve it just fine
    I am currently working on a Ciscoworks LMS installation, so I have to wait
    with the RSA upgrade.
    Martin Bilgrav, Oct 25, 2005
  14. RPO83


    Jan 8, 2008
    Likes Received:

    I understand that you were trying to get your dialup users to access internal resouces using the RSA ACE two-factor authentication.

    I am also trying the same please can you help me with this setup..


    bhattii, Jan 8, 2008
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.