RSA Ace Server Authentication Problem

Discussion in 'Cisco' started by RPO83, Sep 5, 2005.

  1. RPO83


    Can someone please help me because this is driving me insane!

    I'm trying to authenticate via a RSA ACE Radius server (Version 6.0)
    and I continue to get authentication failures. Anyone have any
    suggestions please!

    Ace Radius debug output (IP 10.2.2.5):
    adius/ace_radius/ace_radius_dbapi.cpp(133): Preparing...
    adius/ace_radius/ace_radius_dbapi.cpp(150): Connecting...
    adius/ace_radius/ace_radius_dbapi.cpp(208): Connected successfully.
    adius/ace_radius/ace_radius_database.cpp(1748): Search for challenge profile
    adius/ace_radius/ace_radius_dbapi.cpp(1357): No challenge profile found.
    adius/ace_radius/ace_radius_receive.cpp(174): Received auth packet
    adius/ace_radius/ace_radius_database.cpp(416): Attribute 1 Length 6
    adius/ace_radius/ace_radius_database.cpp(416): Attribute 2 Length 18
    adius/ace_radius/ace_radius_database.cpp(416): Attribute 5 Length 6
    adius/ace_radius/ace_radius_database.cpp(416): Attribute 87 Length 7
    adius/ace_radius/ace_radius_database.cpp(416): Attribute 61 Length 6
    adius/ace_radius/ace_radius_database.cpp(416): Attribute 31 Length 10
    adius/ace_radius/ace_radius_database.cpp(416): Attribute 4 Length 6
    adius/ace_radius/ace_radius_dbapi.cpp(384): Get NAS Secret - Start.
    adius/ace_radius/ace_radius_dbapi.cpp(504): No trusted mode
    adius/ace_radius/ace_radius_dbapi.cpp(513): Search by address (10.2.2.6)
    adius/ace_radius/ace_radius_dbapi.cpp(557): Found client right away.
    adius/ace_radius/ace_radius_dbapi.cpp(618): Got secret.
    adius/ace_radius/ace_radius_database.cpp(704): Request ID of received packet 6
    adius/ace_radius/ace_radius_auth.cpp(567): Request is OK
    adius/ace_radius/ace_radius_auth.cpp(574): Retransmitting request to ourselves.
    adius/ace_radius/ace_radius_auth.cpp(181): Client address 10.2.2.6
    adius/ace_radius/ace_radius_auth.cpp(707): Authentication failed.
    adius/ace_radius/ace_radius_response.cpp(63): Top of response loop.
    adius/ace_radius/ace_radius_response.cpp(151): Formatting response to packet ID 6
    adius/ace_radius/ace_radius_response.cpp(293): Length of profile 0
    adius/ace_radius/ace_radius_response.cpp(71): Response size is 37.
    adius/ace_radius/ace_radius_response.cpp(92): Sent 37 bytes
    adius/ace_radius/ace_radius_garbage.cpp(61): Cleaned main hash.
    adius/ace_radius/ace_radius_garbage.cpp(61): Cleaned main hash.

    Router Config:
    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    aaa new-model
    !
    aaa authentication login DIALIN group radius
    aaa authentication ppp DIALIN if-needed group radius
    !
    aaa session-id common
    !
    resource policy
    !
    no network-clock-participate slot 1
    no network-clock-participate wic 0
    ip subnet-zero
    ip cef
    !
    no ip dhcp use vrf connected
    !
    no ftp-server write-enable
    !
    interface FastEthernet0/0
    no ip address
    shutdown
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    ip address 10.2.2.6 255.0.0.0
    duplex auto
    speed auto
    !
    ip classless
    !
    ip http server
    !
    radius-server host 10.2.2.5 auth-port 1645 acct-port 1646
    radius-server key thisisakey
    !
    control-plane
    !
    line con 0
    line 33 40
    line aux 0
    line vty 0 4
    login authentication DIALIN
    !
    end
     
    RPO83, Sep 5, 2005
    #1

  2. Have you created the IOS router as an agent host in the RSA Server?
    Is there any "node secret created"?

    /Martin
     
    Martin Bilgrav, Sep 5, 2005
    #2

  3. RPO83


    Hey Martin,

    Thanks for your reply!

    I have set the router up as a "Communications Server" and set "Open to
    all locally known users" to on. All the addresses and ports line up
    (I'm pretty sure).

    The "Node Secret Created" box is greyed out.

    As far as I can tell, the requests get to the Radius server (running on
    Windows 2003 server with SP1), but get rejected for some reason. Under
    the Ace Server Log Monitor the error I get is "Node verification
    failed". The keys set on the router and the Radius server are also the
    same.

    Suggestions?

    Steve
     
    RPO83, Sep 6, 2005
    #3
  4. That is correct.

    It means the router hasn't talked successfully with the SDI yet - the very first
    time it does this, it will create the secret.
    This is your issue.
    It means that the secret is wrong. ...
    Under the Agent setup screen, what happens if you, only for the test of
    it, delete the "network address" (IP address) and the
    "Name", and then just try typing in the hostname under "Name" and press
    the TAB key?
    (You should see that the name gets resolved into an IP address.)
    If nothing happens, then try adding the name and IP to the server's hosts file.
    Radius keys, right?
    Are the ports the same as on the server?
    Not really ...
    Maybe something with name resolution or filters in between.
    But the fact that you get log entries indicates that the IOS is OK.
     
    Martin Bilgrav, Sep 6, 2005
    #4
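    As an added illustration (not code from the thread or from RSA/Cisco), the following Python script rebuilds a RADIUS Access-Request whose attribute list matches the ACE debug output in the first post (types 1, 2, 5, 87, 61, 31, 4 with lengths 6, 18, 6, 7, 6, 10, 6, Request ID 6) and shows why a shared-secret mismatch of the kind Martin is asking about shows up only as "Authentication failed": per RFC 2865 §5.2 the secret is never sent on the wire, it is used to hide User-Password, so a NAS and server holding different secrets simply disagree on what the password was. The authenticator, username, password and port values are constructed for the demonstration; the only value taken from the thread is the router's key `thisisakey`. The RSA "node secret" that Martin describes is a separate, per-agent secret and is not modelled here.

    ```python
    import hashlib
    import struct

    # RFC 2865 attribute numbers for the types listed in the ACE debug output
    ATTR_NAMES = {
        1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
        31: "Calling-Station-Id", 61: "NAS-Port-Type", 87: "NAS-Port-Id",
    }
    ACCESS_REQUEST = 1

    # Constructed for determinism; a real NAS picks a fresh random authenticator per request.
    CONSTRUCTED_AUTHENTICATOR = bytes(range(16))


    def hide_password(password, secret, authenticator):
        """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block with
        MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
        padded = password + b"\x00" * (-len(password) % 16)
        out, prev = b"", authenticator
        for i in range(0, len(padded), 16):
            digest = hashlib.md5(secret + prev).digest()
            block = bytes(p ^ d for p, d in zip(padded[i:i + 16], digest))
            out, prev = out + block, block
        return out


    def reveal_password(hidden, secret, authenticator):
        """Inverse of hide_password. With the wrong secret the MD5 keystream differs,
        so the result is an unrelated byte string rather than an error."""
        out, prev = b"", authenticator
        for i in range(0, len(hidden), 16):
            digest = hashlib.md5(secret + prev).digest()
            block = hidden[i:i + 16]
            out += bytes(h ^ d for h, d in zip(block, digest))
            prev = block
        return out.rstrip(b"\x00")


    def build_access_request(ident, authenticator, attrs):
        """Code(1) Identifier(1) Length(2) Authenticator(16) then TLV attributes, L = len(V) + 2."""
        body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
        return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


    def parse_packet(packet):
        """Decode header and attributes, rejecting lengths that run past the packet."""
        code, ident, length = struct.unpack("!BBH", packet[:4])
        if length < 20 or length > len(packet):
            raise ValueError("RADIUS length field inconsistent with packet")
        authenticator = packet[4:20]
        attrs, pos = [], 20
        while pos < length:
            t, l = packet[pos], packet[pos + 1]
            if l < 2 or pos + l > length:
                raise ValueError("malformed attribute at offset %d" % pos)
            attrs.append((t, packet[pos + 2:pos + l]))
            pos += l
        return code, ident, authenticator, attrs


    def build_sample_request():
        """Constructed request mirroring the debug: attrs 1,2,5,87,61,31,4 with
        lengths 6,18,6,7,6,10,6 and Request ID 6. Values other than the key are made up."""
        secret = b"thisisakey"  # the radius-server key from the posted router config
        attrs = [
            (1, b"user"),                                                     # User-Name, 4 chars
            (2, hide_password(b"1234", secret, CONSTRUCTED_AUTHENTICATOR)),   # one 16-byte block
            (5, struct.pack("!I", 33)),                                       # NAS-Port
            (87, b"tty33"),                                                   # NAS-Port-Id
            (61, struct.pack("!I", 0)),                                       # NAS-Port-Type 0 = Async
            (31, b"55512345"),                                                # Calling-Station-Id
            (4, bytes([10, 2, 2, 6])),                                        # NAS-IP-Address
        ]
        return build_access_request(6, CONSTRUCTED_AUTHENTICATOR, attrs)


    def attribute_summary(packet):
        """Return [(type, name, length)] in the form the ACE debug prints them."""
        return [(t, ATTR_NAMES.get(t, "?"), len(v) + 2) for t, v in parse_packet(packet)[3]]


    def recover_password(packet, secret):
        """What the server side sees for User-Password under a given shared secret."""
        _, _, authenticator, attrs = parse_packet(packet)
        return reveal_password(dict(attrs)[2], secret, authenticator)


    if __name__ == "__main__":
        pkt = build_sample_request()
        for t, name, length in attribute_summary(pkt):
            print(f"Attribute {t} ({name}) Length {length}")
        print("right secret:", recover_password(pkt, b"thisisakey"))
        print("wrong secret:", recover_password(pkt, b"not-the-key"))
    ```

    Running it prints the same seven "Attribute N Length M" lines as the debug and then the password as decoded with the configured key versus a mismatched one; the second decode is garbage, which is exactly the situation a server can only report as a failed authentication. This is why comparing the key string on both ends, as Steve did, is the only direct check, and why the debug output alone cannot distinguish a wrong secret from a bad password.
    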
  5. RPO83


    hmmm.....

    I take your point with the node secret. So how do I get the router to
    talk with the SDI and exchange the secret?

    The key is definitely correct. I've verified this on numerous occasions
    both on the router and the ACE Server.
    So is the name resolution.

    I have also tried the configuration with the default ports (1645 and
    1646) as well as windows radius ports (1812 and 1813).

    Once again thanks for your help!
     
    RPO83, Sep 9, 2005
    #5
  6. Martin Bilgrav, Sep 9, 2005
    #6
  7. Just for info: do you have ANY device that is currently operating with the
    ACE/Server?
     
    Martin Bilgrav, Sep 9, 2005
    #7
  8. RPO83


    Hey Martin

    Again thanks for your assistance!

    I've fixed the problem, but I don't know how or why it's fixed.

    Basically I kept the same Router Config, but rebuilt the RSA ACE server
    in accordance with the Cisco document called "Cisco Security Associate
    Design Guide for RSA SecurID"

    I still have one small problem, that being I haven't worked out the
    passcode part of the authentication (I've got straight user passwords
    without the keyfob working), but that's a relatively minor thing.

    So in short, IOS was fine, the ACE Server was the drama. I can't put my
    finger on the exact problem, except since I was using RSA on Windows
    2003 with SP1, I patched the RSA server with the appropriate fixes. So
    maybe that was the solution?!?!?

    Cheers!
    Steve
     
    RPO83, Sep 22, 2005
    #8
  9. OK - I have to have a look at that - do you have a URL you could spare?
    8)
    If I recall correctly, you have to set up the modem clients to "bring up
    terminal" after connect, and in there they can authenticate themselves, and
    after that continue by closing the term window.

    I will have to dig into the "old" doc storage on my PC to find the old one, but
    I will try.
    Yes, I think you are right - recently I noticed an RSA mail mentioning that
    some specific patch had to be installed in a special way, without reboot.
    win2k3sp1 is kinda special - I have my doubts as well, as I have to get
    LMS2.5 running on one of these soon ...
    SKÅL !
     
    Martin Bilgrav, Sep 23, 2005
    #9
  10. RPO83


    Martin

    I can't seem to find the URL of that specific file, but I have a copy of
    it that I can send to your email address if you like.

    As for the dialin problem, that's all sorted out now. Now off to see how
    to integrate this into a PIX firewall.
    More fun! hahahah
    :)

    Off to learn firewalls....

    Steve
     
    RPO83, Sep 29, 2005
    #10
  11. Please do email it to me - reply to this and edit the email for the obvious.
    PIX firewalls are a piece of cake ...
    Do you need this as a VPN RAS user setup, or?
     
    Martin Bilgrav, Sep 29, 2005
    #11
  12. RPO83


    You get the file OK?
     
    RPO83, Oct 25, 2005
    #12
  13. Yes, thank you.
    I did receive it just fine.
    I am currently working on a Ciscoworks LMS installation, so I have to wait
    with the RSA upgrade.
     
    Martin Bilgrav, Oct 25, 2005
    #13
  14. bhattii
    HI

    I understand that you were trying to get your dialup users to access internal resources using the RSA ACE two-factor authentication.

    I am also trying the same; please can you help me with this setup.

    Regards

    Imran
     
    bhattii, Jan 8, 2008
    #14