ACS with Checkpoint

Unanswered Question
May 1st, 2007

Hi,

We have a Checkpoint Firewall using ACS for authentication with RADIUS protocol.

We have two ACS servers configured as primary and secondary on the Checkpoint. Both the ACS servers are configured to use AD as the external database.

Checkpoint is forwarding the authentication request to the primary ACS server. The primary ACS server receives the request and keeps trying to authenticate with the AD. For some reason, the authentication is failing. Please check the attached failed login attempt log. ACS tries the authentication many times and hence the account of the user is being locked out on the AD.

Meanwhile, Checkpoint does not receive any response from the primary ACS server, so it goes to the secondary ACS server. Checkpoint is able to authenticate with the secondary ACS server.

To add more information to the case, the primary ACS server is successfully authenticating requests from wireless Access Points for the same user accounts.

The External Database configuration on both the ACS servers looks the same.

Please let me know what could be the problem and why the primary ACS server is not authenticating requests from Checkpoint, while it can authenticate requests from wireless Access Points.

Regards,

Suresh

Attachment: 
Jagdeep Gambhir Wed, 05/02/2007 - 04:48

Hi Suresh,

What is the version of ACS? I assume both are on the same code? Can you please check the shared secret key on Check Point and on ACS? Retype the key manually (do not copy-paste).

If the issue is still there, then I would like to see package.cab (logs) from ACS.

Also let me know if it is an ACS appliance or ACS running on a Windows server, so that I can tell you the steps for generating package.cab.

Regards,

sureshkrishnan Wed, 05/02/2007 - 08:19

Hi,

Thank you very much for your response.

The ACS version is 3.3. Yes, both the servers are running the same code. We have checked the shared secret key.

It is a software version of ACS running on a Windows server.

Regards,

Suresh

Jagdeep Gambhir Wed, 05/02/2007 - 09:57

Suresh,

What is the complete version, like 3.3.1, 3.3.2 or 3.3.3? Both ACS servers should be on exactly the same code.

If that is the same, then kindly follow these instructions to generate package.cab for the ACS server, even if your server is already running in detailed logging mode. Below are the steps to get package.cab:

- Log onto the ACS server.
- Use an account that is a member of the server's "Administrators" group.
- Browse to the "Utils" folder in the ACS program folder.
- By default this will be C:\Program Files\CiscoSecure ACS vX.X\Utils
- Delete any existing Temp folder in the Utils\Support folder.
- Run the program in the Utils folder called CSSupport.
- Select "Set Log Levels Only" and click Next.
- Select "Set Diagnostic Log Verbosity to Maximum."
- Put a check in the TACACS+ Packet Capture box.
- Put a check in the RADIUS Packet Capture box.
- Click Next, then click Finish.

At this point, we need to duplicate the issue. If the issue is not easily or quickly duplicated, you can skip the duplication and continue with the rest of the steps to gather the logs as they are, so I can see if the error has already been captured and check for software incompatibilities.

Do whatever is causing the problem, or wait for the problem to occur again if it's not triggered by a direct sequence of events. Once that's done, we need to gather the verbose logs created. To do so, follow the instructions below AFTER the problem has been recreated and recorded:

- Log onto the ACS server using the same account used before.
- Browse to the Utils folder.
- Run the program there called CSSupport.
- Select "Run Wizard" and click Next.
- Uncheck both "Previous Logs" boxes. ** THE PREVIOUS STEP IS IMPORTANT **
- Click Next four times.
- When the Finish button appears, click it. The CSSupport program has created Package.cab in the Support\Utils folder.

Thanks

sureshkrishnan Wed, 05/02/2007 - 15:10

Hi,

Thanks for your help.

The ACS version is 3.3(1) Build 16. Both the servers are running the same version. I have sent you the "package.cab" file and the other log files in a separate email.

The corresponding error message on the domain controller is as shown below:

*********************************

2/5/2007 20:42:53 Security Failure Audit Account Logon 680 NT AUTHORITY\SYSTEM UKSWDC02 Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Logon account: Bob

Source Workstation: CISCO

Error Code: 0xC0000234

*************************************

Regards,

Suresh

Jagdeep Gambhir Thu, 05/03/2007 - 05:17

Hi Suresh,

In the package.cab this is what I find,

5/2/2007 23:48:13 Authen failed jiwilson Global_Admins External DB account locked out jiwilson 10.64.45.1

5/2/2007 23:48:18 Authen failed jiwilson Global_Admins External DB account locked out jiwilson 10.64.45.1

AUTH 05/02/2007 23:47:14 E 0365 0728 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)

AUTH 05/02/2007 23:47:14 I 0365 0728 External DB [NTAuthenDLL.dll]: Reattempting authentication at domain PLT

AUTH 05/02/2007 23:47:14 I 0365 0728 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user jiwilson

Windows is returning error code "error 1326L"

1326L ERROR_LOGON_FAILURE : The attempted logon is invalid. This is due to either a bad user name or authentication information.

I would like you to check for a permission issue, since the same user is able to log in from the secondary ACS.

In the domain controller serving the ACS server:

- Create a user.
- To make it hard to hack, give it a very long complicated password.
- Make the user a member of Domain Admins group.
- Make the user a member of Administrators group.

On the Windows 2000 server running ACS:

- Add new user to proper local group.
-- Open "Administrative Tools" from the control panel.
-- Open "Computer Management."
-- Open "Local Users and Groups" and then "Groups."
-- Double-click the "Administrators" group.
-- Click "Add."
-- Choose the domain from the "Look in" box.
-- Double-click the user created earlier to add it.
-- Click OK.

- Give new user special rights on ACS server.
-- Open "Administrative Tools" from the control panel.
-- Open "Local Security Policy."
-- Open "Local Policies."
-- Open "User Rights Assignment."
-- Double-click on "Act as part of the operating system."
-- Click "Add."
-- Choose the domain from the "Look in" box.
-- Double-click the user created earlier to add it.
-- Click OK.
-- Double-click on "Log on as a service."
-- Click "Add."
-- Choose the domain from the "Look in" box.
-- Double-click the user created earlier to add it.
-- Click OK.

- Set the ACS services to run as the created user.
-- Open "Administrative Tools" from the control panel.
-- Open "Services."
-- Double-click the CSADMIN entry.
-- Click the "Log On" tab.
-- Click "This Account" and then the "Browse" button.
-- Choose the domain, double-click the user created earlier.
-- Click "OK."
-- Repeat for the rest of the CS services.

- Wait for Windows to apply the security policy changes, or reboot the server.
- If you rebooted the server, skip the rest of these instructions.
- Stop and then start the CSADMIN service.
- Open the ACS GUI.
- Click on System Config.
- Click on Service Control.
- Click "Restart."

Note that if the Domain Security Policy is set to override settings for "Act as part of the operating system" and "Log on as a service" rights, the user rights changes listed above will also need to be made there.

Regards,

Jagdeep
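Reading the two log fragments in this thread side by side (the ACS AUTH lines above and the domain controller's event 680 posted earlier), here is an added example that is not from the thread or from Cisco Secure ACS: a Python script that attributes each "FAILED" line to a user via the worker thread id (the FAILED line itself names no user), decodes the Win32 code 1326 and the NTSTATUS code 0xC0000234, and flags a user whose failures inside a short window reach an assumed AD lockout threshold. The sample AUTH lines are constructed in the posted format; the threshold of 5, the window of 60 seconds and the second user `otheruser` are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Codes that appear in the thread: the Win32 error ACS logs from the NT
# authentication DLL, and the NTSTATUS code in the DC's event 680.
WIN32_ERRORS = {1326: "ERROR_LOGON_FAILURE"}
NTSTATUS_CODES = {0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT"}

# Constructed sample modelled on the AUTH lines posted in the thread. One
# RADIUS request makes ACS retry the AD logon for jiwilson five times on the
# same worker thread (0728); otheruser (assumed) fails once on thread 0811.
ACS_LOG = """\
AUTH 05/02/2007 23:47:12 I 0365 0728 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user jiwilson
AUTH 05/02/2007 23:47:12 E 0365 0728 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
AUTH 05/02/2007 23:47:12 I 0365 0728 External DB [NTAuthenDLL.dll]: Reattempting authentication at domain PLT
AUTH 05/02/2007 23:47:13 I 0365 0728 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user jiwilson
AUTH 05/02/2007 23:47:13 E 0365 0728 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
AUTH 05/02/2007 23:47:13 I 0365 0728 External DB [NTAuthenDLL.dll]: Reattempting authentication at domain PLT
AUTH 05/02/2007 23:47:13 I 0365 0728 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user jiwilson
AUTH 05/02/2007 23:47:13 E 0365 0728 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
AUTH 05/02/2007 23:47:14 I 0365 0728 External DB [NTAuthenDLL.dll]: Reattempting authentication at domain PLT
AUTH 05/02/2007 23:47:14 I 0365 0728 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user jiwilson
AUTH 05/02/2007 23:47:14 E 0365 0728 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
AUTH 05/02/2007 23:47:14 I 0365 0728 External DB [NTAuthenDLL.dll]: Reattempting authentication at domain PLT
AUTH 05/02/2007 23:47:14 I 0365 0728 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user jiwilson
AUTH 05/02/2007 23:47:14 E 0365 0728 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
AUTH 05/02/2007 23:47:20 I 0365 0811 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user otheruser
AUTH 05/02/2007 23:47:20 E 0365 0811 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
"""

# The domain controller event as quoted in the thread.
DC_EVENT = """\
2/5/2007 20:42:53 Security Failure Audit Account Logon 680 NT AUTHORITY\\SYSTEM UKSWDC02 Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: Bob
Source Workstation: CISCO
Error Code: 0xC0000234
"""

LINE_RE = re.compile(
    r"^AUTH (?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (?P<lvl>[EIW]) "
    r"(?P<pid>\d+) (?P<tid>\d+) External DB \[(?P<dll>[^\]]+)\]: (?P<msg>.+)$")
ATTEMPT_RE = re.compile(r"Attempting Windows authentication for user (?P<user>\S+)")
FAILED_RE = re.compile(r"Windows authentication FAILED \(error (?P<code>\d+)L\)")
DC_CODE_RE = re.compile(r"Error Code: (0x[0-9A-Fa-f]{8})")


def parse_acs_log(text):
    """Return [(timestamp, user, win32_code)] for every failed AD logon.
    The user is taken from the last 'Attempting ... for user X' seen on the
    same thread id, which is how the DLL interleaves its messages."""
    current_user = {}  # thread id -> user currently being authenticated
    failures = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        attempt = ATTEMPT_RE.search(m["msg"])
        if attempt:
            current_user[m["tid"]] = attempt["user"]
            continue
        failed = FAILED_RE.search(m["msg"])
        if failed:
            ts = datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S")
            failures.append((ts, current_user.get(m["tid"], "?"), int(failed["code"])))
    return failures


def find_lockout_storms(failures, threshold=5, window=timedelta(seconds=60)):
    """Return {user: peak_failures} for users whose failures within `window`
    reach `threshold` (assumed lockout threshold). Sliding window per user."""
    by_user = defaultdict(list)
    for ts, user, _code in failures:
        by_user[user].append(ts)
    storms = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                storms[user] = max(storms.get(user, 0), count)
    return storms


def decode_dc_event(text):
    """Map the NTSTATUS in an event 680 'Error Code:' line to its name."""
    m = DC_CODE_RE.search(text)
    if not m:
        return None
    return NTSTATUS_CODES.get(int(m.group(1), 16), "unknown NTSTATUS " + m.group(1))


if __name__ == "__main__":
    fails = parse_acs_log(ACS_LOG)
    for ts, user, code in fails:
        print(ts, user, WIN32_ERRORS.get(code, code))
    print("lockout storms:", find_lockout_storms(fails))
    print("DC event says:", decode_dc_event(DC_EVENT))
```

The point of correlating the two logs is the one Suresh makes below: the DC only sees the lockout (0xC0000234) after the fact, while the ACS diagnostic log shows the retry loop that produced it, so the intermediary, not the end user, is the source of the repeated bad logons.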

sureshkrishnan Thu, 05/03/2007 - 06:54

Hi Jagdeep,

While I try this, I would like to highlight that the same users are able to login using the Wireless Access Point against the same ACS server.

Also, the account lockouts in the logs are because ACS is trying to authenticate the user multiple times and is failing to do so for each request from Checkpoint.

Thanks for your assistance.

Regards,

Suresh
