AAA, ASA, IAS, AD

Unanswered Question
May 16th, 2009

Hey people. I'm sitting in front of an ASA 5510 firewall and have a problem with authenticating users.

3|May 16 2009 22:12:40|109026: [ RADIUS ] Invalid reply digest received; shared server key may be mismatched.

3|May 16 2009 22:12:30|109026: [ RADIUS ] Invalid reply digest received; shared server key may be mismatched.

asdm image disk0:/asdm506.bin
asdm history enable
: Saved
:
ASA Version 7.0(6)
!
hostname FW02
domain-name
enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif Inside
 security-level 100
 ip address 192.168.5.2 255.255.255.0
!
interface Ethernet0/1
 shutdown
 nameif Outside
 security-level 0
 ip address 211.16.20.35 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif Management
 security-level 100
 ip address 192.168.10.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
pager lines 24
logging enable
logging asdm informational
mtu Inside 1500
mtu Outside 1500
mtu Management 1500
asdm image disk0:/asdm506.bin
asdm history enable
arp timeout 14400
route Inside 192.168.1.0 255.255.255.0 192.168.1.2 1
!
router ospf 1
 network 192.168.5.0 255.255.255.0 area 0
 network 192.168.10.0 255.255.255.0 area 0
 network 211.16.20.0 255.255.255.0 area 0
 area 0 authentication message-digest
 log-adj-changes
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server Tech_Radius protocol radius
 accounting-mode simultaneous
 max-failed-attempts 5
aaa-server Tech_Radius host 192.168.1.1
 key Password123
 authentication-port 1812
 accounting-port 1813
username test password P4ttSyrm33SV8TYp encrypted privilege 15
username taco password uRvcAEun1FM9R47Y encrypted privilege 10
username kaka password fw428MbVAj6nPVH9 encrypted privilege 15
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
username maha password G16z5dkWxCgEUU0Y encrypted privilege 15
aaa authentication http console Tech_Radius LOCAL
aaa authentication enable console Tech_Radius
http server enable
http 192.168.10.0 255.255.255.0 Management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt prompt Authentication:
auth-prompt accept Authenticated
auth-prompt reject Rejected
telnet timeout 5
ssh timeout 5
console timeout 0
Cryptochecksum:78fa9996d9ea1a3ee67d0b93bf99b54d
: end

I shut down every secret possibility, common password etc. and nothing worked. All passwords and possible secrets are Password123.

"Request must contain message authenticator" is not marked and the password/secret fields are empty at the AAA server as well.

They aren't empty right now but I had tried it several times.

I want users on a Cisco firewall to authenticate against AD. IAS does get replies and messages about users, but that log doesn't say anything with much information.

Users get the chance to authenticate but just aren't accepted; I tried several accounts.

Does anyone know the reason for this?

And does anyone know if Cisco allows people to use their copyrighted router/switch pictures publicly somewhere, or do I have to mail them for it?

Doing a project and we would need to get a mail with rights for it. :P

I also removed the commands for MD5 and framed-id etc. in IAS.

I see as well that the ASA auto-encrypts passwords for users and thought it might have been that, but I have no clue how to shut it off. :/

I'm using the RADIUS Standard protocol as well.

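Added example, not part of the original post or of any Cisco or Microsoft code: this is the check a RADIUS client such as the ASA performs on every reply (the Response Authenticator of RFC 2865), which is what fails when message 109026 "Invalid reply digest received" is logged. All packet values are constructed; the second secret differs from the first only by a trailing space, to show how a visually identical key still breaks the digest.

```python
import hashlib
import hmac
import struct

# RFC 2865 section 3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)

def build_reply(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """Server side: build a RADIUS reply whose Response Authenticator is signed with `secret`."""
    length = 20 + len(attrs)                      # 20-byte header + attributes
    header = struct.pack("!BBH", code, ident, length)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def reply_digest_valid(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: recompute the digest with our own copy of the shared secret and compare."""
    if len(reply) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):                      # truncated or padded datagram
        return False
    attrs = reply[20:]
    expected = hashlib.md5(reply[:4] + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

ACCESS_ACCEPT = 2
# Constructed sample values: the Request Authenticator is normally 16 random bytes
# picked by the client for the Access-Request and echoed into the server's digest.
request_auth = bytes(range(16))
# Reply-Message attribute (type 18) carrying the text "Authenticated": Type, Length, Value
reply_message = bytes([18, 2 + len(b"Authenticated")]) + b"Authenticated"

server_secret = b"Password123"    # what the RADIUS server has configured for this client
client_secret = b"Password123 "   # trailing space: the "looks identical" mismatch

if __name__ == "__main__":
    reply = build_reply(ACCESS_ACCEPT, 7, reply_message, request_auth, server_secret)
    print("same secret     :", reply_digest_valid(reply, request_auth, server_secret))
    print("secret mismatch :", reply_digest_valid(reply, request_auth, client_secret))
```

A failed digest check means the client discards the reply and the user is treated as not authenticated, regardless of whether the server actually sent Access-Accept; the IAS "request must contain Message-Authenticator" option is a separate HMAC-MD5 attribute check and does not change this computation.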
taco-addict Sun, 05/17/2009 - 07:19

Win2k3 is being used as well.

Is there anyone with a similar problem, or someone who has a clue about what might be trying to use a key somewhere?
