ACS 5.0 and remote access VPN

Jatin Katyal Thu, 09/24/2009 - 06:45

Hi,

Are we getting any hits on the ACS 5.0? If yes, please let me know.

HTH

Regards,

JK

Eric Hansen Fri, 09/25/2009 - 06:08

I've got an ACS v5.0.0.8 authing with an ASA 5550 and a VPN3060, both to LDAP Active Directory v2k3. What VPN are you using? Are you looking to auth to an internal user or something external (LDAP)?

v5 has good monitoring; are you showing any fails?

Hello,

I have got ACS V5.0.21 and ASA 5510 with IOS version 8.2.1.

The VPN is IPSec and I try to authenticate with an internal user in ACS.

The trouble I saw: the ASA sends the authentication information to ACS, but ACS does not respond and does not show any hit in the monitoring.

The ACS is in the inside network and the firewall has connectivity with ACS by ping.

Regards.

Eric Hansen Fri, 09/25/2009 - 07:22

So I would review your setup:

Are you on the latest code, 5.0.0.21.8? We found a bug in 5.0.0.21.0, 5.0.0.21.6, and 5.0.0.21.7 that affected our install.

Is your device set up under “Network Devices and AAA Clients”? Do the shared secrets match? I can't count how many times I have screwed up a shared secret; re-enter it to be safe.

Are there users in your internal identity store? Is the user enabled?

Do you have an access policy for the user? Are there conditions? I would suggest setting all your conditions to “any” for testing to make sure one of your conditions isn't causing the problem. Is the result set to “permit access” or some other policy element? What's the hit count?

I strongly suggest stripping out anything extra like passing attributes or complex conditions (user is in group X from location Y and coming from device Z) for testing. Make sure it's working first, then turn up the complexity.

On the ASA under device management, users/aaa, aaa server groups, you should have a RADIUS entry in the “AAA Server Groups”. I set the defaults with protocol set to radius. Then below, in your “Servers in the Selected Group”, you should have the IP addresses of your ACS with interface “inside”. The shared secret is here; re-enter it.

You could go one step further and download a RADIUS testing client; I've used Radlogin, it's OK.

e-

I see the trouble is probably the code, because I only use ACS V 5.0.21, and I tested with Radlogin and it works fine.

But when I use the VPN it does not work, and the firewall log tells me AAA Server not found, as if ACS were disconnected.

The internal user is enabled, the access policy is basic (only any), with no special condition settings.

The ASA configuration is OK, because I used ACS 4.2 for Windows and the authentication works fine.

I tried the update to V5.0.21.8 with the patch 5-0-0-21-8.tar.gpg, but the process ended with error (1). Is it possible to download the complete image for version 5.0.21.8?

Best Regards.

Eric Hansen Fri, 09/25/2009 - 08:12

Not sure on that one; when we DL'd the patch we didn't have any problems. If you FTP the file over to ACS, the ACS server is going to want "write" permissions on your FTP server to send the backup over.

chris.hailes Wed, 10/21/2009 - 17:20

Just an update for anyone else reading this thread: you must transfer the file with FTP, as for some reason TFTP doesn't transfer the file correctly and you'll get a chmod error.

This is just my experiences.

Hope that helps any people wanting to do this update in future.

ivanbarkic Sat, 09/04/2010 - 06:14

I have the same problem. I'm using ASA v8.21 and ACS v5.0.0.21, which I'm using as TACACS and RADIUS server. I have no problem accessing devices via TACACS (except that changing the password at first login doesn't work). The problem is with VPN authentication. I tested RADIUS with Radlogin and PAP is working fine; CHAP goes into timeout, but as far as I know ACS 5.0 doesn't support CHAP.

Here are some logs from ASA:

the end of debug crypto isakmp:

Sep 04 15:01:35 [IKEv1]: Group = radiusACS, Username = user1, IP = X.X.X.X, Error: Unable to remove PeerTblEntry
Sep 04 15:01:35 [IKEv1 DEBUG]: Deleting active auth handle during SA deletion: handle = 1844

debug radius:

Sep 04 2010 15:08:53: %ASA-7-713906: IP = X.X.X.X, Connection landed on tunnel_group radiusACS
...
Sep 04 2010 15:08:53: %ASA-6-713172: Group = radiusACS, IP = X.X.X.X, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device
Sep 04 2010 15:08:53: %ASA-7-715046: Group = radiusACS, IP = X.X.X.X, constructing blank hash payload
Sep 04 2010 15:08:53: %ASA-7-715046: Group = radiusACS, IP = X.X.X.X, constructing qm hash payload
Sep 04 2010 15:08:53: %ASA-7-713236: IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=f9163eb8) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72
Sep 04 2010 15:08:53: %ASA-7-713236: IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=f9163eb8) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 86
Sep 04 2010 15:08:53: %ASA-7-715001: Group = radiusACS, IP = X.X.X.X, process_attr(): Enter!
Sep 04 2010 15:08:53: %ASA-7-715001: Group = radiusACS, IP = X.X.X.X, Processing MODE_CFG Reply attributes.
Sep 04 2010 15:08:53: %ASA-7-713906: Group = radiusACS, Username = user1, IP = X.X.X.X, Authentication Failure: Unsupported server type!
Sep 04 2010 15:08:53: %ASA-7-715065: Group = radiusACS, Username = user1, IP = X.X.X.X, IKE TM V6 FSM error history (struct &0xa7b636a8)  , :  TM_DONE, EV_ERROR-->TM_AUTH, EV_DO_AUTH-->TM_WAIT_REPLY, EV_CHK_MSCHAPV2-->TM_WAIT_REPLY, EV_PROC_MSG-->TM_WAIT_REPLY, EV_HASH_OK-->TM_WAIT_REPLY, NullEvent-->TM_WAIT_REPLY, EV_COMP_HASH-->TM_WAIT_REPLY, EV_VALIDATE_MSG
Sep 04 2010 15:08:53: %ASA-7-715065: Group = radiusACS, Username = user1, IP = X.X.X.X, IKE AM Responder FSM error history (struct &0xac417310)  , :  AM_DONE, EV_ERROR-->AM_TM_INIT_XAUTH_V6H, EV_TM_FAIL-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_START_TM-->AM_TM_INIT_XAUTH, EV_START_TM-->AM_PROC_MSG3, EV_TEST_TM_H6
Sep 04 2010 15:08:53: %ASA-7-713906: Group = radiusACS, Username = user1, IP = X.X.X.X, IKE SA AM:f7beee8e terminating:  flags 0x0105c001, refcnt 0, tuncnt 0
Sep 04 2010 15:08:53: %ASA-7-713906: Group = radiusACS, Username = user1, IP = X.X.X.X, sending delete/delete with reason message
Sep 04 2010 15:08:53: %ASA-7-715046: Group = radiusACS, Username = user1, IP = X.X.X.X, constructing blank hash payload
Sep 04 2010 15:08:53: %ASA-7-715046: Group = radiusACS, Username = user1, IP = X.X.X.X, constructing IKE delete payload
Sep 04 2010 15:08:53: %ASA-7-715046: Group = radiusACS, Username = user1, IP = X.X.X.X, constructing qm hash payload
Sep 04 2010 15:08:53: %ASA-7-713236: IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=e0cd7809) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Sep 04 2010 15:08:53: %ASA-3-713902: Group = radiusACS, Username = user1, IP = X.X.X.X, Removing peer from peer table failed, no match!
Sep 04 2010 15:08:53: %ASA-4-713903: Group = radiusACS, Username = user1, IP = X.X.X.X, Error: Unable to remove PeerTblEntry
Sep 04 2010 15:08:53: %ASA-7-715040: Deleting active auth handle during SA deletion: handle = 1861
Sep 04 2010 15:08:53: %ASA-4-113019: Group = , Username = , IP = 0.0.0.0, Session disconnected. Session Type: , Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown

Regards
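A closer look at what a RADIUS test client such as Radlogin (suggested earlier in the thread) sends when PAP is used, the method ivanbarkic reports as working: an RFC 2865 Access-Request with the PAP password obfuscation, plus the Response Authenticator check that exposes a mismatched shared secret on the client side. This is an added example, not Radlogin's, Cisco's or any poster's code; it does no network I/O, and the secret, user name, password and NAS address are constructed values.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4  # RFC 2865 attribute types

def pap_encode_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to a 16-byte multiple; XOR block i with MD5(secret + block i-1),
    block 0 keyed by the Request Authenticator. Obfuscation only, not strong encryption."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def pap_decode_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse; with a mismatched shared secret this yields garbage, which is
    the only place in a plain PAP exchange where a wrong secret becomes visible."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")

def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value  # Type, Length, Value

def build_access_request(ident, secret, username, password, nas_ip, authenticator=None):
    """Access-Request: Code(1) Identifier(1) Length(2) Request Authenticator(16) Attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, pap_encode_password(password.encode(), secret, authenticator))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Server reply shape: Response Authenticator = MD5(header + ReqAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def check_response(response, request_authenticator, secret):
    """Return (code, authentic). authentic is False when our secret differs from the server's,
    so a reply failing this check points at the shared secret, not at the user's credentials."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:length] + secret).digest()
    return code, expected == response[4:20]
```

A silent server (no reply, no hit in monitoring) cannot be diagnosed from the client alone; this code only tells a wrong secret apart from a credential rejection once a reply arrives.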
