Problem with AS5300 w/ACS v3.0 authenticating to an NT Domain

Mar 13th, 2002

I have an AS5300 set up with 2 PRIs.

I have created modem pools for each PRI and split the modems (48) evenly between them.

The 1st PRI is set up for a proprietary application using TCP_Clear and is authenticating against a Cisco Secure ACS v2.3 Unix server using RADIUS. This works fine.

The 2nd PRI is being set up for remote users to dial in and be authenticated against an RSA Secure ID server as well as be authenticated by our Windows NT 4.0 Domain. This is set up using an IP local pool on the AS5300.

I can get the ACS v3.0 server to authenticate users dialing in using the local Cisco Secure database.

I can also authenticate users against the RSA Secure ID server using the "Unknown User Policy" model.

We have 300+ remote users and would like to use the Unknown User Policy model to configure the ACS database by dynamically adding the users to the Default Group.


Here is a copy of my config on the AS5300:

Current configuration:
!
version 12.0
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service hide-telnet-addresses
!
hostname daphne
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login mrt group radius
aaa authentication ppp default group tacacs+
aaa authorization exec default group tacacs+ local
aaa authorization exec mrt group radius
aaa authorization network default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
enable secret 5 $1$LWM7$6J0/JW3ZLIEmIgqS8G9Us.
!
username cisco password 7 04735B2B2D13697D
spe 1/0 1/3
 firmware location system:/ucode/mica_port_firmware
!
!
resource-pool disable
!
modem-pool MRT
 pool-range 1-24
 called-number 5551111 max-conn 24
!
modem-pool REDA
 pool-range 25-48
 called-number 5552222 max-conn 24
!
!
!
!
!
modem startup-test
modem country mica usa
ip subnet-zero
ip domain-name alc.ca
ip name-server 10.#.#.#
!
no ip bootp server
async-bootp dns-server 10.#.#.#
isdn switch-type primary-dms100
isdn voice-call-failure 0
cns event-service server
!
!
controller T1 0
 framing esf
 clock source line primary
 linecode b8zs
 pri-group timeslots 1-24
!
controller T1 1
 framing esf
 clock source line secondary 1
 linecode b8zs
 pri-group timeslots 1-24
!
interface Loopback0
 no ip address
 no ip directed-broadcast
!
interface Ethernet0
 no ip address
 no ip directed-broadcast
 no ip mroute-cache
 shutdown
!
interface Serial0
 no ip address
 no ip directed-broadcast
 no ip mroute-cache
 shutdown
 no fair-queue
 clockrate 2015232
 no cdp enable
!
interface Serial1
 no ip address
 no ip directed-broadcast
 no ip mroute-cache
 shutdown
 no fair-queue
 clockrate 2015232
 no cdp enable
!
interface Serial2
 no ip address
 no ip directed-broadcast
 no ip mroute-cache
 shutdown
 no fair-queue
 clockrate 2015232
 no cdp enable
!
interface Serial3
 no ip address
 no ip directed-broadcast
 no ip mroute-cache
 shutdown
 no fair-queue
 clockrate 2015232
 no cdp enable
!
interface Serial0:23
 no ip address
 no ip directed-broadcast
 no ip route-cache
 isdn switch-type primary-dms100
 isdn incoming-voice modem
 no fair-queue
 no cdp enable
!
interface Serial1:23
 no ip address
 no ip directed-broadcast
 no ip route-cache
 isdn switch-type primary-dms100
 isdn incoming-voice modem
 no fair-queue
 no cdp enable
!
interface FastEthernet0
 ip address 10.#.#.# 255.255.0.0
 no ip directed-broadcast
 no ip mroute-cache
 duplex auto
 speed auto
 no mop enabled
!
interface Group-Async1
 no ip address
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 no peer default ip address
 group-range 1 24
!
interface Group-Async2
 ip unnumbered FastEthernet0
 no ip directed-broadcast
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 async mode interactive
 peer default ip address pool dialin_pool
 no cdp enable
 ppp authentication ms-chap chap pap
 group-range 25 48
!
ip local pool dialin_pool 10.#.#.# 10.#.#.#
ip classless
ip route 0.0.0.0 0.0.0.0 10.#.#.#
no ip http server
!
logging history notifications
logging 10.#.#.#
!
tacacs-server host 10.#.#.# single-connection
tacacs-server key ########
radius-server host 10.#.#.# auth-port 1645 acct-port 1646 non-standard
radius-server key ########
radius-server vsa send authentication
banner login ^CAuthorized Access only^C
banner slip-ppp ^Your Passcode has been Accepted
Please hit DONE or CONTINUE
^C
!
line con 0
 exec-timeout 0 0
 password 7 002C432B26692E35
 transport input none
line 1 24
 autoselect during-login
 authorization exec mrt
 login authentication mrt
 modem Dialin
 transport preferred none
 transport input all
 transport output telnet
line 25 48
 autoselect during-login
 autoselect ppp
 modem InOut
 autocommand ppp
 transport preferred none
 transport output none
line aux 0
line vty 0 4
 exec-timeout 0 0
 password 7 04735B2B2D13697D
!
end


When I try to log into the AS5300 using the dial-up clients, I am getting authentication failure in my PPP debug.

I have set up my ACS v3.0 server (Win2K Server) and configured the 2 External Databases (RSA Secure ID and WinNT). I have enabled the Unknown User Policy to check the RSA server 1st, then the Windows NT Domain. The Cisco Secure ACS server also has the RSA Secure ID server installed on it.

If I remove the "ppp authentication ms-chap chap pap" command from the Group-Async2 interface, I can log in. I go and check the ACS v3.0 User Group and see if I have been added dynamically and my

I am using WinNT Wks 4.0 to dial in using Username/password/Domain. I can dial, the modems pick up, and I am presented with a Terminal Window on my client. I provide my username and then the Passcode for my Secure ID token and get the PPP message, click on the DONE button, and it tries to verify my username and password and it fails - "Error 5 Access is denied".

Here is the output from my debug:

daphne#sh debug
PPP:
PPP authentication debugging is on
PPP protocol negotiation debugging is on
daphne#debug aaa authen
AAA Authentication debugging is on
daphne#debug aaa author
AAA Authorization debugging is on
daphne#term mon
daphne#
*Jan 2 06:56:10.712: AAA: parse name=tty40 idb type=10 tty=40
*Jan 2 06:56:10.712: AAA: name=tty40 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=40 channel=0
*Jan 2 06:56:10.712: AAA: parse name=Serial1:9 idb type=12 tty=-1
*Jan 2 06:56:10.712: AAA: name=Serial1:9 flags=0x51 type=1 shelf=0 slot=0 adapter=0 port=1 channel=9
*Jan 2 06:56:10.712: AAA/MEMORY: create_user (0x61A7721C) user='' ruser='' port='tty40' rem_addr='5065550000/5552222' authen_type=1
*Jan 2 06:56:10.712: AAA/AUTHEN/START (2236285450): port='tty40' list='' action=LOGIN service=LOGIN
*Jan 2 06:56:10.712: AAA/AUTHEN/START (2236285450): using "default" list
*Jan 2 06:56:10.712: AAA/AUTHEN/START (2236285450): Method=tacacs+ (tacacs+)
*Jan 2 06:56:10.712: TAC+: send AUTHEN/START packet ver=192 id=2236285450
*Jan 2 06:56:11.012: TAC+: ver=192 id=2236285450 received AUTHEN status = GETUSER
*Jan 2 06:56:11.012: AAA/AUTHEN (2236285450): status = GETUSER
*Jan 2 06:56:15.156: AAA/AUTHEN/CONT (2236285450): continue_login (user='(undef)')
*Jan 2 06:56:15.156: AAA/AUTHEN (2236285450): status = GETUSER
*Jan 2 06:56:15.156: AAA/AUTHEN (2236285450): Method=tacacs+ (tacacs+)
*Jan 2 06:56:15.156: TAC+: send AUTHEN/CONT packet id=2236285450
*Jan 2 06:56:15.356: TAC+: ver=192 id=2236285450 received AUTHEN status = GETPASS
*Jan 2 06:56:15.356: AAA/AUTHEN (2236285450): status = GETPASS
*Jan 2 06:56:27.804: AAA/AUTHEN/CONT (2236285450): continue_login (user='pete')
*Jan 2 06:56:27.804: AAA/AUTHEN (2236285450): status = GETPASS
*Jan 2 06:56:27.804: AAA/AUTHEN (2236285450): Method=tacacs+ (tacacs+)
*Jan 2 06:56:27.804: TAC+: send AUTHEN/CONT packet id=2236285450
*Jan 2 06:56:30.004: TAC+: ver=192 id=2236285450 received AUTHEN status = PASS
*Jan 2 06:56:30.004: AAA/AUTHEN (2236285450): status = PASS
*Jan 2 06:56:30.004: As40 AAA/AUTHOR/EXEC (2870071555): Port='tty40' list='' service=EXEC
*Jan 2 06:56:30.004: AAA/AUTHOR/EXEC: As40 (2870071555) user='pete'
*Jan 2 06:56:30.004: As40 AAA/AUTHOR/EXEC (2870071555): send AV service=shell
*Jan 2 06:56:30.004: As40 AAA/AUTHOR/EXEC (2870071555): send AV cmd*
*Jan 2 06:56:30.004: As40 AAA/AUTHOR/EXEC (2870071555): send AV autocmd*ppp
*Jan 2 06:56:30.004: As40 AAA/AUTHOR/EXEC (2870071555): found list "default"
*Jan 2 06:56:30.004: As40 AAA/AUTHOR/EXEC (2870071555): Method=tacacs+ (tacacs+)
*Jan 2 06:56:30.004: AAA/AUTHOR/TAC+: (2870071555): user=pete
*Jan 2 06:56:30.004: AAA/AUTHOR/TAC+: (2870071555): send AV service=shell
*Jan 2 06:56:30.004: AAA/AUTHOR/TAC+: (2870071555): send AV cmd*
*Jan 2 06:56:30.004: AAA/AUTHOR/TAC+: (2870071555): send AV autocmd*ppp
*Jan 2 06:56:30.204: TAC+: (2870071555): received author response status = PASS_REPL
*Jan 2 06:56:30.204: As40 AAA/AUTHOR (2870071555): Post authorization status = PASS_REPL
*Jan 2 06:56:30.204: AAA/AUTHOR/EXEC: Processing AV service=shell
*Jan 2 06:56:30.204: AAA/AUTHOR/EXEC: Processing AV cmd*
*Jan 2 06:56:30.204: AAA/AUTHOR/EXEC: Authorization successful
*Jan 2 06:56:30.208: As40 AAA/AUTHOR/PPP (1244408945): Port='tty40' list='' service=NET
*Jan 2 06:56:30.208: AAA/AUTHOR/PPP: As40 (1244408945) user='pete'
*Jan 2 06:56:30.208: As40 AAA/AUTHOR/PPP (1244408945): send AV service=ppp
*Jan 2 06:56:30.208: As40 AAA/AUTHOR/PPP (1244408945): send AV protocol=ip
*Jan 2 06:56:30.208: As40 AAA/AUTHOR/PPP (1244408945): send AV addr-pool*default
*Jan 2 06:56:30.208: As40 AAA/AUTHOR/PPP (1244408945): found list "default"
*Jan 2 06:56:30.208: As40 AAA/AUTHOR/PPP (1244408945): Method=tacacs+ (tacacs+)
*Jan 2 06:56:30.208: AAA/AUTHOR/TAC+: (1244408945): user=pete
*Jan 2 06:56:30.208: AAA/AUTHOR/TAC+: (1244408945): send AV service=ppp
*Jan 2 06:56:30.208: AAA/AUTHOR/TAC+: (1244408945): send AV protocol=ip
*Jan 2 06:56:30.208: AAA/AUTHOR/TAC+: (1244408945): send AV addr-pool*default
*Jan 2 06:56:30.408: TAC+: (1244408945): received author response status = PASS_REPL
*Jan 2 06:56:30.408: As40 AAA/AUTHOR (1244408945): Post authorization status = PASS_REPL
*Jan 2 06:56:30.408: AAA/AUTHOR/Async40: PPP: Processing AV service=ppp
*Jan 2 06:56:30.408: AAA/AUTHOR/Async40: PPP: Processing AV protocol=ip
*Jan 2 06:56:30.408: AAA/AUTHOR/Async40: PPP: Processing AV addr-pool=dialin_pool
*Jan 2 06:56:30.408: AAA/AUTHOR/SLIP: Async40: succeeded
*Jan 2 06:56:32.536: %LINK-3-UPDOWN: Interface Async40, changed state to up
*Jan 2 06:56:32.536: As40 PPP: Treating connection as a dedicated line
*Jan 2 06:56:32.536: As40 PPP: Phase is ESTABLISHING, Active Open
*Jan 2 06:56:32.536: As40 AAA/AUTHOR/FSM: (0): LCP succeeds trivially
*Jan 2 06:56:32.536: As40 LCP: O CONFREQ [Closed] id 1 len 25
*Jan 2 06:56:32.536: As40 LCP: ACCM 0x000A0000 (0x0206000A0000)
*Jan 2 06:56:32.536: As40 LCP: AuthProto MS-CHAP (0x0305C22380)
*Jan 2 06:56:32.536: As40 LCP: MagicNumber 0x09A12CDF (0x050609A12CDF)
*Jan 2 06:56:32.536: As40 LCP: PFC (0x0702)
*Jan 2 06:56:32.536: As40 LCP: ACFC (0x0802)
*Jan 2 06:56:34.016: As40 LCP: I CONFREQ [REQsent] id 0 len 23
*Jan 2 06:56:34.016: As40 LCP: ACCM 0x00000000 (0x020600000000)
*Jan 2 06:56:34.016: As40 LCP: MagicNumber 0x00007DA1 (0x050600007DA1)
*Jan 2 06:56:34.016: As40 LCP: PFC (0x0702)
*Jan 2 06:56:34.016: As40 LCP: ACFC (0x0802)
*Jan 2 06:56:34.016: As40 LCP: Callback 6 (0x0D0306)
*Jan 2 06:56:34.016: As40 LCP: O CONFREJ [REQsent] id 0 len 7
*Jan 2 06:56:34.016: As40 LCP: Callback 6 (0x0D0306)
*Jan 2 06:56:34.160: As40 LCP: I CONFREQ [REQsent] id 1 len 20
*Jan 2 06:56:34.160: As40 LCP: ACCM 0x00000000 (0x020600000000)
*Jan 2 06:56:34.160: As40 LCP: MagicNumber 0x00007DA1 (0x050600007DA1)
*Jan 2 06:56:34.160: As40 LCP: PFC (0x0702)
*Jan 2 06:56:34.160: As40 LCP: ACFC (0x0802)
*Jan 2 06:56:34.160: As40 LCP: O CONFACK [REQsent] id 1 len 20
*Jan 2 06:56:34.160: As40 LCP: ACCM 0x00000000 (0x020600000000)
*Jan 2 06:56:34.160: As40 LCP: MagicNumber 0x00007DA1 (0x050600007DA1)
*Jan 2 06:56:34.164: As40 LCP: PFC (0x0702)
*Jan 2 06:56:34.164: As40 LCP: ACFC (0x0802)
*Jan 2 06:56:34.536: As40 LCP: TIMEout: State ACKsent
*Jan 2 06:56:34.536: As40 LCP: O CONFREQ [ACKsent] id 2 len 25
*Jan 2 06:56:34.536: As40 LCP: ACCM 0x000A0000 (0x0206000A0000)
*Jan 2 06:56:34.536: As40 LCP: AuthProto MS-CHAP (0x0305C22380)
*Jan 2 06:56:34.536: As40 LCP: MagicNumber 0x09A12CDF (0x050609A12CDF)
*Jan 2 06:56:34.536: As40 LCP: PFC (0x0702)
*Jan 2 06:56:34.536: As40 LCP: ACFC (0x0802)
*Jan 2 06:56:34.672: As40 LCP: I CONFACK [ACKsent] id 2 len 25
*Jan 2 06:56:34.672: As40 LCP: ACCM 0x000A0000 (0x0206000A0000)
*Jan 2 06:56:34.672: As40 LCP: AuthProto MS-CHAP (0x0305C22380)
*Jan 2 06:56:34.672: As40 LCP: MagicNumber 0x09A12CDF (0x050609A12CDF)
*Jan 2 06:56:34.672: As40 LCP: PFC (0x0702)
*Jan 2 06:56:34.672: As40 LCP: ACFC (0x0802)
*Jan 2 06:56:34.672: As40 LCP: State is Open
*Jan 2 06:56:34.676: As40 PPP: Phase is AUTHENTICATING, by this end
*Jan 2 06:56:34.676: As40 MS-CHAP: O CHALLENGE id 1 len 21 from "daphne "
*Jan 2 06:56:34.688: As40 LCP: I IDENTIFY [Open] id 2 len 18 magic 0x00007DA1 MSRASV4.00
*Jan 2 06:56:34.704: As40 LCP: I IDENTIFY [Open] id 3 len 24 magic 0x00007DA1 MSRAS-1-TELECOM1
*Jan 2 06:56:34.816: As40 MS-CHAP: I RESPONSE id 1 len 62 from "DOMAIN\pete"
*Jan 2 06:56:34.816: AAA: parse name=Async40 idb type=10 tty=40
*Jan 2 06:56:34.816: AAA: name=Async40 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=40 channel=0
*Jan 2 06:56:34.820: AAA: parse name=Serial1:9 idb type=12 tty=-1
*Jan 2 06:56:34.820: AAA: name=Serial1:9 flags=0x51 type=1 shelf=0 slot=0 adapter=0 port=1 channel=9
*Jan 2 06:56:34.820: AAA/MEMORY: create_user (0x61AC3D68) user='DOMAIN\pete' ruser='' port='Async40' rem_addr='5068675800/8676149' au1
*Jan 2 06:56:34.820: AAA/AUTHEN/START (1391837548): port='Async40' list='' action=LOGIN service=PPP
*Jan 2 06:56:34.820: AAA/AUTHEN/START (1391837548): using "default" list
*Jan 2 06:56:34.820: AAA/AUTHEN/START (1391837548): Method=tacacs+ (tacacs+)
*Jan 2 06:56:34.820: TAC+: send AUTHEN/START packet ver=193 id=1391837548
*Jan 2 06:56:35.020: TAC+: ver=193 id=1391837548 received AUTHEN status = FAIL
*Jan 2 06:56:35.020: AAA/AUTHEN (1391837548): status = FAIL
*Jan 2 06:56:35.020: As40 CHAP: Unable to validate Response. Username DOMAIN\pete: Authentication failure
*Jan 2 06:56:35.020: As40 MS-CHAP: O FAILURE id 1 len 26 msg is "Authentication failure"
*Jan 2 06:56:35.020: As40 PPP: Phase is TERMINATING
*Jan 2 06:56:35.020: As40 LCP: O TERMREQ [Open] id 3 len 4
*Jan 2 06:56:35.020: AAA/MEMORY: free_user (0x61AC3D68) user='DOMAIN\pete' ruser='' port='Async40' rem_addr='5068675800/8676149' auth1
*Jan 2 06:56:35.152: As40 LCP: I TERMREQ [TERMsent] id 4 len 8 (0x00000005)
*Jan 2 06:56:35.152: As40 AAA/AUTHOR/FSM: (0): LCP succeeds trivially
*Jan 2 06:56:35.152: As40 LCP: O TERMACK [TERMsent] id 4 len 4
*Jan 2 06:56:35.168: As40 LCP: I TERMACK [TERMsent] id 3 len 4
*Jan 2 06:56:35.168: As40 LCP: State is Closed
*Jan 2 06:56:35.168: As40 PPP: Phase is DOWN
*Jan 2 06:56:35.168: As40 PPP: Phase is ESTABLISHING, Passive Open
*Jan 2 06:56:35.172: As40 LCP: State is Listen
*Jan 2 06:56:35.284: %ISDN-6-DISCONNECT: Interface Serial1:9 disconnected from unknown , call lasted 47 seconds
*Jan 2 06:56:36.612: %LINK-3-UPDOWN: Interface Serial1:9, changed state to down
*Jan 2 06:56:37.168: %LINK-5-CHANGED: Interface Async40, changed state to reset
*Jan 2 06:56:37.168: As40 LCP: State is Closed
*Jan 2 06:56:37.168: As40 PPP: Phase is DOWN
*Jan 2 06:56:40.168: As40 IPCP: Remove route to 10.251.8.13
*Jan 2 06:56:40.368: AAA/MEMORY: free_user (0x61A7721C) user='pete' ruser='' port='tty40' rem_addr='5065550000/5552222' authen_typ1
*Jan 2 06:56:42.168: %LINK-3-UPDOWN: Interface Async40, changed state to down
*Jan 2 06:56:42.168: As40 LCP: State is Closed


If I check the ACSv3.0 server, my user pete has been added dynamically to the default group. And if I check my user pete,


it shows that he was authenticated by RSA Secure ID.

If I check the Failed Attempts report, I see an entry with an "Unknown" Auth Failure Code.

I have setup the 7 services on the ACS v3.0 Server to use an account with Domain Admin privledges.


Any help would be appreciated

Thanks
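As an added example (not part of the original post), a small Python parser for `debug aaa authentication` output of the kind quoted above: it correlates each AAA session id with its port, service, the method list that was actually selected, the method, the username and the final status, so the two attempts in the post (the terminal login on tty40 and the PPP MS-CHAP attempt on Async40, both sent to the "default" tacacs+ list, with only the PPP one returning FAIL) can be read off side by side. The sample lines are constructed from the post's output rather than copied verbatim.

```python
import re

# Constructed sample modelled on the post's debug output (not its lines verbatim);
# the raw string keeps the backslash in DOMAIN\pete.
SAMPLE_DEBUG = r"""
*Jan 2 06:56:10.712: AAA/MEMORY: create_user (0x61A7721C) user='' ruser='' port='tty40' rem_addr='5065550000/5552222'
*Jan 2 06:56:10.712: AAA/AUTHEN/START (2236285450): port='tty40' list='' action=LOGIN service=LOGIN
*Jan 2 06:56:10.712: AAA/AUTHEN/START (2236285450): using "default" list
*Jan 2 06:56:10.712: AAA/AUTHEN/START (2236285450): Method=tacacs+ (tacacs+)
*Jan 2 06:56:27.804: AAA/AUTHEN/CONT (2236285450): continue_login (user='pete')
*Jan 2 06:56:30.004: AAA/AUTHEN (2236285450): status = PASS
*Jan 2 06:56:34.820: AAA/MEMORY: create_user (0x61AC3D68) user='DOMAIN\pete' ruser='' port='Async40'
*Jan 2 06:56:34.820: AAA/AUTHEN/START (1391837548): port='Async40' list='' action=LOGIN service=PPP
*Jan 2 06:56:34.820: AAA/AUTHEN/START (1391837548): using "default" list
*Jan 2 06:56:34.820: AAA/AUTHEN/START (1391837548): Method=tacacs+ (tacacs+)
*Jan 2 06:56:35.020: AAA/AUTHEN (1391837548): status = FAIL
"""

RE_CREATE = re.compile(r"create_user \(0x[0-9A-Fa-f]+\) user='([^']*)' ruser='[^']*' port='([^']*)'")
RE_START = re.compile(r"AAA/AUTHEN/START \((\d+)\): port='([^']*)' list='([^']*)' action=(\S+) service=(\S+)")
RE_LIST = re.compile(r"AAA/AUTHEN/START \((\d+)\): using \"([^\"]+)\" list")
RE_METHOD = re.compile(r"AAA/AUTHEN(?:/START)? \((\d+)\): Method=(\S+)")
RE_CONT = re.compile(r"AAA/AUTHEN/CONT \((\d+)\): continue_login \(user='([^']*)'\)")
RE_STATUS = re.compile(r"AAA/AUTHEN \((\d+)\): status = (\S+)")

def parse_aaa_debug(text):
    """Map each AAA session id to port, service, method list, method, user and last status."""
    sessions, pending_user = {}, {}  # pending_user: port -> name from create_user
    for line in text.splitlines():
        if m := RE_CREATE.search(line):
            pending_user[m.group(2)] = m.group(1)        # user='' for a terminal login
        elif m := RE_START.search(line):
            sid, port, lst, action, service = m.groups()
            sessions[sid] = {"port": port, "service": service, "action": action,
                             "list": lst or None, "method": None,
                             "user": pending_user.get(port) or None, "status": None}
        elif (m := RE_LIST.search(line)) and m.group(1) in sessions:
            sessions[m.group(1)]["list"] = m.group(2)    # list actually selected
        elif (m := RE_METHOD.search(line)) and m.group(1) in sessions:
            sessions[m.group(1)]["method"] = m.group(2)
        elif (m := RE_CONT.search(line)) and m.group(1) in sessions:
            if m.group(2) != "(undef)":
                sessions[m.group(1)]["user"] = m.group(2)  # name typed at the prompt
        elif (m := RE_STATUS.search(line)) and m.group(1) in sessions:
            sessions[m.group(1)]["status"] = m.group(2)  # GETUSER/GETPASS/PASS/FAIL
    return sessions

def failed_sessions(sessions):
    """Sessions whose last AAA status was FAIL, keyed by session id."""
    return {sid: s for sid, s in sessions.items() if s["status"] == "FAIL"}

if __name__ == "__main__":
    for sid, s in parse_aaa_debug(SAMPLE_DEBUG).items():
        print(sid, s)
```

Run it over a saved `term mon` capture to see, per session, which list and server type the router consulted and for which username (here the PPP attempt carries the `DOMAIN\pete` form while the terminal login carried `pete`).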





ciscomoderator Tue, 03/19/2002 - 11:59

Often times complex troubleshooting issues are best addressed in an interactive session with one of our trained technical assistance engineers. While other forum users may be able to help, it’s often difficult to do so for this type of issue.


To utilize the resources at our Technical Assistance Center, please visit http://www.cisco.com/tac and to open a case with one of our TAC engineers, visit http://www.cisco.com/tac/caseopen


If anyone else in the forum has some advice, please reply to this thread.

Thank you for posting.

