ACS 3.0 strange failed attempts

Unanswered Question
Nov 10th, 2005

I am currently using Cisco ACS 3.0 and have noticed very strange logs under Reports, Failed Attempts.


It is showing numerous failed attempts from username: azbycx to our 4 core 6500 CatOS switches.


The caller-id field does not display a source IP address and these hits are happening every minute.

I have noticed that any passed or failed attempts to any CatOS switches do not provide a caller-id IP address in the report. Any IOS attempts log the IP address fine.


Any help would be appreciated, even a way to log on the CatOS switch to determine what is attempting to log into these 6500 switches.


Thanks SG

darpotter Fri, 11/11/2005 - 07:54

Is your concern that


a) the switch is the problem, or

b) that ACS isn't logging correctly


You can easily check what ACS is receiving


Run CSradius -z -p or CSTacacs -z -e at the command line to see a packet-by-packet debug.

simon-galloway Sun, 11/13/2005 - 18:24

Hi,


I ran the csradius -z -p and got the following debug results on unknown username "azbycx"


I'm not sure if this debug is telling me anything I don't already know!


Also, caller-id from the failed attempts report is not showing a source IP address from the switches in question, which are running CatOS.







Request from host 172.16.2.6:1645 code=1, id=69, length=65 on port 1024


[001] User-Name value: azbycx


[004] NAS-IP-Address value: 172.16.2.6


[079] EAP-Message value: .E...azbycx


[080] Message-Authenticator value: F2 F3 E3 1C 56 E9 73 10 14 DE C6 F7 24 31 5F 29


ExtensionPoint: Initiating scan of configured extension points...


ExtensionPoint: Calling [AuthenticationExtension] for Supplier [Cisco Generic EAP]


ExtensionPoint: [Generic EAP] ASAuthenticateUser failed [-1092]


ExtensionPoint: [GenericEAP.dll->AuthenticationExtension] returned [3 - reject]


ExtensionPoint: Start of Attribute Set


ExtensionPoint: End of Attribute Set


User:azbycx - Authentication type not supported by external database


Sending response code 3, id 69 to 172.16.2.6 on port 1024


Request from host 172.16.2.8:1645 code=1, id=164, length=65 on port 1024


[001] User-Name value: azbycx


[004] NAS-IP-Address value: 172.16.2.8


[079] EAP-Message value: .¤...azbycx


[080] Message-Authenticator value: FD B9 66 FE A4 50 57 FE 68 1F B3 2A CE 57 2C 63


ExtensionPoint: Initiating scan of configured extension points...


ExtensionPoint: Calling [AuthenticationExtension] for Supplier [Cisco Generic EAP]


ExtensionPoint: [Generic EAP] ASAuthenticateUser failed [-1092]


ExtensionPoint: [GenericEAP.dll->AuthenticationExtension] returned [3 - reject]


ExtensionPoint: Start of Attribute Set


ExtensionPoint: End of Attribute Set


User:azbycx - Authentication type not supported by external database



Thanks for your assistance



darpotter Mon, 11/14/2005 - 00:39

Hmm, your switch is trying to perform an EAP authentication - albeit not very well, since there are no calling/called station id attrs, which are normal with .1x


I suspect the CatOS debug logs may give you more of an idea, because this doesn't look like an ACS issue.


Sorry I can't help more

simon-galloway Mon, 11/14/2005 - 15:16

Thanks for the reply.


Do you know exactly what debug logs I need to activate on the 6500 CatOS to determine where these source authentications are coming from?


E.g. RADIUS logging

I was testing 802.1x authentication and ran into this issue. Here's the TAC response I received and this fixed the problem:


Just for future reference, we were getting this issue because the keep-alive packets are sometimes misinterpreted by the ACS server, so by adding "Set dot1x radius-keepalive disable" the command stops those keep-alive packets.
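
A triage example for the pattern discussed in the replies above (added here; it is not part of the original thread and not Cisco tooling): it parses text in the `CSradius -z -p` debug format quoted earlier and counts, per NAS and username, Access-Requests that carry an EAP-Message but no calling/called station id. The sample log and the user `jsmith` are constructed; attribute numbers 30 and 31 are the standard RADIUS Called-Station-Id and Calling-Station-Id.

```python
import re
from collections import Counter

# Constructed sample in the CSradius debug format quoted in the thread
# (the third request is a hypothetical 802.1X supplicant, not from the page).
SAMPLE = """\
Request from host 172.16.2.6:1645 code=1, id=69, length=65 on port 1024
[001] User-Name value: azbycx
[004] NAS-IP-Address value: 172.16.2.6
[079] EAP-Message value: .E...azbycx
Sending response code 3, id 69 to 172.16.2.6 on port 1024
Request from host 172.16.2.8:1645 code=1, id=164, length=65 on port 1024
[001] User-Name value: azbycx
[004] NAS-IP-Address value: 172.16.2.8
[079] EAP-Message value: .....azbycx
Request from host 172.16.2.6:1645 code=1, id=70, length=120 on port 1024
[001] User-Name value: jsmith
[004] NAS-IP-Address value: 172.16.2.6
[031] Calling-Station-Id value: 00-11-22-33-44-55
[079] EAP-Message value: .....jsmith
"""

REQ = re.compile(r"^Request from host (\S+?):(\d+) code=(\d+), id=(\d+)")
ATTR = re.compile(r"^\[(\d{3})\] (\S+) value: (.*)$")

def parse_requests(text):
    """Split the debug text into one dict per RADIUS request."""
    requests = []
    for line in map(str.strip, text.splitlines()):
        m = REQ.match(line)
        if m:
            requests.append({"host": m.group(1), "code": int(m.group(3)), "attrs": {}})
        elif requests and (a := ATTR.match(line)):
            # Attribute lines belong to the most recent "Request from host" line.
            requests[-1]["attrs"][int(a.group(1))] = a.group(3)
    return requests

def keepalive_candidates(requests):
    """Count Access-Requests (code 1) with EAP-Message (79) but no
    Called-Station-Id (30) or Calling-Station-Id (31), per (NAS, user)."""
    hits = Counter()
    for r in requests:
        a = r["attrs"]
        if r["code"] == 1 and 79 in a and 30 not in a and 31 not in a:
            hits[(a.get(4, r["host"]), a.get(1, "?"))] += 1
    return hits

if __name__ == "__main__":
    for (nas, user), n in keepalive_candidates(parse_requests(SAMPLE)).items():
        print(f"{nas} user={user} EAP requests without station ids: {n}")
```

A steady per-minute count for one username from each switch's own NAS-IP-Address, with no station ids, matches the keep-alive behaviour described in the TAC response rather than a client logging in.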

