Access Point to ACS authentication

dopenfield
Level 1

Attempting to set up wireless users to authenticate through a new ACS 3.1 server. With our test user we are getting an error message in the 'Failed Attempts Log' that we can't find an explanation for.

In the Authentication Failure code field...

Radius Extension DLL rejected user

Any pointer towards an explanation for this message would be appreciated!

We do see the MAC of the 350 card in the Username and Caller-ID fields.


sghosh
Level 1

This is a very generic message for wireless authentication failure. I would suggest you collect some more detailed debug output and open a case with TAC to troubleshoot further.

When the user is defined to authenticate to the ACS 3.0 locally it works fine, Aironet Radius and 1200 AP. When trying to hand off to NT Domain or SecurID this error occurs.

I did a Radius trace on ACS3.0 and got the following error messages, of which I find no trace on CCO. Any links or information is very welcome.

Trace output:

ExtensionPoint: Initiating scan of configured extension points...

ExtensionPoint: Calling [AuthenticationExtension] for Supplier [Cisco Aironet]

ExtensionPoint: [AironetEAP.DLL] Calling station attribute=000b46563aad

ExtensionPoint: [AironetEAP.DLL] NAS port attribute=37

ExtensionPoint: [AironetEAP.DLL] EAP attribute type=0 size=39

ExtensionPoint: [AironetEAP.DLL] EAP Attribute=02 D6 00 27 11 01 00 18 D4 DE C5 D3 75 36 7

C7 4B 84 20 01 E1 BE BC BE 03 90 12 1E 9F CB 73 89 61 6C 65 6E 6E 6F 78

ExtensionPoint: [AironetEAP.DLL] Find existing client rc=01843860

ExtensionPoint: [AironetEAP.DLL] Peer response: D4 DE C5 D3 75 36 71 C7 4B 84 20 01 E1 BE

C BE 03 90 12 1E 9F CB 73 89

ExtensionPoint: [AironetEAP.DLL] Recorded peer challenge: 97 EA 8C FB 94 82 D1 1F

ExtensionPoint: [AironetEAP.DLL] Client alennox failed authentication error code = -1065

ExtensionPoint: [AironetEAP.DLL] Fail attribute: 04 D6 00 04

ExtensionPoint: [AironetEAP.dll->AuthenticationExtension] returned [3 - reject]

ExtensionPoint: Start of Attribute Set

[079] EAP-Message value: .¨W..

ExtensionPoint: End of Attribute Set

User:alennox - Radius authentication dll rejected user

Sending response code 3, id 41 to 20.50.18.253 on port 1065
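An added example, not part of the original thread: a small decoder for the EAP bytes that the RADIUS trace above prints as "EAP Attribute" and "Fail attribute". The response sample is constructed (placeholder response bytes and the hypothetical user name "testuser") but uses the same header layout as the trace: code, identifier, 2-byte length, type 0x11 (LEAP), then version, an unused byte, a count, the value and the user name.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_LEAP = 17  # 0x11, the type byte seen in the trace


def parse_eap(data: bytes) -> dict:
    """Decode an EAP packet; for LEAP also split out the value and user name."""
    if len(data) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 4 or length > len(data):
        raise ValueError(f"EAP length {length} does not fit {len(data)} bytes")
    pkt = {"code": EAP_CODES.get(code, f"unknown({code})"),
           "id": ident, "length": length}
    if code in (3, 4) or length == 4:
        return pkt  # Success/Failure carry no type or data
    pkt["type"] = data[4]
    body = data[5:length]
    if pkt["type"] == EAP_TYPE_LEAP:
        if len(body) < 3:
            raise ValueError("truncated LEAP header")
        version, _unused, count = body[:3]
        if 3 + count > len(body):
            raise ValueError("LEAP count exceeds packet body")
        pkt["version"] = version
        pkt["value"] = body[3:3 + count]  # 8-byte challenge or 24-byte response
        pkt["user"] = body[3 + count:].decode("ascii", "replace")
    return pkt


# Constructed sample: 8 header bytes + 24 placeholder response bytes + user name.
SAMPLE_RESPONSE = (bytes.fromhex("02 d6 00 28 11 01 00 18")
                   + bytes(range(24)) + b"testuser")
# The four-byte failure packet, as shown in the trace's "Fail attribute" line.
SAMPLE_FAILURE = bytes.fromhex("04 d6 00 04")

if __name__ == "__main__":
    print(parse_eap(SAMPLE_RESPONSE))
    print(parse_eap(SAMPLE_FAILURE))
```

Decoding the packet this way confirms that the client sent a well-formed 24-byte LEAP response and that the reject came from the server side of the exchange.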

Can you go to System Config - Service Control and enable full logging on ACS. Then try an authentication, then look in the auth.log file and send us the messages that appear for that failed authentication attempt. It should have a bit more detail about what's going on.

Thanks.

I had logging enabled. Here are the msgs. I restarted all services and then had another attempt. Point to consider is that the userid (using SecurID) is authenticating correctly, via TACACS+, from routers etc. and that the AP is defined to "authenticate using Aironet Radius" in the Network Device Group.

Trace:

AUTH 15/04/2003 10:53:22 I 5081 1724 Start RQ1012, client 27 (127.0.0.1)

AUTH 15/04/2003 10:53:22 I 5081 1724 Done RQ1012, client 27, status 0

AUTH 15/04/2003 10:53:22 I 5094 1724 Worker 3 processing message 20.

AUTH 15/04/2003 10:53:22 I 5081 1724 Start RQ1012, client 27 (127.0.0.1)

AUTH 15/04/2003 10:53:22 I 5081 1724 Done RQ1012, client 27, status 0

AUTH 15/04/2003 10:53:22 I 5094 1724 Worker 3 processing message 21.

AUTH 15/04/2003 10:53:22 I 5081 1724 Start RQ1028, client 27 (127.0.0.1)

AUTH 15/04/2003 10:53:22 I 5081 1724 Done RQ1028, client 27, status -1085

AUTH 15/04/2003 10:53:22 I 5094 1724 Worker 3 processing message 22.

AUTH 15/04/2003 10:53:22 I 5081 1724 Start RQ1012, client 27 (127.0.0.1)

AUTH 15/04/2003 10:53:22 I 5081 1724 Done RQ1012, client 27, status 0

AUTH 15/04/2003 10:53:22 I 5094 1724 Worker 3 processing message 23.

AUTH 15/04/2003 10:53:22 I 5081 1724 Start RQ1012, client 27 (127.0.0.1)

AUTH 15/04/2003 10:53:22 I 5081 1724 Done RQ1012, client 27, status 0

AUTH 15/04/2003 10:53:22 I 5094 1724 Worker 3 processing message 24.

AUTH 15/04/2003 10:53:22 I 5081 1724 Start RQ1028, client 27 (127.0.0.1)

AUTH 15/04/2003 10:53:22 I 5081 1724 Done RQ1028, client 27, status -1085

AUTH 15/04/2003 10:53:27 A 5096 1408 Worker 0 error/timeout, forcing API disconnect of connection 1.

AUTH 15/04/2003 10:53:27 A 5097 1408 Worker 0 closing conn 1 endpoint. Handled 1016 messages.

AUTH 15/04/2003 10:53:27 A 5082 1408 Worker 0 waiting for work

AUTH 15/04/2003 10:53:32 I 5094 1724 Worker 3 processing message 25.

AUTH 15/04/2003 10:53:32 I 5081 1724 Start RQ1012, client 27 (127.0.0.1)

AUTH 15/04/2003 10:53:32 I 5081 1724 Done RQ1012, client 27, status 0

AUTH 15/04/2003 10:53:32 I 5094 1724 Worker 3 processing message 26.

AUTH 15/04/2003 10:53:32 I 5081 1724 Start RQ1012, client 27 (127.0.0.1)

AUTH 15/04/2003 10:53:32 I 5081 1724 Done RQ1012, client 27, status 0

AUTH 15/04/2003 10:53:32 I 5094 1724 Worker 3 processing message 27.

AUTH 15/04/2003 10:53:32 I 5081 1724 Start RQ1028, client 27 (127.0.0.1)

AUTH 15/04/2003 10:53:32 I 5081 1724 Done RQ1028, client 27, status -1085

AUTH 15/04/2003 10:53:32 I 5094 1724 Worker 3 processing message 28.

AUTH 15/04/2003 10:53:32 I 5081 1724 Start RQ1012, client 27 (127.0.0.1)

AUTH 15/04/2003 10:53:32 I 5081 1724 Done RQ1012, client 27, status 0

AUTH 15/04/2003 10:53:32 I 5094 1724 Worker 3 processing message 29.

AUTH 15/04/2003 10:53:32 I 5081 1724 Start RQ1012, client 27 (127.0.0.1)

AUTH 15/04/2003 10:53:32 I 5081 1724 Done RQ1012, client 27, status 0

AUTH 15/04/2003 10:53:32 I 5094 1724 Worker 3 processing message 30.

AUTH 15/04/2003 10:53:32 I 5081 1724 Start RQ1028, client 27 (127.0.0.1)

AUTH 15/04/2003 10:53:32 I 5081 1724 Done RQ1028, client 27, status -1085

AUTH 15/04/2003 10:53:42 I 5094 1724 Worker 3 processing message 31.

AUTH 15/04/2003 10:53:42 I 5081 1724 Start RQ1012, client 27 (127.0.0.1)

AUTH 15/04/2003 10:53:42 I 5081 1724 Done RQ1012, client 27, status 0

AUTH 15/04/2003 10:53:42 I 5094 1724 Worker 3 processing message 32.

AUTH 15/04/2003 10:53:42 I 5081 1724 Start RQ1012, client 27 (127.0.0.1)

AUTH 15/04/2003 10:53:42 I 5081 1724 Done RQ1012, client 27, status 0

AUTH 15/04/2003 10:53:42 I 5094 1724 Worker 3 processing message 33.

AUTH 15/04/2003 10:53:42 I 5081 1724 Start RQ1028, client 27 (127.0.0.1)

AUTH 15/04/2003 10:53:42 I 5081 1724 Done RQ1028, client 27, status -1085

AUTH 15/04/2003 10:53:42 I 5094 1724 Worker 3 processing message 34.

AUTH 15/04/2003 10:53:42 I 5081 1724 Start RQ1012, client 27 (127.0.0.1)

AUTH 15/04/2003 10:53:42 I 5081 1724 Done RQ1012, client 27, status 0

AUTH 15/04/2003 10:53:42 I 5094 1724 Worker 3 processing message 35.

AUTH 15/04/2003 10:53:42 I 5081 1724 Start RQ1012, client 27 (127.0.0.1)

AUTH 15/04/2003 10:53:42 I 5081 1724 Done RQ1012, client 27, status 0

AUTH 15/04/2003 10:53:42 I 5094 1724 Worker 3 processing message 36.

AUTH 15/04/2003 10:53:42 I 5081 1724 Start RQ1028, client 27 (127.0.0.1)

AUTH 15/04/2003 10:53:42 I 5081 1724 Done RQ1028, client 27, status -1085

Some more msgs:

AUTH 15/04/2003 10:51:42 A 5016 0760 Server stop requested

AUTH 15/04/2003 10:51:42 A 0523 0792 Shutdown initiated

AUTH 15/04/2003 10:51:42 A 0535 0792 Waiting for workers...

AUTH 15/04/2003 10:51:43 A 5012 0792 All workers stopped ok.

AUTH 15/04/2003 10:51:43 A 0547 0792 Waiting for main threads...

AUTH 15/04/2003 10:51:43 A 5014 0792 Listen/Replicate threads stopped ok.

AUTH 15/04/2003 10:51:43 X 5125 0792 ========= Server statistics =========

AUTH 15/04/2003 10:51:43 X 5126 0792 ------ Worker stats ------

AUTH 15/04/2003 10:51:43 X 5122 0792 Worker 00 messages processed : 1970

AUTH 15/04/2003 10:51:43 X 5123 0792 Worker 00 rejected connections : 0

AUTH 15/04/2003 10:51:43 X 5122 0792 Worker 01 messages processed : 654

AUTH 15/04/2003 10:51:43 X 5123 0792 Worker 01 rejected connections : 0

AUTH 15/04/2003 10:51:43 X 5122 0792 Worker 02 messages processed : 77

AUTH 15/04/2003 10:51:43 X 5123 0792 Worker 02 rejected connections : 0

AUTH 15/04/2003 10:51:43 X 5122 0792 Worker 03 messages processed : 125

AUTH 15/04/2003 10:51:43 X 5123 0792 Worker 03 rejected connections : 0

AUTH 15/04/2003 10:51:43 X 5128 0792 Worker 04 : Unused.

AUTH 15/04/2003 10:51:43 X 5127 0792 ------ Global stats ------

AUTH 15/04/2003 10:51:43 X 5005 0792 Total messages processed : 2826

AUTH 15/04/2003 10:51:43 X 5000 0792 Total connection attempts : 43

AUTH 15/04/2003 10:51:43 X 5001 0792 Handled connections : 43

AUTH 15/04/2003 10:51:43 X 5003 0792 Rejected connections : 0

AUTH 15/04/2003 10:51:43 X 5004 0792 Missed connections (too busy) : 0 (0% of total).

AUTH 15/04/2003 10:51:43 X 5006 0792 Max threads used (idle %age) : 4 of 5 (20%).

AUTH 15/04/2003 10:51:43 X 5008 0792 Recommend new thread count : 5

AUTH 15/04/2003 10:51:43 A 0562 0792 Shutdown phase 1...

AUTH 15/04/2003 10:51:43 A 0564 0792 Shutdown phase 2...

AUTH 15/04/2003 10:51:44 I 0266 0792 External DB [LeapProxy.dll]: FinaliseLibrary OK

AUTH 15/04/2003 10:51:44 I 0266 0792 External DB [RadiusToken.dll]: FinaliseLibrary OK

AUTH 15/04/2003 10:51:44 I 0266 0792 External DB [Vasco.dll]: FinaliseLibrary OK

AUTH 15/04/2003 10:51:44 I 0266 0792 External DB [Activcard.dll]: FinaliseLibrary OK

AUTH 15/04/2003 10:51:44 I 0266 0792 External DB [CSCryptoCard.dll]: FinaliseLibrary OK

AUTH 15/04/2003 10:51:44 I 0266 0792 External DB [SecurID.dll]: Completed user [alennox]

AUTH 15/04/2003 10:51:44 A 5030 0792 Closing Database.

AUTH 15/04/2003 10:51:44 I 0312 0792 Varsdb:All ODBC workers closed OK

AUTH 15/04/2003 10:51:44 I 0312 0792 Varsdb:DLL shutdown complete

AUTH 15/04/2003 10:51:44 A 5030 0792 Database closed OK.

AUTH 15/04/2003 10:51:44 A 5031 0792 CSAuth server stopped ==============================

AUTH 15/04/2003 10:52:08 A 5020 1488 CSAuth server starting ==============================

AUTH 15/04/2003 10:52:08 I 5021 1488 Base directory is C:\Program Files\CiscoSecure ACS v3.0\CSAuth

AUTH 15/04/2003 10:52:08 I 5022 1488 Log directory is C:\Program Files\CiscoSecure ACS v3.0\CSAuth\Logs

AUTH 15/04/2003 10:52:08 I 5023 1488 User directory is C:\Program Files\CiscoSecure ACS v3.0\CSAuth\Users

AUTH 15/04/2003 10:52:08 I 5024 1488 CSAuth version is 3.0(1.40)

AUTH 15/04/2003 10:52:08 A 5026 1488 Running as NT service.

AUTH 15/04/2003 10:52:08 I 5051 1488 Socket library initialised OK.

AUTH 15/04/2003 10:52:08 I 5055 1488 CSAuth port is 2000

AUTH 15/04/2003 10:52:09 I 5061 1488 File handle limit is 64

AUTH 15/04/2003 10:52:09 I 5065 1488 Will use 5 worker threads.

AUTH 15/04/2003 10:52:09 I 1116 1488 Started password aging module.

AUTH 15/04/2003 10:52:09 I 1126 1488 Started network model module.

AUTH 15/04/2003 10:52:09 I 0312 1488 Varsdb:Kicking off 1 ODBC workers

AUTH 15/04/2003 10:52:09 I 5029 1488 Database opened OK.

AUTH 15/04/2003 10:52:09 I 1507 1488 Unknown user cache updated.

AUTH 15/04/2003 10:52:09 E 1113 1488 ReadLibraryRegistry: Cannot find 'Name' for key SOFTWARE\Cisco\CiscoAAAv3.0\Authenticators\Libraries\14

AUTH 15/04/2003 10:52:09 E 0696 1488 AuthenInitialise: library 14 has invalid registry settings

AUTH 15/04/2003 10:52:09 I 1138 1488 ReadLibraryRegistry : RSA SecurID Token Server loaded (DLL SecurID.dll Properties 10a)

AUTH 15/04/2003 10:52:09 I 1172 1488 ReadSupplierRegistry: RSA SecurID Token Server loaded

AUTH 15/04/2003 10:52:09 I 1138 1488 ReadLibraryRegistry : SafeWord Token Server loaded (DLL CSSafeword.dll Properties 10a)

AUTH 15/04/2003 10:52:09 I 1138 1488 ReadLibraryRegistry : CryptoCard Token Server loaded (DLL CSCryptoCard.dll Properties 5)

AUTH 15/04/2003 10:52:09 I 0266 1488 External DB [CSCryptoCard.dll]: InitialiseLibrary OK

AUTH 15/04/2003 10:52:09 I 0433 1488 AuthenLoadLibrary: Loaded DLL for CryptoCard Token Server

AUTH 15/04/2003 10:52:09 I 1138 1488 ReadLibraryRegistry : AXENT Token Server loaded (DLL CSAxent.dll Properties 10a)

AUTH 15/04/2003 10:52:09 I 1138 1488 ReadLibraryRegistry : ActivCard Token Server loaded (DLL Activcard.dll Properties 5)

AUTH 15/04/2003 10:52:09 I 0266 1488 External DB [Activcard.dll]: InitialiseLibrary OK

AUTH 15/04/2003 10:52:09 I 0433 1488 AuthenLoadLibrary: Loaded DLL for ActivCard Token Server

AUTH 15/04/2003 10:52:09 I 1138 1488 ReadLibraryRegistry : Vasco Token Server loaded (DLL Vasco.dll Properties 5)

AUTH 15/04/2003 10:52:09 I 0266 1488 External DB [Vasco.dll]: InitialiseLibrary OK

AUTH 15/04/2003 10:52:09 I 0433 1488 AuthenLoadLibrary: Loaded DLL for Vasco Token Server

AUTH 15/04/2003 10:52:09 I 1138 1488 ReadLibraryRegistry : RADIUS Token Server loaded (DLL RadiusToken.dll Properties 5)

AUTH 15/04/2003 10:52:09 I 0266 1488 External DB [RadiusToken.dll]: InitialiseLibrary OK

AUTH 15/04/2003 10:52:09 I 0433 1488 AuthenLoadLibrary: Loaded DLL for RADIUS Token Server

AUTH 15/04/2003 10:52:09 I 1138 1488 ReadLibraryRegistry : External ODBC Database loaded (DLL ODBCAuthDll.dll Properties 833)

AUTH 15/04/2003 10:52:09 I 1172 1488 ReadSupplierRegistry: External ODBC Database loaded

AUTH 15/04/2003 10:52:09 I 1138 1488 ReadLibraryRegistry : Generic LDAP loaded (DLL DServDll.dll Properties 2205)

AUTH 15/04/2003 10:52:09 I 0266 1488 External DB [DServDll.dll]: Starting Init

AUTH 15/04/2003 10:52:09 I 0266 1488 External DB [DServDll.dll]: Connect Init 1

AUTH 15/04/2003 10:52:09 I 0266 1488 External DB [DServDll.dll]: OK Connect Init

AUTH 15/04/2003 10:52:09 I 0433 1488 AuthenLoadLibrary: Loaded DLL for Generic LDAP

AUTH 15/04/2003 10:52:09 I 1138 1488 ReadLibraryRegistry : Novell NDS loaded (DLL NDSAuth.dll Properties 207)

AUTH 15/04/2003 10:52:09 I 0266 1488 External DB [NDSAuth.dll]: Starting NDS DLL Init

AUTH 15/04/2003 10:52:09 A 0266 1488 External DB [NDSAuth.dll]: NDSAuth failed to load clxwin32.dll

AUTH 15/04/2003 10:52:09 E 0266 1488 External DB [NDSAuth.dll]: Novell Libraries not found on this machine. NDS authentication will not be operable.

AUTH 15/04/2003 10:52:09 E 0449 1488 AuthenLoadLibrary: DLL for Novell NDS initialization function failed

AUTH 15/04/2003 10:52:09 I 1138 1488 ReadLibraryRegistry : Windows NT/2000 loaded (DLL NTAuthenDLL.dll Properties 3a07)

AUTH 15/04/2003 10:52:09 I 0266 1488 External DB [NTAuthenDLL.dll]: Dialin check disabled

AUTH 15/04/2003 10:52:09 I 0266 1488 External DB [NTAuthenDLL.dll]: RAS features enabled

AUTH 15/04/2003 10:52:09 I 0266 1488 External DB [NTAuthenDLL.dll]: The local computer name is ACS

AUTH 15/04/2003 10:52:09 I 0266 1488 External DB [NTAuthenDLL.dll]: We are NOT a domain controller

AUTH 15/04/2003 10:52:09 I 0266 1488 External DB [NTAuthenDLL.dll]: We are NOT a member of a domain => we cannot authenticate accounts on other trusted domains

AUTH 15/04/2003 10:52:09 I 0266 1488 External DB [NTAuthenDLL.dll]: Loaded OK

AUTH 15/04/2003 10:52:09 I 0433 1488 AuthenLoadLibrary: Loaded DLL for Windows NT/2000

AUTH 15/04/2003 10:52:09 I 1172 1488 ReadSupplierRegistry: Windows NT/2000 loaded

AUTH 15/04/2003 10:52:09 I 1138 1488 ReadLibraryRegistry : LEAP Proxy RADIUS Server loaded (DLL LeapProxy.dll Properties 805)

AUTH 15/04/2003 10:52:09 I 0266 1488 External DB [LeapProxy.dll]: InitialiseLibrary OK

AUTH 15/04/2003 10:52:09 I 0433 1488 AuthenLoadLibrary: Loaded DLL for LEAP Proxy RADIUS Server

AUTH 15/04/2003 10:52:11 I 5074 1488 Idle connections dropped after 1 minutes
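An added example, not part of the original thread: a triage helper for a log in the layout posted above, which counts requests that finished with a non-zero status and collects the error-level lines so they stand out from the routine entries. The column meanings (severity letter, numeric message code, thread id) are assumptions read off the layout, and the sample lines are a short constructed excerpt in that layout.

```python
import re
from collections import Counter

# AUTH <date> <time> <severity> <msg code> <thread> <message>
LINE = re.compile(
    r"^AUTH (\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) ([A-Z]) (\d{4}) (\d{4}) (.*)$")
DONE = re.compile(r"^Done (RQ\d+), client (\d+), status (-?\d+)")


def triage(lines):
    """Return (Counter of (request, status) for non-zero statuses, error lines)."""
    failed = Counter()
    errors = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank lines, wrapped text, anything not in the layout
        when, severity, code, _thread, msg = m.groups()
        done = DONE.match(msg)
        if done and done.group(3) != "0":
            failed[(done.group(1), int(done.group(3)))] += 1
        elif severity == "E":
            errors.append((when, code, msg))
    return failed, errors


# Constructed excerpt in the same layout as the log in the post.
SAMPLE_LOG = """\
AUTH 15/04/2003 10:53:22 I 5081 1724 Start RQ1012, client 27 (127.0.0.1)
AUTH 15/04/2003 10:53:22 I 5081 1724 Done RQ1012, client 27, status 0
AUTH 15/04/2003 10:53:22 I 5081 1724 Start RQ1028, client 27 (127.0.0.1)
AUTH 15/04/2003 10:53:22 I 5081 1724 Done RQ1028, client 27, status -1085
AUTH 15/04/2003 10:53:32 I 5081 1724 Done RQ1028, client 27, status -1085
AUTH 15/04/2003 10:52:09 E 0696 1488 AuthenInitialise: library 14 has invalid registry settings
not a log line
""".splitlines()

if __name__ == "__main__":
    failed, errors = triage(SAMPLE_LOG)
    for (request, status), n in failed.most_common():
        print(f"{request} finished with status {status} x{n}")
    for when, code, msg in errors:
        print(f"{when} [{code}] {msg}")
```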

FRANK SCHADE
Level 1

I've the same problem with ACS 2.6-2. Is there a solution around in the meantime?

We have LEAP working with a locally defined user. If you want to use OTP tokens you have to use PEAP; this requires v3.1 or higher. As yet we cannot get PEAP on Win2K to work; it looks like it must be XP. As for Win Domain, I will not be testing that; the ACS server must be part of the domain.

The attached link takes you to a document that contains a matrix of which ACS databases support which authentication protocols: http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs31/acsuser/o.htm#625794
