New Member

ACS 3.0 strange failed attempts

I am currently using Cisco ACS 3.0 and have noticed very strange logs under Reports, Failed Attempts.

It is showing numerous failed attempts from username : azbycx to our 4 Core 6500 Catos Switches.

The caller-id field does not display a source ip address and these hits are happening every minute.

I have noticed that any passed or failed attempts to any CatOS switches do not provide a caller-id IP address in the report. Any IOS attempts log the IP address fine.

Any help would be appreciated. Even a way to log the catos switch to determine what is attempting to log into these 6500 switches.

Thanks SG

5 REPLIES
Silver

Re: ACS 3.0 strange failed attempts

Is your concern that

a) the switch is the problem, or

b) that ACS isn't logging correctly

You can easily check what ACS is receiving.

Run CSradius -z -p or CSTacacs -z -e at the command line to see a packet-by-packet debug.

New Member

Re: ACS 3.0 strange failed attempts

Hi,

I ran the csradius -z -p and got the following debug results on unknown username "azbycx"

I'm not sure if this debug is telling me anything I don't already know!!!

Also, caller-id from the Failed Attempts report is not showing a source IP address from the switches in question, which are running CatOS??

Request from host 172.16.2.6:1645 code=1, id=69, length=65 on port 1024

[001] User-Name value: azbycx

[004] NAS-IP-Address value: 172.16.2.6

[079] EAP-Message value: .E...azbycx

[080] Message-Authenticator value: F2 F3 E3 1C 56 E9 73 10 14 DE C6 F7 24 31 5F 29

ExtensionPoint: Initiating scan of configured extension points...

ExtensionPoint: Calling [AuthenticationExtension] for Supplier [Cisco Generic EAP]

ExtensionPoint: [Generic EAP] ASAuthenticateUser failed [-1092]

ExtensionPoint: [GenericEAP.dll->AuthenticationExtension] returned [3 - reject]

ExtensionPoint: Start of Attribute Set

ExtensionPoint: End of Attribute Set

User:azbycx - Authentication type not supported by external database

Sending response code 3, id 69 to 172.16.2.6 on port 1024

Request from host 172.16.2.8:1645 code=1, id=164, length=65 on port 1024

[001] User-Name value: azbycx

[004] NAS-IP-Address value: 172.16.2.8

[079] EAP-Message value: .¤...azbycx

[080] Message-Authenticator value: FD B9 66 FE A4 50 57 FE 68 1F B3 2A CE 57 2C 63

ExtensionPoint: Initiating scan of configured extension points...

ExtensionPoint: Calling [AuthenticationExtension] for Supplier [Cisco Generic EAP]

ExtensionPoint: [Generic EAP] ASAuthenticateUser failed [-1092]

ExtensionPoint: [GenericEAP.dll->AuthenticationExtension] returned [3 - reject]

ExtensionPoint: Start of Attribute Set

ExtensionPoint: End of Attribute Set

User:azbycx - Authentication type not supported by external database

Thanks for your assistance
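The CSRadius debug above is easier to reason about once it is grouped per request. The following Python script is an added example, not code from the thread or from Cisco: it parses the "Request from host ... / [nnn] Attr value: ... / Sending response code ..." line format quoted above, reconstructs each Access-Request with its attributes and the response code ACS returned, and flags two things a defender would want to see: rejected EAP requests that carry no Calling-Station-Id (attribute 31, normally present in 802.1X) and usernames rejected from more than one NAS. The sample input is constructed here; the first two requests mirror the quoted debug, the third is an invented accepted request added to show the contrast.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the CSRadius -z -p output quoted in the thread.
# The third request (user jdoe, NAS 172.16.2.9) is invented to show an accepted
# 802.1X exchange that carries the station-id attributes.
SAMPLE_DEBUG = """\
Request from host 172.16.2.6:1645 code=1, id=69, length=65 on port 1024
[001] User-Name value: azbycx
[004] NAS-IP-Address value: 172.16.2.6
[079] EAP-Message value: .E...azbycx
[080] Message-Authenticator value: F2 F3 E3 1C 56 E9 73 10 14 DE C6 F7 24 31 5F 29
ExtensionPoint: [Generic EAP] ASAuthenticateUser failed [-1092]
User:azbycx - Authentication type not supported by external database
Sending response code 3, id 69 to 172.16.2.6 on port 1024
Request from host 172.16.2.8:1645 code=1, id=164, length=65 on port 1024
[001] User-Name value: azbycx
[004] NAS-IP-Address value: 172.16.2.8
[079] EAP-Message value: .....azbycx
[080] Message-Authenticator value: FD B9 66 FE A4 50 57 FE 68 1F B3 2A CE 57 2C 63
User:azbycx - Authentication type not supported by external database
Sending response code 3, id 164 to 172.16.2.8 on port 1024
Request from host 172.16.2.9:1645 code=1, id=7, length=90 on port 1024
[001] User-Name value: jdoe
[004] NAS-IP-Address value: 172.16.2.9
[030] Called-Station-Id value: 00-11-22-33-44-55
[031] Calling-Station-Id value: 00-aa-bb-cc-dd-ee
[079] EAP-Message value: ....jdoe
Sending response code 2, id 7 to 172.16.2.9 on port 1024
"""

REQUEST_RE = re.compile(r"^Request from host (?P<host>[\d.]+):\d+ code=(?P<code>\d+), id=(?P<id>\d+)")
ATTR_RE = re.compile(r"^\[(?P<num>\d{3})\] (?P<name>[\w-]+) value: (?P<value>.*)$")
RESPONSE_RE = re.compile(r"^Sending response code (?P<code>\d+), id (?P<id>\d+) to (?P<host>[\d.]+)")

ACCESS_ACCEPT = 2   # RADIUS code values from RFC 2865
ACCESS_REJECT = 3
USER_NAME, CALLING_STATION_ID, EAP_MESSAGE = 1, 31, 79


def parse_requests(text):
    """Group debug lines into one record per Access-Request: NAS, id, attrs, response code."""
    requests = []
    current = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"nas": m["host"], "id": int(m["id"]), "attrs": {}, "response": None}
            requests.append(current)
            continue
        if current is None:
            continue
        m = ATTR_RE.match(line)
        if m:
            current["attrs"][int(m["num"])] = m["value"]
            continue
        m = RESPONSE_RE.match(line)
        # Only attach the response if its id matches the request we are building.
        if m and int(m["id"]) == current["id"]:
            current["response"] = int(m["code"])
    return requests


def flag_suspicious(requests):
    """Return human-readable findings for rejected requests worth investigating."""
    findings = []
    rejected_by_user = defaultdict(set)
    for r in requests:
        user = r["attrs"].get(USER_NAME, "<none>")
        if r["response"] != ACCESS_REJECT:
            continue
        rejected_by_user[user].add(r["nas"])
        # An EAP request with no Calling-Station-Id is not a normal 802.1X supplicant exchange.
        if EAP_MESSAGE in r["attrs"] and CALLING_STATION_ID not in r["attrs"]:
            findings.append(f"{r['nas']}: EAP request for '{user}' rejected without Calling-Station-Id")
    for user, nases in sorted(rejected_by_user.items()):
        if len(nases) > 1:
            findings.append(f"'{user}' rejected from {len(nases)} NAS devices: {', '.join(sorted(nases))}")
    return findings


if __name__ == "__main__":
    for finding in flag_suspicious(parse_requests(SAMPLE_DEBUG)):
        print(finding)
```

Run against a real CSRadius capture, the per-NAS grouping tells you immediately whether one switch or all of them are generating the traffic, and the missing-attribute check separates a real supplicant from a switch-originated packet such as the keep-alive discussed later in this thread.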

Silver

Re: ACS 3.0 strange failed attempts

Hmm, your switch is trying to perform an EAP authentication - albeit not very well since there are no calling/called station id attrs which are normal with .1x

I suspect the CatOS debug logs may give you more of an idea, because this doesn't look like an ACS issue.

Sorry I can't help more.

New Member

Re: ACS 3.0 strange failed attempts

Thanks for the reply.

Do you know exactly what debug logs I need to activate on the 6500 CatOS to determine where these source authentications are coming from?

E.g. RADIUS logging

New Member

Re: ACS 3.0 strange failed attempts

I was testing 802.1x authentication and ran into this issue. Here's the TAC response I received, and this fixed the problem:

Just for future reference, we were getting this issue because the keep-alive packets are sometimes misinterpreted by the ACS server, so adding "Set dot1x radius-keeplive disable" stops those keep-alive packets.
