
dialup authentication via RADIUS ACS 4.0

che.candeloza
Level 1

What should be configured/set on the ACS for the RADIUS IETF authentication?

This is a new setup. Users failed to authenticate via ACS (both local users and AD). Failed attempts are being logged at ACS.

5 Replies

Richard Burts
Hall of Fame

Rachelle

If authentication requests are getting to the server then it sounds like most of the router config is in place. If there are entries in the failed attempts logs then there should be an indication of what the error is. What does the failed attempts log have for the error for these attempts?

In my experience the most common errors are not having the same value for the shared key between the router and the server or having the authentication request source address from the router not match the address configured in ACS. What do the failed attempt logs say about the error?

HTH

Rick


Errors are "CS password invalid" for local users of ACS and "External DB user invalid or bad password" for the AD users. Same users are being used for 802.1x authentication, users are authenticated successfully.

What seems to be the problem?

Rachelle

The title in the original post indicates that this is dialup. Can you tell us a bit about the dialup and how it is set up? And can you post the appropriate parts of the router configuration? In particular I am wondering whether the router may be using PAP or CHAP for PPP authentication.

And would I be correct in assuming that in the failed attempts report that it is showing the correct ID of the user when it is reporting that password invalid or user invalid?

HTH

Rick

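
What the router sends for each PPP method mentioned in the replies above, as an added example that is not part of the original thread: RFC 2865 hides the PAP User-Password with the shared key, while the RFC 1994 CHAP response is computed from the password itself. The key, password and authenticator values are constructed for illustration.

```python
import hashlib

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pap_hide(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 sec. 5.2: User-Password as the NAS (router) sends it."""
    if len(req_auth) != 16 or not 0 < len(password) <= 128:
        raise ValueError("need a 16-byte authenticator and a 1..128 byte password")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def pap_recover(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """The server side: undo the hiding with the server's copy of the key."""
    if len(req_auth) != 16 or not hidden or len(hidden) % 16:
        raise ValueError("need a 16-byte authenticator and 16-byte blocks")
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: MD5(id || password || challenge). The shared key is not an
    input, and the verifier must hold the cleartext password to recompute it."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

# Constructed sample values, not taken from the thread.
REQ_AUTH = bytes(range(16))
NAS_SECRET = b"router-side-key"
PASSWORD = b"Dialup-User-Pw-20chr"  # 20 bytes, so two 16-byte blocks

def demo() -> dict:
    hidden = pap_hide(PASSWORD, NAS_SECRET, REQ_AUTH)
    return {
        "same_secret": pap_recover(hidden, NAS_SECRET, REQ_AUTH),
        "other_secret": pap_recover(hidden, b"server-side-key", REQ_AUTH),
        "chap": chap_response(1, PASSWORD, REQ_AUTH),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Under RFC 2865 alone, a server holding a different key recovers unrelated bytes from the PAP attribute; how a particular server reports that case is product-specific.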

Other than this, also cross-check the shared secret key on ACS and on your aaa-client.

Regards,

~JG

JG

If the issue were a mismatch between the shared secret key would it not have failed before it got to the point where the error is "CS password invalid"?

In my experience ACS checks the shared secret key long before it gets to the point of checking the user password.

HTH

Rick
