No Response from the ACS

conceptzone
Level 1

Dear Group,

I have two ACS: the primary ACS has the IP address 192.168.1.8 and the secondary ACS has the IP address 192.168.1.9.

I tried to forward the authentication requests to the secondary ACS to make sure that we have no problem in case the primary fails, but the secondary ACS did not respond to the requests sent from the AAA client, though I have no problem with the primary ACS.

The secondary ACS has the same configuration and feature set as the primary ACS. The primary ACS is configured to replicate its usernames, configuration, etc. every 60 minutes, and the secondary ACS is configured to receive that replication information.

Unfortunately the secondary ACS is not responding and is giving the following message:

No response from (192.168.1.9:1645,1646)

RADIUS/ENCODE(00000019): dropping service type, "radius-server attribute 6 on-for-login-auth" is off

I will appreciate it if someone can help me with diagnosing what's going on.

Here is the complete debug while entering the username/password:

Username: testuser

*Mar 23 16:00:15.625: AAA/BIND(00000019): Bind i/f

*Mar 23 16:00:15.625: AAA/AUTHEN/LOGIN (00000019): Pick method list 'VTY'

*Mar 23 16:00:15.625: RADIUS/ENCODE(00000019): ask "Username: "

*Mar 23 16:00:15.625: RADIUS/ENCODE(00000019): send packet; GET_USER

Password:

*Mar 23 16:00:22.037: RADIUS/ENCODE(00000019): ask "Password: "

*Mar 23 16:00:22.037: RADIUS/ENCODE(00000019): send packet; GET_PASSWORD

*Mar 23 16:00:28.201: RADIUS: AAA Unsupported [150] 6

*Mar 23 16:00:28.201: RADIUS: 74 74 79 31 [tty1]

*Mar 23 16:00:28.201: RADIUS(00000019): Storing nasport 162 in rad_db

*Mar 23 16:00:28.201: RADIUS/ENCODE(00000019): dropping service type, "radius-server attribute 6 on-for-login-auth" is off

*Mar 23 16:00:28.201: RADIUS(00000019): Config NAS IP: 192.168.1.12

*Mar 23 16:00:28.201: RADIUS/ENCODE(00000019): acct_session_id: 22

*Mar 23 16:00:28.201: RADIUS(00000019): sending

*Mar 23 16:00:28.201: RADIUS(00000019): Send Access-Request to 192.168.1.9:1645 id 21645/14, len 79

*Mar 23 16:00:28.201: RADIUS: authenticator 79 79 F3 E5 6F 89 69 EA - AA 87 44 E3 F7 93 47 6B

*Mar 23 16:00:28.201: RADIUS: User-Name [1] 9 "testuser"

*Mar 23 16:00:28.201: RADIUS: User-Password [2] 18 *

*Mar 23 16:00:28.201: RADIUS: NAS-Port [5] 6 162

*Mar 23 16:00:28.201: RADIUS: NAS-Port-Type [61] 6 Virtual [5]

*Mar 23 16:00:28.201: RADIUS: Calling-Station-Id [31] 14 "192.168.1.12"

*Mar 23 16:00:28.201: RADIUS: NAS-IP-Address [4] 6 192.168.1.12

*Mar 23 16:00:33.201: RADIUS: Retransmit to (192.168.1.9:1645,1646) for id 21645/14

*Mar 23 16:00:38.201: RADIUS: Retransmit to (192.168.1.9:1645,1646) for id 21645/14

*Mar 23 16:00:43.201: RADIUS: Retransmit to (192.168.1.9:1645,1646) for id 21645/14

*Mar 23 16:00:48.201: RADIUS: No response from (192.168.1.9:1645,1646) for id 21645/14

*Mar 23 16:00:48.201: RADIUS/DECODE: parse response no app start; FAIL

*Mar 23 16:00:48.201: RADIUS/DECODE: parse response; FAIL

% Authentication failed.

*Mar 23 16:01:47.929: RADIUS: Retransmit to (192.168.1.9:1645,1646) for id 21645/15

*Mar 23 16:01:52.929: RADIUS: Retransmit to (192.168.1.9:1645,1646) for id 21645/15

*Mar 23 16:01:57.929: RADIUS: Retransmit to (192.168.1.9:1645,1646) for id 21645/15

*Mar 23 16:02:02.929: RADIUS: No response from (192.168.1.9:1645,1646) for id 21645/15

*Mar 23 16:02:02.929: RADIUS/DECODE: parse response no app start; FAIL

*Mar 23 16:02:02.929: RADIUS/DECODE: parse response; FAIL

% Authentication failed.

Thanks for helping me in advance
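The debug output above, summarized per request, as an added example that is not part of the original post: it parses the three RADIUS line types that appear in the debug (Send Access-Request, Retransmit, No response) and reports retransmit counts and time to give-up for each server and request id. The function names and the `open` outcome label are this example's own.

```python
import re
from datetime import datetime
# Lines copied from the debug output in the post above.
SAMPLE = """\
*Mar 23 16:00:28.201: RADIUS(00000019): Send Access-Request to 192.168.1.9:1645 id 21645/14, len 79
*Mar 23 16:00:33.201: RADIUS: Retransmit to (192.168.1.9:1645,1646) for id 21645/14
*Mar 23 16:00:38.201: RADIUS: Retransmit to (192.168.1.9:1645,1646) for id 21645/14
*Mar 23 16:00:43.201: RADIUS: Retransmit to (192.168.1.9:1645,1646) for id 21645/14
*Mar 23 16:00:48.201: RADIUS: No response from (192.168.1.9:1645,1646) for id 21645/14
*Mar 23 16:01:47.929: RADIUS: Retransmit to (192.168.1.9:1645,1646) for id 21645/15
*Mar 23 16:01:52.929: RADIUS: Retransmit to (192.168.1.9:1645,1646) for id 21645/15
*Mar 23 16:01:57.929: RADIUS: Retransmit to (192.168.1.9:1645,1646) for id 21645/15
*Mar 23 16:02:02.929: RADIUS: No response from (192.168.1.9:1645,1646) for id 21645/15
"""

TS = r"(\w{3}\s+\d+ [\d:.]+): RADIUS(?:\(\w+\))?: "
PEER = r"\(([\d.]+):[\d,]+\) for id (\d+/\d+)"
EVENTS = {
    "send": re.compile(TS + r"Send Access-Request to ([\d.]+):\d+ id (\d+/\d+)"),
    "retransmit": re.compile(TS + "Retransmit to " + PEER),
    "timeout": re.compile(TS + "No response from " + PEER),
}

def summarize(log):
    """Group events per (server, request id) and record how each request ended."""
    reqs = {}
    for line in log.splitlines():
        for kind, rx in EVENTS.items():
            m = rx.search(line)
            if not m:
                continue
            # IOS debug timestamps carry no year; 2000 is an arbitrary placeholder.
            ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S.%f")
            r = reqs.setdefault((m.group(2), m.group(3)), {
                "first": ts, "send_seen": False, "retransmits": 0,
                "outcome": "open", "elapsed": None})
            if kind == "send":
                r["send_seen"] = True
            elif kind == "retransmit":
                r["retransmits"] += 1
            else:  # the NAS gave up: no reply of any kind came back
                r["outcome"] = "no_response"
                r["elapsed"] = (ts - r["first"]).total_seconds()
    return reqs

def silent_servers(reqs):
    """Servers for which every request in the log timed out."""
    answered = {s for (s, _), r in reqs.items() if r["outcome"] != "no_response"}
    return sorted({s for s, _ in reqs} - answered)
```

On the posted lines, both requests to 192.168.1.9 end in `no_response` after three retransmits, and request 21645/15 has no Send line in the paste, which the `send_seen` flag records.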

4 Replies

osamoz
Level 1

Can you please post the configuration?

aaa new-model

aaa authentication login VTY group radius local

aaa authentication login no_authentication none

aaa accounting exec default stop-only group radius

aaa accounting connection default start-stop group radius

aaa accounting system default start-stop group radius

ip radius source-interface Ethernet0/0

radius-server host 192.168.1.9 auth-port 1645 acct-port 1646 key lemon123

interface Ethernet0/0

ip address 192.168.1.12 255.255.255.0

line con 0

login authentication no_authentication

line aux 0

line vty 0 4

password cisco

login authentication VTY

transport input telnet

line vty 5 15

login authentication VTY

transport input telnet

darpotter
Level 5

If you look in the failed attempts report on the secondary ACS - does it say anything?

You need to know if the request is making it to the secondary; if it's getting there, is it being ignored or is there a problem in processing it?

Failed attempts is the first place to look.

Darran

Dear Darran,

Unfortunately there are no logs in the secondary ACS; the only logs I can see are the commands I entered on the AAA client. There are no failed attempts records.

The RADIUS is dead. Currently I have bypassed this issue by installing a new ACS on a third server. The IT department is persistent about solving this issue from the root; they want me to analyze the problem and discover the reason behind this phenomenon.

I will dedicate time next week to play very hard with this ACS to know what's going on. Meanwhile, I will be glad if someone can tell me some methods to run a debug on the Windows machine.

Thanks
