From: Edouard Zorrilla (ezorrilla@tsf.com.pe)
Date: Sun Feb 08 2009 - 22:32:04 ARST
Sadiq,
Thanks for getting back to me.
ACS4.1 speaks with the Vasco Server using the RADIUS protocol.
Regarding Vasco, it is doing an authentication against an external DB so that people can
use their token with a password that changes over time. That is something we want
to achieve for ISO 27001.
I know that my config is all right because of the following:
1.-
When I enter my company using the Cisco VPN Client, I use the token
successfully:
[MyPC]-------(INTERNET)--------[VPN-SERVER-CISCO]--------Prot.=Radius--------[ACS4.1]--------Prot.=Radius--------[VACMAN(Vasco)Server]
2.-
When I enter my switches in my company, I authenticate successfully as
well:
[SW-C2950]--------Prot.=Radius(PAP)--------[ACS4.1]--------Prot.=Radius--------[VACMAN(Vasco)Server]
Nevertheless it fails when I use 802.1x:
[PC-USER]-------Prot.=802.1x(PEAPandEAP)--------[SW-C2950]--------Prot.=Radius--------[ACS4.1]--------Prot.=Radius--------[VACMAN(Vasco)Server]
Here I see that the ACS never sends the packet to the Vasco Server (Wireshark
told me that); the only message I get in the logs is: "External DB password
invalid". I do not know why the ACS prints this message if the packet never
leaves the ACS and the Vasco never gets the packet asking for authentication.
That is why I just wanted to change the version from ACS4.1.1 to ACS4.1.3 and
figure out whether or not the problem is a bug in that version.
Thanks a lot,
Regards
----- Original Message -----
From: Sadiq Yakasai
To: Edouard Zorrilla
Cc: security@groupstudy.com ; ccielab@groupstudy.com
Sent: Sunday, February 08, 2009 7:07 PM
Subject: Re: Upgrade ACS 4.1.1 to 4.1.3 or higher
Ed,
How can ACS4.1 speak RADIUS to another Server???? I am not sure that is
correct there.
So what does this VASCO server do at all? Is that the DB that contains the
user information? If you can provide some more detail of what you are trying
to do, that would be great too!
How have you configured ACS??? Have you isolated that the issue is not to do
with your config??
Thanks,
Sadiq
On Sun, Feb 8, 2009 at 11:50 PM, Edouard Zorrilla <ezorrilla@tsf.com.pe>
wrote:
Hi there,
Is there anyone who can share with me the upgrade from ACS 4.1.1 to 4.1.3
or 4.1.4, for example? I am having problems with a config and I guess this
is a bug:
[PC-USER]-------Prot.=802.1x(PEAPandEAP)--------[SW-C2950]--------Prot.=Radius--------[ACS4.1]--------Prot.=Radius--------[VACMAN(Vasco)Server]
PC-USER cannot log in with 802.1x. I have used EAP-MD5 and PEAP without luck. The message I get inside the ACS is that the user is not sending the right password: "External DB password invalid". The interesting thing is that the packet never leaves the ACS to go to the Vasco Server.
Nevertheless, PAP works well with ACS and Vasco. For instance, when I try to log in to the switch, it works very well.
[SW-C2950]--------Prot.=Radius(PAP)--------[ACS4.1]--------Prot.=Radius--------[VACMAN(Vasco)Server]
That is why I need to upgrade my ACS. I know that I should go to the TAC to ask for the software, but here someone forgot to renew the contract with Cisco :( and I am asked inside my company to finish with this problem. I just want to figure out if a bug is the problem; I would not run it on my live network. Anyone who can help me with the upgrade patch, please send me an email offline.
Any help will be appreciated,
Regards
PS: I already used the latest patch for ACS 4.1.1; what I want is to upgrade to at least ACS 4.1.3 and see if things work fine there.
Blogs and organic groups at http://www.ccie.net
-- CCIE #19963
This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:44:10 ARST