From: Nathan Hull (verb2300@yahoo.com)
Date: Wed Feb 11 2009 - 16:42:43 ARST
There is a patch for that issue if you have Cisco support. Or go to 4.1.3
________________________________
From: Edouard Zorrilla <ezorrilla@tsf.com.pe>
To: Tim <ccie2be@nyc.rr.com>; Sadiq Yakasai <sadiqtanko@gmail.com>
Cc: security@groupstudy.com; ccielab@groupstudy.com
Sent: Monday, February 9, 2009 1:49:12 PM
Subject: Re: Re: Upgrade ACS 4.1.1 to 4.1.3 or higher
Thanks Tim and Sadiq for getting back to me,
I will check out all the things and see where the root of the problem is,
Regards
----- Original Message -----
From: "Tim" <ccie2be@nyc.rr.com>
To: "'Edouard Zorrilla'" <ezorrilla@tsf.com.pe>; "'Sadiq Yakasai'"
<sadiqtanko@gmail.com>
Cc: <security@groupstudy.com>; <ccielab@groupstudy.com>
Sent: Monday, February 09, 2009 7:43 AM
Subject: RE: Re: Upgrade ACS 4.1.1 to 4.1.3 or higher
> What I would do is double check that the 802.1x config is working.
>
> I would set up a local user on the ACS and then use the test aaa command on
> the switch to verify that the user can be successfully authenticated without
> using a token server.
>
> Also, I would turn on detailed logging on the switch and ACS. I might also
> turn on debug aaa on the switch if 802.1x isn't working.
>
> One other thing I would do is use EAP-MD5, which doesn't require certs to
> work.
>
> The idea is to basically isolate the problem, then fix it.
>
> I doubt you need to upgrade to a new version of ACS. While it's possible
> there's a bug which is causing this problem, I'd say the odds that the
> problem is something else are a million times more likely.
>
> HTH, Tim
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Edouard Zorrilla
> Sent: Sunday, February 08, 2009 7:32 PM
> To: Sadiq Yakasai
> Cc: security@groupstudy.com; ccielab@groupstudy.com
> Subject: [!! SPAM] Re: Upgrade ACS 4.1.1 to 4.1.3 or higher
>
> Sadiq,
>
> Thanks for getting back to me.
>
> ACS4.1 speaks with the Vasco Server using the RADIUS protocol.
>
> Regarding Vasco, it is doing authentication against an external DB so that
> people can use their token with a password that changes over time. That is
> something we want to achieve for ISO 27001.
>
> I know that my config is all right because of the following:
>
> 1.-
> When I connect to my company using the Cisco VPN Client, I use the token
> successfully:
>
> [MyPC]-------(INTERNET)--------[VPN-SERVER-CISCO]--------Prot.=Radius--------[ACS4.1]--------Prot.=Radius--------[VACMAN(Vasco)Server]
>
>
> 2.-
> When I log in to my switches in my company, I authenticate successfully as
> well:
>
> [SW-C2950]--------Prot.=Radius(PAP)--------[ACS4.1]--------Prot.=Radius--------[VACMAN(Vasco)Server]
>
> Nevertheless, it fails when I use 802.1x:
>
> [PC-USER]-------Prot.=802.1x(PEAPandEAP)--------[SW-C2950]--------Prot.=Radius--------[ACS4.1]--------Prot.=Radius--------[VACMAN(Vasco)Server]
>
> Here I see that the ACS never sends the packet to the Vasco Server (Wireshark
> told me that); the only message I get in the logs is: "External DB password
> invalid". I do not know why the ACS prints this message if the packet never
> leaves the ACS and the Vasco Server never gets the packet asking for
> authentication.
>
>
> That is why I just wanted to change the version from ACS4.1.1 to ACS4.1.3
> and figure out whether or not the problem is a bug in that version,
>
> Thanks a lot,
>
> Regards
>
> ----- Original Message -----
> From: Sadiq Yakasai
> To: Edouard Zorrilla
> Cc: security@groupstudy.com ; ccielab@groupstudy.com
> Sent: Sunday, February 08, 2009 7:07 PM
> Subject: Re: Upgrade ACS 4.1.1 to 4.1.3 or higher
>
>
> Ed,
>
> How can ACS4.1 speak RADIUS to another server???? I am not sure that is
> correct there.
>
> So what does this VASCO server do at all? Is that the DB that contains the
> user information? If you can provide some more detail of what you are trying
> to do that would be great too!
>
> How have you configured ACS??? Have you isolated that the issue is not to do
> with your config??
>
> Thanks,
> Sadiq
>
>
>
> On Sun, Feb 8, 2009 at 11:50 PM, Edouard Zorrilla <ezorrilla@tsf.com.pe>
> wrote:
>
> Hi there,
>
> Is anyone there who can share with me the upgrade from ACS 4.1.1 to 4.1.3 or
> 4.1.4 for example? I am having problems with a config and I guess this is a
> bug:
>
> [PC-USER]-------Prot.=802.1x(PEAPandEAP)--------[SW-C2950]--------Prot.=Radius--------[ACS4.1]--------Prot.=Radius--------[VACMAN(Vasco)Server]
>
> PC-USER can not log in with 802.1x. I have used EAP-MD5 and PEAP w/o luck.
> The message I get inside the ACS is that the user is not sending the right
> password: "External DB password invalid". The interesting thing is that the
> packet never leaves the ACS to go to the Vasco Server.
>
> Nevertheless, PAP works well with ACS and Vasco. For instance, when I try to
> login inside the SWITCH, it works very well.
>
> [SW-C2950]--------Prot.=Radius(PAP)--------[ACS4.1]--------Prot.=Radius--------[VACMAN(Vasco)Server]
>
> That is why I need to upgrade my ACS. I know that I should go to the TAC to
> ask for the software, but here someone forgot to renew the contract with
> Cisco :( and I am asked inside my company to finish with this problem. I just
> want to figure out if a bug is the problem; I would not run it on my live
> network. Anyone who can help me with the upgrade patch please send me an
> email offline.
>
> Any help will be appreciated,
>
> Regards
>
> PS: I already used the latest patch for ACS 4.1.1; what I want is to upgrade
> at the latest to ACS 4.1.3 and see if things work fine there.
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
> --
> CCIE #19963
This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:44:10 ARST