Hi
UAC is controlling 802.1X on our Juniper switches, and is also configured for Radius control of the admin logins to the switches. I am now trying to set UAC up to do the same for our Cisco switches, but have a strange issue where the UAC is rejecting the same credentials when supplied from a Cisco client that it accepts from a Junos one.
Here is a policy trace from a test user login to a test Cisco switch:
2011/08/17 16:35:16 - node0 - test(cisco)[] - User "test" starting sign-in to realm cisco
2011/08/17 16:35:16 - node0 - test(cisco)[] - Sign-in prompt username = "test"
2011/08/17 16:35:16 - node0 - test(cisco)[] - Sign-in Vlan ID = "cluster internal VIP"
2011/08/17 16:35:16 - node0 - test(cisco)[] - Sign-in source IP = "0.0.0.0"
2011/08/17 16:35:16 - node0 - test(cisco)[] - Sign-in host name = ""
2011/08/17 16:35:16 - node0 - test(cisco)[] - Sign-in browser = ""
2011/08/17 16:35:16 - node0 - test(cisco)[] - Sign-in network interface = "?"
2011/08/17 16:35:16 - node0 - test(cisco)[] - Sign-in prompt password = "****"
2011/08/17 16:35:16 - node0 - test(cisco)[] - Sign-in prompt protocol = "PAP (default)"
2011/08/17 16:35:16 - node0 - test(cisco)[] - Sign-in URL = "*/pap-cisco-space/"
2011/08/17 16:35:16 - node0 - test(cisco)[] - Sign-in location group = "Cisco switches"
2011/08/17 16:35:16 - node0 - test(cisco)[] - Sign-in calling station id = "10.240.4.1"
2011/08/17 16:35:16 - node0 - test(cisco)[] - Attempting to authenticate user "test" with auth server "Test"
2011/08/17 16:35:16 - node0 - test(cisco)[] - Wrong password
2011/08/17 16:35:16 - node0 - [0.0.0.0] - test(cisco)[] - Sign-in rejected using auth server Test (Local Authentication). Reason: Failed
The Cisco switch has debug set for AAA and Radius, and we see:
Aug 17 16:32:01.885: AAA/BIND(00000017): Bind i/f
Aug 17 16:32:01.885: AAA/AUTHEN/LOGIN (00000017): Pick method list 'default'
Aug 17 16:32:01.885: RADIUS/ENCODE(00000017): ask "Username: "
Aug 17 16:32:04.896: RADIUS/ENCODE(00000017): ask "Password: "
Aug 17 16:32:08.948: RADIUS/ENCODE(00000017): O-rig. component type = EXEC
Aug 17 16:32:08.948: RADIUS: AAA Unsupported Attr: interface [171] 4
Aug 17 16:32:08.948: RADIUS: 74 74 [ tt]
Aug 17 16:32:08.948: RADIUS/ENCODE(00000017): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Aug 17 16:32:08.948: RADIUS(00000017): Config NAS IP: 0.0.0.0
Aug 17 16:32:08.948: RADIUS/ENCODE(00000017): acct_session_id: 23
Aug 17 16:32:08.948: RADIUS(00000017): sending
Aug 17 16:32:08.948: RADIUS/ENCODE: Best Local IP-Address 10.240.4.32 for Radius-Server 10.240.5.20
Aug 17 16:32:08.948: RADIUS(00000017): Send Access-Request to 10.240.5.20:1812 id 1645/7, len 80
Aug 17 16:32:08.948: RADIUS: authenticator B2 46 35 C6 46 F9 10 FF - 7F C0 34 D3 93 2C 65 81
Aug 17 16:32:08.948: RADIUS: User-Name [1] 6 "test"
Aug 17 16:32:08.948: RADIUS: User-Password [2] 18 *
Aug 17 16:32:08.948: RADIUS: NAS-Port [5] 6 2
Aug 17 16:32:08.948: RADIUS: NAS-Port-Id [87] 6 "tty2"
Aug 17 16:32:08.948: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Aug 17 16:32:08.948: RADIUS: Calling-Station-Id [31] 12 "10.240.4.1"
Aug 17 16:32:08.948: RADIUS: NAS-IP-Address [4] 6 10.240.4.32#
Aug 17 16:32:08.948: RADIUS(00000017): Started 5 sec timeout
Aug 17 16:32:09.074: RADIUS: Received from id 1645/7 10.240.5.20:1812, Access-Reject, len 20
Aug 17 16:32:09.074: RADIUS: authenticator 02 23 66 F1 8D D3 A2 9D - 71 8C 46 24 BF 0E DD 09
Aug 17 16:32:09.074: RADIUS: response-authenticator decrypt fail, pak len 20
Aug 17 16:32:09.074: RADIUS: packet dump: 03070014022366F18DD3A29D718C4624BF0EDD09
Aug 17 16:32:09.074: RADIUS: expected digest: FEAEA32E4510E7AD99954261F5B6C09D
Aug 17 16:32:09.074: RADIUS: response authen: 022366F18DD3A29D718C4624BF0EDD09
Aug 17 16:32:09.074: RADIUS: request authen: B24635C646F910FF7FC034D3932C6581
Aug 17 16:32:09.074: RADIUS: Response (7) failed decrypt
Now, the Test authentication server is a local authentication server on the UAC itself, in which there is only one user called "test", whose password I have personally set (and re-set) to "password". This user realm is called "cisco" and this has role mapping for any user (i.e. name = *) to a role called "Cisco Network Admins". This role sets AV pairs for Cisco service types, but otherwise does nothing special.
Any ideas?
From the cisco switch's debug log, it appears that it is not able to decrypt response authenticator.
Can you check if you have configured radius shared_secret the same at switch as well as IC ?
You could even retype the keys again at both ends and check.
Regards,
Raveen
Hi Raveen
The keys are 100% correct. I have already re-entered them to be sure, but from experience with UAC, if the keys do not match, there is (a) an event log message to that effect and (b) UAC doesn't send anything back to the agent.
I believe the decryption failure may be "normal" behaviour after an access-reject, though I have no proof of it. From the UAC point of view, what more is there to say, so it just pads the message with rubbish.
Regards
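Added example, not code from the thread or from Juniper or Cisco, to show what the switch's "response-authenticator decrypt fail" check actually is. Per RFC 2865 every response the server sends, an Access-Reject included, carries a Response Authenticator equal to MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + SharedSecret), and the NAS recomputes it with its own copy of the secret before trusting the packet. The packet dump and request authenticator below are copied from the Cisco debug output above; the two shared secrets are constructed, since the real one is not on the page.

```python
import hashlib
import hmac
import struct

# Copied from the switch debug in the thread: the 20-byte Access-Reject as
# dumped, and the Request Authenticator of the Access-Request it answered.
PAGE_REJECT_HEX = "03070014022366F18DD3A29D718C4624BF0EDD09"
PAGE_REQUEST_AUTH_HEX = "B24635C646F910FF7FC034D3932C6581"

HEADER_LEN = 20
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3


def parse_radius(packet: bytes):
    """Split a RADIUS packet into (code, identifier, authenticator, attributes).

    Header layout (RFC 2865 section 3): Code (1), Identifier (1), Length (2),
    Authenticator (16); everything after byte 20 up to Length is attributes.
    """
    if len(packet) < HEADER_LEN:
        raise ValueError("RADIUS packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("Length field %d inconsistent with %d bytes" % (length, len(packet)))
    return code, ident, packet[4:20], packet[20:length]


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, ident, attrs, request_auth, secret):
    """What the server does: compute the authenticator and emit the packet."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + auth + attrs


def verify_response(packet, request_auth, secret):
    """What the NAS does on receipt: recompute and compare in constant time."""
    code, ident, auth, attrs = parse_radius(packet)
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(expected, auth)


def demo():
    request_auth = bytes.fromhex(PAGE_REQUEST_AUTH_HEX)
    page_reject = bytes.fromhex(PAGE_REJECT_HEX)

    # The dumped packet parses as Access-Reject, id 7, length 20, no attributes.
    code, ident, auth, attrs = parse_radius(page_reject)

    # Constructed secrets (the thread does not reveal the real one).
    good_secret = b"example-shared-secret"
    bad_secret = b"example-shared-secrtt"  # one-character typo at one end

    # Server and NAS holding the same secret: the reject verifies.
    reject = build_response(ACCESS_REJECT, ident, b"", request_auth, good_secret)
    same = verify_response(reject, request_auth, good_secret)
    # Any secret mismatch fails the check; the Code byte is inside the digest,
    # so a Reject is verified exactly like an Accept, not padded or skipped.
    mismatch = verify_response(reject, request_auth, bad_secret)
    accept = build_response(ACCESS_ACCEPT, ident, b"", request_auth, good_secret)
    accept_ok = verify_response(accept, request_auth, good_secret)

    return {
        "code": code,
        "id": ident,
        "attrs": attrs,
        "auth_hex": auth.hex().upper(),
        "verify_same_secret": same,
        "verify_wrong_secret": mismatch,
        "verify_accept_same_secret": accept_ok,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `verify_response` on the dumped packet with any secret other than the one the UAC used will return False, which is the state the switch was in; the "expected digest" line in the debug is the switch's own recomputation under its secret, so comparing that value with the received authenticator is the whole check.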
Hi all
OK - problem resolved, though no idea why -
Had to delete the definition of the agent in UAC, then re-create it with exactly the same parameters, and everything worked 100% fine. Annoying, 'cos it had been bugging me all day yesterday, as I was sure it was an interoperability issue.
Thanks to all.