Cisco ACS Express problems with Active Directory

  • Cisco ACS Express problems with Active Directory

    I'm in the process of configuring a new Cisco ACS Express server for device administration for five cisco switches using radius.

    I've configured the following below but Active Directory is rejecting the authentication requests.

    Cisco Secure ACS Express Version 5.0 (Build 5.0.0.1

    I've configured the switches with the following aaa config:
    aaa new-model
    aaa authentication login Test group radius local
    aaa session-id common
    radius-server host x.x.x.x auth-port 1645 acct-port 1646 key 7 0835495D1D48
    radius-server source-ports 1645-1646
    line vty 0 4
     exec-timeout 30 0
     logging synchronous
     login authentication Test
    line vty 5 15
     exec-timeout 30 0
     logging synchronous
     login authentication Test

    On the Cisco ACS I've configured the switches as Network Resources, configured the External User Database with my Active Directory and successfully joined. Created an access policy for RADIUS Access services, for switches to use a group in Active Directory to accept RADIUS authentication.
    When I try to telnet to the switch the authentication fails. I've checked the acsxp_ server logs and the authentication requests are being rejected by AD. On the domain controller security log I get the following error:
    Event ID: 675
    Source: Security
    Category: Account Logon
    Type: Failure Audit

    Pre-authentication failed:
    User Name: drae
    User ID: domain\drae
    Service Name: krbtgt/domain.local
    Pre-Authentication Type: 0x2
    Failure Code: 0x18
    Client Address: x.x.x.x

    Any help would be greatly appreciated.

    Thanks in advance

    Daniel

  • #2
    Re: Cisco ACS Express problems with Active Directory

    0x18
    Pre-authentication information was invalid
    Usually means bad password

    http://www.ultimatewindowssecurity.com/kerberrors.html

    If you are setting this up then I'm going to guess it isn't a bad password in your case though.
    Can you re-check the details between the two and also try a test account maybe?
    cheers
    Andy

    Please read this before you post:


    Quis custodiet ipsos custodes?



    • #3
      Re: Cisco ACS Express problems with Active Directory

      I did see a similar post and have tried various different user accounts but still receive the same error message



      • #4
        Re: Cisco ACS Express problems with Active Directory

        Is test1 the password you set up on your radius box as well?
        cheers
        Andy



        • #5
          Re: Cisco ACS Express problems with Active Directory

          For the RADIUS passwords I've used 16 characters, a sequence of random letters, numbers and punctuation.

          This is different from the user's password.

          Is this what you're referring to?

          Cheers,
          Daniel



          • #6
            Re: Cisco ACS Express problems with Active Directory

            radius-server host x.x.x.x auth-port 1645 acct-port 1646 key 7 0835495D1D48
            radius-server source-ports 1645-1646

            The key above is test1, I think that has to match the shared secret on the radius box?
            cheers
            Andy

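Andy's reading of the key as test1 works because IOS type 7 is a reversible encoding, not a hash: the string is a two-digit offset into a fixed, publicly known key stream followed by the secret XORed with that stream. The decoder below is an added example (mine, not code from the thread or from Cisco). It runs over the switch config from the first post, which is embedded as constructed sample input with the two run-together radius-server commands split onto their own lines; the key-stream constant is the well-known public one. Anything shared as `key 7 ...` or `password 7 ...` in a config dump or a forum post is effectively shared in clear, which is why a published config should carry a substituted key, as Daniel says his does.

```python
import re

# Cisco's fixed type 7 key stream. It is published and identical on every IOS
# device, so "key 7" / "password 7" strings are obfuscated, not encrypted.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Constructed sample input: the switch config from the first post, with the two
# run-together radius-server commands split onto their own lines.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login Test group radius local
radius-server host x.x.x.x auth-port 1645 acct-port 1646 key 7 0835495D1D48
radius-server source-ports 1645-1646
"""

# Two decimal digits (key-stream offset) followed by one or more hex byte pairs.
TYPE7_PATTERN = re.compile(r"^\d{2}(?:[0-9A-Fa-f]{2})+$")
# Where IOS emits type 7 strings in a running-config line.
CONFIG_TYPE7 = re.compile(r"\b(?:key|password)\s+7\s+([0-9A-Fa-f]+)")


def type7_decode(encoded: str) -> str:
    """Decode a type 7 string: the two leading digits select the starting
    key-stream byte, every following hex byte is XORed with the next one."""
    if not TYPE7_PATTERN.match(encoded):
        raise ValueError(f"not a type 7 string: {encoded!r}")
    seed = int(encoded[:2])
    if seed >= len(TYPE7_KEY):
        raise ValueError(f"seed {seed} out of range")
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return plain.decode("ascii")


def type7_encode(plain: str, seed: int = 8) -> str:
    """Inverse of type7_decode. IOS chooses the seed itself; here it is a parameter."""
    if not 0 <= seed < len(TYPE7_KEY):
        raise ValueError(f"seed {seed} out of range")
    data = plain.encode("ascii")
    body = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


def find_type7_secrets(config: str) -> list:
    """Return (encoded, decoded) pairs for every type 7 string in a config dump."""
    return [(enc, type7_decode(enc)) for enc in CONFIG_TYPE7.findall(config)]


if __name__ == "__main__":
    for encoded, decoded in find_type7_secrets(SAMPLE_CONFIG):
        print(f"{encoded} -> {decoded!r}")
```

`find_type7_secrets` is the check to run over any config before it leaves the device: if it returns anything, the dump contains recoverable secrets and the corresponding RADIUS keys should be treated as disclosed and rotated.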


            • #7
              Re: Cisco ACS Express problems with Active Directory

              Yes, the key matches on both the radius server and clients, but the key I've posted on the forum is different from the one in use.

              Thanks,
              Daniel

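Posts #4 to #7 turn on whether the shared secret on the switch matches the one on the ACS. The following added example (mine, not code from the thread or from Cisco) runs both ends of an RFC 2865 PAP exchange in one process to show what the secret actually protects and how the two failure modes look different from the switch's side. With matching secrets, a wrong user password gets an Access-Reject whose Response Authenticator the switch can verify, which is what an AD rejection looks like. With mismatched secrets, the User-Password attribute decrypts to garbage on the server, and the server's reply fails Response Authenticator verification on the switch, so the switch discards it and the request times out; with `group radius local` the switch then falls through to local authentication instead of showing a reject. The username `drae` is taken from the first post; the two secrets, the test password and the NAS address are constructed for the example.

```python
"""Minimal RFC 2865 PAP exchange, NAS and server both in-process, no network."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

# Constructed test account; not the poster's credentials.
USER_DB = {"drae": b"Passw0rd!"}


def _attr(attr_type: int, value: bytes) -> bytes:
    """Attribute TLV: type, total length (value + 2), value."""
    return bytes([attr_type, len(value) + 2]) + value


def encrypt_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; block_i XOR MD5(secret + previous cipher block),
    the first block keyed with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def decrypt_user_password(cipher: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of encrypt_user_password. A wrong secret yields garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], keystream))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, username: str, password: str, secret: bytes,
                         nas_ip: str = "192.0.2.10") -> bytes:
    """What the switch sends for 'aaa authentication login ... group radius' (PAP)."""
    request_auth = os.urandom(16)  # fresh random Request Authenticator per request
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, encrypt_user_password(password.encode(), secret, request_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def server_handle(packet: bytes, secret: bytes, user_db: dict) -> bytes:
    """Toy server: decrypt the password, check it, sign the reply."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST:
        raise ValueError("unexpected code")
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    username = attrs[ATTR_USER_NAME].decode(errors="replace")
    password = decrypt_user_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    reply_code = ACCESS_ACCEPT if user_db.get(username) == password else ACCESS_REJECT
    reply_attrs = b""
    header = struct.pack("!BBH", reply_code, ident, 20 + len(reply_attrs))
    # RFC 2865 3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + reply_attrs + secret).digest()
    return header + response_auth + reply_attrs


def nas_verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """What the NAS must check before trusting a reply; on mismatch it silently discards it."""
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def run_scenario(nas_secret: bytes, server_secret: bytes, password: str) -> tuple:
    """Returns (server reply code, whether the NAS accepts that reply as genuine)."""
    request = build_access_request(7, "drae", password, nas_secret)
    response = server_handle(request, server_secret, USER_DB)
    return response[0], nas_verify_response(response, request, nas_secret)


if __name__ == "__main__":
    print("secrets match, good password:", run_scenario(b"SharedSecret1", b"SharedSecret1", "Passw0rd!"))
    print("secrets match, bad password: ", run_scenario(b"SharedSecret1", b"SharedSecret1", "wrong"))
    print("secret mismatch:             ", run_scenario(b"SharedSecret1", b"SharedSecret2", "Passw0rd!"))
```

The third scenario is the one to rule out first: a reply the switch throws away looks like a RADIUS timeout in `debug radius`, not a reject, and many servers flag a User-Password that decrypts to non-printable bytes as a probable shared-secret mismatch in their own log. A clean Access-Reject that the switch accepts, as in the second scenario, means the secret is fine and the rejection came from the server's back end, which is consistent with the AD pre-authentication failure the poster sees.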


              • #8
                Re: Cisco ACS Express problems with Active Directory

                OK, no probs. test1 just looked a little unlikely.


                I realise this is for PIX but it should be similar.
                http://blog.scottlowe.org/2005/11/22...y-integration/
                cheers
                Andy
