ACS using Active Directory for Router Admin

[Dannyrae74]

Hi,

I've installed a Cisco Secure ACS Express as a radius server for all of my switches/routers so that I can use Active Directory as user database.

I've configured the switches/routers and Cisco Secure ACS Express but when I try and authenicate I recieve a failure.

I've checked the logs on both the Cisco Secure ACS Express and the Domain Controllers and I get the following error

Event ID 675
Pre-Authentication Type: 0x2
Failure Code: 0x18

I've looked up this error and it suggests bad password, but i've used multiple accounts and it still gives me the same error.

Any help would be appreciated.

Regards
Daniel

 

[burtsbees]

Sounds like a bug---do you have CCO? If so, I would open a TAC.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

 

[North323]

what are you trying to log into when you get this error? a switch? what does your radius config look like? do you have logging enabled on the ACS server?

 

[Dannyrae74]

The error from the ACS is
acsxp/server Warning Server 0 Authentication for user jbloggs failed for reason = 0
acsxp/server Error Protocol request from 192.0.0.1: User jbloggs rejected by RemoteServer: AD (Invalid Password)

The radius config is
aaa new-model
aaa authentication login AAA group radius local
aaa session-id common
radius-server host 192.0.0.200 auth-port 1645 acct-port 1646 key 7 0835495D1D48571001185F507F6F606D0D71613B0E1210
line vty 0 4
exec-timeout 30 0
logging synchronous
login authentication AAA

When I connect using telnet I get
% Authentication failed

Cheers
Daniel

 

[North323]

i have never used radius for switches and routers. i have used tacacs, i think there should be more to your config. can you search for sample radius configs ? if you want to use tacacs, let me know, i use ACS and have a working tacacs config

 

[Dannyrae74]

The authentication is being rejected by Active Directory, I think it may have something to do with the AD being hardened to CIS benchmark. I believe ACS uses NTLM so it maybe a security setting in the local security policy on the DC.

I haven't used ACS before but the setup seems fairly straight forward??

I'll build a test DC with no hardening policies to confirm.

Cheers
Daniel

 

[North323]

are you limiting the radius to any group in your defined domain?

 

[Dannyrae74]

Yes I've created a group for Network Admins and used it in the authentication rule.

Cheers
Daniel

 

[North323]

should work, i have win2k3 boxes hardened by CIS standards also. can windows be secured? but again, we use radius with the cisco conncentrator and tacacs for switches. i'd be very interested to find out the solution

 

[Dannyrae74]

I've built a test unhardened DC and the authentication works ok, so it must be a hardening policy from the cis benchmark. Did you harden you DC's.

Cheers
Daniel

 

[North323]

i dont think i hardened them the same way i did my webservers and database servers. what does the log say? i wonder what you have to unharden