I have been tasked with having all non windows devices on our network to authenticate against our Active Directory, which is the reason we are using Cisco ACS. ACS currently authenticates for all cisco devices against our AD, via the external windows database option. I am now trying to get pam_radius to do the same with ACS's radius. I have compiled pam_radius and it appears to be working as intended, however Cisco ACS reports "External DB User Invalid or bad password" anytime I try to use the same credentials that properly authenticate with ACS's tacacs on a linux or freebsd server. The username shows up properly on the ACS server, so I am assuming that the NAS is sending the proper username, but it appears that the password is not being sent correctly. I know the ACS server is trying to authenticate against AD because after so many tries the account get's locked out. Has anyone been able to accomplish what I am trying to do here? Any suggestions besides "lose ACS" to get this to work? Is there something I can pass to the pam_radius module to have it transmit the password the way the ACS server is expecting to see it? I appreciate any help or suggestions anyone can provide in advance. Thank you, Tom
Tom <tjonesjr@gmail.com> wrote:
I have compiled pam_radius and it appears to be working as intended, however Cisco ACS reports "External DB User Invalid or bad password" anytime I try to use the same credentials that properly authenticate with ACS's tacacs on a linux or freebsd server. The username shows up properly on the ACS server, so I am assuming that the NAS is sending the proper username, but it appears that the password is not being sent correctly. I know the ACS server is trying to authenticate against AD because after so many tries the account get's locked out.
Is it a shared secret problem? Alan DeKok.
No, the shared secret is correct, otherwise the ACS would show that as being the error and wouldn't be trying to authenticate the user against the windows AD. I thought this might have been the issue until I purposely used the wrong secret and there were different error's. On 2/15/06, Alan DeKok <aland@ox.org> wrote:
Tom <tjonesjr@gmail.com> wrote:
I have compiled pam_radius and it appears to be working as intended, however Cisco ACS reports "External DB User Invalid or bad password" anytime I try to use the same credentials that properly authenticate with ACS's tacacs on a linux or freebsd server. The username shows up properly on the ACS server, so I am assuming that the NAS is sending the proper username, but it appears that the password is not being sent correctly. I know the ACS server is trying to authenticate against AD because after so many tries the account get's locked out.
Is it a shared secret problem?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Thomas Jones Jr.
Tom <tjonesjr@gmail.com> wrote:
No, the shared secret is correct, otherwise the ACS would show that as being the error
RADIUS doesn't work like that. If there's no Message-Authenticator in the packet (and pam_radius doesn't send one), then the server can't tell that the secret is wrong. It can guess, (e.g. the messages FreeRADIUS produces), but it has no way of knowing for sure.
I thought this might have been the issue until I purposely used the wrong secret and there were different error's.
If ACS can decode the password properly, then the shared secret is correct, and it *should* authenticate the user. If the shared secret is incorrect, then it will decode the password to random nonsense, and authentication will fail. RADIUS is really that simple. Alan DeKok.
participants (2)
-
Alan DeKok -
Tom