[c-nsp] SecurID (NEW PIN MODE) vs Cisco VPN client
Dennis Peng (dpeng)
dpeng at cisco.com
Fri Feb 25 13:59:01 EST 2005
BoXeR [piestaga at aster.pl] wrote:
> Hi again,
>
> I have just upgraded the router to 12.3(11)T3 and it is still not working.
> Actually nothing has changed.
> I can still see the message sent from radius to router, but the CISCO VPN
> Client does nothing with that.
>
> Can somebody confirm that this bug was really repaired?
The fix has been confirmed to work with a few customers, one even
running 12.3(11)T3. So perhaps your problem is a bit different. Can
you send "debug radius", "debug aaa id", "debug aaa subsystem", "debug
aaa protocol radius", and "debug crypto isakmp aaa" (hidden)? Thanks.
Dennis
> Regards
> Sebastian
>
>
>
> ----- Original Message -----
> From: "Oliver Boehmer (oboehmer)" <oboehmer at cisco.com>
> To: "BoXeR" <piestagaF at LL-oFFaster.pl>; "Dennis Peng (dpeng)"
> <dpeng at cisco.com>
> Cc: <cisco-nsp at puck.nether.net>
> Sent: Friday, February 25, 2005 8:30 AM
> Subject: RE: [c-nsp] SecurID (NEW PIN MODE) vs Cisco VPN client
>
>
> >
> >>
> >>I am using 12.3(11)T2 .
> >>Acc. to Cisco bug navig, the first fixed-in ver. is 12.3(11)T3, which
> >>really means the latest one.
> >>
> >>Am I right?
> >
> >yes and no, 12.3(8)T6 also has the fix, so unless you need some specific
> >12.3(11)T features, you could also downgrade to 12.3(8)T6..
> >
> >oli
> >
> >
> >>----- Original Message -----
> >>From: "Dennis Peng" <dpeng at cisco.com>
> >>To: "BoXeR" <piestagaF at LL-oFFaster.pl>
> >>Cc: <cisco-nsp at puck.nether.net>
> >>Sent: Friday, February 25, 2005 1:55 AM
> >>Subject: Re: [c-nsp] SecurID (NEW PIN MODE) vs Cisco VPN client
> >>
> >>
> >>>What version of IOS are you using? This was only recently fixed.
> >>>CSCef07048.
> >>>
> >>>Dennis
> >>>
> >>>BoXeR [piestaga at aster.pl] wrote:
> >>>>Hi,
> >>>>
> >>>>I have configured the remote access environment, where the user
> >>>>accesses the VPN network using the Cisco VPN client with SecurID
> >>>>authentication.
> >>>>
> >>>>I do not know what is the reason, but when I set the user's token
> >>>>in New PIN mode it does not work.
> >>>>
> >>>>I see the Radius sends that request to IPSec aggregator (which is
> >>>>IOS router in my case)
> >>>>
> >>>>
> >>>>Authentication Response
> >>>>Packet : Code = 0xb ID = 0x2c
> >>>>Vector =
> >>>>000: 3297f98a 8427cdd8 19dfa4f7 bd4749de |2....'.......GI.|
> >>>>Prompt : Integer Value = 0
> >>>>Reply-Message : Value =
> >>>>000: 0d0a2020 20456e74 65722079 6f757220 |.. Enter your |
> >>>>010: 6e657720 50494e2c 20636f6e 7461696e |new PIN, contain|
> >>>>020: 696e6720 3620746f 20382064 69676974 |ing 6 to 8 digit|
> >>>>030: 732c0d0a 20202020 20202020 20202020 |s,.. |
> >>>>040: 20202020 6f720d0a 2020203c 4374726c | or.. <Ctrl|
> >>>>050: 2d443e20 746f2063 616e6365 6c207468 |-D> to cancel th|
> >>>>060: 65204e65 77205049 4e207072 6f636564 |e New PIN proced|
> >>>>070: 7572653a 20 |ure: |
> >>>>State : String Value = SBR-CH 14|1
> >>>>
> >>>>and the router receives that request but nothing else happens.
> >>>>
> >>>>Received from id 1645/44 195.114.173.28:1645, Access-Challenge, len 160
> >>>> authenticator 32 97 F9 8A 84 27 CD D8 - 19 DF A4 F7 BD 47 49 DE
> >>>> Prompt [76] 6 No-Echo [0]
> >>>> Reply-Message [18] 120
> >>>> 0D 0A 20 20 20 45 6E 74 65 72 20 79 6F 75 72 20 [?? Enter your ]
> >>>> 6E 65 77 20 50 49 4E 2C 20 63 6F 6E 74 61 69 6E [new PIN, contain]
> >>>> 69 6E 67 20 36 20 74 6F 20 38 20 64 69 67 69 74 [ing 6 to 8 digit]
> >>>> 73 2C 0D 0A 20 20 20 20 20 20 20 20 20 20 20 20 [s,?? ]
> >>>> 20 20 20 20 6F 72 0D 0A 20 20 20 3C 43 74 72 6C [ or?? <Ctrl]
> >>>> 2D 44 3E 20 74 6F 20 63 61 6E 63 65 6C 20 74 68 [-D> to cancel th]
> >>>> 65 20 4E 65 77 20 50 49 4E 20 70 72 6F 63 65 64 [e New PIN proced]
> >>>> 75 72 65 3A 20 00 [ure: ?]
> >>>> State [24] 14
> >>>> 53 42 52 2D 43 48 20 31 34 7C 31 00 [SBR-CH 14|1?]
> >>>>
> >>>>
> >>>>The Cisco VPN client (4.6) is not requesting the user for PIN,
> >>>>rePIN and finally the whole PASSCODE. And the whole authentication
> >>>>process fails :-(
> >>>>
> >>>>Do you have any idea what can be the reason of that?
> >>>>__________________________ Before sending an answer, please remove
> >>>>appropriate string from my address. Remove the appropriate string
> >>>>from my address before sending a reply.
> >>>>
> >>>>_______________________________________________
> >>>>cisco-nsp mailing list cisco-nsp at puck.nether.net
> >>>>https://puck.nether.net/mailman/listinfo/cisco-nsp
> >>>>archive at http://puck.nether.net/pipermail/cisco-nsp/
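
The Access-Challenge quoted in the first post of this thread, rebuilt and parsed as an added example (not part of the original messages and not Cisco's or the RADIUS server's code). It shows the three things the NAS and VPN client have to act on: the Reply-Message text, the Prompt echo flag, and the State value to be returned in the next Access-Request. Attribute numbers are from RFC 2865 and RFC 2869; the function names are hypothetical.

```python
import struct

ACCESS_CHALLENGE = 11                      # RFC 2865 packet code
REPLY_MESSAGE, STATE, PROMPT = 18, 24, 76  # RFC 2865 / RFC 2869 attribute types

def parse_radius(packet: bytes) -> dict:
    """Split a RADIUS datagram into header fields and (type, value) pairs."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field does not match the datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad length {a_len} in attribute {a_type}")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return {"code": code, "id": ident, "authenticator": packet[4:20], "attrs": attrs}

def challenge_summary(packet: bytes) -> dict:
    """Extract what the NAS must act on in an Access-Challenge."""
    msg = parse_radius(packet)
    if msg["code"] != ACCESS_CHALLENGE:
        raise ValueError("not an Access-Challenge")
    text = b"".join(v for t, v in msg["attrs"] if t == REPLY_MESSAGE)
    prompt = [v for t, v in msg["attrs"] if t == PROMPT]
    state = [v for t, v in msg["attrs"] if t == STATE]
    return {
        "id": msg["id"],
        # Shown to the user; the trailing NUL seen in the debug is dropped for display.
        "prompt_text": text.rstrip(b"\x00").decode("ascii", "replace"),
        # Prompt: 0 = No-Echo, 1 = Echo. Absent is treated as no echo here (assumption).
        "echo": bool(prompt) and int.from_bytes(prompt[0], "big") == 1,
        # State goes back byte-for-byte in the next Access-Request, NUL included.
        "state": state[0] if state else None,
    }

def sample_challenge() -> bytes:
    """Rebuild the 160-byte challenge from the values in the quoted debug output."""
    text = (b"\r\n   Enter your new PIN, containing 6 to 8 digits,\r\n" + b" " * 16
            + b"or\r\n   <Ctrl-D> to cancel the New PIN procedure: \x00")
    attrs = b"".join(bytes([t, len(v) + 2]) + v for t, v in (
        (PROMPT, struct.pack("!I", 0)), (REPLY_MESSAGE, text), (STATE, b"SBR-CH 14|1\x00")))
    auth = bytes.fromhex("3297f98a8427cdd819dfa4f7bd4749de")
    return struct.pack("!BBH", ACCESS_CHALLENGE, 44, 20 + len(attrs)) + auth + attrs

if __name__ == "__main__":
    print(challenge_summary(sample_challenge()))
```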