[c-nsp] SecurID (NEW PIN MODE) vs Cisco VPN client

Dennis Peng (dpeng) dpeng at cisco.com
Sat Feb 26 18:35:50 EST 2005


Thanks for collecting the info. Based on the debugs, I believe you
require one additional fix, CSCsa45125. Let me know privately what
your CCO username is, what router and feature set you have and I'll
give you an image with the fix (it is not available in any
maintenance release yet).

Dennis
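As an added example (my own code, not from Dennis, Sebastian or Cisco): a small decoder for the RADIUS Access-Challenge quoted further down in Sebastian's dumps, rebuilt byte for byte from his hex. It shows the three attributes a NAS has to act on, Prompt, Reply-Message and State, and the relay step the router's ISAKMP AAA code reports as "Unknown response from AAA" instead of performing. Function and dictionary key names are my own.

```python
import struct

ACCESS_CHALLENGE = 11                     # RADIUS code 0x0b, as in the SBR trace
REPLY_MESSAGE, STATE, PROMPT = 18, 24, 76 # attribute types seen in the dump

def _attr(typ, value):
    """Encode one RADIUS attribute: type, length (value + 2-byte header), value."""
    return bytes([typ, len(value) + 2]) + value

def build_sample_challenge():
    """Constructed sample: the 160-byte Access-Challenge (id 0x2c) from the thread,
    rebuilt from the hex dump. The Response Authenticator is copied verbatim; the
    shared secret is not on the page, so it cannot be re-verified here."""
    text = (b"\r\n   Enter your new PIN, containing 6 to 8 digits,\r\n" + b" " * 16
            + b"or\r\n   <Ctrl-D> to cancel the New PIN procedure: \x00")
    attrs = (_attr(PROMPT, struct.pack("!I", 0))          # 0 = No-Echo
             + _attr(REPLY_MESSAGE, text) + _attr(STATE, b"SBR-CH 14|1\x00"))
    body = bytes.fromhex("3297f98a8427cdd819dfa4f7bd4749de") + attrs
    return struct.pack("!BBH", ACCESS_CHALLENGE, 0x2C, 4 + len(body)) + body

def parse_radius(pkt):
    """Split a RADIUS packet into (code, id, authenticator, [(type, value), ...]),
    refusing length inconsistencies instead of reading past the datagram."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("RADIUS Length field does not match the datagram")
    attrs, pos = [], 20
    while pos < len(pkt):
        alen = pkt[pos + 1] if pos + 2 <= len(pkt) else 0
        if alen < 2 or pos + alen > len(pkt):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((pkt[pos], pkt[pos + 2:pos + alen]))
        pos += alen
    return pkt[0], pkt[1], pkt[4:20], attrs

def challenge_to_relay(pkt):
    """What a NAS must do with an Access-Challenge: show the (concatenated)
    Reply-Message to the user, with no echo when Prompt == 0, then send the
    answer in a new Access-Request that carries State back unchanged.
    Returns None for any other code: Accept/Reject are final, nothing to relay."""
    code, ident, _auth, attrs = parse_radius(pkt)
    if code != ACCESS_CHALLENGE:
        return None
    by_type = {}
    for typ, val in attrs:
        by_type.setdefault(typ, []).append(val)
    text = b"".join(by_type.get(REPLY_MESSAGE, [])).rstrip(b"\x00").decode("ascii")
    prompt = struct.unpack("!I", by_type[PROMPT][0])[0] if PROMPT in by_type else 1
    return {"id": ident, "prompt": text, "echo": prompt != 0,
            "state": by_type.get(STATE, [None])[0], "new_pin": "new PIN" in text}
```

A NAS that only maps Accept and Reject to its IKE XAUTH state machine drops exactly this packet, which is the failure the debugs show; the user never sees the new-PIN prompt and the client reports an authentication failure.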

BoXeR [piestaga at aster.pl] wrote:
> Hi,
> 
> I don't know whether I should send that debug privately or to the list.
> So I will take a risk and send it to the list as well.
> 
> I put the user's token into NEW PIN MODE.
> When I try to log in on the router, which authenticates users using RADIUS, I
> enter only the token's code and I receive the prompt asking me to
> create a PIN.
> When I try to connect to the remote VPN using the VPN client, I receive
> an error:
> (Connection terminated locally by the Client. Reason 413. User
> authentication failure.)
> 
> #sh deb
> 
> General OS:
>  AAA Subsystem debugs debugging is on
>  AAA Unique Id debugs debugging is on
> Radius protocol debugging is on
> Radius packet protocol debugging is on
> 
> Cryptographic Subsystem:
>  Crypto ISAKMP AAA debugging is on
> 
> 
> *Oct  8 02:07:25.821: AAA/ID(NA): VPN_IPSEC allocating
> *Oct  8 02:07:25.821: AAA/ID(00000007) Unique id allocated for Component 
> VPN_IPSEC
> *Oct  8 02:07:25.821: AAA/ID(00000007): Call started 02:07:25 UTC Oct 8 2000
> *Oct  8 02:07:25.821: AAA/ID/CLIENT(00000007): port-type Virtual Terminal
> *Oct  8 02:07:25.821: AAA/ID/CLIENT(00000007): interface IPSec/1
> *Oct  8 02:07:25.821: AAA/ID(00000007): Could not find interface type to 
> notify session id = 7
> *Oct  8 02:07:25.821: AAA/ID(00000007): VPN_IPSEC allocated
> *Oct  8 02:07:25.821: ISAKMP AAA: Allocated session id 4 and replaced it 
> for uid 7
> *Oct  8 02:07:25.821: ISAKMP/aaa: unique id = 7
> *Oct  8 02:07:25.829: ISAKMP/aaa: setting up tunnel pw request
> *Oct  8 02:07:25.829: ISAKMP/tunnel: Tunnel PW Request successfully sent to 
> AAA
> *Oct  8 02:07:25.829: AAA SRV(00000007): process author req
> *Oct  8 02:07:25.829: AAA SRV(00000007): Author method=SERVER_GROUP 
> CUSTOMER_C-radius-group
> *Oct  8 02:07:25.829: RADIUS/ENCODE(00000007):Orig. component type = 
> VPN_IPSEC
> *Oct  8 02:07:25.829: RADIUS(00000007): Storing nasport 1 in rad_db
> *Oct  8 02:07:25.829: RADIUS(00000007): Config NAS IP: 77.77.77.77
> *Oct  8 02:07:25.829: RADIUS/ENCODE(00000007): acct_session_id: 4
> *Oct  8 02:07:25.829: RADIUS(00000007): Config NAS IP: 77.77.77.77
> *Oct  8 02:07:25.829: RADIUS(00000007): sending
> *Oct  8 02:07:25.829: RADIUS(00000007): Send Access-Request to 
> 195.114.173.28:1645 id 1645/7, len 103
> *Oct  8 02:07:25.829: RADIUS:  authenticator 09 43 37 17 95 F5 E9 03 - A4 
> 91 C2 8D 0F 76 D7 2E
> *Oct  8 02:07:25.829: RADIUS:  User-Name           [1]   12  "CUSTOMER_C"
> *Oct  8 02:07:25.829: RADIUS:  User-Password       [2]   18  *
> *Oct  8 02:07:25.829: RADIUS:  NAS-Port-Type       [61]  6   Virtual 
> [5]
> *Oct  8 02:07:25.829: RADIUS:  NAS-Port            [5]   6   1
> *Oct  8 02:07:25.829: RADIUS:  NAS-Port-Id         [87]  9   "IPSec/1"
> *Oct  8 02:07:25.829: RADIUS:  Service-Type        [6]   6   Outbound 
> [5]
> *Oct  8 02:07:25.829: RADIUS:  NAS-IP-Address      [4]   6   77.77.77.77
> *Oct  8 02:07:25.829: RADIUS:  Nas-Identifier      [32]  20 
> "PRIMARY-Aggregator"
> *Oct  8 02:07:25.837: RADIUS: Received from id 1645/7 195.114.173.28:1645, 
> Access-Accept, len 260
> *Oct  8 02:07:25.837: RADIUS:  authenticator B5 A4 D7 F1 C1 04 24 8B - 7B 
> 7D 01 C7 C5 CC 5D 24
> *Oct  8 02:07:25.837: RADIUS:  Class               [25]  32
> *Oct  8 02:07:25.837: RADIUS:   53 42 52 2D 43 4C 20 44 4E 3D 22 43 55 53 
> 54 4F  [SBR-CL DN="CUSTO]
> *Oct  8 02:07:25.837: RADIUS:   4D 45 52 5F 43 22 20 41 54 3D 22 30 22 00 
> [MER_C" AT="0"?]
> *Oct  8 02:07:25.837: RADIUS:  Vendor, Cisco       [26]  31
> *Oct  8 02:07:25.837: RADIUS:   Cisco AVpair       [1]   25 
> "ipsec:key-exchange=key "
> *Oct  8 02:07:25.837: RADIUS:  Vendor, Cisco       [26]  41
> *Oct  8 02:07:25.837: RADIUS:   Cisco AVpair       [1]   35 
> "ipsec:key-exchange=preshared-key "
> *Oct  8 02:07:25.837: RADIUS:  Vendor, Cisco       [26]  40
> *Oct  8 02:07:25.837: RADIUS:   Cisco AVpair       [1]   34 
> "ipsec:addr-pool=CUSTOMER_C-pool "
> *Oct  8 02:07:25.837: RADIUS:  Vendor, Cisco       [26]  36
> *Oct  8 02:07:25.837: RADIUS:   Cisco AVpair       [1]   30 
> "ipsec:netmask=255.255.255.0 "
> *Oct  8 02:07:25.837: RADIUS:  Vendor, Cisco       [26]  27
> *Oct  8 02:07:25.837: RADIUS:   Cisco AVpair       [1]   21 
> "ipsec:group-lock=1 "
> *Oct  8 02:07:25.837: RADIUS:  Service-Type        [6]   6   Outbound 
> [5]
> *Oct  8 02:07:25.837: RADIUS:  Tunnel-Password     [69]  21  *
> *Oct  8 02:07:25.837: RADIUS:  Tunnel-Type         [64]  6   00:ESP 
> [9]
> *Oct  8 02:07:25.837: RADIUS(00000007): Received from id 1645/7
> *Oct  8 02:07:25.837: AAA/ID(00000007): Setting connection progress = 203
> *Oct  8 02:07:25.837: AAA SRV(00000007): protocol reply PASS for 
> Authorization
> *Oct  8 02:07:25.837: AAA SRV(00000007): Return Authorization status=PASS
> *Oct  8 02:07:25.837: ISAKMP/tunnel: received callback from AAA
> *Oct  8 02:07:25.837: addr-pool: Processing AV AAA/AUTHOR/IKE
> *Oct  8 02:07:25.837: netmask: Processing AV AAA/AUTHOR/IKE
> *Oct  8 02:07:25.841: group-lock: Processing AV AAA/AUTHOR/IKE
> *Oct  8 02:07:25.841: : Group Lock is 1
> *Oct  8 02:07:25.841: tunnel-password: Processing AV AAA/AUTHOR/IKE
> *Oct  8 02:07:25.841: tunnel-type: Processing AV AAA/AUTHOR/IKE
> *Oct  8 02:07:25.841: ISAKMP/author: Tunnel Type ok
> *Oct  8 02:07:25.841: ISAKMP/tunnel: received tunnel atts
> *Oct  8 02:07:26.305: ISAKMP AAA: Profile CUSTOMER_C-isakmp-profile in use 
> with AAA list CUSTOMER_C-acct-net-list for peer 212.76.39.231
> *Oct  8 02:07:26.305: ISAKMP AAA: No peer record for address 212.76.39.231, 
> port 63930. Create Accounting Record
> 
> ; group authentication passed.
> ; now I enter user's token code
> 
> *Oct  8 02:07:48.413: ISAKMP:(0:8:HW:2):AAA Authen: setting up 
> authen_request
> *Oct  8 02:07:48.413: ISAKMP:(0:8:HW:2):AAA Authen: Successfully sent 
> authen info to AAA
> *Oct  8 02:07:48.413: AAA SRV(00000007): process authen req
> *Oct  8 02:07:48.413: AAA SRV(00000007): Authen method=SERVER_GROUP 
> CUSTOMER_C-radius-group
> *Oct  8 02:07:48.413: RADIUS/ENCODE(00000007):Orig. component type = 
> VPN_IPSEC
> *Oct  8 02:07:48.413: RADIUS(00000007): Using existing nas_port 1
> *Oct  8 02:07:48.413: RADIUS(00000007): Config NAS IP: 77.77.77.77
> *Oct  8 02:07:48.413: RADIUS/ENCODE(00000007): acct_session_id: 4
> *Oct  8 02:07:48.413: RADIUS(00000007): Config NAS IP: 77.77.77.77
> *Oct  8 02:07:48.413: RADIUS(00000007): sending
> *Oct  8 02:07:48.413: RADIUS(00000007): Send Access-Request to 
> 195.114.173.28:1645 id 1645/8, len 132
> *Oct  8 02:07:48.413: RADIUS:  authenticator 0F 87 D8 48 84 DF C9 6D - C6 
> 78 4D E5 B6 AE E5 59
> *Oct  8 02:07:48.413: RADIUS:  User-Name           [1]   20 
> "zarenks at CUSTOMER_C"
> *Oct  8 02:07:48.413: RADIUS:  User-Password       [2]   18  *
> *Oct  8 02:07:48.413: RADIUS:  Calling-Station-Id  [31]  15  "212.76.39.231"
> *Oct  8 02:07:48.413: RADIUS:  NAS-Port-Type       [61]  6   Virtual 
> [5]
> *Oct  8 02:07:48.413: RADIUS:  NAS-Port-Type       [61]  6   Virtual 
> [5]
> *Oct  8 02:07:48.413: RADIUS:  NAS-Port            [5]   6   1
> *Oct  8 02:07:48.413: RADIUS:  NAS-Port-Id         [87]  9   "IPSec/1"
> *Oct  8 02:07:48.413: RADIUS:  Service-Type        [6]   6   Login 
> [1]
> *Oct  8 02:07:48.413: RADIUS:  NAS-IP-Address      [4]   6   77.77.77.77
> *Oct  8 02:07:48.413: RADIUS:  Nas-Identifier      [32]  20 
> "PRIMARY-Aggregator"
> *Oct  8 02:07:53.321: RADIUS: Received from id 1645/8 195.114.173.28:1645, 
> Access-Challenge, len 160
> *Oct  8 02:07:53.321: RADIUS:  authenticator B4 BF DE A7 51 5E 42 11 - 3E 
> BD 23 79 C5 8C A2 5B
> *Oct  8 02:07:53.321: RADIUS:  Prompt              [76]  6   No-Echo 
> [0]
> *Oct  8 02:07:53.321: RADIUS:  Reply-Message       [18]  120
> *Oct  8 02:07:53.321: RADIUS:   0D 0A 20 20 20 45 6E 74 65 72 20 79 6F 75 
> 72 20  [??   Enter your ]
> *Oct  8 02:07:53.321: RADIUS:   6E 65 77 20 50 49 4E 2C 20 63 6F 6E 74 61 
> 69 6E  [new PIN, contain]
> *Oct  8 02:07:53.321: RADIUS:   69 6E 67 20 36 20 74 6F 20 38 20 64 69 67 
> 69 74  [ing 6 to 8 digit]
> *Oct  8 02:07:53.321: RADIUS:   73 2C 0D 0A 20 20 20 20 20 20 20 20 20 20 
> 20 20  [s,??            ]
> *Oct  8 02:07:53.321: RADIUS:   20 20 20 20 6F 72 0D 0A 20 20 20 3C 43 74 
> 72 6C  [    or??   <Ctrl]
> *Oct  8 02:07:53.321: RADIUS:   2D 44 3E 20 74 6F 20 63 61 6E 63 65 6C 20 
> 74 68  [-D> to cancel th]
> *Oct  8 02:07:53.321: RADIUS:   65 20 4E 65 77 20 50 49 4E 20 70 72 6F 63 
> 65 64  [e New PIN proced]
> *Oct  8 02:07:53.321: RADIUS:   75 72 65 3A 20 00 
> [ure: ?]
> *Oct  8 02:07:53.321: RADIUS:  State               [24]  14
> *Oct  8 02:07:53.321: RADIUS:   53 42 52 2D 43 48 20 33 31 7C 31 00 
> [SBR-CH 31|1?]
> *Oct  8 02:07:53.321: RADIUS(00000007): Received from id 1645/8
> *Oct  8 02:07:53.321: RADIUS/DECODE: Reply-Message fragments, 118, total 
> 118 bytes
> *Oct  8 02:07:53.321: AAA/ID(00000007): Setting connection progress = 203
> *Oct  8 02:07:53.321: AAA SRV(00000007): protocol reply 
> GET_CHALLENGE_RESP_NOECHO for Authentication
> *Oct  8 02:07:53.321: AAA SRV(00000007): Return Authentication 
> status=GET_CHALLENGE_RESP_NOECHO
> *Oct  8 02:07:53.321: ISAKMP:(0:8:HW:2):AAA Authen: Unknown response from 
> AAA
> *Oct  8 02:07:53.337: AAA/ID(00000007): dealloc , no idb or tty
> *Oct  8 02:07:53.337: AAA/ID(00000007): Enqueuing in aaa_stop_Q for CALL 
> STOP
> *Oct  8 02:07:53.337: AAA/ID(00000007): action(CALL STOP) rcv(0) xmit(0) 
> ip(0) op(0) xmitrt(0) rcvrt(0)
> *Oct  8 02:07:53.337: AAA/ID(00000007): Call completed 02:07:53 UTC Oct 8 
> 2000
> *Oct  8 02:07:53.337: ISAKMP AAA: Accounting Record Removed
> *Oct  8 02:07:53.337: AAA/AAA_SEND_STOP_PROC: Queue Event
> *Oct  8 02:07:53.337: AAA/ID/STOP(00000007): action(CALL STOP) rcv(0) 
> xmit(0) ip(0) op(0) xmitrt(0) rc=vrt(0)
> *Oct  8 02:07:53.337: AAA/AAA_SEND_STOP_PROC: Message Event
> *Oct  8 02:07:53.337: AAA/AAA_SEND_STOP_PROC(00000007): Initiated message 
> callback
> *Oct  8 02:07:53.337: AAA/AAA_SEND_STOP_PROC: Empty message queue
> 
> 
> What I see on the RADIUS server is that it sends the PIN creation request, and
> from the debug above I see that the request is coming to the router (IPSec
> aggregator).
> It is either not sent to the Cisco VPN client (I am using 4.6 00 0049) or it is sent
> but for some reason the Cisco VPN client does not process it.
> 
> 
> Thank you for taking a look at that problem.
> Regards
> Sebastian
> 
> 
> ----- Original Message ----- 
> From: "Dennis Peng (dpeng)" <dpeng at cisco.com>
> To: "BoXeR" <piestagaF at LL-oFFaster.pl>
> Cc: <cisco-nsp at puck.nether.net>
> Sent: Friday, February 25, 2005 7:59 PM
> Subject: Re: [c-nsp] SecurID (NEW PIN MODE) vs Cisco VPN client
> 
> 
> >BoXeR [piestaga at aster.pl] wrote:
> >>Hi again,
> >>
> >>I have just upgraded the router to 12.3(11)T3 and it is still not
> >>working.
> >>Actually nothing has changed.
> >>I can still see the message sent from RADIUS to the router, but the Cisco VPN
> >>Client does nothing with it.
> >>
> >>Can somebody confirm that this bug was really repaired?
> >
> >The fix has been confirmed to work with a few customers, one even
> >running 12.3(11)T3. So perhaps your problem is a bit different. Can
> >you send "debug radius", "debug aaa id", "debug aaa subsystem", "debug
> >aaa protocol radius", and "debug crypto isakmp aaa" (hidden)? Thanks.
> >
> >Dennis
> >
> >>Regards
> >>Sebastian
> >>
> >>
> >>
> >>----- Original Message ----- 
> >>From: "Oliver Boehmer (oboehmer)" <oboehmer at cisco.com>
> >>To: "BoXeR" <piestagaF at LL-oFFaster.pl>; "Dennis Peng (dpeng)"
> >><dpeng at cisco.com>
> >>Cc: <cisco-nsp at puck.nether.net>
> >>Sent: Friday, February 25, 2005 8:30 AM
> >>Subject: RE: [c-nsp] SecurID (NEW PIN MODE) vs Cisco VPN client
> >>
> >>
> >>>
> >>>>
> >>>>I am using 12.3(11)T2.
> >>>>According to the Cisco bug navigator, the first fixed-in version is 12.3(11)T3, which
> >>>>really means the latest one.
> >>>>
> >>>>Am I right?
> >>>
> >>>yes and no, 12.3(8)T6 also has the fix, so unless you need some specific
> >>>12.3(11)T features, you could also downgrade to 12.3(8)T6.
> >>>
> >>>oli
> >>>
> >>>
> >>>>----- Original Message -----
> >>>>From: "Dennis Peng" <dpeng at cisco.com>
> >>>>To: "BoXeR" <piestagaF at LL-oFFaster.pl>
> >>>>Cc: <cisco-nsp at puck.nether.net>
> >>>>Sent: Friday, February 25, 2005 1:55 AM
> >>>>Subject: Re: [c-nsp] SecurID (NEW PIN MODE) vs Cisco VPN client
> >>>>
> >>>>
> >>>>>What version of IOS are you using? This was only recently fixed.
> >>>>>CSCef07048.
> >>>>>
> >>>>>Dennis
> >>>>>
> >>>>>BoXeR [piestaga at aster.pl] wrote:
> >>>>>>Hi,
> >>>>>>
> >>>>>>I have configured the remote access environment, where users
> >>>>>>access the VPN network using the Cisco VPN client with SecurID
> >>>>>>authentication.
> >>>>>>
> >>>>>>I do not know what is the reason, but when I set the user's token
> >>>>>>in New PIN mode it does not work.
> >>>>>>
> >>>>>>I see the RADIUS server sends that request to the IPSec aggregator (which is
> >>>>>>an IOS router in my case)
> >>>>>>
> >>>>>>
> >>>>>>Authentication Response
> >>>>>>Packet : Code = 0xb ID = 0x2c
> >>>>>>Vector =
> >>>>>>000: 3297f98a 8427cdd8 19dfa4f7 bd4749de |2....'.......GI.|
> >>>>>>Prompt : Integer Value = 0
> >>>>>>Reply-Message : Value =
> >>>>>>000: 0d0a2020 20456e74 65722079 6f757220 |..   Enter your |
> >>>>>>010: 6e657720 50494e2c 20636f6e 7461696e |new PIN, contain|
> >>>>>>020: 696e6720 3620746f 20382064 69676974 |ing 6 to 8 digit|
> >>>>>>030: 732c0d0a 20202020 20202020 20202020 |s,..            |
> >>>>>>040: 20202020 6f720d0a 2020203c 4374726c |    or..   <Ctrl|
> >>>>>>050: 2d443e20 746f2063 616e6365 6c207468 |-D> to cancel th|
> >>>>>>060: 65204e65 77205049 4e207072 6f636564 |e New PIN proced|
> >>>>>>070: 7572653a 20                         |ure:            |
> >>>>>>State : String Value = SBR-CH 14|1
> >>>>>>
> >>>>>>and the router receives that request but nothing else happens.
> >>>>>>
> >>>>>>Received from id 1645/44 195.114.173.28:1645, Access-Challenge, len
> >>>>>> 160 authenticator 32 97 F9 8A 84 27 CD D8 - 19 DF A4 F7 BD 47 49 DE
> >>>>>>Prompt              [76]  6   No-Echo                   [0]
> >>>>>>Reply-Message       [18]  120 0D 0A 20 20 20 45 6E 74 65 72 20 79
> >>>>>>6F 75 72 20  [??   Enter your ] 6E 65 77 20 50 49 4E 2C 20 63 6F 6E
> >>>>>>74 61 69 6E  [new PIN, contain] 69 6E 67 20 36 20 74 6F 20 38 20 64
> >>>>>>69 67 69 74  [ing 6 to 8 digit] 73 2C 0D 0A 20 20 20 20 20 20 20 20
> >>>>>>20 20 20 20  [s,??            ] 20 20 20 20 6F 72 0D 0A 20 20 20 3C
> >>>>>>43 74 72 6C  [    or??   <Ctrl] 2D 44 3E 20 74 6F 20 63 61 6E 63 65
> >>>>>>6C 20 74 68  [-D> to cancel th] 65 20 4E 65 77 20 50 49 4E 20 70 72
> >>>>>>6F 63 65 64  [e New PIN proced] 75 72 65 3A 20 00
> >>>>>>[ure: ?]
> >>>>>>State               [24]  14
> >>>>>>53 42 52 2D 43 48 20 31 34 7C 31 00              [SBR-CH 14|1?]
> >>>>>>
> >>>>>>
> >>>>>>The Cisco VPN client (4.6) is not asking the user for the PIN,
> >>>>>>re-PIN and finally the whole PASSCODE, and the whole authentication
> >>>>>>process fails :-(
> >>>>>>
> >>>>>>Do you have any idea what the reason for that could be?
> >>>>>>__________________________ Before sending an answer, please remove
> >>>>>>the appropriate string from my address. Remove the appropriate string from my
> >>>>>>address before sending a reply.
> >>>>>>
> >>>>>>_______________________________________________
> >>>>>>cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >>>>>>https://puck.nether.net/mailman/listinfo/cisco-nsp
> >>>>>>archive at http://puck.nether.net/pipermail/cisco-nsp/

