09-15-2016 08:27 AM
Hi Experts,
We are trying to integrate ISE with CA AuthMinder as a RADIUS Proxy Server. We can't use RADIUS Token Server due to a requirement to do username domain stripping which RADIUS Token Server doesn't support.
Our authentication attempts through ISE to AuthMinder were silently dropped, nothing in LiveLog.
Upon some investigation, we found that AuthMinder is responding with an Accept, but without any RADIUS attributes.
PRRT reports the following:
AcsLogs,2016-09-15 14:55:06,055,DEBUG,0x7f2f9584e700,cntx=0000091231,sesn=THC2EXTISE01/261438722/27,CPMSessionID=0a3440440000a00057da6fb5,user=000248933@lisa.lester,CallingStationID=107.77.199.79,Log_Message=[2016-09-15 14:55:06.054 +00:00 0000065725 11352 WARN RADIUS-Proxy: Response Proxy-State attribute validation failed, ConfigVersionId=188, Device IP Address=10.52.64.68, Device Port=65487, DestinationIPAddress=10.192.200.41, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=32, User-Name=000248933, NAS-IP-Address=10.52.64.68, NAS-Port=40960, Called-Station-ID=65.89.98.68, Calling-Station-ID=107.77.199.79, Proxy-State=FirstProxy=10.192.200.41, Proxy-State=Cisco Secure ACSb1d9c820-6a2a-11e6-c000-000000000000-139842593584896-16335, NAS-Port-Type=Virtual, Tunnel-Client-Endpoint=(tag=0) 107.77.199.79, cisco-av-pair=audit-session-id=0a3440440000a00057da6fb5, cisco-av-pair=ip:source-ip=107.77.199.79, cisco-av-pair=coa-push=true, CVPN3000/ASA/PIX7x-Tunnel-Group-Name=SSLClient, CVPN3000/ASA/PIX7x-Client-Type=3, AcsSessionID=THC2EXTISE01/261438722/27, SelectedAccessService=AUTH_MDL_SEQUENCE, CPMSessionID=0a3440440000a00057da6fb5, Response={RadiusPacketType=AccessAccept; },],MessageFormatter.cpp:94
The RADIUS RFC, RFC 2865 - Remote Authentication Dial In User Service (RADIUS), states of the Proxy-State attribute:
This Attribute is available to be sent by a proxy server to another server when forwarding an Access-Request and MUST be returned unmodified in the Access-Accept, Access-Reject or Access-Challenge.
It's clear that AuthMinder is non-compliant here. Is there anything that can be enabled in ISE to ignore Proxy-State?
Can you think of some other clever way to strip the username? In the example above the username comes in as 000248933@lisa.lester and we only need to send 000248933 to AuthMinder.
Thanks
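As an added illustration of the Proxy-State rule quoted above (a constructed example, not code from this thread, ISE or AuthMinder): a minimal RADIUS attribute parser plus the check ISE is effectively doing, run against packets built from the values in the PRRT log, and the realm stripping the question asks for. The 16-byte authenticators are zero placeholders, not real values.

```python
# Proxy-State echo check per RFC 2865 5.33. Constructed example, not ISE/AuthMinder code.
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2  # RFC 2865 packet codes
USER_NAME, PROXY_STATE = 1, 33        # RFC 2865 attribute types

def parse_attributes(packet: bytes):
    """Return [(type, value), ...] from a raw RADIUS packet (header is 20 bytes)."""
    length = struct.unpack("!BBH", packet[:4])[2]
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    """Serialise header + attributes; the 16-byte authenticator is caller-supplied."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def proxy_state_echoed(request: bytes, response: bytes) -> bool:
    """True only if the Identifier matches and every Proxy-State comes back unmodified, in order."""
    if request[1] != response[1]:
        return False
    wanted = [v for t, v in parse_attributes(request) if t == PROXY_STATE]
    got = [v for t, v in parse_attributes(response) if t == PROXY_STATE]
    return wanted == got

def strip_realm(user_name: str) -> str:
    """Domain stripping the thread asks for: '000248933@lisa.lester' -> '000248933'."""
    return user_name.split("@", 1)[0]

# Constructed packets mirroring the PRRT log (authenticators are zero placeholders).
PROXY_STATES = [b"FirstProxy=10.192.200.41",
                b"Cisco Secure ACSb1d9c820-6a2a-11e6-c000-000000000000-139842593584896-16335"]
REQUEST = build_packet(ACCESS_REQUEST, 32, bytes(16),
                       [(USER_NAME, strip_realm("000248933@lisa.lester").encode())]
                       + [(PROXY_STATE, v) for v in PROXY_STATES])
BAD_RESPONSE = build_packet(ACCESS_ACCEPT, 32, bytes(16), [])          # what the log shows
GOOD_RESPONSE = build_packet(ACCESS_ACCEPT, 32, bytes(16),
                             [(PROXY_STATE, v) for v in PROXY_STATES])  # RFC-compliant reply

if __name__ == "__main__":
    print("AuthMinder-style reply passes check:", proxy_state_echoed(REQUEST, BAD_RESPONSE))
    print("Compliant reply passes check:", proxy_state_echoed(REQUEST, GOOD_RESPONSE))
```

The attribute-less Access-Accept fails the check exactly as the WARN line reports, so the drop is expected proxy behaviour rather than an ISE fault.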
09-16-2016 12:11 PM
Not aware of a way to ignore a required field. Would be an enhancement to become non-compliant!
Could be ugly, but how about proxying the request back to ISE, where you strip out the request and send it back to ISE? On the forward, the RADIUS source is now ISE, so a different policy can be applied accordingly.
Craig
09-16-2016 04:59 PM
Thanks, Craig,
Yeah, I was thinking about our trusty looping technique, but it does get ugly.
We asked the customer to reach out to CA to see if they can make their product be RFC compliant.
Thanks