Proxy-State Requirement

vibobrov
Cisco Employee

Hi Experts,

We are trying to integrate ISE with CA AuthMinder as a RADIUS Proxy Server. We can't use RADIUS Token Server due to a requirement to do username domain stripping which RADIUS Token Server doesn't support.

Our authentication attempts through ISE to AuthMinder were silently dropped, nothing in LiveLog.

Upon some investigation, we found that AuthMinder is responding with an Accept, but without any RADIUS attributes.

PRRT reports the following:

AcsLogs,2016-09-15 14:55:06,055,DEBUG,0x7f2f9584e700,cntx=0000091231,sesn=THC2EXTISE01/261438722/27,CPMSessionID=0a3440440000a00057da6fb5,user=000248933@lisa.lester,CallingStationID=107.77.199.79,Log_Message=[2016-09-15 14:55:06.054 +00:00 0000065725 11352 WARN  RADIUS-Proxy: Response Proxy-State attribute validation failed, ConfigVersionId=188, Device IP Address=10.52.64.68, Device Port=65487, DestinationIPAddress=10.192.200.41, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=32, User-Name=000248933, NAS-IP-Address=10.52.64.68, NAS-Port=40960, Called-Station-ID=65.89.98.68, Calling-Station-ID=107.77.199.79, Proxy-State=FirstProxy=10.192.200.41, Proxy-State=Cisco Secure ACSb1d9c820-6a2a-11e6-c000-000000000000-139842593584896-16335, NAS-Port-Type=Virtual, Tunnel-Client-Endpoint=(tag=0) 107.77.199.79, cisco-av-pair=audit-session-id=0a3440440000a00057da6fb5, cisco-av-pair=ip:source-ip=107.77.199.79, cisco-av-pair=coa-push=true, CVPN3000/ASA/PIX7x-Tunnel-Group-Name=SSLClient, CVPN3000/ASA/PIX7x-Client-Type=3, AcsSessionID=THC2EXTISE01/261438722/27, SelectedAccessService=AUTH_MDL_SEQUENCE, CPMSessionID=0a3440440000a00057da6fb5, Response={RadiusPacketType=AccessAccept; },],MessageFormatter.cpp:94

RFC 2865 - Remote Authentication Dial In User Service (RADIUS), section 5.33 (Proxy-State), states:

    This Attribute is available to be sent by a proxy server to
    another server when forwarding an Access-Request and MUST be
    returned unmodified in the Access-Accept, Access-Reject or
    Access-Challenge.

It's clear that AuthMinder is non-compliant here. Is there anything that can be enabled in ISE to ignore Proxy-State?

Can you think of some other clever way to strip the username? In the example above the username comes in as 000248933@lisa.lester and we only need to send 000248933 to AuthMinder.

Thanks
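The two mechanics this thread turns on, shown together as an added Python example (this is not code from the thread, from ISE or from AuthMinder): a minimal RADIUS attribute codec, a proxy-side forward step that strips the realm from User-Name and appends the proxy's own Proxy-State, and a reply validator that enforces what RFC 2865 section 5.33 requires of a proxy. The packet bytes, the Request Authenticator, the upstream and ISE Proxy-State values and the realm are all constructed to mirror the log line above; the shared-secret Response Authenticator check a real proxy also performs is left out to keep the focus on Proxy-State.

```python
"""Proxy-side RADIUS handling: realm stripping on forward, Proxy-State
validation on the reply (RFC 2865, sections 5.1 and 5.33)."""
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_PROXY_STATE = 1, 33
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator


def strip_realm(user_name: str) -> str:
    """Drop a trailing '@realm' (000248933@lisa.lester -> 000248933)."""
    user, sep, _realm = user_name.rpartition("@")
    return user if sep else user_name


def parse_attrs(payload: bytes) -> list[tuple[int, bytes]]:
    """Walk the Type/Length/Value list; refuse malformed lengths."""
    attrs, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return attrs


def build_packet(code, identifier, authenticator, attrs):
    """Serialise header + attributes; attribute values are capped at 253 bytes."""
    for _, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long for one AVP")
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return HEADER.pack(code, identifier, HEADER.size + len(body), authenticator) + body


def parse_packet(raw):
    code, ident, length, auth = HEADER.unpack_from(raw)
    if length != len(raw) or length < HEADER.size:
        raise ValueError("Length field disagrees with datagram size")
    return code, ident, auth, parse_attrs(raw[HEADER.size:length])


def proxy_forward(request, hop_state):
    """What the proxy does on forward: rewrite User-Name, append its own Proxy-State.
    Any Proxy-State already present (from an upstream proxy) is kept as-is."""
    code, ident, auth, attrs = parse_packet(request)
    out = []
    for t, v in attrs:
        if t == ATTR_USER_NAME:
            v = strip_realm(v.decode()).encode()
        out.append((t, v))
    out.append((ATTR_PROXY_STATE, hop_state))
    return build_packet(code, ident, auth, out)


def validate_reply(forwarded, reply):
    """RFC 2865 5.33: every Proxy-State sent MUST come back unmodified and in
    order, whatever the reply code. Returns (ok, reason)."""
    _, req_id, _, req_attrs = parse_packet(forwarded)
    _, rep_id, _, rep_attrs = parse_packet(reply)
    if rep_id != req_id:
        return False, "Identifier mismatch"
    sent = [v for t, v in req_attrs if t == ATTR_PROXY_STATE]
    got = [v for t, v in rep_attrs if t == ATTR_PROXY_STATE]
    if sent != got:
        return False, f"Proxy-State mismatch: sent {len(sent)}, received {len(got)}"
    return True, "ok"


def demo():
    """Constructed exchange modelled on the thread: NAS -> ISE -> token server."""
    auth = bytes(range(16))  # constructed Request Authenticator, not from a capture
    nas_request = build_packet(ACCESS_REQUEST, 32, auth, [
        (ATTR_USER_NAME, b"000248933@lisa.lester"),
        (ATTR_PROXY_STATE, b"FirstProxy=10.192.200.41"),  # upstream hop, as in the log
    ])
    ise_state = b"example-proxy-state"  # constructed; a real ISE value is opaque
    forwarded = proxy_forward(nas_request, ise_state)
    fwd_attrs = parse_packet(forwarded)[3]

    # Non-compliant server: Access-Accept with no attributes at all (the AuthMinder behaviour).
    bare_accept = build_packet(ACCESS_ACCEPT, 32, auth, [])
    # Compliant server: echoes every Proxy-State unmodified, in order.
    echoed = [(t, v) for t, v in fwd_attrs if t == ATTR_PROXY_STATE]
    good_accept = build_packet(ACCESS_ACCEPT, 32, auth, echoed)

    return {
        "forwarded_user": next(v for t, v in fwd_attrs if t == ATTR_USER_NAME),
        "bare": validate_reply(forwarded, bare_accept),
        "good": validate_reply(forwarded, good_accept),
    }


if __name__ == "__main__":
    print(demo())
```

The validator rejects the bare Access-Accept exactly where ISE's "Response Proxy-State attribute validation failed" does: the server returned an Accept, but the proxy cannot tie it back to its own forwarded request without the echoed Proxy-State, so dropping it is the correct behaviour rather than a bug in the proxy.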

Accepted Solution

Craig Hyps
Level 10

Not aware of a way to ignore a required field. Would be an enhancement to become non-compliant!

Could be ugly, but how about proxying the request back to ISE, where you strip it out of the request and send it back to ISE? On forward, the RADIUS source is now ISE, so you can apply a different policy accordingly.

Craig


vibobrov
Cisco Employee

Thanks, Craig,

Yeah, I was thinking about our trusty looping technique, but it does get ugly.

We asked the customer to reach out to CA to see if they can make their product RFC compliant.

Thanks