Merlin_Raja asked:
Cisco VPN Authentication: Reason - 413
Hi
I need some help regarding Cisco VPN client authentication. We have a VPN concentrator and a Cisco ACS. This is how it is done... The user database is created on the Cisco ACS and the group names are created on the VPN concentrator.
This is what happens....
When I connect to the VPN concentrator using the Cisco client, it gets authenticated and I am asked to enter the username and password. When I enter the username and password which has been created on the Cisco ACS, I get the following error:
Secure VPN Client terminated locally by the client.
Reason 413: User authentication failed.
Can you tell me if I need to change any settings on the Cisco ACS?
Note: The test between the VPN concentrator and the Cisco ACS is successful. There are 2 authentication servers for the time being: (1) Internal VPN database (placed top) and (2) RADIUS server (Cisco ACS, placed second).
Please advise
Thanks
ASKER
Hi Koudry
I can tell you for sure that the username and password are correct because if I enter a wrong username and password, it still prompts me to enter a valid username and password.
But can you guide me through how to configure the user in the right authentication group?
The usernames are local to the ACS box. I have created a group called TEST and placed the user "USER1" into that group. But I don't know if I have configured the group properly.
And besides, since I am connecting it with a VPN concentrator, I don't know if the settings on the VPN concentrator and the ACS need to be the same.
Please advise
Thanks
ASKER CERTIFIED SOLUTION
ASKER
Thank you Koudry
I'll look at these documents and get back to you.
And I have one more issue. I tried to upgrade the ACS box from 4.1.1.23 to 4.1.4.13 and after a very long time it failed. Is there any workaround for this? :(
SOLUTION
ASKER
You're good at this I guess... :)))
It is a software upgrade. The reason for the upgrade was because ACS 1113 cannot put in a static IP and you need to overcome this by a patch. The current version is 4.1.1.23 and I thought I could upgrade it to 4.1.4.13 to solve this issue.
But now after you have mentioned the file size issue, I need to check this out. I did get another link on the site regarding this issue.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a00808d9199.shtml#sok
I'm not sure if this will help me overcome this problem. But I will go ahead with your suggestion in your previous answer and will check this out and get back to you.
Thank you Koudry
ASKER
Hi Koudry
I've applied the patch which was recommended regarding the IP issue. It worked successfully.
But when I HyperTerminal to the device, it asks me for login and password and once it goes inside, it's blank and I don't get to see anything. (It's just one problem after the other...)
Is there a way to resolve this issue?
Thanks
Hi Merlin_Raja:
It looks like you have lost your config on the device. If you have a backup config, you can load it into the device using the copy command. If you haven't got a backup config, I don't know if you can recover anything from the file system (either flash or disk) since these devices don't do auto-backup.
ASKER
I do have my backup config file.
I think the problem occurred when I installed the previous patch and it failed. I've been facing this issue since then. My web access works. Is it possible for me to apply another patch and regain connectivity?
SOLUTION
ASKER
I can access HyperTerminal now but not web access, and this is the message on the terminal:
Cisco Secure ACS: 4.1.1.23
ACS 4.1.1.24 CSCsm73656-Set-Ip: (Patch: 4.1.1.24 Tue 04/03/2008 21:03:08.16)
ACS 4.1.4.13.6 Fix: (Patch: 4.1.4.13.6 Mon 02/18/2008 15:47:35.76)
Appliance Management Software: 4.1.1.23
Appliance Base Image: 4.1.1.4
CSA build 4.0.1.543.2: (Patch: 4_0_1_543)
Appliance upgrade in progress...
It's been more than an hour since the status has been like this and I can't do anything.
Is there any workaround, or can I restore the ACS box from scratch?
Thanks
SOLUTION
ASKER
Hi Koudry
Hey, you know, I guess that patch that failed has done something. The device is near me right now as it is still not in production. I cannot use the restore or rollback command on the ACS device.
For every command other than the "show" command, I get the following message:
Appliance Upgrade is in progress, please try later
I did shut down and reboot the device but I still get the message that the appliance is still in the process of upgrading. I do have the config file which I had taken using the web access.
I do have the restore appliance CD with me. What to do now?
Thanks
Hi Merlin_Raja:
Please don't do anything just yet. I will get back to you in a moment.
Thanks,
Koudry
SOLUTION
ASKER
Hi Koudry
Hear this.. My previous version was 4.1.1.23 and so I downloaded the patch 4.1.1.23.1 and applied it. Guess what happened... The patch got applied and I can access my web as well as my HyperTerminal.
Cisco Secure ACS: 4.1.1.23
ACS 4.1.1.23.1 Fix: (Patch: 4.1.1.23.1 Mon 01/15/2007 20:01:36.20) [This is the patch I applied NOW]
ACS 4.1.1.24 CSCsm73656-Set-Ip: (Patch: 4.1.1.24 Tue 04/03/2008 21:03:08.16)
ACS 4.1.4.13.6 Fix: (Patch: 4.1.4.13.6 Mon 02/18/2008 15:47:35.76)
Appliance Management Software: 4.1.1.23
Appliance Base Image: 4.1.1.4
CSA build 4.0.1.543.2: (Patch: 4_0_1_543)
Session Timeout: 10
Last Reboot Time: Fri Aug 01 10:01:26 2008
I guess for a start I can access my device, but I can't start all my services:
CSAdmin running
CSAuth stopped
CSDbSync stopped
CSLog running
CSMon stopped
CSRadius stopped
CSTacacs stopped
I still haven't restarted my device to check for issues yet. I will restart and get back to you.
Thank you
ASKER
Hi Koudry
After restarting, I got my HyperTerminal and web access running. Thank you so much for your guidance. However I still haven't got all my services running. I remember seeing a patch for the CSAuth service to be fixed if it is not running but I can't remember where. Can you help me out?
Thank you
ASKER
Hi Koudry
I got these services running:
CSAdmin running
CSAuth running
CSDbSync stopped
CSLog running
CSMon stopped
CSRadius running
CSTacacs running
Still waiting for 2 more. The way I accomplished getting the others started was that I applied the 4.1.23.3 patch.
Thanks
ASKER
All of Koudry's answers were exactly what I needed at that moment in time.
Thank you Koudry for your timely help :)))))))
*** I did want to give you 500 points for all your answers but I guess I can't allot more than a total of 500 points. :((
Thank you again
Hi Merlin_Raja:
You may want to take a look at the following document:
Release Notes Update for Cisco Secure ACS 4.1.4.13 @ http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1.4/release/notes/Release_Notes_for_Cisco_Secure_ACS_4.1.4_v2.html
I am not sure if the CSDbSync and CSMon services are related, but is there a way you can try manually restarting these services using the commands "restart CSDbSync" and "restart CSMon"?
Good luck.
Koudry
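Added example, not from the thread: a small Python script that parses the service-status block the asker pasted (sample text constructed from it), lists the stopped services, checks whether the two services a RADIUS-authenticating VPN concentrator depends on (CSAuth for authentication/authorization, CSRadius for the RADIUS protocol) are up, and emits the `restart <service>` commands Koudry suggests for whatever is stopped. The service names and the `restart` command form are taken from the thread; the sample text is constructed.

```python
"""Parse Cisco Secure ACS 4.x appliance 'show' output and flag stopped services.
Added example for this thread; SAMPLE_STATUS is constructed from the asker's paste."""
import re

# Constructed sample of the appliance 'show' output (version header + service list).
SAMPLE_STATUS = """\
Cisco Secure ACS: 4.1.1.23
ACS 4.1.1.23.1 Fix: (Patch: 4.1.1.23.1 Mon 01/15/2007 20:01:36.20)
Appliance Management Software: 4.1.1.23
CSA build 4.0.1.543.2: (Patch: 4_0_1_543)
CSAdmin running
CSAuth stopped
CSDbSync stopped
CSLog running
CSMon stopped
CSRadius stopped
CSTacacs stopped
"""

# Services a VPN concentrator authenticating users via RADIUS against ACS needs:
# CSAuth performs authentication/authorization, CSRadius handles the RADIUS exchange.
RADIUS_AUTH_SERVICES = ("CSAuth", "CSRadius")

# One service per line: "<CSname> running|stopped". The "CSA build ..." header line
# does not match because "build" is neither state keyword.
SERVICE_RE = re.compile(r"^(CS\w+)\s+(running|stopped)\s*$", re.MULTILINE)


def parse_services(text):
    """Return {service_name: state} in order of appearance."""
    return {name: state for name, state in SERVICE_RE.findall(text)}


def stopped_services(text):
    """Names of services reported as 'stopped'."""
    return [name for name, state in parse_services(text).items() if state == "stopped"]


def radius_auth_ready(text):
    """True only if every service RADIUS authentication depends on is running."""
    services = parse_services(text)
    return all(services.get(name) == "running" for name in RADIUS_AUTH_SERVICES)


def restart_commands(text):
    """Appliance CLI commands, in the 'restart CSDbSync' form used above, for each stopped service."""
    return ["restart %s" % name for name in stopped_services(text)]


if __name__ == "__main__":
    print("RADIUS authentication ready:", radius_auth_ready(SAMPLE_STATUS))
    for command in restart_commands(SAMPLE_STATUS):
        print(command)
```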
ASKER
Thank you
I'll have a look at them now and get back to you.
I had two cases in which the Client (v4.8) generated reason 413 (with correct username and passphrase):
- earlier this year it was a computer which did not meet firewall policy (the firewall software had been damaged and had to be reinstalled).
- yesterday it was a token issue. The RSA token had desynchronized from the RSA SecurID server and had to be resynchronized with the assistance of the VPN helpdesk. I wouldn't have figured it out without help, as the Cisco VPN Client hadn't shown any warnings or errors (all options in the log settings were set to high priority).
BTW: our manual says that there are a few reasons for error 413 to appear:
- locked AD or token account
- dropped connection (which has to time out before making another one)
- firewall and antivirus policy mismatch
This error is likely to be related to a wrong username, password or authentication group.
If you are using a security token, please make sure that the associations of the token number, authentication group and shared password are consistent across the authentication servers.
You may also be using a local user name as opposed to a user name as configured on the authentication servers.
I am not sure if the URLs below will be of any use:
http://www.chicagotech.net/cisco/cisco413.htm
http://www.uoguelph.ca/ccs/internet/faq/index.cfm?fuseaction=faq.showfaq&faqid=37#142
Koudry