Merlin_Raja (asker):
Cisco VPN Authentication: Reason 413

Hi
I need some help regarding Cisco VPN client authentication. We have a VPN concentrator and a Cisco ACS. This is how it is done... The user database is created on the Cisco ACS and the group names are created on the VPN concentrator.
This is what happens....
When I connect to the VPN concentrator using the Cisco client, it gets authenticated and I am asked to enter the username and password. When I enter the username and password which has been created on the Cisco ACS, I get the following error:

Secure VPN Client terminated locally by the client.
Reason 413: User authentication failed.

Can you tell me if I need to change any settings on the Cisco ACS?

Note: The test between the VPN concentrator and the Cisco ACS is successful. There are 2 authentication servers for the time being: (1) Internal VPN database (placed top) and (2) RADIUS server (Cisco ACS, placed second).

Please advise.
Thanks
koudry:

Hi Merlin_Raja:

This error is likely to be related to wrong username, password or authentication group.  

If you are using a security token, please make sure that the associations of the token number, authentication group, shared password, are consistent across the authentication servers.

You may also be using a local user name as opposed to a user name as configured on the authentication servers.

I am not sure if the URLs below will be of any use:

http://www.chicagotech.net/cisco/cisco413.htm
http://www.uoguelph.ca/ccs/internet/faq/index.cfm?fuseaction=faq.showfaq&faqid=37#142
Koudry
Merlin_Raja (asker):

Hi Koudry
I can tell you for sure that the username and password are correct, because if I enter a wrong username and password, it still prompts me to enter a valid username and password.
But can you guide me through how to configure the user in the right authentication group?

The usernames are local to the ACS box. I have created a group called TEST and placed the user "USER1" into that group. But I don't know if I have configured the group properly.

And besides, since I am connecting it with a VPN concentrator, I don't know if the settings on the VPN concentrator and the ACS need to be the same.

Please advise.

Thanks
koudry (accepted solution; members-only, not shown):

Merlin_Raja:
Thank you Koudry
I'll look at these documents and get back to you.
And I have one more issue. I tried to upgrade the ACS box from 4.1.1.23 to 4.1.4.13 and after a very long time it failed. Is there any workaround for this? :(
koudry (solution; members-only, not shown):

Merlin_Raja:
You're good at this, I guess... :)))

It is a software upgrade. The reason for the upgrade was that the ACS 1113 cannot put in a static IP and you need to overcome this by a patch. The current version is 4.1.1.23 and I thought I could upgrade it to 4.1.4.13 to solve this issue.

But now, after you have mentioned the file size issue, I need to check this out. I did get another link on the site regarding this issue.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a00808d9199.shtml#sok

I'm not sure if this will help me overcome this problem. But I will go ahead with your suggestion in your previous answer, check this out and get back to you.

Thank you Koudry
Merlin_Raja:
Hi Koudry

I've applied the patch which was recommended regarding the IP issue. It worked successfully.
But when I HyperTerminal to the device, it asks me for login and password, and once it goes inside, it's blank and I don't get to see anything. (It's just one problem after another...)
Is there a way to resolve this issue?

Thanks
Hi Merlin_Raja:
It looks like you have lost your config on the device. If you have a backup config, you can load it into the device using the copy command. If you haven't got a backup config, I don't know if you can recover anything from the file system (either flash or disk) since these devices don't do auto-backup.
Merlin_Raja:
I do have my backup config file.
I think the problem occurred when I installed the previous patch and it failed. I've been facing this issue since then. My web access works. Is it possible for me to apply another patch and regain connectivity?
koudry (solution; members-only, not shown):

Merlin_Raja:
I can access HyperTerminal now but not web access, and this is the message on the terminal:

Cisco Secure ACS: 4.1.1.23
ACS 4.1.1.24 CSCsm73656-Set-Ip: (Patch: 4.1.1.24 Tue 04/03/2008 21:03:08.16)
ACS 4.1.4.13.6 Fix: (Patch: 4.1.4.13.6 Mon 02/18/2008 15:47:35.76)
Appliance Management Software: 4.1.1.23
Appliance Base Image: 4.1.1.4
CSA build 4.0.1.543.2: (Patch: 4_0_1_543)

Appliance upgrade in progress...


It's been more than an hour since the status has been like this and I can't do anything.

Is there any workaround, or can I restore the ACS box from scratch?

Thanks
koudry (solution; members-only, not shown):

Merlin_Raja:
Hi Koudry

Hey, you know, I guess that patch that failed has done something. The device is near me right now as it is still not in production. I cannot use the restore or rollback command on the ACS device.

For every command other than the "show" command, I get the following message:

Appliance Upgrade is in progress, please try later

I did shut down and reboot the device, but I still get the message that the appliance is still in the process of upgrading. I do have the config file which I had taken using the web access.

I do have the restore appliance CD with me. What to do now?

Thanks
Hi Merlin_Raja:
Please don't do anything just yet. I will get back to you in a moment.
Thanks,
Koudry
koudry (solution; members-only, not shown):

Merlin_Raja:
Hi Koudry

Hear this... My previous version was 4.1.1.23, so I downloaded the patch 4.1.1.23.1 and applied it. Guess what happened: the patch got applied and I can access my web as well as my HyperTerminal.

Cisco Secure ACS: 4.1.1.23
ACS 4.1.1.23.1 Fix: (Patch: 4.1.1.23.1 Mon 01/15/2007 20:01:36.20) [This is the patch I applied NOW]
ACS 4.1.1.24 CSCsm73656-Set-Ip: (Patch: 4.1.1.24 Tue 04/03/2008 21:03:08.16)
ACS 4.1.4.13.6 Fix: (Patch: 4.1.4.13.6 Mon 02/18/2008 15:47:35.76)
Appliance Management Software: 4.1.1.23
Appliance Base Image: 4.1.1.4
CSA build 4.0.1.543.2: (Patch: 4_0_1_543)
Session Timeout: 10
Last Reboot Time: Fri Aug 01 10:01:26 2008

I guess for a start I can access my device, but I can't start all my services:

CSAdmin        running
CSAuth         stopped
CSDbSync       stopped
CSLog          running
CSMon          stopped
CSRadius       stopped
CSTacacs       stopped

I still haven't restarted my device to check for issues yet. I will restart and get back to you.

Thank you
Merlin_Raja:
Hi Koudry

After restarting, I got my HyperTerminal and web access running. Thank you so much for your guidance. However, I still haven't got all my services running. I remember seeing a patch for the CSAuth service to be fixed if it is not running, but I can't remember where. Can you help me out?

Thank you
Merlin_Raja:
Hi Koudry

I got these services running:

CSAdmin        running
CSAuth         running
CSDbSync       stopped
CSLog          running
CSMon          stopped
CSRadius       running
CSTacacs       running

Still waiting for 2 more. The way I accomplished getting the others started was by applying the 4.1.23.3 patch.

Thanks
Merlin_Raja:
All of Koudry's answers were exactly what I needed at that moment in time.
Thank you Koudry for your timely help :)))))))

*** I did want to give you 500 points for all your answers, but I guess I can't allot more than a total of 500 points. :((

Thank you again
koudry:
Hi Merlin_Raja:

You may want to take a look at the following document:
Release Notes Update for Cisco Secure ACS 4.1.4.13 @ http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1.4/release/notes/Release_Notes_for_Cisco_Secure_ACS_4.1.4_v2.html
I am not sure if the CSDbSync and CSMon services are related, but is there a way you can try manually restarting these services using the commands "restart CSDbSync" and "restart CSMon"?
Good luck.
Koudry
Merlin_Raja:
Thank you
I'll have a look at them now and get back to you.
I had two cases in which the client (v4.8) generated reason 413 (with correct username and passphrase):
- Earlier this year it was a computer which did not meet the firewall policy (the firewall software had been damaged and had to be reinstalled).
- Yesterday it was a token issue. The RSA token had desynchronized with the RSA SecurID server and had to be resynchronized with the assistance of the VPN helpdesk. I wouldn't have figured it out without help, as the Cisco VPN Client hadn't shown any warnings or errors (all options in the log settings were set to high priority).

BTW: our manual says that there are a few reasons for error 413 to appear:
- locked AD or token account
- dropped connection (which has to time out before making another one)
- firewall and antivirus policy mismatch