Cisco ACS 5.X - Root Patch. [TESTED]

Real quick because it’s 2 A.M.

• Patch file is universal for all ACS 5.X versions - RootPatchSSH.tar.gz.
• To install it, use the “application install” command instead of “acs patch install”. The installation process does not require rebooting the server:

hostname/admin# conf t
hostname/admin(config)# repository TEST
hostname/admin(config-Repository)# url
hostname/admin(config-Repository)# user ftpuser password plain ftppass
hostname/admin(config-Repository)# end
hostname/admin# application install RootPatchSSH.tar.gz TEST
Do you want to save the current configuration ? (yes/no) [yes] ? yes
Generating configuration...
Saved the running configuration to startup successfully

Application successfully installed

• After installation you will see an additional section at the very end of the “show ver” output:

hostname/admin#show version

Version     : 1.3.0                             Vendor: Cisco Systems, Inc.
Build Date  : May 10 2013  17:45IST

• To enable root login, log in again and then run:

hostname/admin# root_enable
Password :
Password Again :

Root patch enabled

hostname/admin# root
Enter root patch password :
Starting root bash shell ...
ade # cat /etc/redhat-release
CentOS release 4.7 (Final)
ade #

Cisco ACS 5.3 - Patch installation. [TESTED]

Again about ACS patching.

• Configure the simplest repository (FTP is simplest because no RSA key is required):

conf t
 repository TEST
  user ftpuser password plain ftppass

• Upload patch file to FTP server, then check file availability:

show repository TEST

• Install the patch:

acs patch install 5-3-0-40-10.tar.gpg repository TEST

Cisco IOS as PPTP server (VPDN) and Windows RADIUS server for remote user authentication. [TESTED]

Router’s config

• The ‘aaa new-model’ command is required to go further, and if the router uses local authentication for CLI login, we have to make sure that we will still be able to log in after our changes. To do so:

username LOCALUSER privilege 15 secret SOMEPASSWORD
aaa new-model
aaa authorization exec default local

• Then we can go further. Configure RADIUS server group:

aaa group server radius VPDN_Auth
 server-private key SECRET
 ip radius source-interface Loopback0

• BOTH of the following statements are important. Without the authorization portion you will get “Error 742”.

aaa authentication ppp default group VPDN_Auth
aaa authorization network default group VPDN_Auth if-authenticated

Windows 2008 as RADIUS server

I set up Windows 2008 R2 Server with NPS (Network Policy Server) (nps.msc) as the RADIUS server for VPDN auth. It’s a really simple thing.
• Download 7601.17514.101119-1850_x64fre_server_eval_en-us-GRMSXEVAL_EN_DVD.iso
• Read this post to set up roles, AD forest, etc.
• Then read this post about how to configure NPS.

About the UDP ports: According to the documentation NPS listens for RADIUS traffic on ports 1812, 1813, 1645, and 1646 for both Internet Protocol version 6 (IPv6) and IPv4 for all installed network adapters by default.

ACS 5.X as RADIUS server for VPDN authentication

Basically, it’s easy to configure ACS 5.X for VPDN:

• Network Resources > Network Device and AAA Clients > Create > Important fields: IP, RADIUS Shared Secret > Submit.
• Users and Identity Stores > Internal Identity Stores > Users > Create > Name, Password > Submit.
• Access Policies > Access Service > Default Network Access > Allowed Protocols tab > Allow MS-CHAPv2 > Submit.

I tried to use ACS 5.3 as the RADIUS server for VPDN, but no luck. I got “Error 742: The remote computer does not support the required data encryption type.” all the time. I tried to find a solution and did some research. So, the problem is with MPPE:

Router#debug ppp mppe events
MPPE Events debugging is on
*Dec 31 08:59:46.066: Vi3 MPPE: RADIUS keying material missing

IP Tunneling > PPTP Frequently Asked Questions > Q. What does “Error 742” mean?:

Q. What does “Error 742” mean?

A. This error means that the remote computer does not support the required data encryption type. For example, if you set the PC for “encrypted only” and delete the pptp encrypt mppe auto command from the router, then the PC and the router cannot agree on encryption. The debug ppp negotiation command shows this output.

04:41:09: Vi1 LCP: O PROTREJ
[Open] id 5 len 16 protocol CCP (0x80FD0102000A1206010000B0)

Another example involves the router MPPE RADIUS problem. If you set the router for ppp encrypt mppe auto required and the PC for “encryption allowed with authentication to a RADIUS server not returning the MPPE key,” then you get an error on the PC that states, “Error 742: The remote computer does not support the required data encryption type.” The router debug shows a “Call-Clear-Request” (bytes 9 and 10 = 0x000C = 12 = Call-Clear-Request per RFC) as seen here.

00:45:58: Tnl 17 PPTP: CC I 001000011A2B3C4D000C000000000000
00:45:58: Vi1 Tnl/Cl 17/17 PPTP: CC I ClearRQ
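The header layout behind "bytes 9 and 10" in the debug line above, decoded per RFC 2637. This is an added example, not code from the Cisco FAQ or the original post; the function and variable names are illustrative.

```python
import struct

PPTP_MAGIC_COOKIE = 0x1A2B3C4D   # constant in every PPTP control message (RFC 2637)
CONTROL_MESSAGE = 1              # PPTP Message Type 1 = control message

# Control Message Type codes from RFC 2637
CONTROL_TYPES = {
    1: "Start-Control-Connection-Request", 2: "Start-Control-Connection-Reply",
    3: "Stop-Control-Connection-Request", 4: "Stop-Control-Connection-Reply",
    5: "Echo-Request", 6: "Echo-Reply",
    7: "Outgoing-Call-Request", 8: "Outgoing-Call-Reply",
    9: "Incoming-Call-Request", 10: "Incoming-Call-Reply",
    11: "Incoming-Call-Connected", 12: "Call-Clear-Request",
    13: "Call-Disconnect-Notify", 14: "WAN-Error-Notify", 15: "Set-Link-Info",
}

def parse_pptp_control(hex_dump):
    """Decode the hex string from a 'PPTP: CC I' debug line."""
    raw = bytes.fromhex(hex_dump)
    if len(raw) < 12:
        raise ValueError("shorter than the 12-byte PPTP control header")
    length, msg_type, cookie, ctrl_type, _reserved0 = struct.unpack("!HHIHH", raw[:12])
    if cookie != PPTP_MAGIC_COOKIE:
        raise ValueError("magic cookie mismatch: 0x%08X" % cookie)
    if msg_type != CONTROL_MESSAGE:
        raise ValueError("not a control message (type %d)" % msg_type)
    msg = {
        "length": length,
        "complete": length == len(raw),   # False if the dump was truncated
        "control_type": ctrl_type,        # bytes 9 and 10, counting from 1
        "name": CONTROL_TYPES.get(ctrl_type, "unknown"),
    }
    if ctrl_type == 12 and len(raw) >= 16:
        # Call-Clear-Request body: Call ID (2 bytes) + Reserved1 (2 bytes)
        msg["call_id"] = struct.unpack("!H", raw[12:14])[0]
    return msg

FAQ_DUMP = "001000011A2B3C4D000C000000000000"   # hex from the debug line quoted above

if __name__ == "__main__":
    print(parse_pptp_control(FAQ_DUMP))
```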

I compared successful and failed ‘debug radius’ outputs and made sure that MS-MPPE-Send-Key (16) and MS-MPPE-Recv-Key (17) attributes are absent in access-accept message from ACS.

BUT according to this official document:

In ACS 5.1, you cannot configure these attributes. These are added to the profile as required.
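The comparison described above can be automated: this added example (not from the original post or from Cisco) walks the attributes of a raw RADIUS Access-Accept and reports which of the two MPPE key attributes are missing. It assumes the input is the UDP payload taken from a packet capture; the sample packets are constructed with placeholder bytes, and vendor ID 311 with vendor types 16/17 come from RFC 2548.

```python
import struct

VENDOR_SPECIFIC = 26        # RADIUS attribute type carrying VSAs (RFC 2865)
MICROSOFT_VENDOR_ID = 311   # vendor ID used by the RFC 2548 attributes
MPPE_KEYS = {16: "MS-MPPE-Send-Key", 17: "MS-MPPE-Recv-Key"}

def microsoft_vendor_types(packet):
    """Return (code, set of Microsoft vendor types) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    found, pos = set(), 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + attr_len]
        if attr_type == VENDOR_SPECIFIC and len(value) >= 6:
            if struct.unpack("!I", value[:4])[0] == MICROSOFT_VENDOR_ID:
                sub = 4   # sub-attributes start after the 4-byte vendor ID
                while sub + 2 <= len(value) and value[sub + 1] >= 2:
                    found.add(value[sub])
                    sub += value[sub + 1]
        pos += attr_len
    return code, found

def missing_mppe_keys(packet):
    """List the MPPE key attributes absent from an Access-Accept (code 2)."""
    code, found = microsoft_vendor_types(packet)
    if code != 2:
        raise ValueError("not an Access-Accept")
    return [name for vtype, name in sorted(MPPE_KEYS.items()) if vtype not in found]

# --- constructed sample packets (placeholder bytes, not captured traffic) ---
def _vsa(vendor_type, data):
    body = struct.pack("!IBB", MICROSOFT_VENDOR_ID, vendor_type, len(data) + 2) + data
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body

def _accept(*attrs):
    payload = b"".join(attrs)
    return struct.pack("!BBH", 2, 1, 20 + len(payload)) + bytes(16) + payload

ACCEPT_WITHOUT_KEYS = _accept(_vsa(26, bytes(43)))   # MS-CHAP2-Success only
ACCEPT_WITH_KEYS = _accept(_vsa(26, bytes(43)), _vsa(16, bytes(34)), _vsa(17, bytes(34)))

if __name__ == "__main__":
    print(missing_mppe_keys(ACCEPT_WITHOUT_KEYS))
    print(missing_mppe_keys(ACCEPT_WITH_KEYS))
```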

I also found a few ACS bugs related to MPPE functionality. For example:

CSCty11627 - ACS5 sends MS-CHAP-MPPE-Keys attribute in all access-accept packets
CSCtx90637 - ACS MSCHAPV2 is not hashing the mschap success correctly

Some useful links:

Configuring CiscoSecure ACS for Windows Router PPTP Authentication
Cisco Secure ACS for Windows Router PPTP Authentication

Well, I just stopped. Don’t want to waste my time on this tiny little buggy thing…

Cisco ACS 5.3 - Installation process. [TESTED on VMware ESXi]

Tested with VMware ESXi 5.5u2 and ACS 5.3.

• Download ACS_v5.3.0.40.iso, upload it to ESXi via VMware vSphere Client (DataStore Browser).
• New Virtual Machine > Typical > Type the desired name of the virtual machine > Choose datastore > Linux (Other Linux (32-bit)) > NIC config (not important) > Virtual disk size: 60GB, Thin Provision (to save datastore space) > Edit the virtual machine settings before completion > Memory 4GB > CPU 2 (not important) > CD/DVD - Datastore ISO File, Choose ACS_v5.3.0.40.iso, Connect at power on > Finish.
• Open a Console > Power On.
• Choose boot option “[1] Cisco Secure ACS 5.3 Installation (Keyboard/Monitor)”.
• Wait until the installation process is completed, issue the ‘setup’ command and do the initial configuration:

Please type 'setup' to configure the applicance
localhost login: setup

• Wait until the VM has booted up after the reboot, log in via HTTPS using the acsadmin/default credentials, and upload the license file.
• Finished!


I still do not understand what’s going on with CCIE Security Lab exam, what ACS version does it have. It should be ACS 5.3 with the latest patch, BUT after upgrading to “AAA Reports” stop working at all!

Useful links

Secure Access Control System (ACS 5.x and later) Troubleshooting

Cisco “service config”.

Today I once again noticed the following in the console of a Cisco Catalyst running IOS 15.X:

%Error opening tftp:// (Timed out)
%Error opening tftp:// (Timed out)
%Error opening tftp:// (Timed out)
%Error opening tftp:// (Timed out)

A couple of links on the topic:

service config command reference.
