802.1x Port Authentication via RADIUS
I am investigating implementing 802.1x port authentication on our network.
I have a test LAN with a Catalyst 2950 switch and 2 Win XP workstations, (I know its pretty basic, but should be enough for testing purposes). One of these XP PCs is running a Win32 RADIUS server and the other has been configured for 802.1x authentication with MD5-Challenge. Both switch ports are configured for the default vlan and can ping each other.
I have configured the switch with the following commands
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host x.x.x.x key test
and the port to be authorised has been configured with
dot1x port-control auto
As far as I can tell this is all I need to configure on the switch, please correct me if I am wrong.
When I plug the PC into the port I get the request to enter login details, which I do, the RADIUS server sees the request but rejects it, because 'the password wasnt available'. Here is the output from the request, but there isnt any password field and I know there should be as the RADIUS server comes with a test utility and the output from that is similar to below, but the password field is included. I have removed IP/MAC addresses.
Client address [x.x.x.x]
NAS address [x.x.x.x]
UniqueID=3
Realm = def
User = Administrator
Code = Access request
ID = 26
Length = 169
Authenticator = 0xCCD65F510764D2B2635563104D0C2601
NAS-IP-Address = x.x.x.x
NAS-Port = 50024
NAS-Port-Type = Ethernet
User-Name = Administrator
Called-Station-Id = 00-11-00-11-00-11
Calling-Station-Id = 11-00-11-00-11-00
Service-Type = Framed
Framed-MTU = 1500
State = 0x3170020000FCB47C00
EAP-Message = 0x0201002304106424F60D765905F614983F30504A87BA41646D696E6973747261746F72
Message-Authenticator = 0xA119F2FD6E7384F093A5EE1BF4F761EC
Client address [x.x.x.x]
NAS address [x.x.x.x]
UniqueID=4
Realm = def
User = Administrator
Code = Access reject
ID = 26
Length = 0
Authenticator = 0xCCD65F510764D2B2635563104D0C2601
EAP-Message = 0x04010004
Message-Authenticator = 0x00000000000000000000000000000000
On the 2950 I have turned on debugging with 'debug dot1x all' and part of the output is below:
*Mar 2 01:58:38: dot1x-ev:Username is Administrator
*Mar 2 01:58:38: dot1x-ev:MAC Address is 0011.0011.0011
*Mar 2 01:58:38: dot1x-ev:RemAddr is 00-11-00-11-00-11/00-11-00-11-00-11
*Mar 2 01:58:38: dot1x-ev:going to send to backend on SP, length = 26
*Mar 2 01:58:38: dot1x-ev:Received VLAN is No Vlan
*Mar 2 01:58:38: dot1x-ev:Enqueued the response to BackEnd
*Mar 2 01:58:38: dot1x-ev:Sent to Bend
*Mar 2 01:58:38: dot1x-ev:Received QUEUE EVENT in response to AAA Request
*Mar 2 01:58:38: dot1x-ev:Dot1x matching request-response found
*Mar 2 01:58:38: dot1x-ev:Length of recv eap packet from radius = 26
*Mar 2 01:58:38: dot1x-ev:Received VLAN Id -1
Again there doesnt appear to be a password, shouldn't I see one?
Ultimately we will be using a Unix RADIUS server but for testing purposes I have just configured an eval version of Clearbox's RADIUS server. I've tried others as I thought the problem maybe the software, but I get similar problems regardless. If anyone can recommend better Win32 software, please do so.
I'm struggling to figure out where the problem is, the XP machine, the switch or the RADIUS server. Any advice would be appreciated as it's getting quite frustrating.
These are dot1x event debugs, so you wouldn't see this with that debug. The closest thing to seeing it would be to debug radius on the switch, and the password would be contained in RADIUS Attribute[79]. The switch uses this attribute to replay the EAP message (unmodified) to a RADIUS server. You might see it, but it's encrytped, so it might not buy you much. I'm sure you can imagine from a security point of view why the switch won't/shouldn't have this much visibility into this ;-).
I would recommend either:
a) Double-checking your RADIUS setup and logs to find out why the user failed. (double-check the RADIUS key configured on the switch too .. it must match).
b) Downloading a third-party supplicant from Meetinghouse or Funk to use as a control.
Eval copies are available on their websites.
Hope this helps,
Similar Messages
-
802.1x port authentication and Windows Radius, possible?
Hello,
I'm just testing at the moment before implementing on our netowrk, but has anyone implemented 802.1x port authentication on there Cisco switch and used a Windows IAS server? See out users are all all on a Windows domain and I want to authenticate using their active directory credentials. I think I am fine with the switch config, but it is the Windows IAS/Raduis server. I have added the switch IP's and secret, but I need to create a policy to accept the domain users and need help.
ThanksAndy:
Yes of course you can use whatever radius server as a AAA server for 802.1x authentication on the switches. NPS, IAS, ACS, Open RADIUS ....etc.
If you have problem with configuring the IAS then I would suggest that you post your quesiton in a microsoft forum and not here. They would be able to better assist you with your issue. But you can still look somewhere in this forum or in google to help yourself.
See this link, it could be useful for you: https://supportforums.cisco.com/thread/2090403
Regards,
Amjad
Rating useful replies is more useful than saying "Thank you" -
Radius server for 802.1x port authentication
Does anybody know if CiscoSecure for Unix version 2.3.6.2 can be used as a Radius server for 802.1x port authentication? I know the Windows version will do this and can be configured to assign a user to a specific VLAN, but can the UNIX software do the same?
ThanksCheck connectivity between the PIX and the server.
If the server is outside the PIX, verify that it is specified in the (if_name) parameter of the aaa-server command. In the example below, the (if_name) parameter represents outside.
aaa-server group_tag (if_name) host server_ip key timeout 5
If you are using TACACS+, verify that the PIX and server are communicating on the same port (Transmission Control Protocol (TCP)/49).
If you are using RADIUS, verify that the PIX and server are communicating on User Datagram Protocol (UDP) port 1645. Or, if the RADIUS server is using port 1812, verify that the PIX is using software version 6.0 or later, and then issue the aaa-server radius-authport 1812 command to specify port 1812.
Ensure that the secret key is correct.
Check the server logs for failed attempts. All servers have some kind of logging function. -
Help Please :) LInksys WRVS4400N 802.1X port authentication setup
HI all,
I am trying to configure 802.1X port authentication on my Linksys WRVS4400N. I created a test lab in order to do this, currently I am using
1x Linksys WRVS4400N
1x Microsoft Server 2003 with IAS and Active Directory services
1x Dell Laptop (Used for testing Radius Athentication)
I Created 4 VLAN(s) to test with this LAB
VLAN 1 Managament. Addr Range 192.168.1.0 /24. GW 192.168.1.254
VLAN 10 Servers. Addr Range 172.16.1.0 /24. GW 172.16.1.254
VLAN 20 IT. Addr Range 172.16.2.0 /24. GW 172.16.2.254
VLAN 30 Design. Addr Range 172.16.3.0 /24. GW 172.16.3.254
This is how I assigned my VLAN(s) to my ports. This is found on the VLAN & Port Assignment Screen
Port 1 -> Mode: General -> Frame Type: All -> PVID 1 (Port 1 is used for VLAN 1: Management)
Port 2 -> Mode: General -> Frame Type: All -> PVID 10 (Port 2 is used for VLAN 20: Servers)
Port 3 -> Mode: Access -> Frame Type: All (Port 3 is used for RADIUS. DHCP enabled)
Port 4 -> Mode: Access -> Frame Type: All (Port 4 is used for RADIUS. DHCP enabled)
VLAN 1: Default
Port 1: Untagged, Port 2: Tagged, Port(s): 3, 4 & Wireless: Excluded
VLAN 10: Servers
Port(s): 1, 3, 4 & Wireless: Excluded. Port 2: Untagged
VLAN 20: IT
Port(s): 1, 2: Excluded, Port(s): 3,4 & Wireless: Untagged
VLAN 30: Design
Port(s): 1, 2: Excluded, Port(s): 3,4 & Wireless: Untagged
This is how my Radius is setup
Mode: Enabled
RADIUS IP: 172.16.1.1 (IP of the WIN2K3 Server)
UDP Port: 1812
Secret: Password1
Port(s) 1 & 2: Force Authorized
Port(s) 3 & 4: Force UnAuthorized
On the Server this is what I have configured
1. Created a domain: GLAB. Created two groups: IT LAN, Design LAN, then assigned users to those groups. IE: User1 belongs to IT LAN
2. Created a IAS Remote Access Policy and named it IT LAN. The profile settings are listed below
Tunnel-Medium-Type: 802
Tunnel-PVT-Group-ID: 20
Tunnel-Type: Virtual LAN
My goal is to test RADIUS authentication on ports 3 and 4 on the Linksys WRV . I tested everything else I made sure the VLAN's were working ok so what I did was took a Dell Laptop and joined it to my domain. I pluged the Dell Laptop into port 4 to test Radius Authentication. When I tried to log in as User1 it didn't work.
I am new to setting up 802.1X, I wanted to know if I missed a setting or I misconfigured something. I even ran wireshark on my Windows 2003 machine to see if any RADIUS data is coming from my router (172.16.1.254) and I didn't see anything
If anybody can help me out that would be great!
Cheers
Graham1. I don't think the WRVS4400N supports RADIUS assigned VLANs. I can't find anything in the manual suggesting it would. I would say you can only use the RADIUS server for authentication on a port but the VLAN must be configured before.
2. You don't write what is exactly connected to each port on the WRVS. For instance, it is unclear whether the MS Server is connected directly to port 2 or whether it connects to another switch to which you have connected other servers as well.
3. The VLAN configuration looks very odd to me. If I see it correctly you have:
Port 1: General mode, PVID 1, 1U
Port 2: General mode, PVID 10, 1T, 10U
Port 3: Access mode, PVID ???, 20U, 30U
Port 4: Access mode, PVID ???, 20U, 30U
I wonder why you are even able to set this up...
a. Port 1 should be set to Access mode with PVID 1 and 1U. With access mode the port is member of a single VLAN and all traffic is untagged. That is exactly what you have set up, but with General mode.
b. Port 2 must be connected to a server (or a managed switch). The NIC in the server must be configured for 802.1q tagged frames. On the server NIC you must configure VLAN 1 as tagged VLAN and VLAN 10 as default/native/untagged VLAN. Only then the server is able to communicate on VLAN 1 and VLAN 10.
c. Port 3&4 are in access mode. In access mode the port can only be member of a single VLAN. What you post suggests that they are member of two VLANs. That should not even be possible to configure. If it is possible, that it is definitively incorrect. You must decide to which VLAN these ports belong to.
4. To use RADIUS authentication on a port you must set it to "Auto". "Force UnAuthorized" sets it unauthorized, i.a.W. you disable the port completely. To traffic will go through. See the manual: "Force Unauthorized—Controlled port state is set to Force-Unauthorized (discard traffic). All connections are blocked."
5. Did you verify that your RADIUS server is actually using port 1812? 1645 is also commonly used for radius authentication. Check the configuration on the RADIUS server or check with "netstat -a" to see if 1812 is used.
6. Also check, whether the RADIUS traffic is sent on the management VLAN 1. The WRVS uses VLAN 1 as management VLAN and it might well be that it expects the RADIUS server to be in the management VLAN. Use the server IP address in VLAN 1 as RADIUS server IP address to check that.
7. Did you check with wireshark the traffic on the 802.1x client machine? Does it send something out? Does it receive anything? -
802.1x wired authentication via PEAP, MD5
Hi everyone,
Thank you for taking the time for reading this, I am implementing a security solution and wanted to take th benefit of implementing 802.1x over wire. I have been searching a bit but no much info from start to finish on how to implementing this solution,
i would really appreciate if someone could point me some where to find detailed instruction on how to do this, as so far i have been configuring in multiple way bit no result out of it. Still a orange port color on my switch, that means the first
hop of security work but the next no.
Thank you in advance to read this.Hi,
According to your description, my understanding is that you want to deploy 802.1x wired authentication via PEAP, MD5 and need instructions about this.
Some articles and just for your reference:
802.1X Authenticated Wired Access Overview
https://technet.microsoft.com/en-us/library/hh831831.aspx
802.1X Authenticated Wired Access Design Guide
https://technet.microsoft.com/library/dd378864(WS.10).aspx
IEEE 802.1X Wired Authentication
https://technet.microsoft.com/en-us/magazine/2008.02.cableguy.aspx
Best Regards,
Eve Wang
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected] -
About TACACS+ and 802.1x port authentication
Hi
Is it true? TACACS+ will not work with 802.1x port authentication because EAP is not supported in TACACS+,
Where to find the documents about Tacacs+ doesn't support EAP?
Regards,
Thanks.Correct, TACACS does not support EAP, check the following links:
https://cisco.hosted.jivesoftware.com/message/7901
http://www.rfc-editor.org/rfc/rfc1492.txt -
About 802.1x port authentication using TACACS+
Hi
I have some question. Please help me. Thanks.
Question1. May I use that 802.1x port authentication using TACACS+
Question2. Is it true? TACACS+ will not work with 802.1x because EAP is not supported in TACACS+, and there are no plans to get EAP over TACACS+.
Any help would be greatly appreciated.
Thanks.Thanks to you.
Where to find the documents about Tacacs+ doesn't support EAP?
I cast more time and I cannot find the documents.
Please help me....
Thanks. -
VPN Tunnel w/ 802.1X port authentication against remote RADIUS server
I have a Cisco 892 setup as a VPN client connecting to an ASA 5515-X. The tunnel works fine and comes up if theirs correct traffic. I have two RADIUS servers I want to use certificate based authentication to, that are located behind the ASA 5515-X.
If I connect a computer that has the correct certificates to ports FA0 through 3, authentication won't work. I'll see the following. This happens even if the VPN tunnel is established already by doing something such as connecting a VOIP phone. No entrys are located in the RADIUS logs, and I also cannot ping the RADIUS servers from VLAN10.
*Jan 30 19:46:01.435: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.1.100:1812,1813 is not responding.
*Jan 30 19:46:01.435: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.1.100:1812,1813 is being marked alive.
*Jan 30 19:46:21.659: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.26.10:1812,1813 is not responding.
*Jan 30 19:46:21.659: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.26.10:1812,1813 is being marked alive.
If I connect a second PC to an interface with 802.1X disabled, such as FA6, the VPN tunnel will establish itself correctly. In this situation, I can ping the RADIUS servers from VLAN10. If I go ahead and connect another PC with correct certificates to a port with 802.1X enabled such as port FA0 through 3, then 802.1X will suceed.
Current configuration : 6199 bytes
! Last configuration change at 15:40:11 EST Mon Feb 3 2014 by
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname router1
boot-start-marker
boot-end-marker
aaa new-model
aaa local authentication default authorization default
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa session-id common
clock timezone EST -5 0
clock summer-time EDT recurring
ip cef
ip dhcp pool pool
import all
network 192.168.28.0 255.255.255.248
bootfile PXEboot.com
default-router 192.168.28.1
dns-server 192.168.26.10 192.168.1.100 8.8.8.8 4.2.2.2
domain-name domain.local
option 66 ip 192.168.23.10
option 67 ascii PXEboot.com
option 150 ip 192.168.23.10
lease 0 2
ip dhcp pool phonepool
network 192.168.28.128 255.255.255.248
default-router 192.168.28.129
dns-server 192.168.26.10 192.168.1.100
option 150 ip 192.168.1.132
domain-name domain.local
lease 0 2
ip dhcp pool guestpool
network 10.254.0.0 255.255.255.0
dns-server 8.8.8.8 4.2.2.2
domain-name local
default-router 10.254.0.1
lease 0 2
no ip domain lookup
ip domain name remote.domain.local
no ipv6 cef
multilink bundle-name authenticated
license udi pid CISCO892-K9
dot1x system-auth-control
username somebody privilege 15 password 0 password
redundancy
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
crypto isakmp key secretpassword address 123.123.123.123
crypto ipsec transform-set pix-set esp-aes 256 esp-sha-hmac
mode tunnel
crypto map pix 10 ipsec-isakmp
set peer 123.123.123.123
set transform-set pix-set
match address 110
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
interface FastEthernet0
switchport access vlan 10
switchport voice vlan 11
no ip address
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
interface FastEthernet1
switchport access vlan 10
switchport voice vlan 11
no ip address
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
interface FastEthernet2
switchport access vlan 10
switchport voice vlan 11
no ip address
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
interface FastEthernet3
switchport access vlan 10
switchport voice vlan 11
no ip address
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
interface FastEthernet4
switchport access vlan 10
switchport voice vlan 11
no ip address
spanning-tree portfast
interface FastEthernet5
switchport access vlan 12
switchport voice vlan 11
no ip address
spanning-tree portfast
interface FastEthernet6
switchport access vlan 10
switchport voice vlan 11
no ip address
spanning-tree portfast
interface FastEthernet7
switchport access vlan 10
switchport voice vlan 11
no ip address
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
interface FastEthernet8
no ip address
shutdown
duplex auto
speed auto
interface GigabitEthernet0
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map pix
interface Vlan1
no ip address
interface Vlan10
ip address 192.168.28.1 255.255.255.248
ip nat inside
ip virtual-reassembly in
interface Vlan11
ip address 192.168.28.129 255.255.255.248
interface Vlan12
ip address 10.254.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 101 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 dhcp
ip radius source-interface Vlan10
ip sla auto discovery
access-list 101 deny ip 192.168.28.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.28.0 0.0.0.255 any
access-list 101 permit ip 10.254.0.0 0.0.0.255 any
access-list 110 permit ip 192.168.28.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 110 permit ip 192.168.29.0 0.0.0.255 192.168.0.0 0.0.255.255
radius-server host 192.168.1.100 auth-port 1812 acct-port 1813 key secretkey
radius-server host 192.168.26.10 auth-port 1812 acct-port 1813 key secretkey
control-plane
mgcp profile default
line con 0
line aux 0
line vty 0 4
transport input all
ntp source FastEthernet0
ntp server 192.168.26.10
ntp server 192.168.1.100
endI have 802.1X certificate authentication enabled on the computers. As described in my post above, authentication will work if theirs another device on the same VLAN that is connected to a port that bypasses authentication. It seems like I have a chicken and egg scenario, a device needs to be sucessfully connected to VLAN10 before the router will use it's VLAN10 interface to communicate with my remote RADIUS server.
-
Authentication via RADIUS : MSCHAPv2 Error 691
Hello All,
I am working on setting up authentication into an Acme Packet Net-Net 3820 (SBC) via RADIUS. The accounting side of things is working just fine with no issues. The authentication side of things is another matter. I can see from a packet capture that the access-request
messages are in fact getting to the RADIUS server at which point the RADIUS server starts communicating with the domain controllers. I then see the chain of communication going back to the RADIUS and then finally back to the SBC. The problem is the response
I get back is always an access-reject message with a reason code of 16 (Authentication failed due to a user credentials mismatch. Either the user name provided does not match an existing user account or the password was incorrect). This is confirmed by looking
at the security event logs where I can see events 4625 and 6273. See the events below (Note: The names and IPs have been changed to protect the innocent):
Event ID: 6273
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID:
NULL SID
Account Name:
real_username
Account Domain:
real_domain
Fully Qualified Account Name:
real_domain\real_username
Client Machine:
Security ID:
NULL SID
Account Name:
Fully Qualified Account Name:
OS-Version:
Called Station Identifier:
Calling Station Identifier:
NAS:
NAS IPv4 Address:
10.0.0.10
NAS IPv6 Address:
NAS Identifier:
radius1.real_domain
NAS Port-Type:
NAS Port:
101451540
RADIUS Client:
Client Friendly Name:
sbc1mgmt
Client IP Address:
10.0.0.10
Authentication Details:
Connection Request Policy Name:
SBC Authentication
Network Policy Name:
Authentication Provider:
Windows
Authentication Server:
RADIUS1.real_domain
Authentication Type:
MS-CHAPv2
EAP Type:
Account Session Identifier:
Logging Results:
Accounting information was written to the SQL data store and the local log file.
Reason Code:
16
Reason:
Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
Event ID: 4625
An account failed to log on.
Subject:
Security ID:
SYSTEM
Account Name:
RADIUS1$
Account Domain:
REAL_DOMAIN
Logon ID:
0x3E7
Logon Type: 3
Account For Which Logon Failed:
Security ID:
NULL SID
Account Name:
real_username
Account Domain:
REAL_DOMAIN
Failure Information:
Failure Reason:
Unknown user name or bad password.
Status:
0xC000006D
Sub Status:
0xC000006A
Process Information:
Caller Process ID:
0x2cc
Caller Process Name:
C:\Windows\System32\svchost.exe
Network Information:
Workstation Name:
Source Network Address:
Source Port:
Detailed Authentication Information:
Logon Process:
IAS
Authentication Package:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services:
Package Name (NTLM only):
Key Length:
0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
So at first glance it would seem that the issue is merely a case of an invalid username or mismatched password. This is further confirmed in the packet capture where I can see the MSCHAPv2 response has an error code of 691 (Access denied because username or
password, or both, are not valid on the domain). The thing is I know I am using a valid username and I have tried many usernames including new ones I created just for troubleshooting. I don't know how many times I have reset the password in an attempt to ensure
it is not a mismatch password. I have even made sure to use passwords that are fairly short and contain only letters to ensure there was no terminal encoding issues (we connect to the SBC via SSH clients). I have also done this same thing with the shared secret
used during communication between the SBC and the RADIUS server. I have tried prefixing the username with the domain name at login (though I don't think that should be necessary). I have also tried using the full UPN of the user to login. I have tried several
RADIUS testing clients (NTRadPing, RadiusTest, etc.), but they either don't support MSCHAPv2 or only support EAP-MSCHAPv2. I have even created my own client using PHP's PECL RADIUS module. Still it always seems to fail with the MSCHAPv2 authentication with
an error code of 691. Does anyone have any ideas as to why I always get an invalid username or bad password response when I have done everything possible to ensure that is not the case?
Here are the specs for our RADIUS configuration:
Windows Server 2012 R2
SQL Server 2012 Back End Database for accounting.
The server has been authorized on the domain and is a member of the "RAS and IAS Servers" group. For which that group does have access to the accounts we are testing with.
The accounts we are testing with do have the "Control access through NPS Network Policy" option checked under their "Dial-in" property tab.
RADIUS clients configured to simply match on the IP address which you can see from the events above that it is applying the client friendly name.
Connection Request Policy: The "SBC Authenication" policy is being applied as seen above. The only condition is a regex expression that does successfully match the friendly name.
Network Policy: As seen in events above, none are getting applied. For troubleshooting purposes I have created a Network Policy that is set to "1" for the processing order and its only condition is a Day and Time Restriction currently set to any
time, any day.
The authentication method is set to only MSCHAPv2 or MSCHAPv2 (User can change password after it has expired). I have tried adding this to just the Network Policy and I have also tried adding this to the Connection Request Policy and setting it to override
the authentication method of the Network Policy.
We do have other RADIUS servers in our domain that use PEAP to authenticate wireless clients and they all work fine. However, we need this to work with MSCHAPv2 only (No EAP).
All other configurations are set to the defaults.
The only other things of note to consider is the fact that in the events above you can see that the Security ID is "NULL SID". Now I know this is common especially among failed logons but given that this issue is stating an invalid username or
bad password, perhaps it matters in this case. Also, this server has been rebuilt using the same computer account in Active Directory. I do not know if it would have worked before the rebuild. Essentially we built this server and only got as far as authorizing
the server to the domain and adding SQL when we decided to separate out the SQL role onto another server. Rather than uninstalling SQL we just rebuilt the machine. However, before reinstalling Windows I did do a reset on the computer account. I don't think
this should matter but thought I would point it out if there is some weird quirk where reusing the same SID of a previously authorized NPS server would cause an issue.
All in all it is a fairly basic setup and hopefully I have provided enough information for someone to get an idea of what might be going on. I hope this was the right forum to post this too, I figured there would be a higher number of RADIUS experts here than
any of the other categories. Apologies if my understanding of this seems a bit basic, after all, when it comes to RADIUS servers I guess you could say I'm the new guy here.Update 1:
In an attempt to further troubleshoot this issue I have tried bringing up additional servers for testing. Here are the additional tests I have performed.
Multiple Domains
I have now tried this in 3 different isolated domains. Both our test and production domains as well as my private home domain which has very little in the way of customizations aside from the modifications made for Exchange and ConfigMgr. All have the same
results described above.
VPN Service
Using Windows Server 2012 R2 we brought up a separate server to run a standard VPN setup. The intent was to see if we could use RADIUS authentication with the VPN and if that worked we would know the issue is with the SBCs. However, before we could even
configure it to use RADIUS we just attempted to make sure it worked with standard Windows Authentication on the local VPN server. Interestingly, it too fails with the same events getting logged as the RADIUS servers. The client machine being a Windows 8.1
workstation. Again I point out that we have working RADIUS servers used specifically for our wireless environment. The only difference between those RADIUS servers and the ones I am having problems with is that the working wireless servers are using PEAP instead
of MSCHAPv2.
FreeRADIUS
Now I'm no Linux guru but I believe I have it up and running. I am able to use ntlm_auth to authenticate users when logged on to the console. However, when the radiusd service tries to use ntlm_auth to do essentially the same thing it fails and returns the
same message I've been getting with the Windows server (E=691). I have the radiusd service running in debug mode so I can see more of what is going on. I can post the debug info I am getting if requested. The lines I am seeing of particular interest however
are as follows:
(1) ERROR: mschap : Program returned code (1) and output 'Logon failure (0xc000006d)'
(1) mschap : External script failed.
(1) ERROR: mschap : External script says: Logon Failure (0xc000006d)
(1) ERROR: mschap : MS-CHAP2-Response is incorrect
The thing to note here is that while we are essentially still getting a "wrong password" message, the actual status code (0xc000006d) is slightly different than what I was getting on the Windows Servers which was (0xc000006a). From this document
you can see what these codes mean:
NTSTATUS values . The good thing about this FreeRADIUS server is that I can see all of the challenge responses when it is in debug mode. So if I can wrap my head around how a MSCHAPv2 response is computed I can compare it to see if this is simply a miscomputed
challenge response. Update: Was just noticing that the 6a code is just the sub-status code for the 6d code. So nothing different from the Windows Servers, I still wonder if there is a computation error with the challenge responses though.
Currently, I am working on bringing up a Windows Server 2008 R2 instance of a RADIUS server to see if that helps at all. However, I would be surprised if something with the service broke between W2K8 R2 and W2K12 R2 without anyone noticing until now. If this
doesn't work I may have to open a case with Microsoft. Update: Same results with W2K8 R2. -
802.1x port authentication not working
I am having some troubles figuring out what is going on here. I am trying to setup 802.1x port based authentication to assign clients to VLANs. I inherited this mess and its been a long time since I have used this. I ran a wireshark on my Radius server and I see no packets even coming from my switch IP address when I plug into a port (I verified communication because pings come up in my trace)
Switch info:
sw-ConfB>sho ver
Cisco IOS Software, C2960C Software (C2960c405-UNIVERSALK9-M), Version 12.2(55)EX3, RELEASE SOFTWARE (fc2)
Port config:
interface FastEthernet0/11
switchport mode access
authentication event fail action authorize vlan 900
authentication event no-response action authorize vlan 900
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 5
Radius Server Info:
radius-server host 10.0.1.52 auth-port 1645 acct-port 1646 key 802.1x!
Kinda lost why not Radius packet even comes from the switch. Any tips?sw-ConfB#sho ru
Building configuration...
Current configuration : 6301 bytes
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname sw-ConfB
boot-start-marker
boot-end-marker
enable secret 5 $1$3QAC$puzutRpCI5zR3Xv55xBVH0
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa session-id common
system mtu routing 1500
crypto pki trustpoint TP-self-signed-706182400
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-706182400
revocation-check none
rsakeypair TP-self-signed-706182400
crypto pki certificate chain TP-self-signed-706182400
certificate self-signed 01
3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 37303631 38323430 30301E17 0D393330 33303130 30303430
365A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3730 36313832
34303030 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
C72AE421 F5BF8C62 7C9E14C1 E73686FB 67DD760A 0C6C790D 935143A0 8DD96CC8
D14A11C1 D16F9583 AE3B591E 68581049 1C837110 1B1C0398 BDE81C86 3F80CD45
E55EBE76 73B9F7AB 5F14CBD5 2BD38330 E1B4FA92 32490A66 CE0BE135 9B695D97
BF7C04FB 2999CF98 2336E82C 559A89C1 7F4E2948 1D73EBD4 236E4DD9 4D8675AB
02030100 01A36930 67300F06 03551D13 0101FF04 05300301 01FF3014 0603551D
11040D30 0B820973 772D436F 6E66422E 301F0603 551D2304 18301680 14C35330
A1D32EA5 C2A07CC9 B1B3CCDB EB93CAA7 02301D06 03551D0E 04160414 C35330A1
D32EA5C2 A07CC9B1 B3CCDBEB 93CAA702 300D0609 2A864886 F70D0101 04050003
8181002E FC217BF1 F9E6FBE1 B07270A6 79A57AA5 691A949D C61C00C2 09C1C3CA
CA14EE07 60BA058E CFDCD8E7 19D83B68 5F06B92C 8612B396 B18BA823 C0E83021
2EFD391E 06113246 5609E287 7883422A 0513AF6D 5BF03CDE 92786B1D 3E01284C
1EE23296 12999C71 BE8A5BEA 4B768F7E 6EB63E05 B71AF375 7FB72B98 7665BF45 D14622
quit
dot1x system-auth-control
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
interface FastEthernet0/1
switchport access vlan 900
switchport mode access
authentication event fail action authorize vlan 900
authentication event no-response action authorize vlan 900
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 5
interface FastEthernet0/2
switchport access vlan 900
switchport mode access
authentication event fail action authorize vlan 900
authentication event no-response action authorize vlan 900
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 5
interface FastEthernet0/3
switchport access vlan 900
switchport mode access
authentication event fail action authorize vlan 900
authentication event no-response action authorize vlan 900
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 5
interface FastEthernet0/4
switchport access vlan 900
switchport mode access
authentication event fail action authorize vlan 900
authentication event no-response action authorize vlan 900
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 5
interface FastEthernet0/5
switchport access vlan 900
switchport mode access
authentication event fail action authorize vlan 900
authentication event no-response action authorize vlan 900
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 5
interface FastEthernet0/6
switchport access vlan 900
switchport mode access
authentication event fail action authorize vlan 900
authentication event no-response action authorize vlan 900
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 5
interface FastEthernet0/7
switchport access vlan 900
switchport mode access
authentication event fail action authorize vlan 900
authentication event no-response action authorize vlan 900
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 5
interface FastEthernet0/8
switchport access vlan 900
switchport mode access
authentication event fail action authorize vlan 900
authentication event no-response action authorize vlan 900
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 5
interface FastEthernet0/9
switchport access vlan 900
switchport mode access
authentication event fail action authorize vlan 900
authentication event no-response action authorize vlan 900
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 5
interface FastEthernet0/10
switchport access vlan 900
switchport mode access
authentication event fail action authorize vlan 900
authentication event no-response action authorize vlan 900
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 5
interface FastEthernet0/11
switchport mode access
authentication event fail action authorize vlan 900
authentication event no-response action authorize vlan 900
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 5
interface FastEthernet0/12
switchport access vlan 900
switchport mode access
authentication event fail action authorize vlan 900
authentication event no-response action authorize vlan 900
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 5
interface GigabitEthernet0/1
switchport trunk native vlan 200
switchport trunk allowed vlan 100,200,900
switchport mode trunk
interface GigabitEthernet0/2
switchport access vlan 100
switchport mode access
interface Vlan1
no ip address
interface Vlan100
ip address 10.0.1.3 255.255.255.0
interface Vlan200
ip address 10.0.2.4 255.255.255.0
interface Vlan900
ip address 10.0.9.4 255.255.255.0
ip default-gateway 10.0.1.1
ip http server
ip http secure-server
ip sla enable reaction-alerts
radius-server host 10.0.1.52 auth-port 1645 acct-port 1646 key 802.1x!
radius-server retransmit 5
radius-server key secret
radius-server vsa send authentication -
802.1X Port Authentication\ACS Question
Hello,
I"m troubleshooting a 3560 port authentication issue. From what I was told from other members of my team when we upgraded to windows 7 at this site authentication no longer works. I compared an old config to a recent one and noticed there was no command dot1x system-auth-control.
I have only been dealing with 802.1x for a short time and my other configs have this command. My question is without this command could there still have been port authentication working? On a inteface for ex. they do have the following which are inligned with my other configs. FYI, I didn't set this site up and it has the rest of the config correct like radius and aaa. When I went onsite to test I shut down the service on my laptop for 802.1x which should of blocked me so I thought. When I checked the ACS server for the log it showed my username and my correct IP address along with the correct switch but it showed I connected using PAP_ASCII, I"m not sure how this protocol got used since we don't use that. Thanks for any suggestions you might have.
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-host
dot1x violation-mode protect
dot1x reauthentication
aaa new-model
aaa authentication password-prompt PASSCODE---->
aaa authentication login default group radius local
aaa authorization exec default group radius local
aaa session-id commonI have a little more to add. I was looking in the ACS and did find PAP_ASCII checked so at my home office which I know port security to be working at least that's what I thought. I turned off wired auto config and could still get on and when I looked at the ACS logs I saw my name with this protocol again. Not sure how this got turned on but my questionbecomes if 802.1x is setup on the switch but ACS allows this protocol and my laptop isn't running any 802.1x settings I can still get on the network, is this the correct behavior for this setup?
Thanks, -
NAC 802.1x: VLAN assignment via RADIUS
I'm deploy a 802.1x NAC solution. Users authenticate ok but the VLAN is not assigned to the port.
The RADIUS server send the attributes to the NAD (switch 3560). I see the following lines in the radius debug output:
02:49:08: RADIUS: Received from id 1645/4 192.168.1.1:1645, Access-Accept, len 267
02:49:08: RADIUS: authenticator AB 90 94 95 D0 86 04 E5 - D3 AC 43 21 C0 31 29 EB
02:49:08: RADIUS: Session-Timeout [27] 6 3600
02:49:08: RADIUS: Termination-Action [29] 6 1
02:49:08: RADIUS: Tunnel-Type [64] 6 01:Unsupported [13]
02:49:08: RADIUS: Tunnel-Medium-Type [65] 6 01:Unsupported [6]
02:49:08: RADIUS: Tunnel-Private-Group[81] 10 01:"healthy"
02:49:08: RADIUS: Vendor, Cisco [26] 29
02:49:08: RADIUS: Cisco AVpair [1] 23 "posture-token=Healthy"
I suppose that the error appears because the attributes 64 and 65 are "Unsupported". Is it right?
In RADIUS server I configure:
attribute 64 = VLAN (13)
attribute 65 = 802 (6)
Below I attach switch configuration. The "healthy" vlan is configured in this one.
Any help would be appreciated.
Thanks and regards.
Mart?n.I change the IOS and all work fine. The IOS must have the feature "NAC - L2 IEEE 802.1x".
Other user has the same problem, he posted the question with the following subject: "NAC L2 802.1x VLAN assignment".In this question the problem is better described. -
Hi,
I want to access Cisco PI 2.1 GUI using my AD credentials, so on PI I've enabled RADIUS AAA Mode and added RADIUS servers (two ISE nodes in our case). On ISE I added PI as RADIUS client and configured the same keys. Next, on ISE I created authorization profile PRIME_ADMIN_ACCESS with only attribute settings defined:
My authentication and authorization rules relating that case are as on following screenshots:
So when I open GUI of PI and enter my AD credentials to log in I have no success and I receive following message:
Looking in ISE's Authentication section I can see following:
Time difference between these two authentication/authorizations is just 25 msecs and clicking on each of them reveals following:
So at first I can authenticate and authorize (authorization profile has necessary attributes defined for PI management access (NCS:role0=Root, NCS:virtual-domain0=ROOT-DOMAIN)) and after 25 msecs I am getting failure. So what could be cause of such things and how I can successfully log in to PI GUI authenticating via ISE using AD credentials?Hi,
-- Please Go to Administration > Logging > set the Message level to TRACE > Click save
-- Then try to add the ISE.
-- Once it fails, collect the logs from Administration > Logging >
check the "ncs-0-0.log" & search the file for "ERROR" & paste the results here. This will give us exact reason.
- Ashok
Please rate the post or mark as correct answer as it will help others looking for similar information -
802.1x port authentication failing after getting a access-accept packet
Hi all,
Im not 100% sure what the hell is going on here.
Any idea's or help will be appreciated.
Heres the topology.
1 x windows 2012 NPS
1x 3750X
1x Windows 7 x64
data flow
<laptop> - - [gi 1/0/13]<3750X>[gi 1/0/48]- -[gi 5/39]<6513>[po 1] - - [po 4]<6509><5/1> - - <VMWARE>[NPS Server]
The switch that is doing the authentication is the 3750X. Here is the IOS version.
Switch Ports Model SW Version SW Image
* 1 54 WS-C3750X-48 15.2(1)E C3750E-UNIVERSALK9-M
A wireshark trace on the NPS server shows that the packets are arriving and being sent back
Wireshark on a mirror of the trunk port connecting the 6513. It also shows packets being sent and arriving. access-accept packets are being recieved.
As you can see in the debug output, the switch is getting a access-accept, then it is stating a AAA failure.
here is a debug output as you plug in the laptop.
Oct 24 10:53:44.653: dot1x-ev:[Gi1/0/13] Interface state changed to DOWN
Oct 24 10:53:44.653: dot1x-ev:[Gi1/0/13] No DOT1X subblock found for port down
Oct 24 10:53:45.643: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to down
Oct 24 10:53:46.641: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to down
Oct 24 10:53:47.538: dot1x-ev:[Gi1/0/13] Interface state changed to UP
Oct 24 10:53:47.564: dot1x-packet:[6431.500e.9b00, Gi1/0/13] queuing an EAPOL pkt on Auth Q
Oct 24 10:53:47.572: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/13
Oct 24 10:53:47.572: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x1
Oct 24 10:53:47.572: dot1x-packet: length: 0x0000
Oct 24 10:53:47.572: dot1x-ev:[Gi1/0/13] Dequeued pkt: Int Gi1/0/13 CODE= 0,TYPE= 0,LEN= 0
Oct 24 10:53:47.572: dot1x-ev:[Gi1/0/13] Received pkt saddr =6431.500e.9b00 , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
Oct 24 10:53:47.572: dot1x-ev:[Gi1/0/13] Couldn't find the supplicant in the list
Oct 24 10:53:47.572: dot1x-ev:[6431.500e.9b00, Gi1/0/13] New client detected, sending session start event for 6431.500e.9b00
Oct 24 10:53:47.572: AAA/BIND(00000047): Bind i/f
Oct 24 10:53:47.580: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Sending create new context event to EAP for 0x15000045 (6431.500e.9b00)
Oct 24 10:53:47.580: EAP-EVENT: Received context create from LL (Dot1x-Authenticator) (0x15000045)
Oct 24 10:53:47.580: EAP-AUTH-EVENT: Received AAA ID 0x00000047 from LL
Oct 24 10:53:47.580: EAP-AUTH-AAA-EVENT: Assigning AAA ID 0x00000047
Oct 24 10:53:47.580: EAP-AUTH-AAA-EVENT: CTS not enabled on interface Gi1/0/13
Oct 24 10:53:47.580: EAP-AUTH-EVENT: Received Session ID "C0A846660000004700DF6030" from LL
Oct 24 10:53:47.580: EAP-AUTH-EVENT: Setting authentication mode: Passthrough
Oct 24 10:53:47.580: eap_authen : initial state eap_auth_initialize has enter
Oct 24 10:53:47.580: EAP-EVENT: Allocated new EAP context (handle = 0xE8000047)
Oct 24 10:53:47.580: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Created a client entry (0x15000045)
Oct 24 10:53:47.580: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Dot1x authentication started for 0x15000045 (6431.500e.9b00)
Oct 24 10:53:47.580: %AUTHMGR-5-START: Starting 'dot1x' for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
Oct 24 10:53:47.580: EAP-EVENT: Received EAP event 'EAP_AUTHENTICATOR_START' on handle 0xE8000047
Oct 24 10:53:47.580: eap_authen : during state eap_auth_initialize, got event 25(eapStartTmo)
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_initialize -> eap_auth_select_action
Oct 24 10:53:47.580: eap_authen : during state eap_auth_select_action, got event 20(eapDecisionPropose)
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_select_action -> eap_auth_propose_method
Oct 24 10:53:47.580: eap_authen : idle during state eap_auth_propose_method
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_propose_method -> eap_auth_method_request
Oct 24 10:53:47.580: eap_authen : idle during state eap_auth_method_request
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_method_request -> eap_auth_tx_packet
Oct 24 10:53:47.580: EAP-AUTH-EVENT: Current method = Identity
Oct 24 10:53:47.580: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_CUSTOMIZE_ID_REQUEST' on handle 0xE8000047
Oct 24 10:53:47.580: eap_authen : idle during state eap_auth_tx_packet
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_tx_packet -> eap_auth_idle
Oct 24 10:53:47.589: EAP-AUTH-TX-PAK: Code:REQUEST ID:0x1 Length:0x0005 Type:IDENTITY
Oct 24 10:53:47.589: EAP-EVENT: Started 'Authenticator ReqId Retransmit' timer (30s) for EAP sesion handle 0xE8000047
Oct 24 10:53:47.589: EAP-EVENT: Started EAP tick timer
Oct 24 10:53:47.589: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_TX_PACKET' on handle 0xE8000047
Oct 24 10:53:47.597: dot1x-ev:[Gi1/0/13] Sending EAPOL packet to group PAE address
Oct 24 10:53:47.597: dot1x-ev:[Gi1/0/13] Sending out EAPOL packet
Oct 24 10:53:47.597: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
Oct 24 10:53:47.597: dot1x-packet: length: 0x0005
Oct 24 10:53:47.597: dot1x-packet:EAP code: 0x1 id: 0x1 length: 0x0005
Oct 24 10:53:47.597: dot1x-packet: type: 0x1
Oct 24 10:53:47.597: dot1x-packet:[6431.500e.9b00, Gi1/0/13] EAPOL packet sent to client 0x15000045
Oct 24 10:53:47.606: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Queuing an EAPOL pkt on Authenticator Q
Oct 24 10:53:47.606: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
Oct 24 10:53:47.606: dot1x-packet: length: 0x001F
Oct 24 10:53:47.606: dot1x-ev:[Gi1/0/13] Dequeued pkt: Int Gi1/0/13 CODE= 2,TYPE= 1,LEN= 31
Oct 24 10:53:47.606: dot1x-ev:[Gi1/0/13] Received pkt saddr =6431.500e.9b00 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.001f
Oct 24 10:53:47.606: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
Oct 24 10:53:47.606: dot1x-packet: length: 0x001F
Oct 24 10:53:47.606: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Response sent to the server from 0x15000045
Oct 24 10:53:47.606: EAP-EVENT: Received LL (Dot1x-Authenticator) event 'EAP_RX_PACKET' on handle 0xE8000047
Oct 24 10:53:47.606: EAP-AUTH-RX-PAK: Code:RESPONSE ID:0x1 Length:0x001F Type:IDENTITY
Oct 24 10:53:47.606: Payload: 47454E4552414C5C72616E64792E636F ...
Oct 24 10:53:47.606: eap_authen : during state eap_auth_idle, got event 1(eapRxPacket)
Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_idle -> eap_auth_received
Oct 24 10:53:47.606: EAP-AUTH-EVENT: EAP Response received by context 0xE8000047
Oct 24 10:53:47.606: EAP-AUTH-EVENT: EAP Response type = Identity
Oct 24 10:53:47.606: EAP-EVENT: Stopping 'Authenticator ReqId Retransmit' timer for EAP sesion handle 0xE8000047
Oct 24 10:53:47.606: eap_authen : during state eap_auth_received, got event 10(eapMethodData)
Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_received -> eap_auth_method_response
Oct 24 10:53:47.606: EAP-AUTH-EVENT: Received peer identity: GENERAL\randy.coburn.admin
Oct 24 10:53:47.606: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_IDENTITY' on handle 0xE8000047
Oct 24 10:53:47.606: eap_authen : during state eap_auth_method_response, got event 13(eapMethodEnd)
Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_method_response -> eap_auth_select_action
Oct 24 10:53:47.606: eap_authen : during state eap_auth_select_action, got event 19(eapDecisionPass)
Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_select_action -> eap_auth_passthru_init
Oct 24 10:53:47.606: eap_authen : during state eap_auth_passthru_init, got event 22(eapPthruIdentity)
Oct 24 10:53:47.614: @@@ eap_authen : eap_auth_passthru_init -> eap_auth_aaa_req
Oct 24 10:53:47.614: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_GET_PEER_MAC_ADDRESS' on handle 0xE8000047
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Adding Audit-Session-ID "C0A846660000004700DF6030" to RADIUS Req
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Added Audit-Session-ID
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Adding IDB "0x070B90F8" to RADIUS Req
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Added IDB
Oct 24 10:53:47.614: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_CUSTOMIZE_AAA_REQUEST' on handle 0xE8000047
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: eap_auth_aaa_authen_request_shim aaa_service 19, eap aaa_list handle 0, mlist handle 0
Oct 24 10:53:47.614: AAA/AUTHEN/8021X (00000000): Pick method list 'default'
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Request sent successfully
Oct 24 10:53:47.614: eap_authen : during state eap_auth_aaa_req, got event 24(eapAAAReqOk)
Oct 24 10:53:47.614: @@@ eap_authen : eap_auth_aaa_req -> eap_auth_aaa_idle
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000):Orig. component type = Invalid
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute hwidb
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute aaa-authen-type
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute aaa-authen-service
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute clid-mac-addr
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute target-scope
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute aaa-unique-id
Oct 24 10:53:47.614: RADIUS(00000000): Config NAS IP: 0.0.0.0
Oct 24 10:53:47.614: RADIUS(00000000): sending
Oct 24 10:53:47.614: RADIUS/ENCODE: Best Local IP-Address 192.168.70.102 for Radius-Server 192.168.19.121
Oct 24 10:53:47.614: RADIUS(00000000): Send Access-Request to 192.168.19.121:1645 id 1645/21, len 288
Oct 24 10:53:47.614: RADIUS: authenticator F1 BA E5 31 71 54 BF 1A - A2 B1 5E 1A 63 72 1E 72
Oct 24 10:53:47.614: RADIUS: User-Name [1] 28 "GENERAL\randy.coburn.admin"
Oct 24 10:53:47.614: RADIUS: Service-Type [6] 6 Framed [2]
Oct 24 10:53:47.614: RADIUS: Vendor, Cisco [26] 27
Oct 24 10:53:47.614: RADIUS: Cisco AVpair [1] 21 "service-type=Framed"
Oct 24 10:53:47.614: RADIUS: Framed-MTU [12] 6 1500
Oct 24 10:53:47.614: RADIUS: Called-Station-Id [30] 19 "AC-F2-C5-75-7D-0D"
Oct 24 10:53:47.614: RADIUS: Calling-Station-Id [31] 19 "64-31-50-0E-9B-00"
Oct 24 10:53:47.614: RADIUS: EAP-Message [79] 33
Oct 24 10:53:47.614: RADIUS: 02 01 00 1F 01 47 45 4E 45 52 41 4C 5C 72 61 6E 64 79 2E 63 6F [GENERAL\randy.co]
Oct 24 10:53:47.622: RADIUS: 62 75 72 6E 2E 61 64 6D 69 6E [ burn.admin]
Oct 24 10:53:47.622: RADIUS: Message-Authenticato[80] 18
Oct 24 10:53:47.622: RADIUS: EE 52 4D ED B9 06 F3 CE 63 AC 9D 73 24 1B A7 ED [ RMcs$]
Oct 24 10:53:47.622: RADIUS: EAP-Key-Name [102] 2 *
Oct 24 10:53:47.622: RADIUS: Vendor, Cisco [26] 49
Oct 24 10:53:47.622: RADIUS: Cisco AVpair [1] 43 "audit-session-id=C0A846660000004700DF6030"
Oct 24 10:53:47.622: RADIUS: Vendor, Cisco [26] 20
Oct 24 10:53:47.622: RADIUS: Cisco AVpair [1] 14 "method=dot1x"
Oct 24 10:53:47.622: RADIUS: NAS-IP-Address [4] 6 192.168.70.102
Oct 24 10:53:47.622: RADIUS: NAS-Port [5] 6 60000
Oct 24 10:53:47.622: RADIUS: NAS-Port-Id [87] 23 "GigabitEthernet1/0/13"
Oct 24 10:53:47.622: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Oct 24 10:53:47.622: RADIUS(00000000): Sending a IPv4 Radius Packet
Oct 24 10:53:47.622: RADIUS(00000000): Started 10 sec timeout
Oct 24 10:53:47.622: RADIUS: Received from id 1645/21 192.168.19.121:1645, Access-Accept, len 66
Oct 24 10:53:47.622: RADIUS: authenticator 92 F6 07 AF C1 AB 0B 4C - 1D 9E A0 D1 01 36 27 26
Oct 24 10:53:47.622: RADIUS: Class [25] 46
Oct 24 10:53:47.622: RADIUS: 76 E3 06 66 00 00 01 37 00 01 02 00 C0 A8 13 79 00 00 00 00 00 00 00 00 00 00 00 00 01 CE CF F8 1F 7B 75 41 00 00 00 00 00 00 00 50 [ vf7y{uAP]
Oct 24 10:53:47.622: RADIUS(00000000): Received from id 1645/21
Oct 24 10:53:47.622: EAP-EVENT: eap_aaa_reply
Oct 24 10:53:47.622: EAP-AUTH-AAA-EVENT: Reply received session_label 72000033
Oct 24 10:53:47.622: EAP-EVENT: Received AAA event 'EAP_AAA_FAIL' on handle 0xE8000047
Oct 24 10:53:47.622: eap_authen : during state eap_auth_aaa_idle, got event 8(eapAAAFail)
Oct 24 10:53:47.622: @@@ eap_authen : eap_auth_aaa_idle -> eap_auth_failure
Oct 24 10:53:47.631: EAP-EVENT: Received get canned status from lower layer (0xE8000047)
Oct 24 10:53:47.631: EAP-AUTH-TX-PAK: Code:FAILURE ID:0x1 Length:0x0004
Oct 24 10:53:47.631: EAP-AUTH-EVENT: FAIL for EAP method ID: 1, name: , on handle 0xE8000047
Oct 24 10:53:47.631: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_FAIL' on handle 0xE8000047
Oct 24 10:53:47.631: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Received an EAP Fail
Oct 24 10:53:47.639: %DOT1X-5-FAIL: Authentication failed for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Added username in dot1x
Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Dot1x did not receive any key data
Oct 24 10:53:47.639: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Processing client delete for hdl 0x15000045 sent by Auth Mgr
Oct 24 10:53:47.639: dot1x-ev:[6431.500e.9b00, Gi1/0/13] 6431.500e.9b00: sending canned failure due to method termination
Oct 24 10:53:47.639: EAP-EVENT: Received get canned status from lower layer (0xE8000047)
Oct 24 10:53:47.639: dot1x-ev:[Gi1/0/13] Sending EAPOL packet to group PAE address
Oct 24 10:53:47.639: dot1x-ev:[Gi1/0/13] Sending out EAPOL packet
Oct 24 10:53:47.639: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
Oct 24 10:53:47.639: dot1x-packet: length: 0x0004
Oct 24 10:53:47.639: dot1x-packet:EAP code: 0x4 id: 0x1 length: 0x0004
Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] EAPOL canned status packet sent to client 0x15000045
Oct 24 10:53:47.639: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Deleting client 0x15000045 (6431.500e.9b00)
Oct 24 10:53:47.639: %AUTHMGR-7-STOPPING: Stopping 'dot1x' for client 6431.500e.9b00 on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
Oct 24 10:53:47.639: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
Oct 24 10:53:47.648: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Delete auth client (0x15000045) message
Oct 24 10:53:47.648: EAP-EVENT: Received free context (0xE8000047) from LL (Dot1x-Authenticator)
Oct 24 10:53:47.648: dot1x-ev:Auth client ctx destroyed
Oct 24 10:53:47.648: EAP-EVENT: Received LL (Dot1x-Authenticator) event 'EAP_DELETE' on handle 0xE8000047
Oct 24 10:53:47.648: EAP-AUTH-EVENT: Freed EAP auth context
Oct 24 10:53:47.648: EAP-EVENT: Freed EAP context
Oct 24 10:53:48.621: EAP-EVENT: Stopped EAP tick timer
Oct 24 10:53:49.485: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to up
Oct 24 10:53:50.491: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to up
Oct 24 10:53:53.528: dot1x-ev:[Gi1/0/13] Interface state changed to DOWN
Oct 24 10:53:53.528: dot1x-ev:[Gi1/0/13] No DOT1X subblock found for port down
Oct 24 10:53:54.518: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to down
Oct 24 10:53:55.524: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to downHi Jatin,
See below the data that you have requested.
show run bits.
aaa new-model
aaa authentication dot1x default group radius
aaa session-id common
clock timezone BST 0 0
clock summer-time UTC recurring last Sun Mar 1:00 last Sun Oct 2:00
dot1x system-auth-control
interface GigabitEthernet1/0/13
switchport access vlan 80
switchport mode access
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
interface GigabitEthernet1/0/48
switchport trunk encapsulation dot1q
switchport trunk native vlan 70
switchport mode trunk
radius server NPS1
address ipv4 192.168.19.121 auth-port 1645 acct-port 1646
timeout 10
key thesecret
ip default-gateway 192.168.70.1
SW1-randy#show auth sessions interface gig 1/0/13
Interface MAC Address Method Domain Status Fg Session ID
Gi1/0/13 803f.5d09.189e N/A UNKNOWN Unauth C0A846660000002F00251DBC
SW1-randy#Show mac address-table Interface GigabitEthernet1/0/13
Mac Address Table
Vlan Mac Address Type Ports
80 803f.5d09.189e DYNAMIC Drop
SW1-randy#ping 192.168.19.121
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.19.121, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
Here is a wireshark of the accept packet.
Message was edited by: randy coburn
Added wireshark trace -
ISE Sponsor Authentication via RADIUS
My client is requesting us to change the way the sponsor users are authenticated and authorized to access the ISE Sponsor Portal.
Their like to pass the ISE request to AD through a RADIUS server first. They said "to avoid sending AD credentials to ISE directly". Under this requirements,
My search and limited knowledge give me to assume I should define a Proxy RADIUS
I think I can Define an External RADIUS server, but I wonder if creating this, it would be available as an Identity Source for the "Sponsor Portal Sequence".
If not, how can I add this? After that, what conditions or attributes should I look for to use in the "Sponsor Group Policy" in order to filter username/password and allow access only to employees and deny access to anyone else?
I will appreciate any advice you can give me to offer the best recommendation to the customer.
Regards.
Daniel Escalante.I think I understood the customer concern. This is quoted from Microsoft http://support.microsoft.com/kb/321051
"The Lightweight Directory Access Protocol (LDAP) is used to read from and write to Active Directory. By default, LDAP traffic is transmitted unsecured. You can make LDAP traffic confidential and secure by using Secure Sockets Layer (SSL) / Transport Layer Security (TLS) technology."
So the question now is how can we be sure the ISE communication is secure? ... I understand port 636 is used to transport LDAP-Secure ...
The ISE User Gude indicates that one of the ports required to be open in the case a firewall exists between ISE and ADE is 636 (LDAPS). -(ISE User Guide Page 5-6)
In my case there is no FW between ISE and AD, so where or how can I show the customer we are using LDAPS?
Regards.
Maybe you are looking for
-
Hi SAP gurus, I'm currently implementing automatic payment using DME to generate a text file, in a format that is specified by HSBC. I read some articles about this topic and I have done these steps: I created DME Format Tree (just a demo format tree
-
Server 2012 RC. I'm using Storage Spaces, with two virtual disks across 23 underlying physical disks. * First virtual disk is fixed provisioning, parity across 23 physical disks: 10,024GB capacity * Second virtual disk is fixed provisioning, parity a
-
Quick note to mention that the 'You Tube Living Room' application freezes up my pc... I have to terminate internet explorer. My PC is an XP machine about four years old - I do not have a webcam attached, maybe it was that.... there are not any error
-
Macbook pro - 10.5.6, wont accept leopard safari update..
I tried to install the latest safari update, 3.1..i think it was ( going off the top of my head ) but when i went to install it, it refused it, saying i wasn't compatible. I have leopard on my computer. The other option is Tiger but..it makes no sens
-
Finding the Darkest Pixel in a BufferedImage
What is the best way to find the darkest pixel in a BufferedImage?