Change RADIUS Certificate or Reset RADIUS, SERVER 3.2.2

Hi All,
I've got an expiring self-signed certificate that I was using for the RADIUS service on 10.9, Server 3.2.2.
I can't figure out how to replace this certificate with our valid trusted SSL certificate for our domain. We originally set up the RADIUS server with the instructions at https://www.yesdevnull.net/2013/10/os-x-mavericks-server-setting-up-freeradius/
If I just try to install new certs using the sudo radiusconfig -installcerts command, it just breaks RADIUS.
I've also tried blowing away the radius folder inside /Library/Server in an attempt to reset RADIUS to the factory defaults, but after reinstalling the Server app and going through the process of setting up RADIUS, it's still using the old certificate.
Any help would be appreciated!
Thanks

Thanks to Charles over at Krypted, deleting the Radius folder from /Library/Server/Radius and running this command:
sudo rm /var/db/.ServerSetupDone
allowed me to get Server to recreate a clean Radius set.

Similar Messages

  • Changing RADIUS Server

    We have an AS5300 and a Radius server. We are changing the Radius server. Besides changing the IP address of the Radius server on the AS5300, is there anything else that we need to do? Thanks.

    I don't think so; just specify the new IP and you are good to go.
    Check the following example:
    aaa authentication login default group radius local
    aaa authorization exec default group radius local
    aaa authorization command 2 default group tacacs+ if-authenticated
    radius-server host 172.16.71.146 auth-port 1645 acct-port 1646
    radius-server attribute 44 include-in-access-req
    radius-server attribute 8 include-in-access-req
    So, unless you are changing port or other parameters, changing the IP will do the job.
    HTH,
    please rate all posts.
    Vlad

  • EAP-TLS with Radius Server configuration (1130AG)

    Hi All,
    I'm currently trying to get EAP-TLS user certificate based wireless authentication working. The mismatch of guides I'm trying to follow has me coming up trumps with success so far, so here's hoping you guys can right my wrongs and put me on the right path again.
    My steps for RADIUS (I think this part I've actually got OK):
    http://technet.microsoft.com/en-us/library/dd283091(v=ws.10).aspx
    Steps for the wireless profile on a Win 7 client (this has me confused all over the place):
    http://technet.microsoft.com/en-us/library/dd759246.aspx
    My 1130 Config:-
    [code]
    Current configuration : 3805 bytes
    ! Last configuration change at 11:57:56 UTC Fri Jan 25 2013 by apd
    ! NVRAM config last updated at 14:43:51 UTC Fri Jan 25 2013 by apd
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname WAP1
    aaa new-model
    aaa group server radius RAD_EAP
    server 10.1.1.29 auth-port 1812 acct-port 1813
    aaa authentication login default local
    aaa authentication login EAP_LOGIN group RAD_EAP
    aaa authorization exec default local
    aaa authorization network default local
    aaa session-id common
    ip domain name ************
    dot11 syslog
    dot11 ssid TEST
       authentication open eap EAP_LOGIN
       authentication network-eap EAP_LOGIN
       guest-mode
    crypto pki trustpoint TP-self-signed-1829403336
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1829403336
    revocation-check none
    rsakeypair TP-self-signed-1829403336
      quit
    username ***************
    ip ssh version 2
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    ssid TEST
    station-role root
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio1
    no ip address
    no ip route-cache
    ssid TEST
    no dfs band block
    channel dfs
    station-role root
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface FastEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface BVI1
    ip address 10.1.2.245 255.255.255.0
    ip helper-address 10.1.1.27
    no ip route-cache
    no ip http server
    ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    radius-server host 10.1.1.29 auth-port 1812 acct-port 1813 key **************
    radius-server key ************
    bridge 1 route ip
    line con 0
    logging synchronous
    transport preferred ssh
    line vty 0 4
    logging synchronous
    transport input ssh
    sntp server 130.88.212.143
    end
    [/code]
    and my current debug
    [code]
    Jan 25 12:00:56.703: dot11_auth_send_msg:  sending data to requestor status 1
    Jan 25 12:00:56.703: dot11_auth_send_msg: Sending EAPOL to requestor
    Jan 25 12:00:56.703: dot1x-registry:registry:dot1x_ether_macaddr called
    Jan 25 12:00:56.703: dot11_auth_dot1x_send_id_req_to_client: Client 74de.2b81.56c4 timer started for 30 seconds
    WAP1#
    Jan 25 12:01:26.698: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 74de.2b81.56c4
    Jan 25 12:01:26.698: dot11_auth_dot1x_send_client_fail: Authentication failed for 74de.2b81.56c4
    Jan 25 12:01:26.698: dot11_auth_send_msg:  sending data to requestor status 0
    Jan 25 12:01:26.698: dot11_auth_send_msg: client FAILED to authenticate 74de.2b81.56c4, node_type 64 for application 0x1
    Jan 25 12:01:26.699: dot11_auth_delete_client_entry: 74de.2b81.56c4 is deleted for application 0x1
    Jan
    WAP1#25 12:01:26.699: %DOT11-7-AUTH_FAILED: Station 74de.2b81.56c4 Authentication failed
    Jan 25 12:01:26.699: dot11_aaa_upd_accounting: Updating attributes for user: 74de.2b81.56c4
    Jan 25 12:01:26.699: dot11_aaa_upd_accounting: Updating attributes for user: 74de.2b81.56c4
    Jan 25 12:01:26.699: dot11_auth_client_abort: Received abort request for client 74de.2b81.56c4
    Jan 25 12:01:26.699: dot11_auth_client_abort: No client entry to abort: 74de.2b81.56c4 for application 0x1
    Jan 25 12:01:27.580: AAA/BIND(000000
    WAP1#12): Bind i/f
    Jan 25 12:01:27.580: dot11_auth_add_client_entry: Create new client 74de.2b81.56c4 for application 0x1
    Jan 25 12:01:27.580: dot11_auth_initialize_client: 74de.2b81.56c4 is added to the client list for application 0x1
    Jan 25 12:01:27.581: dot11_auth_add_client_entry: req->auth_type 0
    Jan 25 12:01:27.581: dot11_auth_add_client_entry: auth_methods_inprocess: 2
    Jan 25 12:01:27.581: dot11_auth_add_client_entry: eap list name: EAP_LOGIN
    Jan 25 12:01:27.581: dot11_run_auth_methods: Start aut
    WAP1#h method EAP or LEAP
    Jan 25 12:01:27.581: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
    Jan 25 12:01:27.581: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 74de.2b81.56c4
    Jan 25 12:01:27.581: EAPOL pak dump tx
    Jan 25 12:01:27.581: EAPOL Version: 0x1  type: 0x0  length: 0x002B
    Jan 25 12:01:27.581: EAP code: 0x1  id: 0x1  length: 0x002B type: 0x1
    01801670:                   0100002B 0101002B          ...+...+
    01801680: 01006E65 74776F72 6B69643D 54455354  ..networkid=TEST
    WAP1#
    01801690: 2C6E6173 69643D41 50445741 50312C70  ,nasid=WAP1,p
    018016A0: 6F727469 643D30                      ortid=0
    Jan 25 12:01:27.582: dot11_auth_send_msg:  sending data to requestor status 1
    Jan 25 12:01:27.582: dot11_auth_send_msg: Sending EAPOL to requestor
    Jan 25 12:01:27.582: dot1x-registry:registry:dot1x_ether_macaddr called
    Jan 25 12:01:27.583: dot11_auth_dot1x_send_id_req_to_client: Client 74de.2b81.56c4 timer started for 30 seconds
    WAP1#
    [/code]
    Can anyone point me in the right direction with this?
    I also don't like it that you can attempt to join the network first before failing.
    Can I have user cert based + PSK, and then apply it all by GPO?
    Thanks for any help

    OK, I've amended the wireless profile as suggested.
    I already have the root CA and a user certificate installed with matching usernames.
    I had already added the RADIUS device to the NPS server and matched the keys to the AP.
    Now here's the debug I'm getting; when I check the NPS server, it still doesn't look like it's getting any requests at all :|
    Jan 29 11:53:13.501: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 74de.2b81.56c4
    Jan 29 11:53:13.501: dot11_auth_dot1x_send_client_fail: Authentication failed for 74de.2b81.56c4
    Jan 29 11:53:13.501: dot11_auth_send_msg:  sending data to requestor status 0
    Jan 29 11:53:13.501: dot11_auth_send_msg: client FAILED to authenticate 74de.2b81.56c4, node_type 64 for application 0x1
    Jan 29 11:53:13.501: dot11_auth_delete_client_entry: 74de.2b81.56c4 is deleted for application 0x1
    Jan
    WAP1#29 11:53:13.501: dot11_mgr_disp_callback: Received message from Local Authenticator
    Jan 29 11:53:13.501: dot11_mgr_disp_callback: Received FAIL from Local Authenticator
    Jan 29 11:53:13.501: dot11_mgr_sm_run_machine: Executing Action(BRIDGE,AUTHENTICATOR_FAIL) for 74de.2b81.56c4
    Jan 29 11:53:13.502: dot11_mgr_sm_send_client_fail: Authentication failed for 74de.2b81.56c4
    Jan 29 11:53:13.502: %DOT11-7-AUTH_FAILED: Station 74de.2b81.56c4 Authentication failed
    Jan 29 11:53:13.502: dot11_mgr_disp_auth_abort
    WAP1#: Sending abort request for client 74de.2b81.56c4 to local Authenticator
    Jan 29 11:53:13.502: dot11_auth_client_abort: Received abort request for client 74de.2b81.56c4
    Jan 29 11:53:13.502: dot11_auth_client_abort: No client entry to abort: 74de.2b81.56c4 for application 0x1
    Jan 29 11:53:14.619: AAA/BIND(00000019): Bind i/f
    Jan 29 11:53:14.619: dot11_mgr_disp_auth_request: Send auth request for client 74de.2b81.56c4 to local Authenticator
    Jan 29 11:53:14.619: dot11_auth_add_client_entry: Create new c
    WAP1#lient 74de.2b81.56c4 for application 0x1
    Jan 29 11:53:14.620: dot11_auth_initialize_client: 74de.2b81.56c4 is added to the client list for application 0x1
    Jan 29 11:53:14.620: dot11_auth_add_client_entry: req->auth_type 0
    Jan 29 11:53:14.620: dot11_auth_add_client_entry: auth_methods_inprocess: 2
    Jan 29 11:53:14.620: dot11_auth_add_client_entry: eap list name: EAP_LOGIN
    Jan 29 11:53:14.620: dot11_run_auth_methods: Start auth method EAP or LEAP
    Jan 29 11:53:14.620: dot11_auth_dot1x_start: in the dot11
    WAP1#_auth_dot1x_start
    Jan 29 11:53:14.620: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 74de.2b81.56c4
    Jan 29 11:53:14.620: EAPOL pak dump tx
    Jan 29 11:53:14.621: EAPOL Version: 0x1  type: 0x0  length: 0x002B
    Jan 29 11:53:14.621: EAP code: 0x1  id: 0x1  length: 0x002B type: 0x1
    01808560: 0100002B 0101002B 01006E65 74776F72  ...+...+..networ
    01808570: 6B69643D 54455354 2C6E6173 69643D41  kid=TEST,nasid=A
    01808580: 50445741 50312C70 6F727469 643D30    WAP1,portid=0
    Jan 29 11:53
    WAP1#:14.621: dot11_auth_send_msg:  sending data to requestor status 1
    Jan 29 11:53:14.621: dot11_auth_send_msg: Sending EAPOL to requestor
    Jan 29 11:53:14.622: dot11_mgr_disp_callback: Received message from Local Authenticator
    Jan 29 11:53:14.622: dot11_mgr_disp_callback: Received DOT11_AAA_EAP from Local Authenticator
    Jan 29 11:53:14.622: dot11_mgr_sm_run_machine: Executing Action(BRIDGE,AUTHENTICATOR_REPLY) for 74de.2b81.56c4
    Jan 29 11:53:14.622: dot11_mgr_sm_send_response_to_client: Forwarding Authenti
    WAP1#cator message to client 74de.2b81.56c4
    Jan 29 11:53:14.622: EAPOL pak dump tx
    Jan 29 11:53:14.622: EAPOL Version: 0x1  type: 0x0  length: 0x002B
    Jan 29 11:53:14.622: EAP code: 0x1  id: 0x1  length: 0x002B type: 0x1
    01808690:                   0100002B 0101002B          ...+...+
    018086A0: 01006E65 74776F72 6B69643D 54455354  ..networkid=TEST
    018086B0: 2C6E6173 69643D41 50445741 50312C70  ,nasid=WAP1,p
    018086C0: 6F727469 643D30                      ortid=0
    Jan 29 11:53:14.623: dot1x-regi
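The debug above ends the same way both times: the access point sends an EAP Request/Identity to the station, starts a 30-second timer, and hits CLIENT_WAIT,TIMEOUT without ever receiving an EAP Response. Since the authenticator only builds its first RADIUS Access-Request around the station's Response/Identity, a timeout here means the NPS server never sees a packet, which matches what the poster observes. The decoder below is an added example and is not part of the thread or of Cisco's tooling; it turns an "EAPOL pak dump" of the kind shown above into EAPOL/EAP fields and flags the timeout pattern in a debug capture. The hex dump it parses is constructed to match the shape of the AP's output (the EAP type names come from RFC 3748 and the IANA registry), and the "EAP code: 0x2" marker used to detect a received Response is assumed from the "EAP code: 0x1" format of the transmit dumps on the page.

```python
"""Decode a Cisco IOS "EAPOL pak dump" into EAPOL/EAP fields.

Added example (not from the forum thread).  The sample dump is constructed to
have the same layout as the AP's "EAPOL pak dump tx": an EAP Request/Identity
with an empty prompt and a NUL-separated option string.  Only the hex groups
carry data; the address and ASCII columns are cosmetic.
"""
import re
import struct

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# IANA EAP method types that come up on networks like the one in the thread
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 13: "EAP-TLS",
             17: "LEAP", 21: "EAP-TTLS", 25: "PEAP", 43: "EAP-FAST"}

# Constructed 44-byte frame: EAPOL v1 EAP-Packet, EAP Request id 1, Identity.
SAMPLE_DUMP = """\
01801670: 01000028 01010028 01006E65 74776F72  ...(...(..networ
01801680: 6B69643D 54455354 2C6E6173 69643D57  kid=TEST,nasid=W
01801690: 4150312C 706F7274 69643D30           AP1,portid=0
"""

HEX_LINE = re.compile(r"^\s*[0-9A-Fa-f]{8}:\s*(.*)$")
HEX_GROUP = re.compile(r"^(?:[0-9A-Fa-f]{2}){1,4}$")


def dump_to_bytes(text):
    """Collect the hex groups that follow the address column of each line.

    The ASCII column is skipped by stopping at the first token that is not a
    group of 1-4 hex bytes.  Caveat: ASCII text that happens to look like hex
    would be misread; a fixed-column parser is needed for such dumps.
    """
    out = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue
        for tok in m.group(1).split():
            if not HEX_GROUP.match(tok):
                break
            out += bytes.fromhex(tok)
    return bytes(out)


def decode_eapol(data):
    """Return the EAPOL header and, for an EAP-Packet, the EAP header fields."""
    if len(data) < 4:
        raise ValueError("short EAPOL frame")
    version, ptype, length = struct.unpack("!BBH", data[:4])
    body = data[4:4 + length]
    if len(body) != length:
        raise ValueError("EAPOL length %d but %d body bytes" % (length, len(data) - 4))
    info = {"eapol_version": version, "eapol_type": EAPOL_TYPES.get(ptype, ptype),
            "eapol_length": length}
    if ptype != 0:
        return info
    code, ident, elen = struct.unpack("!BBH", body[:4])
    if elen > length or elen < 4:
        raise ValueError("bad EAP length %d" % elen)
    info.update(eap_code=EAP_CODES.get(code, code), eap_id=ident, eap_length=elen)
    if code in (1, 2) and elen >= 5:
        etype = body[4]
        info["eap_type"] = EAP_TYPES.get(etype, etype)
        if etype == 1:
            # RFC 3748 5.1: displayable prompt, then a NUL, then option text
            prompt, _, options = body[5:elen].partition(b"\x00")
            info["identity_prompt"] = prompt.decode("ascii", "replace")
            info["identity_options"] = options.decode("ascii", "replace")
    return info


def identity_request_timed_out(log_lines):
    """True when the AP sent a Request/Identity and reached CLIENT_WAIT,TIMEOUT
    without any EAP Response from the station (assumed marker: a received
    frame would be dumped with "EAP code: 0x2"), so nothing was ever
    forwarded to the RADIUS server."""
    sent = any("Sending identity request" in line for line in log_lines)
    timed_out = any("CLIENT_WAIT,TIMEOUT" in line for line in log_lines)
    answered = any("EAP code: 0x2" in line for line in log_lines)
    return sent and timed_out and not answered


if __name__ == "__main__":
    for key, value in decode_eapol(dump_to_bytes(SAMPLE_DUMP)).items():
        print("%-18s %s" % (key + ":", value))
```

Feed it the lines of a real capture (after removing the interleaved "WAP1#" prompt fragments) and the result tells you whether the supplicant answered at all before looking at the RADIUS side.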

  • VPN Tunnel w/ 802.1X port authentication against remote RADIUS server

    I have a Cisco 892 set up as a VPN client connecting to an ASA 5515-X.  The tunnel works fine and comes up if there's correct traffic.  I have two RADIUS servers I want to use certificate based authentication to, that are located behind the ASA 5515-X.
    If I connect a computer that has the correct certificates to ports FA0 through 3, authentication won't work.  I'll see the following.  This happens even if the VPN tunnel is established already by doing something such as connecting a VOIP phone.  No entries are located in the RADIUS logs, and I also cannot ping the RADIUS servers from VLAN10.
    *Jan 30 19:46:01.435: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.1.100:1812,1813 is not responding.
    *Jan 30 19:46:01.435: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.1.100:1812,1813 is being marked alive.
    *Jan 30 19:46:21.659: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.26.10:1812,1813 is not responding.
    *Jan 30 19:46:21.659: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.26.10:1812,1813 is being marked alive.
    If I connect a second PC to an interface with 802.1X disabled, such as FA6, the VPN tunnel will establish itself correctly.  In this situation, I can ping the RADIUS servers from VLAN10.  If I go ahead and connect another PC with correct certificates to a port with 802.1X enabled such as port FA0 through 3, then 802.1X will succeed.
    Current configuration : 6199 bytes
    ! Last configuration change at 15:40:11 EST Mon Feb 3 2014 by
    version 15.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname router1
    boot-start-marker
    boot-end-marker
    aaa new-model
    aaa local authentication default authorization default
    aaa authentication login default local
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa session-id common
    clock timezone EST -5 0
    clock summer-time EDT recurring
    ip cef
    ip dhcp pool pool
    import all
    network 192.168.28.0 255.255.255.248
    bootfile PXEboot.com
    default-router 192.168.28.1
    dns-server 192.168.26.10 192.168.1.100 8.8.8.8 4.2.2.2
    domain-name domain.local
    option 66 ip 192.168.23.10
    option 67 ascii PXEboot.com
    option 150 ip 192.168.23.10
    lease 0 2
    ip dhcp pool phonepool
    network 192.168.28.128 255.255.255.248
    default-router 192.168.28.129
    dns-server 192.168.26.10 192.168.1.100
    option 150 ip 192.168.1.132
    domain-name domain.local
    lease 0 2
    ip dhcp pool guestpool
    network 10.254.0.0 255.255.255.0
    dns-server 8.8.8.8 4.2.2.2
    domain-name local
    default-router 10.254.0.1
    lease 0 2
    no ip domain lookup
    ip domain name remote.domain.local
    no ipv6 cef
    multilink bundle-name authenticated
    license udi pid CISCO892-K9
    dot1x system-auth-control
    username somebody privilege 15 password 0 password
    redundancy
    crypto isakmp policy 1
    encr aes 256
    authentication pre-share
    group 5
    crypto isakmp key secretpassword address 123.123.123.123
    crypto ipsec transform-set pix-set esp-aes 256 esp-sha-hmac
    mode tunnel
    crypto map pix 10 ipsec-isakmp
    set peer 123.123.123.123
    set transform-set pix-set
    match address 110
    interface BRI0
    no ip address
    encapsulation hdlc
    shutdown
    isdn termination multidrop
    interface FastEthernet0
    switchport access vlan 10
    switchport voice vlan 11
    no ip address
    authentication port-control auto
    dot1x pae authenticator
    spanning-tree portfast
    interface FastEthernet1
    switchport access vlan 10
    switchport voice vlan 11
    no ip address
    authentication port-control auto
    dot1x pae authenticator
    spanning-tree portfast
    interface FastEthernet2
    switchport access vlan 10
    switchport voice vlan 11
    no ip address
    authentication port-control auto
    dot1x pae authenticator
    spanning-tree portfast
    interface FastEthernet3
    switchport access vlan 10
    switchport voice vlan 11
    no ip address
    authentication port-control auto
    dot1x pae authenticator
    spanning-tree portfast
    interface FastEthernet4
    switchport access vlan 10
    switchport voice vlan 11
    no ip address
    spanning-tree portfast
    interface FastEthernet5
    switchport access vlan 12
    switchport voice vlan 11
    no ip address
    spanning-tree portfast
    interface FastEthernet6
    switchport access vlan 10
    switchport voice vlan 11
    no ip address
    spanning-tree portfast
    interface FastEthernet7
    switchport access vlan 10
    switchport voice vlan 11
    no ip address
    authentication port-control auto
    dot1x pae authenticator
    spanning-tree portfast
    interface FastEthernet8
    no ip address
    shutdown
    duplex auto
    speed auto
    interface GigabitEthernet0
    ip address dhcp
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map pix
    interface Vlan1
    no ip address
    interface Vlan10
    ip address 192.168.28.1 255.255.255.248
    ip nat inside
    ip virtual-reassembly in
    interface Vlan11
    ip address 192.168.28.129 255.255.255.248
    interface Vlan12
    ip address 10.254.0.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    ip nat inside source list 101 interface GigabitEthernet0 overload
    ip route 0.0.0.0 0.0.0.0 dhcp
    ip radius source-interface Vlan10
    ip sla auto discovery
    access-list 101 deny   ip 192.168.28.0 0.0.0.255 192.168.0.0 0.0.255.255
    access-list 101 permit ip 192.168.28.0 0.0.0.255 any
    access-list 101 permit ip 10.254.0.0 0.0.0.255 any
    access-list 110 permit ip 192.168.28.0 0.0.0.255 192.168.0.0 0.0.255.255
    access-list 110 permit ip 192.168.29.0 0.0.0.255 192.168.0.0 0.0.255.255
    radius-server host 192.168.1.100 auth-port 1812 acct-port 1813 key secretkey
    radius-server host 192.168.26.10 auth-port 1812 acct-port 1813 key secretkey
    control-plane
    mgcp profile default
    line con 0
    line aux 0
    line vty 0 4
    transport input all
    ntp source FastEthernet0
    ntp server 192.168.26.10
    ntp server 192.168.1.100
    end

    I have 802.1X certificate authentication enabled on the computers.  As described in my post above, authentication will work if there's another device on the same VLAN that is connected to a port that bypasses authentication.  It seems like I have a chicken and egg scenario: a device needs to be successfully connected to VLAN10 before the router will use its VLAN10 interface to communicate with my remote RADIUS server.

  • Wrv200 and radius server does not work

    I am "upgrading" from a dlink di-524 to a wrv200 because I want multiple ssid's. I have my old ssid configured to use the same radius server, port, password, etc. on the wrv200 as on the dlink. When I try to connect it does not authenticate. (Using certificates - wpa2 Enterprise.) The dlink will still authenticate if I plug that back in. The wrv200 seems to be getting to the radius server since it will complain if I change the ip address of the wrv200 to something unexpected. However, the authentication never finishes. It's as if something just does not pass through the router or is dropped. There are no messages on the radius server, not even a rejected or successful message. Does anyone have any ideas on this? I'd hate to have to use 2 routers to add an ssid (I already have 3 in my network.)
    Message Edited by Howlie on 12-11-2007 06:48 PM

    Sorry to take so long to reply. I'm using freeradius under Fedora 7. Thanks for the url but I already saw that when I was setting up the radius server. I chatted with tech support about the issue and, since I'm using a wrvs4400n with the same radius settings and working, it is probably a firmware issue. I guess I'll have to just wait for the firmware to catch up.
    Message Edited by Howlie on 12-15-2007 03:44 AM

  • 1100 with Local Radius Server problems Atheros Client

    I have Local authentication turned on for the 1100 and am using the Atheros Client Utility configuring LEAP with username/password and it is failing; here is the debug from the 1100. Any help much appreciated.
    Xcon-ap1100#conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    Xcon-ap1100(config)#radius
    Xcon-ap1100(config)#radius-server local
    Xcon-ap1100(config-radsrv)#no nas 10.201.1.5
    Xcon-ap1100(config-radsrv)#nas 10.201.1.5 key thiskey
    Xcon-ap1100(config-radsrv)#end
    Xcon-ap1100#debug radius
    Radius protocol debugging is on
    Radius protocol brief debugging is off
    Radius protocol verbose debugging is off
    Radius packet hex dump debugging is off
    Radius packet protocol debugging is on
    Radius packet retransmission debugging is off
    Radius server fail-over debugging is off
    Xcon-ap1100#term mon
    Xcon-ap1100#
    *Apr 3 16:26:26.961: RADIUS: AAA Unsupported [248] 10
    *Apr 3 16:26:26.961: RADIUS: 43 61 72 64 69 66 66 4E [CardiffN]
    *Apr 3 16:26:26.962: RADIUS: AAA Unsupported [150] 3
    *Apr 3 16:26:26.962: RADIUS: 32 [2]
    *Apr 3 16:26:26.962: RADIUS(000000FC): Storing nasport 246 in rad_db
    *Apr 3 16:26:26.962: RADIUS(000000FC): Config NAS IP: 10.201.1.5
    *Apr 3 16:26:26.963: RADIUS/ENCODE(000000FC): acct_session_id: 251
    *Apr 3 16:26:26.963: RADIUS(000000FC): Config NAS IP: 10.201.1.5
    *Apr 3 16:26:26.963: RADIUS(000000FC): sending
    *Apr 3 16:26:26.963: RADIUS(000000FC): Send Access-Request to 10.201.1.5:1645 id 21645/158, len 130
    *Apr 3 16:26:26.963: RADIUS: authenticator 74 20 7D 86 32 7B 1A 65 - 88 DE A7 58 51 91 FA 5D
    *Apr 3 16:26:26.963: RADIUS: User-Name [1] 6 "test"
    *Apr 3 16:26:26.964: RADIUS: Framed-MTU [12] 6 1400
    *Apr 3 16:26:26.964: RADIUS: Called-Station-Id [30] 16 "000f.f751.7970"
    *Apr 3 16:26:26.964: RADIUS: Calling-Station-Id [31] 16 "0090.963d.7bf6"
    *Apr 3 16:26:26.964: RADIUS: Service-Type [6] 6 Login [1]
    *Apr 3 16:26:26.965: RADIUS: Message-Authenticato[80] 18 *
    *Apr 3 16:26:26.965: RADIUS: EAP-Message [79] 11
    *Apr 3 16:26:26.965: RADIUS: 02 02 00 09 01 74 65 73 74 [?????test]
    *Apr 3 16:26:26.965: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
    *Apr 3 16:26:26.965: RADIUS: NAS-Port [5] 6 246
    *Apr 3 16:26:26.965: RADIUS: NAS-IP-Address [4] 6 10.201.1.5
    *Apr 3 16:26:26.965: RADIUS: Nas-Identifier [32] 13 "Xcon-ap1100"
    *Apr 3 16:26:31.966: RADIUS: Retransmit to (10.201.1.5:1645,1646) for id 21645/158
    *Apr 3 16:26:36.966: RADIUS: Retransmit to (10.201.1.5:1645,1646) for id 21645/158
    *Apr 3 16:26:41.966: RADIUS: Retransmit to (10.201.1.5:1645,1646) for id 21645/158
    *Apr 3 16:26:46.965: RADIUS: No response from (10.201.1.5:1645,1646) for id 21645/158
    *Apr 3 16:26:46.965: RADIUS/DECODE: parse response no app start; FAIL
    *Apr 3 16:26:46.965: RADIUS/DECODE: parse response; FAIL
    *Apr 3 16:26:46.966: %DOT11-7-AUTH_FAILED: Station 0090.963d.7bf6 Authentication failed
    *Apr 3 16:26:50.070: RADIUS: AAA Unsupported [248] 10
    *Apr 3 16:26:50.070: RADIUS: 43 61 72 64 69 66 66 4E [CardiffN]
    *Apr 3 16:26:50.071: RADIUS: AAA Unsupported [150] 3
    *Apr 3 16:26:50.071: RADIUS: 32 [2]
    *Apr 3 16:26:50.071: RADIUS(000000FD): Storing nasport 247 in rad_db
    *Apr 3 16:26:50.072: RADIUS(000000FD): Config NAS IP: 10.201.1.5
    *Apr 3 16:29:29.041: %DOT11-7-AUTH_FAILED: Station 0090.963d.7bf6 Authentication failed
    *Apr 3 16:29:52.253: %DOT11-7-AUTH_FAILED: Station 0090.963d.7bf6 Authentication failed
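The debug above shows the Access-Request exactly as a NAS assembles it: attribute type, length and value, the 16-byte Request Authenticator, a Message-Authenticator of length 18 and a total length of 130, followed by three retransmits and "No response". The code below is an added example, not Cisco's or any RADIUS server's code; it builds that same Access-Request from the attributes in the debug (the shared secret "thiskey" is the one configured on the page, the Request Authenticator is constructed), computes the Message-Authenticator per RFC 2869, and shows the Response Authenticator check from RFC 2865 that makes a NAS silently drop a reply whose shared secret does not match. That check is why a secret mismatch looks, from the NAS side, identical to a server that never answers.

```python
"""Build and verify RADIUS packets the way the NAS in the debug does.

Added example (not Cisco code).  Attribute values are copied from the debug
output; the shared secret is the one configured on the page and the Request
Authenticator is constructed by the caller.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# RFC 2865/2869 attribute types that appear in the debug
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE = 1, 4, 5, 6
FRAMED_MTU, CALLED_STATION_ID, CALLING_STATION_ID = 12, 30, 31
NAS_IDENTIFIER, NAS_PORT_TYPE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 32, 61, 79, 80
NAMES = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type",
         12: "Framed-MTU", 30: "Called-Station-Id", 31: "Calling-Station-Id",
         32: "Nas-Identifier", 61: "NAS-Port-Type", 79: "EAP-Message",
         80: "Message-Authenticator"}


def encode_attrs(attrs):
    """Type(1) Length(1) Value; Length counts the two header bytes."""
    out = bytearray()
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute %d too long" % atype)
        out += bytes((atype, len(value) + 2)) + value
    return bytes(out)


def parse_attrs(data):
    """Return (type, offset_of_value, value) triples; rejects malformed TLVs."""
    i, out = 0, []
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        out.append((atype, i + 2, data[i + 2:i + alen]))
        i += alen
    return out


def build_access_request(ident, request_auth, attrs, secret):
    """RFC 2869 3.16: Message-Authenticator = HMAC-MD5(secret, packet) with the
    attribute's 16 value bytes zeroed while computing."""
    body = encode_attrs(list(attrs) + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    pkt = bytearray(struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)))
    pkt += request_auth + body
    pkt[-16:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)


def verify_message_authenticator(pkt, secret):
    """True only when a Message-Authenticator is present and correct."""
    for atype, off, value in parse_attrs(pkt[20:]):
        if atype == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = bytearray(pkt)
            zeroed[20 + off:20 + off + 16] = bytes(16)
            mac = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
            return hmac.compare_digest(mac, value)
    return False


def build_response(code, request, attrs, secret):
    """Server side, RFC 2865 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body


def verify_response(response, request, secret):
    """NAS side: a reply built with the wrong secret, the wrong ID or altered
    attributes fails here and is discarded as if the server had not answered."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def describe(pkt):
    """Lines in the style of the IOS debug: Name [type] length."""
    return ["%s [%d] %d" % (NAMES.get(t, "Unknown"), t, len(v) + 2)
            for t, _, v in parse_attrs(pkt[20:])]


# Attributes as they appear in the Access-Request of the debug above.
SAMPLE_ATTRS = [
    (USER_NAME, b"test"),
    (FRAMED_MTU, struct.pack("!I", 1400)),
    (CALLED_STATION_ID, b"000f.f751.7970"),
    (CALLING_STATION_ID, b"0090.963d.7bf6"),
    (SERVICE_TYPE, struct.pack("!I", 1)),                  # Login
    (EAP_MESSAGE, bytes.fromhex("020200090174657374")),    # EAP Response/Identity "test"
    (NAS_PORT_TYPE, struct.pack("!I", 19)),                # 802.11 wireless
    (NAS_PORT, struct.pack("!I", 246)),
    (NAS_IP_ADDRESS, bytes([10, 201, 1, 5])),
    (NAS_IDENTIFIER, b"Xcon-ap1100"),
]
SECRET = b"thiskey"   # key from the config on the page; constructed for the example


if __name__ == "__main__":
    req = build_access_request(158, os.urandom(16), SAMPLE_ATTRS, SECRET)
    print("\n".join(describe(req)), "\ntotal length", len(req))
    accept = build_response(ACCESS_ACCEPT, req, [], SECRET)
    print("accept verifies:", verify_response(accept, req, SECRET))
    print("with wrong secret:", verify_response(accept, req, b"wrongkey"))
```

Run as a script it prints the same attribute table and the length 130 that the debug shows; the two verify calls at the end are the checks a NAS applies to every reply.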

    I have a very similar situation here. Took me a while to figure out why existing user certificates are OK but no new users can enroll. I checked all certificates for expiry. No go. It was not the expiry ("Valid to") time, but rather the "Valid From" time that is messed up.
    This is what happens: The rollover gets created and replaces the original one (which remains in memory, no flash) But the new one is valid from the expiry of the old one - in my case TOMORROW and after a power-outage the day before yesterday (the most definitive way to get a reboot!) I only have the new NOT YET VALID certificate.
    OK, I can wait until tomorrow and see if it works. But the design is far from intelligent. The industry standard is that when you renew a certificate, the validity of the new one is immediate - even if it means it runs for a few days longer than the designated lifetime.
    So much for the overlap period of 30 days (as you can see from your own post) if the old certificate goes away after a reboot and the new one is not yet valid! (The CA certificate expiration timer gets reset to some Unix time-zero ( 01:00:00 CEST Jan 1 1970) which I take to mean "not valid yet".)
    I only have a few days of trouble - and just one to go after finally working it out, but it could have been up to 30 days if I for any reason had rebooted after the roll-over certificate got created.
    Cheers
    Bernhard
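Both the original post (a self-signed RADIUS certificate about to expire) and Bernhard's reply (a rollover certificate whose "Valid From" lies in the future after a reboot) come down to the same check: where does "now" fall inside the certificate's validity window? The script below is an added example and not Apple's, Cisco's or FreeRADIUS's tooling; it parses the two lines that `openssl x509 -noout -dates -in cert.pem` prints, classifies the certificate as not yet valid, expiring, expired or valid, and, given an old certificate and its rollover, picks the one that is usable at a given moment, returning nothing when neither is (Bernhard's gap). The dates are constructed; a real run would feed in the openssl output for the server's RADIUS certificate.

```python
"""Classify a certificate's validity window from `openssl x509 -noout -dates`.

Added example, not from the thread.  Sample dates are constructed.
"""
from datetime import datetime, timedelta, timezone

# openssl prints e.g. "notBefore=Jan  1 01:00:00 1970 GMT" (day is space-padded)
OPENSSL_DATE = "%b %d %H:%M:%S %Y"


def utc(year, month, day, hour=0, minute=0):
    """Small helper so callers can build timezone-aware instants."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def parse_openssl_date(value):
    value = value.strip()
    if value.endswith(" GMT"):
        value = value[:-4]
    return datetime.strptime(value, OPENSSL_DATE).replace(tzinfo=timezone.utc)


def parse_dates_output(text):
    """Return (not_before, not_after) from the notBefore=/notAfter= lines."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("notBefore", "notAfter"):
            fields[key.strip()] = parse_openssl_date(value)
    if set(fields) != {"notBefore", "notAfter"}:
        raise ValueError("expected notBefore and notAfter lines")
    if fields["notAfter"] <= fields["notBefore"]:
        raise ValueError("notAfter is not after notBefore")
    return fields["notBefore"], fields["notAfter"]


def cert_status(not_before, not_after, now=None, warn_days=30):
    """Return (status, delta).  The rollover problem in the thread shows up as
    "not yet valid" even though the certificate is the newest one."""
    now = now or datetime.now(timezone.utc)
    if now < not_before:
        return "not yet valid", not_before - now
    if now >= not_after:
        return "expired", now - not_after
    remaining = not_after - now
    if remaining <= timedelta(days=warn_days):
        return "expiring", remaining
    return "valid", remaining


def usable_certificate(candidates, now=None):
    """candidates: (name, not_before, not_after) tuples, e.g. an old certificate
    and its rollover.  Return the name of the one usable right now, preferring
    the longest-lived; None when no candidate is currently valid."""
    now = now or datetime.now(timezone.utc)
    valid = [(nb, na, name) for name, nb, na in candidates
             if cert_status(nb, na, now)[0] in ("valid", "expiring")]
    if not valid:
        return None
    return max(valid, key=lambda c: c[1])[2]


# Constructed sample: a self-signed certificate issued with a one-year lifetime.
SAMPLE_DATES = """\
notBefore=Oct  1 12:00:00 2013 GMT
notAfter=Oct  1 12:00:00 2014 GMT
"""

if __name__ == "__main__":
    nb, na = parse_dates_output(SAMPLE_DATES)
    status, delta = cert_status(nb, na, utc(2014, 9, 20, 12))
    print("%s (%d days)" % (status, delta.days))
```

The `usable_certificate` helper is the part worth wiring into monitoring: if it returns None for the set of certificates a RADIUS server can present, clients will fail TLS regardless of how healthy each certificate looks on its own.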

  • Problems with Radius Server

    Hi
    I am trying to setup the Radius server on my Mac OSX 10.5.2 server. I have two Airport Extreme 802.11n base stations connected to my network, one which we use normally for wireless access and another that I am using to test and get the Radius Server configured. One has an address of 192.168.10.5 and the other is 192.168.10.6. All my wireless clients can browse the net without any issues.
    When I go into Server Admin and select Radius and then Configure Radius Service, I select the default certificate and am then presented with a screen where I add my base stations. Now, the puzzling thing is that both of my base stations appear, but they are showing 169.254.xxx.xxx addresses. So, my first question is why do they show self assigned IPs? Is it because they are being found using Bonjour?
    If I then back out of this screen and select the Base Stations icon in the menu, I can click browse and again it shows the AEBSs but again with a self assigned IP. Another interesting point is that if I select my normal base station, in the info below it shows the Ethernet and Airport ID info showing V7.3.1 software version but a picture of the old dome shape Airport Extreme Base Station. If I select the test base station, I get the same info but THE RIGHT PICTURE !
    If I then select the test base station and enter the password, it says it's the wrong password, even though I know it's the right one.
    I'd like to get past this point, but can't see how to proceed until the IPs are right. What's going on? Any ideas gratefully received.
    Paul

    I have just purchased a new AirPort Extreme to begin testing to rollout wireless using RADIUS on our Mac OS X 10.5 server.
    I am having a bit of trouble setting up the actual base station. I too was having the same problem with the IP address showing up on the RADIUS server as self-assigned 169., but noticed that when I changed the Primary RADIUS IP address to something different from the AirPort's Ethernet IP address it showed up correctly. Maybe I am wrong but that's what I think happened.
    The problem I am having is this: I have created a wireless RADIUS network. My client was able to log in and connect to the wireless system, but I am not getting any DHCP information from my DHCP server running on Mac OS X Server. What am I doing wrong? What settings should be entered for Primary RADIUS IP Address, Shared Secret, etc.? I am a bit confused and Apple hasn't provided technical documentation on this aspect.
    Help!

  • Cisco AAA authentication with windows radius server

    Cisco - Windows Radius problems
    I need to create a limited access group through RADIUS that I can have new network analysts log into
    and not be able to commit changes or get into global config.
    Here are my current radius settings
    aaa new-model
    aaa group server radius IAS
     server name something.corp
    aaa authentication login USERS local group IAS
    aaa authorization exec USERS local group IAS
    radius server something.corp
     address ipv4 1.1.1.1 auth-port 1812 acct-port 1813
     key mypassword
    line vty 0 4
     access-class 1 in
     exec-timeout 0 0
     authorization exec USERS
     logging synchronous
     login authentication USERS
     transport input ssh
    When I log in to the switch, the RADIUS server is passing the correct attribute:
    ***Jan 21 13:59:51.897: RADIUS:   Cisco AVpair       [1]   18  "shell:priv-lvl=7"
    The switch is accepting it and putting you in the correct priv level.
    ***Radius-Test#sh priv
       Current privilege level is 7
    I am not sure why it logs you in with the prompt for privileged EXEC mode when
    you are in priv level 7. This shows that even though it looks like you're in priv exec
    mode, you are not.
    ***Radius-Test#sh run
                    ^
       % Invalid input detected at '^' marker.
       Radius-Test#
    Now this is where I am very lost.
    I am in priv level 7, but as soon as I use the enable command It moves me up to 15, and that gives me access to
    global config mode.
    ***Radius-Test#enable
       Radius-Test#
    Debug log -
    Jan 21 14:06:28.689: AAA/MEMORY: free_user (0x2B46E268) user='reynni10'
    ruser='NULL' port='tty390' rem_addr='10.100.158.83' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
    Now it doesn't matter that I was given priv level 7 by RADIUS because 'enable' put me into priv 15.
    ***Radius-Test#sh priv
       Current privilege level is 15
       Radius-Test#
    I have tried to set
    ***privilege exec level 15 enable
    It works and I am no longer able to use 'enable' when I am at priv level 7, but I also cannot get the commands they will need to work.
    Even if I try to do
    ***privilege exec level 7 show running-config (or other variations)
    It will allow you to type sh run without errors, but it doesn't actually run the command.
    What am I doing wrong?
    I also want to get PKI working with radius.

    I can run a test on my radius system, will report back accordingly, as it's a different server than where I am currently located.
    Troubleshooting, have you deleted the certificate/network profile on the devices and started from scratch?

  • EAP-FAST on Local Radius Server : Can't Get It Working

    Hi all
    I'm using an 877w router (flash:c870-advsecurityk9-mz.124-24.T4.bin) as a local RADIUS server and have followed various config guides on CCO. LEAP works fine but I just can't get EAP-FAST to work.
    I'm testing with a Win7 client using AnyConnect Secure Mobility Client, and also a MacBook Pro, but without luck.
    The router sees an unknown auth type, and when I run some debugs it talks of unknown EAP type 3.
    sh radius local-server s
    Successes              : 1           Unknown usernames      : 0        
    Client blocks          : 0           Invalid passwords      : 0        
    Unknown NAS            : 0           Invalid packet from NAS: 17      
    NAS : 172.27.44.1
    Successes              : 1           Unknown usernames      : 0        
    Client blocks          : 0           Invalid passwords      : 0        
    Corrupted packet       : 0           Unknown RADIUS message : 0        
    No username attribute  : 0           Missing auth attribute : 0        
    Shared key mismatch    : 0           Invalid state attribute: 0        
    Unknown EAP message    : 0           Unknown EAP auth type  : 17       
    Auto provision success : 0           Auto provision failure : 0        
    PAC refresh            : 0           Invalid PAC received   : 0       
    Can anyone suggest what I might be doing wrong?
    Regs, Tim

    Thanks Nicolas, relevant snippets from config:
    aaa new-model
    aaa group server radius rad_eap
    server 172.27.44.1 auth-port 1812 acct-port 1813
    aaa authentication login eap_methods group rad_eap
    aaa authorization exec default local
    aaa session-id common
    dot11 ssid home
    vlan 3
    authentication open eap eap_methods
    authentication network-eap eap_methods
    authentication key-management wpa
    ip dhcp pool home
       import all
       network 192.168.1.0 255.255.255.0
       default-router 192.168.1.1
       dns-server 194.74.65.68 194.74.65.69
    ip inspect name ethernetin tcp
    ip inspect name ethernetin udp
    ip inspect name ethernetin pop3
    ip inspect name ethernetin ssh
    ip inspect name ethernetin dns
    ip inspect name ethernetin ftp
    ip inspect name ethernetin tftp
    ip inspect name ethernetin smtp
    ip inspect name ethernetin icmp
    ip inspect name ethernetin telnet
    interface Dot11Radio0
    no ip address
    encryption vlan 1 mode ciphers aes-ccm tkip
    encryption vlan 2 mode ciphers aes-ccm tkip
    encryption vlan 3 mode ciphers aes-ccm tkip
    broadcast-key vlan 1 change 30
    broadcast-key vlan 2 change 30
    broadcast-key vlan 3 change 30
    ssid home
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    interface Dot11Radio0.3
    encapsulation dot1Q 3
    no cdp enable
    bridge-group 3
    bridge-group 3 subscriber-loop-control
    bridge-group 3 spanning-disabled
    bridge-group 3 block-unknown-source
    no bridge-group 3 source-learning
    no bridge-group 3 unicast-flooding
    interface Vlan3
    no ip address
    bridge-group 3
    interface BVI3
    ip address 192.168.1.1 255.255.255.0
    ip inspect ethernetin in
    ip nat inside
    ip virtual-reassembly
    radius-server local
    no authentication mac
    nas 172.27.44.1 key 0 123456
    user test1 nthash 0 B151E8FF684B4F376C018E632A247D84
    user test2 nthash 0 F2EEAE1D895645B819C9FD217D0CA1F9
    user test3 nthash 0 0CB6948805F797BF2A82807973B89537
    radius-server host 172.27.44.1 auth-port 1812 acct-port 1813 key 123456
    radius-server vsa send accounting
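    Added example, not from the thread: a small Python decoder for the EAP packets that ride inside RADIUS EAP-Message attributes, run over constructed sample packets (not a capture from the 877w above). It shows why "unknown eap type 3" in a local-RADIUS debug is worth reading literally: in RFC 3748, Type 3 is Nak, the supplicant's way of refusing the method the authenticator proposed and listing the methods it will accept, so the desired-method list inside the Nak tells you which side's method configuration has to change. The type numbers come from RFC 3748 and the IANA EAP registry; nak_rejects() and summarize() are helpers written for this example.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

# EAP method type numbers from RFC 3748 and the IANA EAP registry.
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS", 25: "PEAP",
             26: "EAP-MSCHAPv2", 43: "EAP-FAST"}


def decode_eap(pkt: bytes) -> dict:
    """Parse one EAP packet (RFC 3748 section 4); raise ValueError if malformed."""
    if len(pkt) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError(f"EAP Length {length} does not fit {len(pkt)} bytes")
    info = {"code": EAP_CODES.get(code, f"unknown({code})"),
            "id": ident, "length": length}
    if code in (3, 4):                       # Success/Failure carry no Type
        return info
    if length < 5:
        raise ValueError("Request/Response needs a Type byte")
    etype = pkt[4]
    data = pkt[5:length]
    info["type"] = etype
    info["type_name"] = EAP_TYPES.get(etype, f"unknown({etype})")
    if etype == 1:                           # Identity: Type-Data is the NAI
        info["identity"] = data.decode("utf-8", errors="replace")
    elif etype == 3:                         # Nak: Type-Data lists wanted methods
        info["desired"] = list(data)
        info["desired_names"] = [EAP_TYPES.get(t, f"unknown({t})") for t in data]
    return info


def nak_rejects(pkt: bytes, offered_type: int) -> bool:
    """True when pkt is a Nak whose wanted-method list leaves out offered_type,
    i.e. the supplicant refused the method the authenticator proposed."""
    info = decode_eap(pkt)
    return info.get("type") == 3 and offered_type not in info["desired"]


def summarize(pkt: bytes) -> str:
    """One log-style line per packet, the way a RADIUS debug would print it."""
    info = decode_eap(pkt)
    line = f"EAP {info['code']} id={info['id']} len={info['length']}"
    if "type" in info:
        line += f" type={info['type']}({info['type_name']})"
    if "identity" in info:
        line += f" identity={info['identity']!r}"
    if "desired" in info:
        line += " desired=" + ",".join(info["desired_names"])
    return line


# Constructed sample exchange (not a capture from the router above).
IDENTITY_REQUEST = bytes.fromhex("0101000501")            # Request id=1, Identity
IDENTITY_RESPONSE = bytes.fromhex("0201000a017465737431")  # Response id=1, "test1"
TLS_START = bytes.fromhex("010200060d20")                 # Request id=2, EAP-TLS, S flag
NAK_RESPONSE = bytes.fromhex("02020007032b11")            # Response id=2, Nak: wants 43,17

if __name__ == "__main__":
    for pkt in (IDENTITY_REQUEST, IDENTITY_RESPONSE, TLS_START, NAK_RESPONSE):
        print(summarize(pkt))
    print("client refused EAP-TLS:", nak_rejects(NAK_RESPONSE, 13))
```

    Running it prints the constructed exchange; the last line is True because the Nak asks for EAP-FAST (43) and LEAP (17) after an EAP-TLS (13) offer. Reading real traffic the same way, a Nak that lists EAP-FAST while the server counts "Unknown EAP auth type" points at the method set on the server, and a Nak that omits it points at the supplicant profile.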

  • Trying to implement EAP/TLS using java (as part of RADIUS server)

    Hi
    This is a cross post since I didn't know which forum to post in!
    I'm trying to implement a RADIUS server (EAP/TLS) as part of my master thesis. I'm not used to Java SSL libraries and can't get it to work. The server will respond to an access point that uses 802.1x. I have created certificates using openssl and imported the "cert-clt.pl2" and "root.pem" to a laptop trying to connect to the access point. On the server side I imported the "cacert.pem" and "cert-srv.der" using keytool to a keystore. In my code I read the keystore and create the SSLEngine with the following code:
            // Imports needed by the snippets below
            import java.io.FileInputStream;
            import java.nio.ByteBuffer;
            import java.security.KeyStore;
            import javax.net.ssl.KeyManagerFactory;
            import javax.net.ssl.SSLContext;
            import javax.net.ssl.SSLEngine;
            import javax.net.ssl.SSLEngineResult;
            import javax.net.ssl.SSLException;
            import javax.net.ssl.TrustManagerFactory;

            // Key store: must hold a PrivateKeyEntry (server key plus certificate chain);
            // a store that only holds certificates gives the KeyManager nothing to serve
            KeyStore ksKeys = KeyStore.getInstance("JKS");
            ksKeys.load(new FileInputStream("certs/FeebeeCommunity.keystore"), passphrase);
            KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
            kmf.init(ksKeys, passphrase);
            // Trust store: the CA certificate(s) that issued the client certificates
            KeyStore ksTrust = KeyStore.getInstance("JKS");
            ksTrust.load(new FileInputStream("FeebeeCommunity.keystore"), passphrase);
            TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
            tmf.init(ksTrust);   // was tmf.init(ksKeys): build the trust manager from the trust store
            sslContext = SSLContext.getInstance("TLS");
            sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
            sslEngine = sslContext.createSSLEngine();
            sslEngine.setUseClientMode(false);
            // EAP-TLS requires a client certificate; a later setWantClientAuth(true)
            // would override this setting and make the client certificate optional
            sslEngine.setNeedClientAuth(true);
            sslEngine.setEnableSessionCreation(true);
            appBuffer = ByteBuffer.allocate(sslEngine.getSession().getApplicationBufferSize());
            appBuffer.clear();
            netBuffer = ByteBuffer.allocate(sslEngine.getSession().getPacketBufferSize());
            netBuffer.clear();
    All I want to do with TLS is a handshake.
    I'm not talking SSL over sockets; instead I receive and send all TLS data encapsulated in EAP packets that are encapsulated in RADIUS packets. I start off by sending TLS-Start, upon which I receive TLS data. I handle it with the following code:
            SSLEngineResult result = null;
            SSLEngineResult.HandshakeStatus hsStatus = null;
            if (internalState != EAPTLSState.Handshaking) {
                if (internalState == EAPTLSState.None) {
                    // First EAP-Response: remember the peer identity, then answer with TLS-Start
                    TLSPacket tlsPacket = new TLSPacket(packet.getData());
                    peerIdentity = tlsPacket.getData();
                    internalState = EAPTLSState.Starting;
                    try {
                        sslEngine.beginHandshake();
                    } catch (SSLException e) {
                        e.printStackTrace();
                    }
                    return;
                } else if (internalState == EAPTLSState.Starting) {
                    internalState = EAPTLSState.Handshaking;
                    try {
                        sslEngine.beginHandshake();
                    } catch (SSLException e) {
                        e.printStackTrace();
                    }
                }
            }
            // Feed the TLS fragment carried in this EAP-Response to the engine
            TLSPacket tlsPacket = new TLSPacket(packet.getData());
            netBuffer.put(tlsPacket.getData());
            netBuffer.flip();
            while (true) {
                hsStatus = sslEngine.getHandshakeStatus();
                if (hsStatus == SSLEngineResult.HandshakeStatus.NEED_TASK) {
                    // Run delegated tasks in this thread: starting them on new threads and
                    // re-polling getHandshakeStatus() at once only busy-spins on NEED_TASK
                    Runnable task;
                    while ((task = sslEngine.getDelegatedTask()) != null) {
                        task.run();
                    }
                } else if (hsStatus == SSLEngineResult.HandshakeStatus.NEED_UNWRAP) {
                    try {
                        result = sslEngine.unwrap(netBuffer, appBuffer);
                    } catch (SSLException e) {
                        e.printStackTrace();
                        return;
                    }
                    if (result.getStatus() != SSLEngineResult.Status.OK) {
                        return;   // BUFFER_UNDERFLOW: the rest arrives in the next EAP fragment
                    }
                } else {
                    return;
                }
            }
    When I try to send data I use the following code:
            SSLEngineResult.HandshakeStatus hsStatus = null;
            SSLEngineResult result = null;
            // netBuffer = ByteBuffer.allocate(EAPTLSMethod.BUFFER_SIZE);
            netBuffer.clear();
            while (true) {
                hsStatus = sslEngine.getHandshakeStatus();
                if (hsStatus == SSLEngineResult.HandshakeStatus.NEED_TASK) {
                    // Same fix as on the receive side: run the delegated task in this thread
                    Runnable task;
                    while ((task = sslEngine.getDelegatedTask()) != null) {
                        task.run();
                    }
                } else if (hsStatus == SSLEngineResult.HandshakeStatus.NEED_WRAP) {
                    try {
                        result = sslEngine.wrap(dummyBuffer, netBuffer);
                    } catch (SSLException e) {
                        e.printStackTrace();
                        return null;
                    }
                } else {
                    if (result != null && result.getStatus() == SSLEngineResult.Status.OK) {
                        // Several wraps may have run; bytesProduced() counts only the last one,
                        // so measure the whole flight from the buffer and send at most one MTU
                        netBuffer.flip();
                        int produced = netBuffer.remaining();
                        int size = Math.min(produced, this.MTU);
                        byte[] tlsData = new byte[size];
                        netBuffer.get(tlsData, 0, size);
                        TLSPacket tlsPacket = new TLSPacket((byte) 0, tlsData);
                        if (size < produced) {
                            tlsPacket.setFlag(TLSFlag.MoreFragments);
                        }
                        return new EAPTLSRequestPacket(ID,
                                (short) (tlsPacket.getData().length + 6),
                                stateMachine.getCurrentMethod(), tlsPacket);
                    } else {
                        return null;
                    }
                }
            }
    After I sent TLS-Start I receive data and manage to process it, but when then trying to produce TLS data I get the following error:
    javax.net.ssl.SSLHandshakeException: no cipher suites in common
    at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:992)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:459)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1054)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1026)
    at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:411)
    at RadiusServerSimulator.EAPModule.EAPTLSMethod.buildReq(EAPTLSMethod.java:125)
    at RadiusServerSimulator.EAPModule.EAPStateMachine.methodRequest(EAPStateMachine.java:358)
    at RadiusServerSimulator.EAPModule.EAPStateMachine.run(EAPStateMachine.java:262)
    at java.lang.Thread.run(Thread.java:595)
    Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1352)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:164)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:638)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:450)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:178)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
    at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:437)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.java:930)
    Any help would be most gratefully received; if there are any questions or anything is unclear, please let me know.
    To add some additional information, here is a debug output.
    Before this I have sent a TLS-Start packet, and this is when I receive new information and then try to create the answer:
    [Raw read]: length = 5
    0000: 16 03 01 00 41 ....A
    [Raw read]: length = 65
    0000: 01 00 00 3D 03 01 41 A4 FC 16 A8 14 89 F0 59 81 ...=..A.......Y.
    0010: C8 C9 29 C2 09 D1 0A 70 18 58 DC 2E B0 C8 14 90 ..)....p.X......
    0020: D4 FD A4 C6 32 C9 00 00 16 00 04 00 05 00 0A 00 ....2...........
    0030: 09 00 64 00 62 00 03 00 06 00 13 00 12 00 63 01 ..d.b.........c.
    0040: 00 .
    Thread-2, READ: TLSv1 Handshake, length = 65
    *** ClientHello, TLSv1
    RandomCookie: GMT: 1084488726 bytes = { 168, 20, 137, 240, 89, 129, 200, 201, 41, 194, 9, 209, 10, 112, 24, 88, 220, 46, 176, 200, 20, 144, 212, 253, 164, 198, 50, 201 }
    Session ID: {}
    Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA]
    Compression Methods: { 0 }
    [read] MD5 and SHA1 hashes: len = 65
    0000: 01 00 00 3D 03 01 41 A4 FC 16 A8 14 89 F0 59 81 ...=..A.......Y.
    0010: C8 C9 29 C2 09 D1 0A 70 18 58 DC 2E B0 C8 14 90 ..)....p.X......
    0020: D4 FD A4 C6 32 C9 00 00 16 00 04 00 05 00 0A 00 ....2...........
    0030: 09 00 64 00 62 00 03 00 06 00 13 00 12 00 63 01 ..d.b.........c.
    0040: 00 .
    Thread-5, fatal error: 40: no cipher suites in common
    javax.net.ssl.SSLHandshakeException: no cipher suites in common
    Thread-5, SEND TLSv1 ALERT: fatal, description = handshake_failure
    Thread-5, WRITE: TLSv1 Alert, length = 2
    Thread-2, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
    javax.net.ssl.SSLHandshakeException: no cipher suites in common
    at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:992)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:459)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1054)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1026)
    at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:411)
    at RadiusServerSimulator.EAPModule.EAPTLSMethod.buildReq(EAPTLSMethod.java:153)
    at RadiusServerSimulator.EAPModule.EAPStateMachine.methodRequest(EAPStateMachine.java:358)
    at RadiusServerSimulator.EAPModule.EAPStateMachine.run(EAPStateMachine.java:262)
    at java.lang.Thread.run(Thread.java:595)
    Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1352)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:164)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:638)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:450)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:178)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
    at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:437)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.java:930)
    ... 1 more
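    Added example, not part of the thesis code above: a Python parser for the ClientHello that the "[Raw read]" dumps show (the 70 bytes are copied from the post; SUITE_NAMES maps the suite codes to the names the SSLEngine debug prints), plus a simplified server-side suite selection. All eleven offered suites use RSA or DHE_DSS key exchange, so the server can only pick one if its KeyManager holds an RSA (or DSA) private key. A JKS that only ever received certificates through keytool -import contains trusted-certificate entries and no PrivateKeyEntry, which is one common cause of "no cipher suites in common" on the server side; the key pair has to be generated inside the keystore or imported from a PKCS#12 file. choose_suite() and server_key_type() are helpers written for this example, not JSSE APIs.

```python
import struct

# Cipher suite codes for the names the SSLEngine debug in the post prints.
SUITE_NAMES = {
    0x0003: "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "SSL_RSA_WITH_RC4_128_MD5",
    0x0005: "SSL_RSA_WITH_RC4_128_SHA",
    0x0006: "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0009: "SSL_RSA_WITH_DES_CBC_SHA",
    0x000A: "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0012: "SSL_DHE_DSS_WITH_DES_CBC_SHA",
    0x0013: "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    0x0062: "SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0063: "SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA",
    0x0064: "SSL_RSA_EXPORT1024_WITH_RC4_56_SHA",
}

# The two "[Raw read]" dumps from the post joined: 5-byte record header + 65-byte ClientHello.
CLIENT_HELLO = bytes.fromhex(
    "1603010041"
    "0100003d" "0301"
    "41a4fc16a81489f05981c8c929c209d10a701858dc2eb0c81490d4fda4c632c9"
    "00"
    "0016" "00040005000a00090064006200030006001300120063"
    "01" "00")


def parse_client_hello(record: bytes) -> dict:
    """Parse a TLS Handshake record carrying a ClientHello (RFC 2246 section 7.4.1.2)."""
    if len(record) < 5:
        raise ValueError("short record header")
    ctype, major, minor, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != 22:
        raise ValueError(f"content type {ctype} is not Handshake(22)")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("record truncated")
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    if hs_type != 1:
        raise ValueError(f"handshake type {hs_type} is not ClientHello(1)")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("ClientHello truncated")
    client_version = (hello[0], hello[1])
    gmt_unix_time = int.from_bytes(hello[2:6], "big")   # first 4 bytes of Random
    random_bytes = hello[2:34]
    pos = 34
    sid_len = hello[pos]; pos += 1
    session_id = hello[pos:pos + sid_len]; pos += sid_len
    cs_len = int.from_bytes(hello[pos:pos + 2], "big"); pos += 2
    if cs_len % 2 or pos + cs_len > len(hello):
        raise ValueError("bad cipher_suites length")
    suites = [int.from_bytes(hello[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = hello[pos]; pos += 1
    compression = list(hello[pos:pos + comp_len]); pos += comp_len
    return {"record_version": (major, minor), "client_version": client_version,
            "gmt_unix_time": gmt_unix_time, "random": random_bytes,
            "session_id": session_id, "cipher_suites": suites,
            "compression": compression, "extensions": hello[pos:]}


def server_key_type(suite: int):
    """Private-key type the server needs for this suite, judged by its key exchange."""
    name = SUITE_NAMES.get(suite, "")
    if "_DHE_DSS_" in name:
        return "DSA"
    if "_RSA_" in name:
        return "RSA"
    return None


def choose_suite(offered, server_key_types, enabled=None):
    """Simplified server selection: first offered suite that is enabled and backed by a
    server private key. None is the 'no cipher suites in common' outcome."""
    enabled = set(SUITE_NAMES) if enabled is None else set(enabled)
    for suite in offered:
        if suite in enabled and server_key_type(suite) in server_key_types:
            return suite
    return None


if __name__ == "__main__":
    hello = parse_client_hello(CLIENT_HELLO)
    for s in hello["cipher_suites"]:
        print(f"  0x{s:04x} {SUITE_NAMES.get(s, '?'):42} needs {server_key_type(s)} key")
    print("no private key entry ->", choose_suite(hello["cipher_suites"], set()))
    print("RSA private key entry ->", hex(choose_suite(hello["cipher_suites"], {"RSA"})))
```

    The selection loop is deliberately minimal (real JSSE also filters by enabled protocol, key size and the export rules of the era); its point is the empty result when server_key_types is empty, which is exactly what a keystore without a PrivateKeyEntry produces.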

    I am developing a simple client/server SSL app using sdk 1.4 (no SSLEngine) and am faced with the same problem. Could anybody track down the problem further?

  • RADIUS Server Won't Start

    After running Software Update and installing the Security Update 2008-005 and iTunes 7.7.1 on the server, I noticed none of my wireless clients would authenticate. I checked Server admin and the Radius server was not running. Upon trying to start the RADIUS service in Server Admin the Radius server wouldn't start. Could this software update be to blame? Any Ideas?

    The logs keep repeating the following sequence:
    Sat Aug 2 10:51:33 2008 : Info: Using deprecated naslist file. Support for this will go away soon.
    Sat Aug 2 10:51:33 2008 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
    Sat Aug 2 10:51:33 2008 : Info: rlm_eap_tls: Loading the certificate file as a chain
    Sat Aug 2 10:51:33 2008 : Error: rlm_eap: SSL error error:0906A068:PEM routines:PEM_do_header:bad password read
    Sat Aug 2 10:51:33 2008 : Error: rlm_eap_tls: Error reading private key file
    Sat Aug 2 10:51:33 2008 : Error: rlm_eap: Failed to initialize type tls
    Sat Aug 2 10:51:33 2008 : Error: radiusd.conf[10]: eap: Module instantiation failed.
    Sat Aug 2 10:51:33 2008 : Error: radiusd.conf[1954] Unknown module "eap".
    Sat Aug 2 10:51:33 2008 : Error: radiusd.conf[1897] Failed to parse authenticate section.

  • Server 2008 R2 RADIUS Server with a Cisco Aironet 1040 Wireless AP

    I am trying to get Server 2008 R2 RADIUS Server to work with a Cisco Aironet 1040 Wireless AP. I have installed the RADIUS server by MS standards and performed some searches on Google to configure the Cisco Aironet. I see others using a Wireless LAN Controller, which I do not have. I found this post below:
    https://supportforums.cisco.com/discussion/11546056/wlc-2504-radius-2008-r2-server
    But I have yet to locate a good step by step document on how to set it up, and I have found so many different ways that others have set it up, but none have yet to work. I am having authentication issues that I know of and I do not see any errors in the Windows Event Viewer, and I do not know where the Access Point stores its logs for any sort of error. Keep in mind this is the first time I am doing this. I do not have a Wireless LAN Controller and all my network / domain services are on individually built servers and not on one single server as I have seen with most of the documentation; they all say the same thing by putting the Certificate Services, Domain Services (AD / ADS, etc), and NPS together. I do not want that configuration and my setup should not be any different, but something is not right. I know from reading that this is not rocket science, but for someone who has never done it before this is difficult, as I keep reading on and so many people do it different ways, including what I have been reading according to what Cisco says to configure in the environment. Does anyone know where I can find good step by step documentation along with where I can look for logs on either device? I find that all the documentation I see on Cisco's website and from searching is old and outdated and has not been updated in a long time, so it is hard to determine what works and what does not work. I am stumped here and have been doing this for several weeks now with no luck. Thank you in advance.

    I did configure the Server 2008 R2 RADIUS Server using this video below: 
    https://www.youtube.com/watch?v=g-0MM_tK-Tk
    I also referenced Technet to make sure it was configured correctly as well. I am still not sure if I am 100% setup correctly on the Windows Server side, but I for sure want to make sure I have the AP side setup correctly. Do you know of a better article for the Windows Server 2008 R2 setup? Does it matter that I do not have all the services installed on the same server? Instead I have them installed on multiple servers.
    I have image number c1140-k9w7-tar.124.25d.JA1 on the AP. The part that confused me in that article, which I have seen before, was the part about "Setting up access point must be configured in the authentication server as an AAA client." What is the AAA Client? I also am not aware of having Cisco Secure ACS anywhere built into the AP, as that part threw me off completely. Do I need to skip these steps? Thank you for help on this.

  • Cisco 28xx easy vpn server & MS NPS (RADIUS server)

    Hello.
    There is a LAN (192.168.11.0/24) with a cisco 2821 border router (192.168.11.1), on which an Easy VPN Server is configured with local authorization of the remote users, who connect with Cisco VPN Client v 5.0. Everything works. On the same LAN there is an MS Windows Server 2012 Essensial acting as the AD DC.
    A need has arisen to move the authorization of remote users to a RADIUS server. As the RADIUS server we want to use MS Network Policy Server (NPS) 2012 Essensial (192.168.11.9).
    The corresponding policy has been set up on the server, the NPS server is registered in AD, a RADIUS client (192.168.11.1) has been created, and a Network Policy is configured. In AD a VPN-USERS group has been created, to which, besides the remote users, a service user EasyVPN with the password "cisco" has been added.
    Below is an excerpt from the cisco 2821 config:
    aaa new-model
    aaa authentication login rausrs local
    aaa authentication login VPN-XAUTH group radius
    aaa authorization network ragrps local
    aaa authorization network VPN-GROUP local
    aaa session-id common
    crypto isakmp policy 10
    encr aes 256
    authentication pre-share
    group 2
    crypto isakmp client configuration address-pool local RAPOOL
    crypto isakmp client configuration group ra1grp
    key key-for-remote-access
    domain domain.local
    pool RAPOOL
    acl split-acl
    split-dns 192.168.11.9
    crypto isakmp client configuration group EasyVPN
    key qwerty123456
    domain domain.local
    pool RAPOOL
    acl split-acl
    split-dns 192.168.11.9
    crypto isakmp profile RA-profile
       description profile for remote access VPN
       match identity group ra1grp
       client authentication list rausrs
       isakmp authorization list ragrps
       client configuration address respond
    crypto isakmp profile VPN-IKMP-PROFILE
       description profile for remote access VPN via RADIUS
       match identity group EasyVPN
       client authentication list VPN-XAUTH
       isakmp authorization list VPN-GROUP
       client configuration address respond
    crypto ipsec transform-set tset1 esp-aes esp-sha-hmac
    crypto dynamic-map dyn-cmap 100
    set transform-set tset1
    set isakmp-profile RA-profile
    reverse-route
    crypto dynamic-map dyn-cmap 101
    set transform-set tset1
    set isakmp-profile VPN-IKMP-PROFILE
    reverse-route
    crypto map stat-cmap 100 ipsec-isakmp dynamic dyn-cmap
    int Gi0/1
    description -- to WAN --
    crypto map stat-cmap
    As a result, the following error appears on the cisco (highlighted in bold):
    RADIUS/ENCODE(000089E0):Orig. component type = VPN_IPSEC
    RADIUS:  AAA Unsupported Attr: interface         [157] 14
    RADIUS:   31 39 34 2E 38 38 2E 31 33 39 2E 31              [194.88.139.1]
    RADIUS(000089E0): Config NAS IP: 192.168.11.1
    RADIUS/ENCODE(000089E0): acct_session_id: 35296
    RADIUS(000089E0): sending
    RADIUS(000089E0): Send Access-Request to 192.168.11.9:1645 id 1645/61, len 103
    RADIUS:  authenticator 4A B1 DB 2D B7 58 B2 BF - 7F 12 6F 96 01 99 32 91
    RADIUS:  User-Name           [1]   9   "EasyVPN"
    RADIUS:  User-Password       [2]   18  *
    RADIUS:  Calling-Station-Id  [31]  16  "aaa.bbb.ccc.137"
    RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
    RADIUS:  NAS-Port            [5]   6   1
    RADIUS:  NAS-Port-Id         [87]  16  "aaa.bbb.ccc.136"
    RADIUS:  Service-Type        [6]   6   Outbound                  [5]
    RADIUS:  NAS-IP-Address      [4]   6   192.168.11.1
    RADIUS: Received from id 1645/61 192.168.11.9:1645, Access-Reject, len 20
    RADIUS:  authenticator A8 08 69 44 44 8B 13 A5 - 06 C2 95 8D B4 C4 E9 01
    RADIUS(000089E0): Received from id 1645/61
    MS NPS reports error 6273:
    Сервер сетевых политик отказал пользователю в доступе.
    За дополнительными сведениями обратитесь к администратору сервера сетевых политик.
    Пользователь:
        ИД безопасности:            domain\VladimirK
        Имя учетной записи:            VladimirK
        Домен учетной записи:           domain
        Полное имя учетной записи:   domain.local/Users/VladimirK
    Компьютер клиента:
        ИД безопасности:            NULL SID
        Имя учетной записи:            -
        Полное имя учетной записи:    -
        Версия ОС:            -
        Идентификатор вызываемой станции:        -
        Идентификатор вызывающей станции:       aaa.bbb.ccc.137
    NAS:
        Адрес IPv4 NAS:        192.168.11.1
        Адрес IPv6 NAS:        -
        Идентификатор NAS:            -
        Тип порта NAS:            Виртуальная
        Порт NAS:            0
    RADIUS-клиент:
        Понятное имя клиента:        Cisco2821
        IP-адрес клиента:            192.168.11.1
    Сведения о проверке подлинности:
        Имя политики запроса на подключение:    Использовать проверку подлинности Windows для всех пользователей
        Имя сетевой политики:        Подключения к другим серверам доступа
        Поставщик проверки подлинности:        Windows
        Сервер проверки подлинности:        DC01.domain.local
        Тип проверки подлинности:        PAP
        Тип EAP:            -
        Идентификатор сеанса учетной записи:        -
        Результаты входа в систему:            Сведения об учетных данных были записаны в локальный файл журнала.
        Код причины:            66
        Причина:                Пользователь пытался применить способ проверки подлинности, не включенный в соответствующей сетевой политике.
    Playing with Cisco AV Pairs and the other Network Policy settings on the RADIUS server gives the same result.
    Studying the "Network Policy Server Technical Reference" and "Configuring IPSec Between a Cisco IOS Router and a Cisco VPN Client 4.x for Windows Using RADIUS for User Authentication" Document ID: 21060 gave no answer.
    If anyone has done something similar, please point me in a direction to look for a solution.
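    Added example, not from the thread: the Access-Request/Access-Reject exchange from the debug above, rebuilt in Python with constructed values (the shared secret and Request Authenticator are made up for the example; the attribute set follows the debug, with User-Name carrying the group name EasyVPN, Service-Type Outbound and NAS-Port-Type Virtual). It hides User-Password per RFC 2865 section 5.2, decodes the request on the server side, and verifies the Response Authenticator on the Access-Reject, which is the check that tells a NAS the reply was produced with the shared secret and answers this particular request. All function names are this example's own.

```python
import hashlib
import hmac
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
              6: "Service-Type", 31: "Calling-Station-Id", 61: "NAS-Port-Type", 87: "NAS-Port-Id"}
SERVICE_TYPES = {1: "Login", 2: "Framed", 5: "Outbound", 6: "Administrative"}


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: zero-pad to 16-octet blocks; XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server-side inverse: regenerate the keystream, XOR, strip the zero padding."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, key))
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    """Attributes are TLVs: Type(1), Length(1, counts the 2 header octets), Value."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError(f"attribute {t} value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def build_access_request(ident, secret, username, password, nas_ip, req_auth):
    """Access-Request as the NAS sends it; attribute set modelled on the debug above."""
    attrs = [(1, username.encode()),
             (2, hide_password(password.encode(), secret, req_auth)),
             (6, struct.pack("!I", 5)),                      # Service-Type = Outbound
             (61, struct.pack("!I", 5)),                     # NAS-Port-Type = Virtual
             (4, bytes(int(o) for o in nas_ip.split(".")))]  # NAS-IP-Address
    body = encode_attrs(attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + req_auth + body


def build_response(code, ident, req_auth, secret, attrs=()):
    """Accept/Reject/Challenge: Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    return hdr + hashlib.md5(hdr + req_auth + body + secret).digest() + body


def response_is_authentic(resp: bytes, req_auth: bytes, secret: bytes) -> bool:
    """NAS-side check: the reply was built with the shared secret for this request."""
    hdr, got, body = resp[:4], resp[4:20], resp[20:]
    return hmac.compare_digest(got, hashlib.md5(hdr + req_auth + body + secret).digest())


def decode(pkt: bytes) -> dict:
    """Parse header and attribute list; any length mismatch raises ValueError."""
    if len(pkt) < 20:
        raise ValueError("RADIUS packet shorter than 20 octets")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"Length field {length} != {len(pkt)} octets received")
    attrs, pos = [], 20
    while pos < length:
        t = pkt[pos]
        l = pkt[pos + 1] if pos + 1 < length else 0
        if l < 2 or pos + l > length:
            raise ValueError(f"bad length {l} for attribute {t}")
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return {"code": CODES.get(code, f"code {code}"), "id": ident,
            "authenticator": pkt[4:20], "attrs": attrs}


def summarize(attrs) -> dict:
    """Readable view of the attributes NPS matches policy on; the password stays masked."""
    out = {}
    for t, v in attrs:
        name = ATTR_NAMES.get(t, f"Attr-{t}")
        if t == 2:
            out[name] = "*"
        elif t in (1, 31, 87):
            out[name] = v.decode("utf-8", errors="replace")
        elif t == 4 and len(v) == 4:
            out[name] = ".".join(str(b) for b in v)
        elif t == 6 and len(v) == 4:
            out[name] = SERVICE_TYPES.get(struct.unpack("!I", v)[0], v.hex())
        else:
            out[name] = v.hex()
    return out
```

    Usage: build_access_request(61, secret, "EasyVPN", "cisco", "192.168.11.1", req_auth) gives a 65-octet packet; decode() and summarize() on it show User-Name "EasyVPN" and Service-Type Outbound, which is what NPS sees when it evaluates the request against a policy, and build_response(3, 61, req_auth, secret) is the 20-octet Access-Reject the debug shows coming back. User-Password hiding is obfuscation keyed on the shared secret, not encryption in the modern sense, which is why RADIUS traffic belongs on a management network or inside IPsec.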

    Going through your post, I could see that RADIUS is sending an Access-Reject because the RADIUS Access-Request is sending a VPN group name in the user name field. I was in a discussion of the same problem a few days ago and that got resolved by making 2 changes:
    replace the authorization from radius to local
    and
    changing the encryption type in the transform set
    However, your configuration already has those changes.
    Here you can check the same: https://supportforums.cisco.com/thread/2226065
    Could you please tell me what exactly the radius server is complaining about? Can you please paste the error you're getting on the radius server.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Cisco 871w, radius server local, and leap or eap-fast will not authenticate

    Hello, I am trying to set up EAP-FAST or LEAP on my 871w. I believe I have it configured correctly, but I cannot get any device to authenticate to the router. Below is the configuration that is being used. Any help would be welcome!
    ! Last configuration change at 15:51:30 AZT Wed Jan 4 2012 by testtest
    ! NVRAM config last updated at 15:59:37 AZT Wed Jan 4 2012 by testtest
    version 12.4
    configuration mode exclusive auto
    service nagle
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service linenumber
    service pt-vty-logging
    service sequence-numbers
    hostname router871
    boot-start-marker
    boot-end-marker
    logging count
    logging message-counter syslog
    logging buffered 4096
    logging rate-limit 512 except critical
    logging console critical
    enable secret 5 <omitted>
    aaa new-model
    aaa group server radius rad-test3
    server 192.168.16.49 auth-port 1812 acct-port 1813
    aaa authentication login default local
    aaa authentication login eap-methods group rad-test3
    aaa authorization exec default local
    aaa session-id common
    clock timezone AZT -7
    clock save interval 8
    dot11 syslog
    dot11 ssid test2
    vlan 2
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 7 <omitted>
    dot11 ssid test1
    vlan 1
    authentication open
    authentication key-management wpa
    wpa-psk ascii 7 <omitted>
    dot11 ssid test3
    vlan 3
    authentication open eap eap-methods
    authentication network-eap eap-methods
    no ip source-route
    no ip gratuitous-arps
    ip options drop
    ip dhcp bootp ignore
    ip dhcp excluded-address 192.162.16.49 192.162.16.51
    ip dhcp excluded-address 192.168.16.33
    ip dhcp excluded-address 192.168.16.1 192.168.16.4
    ip dhcp pool vlan1pool
       import all
       network 192.168.16.0 255.255.255.224
       default-router 192.168.16.1
       domain-name test1.local.home
       lease 4
    ip dhcp pool vlan2pool
       import all
       network 192.168.16.32 255.255.255.240
       default-router 192.168.16.33
       domain-name test2.local.home
       lease 0 6
    ip dhcp pool vlan3pool
       import all
       network 192.168.16.48 255.255.255.240
       default-router 192.168.16.49
       domain-name test3.local.home
       lease 2
    ip cef
    ip inspect alert-off
    ip inspect max-incomplete low 25
    ip inspect max-incomplete high 50
    ip inspect one-minute low 25
    ip inspect one-minute high 50
    ip inspect udp idle-time 15
    ip inspect tcp idle-time 1800
    ip inspect tcp finwait-time 30
    ip inspect tcp synwait-time 60
    ip inspect tcp block-non-session
    ip inspect tcp max-incomplete host 25 block-time 2
    ip inspect name firewall tcp router-traffic
    ip inspect name firewall ntp
    ip inspect name firewall ftp
    ip inspect name firewall udp router-traffic
    ip inspect name firewall pop3
    ip inspect name firewall pop3s
    ip inspect name firewall imap
    ip inspect name firewall imap3
    ip inspect name firewall imaps
    ip inspect name firewall smtp
    ip inspect name firewall ssh
    ip inspect name firewall icmp router-traffic timeout 10
    ip inspect name firewall dns
    ip inspect name firewall h323
    ip inspect name firewall hsrp
    ip inspect name firewall telnet
    ip inspect name firewall tftp
    no ip bootp server
    no ip domain lookup
    ip domain name local.home
    ip name-server 8.8.8.8
    ip name-server 8.8.4.4
    ip accounting-threshold 100
    ip accounting-list 192.168.16.0 0.0.0.31
    ip accounting-list 192.168.16.32 0.0.0.15
    ip accounting-list 192.168.16.48 0.0.0.15
    ip accounting-transits 25
    login block-for 120 attempts 5 within 60
    login delay 5
    login on-failure log
    memory free low-watermark processor 65536
    memory free low-watermark IO 16384
    username testtest password 7 <omitted>
    archive
    log config
      logging enable
      logging size 255
      notify syslog contenttype plaintext
      hidekeys
    path tftp://<omitted>/archive-config
    write-memory
    ip tcp synwait-time 10
    ip ssh time-out 20
    ip ssh authentication-retries 2
    ip ssh logging events
    ip ssh version 2
    bridge irb
    interface Loopback0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    interface Null0
    no ip unreachables
    interface FastEthernet0
    switchport mode trunk
    shutdown
    interface FastEthernet1
    switchport mode trunk
    shutdown
    interface FastEthernet2
    shutdown
    spanning-tree portfast
    interface FastEthernet3
    spanning-tree portfast
    interface FastEthernet4
    description Cox Internet Connection
    ip address dhcp
    ip access-group ingress-filter in
    ip access-group egress-filter out
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip accounting access-violations
    ip flow ingress
    ip flow egress
    ip inspect firewall out
    ip nat outside
    ip virtual-reassembly
    ip tcp adjust-mss 1460
    load-interval 30
    duplex auto
    speed auto
    no cdp enable
    interface Dot11Radio0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    encryption vlan 1 mode ciphers aes-ccm
    encryption vlan 2 mode ciphers aes-ccm
    encryption key 1 size 128bit 7 <omitted> transmit-key
    encryption mode wep mandatory
    broadcast-key vlan 1 change <omitted> membership-termination
    broadcast-key vlan 3 change <omitted> membership-termination
    broadcast-key vlan 2 change <omitted> membership-termination
    ssid test2
    ssid test1
    ssid test3
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    rts threshold 2312
    no cdp enable
    interface Dot11Radio0.1
    description <omitted>
    encapsulation dot1Q 1 native
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    interface Dot11Radio0.2
    description <omitted>
    encapsulation dot1Q 2
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    bridge-group 2
    bridge-group 2 subscriber-loop-control
    bridge-group 2 spanning-disabled
    bridge-group 2 block-unknown-source
    no bridge-group 2 source-learning
    no bridge-group 2 unicast-flooding
    interface Dot11Radio0.3
    description <omitted>
    encapsulation dot1Q 3
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    bridge-group 3
    bridge-group 3 subscriber-loop-control
    bridge-group 3 spanning-disabled
    bridge-group 3 block-unknown-source
    no bridge-group 3 source-learning
    no bridge-group 3 unicast-flooding
    interface Vlan1
    description <omitted>
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    bridge-group 1
    bridge-group 1 spanning-disabled
    interface Vlan2
    description <omitted>
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    bridge-group 2
    bridge-group 2 spanning-disabled
    interface Vlan3
    description <omitted>
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    bridge-group 3
    bridge-group 3 spanning-disabled
    interface BVI1
    description <omitted>
    ip address 192.168.16.1 255.255.255.224
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    interface BVI2
    description <omitted>
    ip address 192.168.16.33 255.255.255.240
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    interface BVI3
    description <omitted>
    ip address 192.168.16.49 255.255.255.240
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip http secure-ciphersuite 3des-ede-cbc-sha rc4-128-sha
    ip http timeout-policy idle 5 life 43200 requests 5
    ip flow-top-talkers
    top 10
    sort-by bytes
    ip nat inside source list 1 interface FastEthernet4 overload
    ip nat inside source static tcp 192.168.16.50 80 interface FastEthernet4 80
    ip nat inside source static tcp 192.168.16.50 53 interface FastEthernet4 53
    ip nat inside source static tcp 192.168.16.50 3074 interface FastEthernet4 3074
    ip nat inside source static udp 192.168.16.50 3074 interface FastEthernet4 3074
    ip nat inside source static udp 192.168.16.50 88 interface FastEthernet4 88
    ip nat inside source static udp 192.168.16.50 53 interface FastEthernet4 53
    ip access-list extended egress-filter
    deny   ip any host <omitted>
    deny   ip any host <omitted>
    deny   ip host <omitted> any
    deny   ip host <omitted> any
    remark ----- Bogons Filter -----
    deny   ip 0.0.0.0 0.255.255.255 any
    deny   ip 10.0.0.0 0.10.9.255 any
    deny   ip 10.0.0.0 0.10.13.255 any
    deny   ip 127.0.0.0 0.255.255.255 any
    deny   ip 169.254.0.0 0.0.255.255 any
    deny   ip 172.16.0.0 0.15.255.255 any
    deny   ip 192.0.0.0 0.0.0.255 any
    deny   ip 192.0.2.0 0.0.0.255 any
    deny   ip 192.168.0.0 0.0.15.255 any
    deny   ip 192.168.0.0 0.0.255.255 any
    deny   ip 198.18.0.0 0.1.255.255 any
    deny   ip 198.51.100.0 0.0.0.255 any
    deny   ip 203.0.113.0 0.0.0.255 any
    deny   ip 224.0.0.0 31.255.255.255 any
    remark ----- Internal networks -----
    permit ip <omitted> 0.0.0.3 any
    deny   ip any any log
    ip access-list extended ingress-filter
    remark ----- To get IP form COX -----
    permit udp any eq bootps any eq bootpc
    deny   icmp any any log
    deny   udp any any eq echo
    deny   udp any eq echo any
    deny   tcp any any fragments
    deny   udp any any fragments
    deny   ip any any fragments
    deny   ip any any option any-options
    deny   ip any any ttl lt 4
    deny   ip any host <omitted>
    deny   ip any host <omitted>
    deny   udp any any range 33400 34400
    remark ----- Bogons Filter -----
    deny   ip 0.0.0.0 0.255.255.255 any
    deny   ip 10.0.0.0 0.255.255.255 any
    deny   ip 127.0.0.0 0.255.255.255 any
    deny   ip 169.254.0.0 0.0.255.255 any
    deny   ip 172.16.0.0 0.15.255.255 any
    deny   ip 192.0.0.0 0.0.0.255 any
    deny   ip 192.0.2.0 0.0.0.255 any
    deny   ip 192.168.0.0 0.0.255.255 any
    deny   ip 198.18.0.0 0.1.255.255 any
    deny   ip 198.51.100.0 0.0.0.255 any
    deny   ip 203.0.113.0 0.0.0.255 any
    deny   ip 224.0.0.0 31.255.255.255 any
    remark ----- Internal networks -----
    deny   ip 10.10.10.0 0.0.0.255 any
    deny   ip 10.10.11.0 0.0.0.255 any
    deny   ip 10.10.12.0 0.0.0.255 any
    deny   ip any any log
    access-list 1 permit 192.168.16.0 0.0.0.63
    access-list 20 permit 127.127.1.1
    access-list 20 permit 204.235.61.9
    access-list 20 permit 173.201.38.85
    access-list 20 permit 216.229.4.69
    access-list 20 permit 152.2.21.1
    access-list 20 permit 130.126.24.24
    access-list 21 permit 192.168.16.0 0.0.0.63
    radius-server local
    no authentication mac
    eapfast authority id <omitted>
    eapfast authority info <omitted>
    eapfast server-key primary 7 <omitted>
    nas 192.168.16.49 key 7 <omitted>
    group rad-test3
      vlan 3
      ssid test3
    user test nthash 7 <omitted> group rad-test3
    user testtest nthash 7 <omitted> group rad-test3
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 192.168.16.49 auth-port 1812 acct-port 1813 key 7 <omitted>
    radius-server vsa send accounting
    control-plane host
    control-plane transit
    control-plane cef-exception
    control-plane
    bridge 1 protocol ieee
    bridge 1 route ip
    bridge 2 protocol ieee
    bridge 2 route ip
    bridge 3 protocol ieee
    bridge 3 route ip
    line con 0
    password 7 <omitted>
    logging synchronous
    no modem enable
    transport output telnet
    line aux 0
    password 7 <omitted>
    logging synchronous
    transport output telnet
    line vty 0 4
    password 7 <omitted>
    logging synchronous
    transport preferred ssh
    transport input ssh
    transport output ssh
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    process cpu threshold type total rising 80 interval 10 falling 40 interval 10
    ntp authentication-key 1 md5 <omitted> 7
    ntp authenticate
    ntp trusted-key 1
    ntp source FastEthernet4
    ntp access-group peer 20
    ntp access-group serve-only 21
    ntp master 1
    ntp server 152.2.21.1 maxpoll 4
    ntp server 204.235.61.9 maxpoll 4
    ntp server 130.126.24.24 maxpoll 4
    ntp server 216.229.4.69 maxpoll 4
    ntp server 173.201.38.85 maxpoll 4
    end

So this is what I am getting now for debug. Any thoughts?
    010724: Jan  5 16:26:04.527 AZT: RADIUS: Retransmit to (162.168.16.49:1812,1813) for id 1645/2
    010725: Jan  5 16:26:08.976 AZT: RADIUS: No response from (162.168.16.49:1812,1813) for id 1645/2
    010726: Jan  5 16:26:08.976 AZT: RADIUS/DECODE: No response from radius-server; parse response; FAIL
    010727: Jan  5 16:26:08.976 AZT: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
    010728: Jan  5 16:26:08.976 AZT: dot11_auth_dot1x_parse_aaa_resp: Received server response: FAIL
    010729: Jan  5 16:26:08.976 AZT: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
    010730: Jan  5 16:26:08.976 AZT: Client d8b3.7759.0488 failed: EAP reason 1
    010731: Jan  5 16:26:08.976 AZT: dot11_auth_dot1x_parse_aaa_resp: Failed client d8b3.7759.0488 with aaa_req_status_detail 1
    010732: Jan  5 16:26:08.976 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_FAIL) for d8b3.7759.0488
    010733: Jan  5 16:26:08.976 AZT: dot11_auth_dot1x_send_response_to_client: Forwarding server message to client d8b3.7759.0488
    010734: Jan  5 16:26:08.976 AZT: EAPOL pak dump tx
    010735: Jan  5 16:26:08.976 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0004
    010736: Jan  5 16:26:08.976 AZT: EAP code: 0x4  id: 0x1  length: 0x0004
    0AD05650:                   01000004 04010004          ........
    0AD05660:
    010737: Jan  5 16:26:08.980 AZT: dot11_auth_send_msg:  sending data to requestor status 1
    010738: Jan  5 16:26:08.980 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
    010739: Jan  5 16:26:08.980 AZT: dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds
    010740: Jan  5 16:26:08.980 AZT: dot11_auth_dot1x_send_client_fail: Authentication failed for d8b3.7759.0488
    010741: Jan  5 16:26:08.980 AZT: dot11_auth_send_msg:  sending data to requestor status 0
    010742: Jan  5 16:26:08.980 AZT: dot11_auth_send_msg: client FAILED to authenticate d8b3.7759.0488, node_type 64 for application 0x1
    010743: Jan  5 16:26:08.980 AZT: dot11_auth_delete_client_entry: d8b3.7759.0488 is deleted for application 0x1
    010744: Jan  5 16:26:08.984 AZT: %DOT11-7-AUTH_FAILED: Station d8b3.7759.0488 Authentication failed
    010745: Jan  5 16:26:09.624 AZT: dot11_auth_add_client_entry: Create new client d8b3.7759.0488 for application 0x1
    010746: Jan  5 16:26:09.624 AZT: dot11_auth_initialize_client: d8b3.7759.0488 is added to the client list for application 0x1
    010747: Jan  5 16:26:09.624 AZT: dot11_auth_add_client_entry: req->auth_type 0
    010748: Jan  5 16:26:09.624 AZT: dot11_auth_add_client_entry: auth_methods_inprocess: 2
    010749: Jan  5 16:26:09.624 AZT: dot11_auth_add_client_entry: eap list name: eap-methods
    010750: Jan  5 16:26:09.624 AZT: dot11_run_auth_methods: Start auth method EAP or LEAP
    010751: Jan  5 16:26:09.624 AZT: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
    010752: Jan  5 16:26:09.624 AZT: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to d8b3.7759.0488
    010753: Jan  5 16:26:09.624 AZT: EAPOL pak dump tx
    010754: Jan  5 16:26:09.624 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0031
    010755: Jan  5 16:26:09.624 AZT: EAP code: 0x1  id: 0x1  length: 0x0031 type: 0x1
    0AD05B50:                   01000031 01010031          ...1...1
    0AD05B60: 01006E65 74776F72 6B69643D 746F7973  ..networkid=toys
    0AD05B70: 6F6E7067 2C6E6173 69643D72 6F757465  onpg,nasid=route
    0AD05B80: 72383731 2C706F72 7469643D 30        r871,portid=0
    010756: Jan  5 16:26:09.644 AZT: dot11_auth_send_msg:  sending data to requestor status 1
    010757: Jan  5 16:26:09.648 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
    010758: Jan  5 16:26:09.648 AZT: dot11_auth_dot1x_send_id_req_to_client: Client d8b3.7759.0488 timer started for 30 seconds
    010759: Jan  5 16:26:09.656 AZT: dot11_auth_parse_client_pak: Received EAPOL packet from d8b3.7759.0488
    010760: Jan  5 16:26:09.656 AZT: EAPOL pak dump rx
    010761: Jan  5 16:26:09.656 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0009
    010762: Jan  5 16:26:09.656 AZT: EAP code: 0x2  id: 0x1  length: 0x0009 type: 0x1
    0B060D50:                   01000009 02010009          ........
    0B060D60: 01746573 74                          .test
    010763: Jan  5 16:26:09.660 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY) for d8b3.7759.0488
    010764: Jan  5 16:26:09.660 AZT: dot11_auth_dot1x_send_response_to_server: Sending client d8b3.7759.0488 data to server
    010765: Jan  5 16:26:09.660 AZT: dot11_auth_dot1x_send_response_to_server: Started timer server_timeout 60 seconds
    010766: Jan  5 16:26:09.664 AZT: RADIUS/ENCODE(00000198):Orig. component type = DOT11
    010767: Jan  5 16:26:09.664 AZT: RADIUS:  AAA Unsupported Attr: ssid              [282] 8
    010768: Jan  5 16:26:09.664 AZT: RADIUS:   74 6F 79 73 6F 6E                                [toyson]
    010769: Jan  5 16:26:09.664 AZT: RADIUS:  AAA Unsupported Attr: interface         [175] 3
    010770: Jan  5 16:26:09.664 AZT: RADIUS:   36                                               [6]
    010771: Jan  5 16:26:09.664 AZT: RADIUS(00000198): Config NAS IP: 192.168.16.49
    010772: Jan  5 16:26:09.664 AZT: RADIUS/ENCODE(00000198): acct_session_id: 408
    010773: Jan  5 16:26:09.664 AZT: RADIUS(00000198): Config NAS IP: 192.168.16.49
    010774: Jan  5 16:26:09.664 AZT: RADIUS(00000198): sending
    010775: Jan  5 16:26:09.664 AZT: RADIUS(00000198): Send Access-Request to 162.168.16.49:1645 id 1645/3, len 133
    010776: Jan  5 16:26:09.664 AZT: RADIUS:  authenticator BF 69 DD DF 89 1F C6 FB - EF EC 12 EB C5 3F 3A CD
    010777: Jan  5 16:26:09.664 AZT: RADIUS:  User-Name           [1]   6   "test"
    010778: Jan  5 16:26:09.664 AZT: RADIUS:  Framed-MTU          [12]  6   1400
    010779: Jan  5 16:26:09.664 AZT: RADIUS:  Called-Station-Id   [30]  16  "0019.3075.e660"
    010780: Jan  5 16:26:09.664 AZT: RADIUS:  Calling-Station-Id  [31]  16  "d8b3.7759.0488"
    010781: Jan  5 16:26:09.668 AZT: RADIUS:  Service-Type        [6]   6   Login                     [1]
    010782: Jan  5 16:26:09.668 AZT: RADIUS:  Message-Authenticato[80]  18
    010783: Jan  5 16:26:09.668 AZT: RADIUS:   5B FA 47 07 0E E3 4B 71 7F 60 6E 4E 91 37 84 A6  [[?G???Kq?`nN?7??]
    010784: Jan  5 16:26:09.668 AZT: RADIUS:  EAP-Message         [79]  11
    010785: Jan  5 16:26:09.668 AZT: RADIUS:   02 01 00 09 01 74 65 73 74                       [?????test]
    010786: Jan  5 16:26:09.668 AZT: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
    010787: Jan  5 16:26:09.668 AZT: RADIUS:  NAS-Port            [5]   6   661
    010788: Jan  5 16:26:09.668 AZT: RADIUS:  NAS-Port-Id         [87]  5   "661"
    010789: Jan  5 16:26:09.668 AZT: RADIUS:  NAS-IP-Address      [4]   6   192.168.16.49
    010790: Jan  5 16:26:09.668 AZT: RADIUS:  Nas-Identifier      [32]  11  "router871"
    010791: Jan  5 16:26:14.501 AZT: RADIUS: Retransmit to (162.168.16.49:1645,1646) for id 1645/3
    router871#
    010792: Jan  5 16:26:19.018 AZT: RADIUS: Retransmit to (162.168.16.49:1645,1646) for id 1645/3
    router871#
    010793: Jan  5 16:26:23.739 AZT: RADIUS: Retransmit to (162.168.16.49:1645,1646) for id 1645/3
    router871#
    010794: Jan  5 16:26:28.700 AZT: RADIUS: Fail-over to (162.168.16.49:1812,1813) for id 1645/3
    router871#
    010795: Jan  5 16:26:33.629 AZT: RADIUS: Retransmit to (162.168.16.49:1812,1813) for id 1645/3
    router871#
    010796: Jan  5 16:26:38.494 AZT: RADIUS: Retransmit to (162.168.16.49:1812,1813) for id 1645/3
    router871#
    010797: Jan  5 16:26:39.794 AZT: dot11_auth_parse_client_pak: Received EAPOL packet from d8b3.7759.0488
    010798: Jan  5 16:26:39.794 AZT: EAPOL pak dump rx
    010799: Jan  5 16:26:39.794 AZT: EAPOL Version: 0x1  type: 0x1  length: 0x0000
    0AD053D0:                   01010000                   ....
    010800: Jan  5 16:26:39.798 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,EAP_START) for d8b3.7759.0488
    010801: Jan  5 16:26:39.798 AZT: dot11_auth_dot1x_ignore_event: Ignore event: do nothing
    router871#
    010802: Jan  5 16:26:43.007 AZT: RADIUS: Retransmit to (162.168.16.49:1812,1813) for id 1645/3
    router871#
    010803: Jan  5 16:26:47.336 AZT: RADIUS: No response from (162.168.16.49:1812,1813) for id 1645/3
    010804: Jan  5 16:26:47.336 AZT: RADIUS/DECODE: No response from radius-server; parse response; FAIL
    010805: Jan  5 16:26:47.336 AZT: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
    010806: Jan  5 16:26:47.336 AZT: dot11_auth_dot1x_parse_aaa_resp: Received server response: FAIL
    010807: Jan  5 16:26:47.336 AZT: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
    010808: Jan  5 16:26:47.336 AZT: Client d8b3.7759.0488 failed: EAP reason 1
    010809: Jan  5 16:26:47.336 AZT: dot11_auth_dot1x_parse_aaa_resp: Failed client d8b3.7759.0488 with aaa_req_status_detail 1
    010810: Jan  5 16:26:47.336 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_FAIL) for d8b3.7759.0488
    010811: Jan  5 16:26:47.336 AZT: dot11_auth_dot1x_send_response_to_client: Forwarding server message to client d8b3.7759.0488
    010812: Jan  5 16:26:47.336 AZT: EAPOL pak dump tx
    010813: Jan  5 16:26:47.336 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0004
    010814: Jan  5 16:26:47.336 AZT: EAP code: 0x4  id: 0x1  length: 0x0004
    0B060710:                   01000004 04010004          ........
    0B060720:
    010815: Jan  5 16:26:47.340 AZT: dot11_auth_send_msg:  sending data to requestor status 1
    010816: Jan  5 16:26:47.340 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
    010817: Jan  5 16:26:47.340 AZT: dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds
    010818: Jan  5 16:26:47.340 AZT: dot11_auth_dot1x_send_client_fail: Authentication failed for d8b3.7759.0488
    010819: Jan  5 16:26:47.340 AZT: dot11_auth_send_msg:  sending data to requestor status 0
    010820: Jan  5 16:26:47.340 AZT: dot11_auth_send_msg: client FAILED to authenticate d8b3.7759.0488, node_type 64 for application 0x1
    router871#
    010821: Jan  5 16:26:47.340 AZT: dot11_auth_delete_client_entry: d8b3.7759.0488 is deleted for application 0x1
    010822: Jan  5 16:26:47.344 AZT: %DOT11-7-AUTH_FAILED: Station d8b3.7759.0488 Authentication failed
    010823: Jan  5 16:26:47.972 AZT: dot11_auth_add_client_entry: Create new client d8b3.7759.0488 for application 0x1
    010824: Jan  5 16:26:47.972 AZT: dot11_auth_initialize_client: d8b3.7759.0488 is added to the client list for application 0x1
    010825: Jan  5 16:26:47.972 AZT: dot11_auth_add_client_entry: req->auth_type 0
    010826: Jan  5 16:26:47.972 AZT: dot11_auth_add_client_entry: auth_methods_inprocess: 2
    010827: Jan  5 16:26:47.972 AZT: dot11_auth_add_client_entry: eap list name: eap-methods
    010828: Jan  5 16:26:47.976 AZT: dot11_run_auth_methods: Start auth method EAP or LEAP
    010829: Jan  5 16:26:47.976 AZT: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
    010830: Jan  5 16:26:47.976 AZT: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to d8b3.7759.0488
    010831: Jan  5 16:26:47.976 AZT: EAPOL pak dump tx
    010832: Jan  5 16:26:47.976 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0031
    010833: Jan  5 16:26:47.976 AZT: EAP code: 0x1  id: 0x1  length: 0x0031 type: 0x1
    0AD05B50:                   01000031 01010031          ...1...1
    0AD05B60: 01006E65 74776F72 6B69643D 746F7973  ..networkid=toys
    0AD05B70: 6F6E7067 2C6E6173 69643D72 6F757465  onpg,nasid=route
    0AD05B80: 72383731 2C706F72 7469643D 30        r871,portid=0
    010834: Jan  5 16:26:47.996 AZT: dot11_auth_send_msg:  sending data to requestor status 1
    010835: Jan  5 16:26:47.996 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
    010836: Jan  5 16:26:47.996 AZT: dot11_auth_dot1x_send_id_req_to_client: Client d8b3.7759.0488 timer started for 30 seconds
    010837: Jan  5 16:26:47.996 AZT: dot11_auth_client_abort: Received abort request for client d8b3.7759.0488
    010838: Jan  5 16:26:47.996 AZT: dot11_auth_client_abort: Aborting client d8b3.7759.0488 for application 0x1
    router871#
    010839: Jan  5 16:26:47.996 AZT: dot11_auth_delete_client_entry: d8b3.7759.0488 is deleted for application 0x1
    router871#
    010840: Jan  5 16:26:58.634 AZT: dot11_auth_add_client_entry: Create new client d8b3.7759.0488 for application 0x1
    010841: Jan  5 16:26:58.634 AZT: dot11_auth_initialize_client: d8b3.7759.0488 is added to the client list for application 0x1
    010842: Jan  5 16:26:58.638 AZT: dot11_auth_add_client_entry: req->auth_type 0
    010843: Jan  5 16:26:58.638 AZT: dot11_auth_add_client_entry: auth_methods_inprocess: 2
    010844: Jan  5 16:26:58.638 AZT: dot11_auth_add_client_entry: eap list name: eap-methods
    010845: Jan  5 16:26:58.638 AZT: dot11_run_auth_methods: Start auth method EAP or LEAP
    010846: Jan  5 16:26:58.638 AZT: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
    010847: Jan  5 16:26:58.638 AZT: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to d8b3.7759.0488
    010848: Jan  5 16:26:58.638 AZT: EAPOL pak dump tx
    010849: Jan  5 16:26:58.638 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0031
    010850: Jan  5 16:26:58.638 AZT: EAP code: 0x1  id: 0x1  length: 0x0031 type: 0x1
    0B060710:                   01000031 01010031          ...1...1
    0B060720: 01006E65 74776F72 6B69643D 746F7973  ..networkid=toys
    0B060730: 6F6E7067 2C6E6173 69643D72 6F757465  onpg,nasid=route
    0B060740: 72383731 2C706F72 7469643D 30        r871,portid=0
    010851: Jan  5 16:26:58.658 AZT: dot11_auth_send_msg:  sending data to requestor status 1
    010852: Jan  5 16:26:58.658 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
    010853: Jan  5 16:26:58.658 AZT: dot11_auth_dot1x_send_id_req_to_client: Client d8b3.7759.0488 timer started for 30 seconds
    010854: Jan  5 16:27:01.603 AZT: dot11_auth_client_abort: Received abort request for client d8b3.7759.0488
    010855: Jan  5 16:27:01.603 AZT: dot11_auth_client_abort: Aborting client d8b3.7759.0488 for application 0x1
    010856: Jan  5 16:27:01.603 AZT: dot11_auth_delete_client_entry: d8b3.7759.0488 is deleted for application 0x1
    010857: Jan  5 16:27:02.179 AZT: %SEC-6-IPACCESSLOGP: list ingress-filter denied tcp 32.42.41.254(57443) -> 72.201.117.84(59652), 1 packet
    010858: Jan  5 16:27:02.179 AZT: %SEC-6-IPACCESSLOGP: list egress-filter denied tcp 22.3.184.118(0) -> 74.125.53.188(0), 4 packets
    010859: Jan  5 16:27:12.261 AZT: dot11_auth_add_client_entry: Create new client d8b3.7759.0488 for application 0x1
    010860: Jan  5 16:27:12.261 AZT: dot11_auth_initialize_client: d8b3.7759.0488 is added to the client list for application 0x1
    010861: Jan  5 16:27:12.261 AZT: dot11_auth_add_client_entry: req->auth_type 0
    010862: Jan  5 16:27:12.261 AZT: dot11_auth_add_client_entry: auth_methods_inprocess: 2
    010863: Jan  5 16:27:12.261 AZT: dot11_auth_add_client_entry: eap list name: eap-methods
    010864: Jan  5 16:27:12.261 AZT: dot11_run_auth_methods: Start auth method EAP or LEAP
    010865: Jan  5 16:27:12.261 AZT: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
    010866: Jan  5 16:27:12.261 AZT: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to d8b3.7759.0488
    010867: Jan  5 16:27:12.261 AZT: EAPOL pak dump tx
    010868: Jan  5 16:27:12.261 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0031
    010869: Jan  5 16:27:12.261 AZT: EAP code: 0x1  id: 0x1  length: 0x0031 type: 0x1
    0B060FD0:                   01000031 01010031          ...1...1
    0B060FE0: 01006E65 74776F72 6B69643D 746F7973  ..networkid=toys
    0B060FF0: 6F6E7067 2C6E6173 69643D72 6F757465  onpg,nasid=route
    0B061000: 72383731 2C706F72 7469643D 30        r871,portid=0
    010870: Jan  5 16:27:12.285 AZT: dot11_auth_send_msg:  sending data to requestor status 1
    010871: Jan  5 16:27:12.285 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
    010872: Jan  5 16:27:12.285 AZT: dot11_auth_dot1x_send_id_req_to_client: Client d8b3.7759.0488 timer started for 30 seconds
    010873: Jan  5 16:27:12.293 AZT: dot11_auth_parse_client_pak: Received EAPOL packet from d8b3.7759.0488
    010874: Jan  5 16:27:12.293 AZT: EAPOL pak dump rx
    010875: Jan  5 16:27:12.293 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0009
    010876: Jan  5 16:27:12.293 AZT: EAP code: 0x2  id: 0x1  length: 0x0009 type: 0x1
    0AD05290:                   01000009 02010009          ........
    0AD052A0: 01746573 74                          .test
    010877: Jan  5 16:27:12.301 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY) for d8b3.7759.0488
    010878: Jan  5 16:27:12.301 AZT: dot11_auth_dot1x_send_response_to_server: Sending client d8b3.7759.0488 data to server
    010879: Jan  5 16:27:12.301 AZT: dot11_auth_dot1x_send_response_to_server: Started timer server_timeout 60 seconds
    010880: Jan  5 16:27:12.301 AZT: RADIUS/ENCODE(0000019B):Orig. component type = DOT11
    010881: Jan  5 16:27:12.305 AZT: RADIUS:  AAA Unsupported Attr: ssid              [282] 8
    010882: Jan  5 16:27:12.305 AZT: RADIUS:   74 6F 79 73 6F 6E                                [toyson]
    010883: Jan  5 16:27:12.305 AZT: RADIUS:  AAA Unsupported Attr: interface         [175] 3
    010884: Jan  5 16:27:12.305 AZT: RADIUS:   36                                               [6]
    010885: Jan  5 16:27:12.305 AZT: RADIUS(0000019B): Config NAS IP: 192.168.16.49
    010886: Jan  5 16:27:12.305 AZT: RADIUS/ENCODE(0000019B): acct_session_id: 411
    010887: Jan  5 16:27:12.305 AZT: RADIUS(0000019B): Config NAS IP: 192.168.16.49
    010888: Jan  5 16:27:12.305 AZT: RADIUS(0000019B): sending
    010889: Jan  5 16:27:12.305 AZT: RADIUS(0000019B): Send Access-Request to 162.168.16.49:1645 id 1645/4, len 133
    010890: Jan  5 16:27:12.305 AZT: RADIUS:  authenticator 6F 6C 63 31 88 DE 30 A2 - C2 06 12 EB 50 A3 53 36
    010891: Jan  5 16:27:12.305 AZT: RADIUS:  User-Name           [1]   6   "test"
    010892: Jan  5 16:27:12.305 AZT: RADIUS:  Framed-MTU          [12]  6   1400
    010893: Jan  5 16:27:12.305 AZT: RADIUS:  Called-Station-Id   [30]  16  "0019.3075.e660"
    010894: Jan  5 16:27:12.305 AZT: RADIUS:  Calling-Station-Id  [31]  16  "d8b3.7759.0488"
    010895: Jan  5 16:27:12.305 AZT: RADIUS:  Service-Type        [6]   6   Login                     [1]
    010896: Jan  5 16:27:12.305 AZT: RADIUS:  Message-Authenticato[80]  18
    010897: Jan  5 16:27:12.305 AZT: RADIUS:   9D D5 62 1A 38 13 94 30 3A 43 D7 A4 AE A4 43 64  [??b?8??0:C????Cd]
    010898: Jan  5 16:27:12.305 AZT: RADIUS:  EAP-Message         [79]  11
    010899: Jan  5 16:27:12.305 AZT: RADIUS:   02 01 00 09 01 74 65 73 74                       [?????test]
    010900: Jan  5 16:27:12.305 AZT: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
    010901: Jan  5 16:27:12.305 AZT: RADIUS:  NAS-Port            [5]   6   664
    010902: Jan  5 16:27:12.309 AZT: RADIUS:  NAS-Port-Id         [87]  5   "664"
    010903: Jan  5 16:27:12.309 AZT: RADIUS:  NAS-IP-Address      [4]   6   192.168.16.49
    010904: Jan  5 16:27:12.309 AZT: RADIUS:  Nas-Identifier      [32]  11  "router871"
    010905: Jan  5 16:27:16.642 AZT: RADIUS: Retransmit to (162.168.16.49:1645,1646) for id 1645/4
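One check worth automating before reading further into the EAP state machine: the debug above shows every Access-Request going to 162.168.16.49 (first on port 1645, then failing over to 1812) and timing out with no response, while the running-config posted with it lists `radius-server host 192.168.16.49 ... auth-port 1812` and the local authenticator's `nas 192.168.16.49`. A request that never reaches a configured server, or that arrives at the local `radius-server local` from an address with no `nas` entry, is silently dropped, which is exactly what "No response" looks like from the NAS side. The script below is an added example, not code from the thread or from Cisco: it parses the `radius-server host` / `nas` lines and the `debug radius` messages (the regexes assume the message formats visible in the post) and reports destinations, ports and NAS source addresses the config does not account for. The sample config and debug lines are constructed to mirror the posted ones.

```python
"""
Cross-check where a Cisco IOS NAS actually sends RADIUS requests (from
'debug radius' output) against its running-config. Added example, not from the
thread; the regexes assume the message formats visible in the posted debug.
"""
import re

# Constructed sample in the shape of the posted running-config.
SAMPLE_CONFIG = """\
radius-server local
  nas 192.168.16.49 key 7 <omitted>
radius-server host 192.168.16.49 auth-port 1812 acct-port 1813 key 7 <omitted>
"""

# Constructed sample in the shape of the posted 'debug radius' lines.
SAMPLE_DEBUG = """\
010771: Jan  5 16:26:09.664 AZT: RADIUS(00000198): Config NAS IP: 192.168.16.49
010775: Jan  5 16:26:09.664 AZT: RADIUS(00000198): Send Access-Request to 162.168.16.49:1645 id 1645/3, len 133
010791: Jan  5 16:26:14.501 AZT: RADIUS: Retransmit to (162.168.16.49:1645,1646) for id 1645/3
010794: Jan  5 16:26:28.700 AZT: RADIUS: Fail-over to (162.168.16.49:1812,1813) for id 1645/3
010803: Jan  5 16:26:47.336 AZT: RADIUS: No response from (162.168.16.49:1812,1813) for id 1645/3
"""

HOST_RE = re.compile(r"^\s*radius-server host (\S+)(?: auth-port (\d+))?(?: acct-port (\d+))?")
NAS_RE = re.compile(r"^\s*nas (\S+) key")
NASIP_RE = re.compile(r"Config NAS IP: (\S+)")
SEND_RE = re.compile(r"Send Access-Request to (\S+):(\d+) id ([^\s,]+)")
EVENT_RE = re.compile(
    r"RADIUS: (Retransmit to|Fail-over to|No response from) \((\S+):(\d+),(\d+)\) for id (\S+)"
)


def parse_config(text):
    """Return ({(server_ip, auth_port)}, {nas_ip}) from radius-server host and local-server nas lines."""
    servers, nas_clients = set(), set()
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            ip, auth, _acct = m.groups()
            servers.add((ip, int(auth) if auth else 1645))  # IOS default auth-port is 1645
            continue
        m = NAS_RE.match(line)
        if m:
            nas_clients.add(m.group(1))
    return servers, nas_clients


def parse_debug(text):
    """Return ({request_id: record}, {nas_ip seen}); a record lists the (ip, auth_port)
    targets tried in order, the retransmit count, and whether the request timed out."""
    requests, nas_ips = {}, set()
    for line in text.splitlines():
        m = NASIP_RE.search(line)
        if m:
            nas_ips.add(m.group(1))
            continue
        m = SEND_RE.search(line)
        if m:
            ip, port, rid = m.groups()
            rec = requests.setdefault(rid, {"targets": [], "retransmits": 0, "no_response": False})
            rec["targets"].append((ip, int(port)))
            continue
        m = EVENT_RE.search(line)
        if m:
            kind, ip, auth, _acct, rid = m.groups()
            rec = requests.setdefault(rid, {"targets": [], "retransmits": 0, "no_response": False})
            if kind == "Retransmit to":
                rec["retransmits"] += 1
            elif kind == "Fail-over to":
                rec["targets"].append((ip, int(auth)))
            else:
                rec["no_response"] = True
    return requests, nas_ips


def find_mismatches(config_text, debug_text):
    """Return (request_id, ip, port, reason) tuples for destinations the debug shows that
    the config does not explain, for timeouts, and for NAS source addresses the local
    radius-server has no 'nas' entry for (it drops those requests silently)."""
    servers, nas_clients = parse_config(config_text)
    configured_ips = {ip for ip, _ in servers}
    requests, nas_ips = parse_debug(debug_text)
    findings = []
    for rid, rec in requests.items():
        for ip, port in rec["targets"]:
            if ip not in configured_ips:
                findings.append((rid, ip, port, "destination not in any radius-server host line"))
            elif (ip, port) not in servers:
                findings.append((rid, ip, port, "auth-port differs from the configured auth-port"))
        if rec["no_response"] and rec["targets"]:
            ip, port = rec["targets"][-1]
            findings.append((rid, ip, port, f"timed out after {rec['retransmits']} retransmits"))
    for ip in nas_ips - nas_clients:
        findings.append(("-", ip, 0, "source NAS IP has no 'nas' entry under radius-server local"))
    return findings


if __name__ == "__main__":
    for finding in find_mismatches(SAMPLE_CONFIG, SAMPLE_DEBUG):
        print(*finding)
```

Run it against a full `show running-config` and a captured `debug radius` session; every finding is something to confirm with `show radius statistics` or a packet capture on the server side before touching the EAP or certificate configuration.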
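A second check that applies to the posted ACLs rather than to RADIUS: IOS accepts a non-contiguous wildcard mask (one with "care" bits below "don't care" bits), but such an entry matches a scattered set of addresses rather than a prefix, so a line like `deny ip 10.0.0.0 0.10.9.255 any` under the "Bogons Filter" remark covers far fewer addresses than a `0.255.255.255` wildcard would, and entries such as `192.168.0.0 0.0.15.255` followed by `192.168.0.0 0.0.255.255` overlap. The lint below is an added example, not from the thread or from any Cisco tool: the sample ACL is a constructed subset of the posted egress-filter, and the checks (non-contiguous wildcard, address count, prefix containment between entries) are mine.

```python
"""
Lint the 'deny ip <addr> <wildcard> any' entries of a Cisco IOS extended ACL.
Added example, not from the thread: the sample entries are copied from the
posted egress-filter, the checks are mine.
"""
import ipaddress
import re

# Constructed sample: a subset of the posted egress-filter, in running-config form.
SAMPLE_ACL = """\
ip access-list extended egress-filter
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.10.9.255 any
 deny   ip 10.0.0.0 0.10.13.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 192.168.0.0 0.0.15.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 deny   ip any any log
"""

ACE_RE = re.compile(
    r"^\s*(permit|deny)\s+ip\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+any\b"
)


def matched_address_count(wildcard):
    """Number of addresses an ACE with this wildcard matches: one per combination of 'don't care' bits."""
    return 1 << bin(int(ipaddress.IPv4Address(wildcard))).count("1")


def wildcard_to_network(addr, wildcard):
    """Return the IPv4Network a contiguous wildcard describes, or None when the wildcard
    is non-contiguous (IOS accepts it, but it then matches scattered addresses, not a prefix)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    mask = ~wc & 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        return None
    return ipaddress.IPv4Network((addr, prefixlen), strict=False)


def lint_acl(text):
    """Return (line_no, kind, detail) findings for the source-network ACEs of an extended ACL."""
    entries = []  # (line_no, action, network) for entries with a contiguous wildcard
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = ACE_RE.match(line)
        if not m:
            continue
        action, addr, wildcard = m.groups()
        net = wildcard_to_network(addr, wildcard)
        if net is None:
            findings.append((line_no, "non-contiguous-wildcard",
                             f"{addr} {wildcard} matches only {matched_address_count(wildcard)} "
                             f"scattered addresses, not a prefix"))
            continue
        entries.append((line_no, action, net))
    # Prefix containment: an earlier broader entry shadows a later narrower one; an earlier
    # narrower entry is redundant when a later broader entry with the same action exists.
    for i, (ln_i, act_i, net_i) in enumerate(entries):
        for ln_j, act_j, net_j in entries[i + 1:]:
            if net_j.subnet_of(net_i):
                findings.append((ln_j, "shadowed-by-earlier-entry",
                                 f"{net_j} already covered by {net_i} on line {ln_i}"))
            elif net_i.subnet_of(net_j) and act_i == act_j:
                findings.append((ln_i, "covered-by-later-entry",
                                 f"{net_i} is redundant with {net_j} on line {ln_j}"))
    return findings


if __name__ == "__main__":
    for line_no, kind, detail in lint_acl(SAMPLE_ACL):
        print(f"line {line_no}: {kind}: {detail}")
```

The same function works on the ingress-filter; entries using `host` or `any` as the source are skipped, since the containment check only makes sense between network entries.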

  • Client Exclusion Policies on WLC not working with ISE as RADIUS Server

    Hi,
    for our Guest WLAN (Security Setting for this SSID: Layer2: MAC filtering, Layer3: none) we use ISE as RADIUS Server. On WLC I enabled client exclusion policies and checked all options (Excessive 802.11 Auth. Failures etc.). But even if a client fails 20 times at authentication, it is not excluded on the WLC. It works with other SSIDs, where security settings are set to 802.1x.
    Am I missing any settings here, or do you have some tips on how to troubleshoot this?
    Thanks very much!

    Hi Renata,
    If those guest failures are not associated with valid guest users (i.e. people who have forgotten their account or are entering the wrong password) there isn't anything that can be done. The main point of a Guest WLAN is to make it as easy as possible for Guests - individuals with device configurations you don't want to deal with or know about - to connect to your network for internet access. From a WiFi/802.11 perspective, the standard Guest WLAN setup means it's easy for any device to connect.
    If your Guest WLAN has the following:
    SSID broadcast enabled, Security = OPEN, Encryption = none, then any 802.11 device can find the WLAN via passive scanning and connect. And any device that connects will get the ISE portal. Once receiving that portal they can guess away at valid username/password.
    I would suspect that unless your Guest WiFi is adjacent to a mall, school, hotel or other high-density area of individuals with time and electronics on their hands, other than alerts in your ops window and logs, the resources associated with this (WLC & ISE) are very low.
    You can try and dull the noise a few ways.
    Option 1. Create an ISE log filter on those alerts so they don't clutter the console.
    Option 2. Stop broadcasting the SSID. This is not a security measure, but it will cut the volume of people connecting to the SSID significantly. You will have to tell your guests the SSID or include it in their credential communication.
    Option 3. Put a very simple PSK on the SSID. The PSK will become a public secret - shared with valid guests - and doesn't have to change, as its purpose is not security. You will have to include this information in their credential communication.
    Option 4. Both 2 and 3.
    The most effective option would be 3.
    Good Luck!
