NPS Discarding RADIUS request from Cisco switch (802.1x)

Similar Messages

• 3com and cisco switches (802.1q)vlan integration problem - broadcast storm?

  Hi forum,
  we are using 3com switches, the 3com switches implement open vlans, which mean if an ieee 802.1q packet is received at a port and the port is not a member of that vlan, the switch does not perform vlan filtering. if the address is previously learned, it will be forwarded correctly, but if it is not, it will be flooded to all ports within that VLAN.
  my questions:
  1) if another cisco switch connected with the 3com switch are placed in the same vlan, and the 3com switch received a 802.1q packet from a rogue device, it will be flooded to all the ports(including the cisco ports) within that VLANs, will it cause a broadcast storm?
  2) how do i configure the cisco switch to filter off unknown tagged packet on a port? by using vlan prunning?
  3) how do i blocked the broadcast from the 3com switches? using broadcast suppression?
  4) is there a way on the design side to effectly counter this problem?
  Kind regards,
  paul

  It sounds like setup of your 3com switch is not quite up to your requirements. If a port is declared as tagged, it's ok to receive tagged frames for VLAN's that were not previously known on this port. However if your policy requires that only specific VLAN's are permitted on given tagged port, then you need to add some extra command on your 3com switch. Check with documentation and possibly with your 3com support partner.
  As for cisco routers, tagged ports in Cisco-speach are trunks (this might be confusing for you as 3com calls trunks what in Cisco world is known as either Etherchannel or port aggregation). By default a trunk (tagged) port allows any VLAN. If your policy requires so, you can explicitly specify which VLAN's are allowed on given trunk (tagged) port. If a frame arrives with a tag that is not on the allowed list, the frame will be discarded. So you don't need any fancy broadcast supression to block traffic from disallowed vlans coming from your 3com switch to cisco.
  P.S.: Make sure that you don't mistake 'member of VLAN' with 'native VLAN'. Some parts of your message suggest that you do.

• ISE 1.3 not receiving Radius requests from WLC 5508 ver 8.0.110.0

  Hello all. I just implemented ISE 1.3 at a customer site. added a WLC running 8.0.110.0 using its mgmt address with a RADIUS preshared key. On the WLC, I created to SSIDs, corp and guest.
  For corp I configured WPA2 and AES and forwarded Radius requests to my 2 ISE node PSN interfaces
  For the guest I configured MAC filter with advanced features AAA overide and Radius NAC - per Cisco's documents
  The corp forwards Radius requests to ISE, the guest does not. I get nothing from the guest.
  I configured the WLC step by step from the Cisco document. I have completed over 10 ISE implementations in the last year using ISE 1.2 and WLC 7.x and have never run into this issue before.
  Any help will be much appreciated.

  This issue has been resolved. The issue was that for the guest SSID MAC filtering was enabled as required, but they had the test PCs on a mac filter bypass list for that SSID in the WLC. This was automatically authenticating the PC, and therefore not forwarding the RADIUS to ISE.
  Once we removed the PC from the MAC filter list in the WLC, the authentications were forwarded to ISE as desired.

• Configuration Cisco switch 802.1x for ISE

  Hi dears,
  I configurated EAP_FAST authentication on Cisco ISE  from Cisco Video material. Now I need full 802.1X configuration in cisco switch  guide or video link.
  Please provide this.
  Thanks.

  See this link:
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_sw_cnfg.html

• Collecting information from Cisco switchs using SNMP

  Dear All,
  I have a wide network with more than 250 sites connected using the DSL. the WAN devices are under the provider responsability and the LAN devices are directly in my responsability. In each site, I have :
  1 or 2 Cisco switchs (2960 or 3560), connecting via fibr.
  or
  Linksys switch connected via ethernet cable
  and
  cisco 877 router connected to switch
  cisco 881G router conected to switch
  pc and printers
  In order to improve the availibilty of our network, we lauch every day a script from local pc to test connectivity of LAN equipements :
  ping to switchs (Vlan 1), ping to ip fa0/0 cisco router1, ip cisco router2, ping to HSRP address (of two router). the resulting ini file will be inserted in a database and exported to excel for analysing.
  I'm asking if someone can help in order to implement SNMP and let me know the name of cisco MIB to implement to :
  - to have from SNMP information, the result of show cdp nei, show interface status, show ip int brief,...
  - to have if wan router LAN interface are up,connected
  -  others usefuls informations.
  Thanks and regards,
  AA

  Hi,
  the basic SNMP config for 2960 and 3560 is:
       snmp-server community <> RO
  The configuration for SNMP traps to get alerts from the device if there is for example a failure with a fan is:
            snmp-server enable traps
            snmp-server host <> <>
  This enables all traps available with your IOS version. You can the disable not wanted traps by using the "no"-command like this.
  Example for dot1x traps:
            no snmp-server enable traps dot1x
  With a snmp client you can then do a snmpwalk (or snmp get) without a specific OID to get all the SNMP information from the device:
  On a Linux server the following command should work:
       snmpwalk -v 2c -c <> -T <>
  -v = use SNMP version 2c
  -c = use the community string you configured on the device
  -T = output in the dotted decimal format
  But be careful, this will be a lot of data output.
  Here you will find a docu for configuring SNMP on a Cisco device:
  http://www.cisco.com/en/US/docs/ios/12_2/configfun/configuration/guide/fcf014.html
  Sven

• NAP- Settings required on Cisco switches- 802.1X

  Hi All,
  We have to provide access control for users using NAP and Cisco 2960s switches.
  The request is to have only domain users authenticate to the operations vlan, non domain users will be assigned to a guest network.
  What would be the configs on the switch to allow this config to work? What will force the switch port to assign to the operations vlan when authenticated to the domain?
  Thanks much

  Hi,
  I suppsoe you are using ACS 4.x version.
  you need to config dot1x under the switchport. use the default VLAN as the guest VLAN.
  You need to configure the ACS to allow access to domain users only (by forcing MACHINE authentication with PEAP for example).
  In the NAP, you need to match the NAP selection on the NAS-IP-Address of the switch so that this NAP is only selected if this switch sends the request.
  Now, inside the NAP you have to allow only PEAP-MSCHAPv2. (you already forced machine authenticaiton with PEAP from under external DB config already as per earlier step).
  When auth works, from under the user/or group, send the attributes to assign a specific VLAN to the user.
  Otherwise, if the user auth is not successful it will be put in the default vlan which is the guest vlan.
  with ACS 5.x version, doing this is more flexible.
  HTH
  Amjad
  Rating useful replies is more useful than saying "Thank you"

• 6274: Network Policy Server discarded the request for a user

  How to reproduce this event:
  6274: Network Policy Server discarded the request for a user

  Hello,
  according to the following just use an older RADIUS client version:
  Warning: NPS discarded the request for a user
  This monitor returns the number of events when the Network Policy Server discarded the request for a user.
  Type of event: Warning. Event ID: 6274.
  This condition occurs when the NPS discards accounting requests because the structure of the accounting request message that was sent by a RADIUS client does not comply with the RADIUS protocol. You should reconfigure, upgrade, or replace the RADIUS
  client.
  Best regards
  Meinolf Weber
  MVP, MCP, MCTS
  Microsoft MVP - Directory Services
  My Blog: http://msmvps.com/blogs/mweber/
  Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

• ISE 1.2 rejects RADIUS messages from 5508 WLC

  The setup in ref is:
  WLC 5508 HA pair running 7.6 talking to ISE 1.2 patch 7 (was 6).
  Wireless users are authenticated fine, so the 5508 is a valid NAD in ISE, but...
  When I setup active RADIUS fallback, so that the WLC can poll the ISE servers I get the message:
  "The RADIUS request from a non-wireless device was dropped because the installed license is for wireless devices only"
  Why would ISE drop a RADIUS message from a WLC which is a wireless device?  Surely this is a mistake?

  Hi Nicholas,
  This is a known defect.
  CSCug34679    ISE drop keep alive coming from WLC. 
  <B>Symptom:</B>
  ISE drops keep alive authentications coming from the WLC, with message 11054 Request from a non-wireless device due to installed wireless license.
  <B>Conditions:</B>
  When only a wireless license is install on the ISE and using active keep alive on the WLC.
  <B>Workaround:</B>
  Use passive keep alive on the WLC and not active.
  Regards,
  Jatin Katyal
  *Do rate helpful posts*

• Cisco 5508-WLC using MS NPS as RADIUS Server for EAP-TLS

  Has anyone experienced a problem getting a Cisco WLC to work with MS NPS server? We've done it before albeit with differnt code versions.
  I have a Cisco 5508 WLC running 7.0.116.0 code hosting a WLAN configured for WPA2 with 802.1x for authentication.  I have two Windows NPS servers configured as the RADIUS servers for EAP-TLS authentication. Via debug info on the WLC I can see the 802.1x handshake take place with the wireless client and the WLC as well as a successful transmission of an Authentication Packet from the WLC to one of the RADIUS servers. However on the WLC I see repeated RADIUS server x.x.x.x:1812 deactivated in global list and on the NPS server I'm seeing event log errors indicating "The Network Policy Server discarded the request for a user"  along with the pertinent auth request info that I would expect the NPS server to receive from the WLC.
  Based on the WLC debug info I'm never actually getting to the EAP-TLS certificate authentication part. It seems the NPS servers don't like the format of the initial RADIUS authentication request coming from the WLC and so don't respond whcih in turn casues to WLC to switch to the other NPS server which produces the same issue.
  Any ideas of what might be the issue or misconfiguration?

  Jim,
  I wanted to know if you can setup wireshark on both of the boxes and see if your are hitting the following bug:
  http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCti91044
  It looks as if the WLC is retransmitting the client traffic from one radius session with primary over to the secondary in which the radius state attribute that was assigned from the primary server is probably hitting the secondary server. Therefore if the state attribute isnt assigned from the secondary server it will discard the packet.
  May need to open a TAC case to see if this issue is on the 550x controllers also.
  Thanks,
  Tarik

• NPS: Event 6274 - Network Policy Server discarded the request for a user

  Intermittently I will get desktop (wired) and laptop (wireless) computers experiencing issues with NPS (they drop off the network).
  Some computers are affected more than others, although they are identical hardware and based on a standard image.
  In the event log of the NPS servers I can see the following messages:
  Log Name:      Security
  Source:        Microsoft-Windows-Security-Auditing
  Date:          2/05/2014 8:47:58 a.m.
  Event ID:      6274
  Task Category: Network Policy Server
  Level:         Information
  Keywords:      Audit Failure
  User:          N/A
  Computer:      NT147.domain.local
  Description:
  Network Policy Server discarded the request for a user.Contact the Network Policy Server administrator for more information.User:
   Security ID:   NULL SID
   Account Name:   host/DPC0387.domain.local
   Account Domain:   DOMAIN
   Fully Qualified Account Name: DOMAIN\DPC0387$Client Machine:
   Security ID:   NULL SID
   Account Name:   -
   Fully Qualified Account Name: -
   OS-Version:   -
   Called Station Identifier:  3c-xx-xx-xx-xx-xx
   Calling Station Identifier:  00-xx-xx-xx-xx-xxNAS:
   NAS IPv4 Address:  10.nnn.nnn.nnn
   NAS IPv6 Address:  -
   NAS Identifier:   ND246
   NAS Port-Type:   Ethernet
   NAS Port:   71RADIUS Client:
   Client Friendly Name:  Network Device Management Subnet
   Client IP Address:   10.nnn.nnn.nnnAuthentication Details:
   Connection Request Policy Name: NAP 802.1X (Wired)
   Network Policy Name:  -
   Authentication Provider:  Windows
   Authentication Server:  NT147.domain.local
   Authentication Type:  -
   EAP Type:   -
   Account Session Identifier:  384F322E317838316564303034313030306230666632
   Reason Code:   1
   Reason:    An internal error occurred. Check the system event log for additional information.
  How do I debug when an internal error occurs but there is nothing in the system event log? Where else can I look?
  Here's the packet trace that matches the event log entry above:
  No.     Time        Source                Destination           Protocol Length Time from request Info
        1 0.000000    JuniperN_xx:xx:xx     Universa_xx:xx:xx     EAP      60                       Request, Identity
        2 2.470423    Universa_xx:xx:xx     Nearest               EAPOL    60                       Start
        3 2.472870    JuniperN_xx:xx:xx     Universa_xx:xx:xx     EAP      60                       Request, Identity
        4 2.539416    Universa_xx:xx:xx     Nearest               EAP      60                       Response, Identity
        5 2.544206    Universa_xx:xx:xx     Nearest               EAPOL    60                       Start
        6 2.548804    JuniperN_xx:xx:xx     Universa_xx:xx:xx     EAP      60                       Request, Identity
        7 2.550050    Universa_xx:xx:xx     Nearest               EAP      60                       Response, Identity
        8 2.552597    10.switch             10.NPS_Server         RADIUS   254                      Access-Request(1) (id=249, l=208)
        9 2.556043    10.NPS_Server         10.switch             RADIUS   136    0.003446000       Access-Challenge(11) (id=249, l=90)
       10 2.565876    JuniperN_xx:xx:xx     Universa_xx:xx:xx     EAP      60                       Request, Protected EAP (EAP-PEAP)
       11 2.569472    10.switch             10.NPS_Server         RADIUS   254                      Access-Request(1) (id=250, l=208)
       12 2.572566    10.NPS_Server         10.switch             RADIUS   136    0.003094000       Access-Challenge(11) (id=250, l=90)
       13 2.580254    Universa_xx:xx:xx     Nearest               TLSv1    123                      Client Hello
       14 2.586544    10.switch             10.NPS_Server         RADIUS   361                      Access-Request(1) (id=251, l=315)
       15 4.564841    Universa_xx:xx:xx     Nearest               EAPOL    60                       Start
       16 4.568530    JuniperN_xx:xx:xx     Universa_xx:xx:xx     EAP      60                       Request, Identity
       17 4.569876    Universa_xx:xx:xx     Nearest               EAP      60                       Response, Identity
       18 4.582263    10.switch             10.NPS_Server         RADIUS   254                      Access-Request(1) (id=252, l=208)
       19 4.586006    10.NPS_Server         10.switch             RADIUS   136    0.003743000       Access-Challenge(11) (id=252, l=90)
       20 4.591896    JuniperN_xx:xx:xx     Universa_xx:xx:xx     EAP      60                       Request, Protected EAP (EAP-PEAP)
       21 4.592692    Universa_xx:xx:xx     Nearest               TLSv1    123                      Client Hello
       22 4.599634    10.switch             10.NPS_Server         RADIUS   361                      Access-Request(1) (id=253, l=315)
       23 4.600887    10.NPS_Server         10.switch             IPv4     1518                     Fragmented IP protocol (proto=UDP 17, off=0, ID=07db)
       24 4.609920    JuniperN_xx:xx:xx     Universa_xx:xx:xx     TLSv1    1514                     Server Hello, Certificate, Certificate Request, Server Hello Done
       25 4.610516    Universa_xx:xx:xx     Nearest               EAP      60                       Response, Protected EAP (EAP-PEAP)
       26 4.617407    10.switch             10.NPS_Server         RADIUS   262                      Access-Request(1) (id=254, l=216)
       27 4.618352    10.NPS_Server         10.switch             RADIUS   288    0.000945000       Access-Challenge(11) (id=254, l=242)
       28 4.623650    JuniperN_xx:xx:xx     Universa_xx:xx:xx     TLSv1    176                      Server Hello, Certificate, Certificate Request, Server Hello Done
       29 4.643316    Universa_xx:xx:xx     Nearest               TLSv1    361                      Certificate, Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
       30 4.649607    10.switch             10.NPS_Server         RADIUS   601                      Access-Request(1) (id=255, l=555)
       31 4.656950    10.NPS_Server         10.switch             RADIUS   199    0.007343000       Access-Challenge(11) (id=255, l=153)
       32 4.662734    JuniperN_xx:xx:xx     Universa_xx:xx:xx     TLSv1    87                       Change Cipher Spec, Encrypted Handshake Message
       33 4.681106    Universa_xx:xx:xx     Nearest               EAP      60                       Response, Protected EAP (EAP-PEAP)
       34 4.788536    10.switch             10.NPS_Server         RADIUS   262                      Access-Request(1) (id=2, l=216)
       35 4.789735    10.NPS_Server         10.switch             RADIUS   173    0.001199000       Access-Challenge(11) (id=2, l=127)
       36 4.795723    JuniperN_xx:xx:xx     Universa_xx:xx:xx     TLSv1    61                       Application Data
       37 4.796372    Universa_xx:xx:xx     Nearest               TLSv1    93                       Application Data
       38 4.802368    10.switch             10.NPS_Server         RADIUS   331                      Access-Request(1) (id=3, l=285)
       39 4.803363    10.NPS_Server         10.switch             RADIUS   189    0.000995000       Access-Challenge(11) (id=3, l=143)
       40 4.808905    JuniperN_xx:xx:xx     Universa_xx:xx:xx     TLSv1    77                       Application Data
       41 4.809501    Universa_xx:xx:xx     Nearest               TLSv1    77                       Application Data
       42 4.817342    10.switch             10.NPS_Server         RADIUS   315                      Access-Request(1) (id=4, l=269)
       43 4.822986    10.NPS_Server         10.switch             RADIUS   189    0.005644000       Access-Challenge(11) (id=4, l=143)
       44 4.828973    JuniperN_xx:xx:xx     Universa_xx:xx:xx     TLSv1    77                       Application Data
       45 4.833318    Universa_xx:xx:xx     Nearest               TLSv1    829                      Application Data
       46 4.840610    10.switch             10.NPS_Server         RADIUS   1073                     Access-Request(1) (id=5, l=1027)
       47 4.845946    10.NPS_Server         10.switch             RADIUS   189    0.005336000       Access-Challenge(11) (id=5, l=143)
       48 4.850938    JuniperN_xx:xx:xx     Universa_xx:xx:xx     TLSv1    77                       Application Data
       49 4.907924    Universa_xx:xx:xx     Nearest               TLSv1    141                      Application Data
       50 4.913390    10.switch             10.NPS_Server         RADIUS   379                      Access-Request(1) (id=6, l=333)
       51 4.917535    10.NPS_Server         10.switch             RADIUS   221    0.004145000       Access-Challenge(11) (id=6, l=175)
       52 4.922877    JuniperN_xx:xx:xx     Universa_xx:xx:xx     TLSv1    109                      Application Data
       53 4.923472    Universa_xx:xx:xx     Nearest               TLSv1    61                       Application Data
       54 4.930319    10.switch             10.NPS_Server         RADIUS   299                      Access-Request(1) (id=7, l=253)
       55 4.937348    10.NPS_Server         10.switch             RADIUS   381    0.007029000       Access-Challenge(11) (id=7, l=335)
       56 4.942543    JuniperN_xx:xx:xx     Universa_xx:xx:xx     TLSv1    269                      Application Data
       57 4.944791    Universa_xx:xx:xx     Nearest               TLSv1    125                      Application Data
       58 4.951408    10.switch             10.NPS_Server         RADIUS   363                      Access-Request(1) (id=8, l=317)
       59 4.954022    10.NPS_Server         10.switch             RADIUS   355    0.002614000       Access-Accept(2) (id=8, l=309)
       60 4.981482    JuniperN_xx:xx:xx     Universa_xx:xx:xx     EAP      60                       Success
       61 32.590347   10.switch             10.NPS_Server         RADIUS   361                      Access-Request(1) (id=251, l=315)
       62 62.592420   10.switch             10.NPS_Server         RADIUS   361                      Access-Request(1) (id=251, l=315)
       63 92.595043   10.switch             10.NPS_Backup_Server  RADIUS   361                      Access-Request(1) (id=9, l=315)
       64 122.597856  10.switch             10.NPS_Backup_Server  RADIUS   361                      Access-Request(1) (id=9, l=315)
       65 152.600618  10.switch             10.NPS_Backup_Server  RADIUS   361                      Access-Request(1) (id=9, l=315)

  A belated thanks for your reply.
  Our environment doesn't have NPS accounting configured so that was easy to rule out.
  The mid-day drop outs have stopped after I added "set protocols dot1x authenticator no-mac-table-binding" to our Juniper switches (which prevents mac address aging from clearing the active dot1x client session).
  I believe the above error message occurs because the RADIUS session ID is rejected / ignored because of some quirks in the RADIUS standard.  At the start of a dot1x authentication request a RADIUS session ID is created.  For whatever reason the
  RADIUS/NAP server stops responding and the Juniper switch fails over to the backup RADIUS/NAP server configured.  The session ID is kept (per RADIUS standard) but the backup RADIUS/NAP server doesn't know about the session, so this event: "Network
  Policy Server discarded the request for a user." occurs.
  It would be nice to see a clearer error message "Invalid RADIUS session" or similar.
  There is a Microsoft guide on how to set up RADIUS/NAP servers in a highly available configuration - something to do with RADIUS proxy servers.
  It would be even nicer to see some kind of RADIUS session synchronisation between NAP servers... if it doesn't already exist?
  I am having the same exact issue you posted on here except I have Extreme Network switches. Some of my computers, various hardware, will randomly not authenticate during re-authentication. The switch says that it failed to contact the NPS server so then it
  switches to my backup server. The client has a random time on how long it waits to authenticate so sometimes I end up having the disable/re-enable the port they are connected to so that the session is started again. I see that you basically removed the option
  to force clients to re-authenticate Any downfall disabling that?. Any idea why the NPS server is no longer responding? Are you using Windows Server 2012?

• DACL does not get downloaded to Cisco Switch from ISE

  Hello,
  I have a cisco switch with ios: c3550-ipbasek9-mz.122-44.SE6.bin
  I am trying to push dACL fro my ISE device into the switch, but it is not getting applied to switch.   dynamic vlan assignment workds fine, but dACL doesnot apply
  Any instruction plz?

  Hi Jatin,
  ISE is properly configured for dACL,   i think there is some compatibility issue on cisco switch ios.
  following is the debug output>>
  06:36:43: dot1x-packet:Received an EAP packet on interface FastEthernet0/11
  06:36:43: EAPOL pak dump rx
  06:36:43: EAPOL Version: 0x1  type: 0x0  length: 0x0006
  06:36:43: dot1x-packet:Received an EAP packet on the FastEthernet0/11 from mac 0019.b981.e812
  06:36:43: dot1x-sm:Posting EAPOL_EAP on Client=1D68028
  06:36:43:     dot1x_auth_bend Fa0/11: during state auth_bend_request, got event 6(eapolEap)
  06:36:43: @@@ dot1x_auth_bend Fa0/11: auth_bend_request -> auth_bend_response
  06:36:43: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_response_enter called
  06:36:43: dot1x-ev:dot1x_sendRespToServer: Response sent to the server from 0019.b981.e812
  06:36:43: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_request_response_action called
  06:36:43: RADIUS/ENCODE(00000049):Orig. component type = DOT1X
  06:36:43: RADIUS(00000049): Config NAS IP: 192.168.2.250
  06:36:43: RADIUS/ENCODE(00000049): acct_session_id: 73
  06:36:43: RADIUS(00000049): sending
  06:36:43: RADIUS(00000049): Send Access-Request to 192.168.2.231:1812 id 1645/99, len 267
  06:36:43: RADIUS:  authenticator 5B 61 1D 64 D3 D5 9F AD - 23 E0 11 11 B3 C3 5C 81
  06:36:43: RADIUS:  User-Name           [1]   6   "test"
  06:36:43: RADIUS:  Service-Type        [6]   6   Framed                    [2]
  06:36:43: RADIUS:  Framed-MTU          [12]  6   1500
  06:36:43: RADIUS:  Called-Station-Id   [30]  19  "00-11-5C-6E-5E-0B"
  06:36:43: RADIUS:  Calling-Station-Id  [31]  19  "00-19-B9-81-E8-12"
  06:36:43: RADIUS:  EAP-Message         [79]  8
  06:36:43: RADIUS:   02 7A 00 06 0D 00                 [ z]
  06:36:43: RADIUS:  Message-Authenticato[80]  18
  06:36:43: RADIUS:   A6 AB 5A CA ED B8 B4 1E 36 00 9D AB 1A F6 B9 E0                [ Z6]
  06:36:43: RADIUS:  Vendor, Cisco       [26]  49
  06:36:43: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A802FA0000006F016B36D8"
  06:36:43: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
  06:36:43: RADIUS:  NAS-Port            [5]   6   50011
  06:36:43: RADIUS:  NAS-Port-Id         [87]  18  "FastEthernet0/11"
  06:36:43: RADIUS:  State               [24]  80
  06:36:43: RADIUS:   33 37 43 50 4D 53 65 73 73 69 6F 6E 49 44 3D 43  [37CPMSessionID=C]
  06:36:43: RADIUS:   30 41 38 30 32 46 41 30 30 30 30 30 30 36 46 30  [0A802FA0000006F0]
  06:36:43: RADIUS:   31 36 42 33 36 44 38 3B 33 35 53 65 73 73 69 6F  [16B36D8;35Sessio]
  06:36:43: RADIUS:   6E 49 44 3D 69 73 65 2D 73 65 72 76 65 72 2D 31  [nID=ise-server-1]
  06:36:43: RADIUS:   2F 31 37 31 30 32 35 39 38 38 2F 32 34 3B    [ /171025988/24;]
  06:36:43: RADIUS:  NAS-IP-Address      [4]   6   192.168.2.250
  06:36:43: %LINK-3-UPDOWN: Interface FastEthernet0/11, changed state to up
  06:36:43: RADIUS: Received from id 1645/99 192.168.2.231:1812, Access-Challenge, len 1134
  06:36:43: RADIUS:  authenticator 78 36 A3 38 30 1C F0 7A - 19 83 93 81 B4 6B FF 9E
  06:36:43: RADIUS:  State               [24]  80
  06:36:43: RADIUS:   33 37 43 50 4D 53 65 73 73 69 6F 6E 49 44 3D 43  [37CPMSessionID=C]
  06:36:43: RADIUS:   30 41 38 30 32 46 41 30 30 30 30 30 30 36 46 30  [0A802FA0000006F0]
  06:36:43: RADIUS:   31 36 42 33 36 44 38 3B 33 35 53 65 73 73 69 6F  [16B36D8;35Sessio]
  06:36:43: RADIUS:   6E 49 44 3D 69 73 65 2D 73 65 72 76 65 72 2D 31  [nID=ise-server-1]
  06:36:43: RADIUS:   2F 31 37 31 30 32 35 39 38 38 2F 32 34 3B    [ /171025988/24;]
  06:36:43: RADIUS:  EAP-Message         [79]  255
  06:36:43: RADIUS:   4D 5D 13 47 FC 46 16 EE 62 76 40 09 77 48 31 B6 01 6B 5E 52 33 56 A2 1E 34  [M]GFbv@wH1k^R3V4]
  06:36:43: RADIUS:   02 32 39 FA 4D CA 79 18 4A 42 A2 4E 5C BD AE 29 D2 3D D1 5A FC C2 ED 3E E5 FB C6 B8 D8 DE A8 75 EB 3A A5 7D 02 03 01 00 01 A3 81 CD 30  [29MyJBN\)=Z>u:}0]
  06:36:43: RADIUS:   81 CA 30 0B 06 03 55 1D 0F 04 04 03 02 01 86 30 0F 06 03 55 1D 13 01 01 FF 04 05 30 03 01 01 FF 30 1D 06 03 55 1D 0E 04 16 04 14 C4 56 80 A7 C9 18 50 92 EE CC 91 D4 E1 EC DB AD E7 1E 70 A8 30 79 06 03 55 1D 1F 04 72 30 70  [0U0U00UVPp0yUr0p]
  06:36:43: RADIUS:   30 6E A0 6C A0 6A 86 32 68 74 74 70 3A 2F 2F 73 79 73 6C  [0nlj2http://sysl]
  06:36:43: RADIUS:   6F 67 2D 73 65 72 76 65 72 2F 43 65 72 74 45 6E  [og-server/CertEn]
  06:36:43: RADIUS:   72 6F 6C 6C 2F 46 4D 46 42 5F 54 72 75 73 74 65  [roll/FMFB_Truste]
  06:36:43: RADIUS:   64 43 41 2E 63 72 6C 86 34 66 69 6C 65 3A 2F 2F 5C  [dCA.crl4file://\]
  06:36:43: RADIUS:   5C 73 79 73 6C 6F 67 2D 73 65 72 76 65 72 5C 43  [\syslog-server\C]
  06:36:43: RADIUS:   65 72 74 45 6E 72 6F 6C 6C 5C 46 4D 46 42 5F 54  [ertEnroll\FMFB_T]
  06:36:43: RADIUS:   72 75 73 74 65 64 43 41 2E         [ rustedCA.]
  06:36:43: RADIUS:  EAP-Message         [79]  251
  06:36:43: RADIUS:   63 72 6C 30 10 06 09 2B 06 01 04 01 82 37 15 01 04 03 02 01 00 30 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 00 03 82 01 01 00 63 BA F8 CE D5 8B 0E 94 77 AE 86 6C 37 AB 2F 36 9A B2 85 D5 4A  [crl0+70*Hcwl7/6J]
  06:36:43: RADIUS:   74 8C 33 F5 93 06 A6 57 8D 39 56 8F 02 08 97 CB C6 08 70 8C 22 1E 5D 1F A8 26 6D 60 1F 05 62 D1 24 AB 03 8C 41 F8 1C F1 F8 C2 87 8B 97 02 71 FC 6A  [t3W9Vp"]&m`b$Aqj]
  06:36:43: RADIUS:   EB 12 FC DD 8C 5C 9C 2D AF D2 C4 1C 18 1B 40 BE 78 B0 54 55 59 89 03 1B B7 FB 91 85 EE CA C0 18 1C 78 5D 4D BA FA 9E 44 D3 45 53 A3 BE 46 8A FB 81 BD F1 4C B3 3B  [\-@xTUYx]MDESFL;]
  06:36:43: RADIUS:   D6 66 7E 5B 79 9F 83 53 5E 49 92 B5 7F E5 1A E2 86 8C 83 96 7D 75 A5 1D 08 4E 32 C3 5E EC BF 28 53 EC 53 8A C3 E0 36  [f~[yS^I}uN2^(SS6]
  06:36:43: RADIUS:   82 EE AA 0D 38 3E BA 9C 1D D9 24 BD 48 A6 EE 44 BD 95 68 85 CA 8C 44 F8 E8 A2 FB 94 BC 6F 7C F2 06 91 6C A0 A6 BB 7B 7F 56 BD 15 32 A4     [ 8>$HDhDo|l{V2]
  06:36:43: RADIUS:  Message-Authenticato[80]  18
  06:36:43: RADIUS:   DD 82 F7 10 3F C7 B5 62 9B 2A BB 24 16 A7 59 33            [ ?b*$Y3]
  06:36:44: RADIUS(00000049): Received from id 1645/99
  06:36:44: RADIUS/DECODE: EAP-Message fragments, 253+253+253+249, total 1008 bytes
  06:36:44: dot1x-packet:Received an EAP request packet from EAP for mac 0019.b981.e812
  06:36:44: dot1x-sm:Posting EAP_REQ on Client=1D68028
  06:36:44:     dot1x_auth_bend Fa0/11: during state auth_bend_response, got event 7(eapReq)
  06:36:44: @@@ dot1x_auth_bend Fa0/11: auth_bend_response -> auth_bend_request
  06:36:44: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_response_exit called
  06:36:44: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_request_enter called
  06:36:44: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1  id: 0x7B length: 0x03F0 type: 0xD  data: @Cfui[ab2,Jt1){                                                                                                                              2]g&GZ1pIbu;+Ga;iF"jy#
  oohuV.aFZ4_|
  P0`At   )B
  06:36:44: dot1x-ev:FastEthernet0/11:Sending EAPOL packet to group PAE address
  06:36:44: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/11.
  06:36:44: RADIUS:  Message-Authenticato[80]  18
  06:36:44: RADIUS:   F5 B0 56 D3 C6 87 BD 10 6E C7 4A 72 5B 5C 60 C5           [ VnJr[\`]
  06:36:44: RADIUS:  Vendor, Cisco       [26]  49
  06:36:44: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A802FA0000006F016B36D8"
  06:36:44: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
  06:36:44: RADIUS:  NAS-Port            [5]   6   50011
  06:36:44: RADIUS:  NAS-Port-Id         [87]  18  "FastEthernet0/11"
  06:36:44: RADIUS:  State               [24]  80
  06:36:44: RADIUS:   33 37 43 50 4D 53 65 73 73 69 6F 6E 49 44 3D 43  [37CPMSessionID=C]
  06:36:44: RADIUS:   30 41 38 30 32 46 41 30 30 30 30 30 30 36 46 30  [0A802FA0000006F0]
  06:36:45: dot1x-ev:FastEthernet0/11:Sending EAPOL packet to group PAE address
  06:36:45: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/11.
  06:36:45: dot1x-registry:registry:dot1x_ether_macaddr called
  06:36:45: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/11
  06:36:45: EAPOL pak dump Tx
  06:36:45: EAPOL Version: 0x2  type: 0x0  length: 0x0039
  06:36:45: EAP code: 0x1  id: 0x7E length: 0x0039 type: 0xD
  06:36:45: dot1x-packet:dot1x_txReq: EAPOL packet sent to client (0019.b981.e812)
  06:36:45: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_response_request_action called
  06:36:46: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/11.
  06:36:46: dot1x-packet:dot1x_mgr_process_eapol_pak: queuing an EAPOL pkt on Authenticator Q
  06:36:46: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
  06:36:46: EAPOL pak dump rx
  06:36:46: EAPOL Version: 0x1  type: 0x0  length: 0x0006
  06:36:46: dot1x-ev:
  dot1x_auth_queue_event: Int Fa0/11 CODE= 2,TYPE= 13,LEN= 6
  06:36:46: dot1x-packet:Received an EAPOL frame on interface FastEthernet0/11
  06:36:46: dot1x-ev:Received pkt saddr =0019.b981.e812 , daddr = 0180.c200.0003,
                      pae-ether-type = 888e.0100.0006
  06:36:46: dot1x-ev:dot1x_auth_process_eapol: EAPOL flag status of the port  Fa0/11 is TRUE

• Radius Authentication Cisco Switch

  Hi,
  I have a cisco 2960 switch and currently trying to setup radius authentication. My microsoft guy does the server side we have matching keys and he says there is no problem on his side, but we still canno get it to work.
  Config on switch
  aaa new-model
  aaa authentication login default group radius local
  radius-server host 10.0.0.13 auth-port 1812
  radius-server key 0 test
  line vty 0 4
  login authentication default
  switch and radius server are on the same network. I have done a debug and confused on the output. Can anyone point me in the right direction.
  I have done a debug aaa authentication and debug radius
  AccessSwitch#
  RADIUS/ENCODE(00001586):Orig. component type = Exec
  RADIUS:  AAA Unsupported Attr: interface         [221] 4   92269176
  RADIUS/ENCODE(00001586): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
  RADIUS(00001586): Config NAS IP: 0.0.0.0
  RADIUS(00001586): Config NAS IPv6: ::
  RADIUS/ENCODE(00001586): acct_session_id: 20
  RADIUS(00001586): sending
  RADIUS/ENCODE: Best Local IP-Address 10.0.0.56 for Radius-Server 10.0.0.13
  RADIUS(00001586): Sending a IPv4 Radius Packet
  RADIUS(00001586): Send Access-Request to 10.0.0.13:1812 id 1645/18,len 77
  RADIUS:  authenticator 7C B1 A0 55 62 45 7B AF - F2 E2 48 4C C3 F0 72 98
  RADIUS:  User-Name           [1]   15  "james.hoggard"
  RADIUS:  User-Password       [2]   18  *
  RADIUS:  NAS-Port            [5]   6   2
  RADIUS:  NAS-Port-Id         [87]  6   "tty2"
  RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
  RADIUS:  NAS-IP-Address      [4]   6   10.0.0.56
  RADIUS(00001586): Started 5 sec timeout
  RADIUS: Received from id 1645/18 10.0.0.13:1812, Access-Reject, len 20
  RADIUS:  authenticator 80 CE C9 C2 D6 30 65 A9 - 07 D8 12 4C 9E 80 A9 3C
  RADIUS(00001586): Received from id 1645/18
  AAA/AUTHEN/LOGIN (00001586): Pick method list 'default'
  RADIUS/ENCODE(00001586): ask "Password: "
  RADIUS/ENCODE(00001586): send packet; GET_PASSWORD
  Thanks
  James.

  yes, PAP always use plain text and that doesn't provide any kind of security.  However, administrative session with radius doesn't support chap/mschap.we can't configure firewall/IOS devices for aministration session like telnet/ssh to authenticate users on mschapv2 authentication method.
  If you need secure communication then you may implement TACACS.
  TACACS+ and RADIUS use a shared secret key to provide encryption for communication between the client and the server. RADIUS encrypts the user's password when the client made a request to the server. This encryption prevents someone from sniffing the user's password using a packet analyzer. However other information such as username and services that is being performed can be analyzed. TACACS+ encrypts not just only the entire payload when communicating, but it also encrypts the user's password between the client and the server. This makes it more difficult to decipher information about the communication between the client and the server. TACACS+ uses MD5 hash function in its encryption and decryption algorithm.
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• Radius Dictionary file conversion from free radius/steelbelt to cisco acs

  Does anyone have a tool or have experience converting a free radius dictionary file to cisco acs radius format.

  The key is to get all of the information needed. Normally when they say it takes too long for the client to answer that is not always the exact fault.
  You may seem to get that answer if the ACS is taking a long time to process the request and the switch or client has basically timed out its requests.
  The information needed is the following
  all of these items really need to be gathered at the same time
  switch debugs including
  debug radius
  debug aaa authen
  debug aaa accounting
  sniffer capture between the switch and the ACS
  logs from ACS with debugs enabled.
  If you are going to AD on the backend you may also want a sniffer capture between the ACS and the AD
  all of these together should tell you where the delay of failure lays and then at that time some changes can be suggested

• How to view the login log in window NPS after login cisco switch and without SQL server database

  how to view the login log in window NPS after login cisco switch and without SQL server database
  in summary 
  there is only log with event id 4400
  A LDAP connection with domain controller XCPAWS20.cyberport.noc for domain NOC2 is established.

  Hi adil,
  For your issue, you can create a custom security token service (STS) and then set up a trust relationship between a SharePoint 2010 farm and the custom STS.
  For more information, you can refer to the articles:
  http://forums.asp.net/t/1335229.aspx?Sharing+Authentication+Ticket+Between+ASP+NET+and+Sharepoint
  https://msdn.microsoft.com/en-us/library/office/ff955607(v=office.14).aspx
  http://www.paraesthesia.com/archive/2011/02/01/working-with-windows-identity-foundation-in-asp-net-mvc.aspx/
  Best Regards,
  Eric
  Eric Tao
  TechNet Community Support

• Cisco switches and 802.1.x

  Hi, there !
  I have a question for you.
  Cisco all switches, is it impossible to present for 802.1x ?
  I try to put a network access server in our network to authenticate.
  Thanks.
  I will wait your answer.
  Regards.

  Most Cisco switches will handle 802.1x, but it depends on the switch and the OS. Which specific ones are you considering?
  Wes