NPS Discarding RADIUS request from Cisco switch (802.1x)
For the last few weeks I've been busy getting the following to work:
- Cisco 2960 switch as the supplicant
- Another Cisco 2960 as the authenticator switch
- The supplicant is only able to send MS-EAP MS-ChapV2 requests
- The NPS server is Windows 2008 R2 (and also tested on 2012 R2)
Cisco calls this "NEAT"; it does seem to work with Cisco ISE (http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116681-config-neat-cise-00.html)
but I'd like to get it to work with Windows NPS.
Within NPS I've set up the following Connection Request Policy:
- NAS Port Type: Ethernet
I'm using the following Network Policy:
- User Group: DOMAIN\Switches (the user account used by the switch is part of this group)
- NAS Port Type: Ethernet
- Authentication Type: EAP
Now the request sent by the switch is discarded. The actual error is the following (irrelevant information excluded):
User:
Account Name: Rotterdam-Switch-8-1
Account Domain: DOMAIN
Authentication Details:
Connection Request Policy Name: Secure Wired Connections
Network Policy Name: Switches Allowed
Authentication Provider: Windows
Authentication Server: SERVER.DOMAIN.local
Authentication Type: EAP
EAP Type: -
Account Session Identifier: -
Reason Code: 1
Reason: An internal error occurred. Check the system event log for additional information.
Wireshark on the NPS server shows:
1. The RADIUS Access-Request (1) being received by the NPS Server
2. The NPS Server sending out a RADIUS Access-Challenge (11) to the authenticator switch
3. Another RADIUS Access-Request (1) is being received by the NPS Server
Packet 2 has a t=EAP-Message(79) with type MS-EAP-Authentication [Palekar](26), MS-CHAPv2-ID set to 2 and OpCode 1 (Challenge)
Packet 3 has a t=EAP-Message(79) with type MS-EAP-Authentication [Palekar](26), MS-CHAPv2-ID set to 2 and OpCode 2 (Response)
I've also tried the following:
- I've also tested with an invalid username/password. The request is correctly denied
- I've also tested by adding ALL EAP types as a condition to the Network Policy. The request isn't picked up by this policy anymore.
Any help would be greatly appreciated, of course.
Kind regards,
Peter
It only took, like... uhm... forever, but there's an answer, which is "OK-ish".
Cisco 2960 switches support EAP-MSCHAP, but it seems that NPS only supports EAP-MSCHAP for VPN connections and not for wired/wireless authentication. Something to do with inner and outer methods, and NPS requiring PEAP as an outer method for wired/wireless authentication.
End result is that both the Cisco switches and NPS do support EAP-MD5. Though it's definitely not as secure (at all), it's definitely a step in the right direction and it's something that we'll be implementing.
Now, it seems that NPS doesn't support EAP-MD5 (which is supposedly deprecated), but it's possible to re-enable it using the following articles.
http://support.microsoft.com/kb/922574/en-us
Microsoft mentioned to me that "Though this article says it applies to Windows Vista only, it does apply to Server 2008 R2 as well. Also I would suggest you the following link:
http://support.microsoft.com/kb/981190"
Please note that you'll have to enable 'Store password using reversible encryption' on the accounts that will be used for NEAT authentication.
Although I would have hoped EAP-MSCHAPv2 would work, I feel I do need to clarify that I understand Microsoft's point of view on this as well. They feel EAP methods without PEAP are simply not safe, which is understandable, especially for EAP-MD5, which could be sniffed using a hub/repeater/etc.
Kind regards,
Peter
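The thread above reads the EAP method off the EAP-Message attribute in Wireshark (type 26 = MS-EAP-Authentication, MS-CHAPv2 OpCode and ID). The following is an added example, not code from the post or from Microsoft or Cisco: a small Python parser that walks the RADIUS attribute list, reassembles EAP-Message fragments in order (RFC 3579 section 3.1, at most 253 payload bytes per attribute) and reports the EAP code, method type and, for EAP-MSCHAPv2, the OpCode and MS-CHAPv2-ID. The two packets it is fed are constructed by hand to resemble packet 3 of the post and the fragmented 253+253+253+249-byte challenge seen later on this page; the MS-CHAPv2 and TLS payloads are filler, the State value is made up, and no Message-Authenticator check is done.

```python
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 3579)
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTR_USER_NAME, ATTR_STATE, ATTR_EAP_MESSAGE = 1, 24, 79
EAP_FRAGMENT = 253  # 255-byte attribute maximum minus the 2-byte Type/Length header

# EAP codes and method types (RFC 3748; method numbers from the IANA EAP registry)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP",
             26: "MS-EAP-Authentication (EAP-MSCHAPv2)"}
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}


def parse_radius(packet):
    """Split a RADIUS packet into (code, identifier, authenticator, [(type, value), ...])."""
    if len(packet) < 20:
        raise ValueError("short RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS Length field does not match the packet")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs


def reassemble_eap(attrs):
    """EAP-Message fragments are concatenated in the order they appear in the packet."""
    return b"".join(value for atype, value in attrs if atype == ATTR_EAP_MESSAGE)


def describe_eap(eap):
    """Decode the EAP header and, for type 26, the MS-CHAPv2 OpCode and MS-CHAPv2-ID."""
    if len(eap) < 4:
        raise ValueError("short EAP packet")
    code, ident, length = struct.unpack("!BBH", eap[:4])
    if length > len(eap):
        raise ValueError("EAP Length exceeds the reassembled data (missing fragment?)")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "type": None}
    if code in (1, 2) and length >= 5:          # only Request/Response carry a Type byte
        etype = eap[4]
        info["type"] = EAP_TYPES.get(etype, etype)
        if etype == 26 and length >= 9:         # OpCode, MS-CHAPv2-ID, MS-Length follow the Type
            info["mschapv2_opcode"] = MSCHAPV2_OPCODES.get(eap[5], eap[5])
            info["mschapv2_id"] = eap[6]
    return info


def summarize(packet):
    """One line per packet, in the spirit of the Wireshark summary quoted in the post."""
    code, ident, _, attrs = parse_radius(packet)
    info = describe_eap(reassemble_eap(attrs))
    frags = sum(1 for atype, _ in attrs if atype == ATTR_EAP_MESSAGE)
    line = f"{RADIUS_CODES.get(code, code)} id={ident}: EAP-{info['code']} type={info['type']} ({frags} EAP-Message fragment(s))"
    if "mschapv2_opcode" in info:
        line += f", MS-CHAPv2 OpCode {info['mschapv2_opcode']}, MS-CHAPv2-ID {info['mschapv2_id']}"
    return line


# --- constructed sample packets (not captures from the thread) ---------------
def build_radius(code, ident, authenticator, attrs):
    body = b"".join(bytes([atype, 2 + len(value)]) + value for atype, value in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def eap_fragments(eap):
    return [(ATTR_EAP_MESSAGE, eap[i:i + EAP_FRAGMENT]) for i in range(0, len(eap), EAP_FRAGMENT)]


def sample_access_request():
    """EAP-Response, type 26, OpCode 2 (Response), MS-CHAPv2-ID 2; Response field is zero filler."""
    data = b"\x31" + b"\x00" * 49 + b"Rotterdam-Switch-8-1"   # Value-Size, Response, Name
    ms_len = 4 + len(data)
    eap = struct.pack("!BBHBBBH", 2, 2, 5 + ms_len, 26, 2, 2, ms_len) + data
    attrs = [(ATTR_USER_NAME, b"Rotterdam-Switch-8-1"), (ATTR_STATE, b"constructed-state")]
    return build_radius(1, 7, b"\x11" * 16, attrs + eap_fragments(eap))


def sample_fragmented_challenge():
    """EAP-Request, type 13 (EAP-TLS), 1008 bytes split 253+253+253+249; TLS bytes are filler."""
    eap = struct.pack("!BBHBB", 1, 0x7B, 1008, 13, 0x00) + b"\x00" * 1002
    return build_radius(11, 7, b"\x22" * 16, [(ATTR_STATE, b"constructed-state")] + eap_fragments(eap))


if __name__ == "__main__":
    print(summarize(sample_access_request()))
    print(summarize(sample_fragmented_challenge()))
```

Feeding a real capture into parse_radius is the quickest way to confirm what method the supplicant is actually offering before touching the NPS policy; a type byte of 26 outside any PEAP (type 25) tunnel is exactly the "inner method without an outer method" situation the answer describes. Keep in mind that EAP-MD5 (type 4) authenticates only the client, provides no server authentication and derives no keying material, so it offers nothing beyond what the answer already concedes about sniffing.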
Similar Messages
-
3Com and Cisco switches (802.1Q) VLAN integration problem - broadcast storm?
Hi forum,
we are using 3Com switches. The 3Com switches implement open VLANs, which means that if an IEEE 802.1Q packet is received at a port and the port is not a member of that VLAN, the switch does not perform VLAN filtering. If the address was previously learned, it will be forwarded correctly, but if it is not, it will be flooded to all ports within that VLAN.
my questions:
1) if another Cisco switch connected to the 3Com switch is placed in the same VLAN, and the 3Com switch receives an 802.1Q packet from a rogue device, it will be flooded to all the ports (including the Cisco ports) within that VLAN; will it cause a broadcast storm?
2) how do I configure the Cisco switch to filter out unknown tagged packets on a port? By using VLAN pruning?
3) how do I block the broadcasts from the 3Com switches? Using broadcast suppression?
4) is there a way on the design side to effectively counter this problem?
Kind regards,
paul
It sounds like the setup of your 3Com switch is not quite up to your requirements. If a port is declared as tagged, it's OK to receive tagged frames for VLANs that were not previously known on this port. However, if your policy requires that only specific VLANs are permitted on a given tagged port, then you need to add some extra commands on your 3Com switch. Check with the documentation and possibly with your 3Com support partner.
As for Cisco routers, tagged ports in Cisco-speak are trunks (this might be confusing for you, as 3Com calls "trunks" what in the Cisco world is known as either EtherChannel or port aggregation). By default a trunk (tagged) port allows any VLAN. If your policy requires so, you can explicitly specify which VLANs are allowed on a given trunk (tagged) port. If a frame arrives with a tag that is not on the allowed list, the frame will be discarded. So you don't need any fancy broadcast suppression to block traffic from disallowed VLANs coming from your 3Com switch to Cisco.
P.S.: Make sure that you don't confuse 'member of VLAN' with 'native VLAN'. Some parts of your message suggest that you do. -
ISE 1.3 not receiving RADIUS requests from WLC 5508 ver 8.0.110.0
Hello all. I just implemented ISE 1.3 at a customer site and added a WLC running 8.0.110.0 using its management address with a RADIUS pre-shared key. On the WLC, I created two SSIDs, corp and guest.
For corp I configured WPA2 and AES and forwarded RADIUS requests to my two ISE node PSN interfaces.
For the guest I configured MAC filter with the advanced features AAA override and RADIUS NAC - per Cisco's documents.
The corp forwards RADIUS requests to ISE, the guest does not. I get nothing from the guest.
I configured the WLC step by step from the Cisco document. I have completed over 10 ISE implementations in the last year using ISE 1.2 and WLC 7.x and have never run into this issue before.
Any help will be much appreciated.
This issue has been resolved. The issue was that for the guest SSID MAC filtering was enabled as required, but they had the test PCs on a MAC filter bypass list for that SSID in the WLC. This was automatically authenticating the PCs, and therefore not forwarding the RADIUS to ISE.
Once we removed the PCs from the MAC filter list in the WLC, the authentications were forwarded to ISE as desired. -
Configuration Cisco switch 802.1x for ISE
Hi dears,
I configured EAP-FAST authentication on Cisco ISE from Cisco video material. Now I need a full 802.1X configuration guide or video link for the Cisco switch.
Please provide this.
Thanks.
See this link:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_sw_cnfg.html -
Collecting information from Cisco switches using SNMP
Dear All,
I have a wide network with more than 250 sites connected using DSL. The WAN devices are under the provider's responsibility and the LAN devices are directly my responsibility. In each site, I have:
1 or 2 Cisco switches (2960 or 3560), connected via fiber
or
Linksys switch connected via Ethernet cable
and
Cisco 877 router connected to switch
Cisco 881G router connected to switch
PCs and printers
In order to improve the availability of our network, we launch every day a script from a local PC to test connectivity of LAN equipment:
ping to switches (VLAN 1), ping to IP fa0/0 of Cisco router 1, IP of Cisco router 2, ping to HSRP address (of the two routers). The resulting INI file will be inserted in a database and exported to Excel for analysing.
I'm asking if someone can help in order to implement SNMP and let me know the name of the Cisco MIBs to implement to:
- have from SNMP information the result of show cdp nei, show interface status, show ip int brief, ...
- know if the WAN router LAN interfaces are up/connected
- get other useful information.
Thanks and regards,
AA
Hi,
the basic SNMP config for 2960 and 3560 is:
snmp-server community <> RO
The configuration for SNMP traps to get alerts from the device if there is for example a failure with a fan is:
snmp-server enable traps
snmp-server host <> <>
This enables all traps available with your IOS version. You can then disable unwanted traps by using the "no" form of the command, like this.
Example for dot1x traps:
no snmp-server enable traps dot1x
With an SNMP client you can then do an snmpwalk (or SNMP get) without a specific OID to get all the SNMP information from the device:
On a Linux server the following command should work:
snmpwalk -v 2c -c <> -T <>
-v = use SNMP version 2c
-c = use the community string you configured on the device
-T = output in the dotted decimal format
But be careful, this will be a lot of data output.
Here you will find documentation for configuring SNMP on a Cisco device:
http://www.cisco.com/en/US/docs/ios/12_2/configfun/configuration/guide/fcf014.html
Sven -
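The question asks for "show interface status"-style data and whether the router-facing LAN interfaces are up. As an added example (not part of the thread), the Python below takes the numeric-OID output that net-snmp's snmpwalk produces with `-On` for the standard IF-MIB columns ifDescr (.1.3.6.1.2.1.2.2.1.2), ifAdminStatus (.7) and ifOperStatus (.8), joins them per ifIndex and flags links that are administratively up but operationally down, which is the "not connected" case the poster wants to catch. The walk output embedded in the block is constructed by hand to look like that of a 2960; the interface names and states are made up.

```python
import re
from collections import defaultdict

# IF-MIB interface-table columns (RFC 2863), as numeric OIDs the way `snmpwalk -On` prints them
IF_MIB_COLUMNS = {
    ".1.3.6.1.2.1.2.2.1.2": "ifDescr",
    ".1.3.6.1.2.1.2.2.1.7": "ifAdminStatus",
    ".1.3.6.1.2.1.2.2.1.8": "ifOperStatus",
}
STATUS_NAMES = {1: "up", 2: "down", 3: "testing", 4: "unknown", 5: "dormant",
                6: "notPresent", 7: "lowerLayerDown"}

# One varbind per line: <column oid>.<ifIndex> = <TYPE>: <value>
LINE_RE = re.compile(r"^(?P<oid>\.[\d.]+?)\.(?P<index>\d+) = (?P<type>[A-Za-z0-9-]+): (?P<value>.*)$")


def parse_walk(text):
    """Return {ifIndex: {column: value}} for the IF-MIB columns above; other OIDs are ignored."""
    table = defaultdict(dict)
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        column = IF_MIB_COLUMNS.get(match.group("oid"))
        if column is None:
            continue
        value = match.group("value")
        if match.group("type") == "INTEGER":
            number = re.search(r"\d+", value)      # accepts both "up(1)" and bare "1"
            if number is None:
                continue
            value = int(number.group())
        else:
            value = value.strip().strip('"')
        table[int(match.group("index"))][column] = value
    return dict(table)


def interface_status(table):
    """Rows of (ifDescr, admin, oper, state) sorted by ifIndex, modelled on 'show interface status'."""
    rows = []
    for index in sorted(table):
        row = table[index]
        if not {"ifDescr", "ifAdminStatus", "ifOperStatus"} <= row.keys():
            continue                                # incomplete walk for this interface
        admin = STATUS_NAMES.get(row["ifAdminStatus"], str(row["ifAdminStatus"]))
        oper = STATUS_NAMES.get(row["ifOperStatus"], str(row["ifOperStatus"]))
        if row["ifAdminStatus"] != 1:
            state = "disabled"
        elif row["ifOperStatus"] == 1:
            state = "connected"
        else:
            state = "notconnect"                    # admin up but no link: the case to alert on
        rows.append((row["ifDescr"], admin, oper, state))
    return rows


def not_connected(table):
    """Names of interfaces that should be up but are not."""
    return [name for name, _, _, state in interface_status(table) if state == "notconnect"]


# Constructed sample of `snmpwalk -v 2c -c <community> -On <switch> .1.3.6.1.2.1.2.2.1` output
SAMPLE_WALK = """\
.1.3.6.1.2.1.2.2.1.2.1 = STRING: Vlan1
.1.3.6.1.2.1.2.2.1.2.10101 = STRING: GigabitEthernet0/1
.1.3.6.1.2.1.2.2.1.2.10102 = STRING: GigabitEthernet0/2
.1.3.6.1.2.1.2.2.1.2.10103 = STRING: GigabitEthernet0/3
.1.3.6.1.2.1.2.2.1.7.1 = INTEGER: up(1)
.1.3.6.1.2.1.2.2.1.7.10101 = INTEGER: up(1)
.1.3.6.1.2.1.2.2.1.7.10102 = INTEGER: up(1)
.1.3.6.1.2.1.2.2.1.7.10103 = INTEGER: down(2)
.1.3.6.1.2.1.2.2.1.8.1 = INTEGER: 1
.1.3.6.1.2.1.2.2.1.8.10101 = INTEGER: 1
.1.3.6.1.2.1.2.2.1.8.10102 = INTEGER: 2
.1.3.6.1.2.1.2.2.1.8.10103 = INTEGER: 2
"""

if __name__ == "__main__":
    table = parse_walk(SAMPLE_WALK)
    for name, admin, oper, state in interface_status(table):
        print(f"{name:22} admin={admin:5} oper={oper:5} {state}")
    print("not connected:", not_connected(table))
```

Walking only the three columns instead of the whole device keeps the output manageable, which is the answer's own warning. A caveat for the collector itself: with `snmp-server community <> RO` and version 2c the community string crosses the network in clear text with every poll, so treat it as a credential and restrict which hosts may use it.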
NAP- Settings required on Cisco switches- 802.1X
Hi All,
We have to provide access control for users using NAP and Cisco 2960s switches.
The request is to have only domain users authenticate to the operations vlan, non domain users will be assigned to a guest network.
What would be the configs on the switch to allow this config to work? What will force the switch port to assign to the operations vlan when authenticated to the domain?
Thanks much
Hi,
I suppose you are using ACS 4.x version.
You need to configure dot1x under the switch port. Use the default VLAN as the guest VLAN.
You need to configure the ACS to allow access to domain users only (by forcing MACHINE authentication with PEAP, for example).
In the NAP, you need to match the NAP selection on the NAS-IP-Address of the switch so that this NAP is only selected if this switch sends the request.
Now, inside the NAP you have to allow only PEAP-MSCHAPv2. (You already forced machine authentication with PEAP from under the external DB config as per the earlier step.)
When auth works, from under the user or group, send the attributes to assign a specific VLAN to the user.
Otherwise, if the user auth is not successful it will be put in the default VLAN, which is the guest VLAN.
With ACS 5.x version, doing this is more flexible.
HTH
Amjad
Rating useful replies is more useful than saying "Thank you" -
6274: Network Policy Server discarded the request for a user
How to reproduce this event:
6274: Network Policy Server discarded the request for a user
Hello,
according to the following, just use an older RADIUS client version:
Warning: NPS discarded the request for a user
This monitor returns the number of events when the Network Policy Server discarded the request for a user.
Type of event: Warning. Event ID: 6274.
This condition occurs when the NPS discards accounting requests because the structure of the accounting request message that was sent by a RADIUS client does not comply with the RADIUS protocol. You should reconfigure, upgrade, or replace the RADIUS client.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights. -
ISE 1.2 rejects RADIUS messages from 5508 WLC
The setup in ref is:
WLC 5508 HA pair running 7.6 talking to ISE 1.2 patch 7 (was 6).
Wireless users are authenticated fine, so the 5508 is a valid NAD in ISE, but...
When I setup active RADIUS fallback, so that the WLC can poll the ISE servers I get the message:
"The RADIUS request from a non-wireless device was dropped because the installed license is for wireless devices only"
Why would ISE drop a RADIUS message from a WLC, which is a wireless device? Surely this is a mistake?
Hi Nicholas,
This is a known defect.
CSCug34679 ISE drop keep alive coming from WLC.
Symptom:
ISE drops keep-alive authentications coming from the WLC, with message 11054 Request from a non-wireless device due to installed wireless license.
Conditions:
When only a wireless license is installed on the ISE and using active keep-alive on the WLC.
Workaround:
Use passive keep alive on the WLC and not active.
Regards,
Jatin Katyal
*Do rate helpful posts* -
Cisco 5508-WLC using MS NPS as RADIUS Server for EAP-TLS
Has anyone experienced a problem getting a Cisco WLC to work with MS NPS server? We've done it before, albeit with different code versions.
I have a Cisco 5508 WLC running 7.0.116.0 code hosting a WLAN configured for WPA2 with 802.1x for authentication. I have two Windows NPS servers configured as the RADIUS servers for EAP-TLS authentication. Via debug info on the WLC I can see the 802.1x handshake take place with the wireless client and the WLC as well as a successful transmission of an Authentication Packet from the WLC to one of the RADIUS servers. However on the WLC I see repeated "RADIUS server x.x.x.x:1812 deactivated in global list" and on the NPS server I'm seeing event log errors indicating "The Network Policy Server discarded the request for a user" along with the pertinent auth request info that I would expect the NPS server to receive from the WLC.
Based on the WLC debug info I'm never actually getting to the EAP-TLS certificate authentication part. It seems the NPS servers don't like the format of the initial RADIUS authentication request coming from the WLC and so don't respond, which in turn causes the WLC to switch to the other NPS server, which produces the same issue.
Any ideas of what might be the issue or misconfiguration?
Jim,
I wanted to know if you can set up Wireshark on both of the boxes and see if you are hitting the following bug:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCti91044
It looks as if the WLC is retransmitting the client traffic from one RADIUS session with the primary over to the secondary, in which case the RADIUS State attribute that was assigned by the primary server is probably hitting the secondary server. Therefore, if the State attribute wasn't assigned by the secondary server, it will discard the packet.
May need to open a TAC case to see if this issue is on the 550x controllers also.
Thanks,
Tarik -
NPS: Event 6274 - Network Policy Server discarded the request for a user
Intermittently I will get desktop (wired) and laptop (wireless) computers experiencing issues with NPS (they drop off the network).
Some computers are affected more than others, although they are identical hardware and based on a standard image.
In the event log of the NPS servers I can see the following messages:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2/05/2014 8:47:58 a.m.
Event ID: 6274
Task Category: Network Policy Server
Level: Information
Keywords: Audit Failure
User: N/A
Computer: NT147.domain.local
Description:
Network Policy Server discarded the request for a user. Contact the Network Policy Server administrator for more information.
User:
Security ID: NULL SID
Account Name: host/DPC0387.domain.local
Account Domain: DOMAIN
Fully Qualified Account Name: DOMAIN\DPC0387$
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 3c-xx-xx-xx-xx-xx
Calling Station Identifier: 00-xx-xx-xx-xx-xx
NAS:
NAS IPv4 Address: 10.nnn.nnn.nnn
NAS IPv6 Address: -
NAS Identifier: ND246
NAS Port-Type: Ethernet
NAS Port: 71
RADIUS Client:
Client Friendly Name: Network Device Management Subnet
Client IP Address: 10.nnn.nnn.nnn
Authentication Details:
Connection Request Policy Name: NAP 802.1X (Wired)
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: NT147.domain.local
Authentication Type: -
EAP Type: -
Account Session Identifier: 384F322E317838316564303034313030306230666632
Reason Code: 1
Reason: An internal error occurred. Check the system event log for additional information.
How do I debug when an internal error occurs but there is nothing in the system event log? Where else can I look?
Here's the packet trace that matches the event log entry above:
No. Time Source Destination Protocol Length Time from request Info
1 0.000000 JuniperN_xx:xx:xx Universa_xx:xx:xx EAP 60 Request, Identity
2 2.470423 Universa_xx:xx:xx Nearest EAPOL 60 Start
3 2.472870 JuniperN_xx:xx:xx Universa_xx:xx:xx EAP 60 Request, Identity
4 2.539416 Universa_xx:xx:xx Nearest EAP 60 Response, Identity
5 2.544206 Universa_xx:xx:xx Nearest EAPOL 60 Start
6 2.548804 JuniperN_xx:xx:xx Universa_xx:xx:xx EAP 60 Request, Identity
7 2.550050 Universa_xx:xx:xx Nearest EAP 60 Response, Identity
8 2.552597 10.switch 10.NPS_Server RADIUS 254 Access-Request(1) (id=249, l=208)
9 2.556043 10.NPS_Server 10.switch RADIUS 136 0.003446000 Access-Challenge(11) (id=249, l=90)
10 2.565876 JuniperN_xx:xx:xx Universa_xx:xx:xx EAP 60 Request, Protected EAP (EAP-PEAP)
11 2.569472 10.switch 10.NPS_Server RADIUS 254 Access-Request(1) (id=250, l=208)
12 2.572566 10.NPS_Server 10.switch RADIUS 136 0.003094000 Access-Challenge(11) (id=250, l=90)
13 2.580254 Universa_xx:xx:xx Nearest TLSv1 123 Client Hello
14 2.586544 10.switch 10.NPS_Server RADIUS 361 Access-Request(1) (id=251, l=315)
15 4.564841 Universa_xx:xx:xx Nearest EAPOL 60 Start
16 4.568530 JuniperN_xx:xx:xx Universa_xx:xx:xx EAP 60 Request, Identity
17 4.569876 Universa_xx:xx:xx Nearest EAP 60 Response, Identity
18 4.582263 10.switch 10.NPS_Server RADIUS 254 Access-Request(1) (id=252, l=208)
19 4.586006 10.NPS_Server 10.switch RADIUS 136 0.003743000 Access-Challenge(11) (id=252, l=90)
20 4.591896 JuniperN_xx:xx:xx Universa_xx:xx:xx EAP 60 Request, Protected EAP (EAP-PEAP)
21 4.592692 Universa_xx:xx:xx Nearest TLSv1 123 Client Hello
22 4.599634 10.switch 10.NPS_Server RADIUS 361 Access-Request(1) (id=253, l=315)
23 4.600887 10.NPS_Server 10.switch IPv4 1518 Fragmented IP protocol (proto=UDP 17, off=0, ID=07db)
24 4.609920 JuniperN_xx:xx:xx Universa_xx:xx:xx TLSv1 1514 Server Hello, Certificate, Certificate Request, Server Hello Done
25 4.610516 Universa_xx:xx:xx Nearest EAP 60 Response, Protected EAP (EAP-PEAP)
26 4.617407 10.switch 10.NPS_Server RADIUS 262 Access-Request(1) (id=254, l=216)
27 4.618352 10.NPS_Server 10.switch RADIUS 288 0.000945000 Access-Challenge(11) (id=254, l=242)
28 4.623650 JuniperN_xx:xx:xx Universa_xx:xx:xx TLSv1 176 Server Hello, Certificate, Certificate Request, Server Hello Done
29 4.643316 Universa_xx:xx:xx Nearest TLSv1 361 Certificate, Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
30 4.649607 10.switch 10.NPS_Server RADIUS 601 Access-Request(1) (id=255, l=555)
31 4.656950 10.NPS_Server 10.switch RADIUS 199 0.007343000 Access-Challenge(11) (id=255, l=153)
32 4.662734 JuniperN_xx:xx:xx Universa_xx:xx:xx TLSv1 87 Change Cipher Spec, Encrypted Handshake Message
33 4.681106 Universa_xx:xx:xx Nearest EAP 60 Response, Protected EAP (EAP-PEAP)
34 4.788536 10.switch 10.NPS_Server RADIUS 262 Access-Request(1) (id=2, l=216)
35 4.789735 10.NPS_Server 10.switch RADIUS 173 0.001199000 Access-Challenge(11) (id=2, l=127)
36 4.795723 JuniperN_xx:xx:xx Universa_xx:xx:xx TLSv1 61 Application Data
37 4.796372 Universa_xx:xx:xx Nearest TLSv1 93 Application Data
38 4.802368 10.switch 10.NPS_Server RADIUS 331 Access-Request(1) (id=3, l=285)
39 4.803363 10.NPS_Server 10.switch RADIUS 189 0.000995000 Access-Challenge(11) (id=3, l=143)
40 4.808905 JuniperN_xx:xx:xx Universa_xx:xx:xx TLSv1 77 Application Data
41 4.809501 Universa_xx:xx:xx Nearest TLSv1 77 Application Data
42 4.817342 10.switch 10.NPS_Server RADIUS 315 Access-Request(1) (id=4, l=269)
43 4.822986 10.NPS_Server 10.switch RADIUS 189 0.005644000 Access-Challenge(11) (id=4, l=143)
44 4.828973 JuniperN_xx:xx:xx Universa_xx:xx:xx TLSv1 77 Application Data
45 4.833318 Universa_xx:xx:xx Nearest TLSv1 829 Application Data
46 4.840610 10.switch 10.NPS_Server RADIUS 1073 Access-Request(1) (id=5, l=1027)
47 4.845946 10.NPS_Server 10.switch RADIUS 189 0.005336000 Access-Challenge(11) (id=5, l=143)
48 4.850938 JuniperN_xx:xx:xx Universa_xx:xx:xx TLSv1 77 Application Data
49 4.907924 Universa_xx:xx:xx Nearest TLSv1 141 Application Data
50 4.913390 10.switch 10.NPS_Server RADIUS 379 Access-Request(1) (id=6, l=333)
51 4.917535 10.NPS_Server 10.switch RADIUS 221 0.004145000 Access-Challenge(11) (id=6, l=175)
52 4.922877 JuniperN_xx:xx:xx Universa_xx:xx:xx TLSv1 109 Application Data
53 4.923472 Universa_xx:xx:xx Nearest TLSv1 61 Application Data
54 4.930319 10.switch 10.NPS_Server RADIUS 299 Access-Request(1) (id=7, l=253)
55 4.937348 10.NPS_Server 10.switch RADIUS 381 0.007029000 Access-Challenge(11) (id=7, l=335)
56 4.942543 JuniperN_xx:xx:xx Universa_xx:xx:xx TLSv1 269 Application Data
57 4.944791 Universa_xx:xx:xx Nearest TLSv1 125 Application Data
58 4.951408 10.switch 10.NPS_Server RADIUS 363 Access-Request(1) (id=8, l=317)
59 4.954022 10.NPS_Server 10.switch RADIUS 355 0.002614000 Access-Accept(2) (id=8, l=309)
60 4.981482 JuniperN_xx:xx:xx Universa_xx:xx:xx EAP 60 Success
61 32.590347 10.switch 10.NPS_Server RADIUS 361 Access-Request(1) (id=251, l=315)
62 62.592420 10.switch 10.NPS_Server RADIUS 361 Access-Request(1) (id=251, l=315)
63 92.595043 10.switch 10.NPS_Backup_Server RADIUS 361 Access-Request(1) (id=9, l=315)
64 122.597856 10.switch 10.NPS_Backup_Server RADIUS 361 Access-Request(1) (id=9, l=315)
65 152.600618 10.switch 10.NPS_Backup_Server RADIUS 361 Access-Request(1) (id=9, l=315)
A belated thanks for your reply.
Our environment doesn't have NPS accounting configured so that was easy to rule out.
The mid-day drop outs have stopped after I added "set protocols dot1x authenticator no-mac-table-binding" to our Juniper switches (which prevents mac address aging from clearing the active dot1x client session).
I believe the above error message occurs because the RADIUS session ID is rejected/ignored because of some quirks in the RADIUS standard. At the start of a dot1x authentication request a RADIUS session ID is created. For whatever reason the RADIUS/NAP server stops responding and the Juniper switch fails over to the backup RADIUS/NAP server configured. The session ID is kept (per the RADIUS standard) but the backup RADIUS/NAP server doesn't know about the session, so this event, "Network Policy Server discarded the request for a user.", occurs.
It would be nice to see a clearer error message "Invalid RADIUS session" or similar.
There is a Microsoft guide on how to set up RADIUS/NAP servers in a highly available configuration - something to do with RADIUS proxy servers.
It would be even nicer to see some kind of RADIUS session synchronisation between NAP servers... if it doesn't already exist?
I am having the exact same issue you posted here, except I have Extreme Networks switches. Some of my computers, various hardware, will randomly not authenticate during re-authentication. The switch says that it failed to contact the NPS server, so then it switches to my backup server. The client has a random time on how long it waits to authenticate, so sometimes I end up having to disable/re-enable the port they are connected to so that the session is started again. I see that you basically removed the option to force clients to re-authenticate. Any downside to disabling that? Any idea why the NPS server is no longer responding? Are you using Windows Server 2012? -
DACL does not get downloaded to Cisco Switch from ISE
Hello,
I have a cisco switch with ios: c3550-ipbasek9-mz.122-44.SE6.bin
I am trying to push a dACL from my ISE device to the switch, but it is not getting applied on the switch. Dynamic VLAN assignment works fine, but the dACL does not apply.
Any instructions please?
Hi Jatin,
ISE is properly configured for dACL; I think there is some compatibility issue with the Cisco switch IOS.
Following is the debug output:
06:36:43: dot1x-packet:Received an EAP packet on interface FastEthernet0/11
06:36:43: EAPOL pak dump rx
06:36:43: EAPOL Version: 0x1 type: 0x0 length: 0x0006
06:36:43: dot1x-packet:Received an EAP packet on the FastEthernet0/11 from mac 0019.b981.e812
06:36:43: dot1x-sm:Posting EAPOL_EAP on Client=1D68028
06:36:43: dot1x_auth_bend Fa0/11: during state auth_bend_request, got event 6(eapolEap)
06:36:43: @@@ dot1x_auth_bend Fa0/11: auth_bend_request -> auth_bend_response
06:36:43: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_response_enter called
06:36:43: dot1x-ev:dot1x_sendRespToServer: Response sent to the server from 0019.b981.e812
06:36:43: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_request_response_action called
06:36:43: RADIUS/ENCODE(00000049):Orig. component type = DOT1X
06:36:43: RADIUS(00000049): Config NAS IP: 192.168.2.250
06:36:43: RADIUS/ENCODE(00000049): acct_session_id: 73
06:36:43: RADIUS(00000049): sending
06:36:43: RADIUS(00000049): Send Access-Request to 192.168.2.231:1812 id 1645/99, len 267
06:36:43: RADIUS: authenticator 5B 61 1D 64 D3 D5 9F AD - 23 E0 11 11 B3 C3 5C 81
06:36:43: RADIUS: User-Name [1] 6 "test"
06:36:43: RADIUS: Service-Type [6] 6 Framed [2]
06:36:43: RADIUS: Framed-MTU [12] 6 1500
06:36:43: RADIUS: Called-Station-Id [30] 19 "00-11-5C-6E-5E-0B"
06:36:43: RADIUS: Calling-Station-Id [31] 19 "00-19-B9-81-E8-12"
06:36:43: RADIUS: EAP-Message [79] 8
06:36:43: RADIUS: 02 7A 00 06 0D 00 [ z]
06:36:43: RADIUS: Message-Authenticato[80] 18
06:36:43: RADIUS: A6 AB 5A CA ED B8 B4 1E 36 00 9D AB 1A F6 B9 E0 [ Z6]
06:36:43: RADIUS: Vendor, Cisco [26] 49
06:36:43: RADIUS: Cisco AVpair [1] 43 "audit-session-id=C0A802FA0000006F016B36D8"
06:36:43: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
06:36:43: RADIUS: NAS-Port [5] 6 50011
06:36:43: RADIUS: NAS-Port-Id [87] 18 "FastEthernet0/11"
06:36:43: RADIUS: State [24] 80
06:36:43: RADIUS: 33 37 43 50 4D 53 65 73 73 69 6F 6E 49 44 3D 43 [37CPMSessionID=C]
06:36:43: RADIUS: 30 41 38 30 32 46 41 30 30 30 30 30 30 36 46 30 [0A802FA0000006F0]
06:36:43: RADIUS: 31 36 42 33 36 44 38 3B 33 35 53 65 73 73 69 6F [16B36D8;35Sessio]
06:36:43: RADIUS: 6E 49 44 3D 69 73 65 2D 73 65 72 76 65 72 2D 31 [nID=ise-server-1]
06:36:43: RADIUS: 2F 31 37 31 30 32 35 39 38 38 2F 32 34 3B [ /171025988/24;]
06:36:43: RADIUS: NAS-IP-Address [4] 6 192.168.2.250
06:36:43: %LINK-3-UPDOWN: Interface FastEthernet0/11, changed state to up
06:36:43: RADIUS: Received from id 1645/99 192.168.2.231:1812, Access-Challenge, len 1134
06:36:43: RADIUS: authenticator 78 36 A3 38 30 1C F0 7A - 19 83 93 81 B4 6B FF 9E
06:36:43: RADIUS: State [24] 80
06:36:43: RADIUS: 33 37 43 50 4D 53 65 73 73 69 6F 6E 49 44 3D 43 [37CPMSessionID=C]
06:36:43: RADIUS: 30 41 38 30 32 46 41 30 30 30 30 30 30 36 46 30 [0A802FA0000006F0]
06:36:43: RADIUS: 31 36 42 33 36 44 38 3B 33 35 53 65 73 73 69 6F [16B36D8;35Sessio]
06:36:43: RADIUS: 6E 49 44 3D 69 73 65 2D 73 65 72 76 65 72 2D 31 [nID=ise-server-1]
06:36:43: RADIUS: 2F 31 37 31 30 32 35 39 38 38 2F 32 34 3B [ /171025988/24;]
06:36:43: RADIUS: EAP-Message [79] 255
06:36:43: RADIUS: 4D 5D 13 47 FC 46 16 EE 62 76 40 09 77 48 31 B6 01 6B 5E 52 33 56 A2 1E 34 [M]GFbv@wH1k^R3V4]
06:36:43: RADIUS: 02 32 39 FA 4D CA 79 18 4A 42 A2 4E 5C BD AE 29 D2 3D D1 5A FC C2 ED 3E E5 FB C6 B8 D8 DE A8 75 EB 3A A5 7D 02 03 01 00 01 A3 81 CD 30 [29MyJBN\)=Z>u:}0]
06:36:43: RADIUS: 81 CA 30 0B 06 03 55 1D 0F 04 04 03 02 01 86 30 0F 06 03 55 1D 13 01 01 FF 04 05 30 03 01 01 FF 30 1D 06 03 55 1D 0E 04 16 04 14 C4 56 80 A7 C9 18 50 92 EE CC 91 D4 E1 EC DB AD E7 1E 70 A8 30 79 06 03 55 1D 1F 04 72 30 70 [0U0U00UVPp0yUr0p]
06:36:43: RADIUS: 30 6E A0 6C A0 6A 86 32 68 74 74 70 3A 2F 2F 73 79 73 6C [0nlj2http://sysl]
06:36:43: RADIUS: 6F 67 2D 73 65 72 76 65 72 2F 43 65 72 74 45 6E [og-server/CertEn]
06:36:43: RADIUS: 72 6F 6C 6C 2F 46 4D 46 42 5F 54 72 75 73 74 65 [roll/FMFB_Truste]
06:36:43: RADIUS: 64 43 41 2E 63 72 6C 86 34 66 69 6C 65 3A 2F 2F 5C [dCA.crl4file://\]
06:36:43: RADIUS: 5C 73 79 73 6C 6F 67 2D 73 65 72 76 65 72 5C 43 [\syslog-server\C]
06:36:43: RADIUS: 65 72 74 45 6E 72 6F 6C 6C 5C 46 4D 46 42 5F 54 [ertEnroll\FMFB_T]
06:36:43: RADIUS: 72 75 73 74 65 64 43 41 2E [ rustedCA.]
06:36:43: RADIUS: EAP-Message [79] 251
06:36:43: RADIUS: 63 72 6C 30 10 06 09 2B 06 01 04 01 82 37 15 01 04 03 02 01 00 30 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 00 03 82 01 01 00 63 BA F8 CE D5 8B 0E 94 77 AE 86 6C 37 AB 2F 36 9A B2 85 D5 4A [crl0+70*Hcwl7/6J]
06:36:43: RADIUS: 74 8C 33 F5 93 06 A6 57 8D 39 56 8F 02 08 97 CB C6 08 70 8C 22 1E 5D 1F A8 26 6D 60 1F 05 62 D1 24 AB 03 8C 41 F8 1C F1 F8 C2 87 8B 97 02 71 FC 6A [t3W9Vp"]&m`b$Aqj]
06:36:43: RADIUS: EB 12 FC DD 8C 5C 9C 2D AF D2 C4 1C 18 1B 40 BE 78 B0 54 55 59 89 03 1B B7 FB 91 85 EE CA C0 18 1C 78 5D 4D BA FA 9E 44 D3 45 53 A3 BE 46 8A FB 81 BD F1 4C B3 3B [\-@xTUYx]MDESFL;]
06:36:43: RADIUS: D6 66 7E 5B 79 9F 83 53 5E 49 92 B5 7F E5 1A E2 86 8C 83 96 7D 75 A5 1D 08 4E 32 C3 5E EC BF 28 53 EC 53 8A C3 E0 36 [f~[yS^I}uN2^(SS6]
06:36:43: RADIUS: 82 EE AA 0D 38 3E BA 9C 1D D9 24 BD 48 A6 EE 44 BD 95 68 85 CA 8C 44 F8 E8 A2 FB 94 BC 6F 7C F2 06 91 6C A0 A6 BB 7B 7F 56 BD 15 32 A4 [ 8>$HDhDo|l{V2]
06:36:43: RADIUS: Message-Authenticato[80] 18
06:36:43: RADIUS: DD 82 F7 10 3F C7 B5 62 9B 2A BB 24 16 A7 59 33 [ ?b*$Y3]
06:36:44: RADIUS(00000049): Received from id 1645/99
06:36:44: RADIUS/DECODE: EAP-Message fragments, 253+253+253+249, total 1008 bytes
06:36:44: dot1x-packet:Received an EAP request packet from EAP for mac 0019.b981.e812
06:36:44: dot1x-sm:Posting EAP_REQ on Client=1D68028
06:36:44: dot1x_auth_bend Fa0/11: during state auth_bend_response, got event 7(eapReq)
06:36:44: @@@ dot1x_auth_bend Fa0/11: auth_bend_response -> auth_bend_request
06:36:44: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_response_exit called
06:36:44: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_request_enter called
06:36:44: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1 id: 0x7B length: 0x03F0 type: 0xD data: @Cfui[ab2,Jt1){ 2]g&GZ1pIbu;+Ga;iF"jy#
oohuV.aFZ4_|
P0`At )B
06:36:44: dot1x-ev:FastEthernet0/11:Sending EAPOL packet to group PAE address
06:36:44: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/11.
06:36:44: RADIUS: Message-Authenticato[80] 18
06:36:44: RADIUS: F5 B0 56 D3 C6 87 BD 10 6E C7 4A 72 5B 5C 60 C5 [ VnJr[\`]
06:36:44: RADIUS: Vendor, Cisco [26] 49
06:36:44: RADIUS: Cisco AVpair [1] 43 "audit-session-id=C0A802FA0000006F016B36D8"
06:36:44: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
06:36:44: RADIUS: NAS-Port [5] 6 50011
06:36:44: RADIUS: NAS-Port-Id [87] 18 "FastEthernet0/11"
06:36:44: RADIUS: State [24] 80
06:36:44: RADIUS: 33 37 43 50 4D 53 65 73 73 69 6F 6E 49 44 3D 43 [37CPMSessionID=C]
06:36:44: RADIUS: 30 41 38 30 32 46 41 30 30 30 30 30 30 36 46 30 [0A802FA0000006F0]
06:36:45: dot1x-ev:FastEthernet0/11:Sending EAPOL packet to group PAE address
06:36:45: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/11.
06:36:45: dot1x-registry:registry:dot1x_ether_macaddr called
06:36:45: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/11
06:36:45: EAPOL pak dump Tx
06:36:45: EAPOL Version: 0x2 type: 0x0 length: 0x0039
06:36:45: EAP code: 0x1 id: 0x7E length: 0x0039 type: 0xD
06:36:45: dot1x-packet:dot1x_txReq: EAPOL packet sent to client (0019.b981.e812)
06:36:45: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_response_request_action called
06:36:46: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/11.
06:36:46: dot1x-packet:dot1x_mgr_process_eapol_pak: queuing an EAPOL pkt on Authenticator Q
06:36:46: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
06:36:46: EAPOL pak dump rx
06:36:46: EAPOL Version: 0x1 type: 0x0 length: 0x0006
06:36:46: dot1x-ev:
dot1x_auth_queue_event: Int Fa0/11 CODE= 2,TYPE= 13,LEN= 6
06:36:46: dot1x-packet:Received an EAPOL frame on interface FastEthernet0/11
06:36:46: dot1x-ev:Received pkt saddr =0019.b981.e812 , daddr = 0180.c200.0003,
pae-ether-type = 888e.0100.0006
06:36:46: dot1x-ev:dot1x_auth_process_eapol: EAPOL flag status of the port Fa0/11 is TRUE

Radius Authentication Cisco Switch
Hi,
I have a Cisco 2960 switch and am currently trying to set up RADIUS authentication. My Microsoft guy does the server side; we have matching keys and he says there is no problem on his side, but we still cannot get it to work.
Config on switch
aaa new-model
aaa authentication login default group radius local
radius-server host 10.0.0.13 auth-port 1812
radius-server key 0 test
line vty 0 4
login authentication default
The switch and the RADIUS server are on the same network. I have done a debug and am confused by the output. Can anyone point me in the right direction?
I have done a debug aaa authentication and debug radius:
AccessSwitch#
RADIUS/ENCODE(00001586):Orig. component type = Exec
RADIUS: AAA Unsupported Attr: interface [221] 4 92269176
RADIUS/ENCODE(00001586): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
RADIUS(00001586): Config NAS IP: 0.0.0.0
RADIUS(00001586): Config NAS IPv6: ::
RADIUS/ENCODE(00001586): acct_session_id: 20
RADIUS(00001586): sending
RADIUS/ENCODE: Best Local IP-Address 10.0.0.56 for Radius-Server 10.0.0.13
RADIUS(00001586): Sending a IPv4 Radius Packet
RADIUS(00001586): Send Access-Request to 10.0.0.13:1812 id 1645/18,len 77
RADIUS: authenticator 7C B1 A0 55 62 45 7B AF - F2 E2 48 4C C3 F0 72 98
RADIUS: User-Name [1] 15 "james.hoggard"
RADIUS: User-Password [2] 18 *
RADIUS: NAS-Port [5] 6 2
RADIUS: NAS-Port-Id [87] 6 "tty2"
RADIUS: NAS-Port-Type [61] 6 Virtual [5]
RADIUS: NAS-IP-Address [4] 6 10.0.0.56
RADIUS(00001586): Started 5 sec timeout
RADIUS: Received from id 1645/18 10.0.0.13:1812, Access-Reject, len 20
RADIUS: authenticator 80 CE C9 C2 D6 30 65 A9 - 07 D8 12 4C 9E 80 A9 3C
RADIUS(00001586): Received from id 1645/18
AAA/AUTHEN/LOGIN (00001586): Pick method list 'default'
RADIUS/ENCODE(00001586): ask "Password: "
RADIUS/ENCODE(00001586): send packet; GET_PASSWORD
Thanks
James.

Yes, PAP always uses plain text and that doesn't provide any kind of security. However, administrative sessions with RADIUS don't support CHAP/MSCHAP. We can't configure firewall/IOS devices for administration sessions like telnet/ssh to authenticate users with the MSCHAPv2 authentication method.
If you need secure communication then you may implement TACACS.
TACACS+ and RADIUS use a shared secret key to provide encryption for communication between the client and the server. RADIUS encrypts the user's password when the client makes a request to the server. This encryption prevents someone from sniffing the user's password using a packet analyzer. However, other information such as the username and the services being performed can be analyzed. TACACS+ encrypts not only the entire payload when communicating, but also the user's password between the client and the server. This makes it more difficult to decipher information about the communication between the client and the server. TACACS+ uses the MD5 hash function in its encryption and decryption algorithm.
~BR
Jatin Katyal
**Do rate helpful posts**
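Added illustration of the point in the reply above (example code, not from the thread or from Cisco): under RFC 2865 only the User-Password attribute is hidden, by XORing it with MD5(secret + Request Authenticator), while User-Name and the rest of the Access-Request travel in the clear; the same shared secret is what lets the switch verify the Response Authenticator on a reply such as the 20-byte Access-Reject in the debug above. The secret "test" is the one from the switch config quoted earlier; the user name, password and Request Authenticator are constructed placeholders.

```python
import hashlib
import struct

ACCESS_REQUEST, ACCESS_REJECT = 1, 3
SHARED_SECRET = b"test"          # the key from the switch config quoted above
REQ_AUTH = bytes(range(16))      # constructed Request Authenticator (real ones are random)

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous
    # ciphertext block); the first block is keyed with the Request Authenticator.
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    # Inverse of hide_password: the shared secret plus the captured request is all
    # that is needed, which is why the RADIUS secret itself must be protected.
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(attr_type: int, value: bytes) -> bytes:
    # Type (1 byte) + Length (1 byte, header included) + Value, as in the debug dump.
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    # Code + Identifier + Length (20-byte header included) + Authenticator + attributes.
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code: int, ident: int, attrs: bytes, req_auth: bytes, secret: bytes) -> bytes:
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def reply_is_authentic(reply: bytes, req_auth: bytes, secret: bytes) -> bool:
    # The NAS recomputes the Response Authenticator; a mismatch means the reply was
    # forged, or the switch and the server hold different shared secrets.
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, reply[20:length], req_auth, secret)
    return reply[4:20] == expected
```

Build an Access-Request with `attr(1, name) + attr(2, hide_password(...))` and check the server's reply with `reply_is_authentic`; a bare Access-Reject like the one in the debug is 20 bytes and still carries a verifiable authenticator.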
Radius Dictionary file conversion from free radius/steelbelt to cisco acs
Does anyone have a tool or experience converting a FreeRADIUS dictionary file to the Cisco ACS RADIUS format?
The key is to get all of the information needed. Normally, when they say it takes too long for the client to answer, that is not always the exact fault.
You may get that answer if the ACS is taking a long time to process the request and the switch or client has basically timed out its requests.
The information needed is the following (all of these items really need to be gathered at the same time):
switch debugs including
debug radius
debug aaa authen
debug aaa accounting
sniffer capture between the switch and the ACS
logs from ACS with debugs enabled
If you are going to AD on the backend you may also want a sniffer capture between the ACS and the AD.
All of these together should tell you where the delay or failure lies, and then some changes can be suggested.
How to view the login log in window NPS after login cisco switch and without SQL server database
In summary, there is only a log with event ID 4400:
A LDAP connection with domain controller XCPAWS20.cyberport.noc for domain NOC2 is established.

Hi adil,
For your issue, you can create a custom security token service (STS) and then set up a trust relationship between a SharePoint 2010 farm and the custom STS.
For more information, you can refer to the articles:
http://forums.asp.net/t/1335229.aspx?Sharing+Authentication+Ticket+Between+ASP+NET+and+Sharepoint
https://msdn.microsoft.com/en-us/library/office/ff955607(v=office.14).aspx
http://www.paraesthesia.com/archive/2011/02/01/working-with-windows-identity-foundation-in-asp-net-mvc.aspx/
Best Regards,
Eric
Eric Tao
TechNet Community Support
Cisco switches and 802.1.x
Hi, there !
I have a question for you.
Is it impossible for all Cisco switches to support 802.1x?
I am trying to put a network access server in our network to authenticate.
Thanks.
I will wait for your answer.
Regards.

Most Cisco switches will handle 802.1x, but it depends on the switch and the OS. Which specific ones are you considering?
Wes