RADIUS and Nortel (Bay Networks)

I have installed BMAS 3.8 and the RADIUS server works fine with NTRadPing. I am trying to use the RADIUS server to authenticate users to a Nortel (Bay Networks) 450. I have put a sniffer on the line and find the RADIUS server is sending an Access-Accept message, but the 450 shows access denied. The only thing I can figure is the 450 does not like the authenticator. I have tried just about all the options under Bay Networks in the RADIUS Profile, with no luck.
Has anyone got Nortel switches to authenticate thru a Novell RADIUS server?
John Curran

John,
I am interested in knowing if you found a solution to your problem? We
are currently planning on setting up Radius and we use Nortel devices. Any
information or tips you could provide would be appreciated. Thanks,
Lee Anne
> Your Nortel box is probably expecting an attribute in the access-accept
> packet that is not there. You probably just need to configure this attribute
> in your RADIUS Dial Access Profile, although it's possible that you need an
> attribute that is not yet in our dictionary.
>
> I suggest that you check your Nortel documentation to see what attributes it
> expects from the RADIUS server. If you require an attribute that is not in
> our dictionary, post the details here and I'll see that it gets added.
>
> >>> John Curran<[email protected]> 12/23/2004 10:59 AM >>>
> I have installed BMAS 3.8 and the RADIUS server works fine with NTRadPing. I
> am trying to use the RADIUS server to authenticate users to a Nortel (Bay
> Networks) 450. I have put a sniffer on the line and find the RADIUS server
> is sending an Access-Accept message, but the 450 shows access denied. The
> only thing I can figure is the 450 does not like the authenticator. I have
> tried just about all the options under Bay Networks in the RADIUS Profile,
> with no luck.
>
> Has anyone got Nortel switches to authenticate thru a Novell RADIUS server?
>
> John Curran
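
One way to tell apart the two possibilities raised in this thread (a Response Authenticator the switch rejects versus an attribute missing from the Access-Accept), as an added example that is not part of the original posts: it recomputes the RFC 2865 Response Authenticator of a captured reply and lists the attributes it carries. The packet, secret and attribute values are constructed; 32473 is the enterprise number reserved for documentation.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
VENDOR_SPECIFIC = 26


def build_response(code, ident, request_auth, attrs, secret):
    """Build a reply as a server does: MD5 over the header, the Request
    Authenticator, the attributes and the shared secret (RFC 2865, sec. 3)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs


def _declared_length(packet):
    """Validate and return the Length field of a captured packet."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("Length field does not fit the capture")
    return length


def check_response(packet, request_auth, secret):
    """True when the Response Authenticator matches this secret and the
    Request Authenticator of the Access-Request being answered."""
    packet = packet[:_declared_length(packet)]  # bytes past Length are padding
    expected = hashlib.md5(
        packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet):
    """Return [(type, vendor_id_or_None, value)] for every attribute."""
    length = _declared_length(packet)
    out, i = [], 20
    while i < length:
        if i + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % i)
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > length:
            raise ValueError("malformed attribute at offset %d" % i)
        value = packet[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 4:
            vendor = struct.unpack("!I", value[:4])[0]
            out.append((atype, vendor, value[4:]))
        else:
            out.append((atype, None, value))
        i += alen
    return out


def diagnose(packet, request_auth, secret):
    """Authenticator first; only then is the attribute list worth reading."""
    if not check_response(packet, request_auth, secret):
        return "authenticator mismatch"
    return parse_attributes(packet)


# Constructed sample: Service-Type (6) = 6 plus one Vendor-Specific attribute.
SECRET = b"constructed-secret"
REQUEST_AUTH = bytes(range(16))  # copied from the matching Access-Request
ATTRS = (bytes([6, 6]) + struct.pack("!I", 6) +
         bytes([VENDOR_SPECIFIC, 10]) + struct.pack("!I", 32473) +
         bytes([1, 4]) + b"rw")
ACCEPT = build_response(ACCESS_ACCEPT, 1, REQUEST_AUTH, ATTRS, SECRET)

if __name__ == "__main__":
    print(diagnose(ACCEPT, REQUEST_AUTH, SECRET))
    print(diagnose(ACCEPT, REQUEST_AUTH, b"secret-on-the-switch"))
```

If the authenticator verifies with the secret configured on the switch, the attribute list is what to compare against the attributes the switch documentation says it expects.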

Similar Messages

  • RADIUS and Cisco 2611 router

    Greetings. First, let me start by saying I am an idiot, I know I am an idiot, and I apologize for wasting everyone's time. I have actually RTFM, many RTFMs, in fact, and I still have not found a resolution.
    Second, I am trying to set up a RADIUS server in my test network. I have installed ClearBox RADIUS on a Windows 2000 system. I have the following configuration on my Cisco 2611 router:
    Using 2297 out of 29688 bytes
    ! Last configuration change at 17:20:27 PDT Tue May 20 2008
    ! NVRAM config last updated at 17:20:29 PDT Tue May 20 2008
    version 12.1
    no service single-slot-reload-enable
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    hostname Tester
    logging buffered 10000 debugging
    aaa new-model
    aaa group server radius RadiusServers
    server 172.26.0.2 auth-port 1812 acct-port 1813
    aaa authentication login default group RadiusServers local
    aaa authentication login localauth local
    aaa authentication ppp default if-needed group radius local
    aaa authorization exec default group radius local
    aaa authorization network default group radius local
    aaa accounting delay-start
    aaa accounting exec default start-stop group radius
    aaa accounting network default start-stop group radius
    aaa processes 6
    enable secret xxx
    username test password xxx
    clock timezone PST -8
    clock summer-time PDT recurring
    ip subnet-zero
    no ip domain-lookup
    no ip bootp server
    interface Loopback0
    ip address 192.168.0.1 255.255.255.0
    interface Ethernet0/0
    description To Main Network
    ip address X.X.X.X 255.255.255.128
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    full-duplex
    no cdp enable
    interface Ethernet0/1
    description To Internal Network
    ip address 172.26.0.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    load-interval 30
    full-duplex
    no cdp enable
    ip nat pool test X.X.X.X X.X.X.X netmask 255.255.255.128
    ip nat inside source list 3 pool test overload
    ip nat inside destination list 3 pool test
    ip classless
    ip route 0.0.0.0 0.0.0.0 X.X.X.X
    no ip http server
    ip radius source-interface Ethernet0/1
    access-list 3 permit 172.26.0.0 0.0.0.255
    no cdp run
    snmp-server community public RO 15
    radius-server host 172.26.0.2 auth-port 1812 acct-port 1813 key secret
    radius-server retransmit 3
    radius-server key secret
    line con 0
    password xxx
    logging synchronous
    line aux 0
    line vty 0 4
    access-class 10 in
    password 7 1234567890
    logging synchronous
    ntp clock-period 17208108
    ntp server 192.43.244.18
    end
    My RADIUS server is up and responding to requests, but my router does not appear to be forwarding authentication requests to it. In fact, when I log into the router using HyperTerm, it times out, and I end up authenticating locally.
    I really don't care whether my Cisco equipment authenticates against the RADIUS server, but I do need to get it set up to authenticate my users so I can track their time online. What have I missed in my router configuration? Why isn't it forwarding user authentication requests to the RADIUS server.
    Thank you for any assistance you may be able to provide.

    I have found that if I am in the middle of composing a response, and I open the thread in another browser window (to refer to it), when I go to submit my response, it doesn't get posted. Perhaps you are running into the same thing.
    The command I shared:
    aaa authentication enable default group radius local
    ... was erroneous. The keyword should have been "enable", as you have discovered.
    Therefore use:
    aaa authentication enable default group radius enable
    When I view a Wireshark trace I see the following:
    AVP: l=18 t=User-Password(2): Decrypted: "user-PWD\000\000\000\000\000\000\000\000"
    Like you, I see the user password appended with the group of \000 groupings.
    Note the word "Decrypted" which confirms that the password entered in Wireshark is a match with that entered on the AAA client (for what that's worth).
    I'm not sure if I suggested that this would confirm that the server and client were using the same shared secret. If I did, I misspoke. I think we would have to gauge the server's response to the attributes we see passed by the client.
    The Wireshark decryption is much more dramatic with TACACS+ because the whole payload is encrypted.
    My issue with your PPPoE is that I saw no "interface" on the router that is configured to perform such authentication. I do seem to recall a global authentication command with the PPP keyword perhaps. I have not attempted to do this, and am not sure whether the interfaces in your router will support this method. Perhaps someone else will weigh in with an opinion.
    However, there are other mainstream authentication methods that I think you should investigate as well.
    You could implement 802.1x on a switch so that a host has to authenticate before it can gain Layer 3 access to the LAN. Depending on the platform, you can download VLAN assignments and ACLs.
    I believe the router also supports 802.1x, but that may determine whether a host can get "through" the router. I have not had cause to investigate 802.1x on the router. I may do so in the future to authorize access to IPsec tunnels.
    The router is also likely to support Authentication Proxy. This feature intercepts a user's attempt to browse resources on the other side of the router. User specific ACLs can be downloaded to the router (from RADIUS) to control what resources a user can access.
    I think you should:
    1. Resolve the issue(s) with AAA logins on the router. It'll establish a baseline of functionality, and give you some short term joy.
    2. Investigate whether PPPoE support exists on your router's interfaces.
    3. Read up on 802.1x and Authentication Proxy (docs on Cisco web site).
    4. Decide which method appeals to you.
    5. Dive in.
    I'd lose the self-deprecation. I don't think it will serve you well. If you're treated badly, move to a newsgroup where the participants display a higher level of emotional maturity. I don't think you will have an issue on the Cisco forums. Others would probably step in.
    I'm going to be absent for several days, so if you don't receive any response, it will be for said reason.
    Good luck.
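
Why the decoded User-Password in the trace above ends in a run of \000, as an added example that is not part of the original post: RFC 2865 pads the password with NULs to a multiple of 16 octets and XORs each block with an MD5 keystream derived from the shared secret and the Request Authenticator. The secret and Request Authenticator below are constructed; `user-PWD` is the value shown in the trace.

```python
import hashlib


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, request_auth):
    """Client side of RFC 2865 section 5.2 (User-Password hiding)."""
    padded = (password + b"\x00" * (-len(password) % 16)) or b"\x00" * 16
    if len(padded) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        # Keystream block: MD5(secret + previous ciphertext block),
        # starting from the Request Authenticator.
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def unhide_password(hidden, secret, request_auth):
    """Server (or protocol analyser) side: same keystream, XORed back.
    A wrong secret raises no error; it only yields different bytes."""
    if not hidden or len(hidden) % 16 or len(hidden) > 128:
        raise ValueError("User-Password must be 16..128 octets, multiple of 16")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out


def strip_padding(plain):
    """Drop the NUL padding that the hiding step appended."""
    return plain.rstrip(b"\x00")


# Constructed values for the demonstration.
SECRET = b"constructed-secret"
REQUEST_AUTH = bytes(range(16))

if __name__ == "__main__":
    hidden = hide_password(b"user-PWD", SECRET, REQUEST_AUTH)
    # 16 hidden octets + 2 octets of type/length = the l=18 seen in the trace
    print(len(hidden) + 2)
    print(unhide_password(hidden, SECRET, REQUEST_AUTH))
    print(unhide_password(hidden, b"some-other-secret", REQUEST_AUTH))
```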

  • Authenticating against RADIUS *AND* TACACS

    G'day...
    Toys:
    Cisco Secure ACS 3.2
    Cisco 1242 Access Points
    I want to authenticate spectralink phones via LEAP (Radius Aironet) and IT staff logging onto the CLI via TACACS+, all off the same ACS Server.
    The only way I have gotten this to work is to set up TWO Network Device Groups, and add the access point in TWICE (with different unique hostnames). One authenticating RADIUS, and the other profile authenticating TACACS.
    Is this the right way to go about it? Why can't I pick two authentication methods under the one AAA Client profile?
    Cheers,
    Andrew.

    Hi,
    The AAA client hostname configured in Cisco Secure ACS is not required to match the hostname configured on a network device, you can assign any name. What is important is the IP Address to allow the device and ACS to communicate via each AAA protocol.
    If your device needs to use both TACACS+ and RADIUS to authenticate 2 different users, then your method is right. This is because a device with same name cannot use both AAA methods to authenticate users - different operation. You have to use 2 different names, but running on the same IP on both TACACS+ and RADIUS.
    I am using the same approach to authenticate remote access clients and network admin in my Access Server.
    Rgds,
    AK

  • Radius and Billing

    Dear NetPros,
    I have configured the Radius & Billing Servers on my Cisco AS5350 which is terminating VoIP Traffic as given below. The First two are Mind Billing Primary and Secondary Billing Servers. The Third one is a billing server from another vendor. I want to send CDR information to all the three billing servers simultaneously. Currently the gateway is only sending the Radius and Billing information to the first available server. Is there any way for the gateway to send radius and billing information to all these three servers simultaneously???? Would appreciate any help or suggestion in this area. Thanx
    aaa group server radius mind
    server AAA.BBB.CCC.DDD auth-port 1645 acct-port 1646
    server EEE.FFF.GGG.HHH auth-port 1645 acct-port 1646
    server III.JJJ.KKK.LLL auth-port 1812 acct-port 1813
    radius-server host AAA.BBB.CCC.DDD auth-port 1645 acct-port 1646 key 7 XXXXXXXXXXXXXXXXXXXX
    radius-server host EEE.FFF.GGG.HHH auth-port 1645 acct-port 1646 key 7 YYYYYYYYYYYYYYYYYYYY
    radius-server host III.JJJ.KKK.LLL auth-port 1812 acct-port 1813 key 7 ZZZZZZZZZZZZZZZZZZZZ
    Cheers
    Rushabh
    Senior Project Researcher
    PP-Ontime Co., Ltd.
    Cellular ~ 669-2047331
    www.pp-ontime.co.th

    The AAA "Broadcast Accounting" feature allows accounting information to be sent to multiple AAA servers at the same time; that is, accounting information can be broadcast to one or more AAA servers simultaneously. This feature allows broadcasting among "groups of servers". And each server group can define its backup servers for fail over independently of other groups.
    However, the restriction is that Accounting information can be sent simultaneously to a maximum of four AAA servers.
    For the scenario mentioned, in order to send billing info to all the 3 servers simultaneously, the aaa accounting command can be configured globally, as in:
    aaa accounting network default start-stop broadcast group mind1 group mind2 group mind3
    The individual servers in the server group 'mind' may be split across different server groups.
    aaa group server radius mind1
    server AAA.BBB.CCC.DDD auth-port 1645 acct-port 1646
    aaa group server radius mind2
    server EEE.FFF.GGG.HHH auth-port 1645 acct-port 1646
    aaa group server radius mind3
    server III.JJJ.KKK.LLL auth-port 1812 acct-port 1813
    (Backup servers within each server-group may be defined)
    Simultaneously accounting records are sent to the first server in each group. If the first server is unavailable, fail over occurs using the backup servers defined within that group.

  • Classification with  Adaptive Bayes Network - What's behind ?

    Hello,
    what's behind the Classification with an Adaptive Bayes Network?
    Neuronal Networks ?
    Thank You
    Martin Sautter

    Adaptive Bayes Network (ABN) is closer to Naive Bayes and Decision Trees than to neural networks. You can find more information on ABN in section 3.1.4 of the Oracle Data Mining Concepts Guide, 10g Release 1 (10.1), Part Number B10698-01, which is available on OTN through http://www.oracle.com/pls/db10g/portal.portal_demo3?selected=6
    Hope this helps.
    -joe yarmus

  • Updated bios via Live Update and now my Network card isn't detected

    I have an msi Z87-GD65 Gaming Motherboard and I updated some drivers and the bios via msi Live Update 6 last night and now my computer refuses to recognize my network adapter. The adapter is a TRENDnet N600, plugs into PCIe if I'm not mistaken. Wifi is my only option with this computer, I can't use ethernet, so it's really important I get the network card working again. I have had zero issues with it until this.
    The reason I was updating was to try to get my third monitor to work when plugged into the mobo, while my other two were plugged into the graphics card (which I also installed yesterday, but it's working fine). Note that it still was not working, but I had enabled the IGD Multi-Monitor from bios.
    Any suggestions would be appreciated. I did try uninstalling the drivers but it still won't detect the network card. I also tried disconnecting and reconnecting the network card (and I cleaned the port for good measure).
    I've only been using Windows computers for a year, so bear with me if there's stuff I don't know. Thanks in advance. I can try to get a full list of what was installed later tonight, but all of it that I can find has been uninstalled at this point.
    Note: I did not flash the bios when I installed, which I have now heard is a bad idea, apparently. l:

    what OS you are running?
    Quote
    Note: I did not flash the bios when I installed, which I have now heard is a bad idea, apparently. l:
    you said you've updated drivers & BIOS:
    Quote
    I updated some drivers and the bios via msi Live Update 6 last night and now my computer refuses to recognize my network adapter.
    can you clarify if you updated BIOS too or not?
    and what is your current bios version?
    Quote
    and I updated some drivers
    what kind of drivers?
    Quote
    I did try uninstalling the drivers but it still won't detect the network card. I also tried disconnecting and reconnecting the network card (and I cleaned the port for good measure).
    have you tried to load last good known configuration or the last windows restore point?
    or to reinstall OS?

  • Welcome to Solutions and Architectures Borderless Networks Community

    Welcome to the Solutions and Architectures Borderless Networks Community. We encourage everyone to share their knowledge and start conversations related to Borderless Solutions and architectures. All topics are welcome, including Switches, Routers, Security, Wireless, Cloud and System Management, WAN Optimization and solutions to solve business problems.
    Remember, just like in the workplace, be courteous to your fellow forum participants. Please refrain from using disparaging or obscene language or posting advertisements.
    Cheers,
    Dan Bruhn

    Hi,
    I have a question...
    I am going to install two Nexus 7009 with three N7K-F248XP-25 modules on each one. I am planning to create 3 VDC, but at the initial configuration the system does not show the ethernet ports of these modules, even though with show inventory and show module I can see that the modules are recognized and their status is OK. Is there something that I have to do before starting to configure these modules...? Enable some feature or license in order to see the ports with show running CLI...?

  • Can't fix - "select a certificate or enter a name and password for network"

    iMac 27 - inch, Mid 2010
    Software OS X 10.8.2 (12C60)
    I can't seem to fix this message when going online, nor have I managed to find any help with it.
    Every time my iMac 27 2010 sleeps it goes offline, then this message appears...
    "select a certificate or enter a name and password for network (whatever network I'm trying to connect to)"
    it continues with...
    "no certificate selected"
    "account name"
    "password"
    As a result I have to play around with "join other network" every time I want to join my own network.
    It was so annoying that I decided to reinstall everything from scratch, so I backed everything up to Time Machine. But I couldn't restore as I'm on Snow Leopard and don't have an original disc with me. I moved countries so the Apple store isn't round the corner any more :/ (disc would need to be shipped in)
    What's interesting is my Mac did not have this wifi connection problem when I took it to another location, only from home. But every other device does not have this problem even at home...
    Any help really appreciated

    Hi, this has worked for a few...
    Make a New Location, Using network locations in Mac OS X ...
    http://support.apple.com/kb/HT2712
    10.7 & 10.8…
    System Preferences>Network, top of window>Locations>Edit Locations, little plus icon, give it a name.
    10.5.x/10.6.x/10.7.x instructions...
    System Preferences>Network, click on the little gear at the bottom next to the + & - icons, (unlock lock first if locked), choose Set Service Order.
    The interface that connects to the Internet should be dragged to the top of the list.
    10.4 instructions...
    Is that Interface dragged to the top of Network>Show:>Network Port Configurations.
    If using Wifi/Airport...
    Instead of joining your Network from the list, click the WiFi icon at the top, and click join other network. Fill in everything as needed.
    For 10.5/10.6/10.7/10.8, System Preferences>Network, unlock the lock if need be, highlight the Interface you use to connect to Internet, click on the advanced button, click on the DNS tab, click on the little plus icon, then add these numbers...
    208.67.222.222
    208.67.220.220
    Click OK.

  • Keeps asking for Select a certificate or enter a name and password for network

    Every time I start my Mac it asks for "Select a certificate or enter a name and password for network" and when I close it and reopen it, it still asks.
    Can somebody help with what I am supposed to do?

    If you are currently showing WiFi status in the menu bar, you would see this icon:
    If you see that near the top right corner, click it and choose "Join other network" from the drop down list.
    If you do not see that icon, then go to System Preferences (under the Apple logo in the menu bar), click "Network", then choose "WiFi" and choose something (probably "Assist me" at the bottom) there.

  • Hi. I have a MacBook Pro with OS10.6.8 and cannot get net pages to load on my network at home. I can connect to the internet in work and on other networks. However, some other networks are now starting to fail. Can anyone suggest how I can fix it??

    Hi. I have a MacBook Pro with OS10.6.8 and cannot get internet pages to load on my WiFi network at home. My iMac, iPhone and iPad all work on this network. It is connected to the net as Dropbox registers a connection and so does Skype. I can connect to the WiFi in work and on other networks when travelling. However, some other networks are now starting to fail. Can anyone suggest how I can fix it, as the MBP appears to be fine, it's updated with all the latest versions of software and the WiFi network is also fine....just not with my MBP??


  • HT4352 I installed iTunes on PC Windows 7 and on same network of Apple TV and entered same Apple ID but I don't see computer on Apple TV

    I installed iTunes on PC Windows 7 and on same network of Apple TV and entered same Apple ID but I don't see computer on Apple TV

    I did that and I have the device appearing in my Apple ID on the computer but Apple TV doesn't see the computer, I don't know why

  • Photosmart premium all in one and wireless G network

    Is the new photosmart premium with built-in Ethernet, WiFi 802.11n backward compatible on b/g wireless network?  Will it connect wirelessly to my Linksys WiFi 802.11g network?
    Thanks!

    Yes, 802.11n devices, including our two new Photosmart Premium All-In-One printers, are compatible with 802.11g wireless networks.
    A bit of background: the 802.11n standard that was just recently ratified mandates compatibility with 802.11g and 802.11b networks and devices. You can even mix devices on the same network. For example, you can set up an 802.11n network and connect both 802.11n and 802.11g devices and have the 802.11n devices run at 802.11n speeds.
    You could also connect 802.11b devices to your 802.11n network though from a performance point of view, that isn't recommended. The presence of any 802.11b devices in the vicinity of 802.11g or 802.11n networks degrades those networks.
    Regards / Jim B / Wireless Enthusiasts
    ( While I'm an embedded wireless systems engineer at work, on this forum I do not represent my former employer, Hewlett-Packard, or my current employer, Microsoft )

  • I set up a new router and the windows machines have no problem with connectivity.  I go through the MacBook Pro's airport assistant and view my network and then enter the WPA2 password.  I get back a message saying the password is incorrect when it is

    I set up a new router and the windows machines connect fine.  My MacBook Pro does not.  I go through the airport assistant and see the network yet when I enter the router WPA password I get a message back saying that the password is incorrect.  And, it isn't!  Very frustrating.  What can I do as I had the same problem after I tried to reinstall my last router.  Again, only on the Mac.  Thanks!

    If you kept the same Base Station name and network name, that can confuse Keychain Access. Either change the Base Station and network name, or open Keychain Access Utility and delete any reference to your Base Station and network name. Make sure you delete from the Login and System keychains.

  • IPHONE 5: can't receive calls & random error messages, such as "could not activate cellular data network" and "no connection - network unavailable, please connect to wifi or cellular network."  This occurs even when signal strength or wifi is operational.

    IPHONE 5:  can't receive calls and random error messages, such as "could not activate cellular data network" and "no connection - network unavailable, please connect to wifi or cellular network."  This occurs even when signal strength or wifi is operational, and it does not matter whether wifi is on or off.  ATT went through the standard protocol - resetting network, resetting sim card, etc.  No changes.  Other phones working fine in same region with same carrier.  Apple's solution is to restore software, but haven't gone there yet.  Anyone successfully addressed this/these issues?   

    I should point out that it worked when the iPhone was set back to factory settings, but when restored with the backup, data/internet no longer works again, and I get the "Could not activate cellular data network" error message yet again.

  • Windows 7 hangs and switches off network access

    We are running a Windows 7 Ultimate 32-bit operating system as our server.
    About on 30 minute intervals the computer hangs and switches off network access.
    If the computer is in this state and you try and access it from another computer nothing happens.
    While in this state you can see the desktop indicating that it's not in sleep mode.
    The problem is rectified by clicking the mouse on the computer.
    It has not gone into a sleep mode as everything on the power options is set to never.
    Please help?
    Regards,
    Andries Malherbe
    Vizier Systems

    About on 30 minute intervals the computer hangs and switches off network access.
    If the computer is in this state and you try and access it from another computer nothing happens.
    Could you please share more information about "switches off network access" with us? I don't quite understand this situation.
    Please also check the event viewer to collect related information about this issue when you re-use the Windows 7.
    Meanwhile, Please update the driver for network adapter or reinstall for a test.
    Regards
    Yolanda
    TechNet Community Support
