1100 with Local Radius Server problems Atheros Client

Similar Messages

• Problems w/config AP1200 - WPA Enterprise/Local RADIUS Server

  I have been attempting to reconfigure a AP1200 in our lab environment from using static WEP keys to WPA/TKIP. I can make the solution work with WPA-PSK, but not enterprise. I believe I have everything configured correctly but cannot "validate identity" on the client. Below are the details to my configuration.
  SSID: labssid (Open authentication with EAP)
  Cipher: TKIP
  Key management: Mandatory (WPA)
  I have a Cisco ACS server but am attempting to get this running intially using the local RADIUS server on the Access Point. I have a user defined locally called "test" with a password of "test".
  I am using an IBM ThinkPad T43 with the built-in wireless (Intel PRO/Wireless 2915ABG NIC) for testing. I have the "Use Windows to configure my wireless network settings" checked so I am using the inherant Windows configuration screens. However, I have also attempted to use the IBM NIC configuration utility and receive the same failures. I have the client device configured as follows:
  1. Network authentication: WPA
  2. Data encryption: TKIP
  3. Authentication: Protected EAP (PEAP) (only option other than smartcard, cert.)
  3a. (PROPERTIES) - AuthMethod: Secured Password (EAP-MSCHAP v2)
  4. Authenticate as computer whe computer information is avail (UNCHECKED)
  5. Authenticate as guest when user or computer is unavailable (UNCHECKED)
  When I attempt to provide my test/test credientials the Access Point logs the following:
  Station 0016.6f77.9ccd Authentication failed
  When I look at the Local RADIUS server stats, for each authentication failure the following stat is recorded:
  "Unknown EAP Type"
  If I try to authenticate 5 times, there will be 5 Unknown EAP Type stats logged.
  What am I missing?

  I didn't realize the local RADIUS couldn't do PEAP. That makes sense now, as in testing I decided to point the AP at my ACS server and was able to authenticate. I'm having an issue authenticating at times because it seems the AP looses it's connection TO the ACS server. The Access Point logs the following:
  1. Station 0016.6f77.9ccd Authentication failed
  2. RADIUS server 192.168.102.82:1645,1646 has returned.
  3. RADIUS server 192.168.102.82:1645,1646 is not responding.
  The "not responding" and "returned" logs are recorded at the exact same time period. In my most recent case, it was "Aug 31 18:19:36.981". Both have that time stamp. It's as if the AP looses some heartbeat to the RADIUS server and doesn't check to see if it's alive until a certain interval. When I'm not able to authenticate, if I log into the ACS and manually "restart" the services through the GUI, I authenticate right away. I'm thinking this is an ACS issue not an AP issue, but am wondering if anyone else has ever noticed this behavior.

• EAP-FAST on Local Radius Server : Can't Get It Working

  Hi all
  I'm using an 877w router (flash:c870-advsecurityk9-mz.124-24.T4.bin) as local radius server and have followed various config guides on CCO. LEAP works fine but I just can't get EAP-FAST to work.
  I'm testing with win7 client using anyconnect secure mobility client, and also a mac book pro but without luck.
  the router sees unknown auth type, and when I run some debugs it talks of unknown eap type 3
  sh radius local-server s
  Successes              : 1           Unknown usernames      : 0        
  Client blocks          : 0           Invalid passwords      : 0        
  Unknown NAS            : 0           Invalid packet from NAS: 17      
  NAS : 172.27.44.1
  Successes              : 1           Unknown usernames      : 0        
  Client blocks          : 0           Invalid passwords      : 0        
  Corrupted packet       : 0           Unknown RADIUS message : 0        
  No username attribute  : 0           Missing auth attribute : 0        
  Shared key mismatch    : 0           Invalid state attribute: 0        
  Unknown EAP message    : 0           Unknown EAP auth type  : 17       
  Auto provision success : 0           Auto provision failure : 0        
  PAC refresh            : 0           Invalid PAC received   : 0       
  Can anyone suggest what I might be doing wrong?
  Regs, Tim

  Thanks Nicolas, relevant snippets from config:
  aaa new-model
  aaa group server radius rad_eap
  server 172.27.44.1 auth-port 1812 acct-port 1813
  aaa authentication login eap_methods group rad_eap
  aaa authorization exec default local
  aaa session-id common
  dot11 ssid home
  vlan 3
  authentication open eap eap_methods
  authentication network-eap eap_methods
  authentication key-management wpa
  ip dhcp pool home
     import all
     network 192.168.1.0 255.255.255.0
     default-router 192.168.1.1
     dns-server 194.74.65.68 194.74.65.69
  ip inspect name ethernetin tcp
  ip inspect name ethernetin udp
  ip inspect name ethernetin pop3
  ip inspect name ethernetin ssh
  ip inspect name ethernetin dns
  ip inspect name ethernetin ftp
  ip inspect name ethernetin tftp
  ip inspect name ethernetin smtp
  ip inspect name ethernetin icmp
  ip inspect name ethernetin telnet
  interface Dot11Radio0
  no ip address
  encryption vlan 1 mode ciphers aes-ccm tkip
  encryption vlan 2 mode ciphers aes-ccm tkip
  encryption vlan 3 mode ciphers aes-ccm tkip
  broadcast-key vlan 1 change 30
  broadcast-key vlan 2 change 30
  broadcast-key vlan 3 change 30
  ssid home
  speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
  station-role root
  interface Dot11Radio0.3
  encapsulation dot1Q 3
  no cdp enable
  bridge-group 3
  bridge-group 3 subscriber-loop-control
  bridge-group 3 spanning-disabled
  bridge-group 3 block-unknown-source
  no bridge-group 3 source-learning
  no bridge-group 3 unicast-flooding
  interface Vlan3
  no ip address
  bridge-group 3
  interface BVI3
  ip address 192.168.1.1 255.255.255.0
  ip inspect ethernetin in
  ip nat inside
  ip virtual-reassembly
  radius-server local
  no authentication mac
  nas 172.27.44.1 key 0 123456
  user test1 nthash 0 B151E8FF684B4F376C018E632A247D84
  user test2 nthash 0 F2EEAE1D895645B819C9FD217D0CA1F9
  user test3 nthash 0 0CB6948805F797BF2A82807973B89537
  radius-server host 172.27.44.1 auth-port 1812 acct-port 1813 key 123456
  radius-server vsa send accounting

• EAP-FAST with local radius on 1242AG

  I'm trying to get EAP-FAST working using the local radius server on a 1242AG autonomous AP using the latest firmware from Cisco. The cypher I'm using is CCMP. LEAP works fine with all my clients, however if I move to EAP-FAST in the radius config my clients fail to authenticate
  I know I need to set PAC to automatic somewhere, but the EAP-FAST configuration in the 1242AG GUI doesn't make this clear what to do.
  Any help or a basic example you be great.
  thanks,
  Simon

  I think this is what you're looking for;
  Local EAP Authentication on the Wireless LAN Controller with EAP-FAST and LDAP Server Configuration Example
  http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml
  HTH
  Regards,
  Jatin
  Do rate helpful posts~

• Local radius server : one username for several devices ?

  I've just installed a AP 1231g as a local radius server and I've got two devices that are authenticated by the AP with the same username/password .
  is not there a problem?

  Hi,
  Problem ?? no there is no issues. You are using a single user name to access network devices.
  Regards,
  ~JG
  Please rate if helps

• Exchange Server 2013 with a RADIUS server (freeRADIUS).

  Hello,
  I am a student and doing an internship. I have to test Microsoft Exchange Server 2013.
  I am using Windows Server 2012, I already installed Exchange Server 2013 on it and everything works as intended.
  But I couldn't find out how to configure my Windows Server 2012 in order to authenticate my mailbox users from Exchange Server 2013 with a RADIUS server which is not on my Windows Server 2012. I have to use their RADIUS server (freeRADIUS), the RADIUS server
  from the company where I am doing my internship.
  I already created a NPS and added the RADIUS Client + Remote
  RADIUS Server Groups. I created a Connection Request Policies with the condition:
  User Name *
  I forwarded the Connection Request to the
  Remote RADIUS server that I created in Remote RADIUS Server Groups and then I registered the NPS in th AD. But it's still not working. 
  Maybe I did something wrong or I misunderstood something or does this even work with Exchange Server 2013? To authenticate mailbox users with a RADIUS server before they can login into their mailbox and use their mailbox?
  Thanks in advance.

  Hi,
  I suggest we refer to the following article to double confirm the Network Policy Server is registered properly.
  http://technet.microsoft.com/library/cc732912.aspx
  Thanks,
  Simon Wu
  TechNet Community Support

• Dynamic WEP with Win2k3 Radius server

  Can someone provide information as how to configure AP350 and AP1200 to use dynamic WEP with Win2k3 Radius server.
  What security feature should be configured
  If possible provide information for configuration of Win2k3 Radius server.

  PEAP CHAPS,128-BIT or WPA

• 1240AG as WDS & Local Radius Server

  Have 5 1240AG's and want to use one as WDS and Local Radius Server.
  Am using the following as a guide:
  http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml#hw
  The above example uses a Cisco Secure ACS and designates both an AP and a WSLM as the WDS. I just want to use the AP as the WDS.
  Isn't it possible to do the whole thing just using a 1240AG as both the WDS and Local Radius Server and not use a Cisco Secure ACS or WSLM?
  Is there an online guide for such a thing? (looked, didn't find it)
  Appreciate the guidance
  Cheers

  Thanks, that's what I thought.
  I had found the WDS setup link but wasn't sure if I was missing something.
  The link you provided for the Local Radius Server setup is for "partners" only I believe? Can't access it.
  But I think I should be able to find some guides/examples somewhere else in the archives. I'm starting w/ these 2 links;
  https://www.cisco.com/en/US/products/ps6521/prod_configuration_examples_list.html
  and
  http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c0912.shtml
  Appreciated the heads up about port 1812.

• OVMRU_002030E Cannot create OCFS2 file system with local file server: Local FS OVMSRVR. Its server is not in a cluster. [Thu Dec 04 01:33:10 EST 2014]

  Hi Guys,
  Im trying to create a repository .I have a single node OVM server and have presented two LUN's (Hitachi  HUS110 direct attached (via FC))
  I've created a server pool and unchecked the clustered server pool. I see the LUN's (physical disk from Oracle Virtual manager) .But when creating the repository i'm having this error
  "OVMRU_002030E Cannot create OCFS2 file system with local file server: Local FS OVMSRVR. Its server is not in a cluster. [Thu Dec 04 01:33:10 EST 2014]"
  Any steps i missed?Appreciate anyone's input
  Regards,
  Robert

  Hi Robert,
  did you actually add the OVS to the server pool, that you created?

• WLC Web-auth fail with external RADIUS server

  I follow step by step the link bellow to configure web-auth with external RADIUS server but I receive a error on console debug of the WLC "Returning AAA Error No Server (-7) for mobile"
  My Radius Server is fine, because I can authenticate on WLC Web page with RADIUS user.
  WLC 4402 version 4.1.171.0
  http://www.cisco.com/en/US/products/ps6366/prod_technical_reference09186a0080706f5f.html

  Hi,
  I am having some issues when I try to authenticate an AD account against a NAP Radius Server on Windows 2008.
  In fact, I own a WLC 2106 and I configured it to authenticate users againts a radius Server with Active Directory. I set the Web Radius Authentication to CHAP on the controller tab from the WLC 2106 and i am getting the error below  
  : Authentication failed for gcasanova. When I set the controller to  Web Radius Authentication to PAP, everything is working fine. I am able to connect to through the controller using an AD Account. But my purpose is not use PAP which is an unsecure protocol since password are sent as plaintext on the network.
  Can someone tell me what's wrong?
  *radiusTransportThread: Oct 26 11:02:13.975:    proxyState......................                                                                                                 .............00:24:D7:40:E5:00-00:00
  *radiusTransportThread: Oct 26 11:02:13.975:    Packet contains 0 AVPs:
  *emWeb: Oct 26 11:02:13.977: Authentication failed for gcasanova
  *aaaQueueReader: Oct 26 11:02:29.985: AuthenticationRequest: 0xb6564634
  *aaaQueueReader: Oct 26 11:02:29.985:   Callback.....................................0x8576720
  *aaaQueueReader: Oct 26 11:02:29.985:   protocolType.................................0x00000001
  *aaaQueueReader: Oct 26 11:02:29.985:   proxyState...................................00:24:D7:40:E5:00-00:00
  *aaaQueueReader: Oct 26 11:02:29.986:   Packet contains 11 AVPs (not shown)
  *aaaQueueReader: Oct 26 11:02:29.986: apfVapRadiusInfoGet: WLAN(4) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
  *aaaQueueReader: Oct 26 11:02:29.986: 00:24:d7:40:e5:00 Successful transmission of Authentication Packet (id 86) to 10.2.0.15:1812, proxy state 00:24:d7:40:e5:00-00:00
  *aaaQueueReader: Oct 26 11:02:29.987: 00000000: 01 56 00 9a 8e 48 e7 20  1d ef be 29 e6 3a 61 6d  .V...H.....).:am
  *aaaQueueReader: Oct 26 11:02:29.987: 00000010: 2b de 07 24 01 0b 67 63  61 73 61 6e 6f 76 61 3c  +..$..gcasanova<
  *aaaQueueReader: Oct 26 11:02:29.987: 00000020: 12 3c ce a0 87 ac df 7a  a5 35 af 7c ef 83 c7 58  .<.....z.5.|...X
  *aaaQueueReader: Oct 26 11:02:29.987: 00000030: ed 03 13 28 a7 5a 0d 26  6d ab 49 ea da 7c 5a 8e  ...(.Z.&m.I..|Z.
  *aaaQueueReader: Oct 26 11:02:29.987: 00000040: 1d 94 70 69 06 06 00 00  00 01 04 06 0a 02 00 06  ..pi............
  *aaaQueueReader: Oct 26 11:02:29.987: 00000050: 05 06 00 00 00 01 20 0a  50 41 52 2d 57 4c 43 31  ........PAR-WLC1
  *aaaQueueReader: Oct 26 11:02:29.987: 00000060: 3d 06 00 00 00 13 1a 0c  00 00 37 63 01 06 00 00  =.........7c....
  *aaaQueueReader: Oct 26 11:02:29.988: 00000070: 00 04 1f 0c 31 30 2e 32  2e 30 2e 31 35 36 1e 0a  ....10.2.0.156..
  *aaaQueueReader: Oct 26 11:02:29.988: 00000080: 31 30 2e 32 2e 30 2e 36  50 12 7f 86 5a c5 61 ad  10.2.0.6P...Z.a.
  *aaaQueueReader: Oct 26 11:02:29.988: 00000090: af 54 fa fa 42 e7 f6 16  9e 10                    .T..B.....
  *radiusTransportThread: Oct 26 11:02:29.988: 00000000: 03 56 00 14 a9 10 07 84  83 00 87 83 b9 10 64 e1  .V............d.
  *radiusTransportThread: Oct 26 11:02:29.988: 00000010: 66 b3 c5 5e                                       f..^
  *radiusTransportThread: Oct 26 11:02:29.988: ****Enter processIncomingMessages: response code=3
  *radiusTransportThread: Oct 26 11:02:29.988: ****Enter processRadiusResponse: response code=3
  *radiusTransportThread: Oct 26 11:02:29.988: 00:24:d7:40:e5:00 Access-Reject received from RADIUS server 10.2.0.15 for mobile 00:24:d7:40:e5:00 receiveId = 0
  *radiusTransportThread: Oct 26 11:02:29.989: 00:24:d7:40:e5:00 Returning AAA Error 'Authentication Failed' (-4) for mobile 00:24:d7:40:e5:00
  *radiusTransportThread: Oct 26 11:02:29.989: AuthorizationResponse: 0xb97fe774
  *radiusTransportThread: Oct 26 11:02:29.989:    structureSize................................32
  *radiusTransportThread: Oct 26 11:02:29.989:    resultCode...................................-4
  *radiusTransportThread: Oct 26 11:02:29.989:    protocolUsed.................................0xffffffff
  *radiusTransportThread: Oct 26 11:02:29.989:    proxyState...................................00:24:D7:40:E5:00-00:00
  *radiusTransportThread: Oct 26 11:02:29.989:    Packet contains 0 AVPs:

• Web authentication with Radius server problem

  Hello,
  I'm having problem to web authenticate users via radius server for one WLC. Here is the outpu from WLC:
  *emWeb: Mar 26 14:17:31.537: 20:7d:xx:xx:d8:f0 Username entry (aaaaaa) created for mobile, length = 7
  *emWeb: Mar 26 14:17:31.537: 20:7d:xx:xx:d8:f0 Username entry (aaaaaa) created in mscb for mobile, length = 7
  *aaaQueueReader: Mar 26 14:17:31.537: Unable to find requested user entry for aaaaaa
  *aaaQueueReader: Mar 26 14:17:31.537: ReProcessAuthentication previous proto 8, next proto 1
  *aaaQueueReader: Mar 26 14:17:31.537: AuthenticationRequest: 0x1e08eb94
  *aaaQueueReader: Mar 26 14:17:31.538:   Callback.....................................0x10908d90
  *aaaQueueReader: Mar 26 14:17:31.538:   protocolType.................................0x00000001
  *aaaQueueReader: Mar 26 14:17:31.538:   proxyState...................................20:7D:xx:xx:D8:F0-00:00
  *aaaQueueReader: Mar 26 14:17:31.538:   Packet contains 11 AVPs (not shown)
  *aaaQueueReader: Mar 26 14:17:31.538: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
  *aaaQueueReader: Mar 26 14:17:31.538: 20:7d:xx:xx:d8:f0 Successful transmission of Authentication Packet (id 67) to 10.xx.33.249:1645, proxy state 20:7d:xx:xx:d8:f0-00:01
  *aaaQueueReader: Mar 26 14:17:31.538: 00000000: 01 43 00 8c 48 7c a7 ff  df 06 53 30 c0 be e1 8e  .C..H|....S0....
  *aaaQueueReader: Mar 26 14:17:31.538: 00000010: d7 fd 8b d3 01 09 73 65  66 72 73 76 65 02 12 7b  ......aaaaaa..{
  *aaaQueueReader: Mar 26 14:17:31.538: 00000020: ae 2e f5 eb fa cf f5 cc  3b 08 65 d7 04 0e ba 06  ........;.e.....
  *aaaQueueReader: Mar 26 14:17:31.538: 00000030: 06 00 00 00 01 04 06 0a  2e 09 14 05 06 00 00 00  ................
  *aaaQueueReader: Mar 26 14:17:31.538: 00000040: 0d 20 0d 73 65 76 73 74  2d 6c 77 63 31 30 3d 06  ...xxxxx-lwc10=.
  *aaaQueueReader: Mar 26 14:17:31.538: 00000050: 00 00 00 13 1a 0c 00 00  37 63 01 06 00 00 00 01  ........7c......
  *aaaQueueReader: Mar 26 14:17:31.538: 00000060: 1f 0e 31 39 32 2e 31 36  38 2e 31 2e 36 31 1e 0c  ..192.168.1.61..
  *aaaQueueReader: Mar 26 14:17:31.538: 00000070: 31 30 2e 34 36 2e 39 2e  32 30 50 12 95 11 7c d9  10.xx.9.20P...|.
  *aaaQueueReader: Mar 26 14:17:31.538: 00000080: 75 8e 01 6e bf 62 38 f8  38 ab 68 4a              u..n.b8.8.hJ
  *radiusTransportThread: Mar 26 14:17:31.603: 00000000: 03 43 00 14 e5 8c e7 75  52 04 af e0 07 b7 fb 96  .C.....uR.......
  *radiusTransportThread: Mar 26 14:17:31.603: 00000010: c1 4a fb 40                                       .J.@
  *radiusTransportThread: Mar 26 14:17:31.603: ****Enter processIncomingMessages: response code=3
  *radiusTransportThread: Mar 26 14:17:31.603: ****Enter processRadiusResponse: response code=3
  *radiusTransportThread: Mar 26 14:17:31.603: 20:7d:xx:xx:d8:f0 Access-Reject received from RADIUS server 10.xx.33.249 for mobile 20:7d:xx:xx:d8:f0 receiveId = 0
  *radiusTransportThread: Mar 26 14:17:31.603: ReProcessAuthentication previous proto 1, next proto 2
  *radiusTransportThread: Mar 26 14:17:31.603: AuthenticationRequest: 0x1da9fa4c
  *radiusTransportThread: Mar 26 14:17:31.603:    Callback.....................................0x10908d90
  *radiusTransportThread: Mar 26 14:17:31.603:    protocolType.................................0x00000002
  *radiusTransportThread: Mar 26 14:17:31.603:    proxyState...................................20:7D:xx:xx:D8:F0-00:00
  *radiusTransportThread: Mar 26 14:17:31.603:    Packet contains 11 AVPs (not shown)
  *radiusTransportThread: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Returning AAA Error 'No Server' (-7) for mobile 20:7d:xx:xx:d8:f0
  *radiusTransportThread: Mar 26 14:17:31.605: AuthorizationResponse: 0x2dd03648
  *radiusTransportThread: Mar 26 14:17:31.605:    structureSize................................32
  *radiusTransportThread: Mar 26 14:17:31.605:    resultCode...................................-7
  *radiusTransportThread: Mar 26 14:17:31.605:    protocolUsed.................................0x00000002
  *radiusTransportThread: Mar 26 14:17:31.605:    proxyState...................................20:7D:xx:xx:D8:F0-00:00
  *radiusTransportThread: Mar 26 14:17:31.605:    Packet contains 0 AVPs:
  *emWeb: Mar 26 14:17:31.605: Authentication failed for aaaaaa
  *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Username entry deleted for mobile
  *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Plumbing web-auth redirect rule due to user logout
  *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 192.168.1.61 WEBAUTH_REQD (8) Deleting mobile policy rule 42461
  *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Adding Web RuleID 42464 for mobile 20:7d:xx:xx:d8:f0
  *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Web Authentication failure for station
  *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 192.168.1.61 WEBAUTH_REQD (8) Reached ERROR: from line 5069
  That was pretty clear for me that Radius is refusing to give user access.
  Fully-Qualified-User-Name = NMEA\aaaaaa
  NAS-IP-Address = 10.xx.9.20
  NAS-Identifier = xxxxx-lwc10
  Called-Station-Identifier = 10.xx.9.20
  Calling-Station-Identifier = 192.168.1.61
  Client-Friendly-Name = YYY10.xx
  Client-IP-Address = 10.xx.9.20
  NAS-Port-Type = Wireless - IEEE 802.11
  NAS-Port = 13
  Proxy-Policy-Name = Use Windows authentication forall users
  Authentication-Provider = Windows
  Authentication-Server = <undetermined>
  Policy-Name = YYYYY Wireless Users
  Authentication-Type = PAP
  EAP-Type = <undetermined>
  Reason-Code = 66
  Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy
  That output is from WLC 5508 version 7.0.235
  What is strange, that user was able to authenticate from other before refresh WLC 4402 ver 4.2.207. I cannot change WLC because of AP which cannot run old version.
  this is output from working client connection from old WLC
  NAS-IP-Address = 10.xx.9.13
  NAS-Identifier = xxxxx-lwc03
  Client-Friendly-Name = YYY10.46
  Client-IP-Address = 10.xx.9.13
  Calling-Station-Identifier = 192.168.19.246
  NAS-Port-Type = <not present>
  NAS-Port = <not present>
  Proxy-Policy-Name = Use Windows authentication for all users
  Authentication-Provider = Windows
  Authentication-Server = <undetermined>
  Policy-Name = YYYYY Wireless Guest Access
  Authentication-Type = PAP
  EAP-Type = <undetermined>
  I know there is different Policy Name used, but my question is why it is not using the same as on old WLC when configuration is same.
  Is there any way I can force users to use different policy from WLC or AP configuration or is this solely configuration of Radius?
  Is it maybe problem of version 7.0.235?
  Any toughts would be much appriciated.

  Scott,
  You are probably right. The condition that is checked for the first policy name (we have 2) is to match
  NAS-Port-Type = Wireless - IEEE 802.11, and this is basically used to differentiate guests from other company users.
  as you can see from the logs the one that is working correctly is not sending NAS-Port-Type. The question is why.
  As I said before.
  WLC 5508 ver. 7.0.235 is sending NAS-Port-Type
  WLC 4402 ver. 4.2.207 is not.
  The same user was working OK on 4402 WLC and after refresh and associating APs to 5508 it all broke, so client did not changed anything on adapter.

• Phonefactor with RRAS(Windows Server 2003) - VPN client timeout after 20 seconds -- too fast!

  [Note that I have previously posted this question on Experts Exchange... but have not found a solution yet].
  We are a small business and would like to switch to two-factor authentication for VPN connections. We spent nearly a year helping Barracuda debug their small business VPN appliance and finally they took their boxes back and gave us back our money - they
  just couldn't get file sharing to work consistently with some new firmware they had to install due to a patent case.
  So... now we are trying Phonefactor.
  Our VPN setup is RRAS on a Windows Server 2003 domain controller.
  We have installed Phonefactor, enabled it as a Radius server, and configured RRAS to point to Phonefactor for Radius authentication. We configured phonefactor to send text messages for authentication, as we figured that would be less disruptive than a phone
  call.
  It all works except... the timeout for VPN clients is only 20 seconds! By the time we receive the text message on a cell phone, sometimes there is only 5 or 6 seconds to get the six digit code typed into a reply on the cell phone... and unless we are really
  nimble, that is frequently not enough time!
  When the VPN client times out, it gives an Error 718 "The connection was terminated because the remote computer did not respond in a timely manner."
  How can we increase the timeout on the VPN clients, so we can more reliably enter the authentication code in a reply back to phonefactor?
  Things we have tried:
  1) Connecting (PPTP) from different Windows clients to see if we get different timeout limits. So far we have tried several Windows 7 boxes and a Windows Server 2003 as the client, but in all cases the timeout is 20 seconds.
  2) On the windows clients: Searching through the PPTP client settings to see if there is one labeled "connection timeout". So far we have found nothing.
  3) On the windows 2003 server: Modifying the RRAS Radius Server time-out to be 30 seconds, 60 seconds, 300 seconds. We've tried restarting RRAS after these changes, but the client connection timeout is still 20 seconds.
  4) In the phonefactor configuration: Searching through the radius server settings to see if there is one labeled "connection timeout". So far we have found nothing.
  5) Using NTRadPing to connect directly to the phonefactor radius server. With NTRadPing we were able to wait more than 60 seconds without a timeout from phonefactor. So we don't *think* at this point that the issue is within phonefactor.
  6) We have asked phonefactor support, but their response is "hmmm... good question, we don't know, that sounds like a problem with your vpn client". And they could well be correct.
  7) Search the web for how to increase either the stock windows VPN client timeout, or the RRAS radius authentication timeout. No luck so far.
  8) Try this registry hack:
  http://windowsitpro.com/networking/solving-ras-718-error. Didn't help.
  Any ideas?
  thanks!

  Hi fdc2005,
  Thanks for the post.
  However, generally, we first type User Name, Password, then click connect to establish the VPN connection. Such as:
  Therefore, I have a little confusion about the timeout you mentioned. Would you please provide us more details.
  Regarding error 718, please check if the following could help:
  If you have a third-party VPN server which does not support MS-CHAPv2 as an authentication method and supports only MS-CHAPv1, you will need to use either CHAP or PAP to connect from the Windows Vista VPN client until the server you use starts supporting MS-CHAPv2.
  Steps to follow for resolution:
  (1) Check if the Routing and Remote Access Server (RRAS) is configured to allow connections with MS-CHAPv2
  (2) Check if the RADIUS server policy supports MSCHAPv2 (This step is needed if you control access to clients using Remote Access Policies on the IAS/NPS server)
  Quote from:
  Troubleshooting Vista VPN problems.
  Hope this helps.
  Jeremy Wu
  TechNet Community Support

• Cisco AAA authentication with windows radius server

  Cisco - Windows Radius problems
  I need to created a limited access group through radius that I can have new network analysts log into
  and not be able to commit changes or get into global config.
  Here are my current radius settings
  aaa new-model
  aaa group server radius IAS
   server name something.corp
  aaa authentication login USERS local group IAS
  aaa authorization exec USERS local group IAS
  radius server something.corp
   address ipv4 1.1.1.1 auth-port 1812 acct-port 1813
   key mypassword
  line vty 0 4
   access-class 1 in
   exec-timeout 0 0
   authorization exec USERS
   logging synchronous
   login authentication USERS
   transport input ssh
  When I log in to the switch, the radius server is passing the corrrect attriubute
  ***Jan 21 13:59:51.897: RADIUS:   Cisco AVpair       [1]   18  "shell:priv-lvl=7"
  The switch is accepting it and putting you in the correct priv level.
  ***Radius-Test#sh priv
     Current privilege level is 7
  I am not sure why it logs you in with the prompt for  privileged EXEC mode when
  you are in priv level 7. This shows that even though it looks like your in priv exec
  mode, you are not.
  ***Radius-Test#sh run
                  ^
     % Invalid input detected at '^' marker.
     Radius-Test#
  Now this is where I am very lost.
  I am in priv level 7, but as soon as I use the enable command It moves me up to 15, and that gives me access to
  global config mode.
  ***Radius-Test#enable
     Radius-Test#
  Debug log -
  Jan 21 14:06:28.689: AAA/MEMORY: free_user (0x2B46E268) user='reynni10'
  ruser='NULL' port='tty390' rem_addr='10.100.158.83' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
  Now it doesnt matter that I was given priv level 7 by radius because 'enable' put me into priv 15
  ***Radius-Test#sh priv
     Current privilege level is 15
     Radius-Test#
  I have tried to set
  ***privilege exec level 15 enable
  It works and I am no longer able to use 'enable' when I am at prv level 7, but I also cannot get the commands they will need to work.
  Even if I try to do
  ***privilege exec level 7 show running-config (or other variations)
  It will allow you to type sh run without errors, but it doest actually run the command.
  What am I doing wrong?
  I also want to get PKI working with radius.

  I can run a test on my radius system, will report back accordingly, as it's a different server than where I am currently located.
  Troubleshooting, have you deleted the certificate/network profile on the devices and started from scratch?

• Accesso to Apache Local Web Server Problem

  Hi, i have a problem related to the set up of Apache Local Web Server on Mac OS X Lion 10.7.5.
  I have correctly installed Apache (2.2.24) php (5.3.26) and MySql (5.5.22) but during the web access i get this message: 403 Forbidden and in the error_log i see this:
  [Tue Nov 05 18:55:19 2013] [error] [client 10.202.145.171] client denied by server configuration: /Users/marcopuccetti/Sites/drupal-7.12
  Before this i have modified the configuration of httpd.conf (DocumentRoot) file in order to point the Sites folder "Users/username/sites"; The same for users configuration file.
  I have also enabled the Web Sharing properties in the System Preferences Section.
  Have i to do any other settings?
  Thank you!
  Marco

  Now it works, but i still don't understand why The directory "Sites" has to be named Only UpperCase.
  Marco

• Authentication Policy ISE with External RADIUS Server

  Hi All,
  I would like to authenticate client by using External RADIUS. Once I create authentication policy using the new compound condition (wireless dot1x + Radius Username Matches "domainB\") I would like to forward the user authentication who make an authen using domainB\username to the External RADIUS Server Sequence. But when I check on the authentication dashboard, it still authenticate using the default authentication rule.
  Please suggest about this scenario.
  Regards,
  Sent from Cisco Technical Support Android App

  Hi jrabinow,
  Which details you would like to see ?
  Here is some infos.
  ISEs are deployed in 2 domains such as "acme.com" and "sub.acme.com"
  Each domain does not make a trusted relationship so these 2 domains cannot communicate between them.
  Each domain has owned Enterprise Root CA (Microsoft)
  Client who need to access the network need to authenticate with EAP-TLS.
  My environment
  My ISE node joined into domain "acme.com"
  User will be "[email protected]"
  Once the user from "[email protected]" try to authenticate, I would like to forward the RADIUS request from ISEs (acme.com) to other ISEs (sub.acme.com)
  After ISEs in "sub.acme.com" return RADIUS-ACCEPT then ISEs in "acme.com" will process an authorization policy.
  Regards,
  Pongsatorn