2504 WebAuth and IPv6 RADIUS Accounting (IPv6-Framed-Address)

Similar Messages

• WAP321 ignore global radius active server ip address

  Hello everyone,
  I have few WAP321 with a radius server listening on 2 different IPs (one for each SSID).
  I configured the global radius server with theses two IPs.
  Then I created 2 wireless networks with WPA enterprise, global radius settings.
  I selected global radius "active server ip address 1" for the first network and global radius "active server ip address 2" for the second but it does not work. After saving the 2 networks only connect to the first IP of the radius and the select field only display "active server ip address 1" for both networks.
  Is it a bug ? or something I haven't understood ?
  Using firmware 1.0.5.3.
  Thank you.

  Hi flallart1
  Personally I can't confirm this behavior as I have no WAP321 unit by hand. But I wanted to say something about your setup.
  You've configured RADIUS server with two different IP's.
  Each RADIUS IP provides different authentication rules - like different user database or different set of authorization rules.
  You have added both RADIUS IPs inside Global RADIUS setting configuration.
  And inside each SSID (Virtual Access Point) setting you kept "Use global RADIUS server settings" checked, but you have explicitly selected "Active Server" for that particular SSID for which is suited.
  What "Active Server" means: Enables the administrative selection of the active RADIUS server, rather than having the WAP device attempt to contact each configured server in sequence and choose the first server that is up.
  In reality this means that from existing pool of available RADIUS servers you can choose preferred server by your own. But in case that preferred RADIUS server is not reachable, another one will be used for that SSID. But this is not good behavior in your case - because once that situation happen and your WAP selected different IP for particular SSID, your authentication scheme will be completely different as second RADIUS IP provides different authentication/authorization rulebase. If that RADIUS IP change happen, all clients already connected to that SSID according rulebase of first RADIUS IP will be denied in few next minutes, because re-authentication will fail as now it will be done according rulebase of second RADIUS IP. Also new clients will not be able to connect which normally works for them.
  In your case you should ignore global RADIUS settings and explicitly configure RADIUS IP inside each SSID (Virtual Access Point) - i.e. IP of RADIUS server which is only related to that SSID. In your scenario, there is no Backup RADIUS IP as both of them provides different authentication.

• Do we support RADIUS over IPv6 in ACS 5.5?

  Hi,
  Could you please let me know if we support RADIUS over IPv6?

  It is hard to see the information in your screen shot but ACS 5.4 and later support IPv6 for network devices:
  http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-4/user/guide/acsuserguide/net_resources.html
  Also, if you type an invalid IP address in ACS you would get the following error:
  A valid IPv4 address consists of four numbers (0-255) separated by periods, e.g. 123.0.255.3
  A valid IPv6 address is n:n:n:n:n:n:n:n where the 'n's are either digits (0-9) or letters (A-F)
  I hope this is what you were looking for!
  Thank you for rating helpful posts!

• TACACS auth and RADIUS accounting with ACS

  I am having RADIUS accounting issues with an ASA 5520 that uses TACACS for authentication. Both are hosted on the same ACS server. I can send RADIUS info to my Microsoft IAS box but get Syslog ID 113022 errors when trying to send to the ACS RADIUS. A packet capture shows the RADIUS accounting request getting to the ACS box (Windows Server 2003 R2) but syslog shows failedauth. Any ideas?

  Thank you for the response. I did verify the syslog explanation you gave below and the AAA server is online as TACACS message are getting to it. My configuration for the ASA for RADIUS is as follows
  Server Group - RADIUS
  Protocol - RADIUS
  Accounting Mode - Simultaneous
  Reactivation Mode - Timed
  Max Failed attempts - 3
  Two servers in the Server Group
  ACS - Not working
  Microsoft IAS - Working
  I have tried removing the IAS server and changing the accounting mode to single and still getting auth failures.
  ACS is configured as follows
  Network Configuration
  AAA Clients - ASA authenticate using TACACS+
  AAA Servers - None listed. When I tried to add the ACS machine the error said the server already existed (In another Network Device Group)

• WLC 4400 and RADIUS accounting

  Have trawled what docs there are and cant find out if the RADIUS accounting messages from the 4400 include the name of the lightweight AP handling the user session.
  I'm guessing there might be a new Cisco VSA for it.
  Anyone know?
  Thanks

  The error message could be because of any unused protocol.

• Does icloud, imessage and facetime application have IPv6 support ?

  Hi Everybody,
           Since all ISP's started IPv6 deployment just wanted to know whether icloud, imessage and facetime application have IPv6 support?

  Backup phone in iTunes . On your phone, Go to Settings, General, reset, Erase All Content and Settings. Restore as new on iTunes . Then restore your phone from the backup in iTunes.

• Radius accounting for QoS pppoe policy-map

  Hi folks
  I have a radius pushing an AVPAIR ip:sub-qos-policy-out to a virtual template for clients connected to a BRAS through PPPOE.
  The AVPAIR is correctly applied to each and every pppoe session but the following link  http://www.cisco.com/c/en/us/td/docs/ios/12_2sb/feature/guide/sbbbrs1c.html  is indicating that I should be able to push back to the RADIUS some traffic info per class-map/policy map. This would allow some Quota stuff and getting some info about traffic used per customer
  From what I have been able to configure, i'm not getting any of this stats back to the RADIUS
  the debug radius accounting :
  *Mar 12 05:29:00.419: RADIUS/ENCODE(0000000E):Orig. component type = PPPoE
  *Mar 12 05:29:00.419: RADIUS/ENCODE(0000000E): Acct-session-id pre-pended with Nas Port = 0/0/3/0
  *Mar 12 05:29:00.419: RADIUS(0000000E): Config NAS IP: 0.0.0.0
  *Mar 12 05:29:00.419: RADIUS(0000000E): sending
  *Mar 12 05:29:00.419: RADIUS/ENCODE: Best Local IP-Address 192.168.38.133 for Radius-Server 192.168.38.131
  *Mar 12 05:29:00.419: RADIUS(0000000E): Send Accounting-Request to 192.168.38.131:1813 id 1646/55, len 299
  *Mar 12 05:29:00.419: RADIUS:  authenticator ED 94 CF EE BD 73 30 7E - 93 07 A4 C3 50 A6 03 DE
  *Mar 12 05:29:00.419: RADIUS:  Acct-Session-Id     [44]  18  "0/0/3/0_00000005"
  *Mar 12 05:29:00.419: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
  *Mar 12 05:29:00.419: RADIUS:  Framed-IP-Address   [8]   6   10.10.10.2
  *Mar 12 05:29:00.419: RADIUS:  User-Name           [1]   9   "olivier"
  *Mar 12 05:29:00.419: RADIUS:  Vendor, Cisco       [26]  35
  *Mar 12 05:29:00.419: RADIUS:   Cisco AVpair       [1]   29  "connect-progress=LAN Ses Up"
  *Mar 12 05:29:00.419: RADIUS:  Vendor, Cisco       [26]  29
  *Mar 12 05:29:00.419: RADIUS:   Cisco AVpair       [1]   23  "nas-tx-speed=10000000"
  *Mar 12 05:29:00.419: RADIUS:  Vendor, Cisco       [26]  29
  *Mar 12 05:29:00.419: RADIUS:   Cisco AVpair       [1]   23  "nas-rx-speed=10000000"
  *Mar 12 05:29:00.419: RADIUS:  Acct-Session-Time   [46]  6   2582
  *Mar 12 05:29:00.419: RADIUS:  Acct-Input-Octets   [42]  6   7232
  *Mar 12 05:29:00.419: RADIUS:  Acct-Output-Octets  [43]  6   7232
  *Mar 12 05:29:00.419: RADIUS:  Acct-Input-Packets  [47]  6   517
  *Mar 12 05:29:00.419: RADIUS:  Acct-Output-Packets [48]  6   517
  *Mar 12 05:29:00.419: RADIUS:  Acct-Authentic      [45]  6   RADIUS                    [1]
  *Mar 12 05:29:00.419: RADIUS:  Acct-Status-Type    [40]  6   Watchdog                  [3]
  *Mar 12 05:29:00.419: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
  *Mar 12 05:29:00.419: RADIUS:  Vendor, Cisco       [26]  15
  *Mar 12 05:29:00.419: RADIUS:   cisco-nas-port     [2]   9   "0/0/3/0"
  *Mar 12 05:29:00.419: RADIUS:  NAS-Port            [5]   6   50331648
  *Mar 12 05:29:00.419: RADIUS:  NAS-Port-Id         [87]  9   "0/0/3/0"
  *Mar 12 05:29:00.419: RADIUS:  Vendor, Cisco       [26]  41
  *Mar 12 05:29:00.419: RADIUS:   Cisco AVpair       [1]   35  "client-mac-address=aabb.cc00.6430"
  *Mar 12 05:29:00.419: RADIUS:  Service-Type        [6]   6   Framed                    [2]
  *Mar 12 05:29:00.419: RADIUS:  NAS-IP-Address      [4]   6   192.168.38.133
  *Mar 12 05:29:00.419: RADIUS:  Ascend-Session-Svr-K[151] 10
  *Mar 12 05:29:00.419: RADIUS:   37 39 38 32 45 41 38 30          [ 7982EA80]
  *Mar 12 05:29:00.419: RADIUS:  Acct-Delay-Time     [41]  6   0
  *Mar 12 05:29:00.419: RADIUS(0000000E): Started 5 sec timeout
  *Mar 12 05:29:00.419: RADIUS: Received from id 1646/55 192.168.38.131:1813, Accounting-response, len 20
  *Mar 12 05:29:00.419: RADIUS:  authenticator A7 0E 79 40 C5 B5 CF DC - 09 46 27 48 52 BE 01 7D
  What I get in the freeradius log :
  Tue Mar 11 22:30:04 2014
          Acct-Session-Id = "0/0/3/0_00000005"
          Framed-Protocol = PPP
          Framed-IP-Address = 10.10.10.2
          User-Name = "olivier"
          Cisco-AVPair = "connect-progress=LAN Ses Up"
          Cisco-AVPair = "nas-tx-speed=10000000"
          Cisco-AVPair = "nas-rx-speed=10000000"
          Acct-Session-Time = 2646
          Acct-Input-Octets = 7428
          Acct-Output-Octets = 7428
          Acct-Input-Packets = 531
          Acct-Output-Packets = 531
          Acct-Authentic = RADIUS
          Acct-Status-Type = Interim-Update
          NAS-Port-Type = Virtual
          Cisco-NAS-Port = "0/0/3/0"
          NAS-Port = 50331648
          NAS-Port-Id = "0/0/3/0"
          Cisco-AVPair = "client-mac-address=aabb.cc00.6430"
          Service-Type = Framed-User
          NAS-IP-Address = 192.168.38.133
          X-Ascend-Session-Svr-Key = "7982EA80"
          Acct-Delay-Time = 0
          Acct-Unique-Session-Id = "523eac6ae326a778"
          Timestamp = 1394602204
          Request-Authenticator = Verified
  user config in the users file on the freeradius server :
  olivier Cleartext-Password := "olivier"
          Service-Type = Framed-User,
          Cisco-AVPair += "ip:addr-pool=pppoepool",
          Cisco-AVpair += "ip:sub-qos-policy-out=TEST"
  I see that the policy map name is pulled correctly from the radius server and applied to the session :
  #sh policy-map session uid 14
   SSS session identifier 14 -
    Service-policy output: TEST
      Class-map: TEST (match-all)
        0 packets, 0 bytes
        5 minute offered rate 0 bps, drop rate 0 bps
        Match: any
        police:
            cir 8000 bps, bc 1500 bytes
          conformed 0 packets, 0 bytes; actions:
            transmit
          exceeded 0 packets, 0 bytes; actions:
            drop
          conformed 0 bps, exceed 0 bps
      Class-map: class-default (match-any)
        0 packets, 0 bytes
        5 minute offered rate 0 bps, drop rate 0 bps
        Match: any
  Any input very welcome

  Cisco sever is working fine. When you do use non-standard or non-RFC requests from your NAS to the AAA server for instance, you have to configure your server accordingly to instruct it how to handle this kind of requests.
  This is typically done with something called "dictionary", which should be included in your radius server. The server typically decodes all RFC 2865 VSAs (or should), but when a new NAS model is introduced into the network, you can modify it to add any VSAs not appearing in the dictionary, which is your case.
  As an example, imagine you want to change the attribute cisco-vsa-port-string to tagged-string, your dictionary will look somethign similar than:
  And finally you will have to modify with a text editor, or XML editor and change type="tagged-string" supposing your device comply with RFC 2868. Probably
  the AAA server will have to restarted for taking this
  changes into account.
  Also,since this does apply to all devices for this vendor, you've got other option more, which is define your own dictionary for a specific vendor, or even if you wish for a specific NAS or group or NASes.
  In NavisRadius you could associate a dictionary to a
  device adding a client-class:
  # Client-IP Client-Secret Client-Class
  10.0.0.1 secret taos-old
  And then specifying the dictionary later in client_properties for this device:
  # This file contains information about client classes # and is used to set per-client specific information.
  # TAOS Devices in OLD mode with RFC conflicts
  taos-old
  Client-Dictionary=max_dictionary
  # Other devices now, etc.
  Hope it helps

• After ISE 1.2 upgrade I get "5413 RADIUS Accounting-Request dropped."

  Hello,
  I have a two admin node setup for ISE. I just upgraded one of my two ISE Admin nodes to Version 1.2. I still have one of my admin  nodes at 1.1.4. When I disable my Version 1.1.4 node and allow wireless authentications to be handled by the Version 1.2 node I get the message..."5413 RADIUS Accounting-Request dropped". None of my wireless edge devices will be allowed on the network during this time. When I re-enable my 1.1.4 node my wireless devices are then allowed on the network.
  I am currently using ISE to authenticate wireless connectivity.
  I also get the failure reason... "11038 RADIUS Accounting-Request header contains invalid Authentication field".
  Any ideas?
  Bob

  The 5413 RADIUS Accounting-Request dropped may be because the session was active on ISE1 and is now sending update messages to ISE2. Also, verify your shared secret radius key matches on both the wlc and ISE servers. I would try clearing the WLC connection for the test user when switching.  Just turning off wireless and back on doesn't do it.  Also, are you using PEAP-MSChapv2 or EAP-TLS for authenticating the clients.  What type of certificate is presented, public or private?

• ISE 1.2 - WLC 5508 - NAS sends RADIUS accounting update messages too frequently

  I'm getting this error in ISE referring to my Cisco 5508 WLC.  I'm not sure how to turn down the frequency.  Any ideas?
  NAS sends RADIUS accounting update messages too frequently
  Verify NAS configuration. Verify known NAS issues.

  I opened up a TAC case with Cisco yesterday and this is the response i got from them:
  There is bug on the WLC side to reduce the number acct updates:
  CSCug14713- WLC sends acct-update twice in the same millisecond
  This is fixed in 8.x on the WLC.
  So, it looks at though we just have to deal with it until they release an 8.x version for the WLC. In the meantime, you can disable the alerts in ISE.
  Administration>Settings>Alarm Settings>Misconfigured Network Device Detected
  Edit that alarm and set it to disabled

• ISE 1.2 - Error 12929 NAS sends RADIUS accounting update messages too frequently

  We are currently running Cisco ISE 1.2, and every day under the "Misconfigured Network Devices" section on the main ISE Page, I have a huge list of different devices that are all being flagged with the following error message:
  "12929 NAS sends RADIUS accounting update messages too frequently." " NAS sends RADIUS accounting update messages too frequently
  Verify NAS configuration. Verify known NAS issues."
  The list of devices seems to all be Cisco switches; albeit different models, IOS versions, ect.  
  i have searched on this issue, and the closest thing to a fix I can find is that it would be fixed in a WLC update, but that was 9 months ago.    I would like to know what causes this issue, and what needs to be altered in ISE, or on the switches to resolve this.
  Thank You.

   CSCuh20269    WLC sends acc updates too frequently, indicates user roams to itself  is the defect specifically on the WLC that is fixed in one of the 7.6 releases.
  Along with the config Jatin mentioned, you may want to try pulling an Accounting report from ISE periodically and analyze the traffic/isolate the endpoints/supplicants that may be causing  a lot of activity (For ex frequent IP changes ) which results in frequent accounting updates.
  Regards,
  Gurudatt
  Escalation engineer, SAMPG | CCIE#28227
  Cisco systems

• Cisco ISE with both internal and External RADIUS Server

  Hi
  I have ISE 1.2 , I configured it as management monitor and PSN and it work fine
  I would like to know if I can integrate an external radius server and work with both internal and External RADIUS Server simultanously
  So some computer (groupe_A in active directory ) will continu to made radius authentication on the ISE internal radius and other computer (groupe_B in active directory) will made radius authentication on an external radius server
  I will like to know if it is possible to configure it and how I can do it ?
  Thanks in advance for your help
  Regards
  Blaise

  Cisco ISE can function both as a RADIUS server and as a RADIUS proxy server. When it acts as a proxy server, Cisco ISE receives authentication and accounting requests from the network access server (NAS) and forwards them to the external RADIUS server. Cisco ISE accepts the results of the requests and returns them to the NAS.
  Cisco ISE can simultaneously act as a proxy server to multiple external RADIUS servers. You can use the external RADIUS servers that you configure here in RADIUS server sequences. The External RADIUS Server page lists all the external RADIUS servers that you have defined in Cisco ISE. You can use the filter option to search for specific RADIUS servers based on the name or description, or both. In both simple and rule-based authentication policies, you can use the RADIUS server sequences to proxy the requests to a RADIUS server.
  The RADIUS server sequence strips the domain name from the RADIUS-Username attribute for RADIUS authentications. This domain stripping is not applicable for EAP authentications, which use the EAP-Identity attribute. The RADIUS proxy server obtains the username from the RADIUS-Username attribute and strips it from the character that you specify when you configure the RADIUS server sequence. For EAP authentications, the RADIUS proxy server obtains the username from the EAP-Identity attribute. EAP authentications that use the RADIUS server sequence will succeed only if the EAP-Identity and RADIUS-Username values are the same.

• ISCSI Initiator favourites revert to using the IPv6 or the apipa IP address from other NICs instead of the source IP address that I specified

  Windows 2008 R2
  ISCSI Initiator favourites revert to using the IPv6 or the apipa IP address from other NICs instead of the source IP address that I specified. 
  When I manually connect to multiple targets and specify the correct ISCSI source IP address, I check the favourites and everything looks okay. But when the server is rebooted I check the favourites again and the source IP is now referencing the IPv6 and
  sometimes the apipa address. 
  I have unbound IPv6 from the ISCSI NICS but this has made no difference.
  Can anyone explain why this is happening?
  Although the server still reconnects to the storage oaky, I’m concerned that if a path goes down that is might try to use the wrong interface to re-establish a connection.
  Thanks.  

  Hi,
  IPV6 is supported with MS iSCSI. Do you have Multiple Connections per Session (MCS) configured? Is your storage configured to use both IPv4 and IPv6?
  If yes, please see if http://support.microsoft.com/kb/2014131 helps.
  Hope this helps.
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• No RADIUS accounting with SF 302?

  Hello all,
  I have configured my SF 302-08P switch to perform 802.1X & MAC authentication. This works fine in both cases but I cannot get the switch to send accounting requests to my RADIUS server. Even when the server sends back an Acct-Interim-Interval attribute in the Access-Accept message, the switch doesn't generate accounting requests. Is it a known restriction or am I missing something?
  I'm a little bit surprised since the datasheet claims that both RADIUS authentication and accounting are supported for 802.1X. The switch version is 1.0.0.27.
  Regards,
  Simon

  Hi Simon,
  Yep according to the RFC2866 it states"
  When a client is configured to use RADIUS Accounting, at the start of
     service delivery it will generate an Accounting Start packet
     describing the type of service being delivered and the user it is
     being delivered to, and will send that to the RADIUS Accounting
     server, which will send back an acknowledgement that the packet has
     been received.  At the end of service delivery the client will
     generate an Accounting Stop packet describing the type of service
     that was delivered and optionally statistics such as elapsed time,
     input and output octets, or input and output packets.  It will send
     that to the RADIUS Accounting server, which will send back an
     acknowledgement that the packet has been received."
  The delay in my response was trying to simulate the scenario, but I don't have all the pieces here.
  Have a Chat to the boys/gals at SBSC to get some clarification.
  http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
  regards Dave

• WLC 5508 Radius accounting issue

  I have a WLAN configured with 802.1x PEAP pointing to an external RADIUS server.  It works fine for the most part, but I'm having problem closing accounting sessions in RADIUS.  I've found this is related to the client table in the WLC.  The user session does not end in RADIUS unless the WLC officially removes the client from the db, which takes 5-6 minutes from what I can see (probably due to the default idle timeout of 300 seconds). 
  For example:
  1.  I connect my tablet to the test WLAN.  It associates and authenticates successfully and the WLC sends the accounting info to my RADIUS server, opening up a user session.  If I turn off the wifi in the tablet, the client entry stays in the WLC client table until it times out.  The WLC removes my tablet from the client table after 5-6 minutes, and then the session closes in the accounting table.  I can force the session to close much earlier by manually removing the client from the WLC.
  2.  Same as #1, but this time instead of turning of the wifi in the tablet, I choose to connect to a different WLAN in the WLC.  The user session in the accounting DB never closes.  If I reconnect back to the original test WLAN with 802.1x, it opens up yet another user session in RADIUS accounting.  Now I have a "dead" user session in accounting that is going to be open forever unless I delete it from SQL.
  Is this an issue with the end user client not sending the disassociation frame properly, or a config problem with the WLC?  How can I make it so that every time a client drops from an AP or moves to a different WLAN, the WLC would immediately send accounting updates to my RADIUS server and close the user session properly?
  Thanks,
  Wil

  Well like you said, the WLC will keep the client in the DB until the idle timer expires. This is normal and I don't think you will be able to change this unless you set the idle timer to a lower value.
  Sent from Cisco Technical Support iPhone App

• AAA Radius accounting command is not taking in 3750 switch

         Hi Cisco Support community,
  I am facing a issue with radius accounting in Cisco 3750 switch with version 12.2. I am unable to start accounting for radius server.
  This is the config that is on the switch for Radius.
  aaa authentication login default group radius local
  aaa authentication dot1x default group radius
  aaa authorization exec my-authradius group radius if-authenticated.
  radius-server attribute 6 on-for-login-auth
  radius-server dead-criteria time 20 tries 5
  radius-server host 10.100.1.225 auth-port 1645 acct-port 1646 key 7 14341A5801103F3904266021
  radius-server host 10.100.1.226 auth-port 1645 acct-port 1646 key 7 05280E5C2C585B1B390B4406
  When i try to add the following command for accounting, this is not saving.
  (aaa accounting commands 0 default start-stop group radius
  aaa accounting commands 1 default start-stop group radius
  aaa accounting commands 15 default start-stop group radius)
  If i do paste this command one by one after start-stop group it is showing only two options either tacacs+ or server, no radius option is there as well.
  I  tried to create a server group and add the radius server  in the group.  Even then when i am trying to implement the aaa accounting command with the server command it is not showing in show run.
  Can anyone please help me with this issue.

  Hi,
  thanks for your reply but the thing is that  i want to see the command that are being run by a user on  this particular device. If i use the network command it will only show me the  network-related service requests, including Serial Line Internet Protocol (SLIP), PPP, PPP Network Control Protocols (NCPs), and AppleTalk Remote Access Protocol (ARAP).
  I have read the document from this link and it is stating that we can use command accounting. Below is the link
  http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a1.html. 
  Can anyone please tell me if this a version issue because even in version 15.4 i was not seeing the radius option in the end
  aaa accounting commands 15 default start-stop group (radius)- in radius place it was showing only Tacacs+ or group.