802.1x + ACS + AD
I am wondering whether it is possible to accomplish the following scenario.
I want to authenticate users connecting to my network using 802.1x based on Active Directory, but also be able to put users from the external database (AD) into different VLANs based on some specific information in Active Directory. If it is possible, what information can I use in AD and how do I configure ACS 4.1 (1) for this?
Thanks,
Michal
Never mind, I already managed that.
Under Windows Database Mapping, define the group in AD and then map them to different groups and assign them VLANs.
Tested and it works just fine.
Similar Messages
802.1x - ACS authentication issue
I will attempt to explain the history of our wireless controller configurations as best I can. We are currently using a 4400 controller running 7.x software which authenticates to an ACS 4.1 appliance. All of this was set up prior to my arrival on the job and the previous engineers had already left with no documentation in place, so I'm trying to piece it together. The ACS is set up to map to AD for specific groups.
In the controller we have an SSID called triton, which is our corporate SSID that all internal users connect to. Three different interfaces have been defined: a general one for most users and two others (let's call them INT1 and INT2) that place users on separate IP networks. The reason for this is that those IP networks can reach certain services that are not allowed for general users. ACS maps those users upon authentication to the VLANs associated with those separate IP networks.
Problem 1. When I first took this job, users could not map drives or any services because only user authentication was taking place. After some troubleshooting and the realization that ACS was authenticating, placing the "Domain Computers" group as an ACS group mapping fixed that issue, allowing the computers to authenticate beforehand and therefore execute the login script.
Problem 2. Recently it has come to my attention that some of the users on one of the other interfaces (INT1 and INT2) that should be placed in the VLANs associated with their AD group mapping are not. Upon further investigation it was discovered that the reason they are not is that the authentication is not correct. When the computer first authenticates, before the user logs on, it shows in ACS as host/xxxxx.yyyy.org, where the user authentication shows as xxxxx/username. So some of the computers never change from authenticating as a host to a user and the IP address ends up in the wrong VLAN.
Please help. I'm not extremely familiar with Cisco 802.1x setup and the documentation is poor at best.
Ok, maybe I should be asking what the proper way to set up both machine authentication and user authentication through the 4400 and ACS 4.1 is then.
The topology that I know of is this: a single 4.1 ACS appliance and a single 4400 controller with approximately 35 LWAPPs. In the past ONLY user authentication was being used, which presented problems with Group Policies and login scripts executing. Adding the AD "Domain Computers" group as an ACS mapped group solved that problem by allowing the domain computers to authenticate and gain access to the network prior to logon (but maybe they were still actually using "user authentication"?). Not sure if this was the proper way to solve the issue, but it worked and at the time we didn't notice any side effects. Although now we are seeing users end up in the wrong VLANs, and when we look at the logs in the controller the computer they are on is only registering as host/xxxx.yyyy.org (machine authentication), which drops them into the default VLAN instead of the VLAN they should be in based upon AD group membership from ACS.
I am very familiar with other wireless products and controllers such as Aruba. In the Aruba, when the machine first booted up and gained access to the network it was using machine authentication, but as soon as the user logged on the supplicant would push the user credentials and change the method to user authentication. In the Aruba we used the windows supplicant. I'd like to do the same with Cisco.
As far as I can tell, there is only a server side (ACS) certificate from Thawte that is used to authenticate.
802.1X ACS Self Signed External Windows DB
Can I configure the ACS server with a self-signed certificate and integrate it into a Windows database?
The users will be authenticated with 802.1X configured on a WLAN on a WLC4400.
Thanks Stephen,
I have configured this in the ACS:
1. The ACS server is a member server, for example in LAB.
2. In External User Database / Windows Database / Configure / In the configure domain list I select the domain called LAB.
3. System Configuration / ACS Certificate Setup / Generate Self-Signed. I enter all required parameters and the certificate is created.
4. The certificate is installed in the wireless client and the wireless profile is configured selecting the certificate. In the Windows profile of the wireless connection, I uncheck "Automatically use my Windows logon name and password"; this option is disabled in order to use the local database of the ACS.
Is the only configuration necessary for the integration of the ACS server with the Windows domain that the server is a member of the Windows domain, that the domain is selected in the domain list in the ACS, and that the option "Automatically use my Windows logon name and password" is checked?
Scale 802.1X ACS in High Security Mode, any ideas?
Scenario
Platform ACS V 5.1.0.44
Switch 4510R with 8 48-port modules (384 ports)
802.1x authentication of the ports in High Security Mode (VLAN assignments required)
Authentication Method Cert based EAP-TLS to machine
We currently have 4 data VLANs that users and assets drop into on this switch.
How do I scale this, as I can't differentiate the cert to distribute the users across the 4 VLANs in ACS?
I think I can use unique Identity groups for the MAB of assets, but the users have me really scratching my head.
Looks like a switching group has been looking at this as a possible answer for the stack switches, but I can't configure VLAN groups on 4510s, and there's no config guide on how to apply it in ACS 5.1 (use attribute 81 like we do for VLAN assignment?)
12.2(52)SE feature (3750-E, 3560-E):
IEEE 802.1x User Distribution to allow deployments with multiple VLANs (for a group of users) to improve scalability of the network by load balancing users across different VLANs. Authorized users are assigned to the least populated VLAN in the group, assigned by the RADIUS server.
But then you get bitten even when using VLAN assignments on large stacks:
• When IEEE 802.1x authentication with VLAN assignment is enabled, a CPUHOG message might appear if the switch is authenticating supplicants in a switch stack.
The workaround is to not use the VLAN assignment option. (CSCse22791)
802.1x ACS RSA Secure ID/Safeword Token server
Hello, we are trying to implement wireless security in our network. We want to issue badges with attached tokens so clients can come into our office and log in to our wireless network. They would then be prompted for their login and password, which would be their badge ID and their token credentials.
We are using an Airespace wireless security device, and we specify ACS as the 802.1x RADIUS server. Airespace is sending the requests to ACS just fine, but ACS does not seem to like what it's seeing. We also imported a custom VSA vendor file for the Airespace wireless security device. The log below reflects this.
We have tested by creating local ACS users, and authentication works and we can get onto our network. But when we specify the AAA server as our RADIUS token server, set the unknown user DB to that server and test auth, we are not granted permission to our WLAN. It's as if Cisco does not recognize the PEAP auth information and rejects it by default. We ARE required to get this working with XP SP1, as we would hate to have to install software on every client's laptop.
A wireless client of ours DID work when we specified EAP-GTC on the client side, but it will never work when we specify PEAP on the client side. We never seem to see communications from ACS to our Safeword token server regardless of what we do (including the successful EAP-GTC login). Our RADIUS strings are correct etc. Safeword is listening on 1812, but also has protocols EASSP-1/2 listening on ports we have set manually (are these relevant to our needs?)
The failed attempts log shows "External DB Auth Failed".
Here is a snip of the CSRadius/RDS.log when we try to auth. When we sniff traffic we see the EAP request and the RADIUS reject on the wire, but we never see ACS ask the token server. If anyone can make any suggestions on how we could troubleshoot further/test or make forward progress in any way, please do. Thank you all in advance.
Cisco RDS log attached.
The problem could be with your Secure ID RSA server.
802.1x - ACS 3.3 with AD Integration
I'm running into an issue using AD integration and 802.1x. A previous thread on this indicated the 802.1x authentication occurred prior to the domain login process.
However, when I attempt to log in to a machine using a domain account and that account profile is not cached on the machine, the authentication fails, indicating it could not contact the specified domain.
Obviously the 802.1x authentication is not occurring to open the port and then pass the domain credentials to the AD. The ACS is configured to pass unknown users to the AD for authentication, at which point the ACS should import the account.
Why is the 802.1x failing for uncached user accounts?
Try these steps:
1. Check your NTLM version.
NTLMv2 is not supported between ACS and AD. Only NTLM is supported.
2. Check the authentication method.
For authenticating dot1x users on the external database you need to use either PEAP or EAP-TLS as the authentication method. Both of these involve certificates. EAP-MD5 is not supported on an external database for authentication.
Try these links:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/csapp33/ra/rawi.htm
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs32/user02/o.htm#wp624132
http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_release_note09186a008031479e.html
802.1x (ACS) with Avaya phones
Hi All,
We are implementing wired dot1x for our wired users with EAP-TLS. When I connect a laptop it gets authenticated and works fine. For VoIP (Avaya) we are using MAB. When we connect the VoIP phone, after 30 seconds ACS gives an Access-Accept (auth success), but the phone is stuck in the Bad Router state and VoIP is not working. If I connect the laptop behind the phone it gets authenticated and works fine even though the phone is stuck.
Is there a way we can reduce the 802.1x auth timings so that VoIP can register successfully?
The switch interface config is:
authentication event fail action next-method
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
Thanks,
Vijay
Hi,
I am using Avaya as well in production. They support 802.1X.
Configure Voice VLAN on each Port.
Let ACS send the radius attribute device-traffic-class=voice under
Policy Elements/Authorization and Permissions/Network Access/Authorization Profiles VOICE VLAN
and select Permission to join static.
A good guide: IP Telephony for 802.1X Design Guide
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html
Regards Horst
Problems with 802.1x, ACS and Windows Server 2000
Hi,
My components: ACS 3.3 running on a server with Windows 2000 Server SP4, a 2950 Catalyst (AAA client),
and a laptop with Windows XP SP2 (802.1x client).
I have everything configured according to the Cisco documentation, but I am getting one error in the ACS's log (Failed Attempts active.csv):
Authen-Failure-Code : EAP-TLS or PEAP authentication failed during SSL handshake
I have a valid certificate on my RADIUS (ACS) server, and for machine authentication I have a valid certificate on my laptop. (I installed this certificate before I started to log in at the 802.1x port of the switch.)
Does anyone have any idea what the problem is?
Here is the config of the Catalyst 2950 if that will help:
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname ACS-Client1
aaa new-model
aaa authentication dot1x default group radius
enable secret xxxx
username xxxx privilege xxx password xxx
ip subnet-zero
ip ssh time-out 120
ip ssh authentication-retries 3
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
dot1x system-auth-control
interface FastEthernet0/13
switchport mode access
dot1x port-control auto
dot1x timeout quiet-period 3
dot1x timeout reauth-period 1
dot1x reauthentication
interface GigabitEthernet0/2
interface Vlan1
ip address 10.10.3.253 255.255.255.0
no ip route-cache
ip default-gateway 10.10.3.254
ip http server
radius-server host 10.10.3.1 auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server key radius
line con 0
password xxx
line vty 0 4
password xxx
line vty 5 15
password xxx
end
Yes, we managed to solve this problem. Because it is only a test scenario, we installed everything new: Win2000 Server SP4, the certificate service and WinXP on the client.
The config of the switch is ok; we set the reauth-period and quiet-period to default.
Then we tested the whole configuration with the IAS RADIUS (MS). After this we installed the ACS, following this document (certificates were already installed):
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml
Attention: we used the AEGIS client, not the XP client!
802.1x ACS 5.2 and AD
Hi,
I would like to enable 802.1x to replace an existing Cisco port security implementation. This will provide us greater mobility as workstations are moved within the network.
I am planning on using 802.1x for devices that are on the AD domain and MAB for devices that either don't have built-in supplicants or are not in the domain.
Can someone please advise if I am able to do this without using certificates? Would EAP work without having certificates?
I see that when the Windows supplicant is being configured to enable 802.1x, it is asking for a certificate.
Thanks
Patrick,
You can do PEAP with Certificate Checking turned off. It's not as secure, but it would give you the option of user authentication without worrying about certificates at all. For the non-supplicant devices, you will have to have a database of MAC addresses ready to do MAB.
HTH,
Faisal
If you find this post helpful, please rate so others can find the answer easily
Compatibility of 802.1X and MAC filtering from ACS
If the clients' identities and MAC addresses are stored in the same ACS server,
could a WLAN in the WLC be configured with Layer 2 security using both 802.1x and MAC filtering?
This is really a critical problem for me!
Thanks~
Hi,
I am assuming you are asking: if you configure the MAC of a WLAN client in the MAC filter and the same as the user name in the 802.1x ACS database, could you configure it, and what is the effect?
If my understanding of your question is correct, the answer is:
Any WLAN client will not be allowed to associate to the network unless a match is seen in the MAC filter in the WLC.
But once that is done it will not be able to access network resources unless 802.1x authentication is completed by ACS against the WLAN client's user name, which is again the MAC address of the client.
I don't see a value in doing this, except that you will block unnecessary authentication requests getting to ACS by filtering them in the first instance.
Another scenario is if you are using MAC filtering also on ACS; it should be preceded by MAC filtering and then ACS authentication, as above as far as the sequence goes, hence the same logic applies here.
Thanks
This is an opportunity to learn and ask more questions about the Cisco TrustSec solution. The TrustSec solution is designed to flatten the network regardless of the access method but still provide fully distributed and differentiated access control; whether you are coming from wired, WiFi or remote access, the TrustSec solution provides a consistent access control policy.
Ankur Bajaj is a customer support engineer from the AAA team at the Cisco Technical Assistance Center in Richardson, Texas, USA. He has 14 years of total experience. He has worked on a wide range of Cisco Security Technologies such as Cisco ASA, VPN deployments, NAC solution, ACS and ISE deployment. Ankur has CCIE # 22135 in Security.
Mrinal Jaiswal has been with Cisco since 2007 with previous experience as a software developer. He works with AAA and Wireless Technical Assistance. Mrinal holds a CCIE in security #31389, MCSA in 2003 track, MCAD in .net, GNIIT from NIIT.
Beau Wallace is an engineer for the RTP AAA TAC team, supporting multiple solutions including ISE, TrustSec, 802.1x, ACS, NAC, etc. He attended East Carolina University and lives in Raleigh, NC. He holds CCNP, RHCSA, and Security+ Certifications
This Discussion starts Dec 16th through Dec 19th, 2014
Remember to use the rating system to let the experts know if you have received an adequate response.
The experts might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation in the Security community, sub-community, AAA, Identity and NAC discussion forum shortly after the event. This event lasts through December 19, 2014. Visit this forum often to view responses to your questions and the questions of other community members.
Hi Marvin, first, you would want to ensure the router or switch you use has support for SG-ACLs and enforcement via:
http://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/trustsec_matrix.html
Once you know that works, you can configure SG-ACLs with a source or destination of "unknown". This keyword indicates traffic where we cannot discover what SGT should be assigned to that traffic, or in other words traffic from outside the TrustSec domain. We use a relatively common command set on enforcement-supporting platforms; take a look at the following link for the command syntax:
http://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/sgacl_config.html
Let me know if the unknown tag was what you were looking for!
Edits: Spelling.
Hi,
Can anyone help me configure EAP in Cisco ACS 4.1? In fact I am using the Cisco ACS for wireless clients through a WLC4402, on which I have enabled 802.1X; ACS is also configured for the basic authentication.
I want to use EAP authentication.
Thanks and Regards,
S.Venkataraman
Please find attached the PEAP config guide.
Regards,
~JG
Do rate helpful posts
ACS 5.3 Configuring 802.1x
Trying to configure 802.1x with ACS 5.3; I have some general doubts about how to do it. This is what I have for the moment:
ACS 5.3 = 192.168.240.28
AD = 192.168.251.97
Switch = 192.168.240.171
IOS device config
Device Administration using TACACS+ is already configured and running, mixed with the RADIUS aaa commands:
aaa group server tacacs+ TACACS_PLUS
server 192.168.240.28
aaa group server radius RADIUS_1x
server 192.168.240.28 auth-port 1812 acct-port 1813
aaa authentication login default group TACACS_PLUS
aaa authentication login no_tacacs enable local
aaa authentication enable default group RADIUS_1x
aaa authentication dot1x default group RADIUS_1x
aaa authorization config-commands
aaa authorization exec no_tacacs local
aaa authorization commands 15 TACACS_PLUS group tacacs+
aaa authorization network default group RADIUS_1x
aaa authorization auth-proxy default group RADIUS_1x
aaa accounting send stop-record authentication failure
aaa accounting update newinfo
aaa accounting dot1x default start-stop group RADIUS_1x
aaa accounting exec default start-stop group TACACS_PLUS
aaa accounting network default start-stop group TACACS_PLUS
aaa accounting connection default start-stop group TACACS_PLUS
aaa accounting system default start-stop group RADIUS_1x
tacacs-server host 192.168.240.28 port 49 key 7 104D0617040717180F05
tacacs-server directed-request
radius-server attribute 8 include-in-access-req
radius-server host 192.168.240.28 auth-port 1812 acct-port 1813
radius-server timeout 20
radius-server key 7 094F410718151201080D
radius-server vsa send authentication
dot1x system-auth-control
errdisable detect cause security-violation shutdown vlan
errdisable recovery cause security-violation
interface GigabitEthernet0/24
switchport mode access
switchport voice vlan 7
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-host
dot1x timeout quiet-period 15
spanning-tree portfast
spanning-tree bpduguard enable
ACS 5.3 Configuration until now
I have a document on how to configure this on ACS 4.2, but I have some problems trying to configure on ACS 5.3.
I'll appreciate a lot any ideas that could help me on this.
Regards,
Juan Carlos
Ok Carlos, I made it simple: just AD as the condition and the authorization profile. I tested with a compliant client and am still receiving a timeout, and Network Access Authorization is still at 0. Here is the debug:
001250: Jan 19 18:40:58.028 GDL: AAA/BIND(0000002F): Bind i/f
001251: Jan 19 18:40:58.237 GDL: %AUTHMGR-5-START: Starting 'dot1x' for client (f04d.a2a2.a028) on Interface Gi0/24 AuditSessionID C0A8F0AB0000001101B6C743
001252: Jan 19 18:41:00.007 GDL: %LINK-3-UPDOWN: Interface GigabitEthernet0/24, changed state to up
001253: Jan 19 18:41:01.014 GDL: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/24, changed state to up
001254: Jan 19 18:41:08.547 GDL: AAA/AUTHEN/8021X (0000002F): Pick method list 'default'
001255: Jan 19 18:41:08.547 GDL: RADIUS/ENCODE(0000002F):Orig. component type = Dot1X
001256: Jan 19 18:41:08.547 GDL: RADIUS(0000002F): Config NAS IP: 0.0.0.0
001257: Jan 19 18:41:08.547 GDL: RADIUS(0000002F): Config NAS IPv6: ::
001258: Jan 19 18:41:08.555 GDL: RADIUS/ENCODE(0000002F): acct_session_id: 37
001259: Jan 19 18:41:08.555 GDL: RADIUS(0000002F): sending
001260: Jan 19 18:41:08.555 GDL: RADIUS/ENCODE: Best Local IP-Address 192.168.240.171 for Radius-Server 192.168.240.28
001261: Jan 19 18:41:08.555 GDL: RADIUS(0000002F): Send Access-Request to 192.168.240.28:1812 id 1645/27, len 246
001262: Jan 19 18:41:08.555 GDL: RADIUS: authenticator 27 15 50 22 ED AB FC 34 - F1 24 56 87 30 6F 7D F9
001263: Jan 19 18:41:08.555 GDL: RADIUS: User-Name [1] 18 "juancarlos.arias"
001264: Jan 19 18:41:08.555 GDL: RADIUS: Service-Type [6] 6 Framed [2]
001265: Jan 19 18:41:08.555 GDL: RADIUS: Vendor, Cisco [26] 27
001266: Jan 19 18:41:08.555 GDL: RADIUS: Cisco AVpair [1] 21 "service-type=Framed"
001267: Jan 19 18:41:08.555 GDL: RADIUS: Framed-MTU [12] 6 1500
001268: Jan 19 18:41:08.555 GDL: RADIUS: Called-Station-Id [30] 19 "00-1C-0E-08-69-98"
001269: Jan 19 18:41:08.555 GDL: RADIUS: Calling-Station-Id [31] 19 "F0-4D-A2-A2-A0-28"
001270: Jan 19 18:41:08.555 GDL: RADIUS: EAP-Message [79] 23
001271: Jan 19 18:41:08.555 GDL: RADIUS: 02 01 00 15 01 6A 75 61 6E 63 61 72 6C 6F 73 2E 61 72 69 61 73 [ juancarlos.arias]
001272: Jan 19 18:41:08.555 GDL: RADIUS: Message-Authenticato[80] 18
001273: Jan 19 18:41:08.555 GDL: RADIUS: E5 92 90 F9 39 F2 EA A9 E4 B2 C9 02 12 9D EA B0 [ 9]
001274: Jan 19 18:41:08.555 GDL: RADIUS: EAP-Key-Name [102] 2 *
001275: Jan 19 18:41:08.555 GDL: RADIUS: Vendor, Cisco [26] 49
001276: Jan 19 18:41:08.555 GDL: RADIUS: Cisco AVpair [1] 43 "audit-session-id=C0A8F0AB0000001101B6C743"
001277: Jan 19 18:41:08.555 GDL: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
001278: Jan 19 18:41:08.555 GDL: RADIUS: NAS-Port [5] 6 50024
001279: Jan 19 18:41:08.555 GDL: RADIUS: NAS-Port-Id [87] 21 "GigabitEthernet0/24"
001280: Jan 19 18:41:08.555 GDL: RADIUS: NAS-IP-Address [4] 6 192.168.240.171
001281: Jan 19 18:41:08.555 GDL: RADIUS(0000002F): Sending a IPv4 Radius Packet
001282: Jan 19 18:41:08.555 GDL: RADIUS(0000002F): Started 20 sec timeout
001283: Jan 19 18:41:26.507 GDL: RADIUS(0000002F): Request timed out
001284: Jan 19 18:41:26.507 GDL: RADIUS: Retransmit to (192.168.240.28:1812,1813) for id 1645/27
001285: Jan 19 18:41:26.507 GDL: RADIUS(0000002F): Started 20 sec timeout
Complete Report:
aaa group server tacacs+ TACACS_PLUS
server 192.168.240.28
aaa group server radius RADIUS_1x
server 192.168.240.28 auth-port 1812 acct-port 1813
aaa authentication login default group TACACS_PLUS
aaa authentication login no_tacacs enable local
aaa authentication enable default group RADIUS_1x
aaa authentication dot1x default group RADIUS_1x
aaa authorization config-commands
aaa authorization exec no_tacacs local
aaa authorization commands 15 TACACS_PLUS group tacacs+
aaa authorization network default group RADIUS_1x
aaa authorization auth-proxy default group RADIUS_1x
aaa accounting send stop-record authentication failure
aaa accounting update newinfo
aaa accounting dot1x default start-stop group RADIUS_1x
aaa accounting exec default start-stop group TACACS_PLUS
aaa accounting network default start-stop group TACACS_PLUS
aaa accounting connection default start-stop group TACACS_PLUS
aaa accounting system default start-stop group RADIUS_1x
dot1x system-auth-control
interface GigabitEthernet0/24
switchport mode access
switchport voice vlan 7
authentication port-control auto
authentication violation protect
dot1x pae authenticator
dot1x timeout quiet-period 15
spanning-tree portfast
spanning-tree bpduguard enable
tacacs-server host 192.168.240.28 key 7 104D0617040717180F05
tacacs-server directed-request
radius-server attribute 8 include-in-access-req
radius-server host 192.168.240.28 auth-port 1812 acct-port 1813 key 7 15110402053A2E372B32
radius-server timeout 20
radius-server key 7 0110090A5A1B031C224D
radius-server vsa send authentication
The compliant client should have access to VLAN 60.
802.1x with ACS does not work correctly
Hello
I have here a WLAN setup with a WDS, some 40 access points, an ACS 4.1 server and a Windows Domain Controller which has the users configured.
I have a group mapping configured in ACS which points to a small group in the ADS.
The group mapping in ACS points to a specific group in ACS.
There I've configured the following:
[009\001] cisco-av-pair
- ssid=xx-200 (the name of the SSID the clients connect)
[006] Service-Type
- Login
[007] Framed-Protocol
- PPP
[025] Class
- OU=pers; (this is not the special group where those users are in, but they are also in this one)
[064] Tunnel-Type
- Tag 1 Value Vlan
[065] Tunnel-Medium-Type
- Tag 1 Value 802
[081] Tunnel-Private-Group-ID
- Tag 1 Value 200 (the Vlan in which they should go)
The good thing is, authentication with username password works.
The bad thing is, every user can authenticate and get into this SSID instead of only the users in the special group which points to this groupmapping.
The other ADS groups also point to other ACS groups, but they don't have the above values ([009\001] cisco-av-pair, [064] Tunnel-Type, [065] Tunnel-Medium-Type, [081] Tunnel-Private-Group-ID) configured.
The logfile from the ACS also shows that the wrong users are mapped into the correct group like they should, but they still get access.
Here is the WDS configuration:
aaa group server radius RADIUS_GROUP_WDS_RADIOMANAGEMENT
server 10.1.1.30 auth-port 1645 acct-port 1646
server 10.1.2.30 auth-port 1645 acct-port 1646
aaa authentication login METHOD_WDS_RADIOMANAGEMENT group RADIUS_GROUP_WDS_RADIOMANAGEMENT
aaa authentication enable default enable
aaa session-id common
radius-server host 10.1.1.30 auth-port 1645 acct-port 1646 key 7 xxxx
radius-server host 10.1.2.30 auth-port 1645 acct-port 1646 key 7 xxxx
radius-server retransmit 2
radius-server timeout 18
radius-server deadtime 1
radius-server vsa send accounting
wlccp authentication-server infrastructure METHOD_WDS_RADIOMANAGEMENT
wlccp authentication-server client any METHOD_WDS_RADIOMANAGEMENT
ssid xx-200
The accesspoint config:
aaa authentication login METHOD_RAD_WDS_CLIENT group radius
aaa authentication enable default enable
aaa session-id common
dot11 ssid xx-200
vlan 200
authentication open eap METHOD_RAD_WDS_CLIENT
authentication network-eap METHOD_RAD_WDS_CLIENT
authentication key-management wpa
interface Dot11Radio0
encryption vlan 200 mode ciphers aes-ccm
broadcast-key vlan 200 change 60
ssid xx-200
interface Dot11Radio0.200
description
encapsulation dot1Q 200
no ip route-cache
no cdp enable
bridge-group 200
bridge-group 200 subscriber-loop-control
bridge-group 200 block-unknown-source
no bridge-group 200 source-learning
no bridge-group 200 unicast-flooding
bridge-group 200 spanning-disabled
interface FastEthernet0.200
description
encapsulation dot1Q 200
no ip route-cache
bridge-group 200
no bridge-group 200 source-learning
bridge-group 200 spanning-disabled
I hope you can find out why any user can authenticate and not just the ones in the group mapping which has the RADIUS attributes configured.
Thanks,
pato
I have finally found something to look into :/
000619: Jan 18 16:50:11 A: RADIUS: AAA Unsupported Attr: ssid [263] 6
000620: Jan 18 16:50:11 A: RADIUS: 48 53 52 2D [xxx-]
000621: Jan 18 16:50:11 A: RADIUS: AAA Unsupported Attr: interface [156] 4
000622: Jan 18 16:50:11 A: RADIUS: 32 35 [25]
This is with various debugging active on the WDS. And this might be the reason why it doesn't work.
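The three tagged attributes in the group configuration above ([064] Tunnel-Type, [065] Tunnel-Medium-Type and [081] Tunnel-Private-Group-ID) are what the access device reads from the Access-Accept to pick the VLAN. The following Python is an added example, not code from ACS or from either poster: it encodes and parses these attributes per RFC 2868 and applies the all-three-present, same-tag check an access device performs before it takes a dynamic VLAN from the Accept. Attribute numbers and enumeration values are those of RFC 2868 and RFC 3580; the sample bytes are constructed.

```python
"""
Encode and decode the RFC 2868 tagged tunnel attributes that carry a dynamic
VLAN assignment in a RADIUS Access-Accept: Tunnel-Type (64), Tunnel-Medium-Type
(65) and Tunnel-Private-Group-ID (81).  Constructed example; the sample bytes at
the bottom are made up for illustration.
"""
import struct

TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13      # RFC 3580: Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_802 = 6      # RFC 2868: "802 (includes all 802 media plus Ethernet)"
VLAN_ATTRS = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID}


def encode_tagged_int(attr_type, tag, value):
    """Tagged integer AVP: Type, Length=6, Tag, then a 3-byte big-endian value."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    if not 0 <= value <= 0xFFFFFF:
        raise ValueError("tagged integer must fit in 24 bits")
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type, tag, text):
    """Tagged string AVP: Type, Length, Tag, then the string octets."""
    data = text.encode("ascii")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    if not 1 <= len(data) <= 252:          # AVP length is one octet (max 255)
        raise ValueError("string length out of range")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def build_vlan_avps(vlan, tag=1):
    """The three AVPs for a dynamic VLAN; `vlan` is a VLAN ID (int) or VLAN name (str)."""
    return (encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan)))


def iter_avps(blob):
    """Walk a RADIUS attribute blob, yielding (type, value) and rejecting bad lengths."""
    pos = 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated AVP header")
        attr_type, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError("AVP length %d out of range" % length)
        yield attr_type, blob[pos + 2:pos + length]
        pos += length


def split_tag(value):
    """RFC 2868: the first octet is a tag only if it is <= 0x1F; otherwise untagged (tag 0)."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_from_accept(blob):
    """Return the VLAN ID/name the access device would take from these AVPs, or None.

    A dynamic VLAN is derived only when Tunnel-Type=VLAN, Tunnel-Medium-Type=802
    and Tunnel-Private-Group-ID are all present under the same tag; otherwise no
    VLAN comes from the Accept and the port's or SSID's configured VLAN applies.
    """
    groups = {}
    for attr_type, value in iter_avps(blob):
        if attr_type in VLAN_ATTRS:
            tag, payload = split_tag(value)
            groups.setdefault(tag, {})[attr_type] = payload
    for tag in sorted(groups):
        avps = groups[tag]
        if set(avps) != VLAN_ATTRS:
            continue
        if int.from_bytes(avps[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
            continue
        if int.from_bytes(avps[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_802:
            continue
        return avps[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", errors="replace")
    return None


if __name__ == "__main__":
    good = build_vlan_avps(200)                      # the [064]/[065]/[081] triple from the post
    print(good.hex(), "->", vlan_from_accept(good))  # 200
    # Same bytes with the Tunnel-Private-Group-ID attribute missing: no assignment.
    print(vlan_from_accept(good[:12]))               # None
    # Tags that do not agree are not one group either.
    mixed = good[:12] + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, 2, "200")
    print(vlan_from_accept(mixed))                   # None
```

Feeding the parser the attribute bytes of a captured Accept (or a deliberately incomplete set) shows which of the three attributes a group is missing before a client ever hits the port.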
ACS & 802.1x & external DB (ODBC)
Hello
I'm evaluating 802.1x authentication with EAP-TLS against an ACS server (4.0). The authentication has to be done with an external ODBC database (we cannot use the AD/Windows database for this project). The certs on the server and on the client are ok. The SQL Server returns OK. BUT: the authentication fails with "certificate name or binary comparison failed". In the auth.log file there are entries like:
AUTH 01/09/2007 14:40:05 I 1554 3440 pvAuthenticateUser: authenticate 'host/pcqj1c.sitest.net' against ODBCACS
AUTH 01/09/2007 14:40:05 I 0376 3440 External DB [ODBCAuthDll.dll]: FindUser start for user [host/pcqj1c.sitest.net]
AUTH 01/09/2007 14:40:05 I 0376 3440 External DB [ODBCAuthDll.dll]: Authentication OK for user [host/pcqj1c.sitest.net]
AUTH 01/09/2007 14:40:06 I 0897 3440 AuthenProcessResponse: process response for 'host/pcqj1c.sitest.net'
AUTH 01/09/2007 14:40:06 E 0361 3440 EAP: TLS: No match between name in certificate and user account
The CN in the client's cert is "pcqj1c.sitest.net".
Can anybody help?
regards
Roland
I am in an installation with 802.1x.
I have installed a Cisco ACS and a Cisco 2950 switch and I am authorizing users via MS-CHAPv2 against the Cisco ACS.
ACS is validating users against a Microsoft Active Directory.
I have the following problem: when the user logs in, it takes between 45 and 90 seconds to log the user in and change the VLAN.
I have installed Windows XP Service Pack 2 and the patches:
xp-kb817778-x86-esn
xp-kb826942-x86-esn
I have changed the switch software to the latest release.
How can I reduce this delay? Any idea?