802.1x authentication not trying second Radius server

I have 802.1x set up for port-based authentication on my 3750. I have two identical RADIUS servers set up and both work when they are the initial server. If I disable the NIC on the first server, it never fails over to the second one. (This only happens with 802.1x; logging directly onto the switch works but just takes longer.) What do I need to set to get the RADIUS to fail over faster, or at all for that matter?
aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization network default group radius
interface FastEthernet1/0/11
 switchport access vlan 15
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x violation-mode protect
 spanning-tree portfast
radius-server host 10.10.0.41 auth-port 1645 acct-port 1646 key radiuskey
radius-server host 10.10.0.42 auth-port 1645 acct-port 1646 key radiuskey


Similar Messages

  • 802.1x wireless authentication not working via RADIUS

    I've tried to implement 802.1x authentication in a Windows 2012 domain environment using Protected EAP authentication. I read through guide after guide and still I am unable to get it to work. I'm confident the server side and WLC config is all correct. I have run the command debug client d0:df:9a:f6:30:40, which is my test laptop, and I can see the WLC sending EAP-Request/Identity messages but it seems it never gets a reply. I have attached a copy of the debug.
    Can someone please help me if possible?
    Laptop > AP > WLC > RADIUS SERVER

    Hmmm, PEAP. So PEAP requires the server be validated via a certificate trust. Did you download the WLC certificate and install it on the client (use self-signed cert), or did you install a new certificate on the WLC? In either case your client has to "trust" the Certificate Authority who signed the certificate used by the authentication device. If you use the self-signed certificate you have to download the cert from the WLC and install it on the client to validate the server, then the client is validated on the WLC with Windows credentials or a saved username/password.
    Are you trying to do single sign-on? Is the client a member of the domain? Does the user belong to the domain? Did you do the certificate stuff above? If you need to test this without validating the server (JUST FOR TESTING PURPOSES) you can go under the WLAN profile on the client, choose Security, Settings and uncheck "validate server certificate". Then on user credentials verify you are using the correct client credentials on the client and try again.
    If this works the certificate is the issue, you can troubleshoot from there. You DO NOT WANT TO LEAVE validate server certificate unchecked as that can create a BIG SECURITY HOLE. Just based on your description I am leaning towards a cert issue. If you can provide more details, would be great. Screenshots of your client EAP-PEAP setup, screenshot of windows cert store showing trusted root certification authorities with trusted CA your WLC is using. 
    Do you ever see logs on the AD server, with login attempts? If not the client is not able to verify the WLC's certificate and therefore won't send credentials. 
    LDAP configuration is pretty straightforward, if you just want to test this for the first time and are having issues with just getting a PEAP client to work you can attempt with a LOCAL EAP user on the WLC to verify the client and WLC are correct then add the LDAP server as Authentication Source, just ensure your server priorities are correct if you do this.
    Hopefully this helps

  • WLC not integrating with Radius Server

    Hello world,
    I have the following situation:
    One WLC 2000 Series (software version 7.0.230.0) with multiple SSIDs, one is with 802.1x integrated with a RADIUS server.
    Everything worked fine until a few days ago, when users were unable to log on via their certificates on Windows XP.
    The infrastructure didn't suffer modifications.
    What I have checked: RADIUS certification isn't expired, client certification isn't expired, the password between controller and RADIUS is correct.
    There are no ACLs between the WLC and the remote server. I can ping the devices, other SSIDs on the same controller (WPA/PSK) are working correctly.
    The APs are 1242.
    I have tried deleting the SSID and configuring it back. The OS on the Windows Server is 2003 Standard. The APs are configured H-REAP.
    I have increased the Server Timeout from Radius Authentication Servers from 2 to 30 sec.
    The message logs received on WLC Trap Logs:
    RADIUS server X.X.X.X:1812 failed to respond to request (ID 161) for client xx.xx.xx.xx.xx.xx/ user 'unknown'
    The message from the debug dot1x aaa enable:
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_CALLING_STATION_ID(31) index=1
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_CALLED_STATION_ID(30) index=2
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_PORT(5) index=3
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_INT_CISCO_AUDIT_SESSION_ID(7) index=4
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_IP_ADDRESS(4) index=5
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_IDENTIFIER(32) index=6
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_VAP_ID(1) index=7
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_SERVICE_TYPE(6) index=8
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_FRAMED_MTU(12) index=9
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_PORT_TYPE(61) index=10
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_EAP_MESSAGE(79) index=11
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_RAD_STATE(24) index=12
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_MESS_AUTH(80) index=13
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df AAA EAP Packet created request = 0x1cff348c.. !!!!
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Sending EAP Attribute (code=2, length=6, id=10) for mobile xx.xx.xx.xx.xx.xx.
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00000000: 02 0a 00 06 0d 00                                 ......
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
    *radiusTransportThread: Mar 06 09:37:07.328: 00:15:e9:33:75:df [BE-resp] AAA response 'Interim Response'
    *radiusTransportThread: Mar 06 09:37:07.328: 00:15:e9:33:75:df [BE-resp] Returning AAA response
    *radiusTransportThread: Mar 06 09:37:07.328: 00:15:e9:33:75:df AAA Message 'Interim Response' received for mobile xx.xx.xx.xx.xx.xx.
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.329: 00:15:e9:33:75:df Skipping AVP (0/27) for mobile xx.xx.xx.xx.xx.xx.
    The messages on Windows 2003 Standard:
    User Y was denied access.
    Fully-Qualified-User-Name = xx.domain.com/Users_T/user
    NAS-IP-Address = X.X>X.X
    NAS-Identifier = Cisco_
    Called-Station-Identifier = ---------------------
    Calling-Station-Identifier = ---------------------
    Client-Friendly-Name = ---------------------
    Client-IP-Address = ---------------------
    NAS-Port-Type = Wireless - IEEE 802.11
    NAS-Port = 1
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = Wireless Policy
    Authentication-Type = EAP
    EAP-Type = Smart Card or other certificate
    Reason-Code = 262
    Reason = The supplied message is incomplete.  The signature was not verified.
    User Y was denied access.
    Fully-Qualified-User-Name = xx.domain.com/Users_T/user
    NAS-IP-Address = X.X>X.X
    NAS-Identifier = Cisco_
    Called-Station-Identifier = ---------------------
    Calling-Station-Identifier = ---------------------
    Client-Friendly-Name = ---------------------
    Client-IP-Address = ---------------------
    NAS-Port-Type = Wireless - IEEE 802.11
    NAS-Port = 1
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = Wireless Policy
    Authentication-Type = EAP
    EAP-Type = Smart Card or other certificate
    Reason-Code = 262
    Reason = The supplied message is incomplete.  The signature was not verified.
    Can anyone help why I cannot log the users via 802.1x?

    Okay that is good..... this is what I would do next. I would create a test SSID that uses PEAP MSCHAPv2 and create a new policy in IAS that is basic. Allow 802.1x wireless and user group only and see if you can reconfigure one of the XP machines for PEAP. Can you also post a screenshot of your policies (connection and network) so we can review it?

  • 802.1X authentication not happening in Voice Domain for IP Phone

    I am trying to lab as many scenarios as I can for 802.1x. I seem to have hit a problem with IP Phones running EAP-MD5 authentication. The phones are always being authenticated in the Data Domain. This is regardless of whether or not the port configuration is in host-mode multi-auth or host-mode multi-domain. After a while of both ports appearing to authenticate in the data VLAN, neither the PC nor the phone will work.
    I have checked that my ACS 5.1 server is sending the appropriate AV pair of "device-traffic-class=voice" as I can see it in a Wireshark trace.
    What other aspects might I need to check to get the phone to authenticate itself properly?
    The problem shows itself as:
    C3750G#sh authentication sessions int gi 1/0/16
                Interface:  GigabitEthernet1/0/16
              MAC Address:  001d.452d.53e0
               IP Address:  Unknown
                User-Name:  CP-7942G-SEP001D452D53E0
                   Status:  Authz Success
                   Domain:  DATA
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  multi-domain
         Oper control dir:  both
            Authorized By:  Authentication Server
               Vlan Group:  N/A
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  C0A8FE2500000014000F6B8F
          Acct Session ID:  0x00000036
                   Handle:  0xC8000014
    Runnable methods list:
           Method   State
           dot1x    Authc Success
                Interface:  GigabitEthernet1/0/16
              MAC Address:  0014.c209.896f
               IP Address:  192.168.10.2
                User-Name:  TEST\TestAdmin
                   Status:  Running
                   Domain:  UNKNOWN
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  multi-domain
         Oper control dir:  both
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  C0A8FE2500000013000F5A42
          Acct Session ID:  0x00000034
                   Handle:  0x27000013
    Runnable methods list:
           Method   State
           dot1x    Running
    My port config is:
    interface GigabitEthernet1/0/16
    description * 802.1x Multi Domain (1Phone + 1PC) *
    switchport access vlan 10
    switchport mode access
    switchport voice vlan 11
    priority-queue out
    authentication host-mode multi-domain
    authentication port-control auto
    udld port aggressive
    mls qos trust dscp
    dot1x pae authenticator
    spanning-tree portfast
    end

    For information, the debugs you request are:
    Jan 29 10:58:46.317: %ILPOWER-7-DETECT: Interface Gi1/0/16: Power Device detected: IEEE PD
    Jan 29 10:58:46.770: %ILPOWER-5-POWER_GRANTED: Interface Gi1/0/16: Power granted
    Jan 29 10:58:50.377: AAA/BIND(0000001D): Bind i/f
    Jan 29 10:58:52.373: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/16, changed state to up
    Jan 29 10:58:53.380: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/16, changed state to up
    Jan 29 10:58:54.789: %AUTHMGR-5-START: Starting 'dot1x' for client (001d.452d.53e0) on Interface Gi1/0/16 AuditSessionID C0A8FE2500000018002FB1D0
    Jan 29 10:58:56.920: AAA/AUTHEN/8021X (0000001D): Pick method list 'default'
    Jan 29 10:58:56.920: RADIUS/ENCODE(0000001D):Orig. component type = DOT1X
    Jan 29 10:58:56.920: RADIUS(0000001D): Config NAS IP: 192.168.254.37
    Jan 29 10:58:56.920: RADIUS/ENCODE(0000001D): acct_session_id: 54
    Jan 29 10:58:56.920: RADIUS(0000001D): sending
    Jan 29 10:58:56.920: RADIUS(0000001D): Send Access-Request to 192.168.254.51:1645 id 1645/52, len 237
    Jan 29 10:58:56.920: RADIUS:  authenticator 89 81 92 2C AA 6B E6 E6 - CA 2C 3A 0D E1 C5 28 ED
    Jan 29 10:58:56.928: RADIUS:  User-Name           [1]   26  "CP-7942G-SEP001D452D53E0"
    Jan 29 10:58:56.928: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Jan 29 10:58:56.928: RADIUS:  Framed-MTU          [12]  6   1500
    Jan 29 10:58:56.928: RADIUS:  Called-Station-Id   [30]  19  "30-37-A6-AB-8E-90"
    Jan 29 10:58:56.928: RADIUS:  Calling-Station-Id  [31]  19  "00-1D-45-2D-53-E0"
    Jan 29 10:58:56.928: RADIUS:  EAP-Message         [79]  31
    Jan 29 10:58:56.928: RADIUS:   02 01 00 1D 01 43 50 2D 37 39 34 32 47 2D 53 45 50 30 30 31 44  [CP-7942G-SEP001D]
    Jan 29 10:58:56.928: RADIUS:   34 35 32 44 35 33 45 30          [ 452D53E0]
    Jan 29 10:58:56.928: RADIUS:  Message-Authenticato[80]  18
    Jan 29 10:58:56.928: RADIUS:   83 AF F8 DB 44 0D 0A 46 70 2F 1E 8D 67 CE BC DD             [ DFp/g]
    Jan 29 10:58:56.928: RADIUS:  EAP-Key-Name        [102] 2   *
    Jan 29 10:58:56.928: RADIUS:  Vendor, Cisco       [26]  49
    Jan 29 10:58:56.928: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A8FE2500000018002FB1D0"
    Jan 29 10:58:56.928: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
    Jan 29 10:58:56.928: RADIUS:  NAS-Port            [5]   6   50116
    Jan 29 10:58:56.928: RADIUS:  NAS-Port-Id         [87]  23  "GigabitEthernet1/0/16"
    Jan 29 10:58:56.928: RADIUS:  NAS-IP-Address      [4]   6   192.168.254.37
    Jan 29 10:58:56.928: RADIUS(0000001D): Started 4 sec timeout
    Jan 29 10:58:56.928: RADIUS: Received from id 1645/52 192.168.254.51:1645, Access-Challenge, len 76
    Jan 29 10:58:56.928: RADIUS:  authenticator DA 45 B9 F8 80 48 A0 4B - F7 99 9B 1F DE 4F B2 9E
    Jan 29 10:58:56.928: RADIUS:  State               [24]  30
    Jan 29 10:58:56.937: RADIUS:   32 35 53 65 73 73 69 6F 6E 49 44 3D 41 43 53 2F  [25SessionID=ACS/]
    Jan 29 10:58:56.937: RADIUS:   38 35 36 37 30 35 31 38 2F 33 33 3B      [ 85670518/33;]
    Jan 29 10:58:56.937: RADIUS:  EAP-Message         [79]  8
    Jan 29 10:58:56.937: RADIUS:   01 51 00 06 0D 20                [ Q ]
    Jan 29 10:58:56.937: RADIUS:  Message-Authenticato[80]  18
    Jan 29 10:58:56.937: RADIUS:   3C F4 D9 93 82 EA FB 25 A7 9D C4 8F 14 3F 33 4F             [ <??3O]
    Jan 29 10:58:56.937: RADIUS(0000001D): Received from id 1645/52
    Jan 29 10:58:56.937: RADIUS/DECODE: EAP-Message fragments, 6, total 6 bytes
    Jan 29 10:58:57.046: AAA/AUTHEN/8021X (0000001D): Pick method list 'default'
    Jan 29 10:58:57.046: RADIUS/ENCODE(0000001D):Orig. component type = DOT1X
    Jan 29 10:58:57.046: RADIUS(0000001D): Config NAS IP: 192.168.254.37
    Jan 29 10:58:57.046: RADIUS/ENCODE(0000001D): acct_session_id: 54
    Jan 29 10:58:57.046: RADIUS(0000001D): sending
    Jan 29 10:58:57.046: RADIUS(0000001D): Send Access-Request to 192.168.254.51:1645 id 1645/53, len 244
    Jan 29 10:58:57.046: RADIUS:  authenticator BE 9B 32 59 45 BF 15 45 - E4 43 02 B5 B5 D7 ED 83
    Jan 29 10:58:57.046: RADIUS:  User-Name           [1]   26  "CP-7942G-SEP001D452D53E0"
    Jan 29 10:58:57.046: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Jan 29 10:58:57.046: RADIUS:  Framed-MTU          [12]  6   1500
    Jan 29 10:58:57.054: RADIUS:  Called-Station-Id   [30]  19  "30-37-A6-AB-8E-90"
    Jan 29 10:58:57.054: RADIUS:  Calling-Station-Id  [31]  19  "00-1D-45-2D-53-E0"
    Jan 29 10:58:57.054: RADIUS:  EAP-Message         [79]  8
    Jan 29 10:58:57.054: RADIUS:   02 51 00 06 03 04                 [ Q]
    Jan 29 10:58:57.054: RADIUS:  Message-Authenticato[80]  18
    Jan 29 10:58:57.054: RADIUS:   E0 B5 99 82 7E 9E 35 0F 78 D9 BD 4B 96 97 34 47            [ ~5xK4G]
    Jan 29 10:58:57.054: RADIUS:  EAP-Key-Name        [102] 2   *
    Jan 29 10:58:57.054: RADIUS:  Vendor, Cisco       [26]  49
    Jan 29 10:58:57.054: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A8FE2500000018002FB1D0"
    Jan 29 10:58:57.054: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
    Jan 29 10:58:57.054: RADIUS:  NAS-Port            [5]   6   50116
    Jan 29 10:58:57.054: RADIUS:  NAS-Port-Id         [87]  23  "GigabitEthernet1/0/16"
    Jan 29 10:58:57.054: RADIUS:  State               [24]  30
    Jan 29 10:58:57.054: RADIUS:   32 35 53 65 73 73 69 6F 6E 49 44 3D 41 43 53 2F  [25SessionID=ACS/]
    Jan 29 10:58:57.054: RADIUS:   38 35 36 37 30 35 31 38 2F 33 33 3B      [ 85670518/33;]
    Jan 29 10:58:57.054: RADIUS:  NAS-IP-Address      [4]   6   192.168.254.37
    Jan 29 10:58:57.054: RADIUS(0000001D): Started 4 sec timeout
    Jan 29 10:58:57.054: RADIUS: Received from id 1645/53 192.168.254.51:1645, Access-Challenge, len 95
    Jan 29 10:58:57.054: RADIUS:  authenticator D9 62 B7 27 8F 55 E9 88 - 41 01 D0 83 52 DF 36 29
    Jan 29 10:58:57.054: RADIUS:  State               [24]  30
    Jan 29 10:58:57.054: RADIUS:   32 35 53 65 73 73 69 6F 6E 49 44 3D 41 43 53 2F  [25SessionID=ACS/]
    Jan 29 10:58:57.063: RADIUS:   38 35 36 37 30 35 31 38 2F 33 33 3B      [ 85670518/33;]
    Jan 29 10:58:57.063: RADIUS:  EAP-Message         [79]  27
    Jan 29 10:58:57.063: RADIUS:   01 52 00 19 04 10 AA 6A A2 BC 63 1A C0 93 B8 58 67 F7 1A A5 FD 45 41 43 53         [ RjcXgEACS]
    Jan 29 10:58:57.063: RADIUS:  Message-Authenticato[80]  18
    Jan 29 10:58:57.063: RADIUS:   29 D2 66 87 4A 2F B3 9E B5 EC F9 4E 9F 62 82 5E           [ )fJ/Nb^]
    Jan 29 10:58:57.063: RADIUS(0000001D): Received from id 1645/53
    Jan 29 10:58:57.063: RADIUS/DECODE: EAP-Message fragments, 25, total 25 bytes
    Jan 29 10:58:57.079: AAA/AUTHEN/8021X (0000001D): Pick method list 'default'
    Jan 29 10:58:57.079: RADIUS/ENCODE(0000001D):Orig. component type = DOT1X
    Jan 29 10:58:57.079: RADIUS(0000001D): Config NAS IP: 192.168.254.37
    Jan 29 10:58:57.079: RADIUS/ENCODE(0000001D): acct_session_id: 54
    Jan 29 10:58:57.079: RADIUS(0000001D): sending
    Jan 29 10:58:57.079: RADIUS(0000001D): Send Access-Request to 192.168.254.51:1645 id 1645/54, len 284
    Jan 29 10:58:57.079: RADIUS:  authenticator 91 F4 7C C1 4E 79 27 AB - 2F 36 20 A8 9C 3F A9 76
    Jan 29 10:58:57.079: RADIUS:  User-Name           [1]   26  "CP-7942G-SEP001D452D53E0"
    Jan 29 10:58:57.088: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Jan 29 10:58:57.088: RADIUS:  Framed-MTU          [12]  6   1500
    Jan 29 10:58:57.088: RADIUS:  Called-Station-Id   [30]  19  "30-37-A6-AB-8E-90"
    Jan 29 10:58:57.088: RADIUS:  Calling-Station-Id  [31]  19  "00-1D-45-2D-53-E0"
    Jan 29 10:58:57.088: RADIUS:  EAP-Message         [79]  48
    Jan 29 10:58:57.088: RADIUS:   02 52 00 2E 04 10 45 2F B1 FC 60 CF 09 08 7B C4 F9 56 74 AF 44 E9 43 50 2D 37 39 34 32  [R.E/`{VtDCP-7942]
    Jan 29 10:58:57.088: RADIUS:   47 2D 53 45 50 30 30 31 44 34 35 32 44 35 33 45  [G-SEP001D452D53E]
    Jan 29 10:58:57.088: RADIUS:   30                 [ 0]
    Jan 29 10:58:57.088: RADIUS:  Message-Authenticato[80]  18
    Jan 29 10:58:57.088: RADIUS:   45 42 58 9F 75 14 09 A1 FC DD CD 26 B4 88 42 CF            [ EBXu&B]
    Jan 29 10:58:57.088: RADIUS:  EAP-Key-Name        [102] 2   *
    Jan 29 10:58:57.088: RADIUS:  Vendor, Cisco       [26]  49
    Jan 29 10:58:57.088: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A8FE2500000018002FB1D0"
    Jan 29 10:58:57.088: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
    Jan 29 10:58:57.088: RADIUS:  NAS-Port            [5]   6   50116
    Jan 29 10:58:57.088: RADIUS:  NAS-Port-Id         [87]  23  "GigabitEthernet1/0/16"
    Jan 29 10:58:57.088: RADIUS:  State               [24]  30
    Jan 29 10:58:57.088: RADIUS:   32 35 53 65 73 73 69 6F 6E 49 44 3D 41 43 53 2F  [25SessionID=ACS/]
    Jan 29 10:58:57.088: RADIUS:   38 35 36 37 30 35 31 38 2F 33 33 3B      [ 85670518/33;]
    Jan 29 10:58:57.088: RADIUS:  NAS-IP-Address      [4]   6   192.168.254.37
    Jan 29 10:58:57.088: RADIUS(0000001D): Started 4 sec timeout
    Jan 29 10:58:57.222: RADIUS: Received from id 1645/54 192.168.254.51:1645, Access-Accept, len 126
    Jan 29 10:58:57.222: RADIUS:  authenticator 7B A5 E0 B2 D6 15 90 26 - 8F 8F 64 B0 E6 94 D8 C7
    Jan 29 10:58:57.222: RADIUS:  User-Name           [1]   26  "CP-7942G-SEP001D452D53E0"
    Jan 29 10:58:57.222: RADIUS:  Class               [25]  22
    Jan 29 10:58:57.222: RADIUS:   43 41 43 53 3A 41 43 53 2F 38 35 36 37 30 35 31  [CACS:ACS/8567051]
    Jan 29 10:58:57.222: RADIUS:   38 2F 33 33              [ 8/33]
    Jan 29 10:58:57.222: RADIUS:  EAP-Message         [79]  6
    Jan 29 10:58:57.222: RADIUS:   03 52 00 04                 [ R]
    Jan 29 10:58:57.222: RADIUS:  Message-Authenticato[80]  18
    Jan 29 10:58:57.222: RADIUS:   E8 2E 9B FD C2 A8 D7 5E 86 DD 3C 67 FF 37 75 02            [ .^
    Jan 29 10:58:57.222: RADIUS:  Vendor, Cisco       [26]  34
    Jan 29 10:58:57.222: RADIUS:   Cisco AVpair       [1]   28  "device-traffic-class=voice"
    Jan 29 10:58:57.222: RADIUS(0000001D): Received from id 1645/54
    Jan 29 10:58:57.222: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
    Jan 29 10:58:57.222: AAA/AUTHOR (0000001D): Method list id=0 not configured. Skip author
    Jan 29 10:58:57.222: %DOT1X-5-SUCCESS: Authentication successful for client (001d.452d.53e0) on Interface Gi1/0/16 AuditSessionID
    Jan 29 10:58:57.222: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (001d.452d.53e0) on Interface Gi1/0/16 AuditSessionID C0A8FE2500000018002FB1D0
    Jan 29 10:58:57.239: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up
    Jan 29 10:58:58.262: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001d.452d.53e0) on Interface Gi1/0/16 AuditSessionID C0A8FE2500000018002FB1D0
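
Added example (not part of the original posts): a Python sketch that reads IOS RADIUS/AAA debug output in the format shown above and reports every Access-Accept whose Cisco AV pairs arrived for a session where the switch logged `AAA/AUTHOR ... Skip author`. IOS applies RADIUS authorization attributes only when a network authorization method list is configured, which is the combination visible in this debug: the voice AV pair is received while the session stays in the DATA domain. The function names are my own, and the sample is trimmed from the debug lines in the post.

```python
import re

# Trimmed from the debug output in the post above (wrapped lines joined).
SAMPLE = """\
Jan 29 10:58:57.079: RADIUS(0000001D): Send Access-Request to 192.168.254.51:1645 id 1645/54, len 284
Jan 29 10:58:57.088: RADIUS:  User-Name           [1]   26  "CP-7942G-SEP001D452D53E0"
Jan 29 10:58:57.088: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A8FE2500000018002FB1D0"
Jan 29 10:58:57.222: RADIUS: Received from id 1645/54 192.168.254.51:1645, Access-Accept, len 126
Jan 29 10:58:57.222: RADIUS:  User-Name           [1]   26  "CP-7942G-SEP001D452D53E0"
Jan 29 10:58:57.222: RADIUS:   Cisco AVpair       [1]   28  "device-traffic-class=voice"
Jan 29 10:58:57.222: RADIUS(0000001D): Received from id 1645/54
Jan 29 10:58:57.222: AAA/AUTHOR (0000001D): Method list id=0 not configured. Skip author
Jan 29 10:58:57.222: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (001d.452d.53e0) on Interface Gi1/0/16 AuditSessionID C0A8FE2500000018002FB1D0
"""

# Timestamp prefix such as "Jan 29 10:58:57.222: " (an optional leading "*" is tolerated).
TS = r"^\s*\*?\w{3}\s+\d+\s+[\d:.]+:\s+"
SEND = re.compile(TS + r"RADIUS\((\w+)\): Send (\S+) to (\S+) id (\S+), len \d+")
RECV = re.compile(TS + r"RADIUS: Received from id (\S+) (\S+), (\S+), len \d+")
# Attribute line: name, [type], length, optional value. Hex-dump lines do not match.
ATTR = re.compile(TS + r"RADIUS:\s+(.+?)\s*\[(\d+)\]\s+\d+(?:\s+(.*\S))?\s*$")
SKIP = re.compile(TS + r"AAA/AUTHOR \((\w+)\): Method list id=\d+ not configured\. Skip author")


def parse_debug(text):
    """Return (packets, skipped_handles) parsed from the debug text."""
    packets, id_to_handle, skipped, cur = [], {}, set(), None
    for line in text.splitlines():
        if m := SEND.match(line):
            handle, code, peer, rid = m.groups()
            id_to_handle[rid] = handle  # remember which AAA session owns this RADIUS id
            cur = {"dir": "tx", "code": code, "peer": peer, "id": rid,
                   "handle": handle, "attrs": []}
            packets.append(cur)
        elif m := RECV.match(line):
            rid, peer, code = m.groups()
            cur = {"dir": "rx", "code": code, "peer": peer, "id": rid,
                   "handle": id_to_handle.get(rid), "attrs": []}
            packets.append(cur)
        elif m := SKIP.match(line):
            skipped.add(m.group(1))  # authorization was not run for this session
        elif cur is not None and (m := ATTR.match(line)):
            name, _type, value = m.groups()
            cur["attrs"].append((name.strip(), (value or "").strip('"')))
    return packets, skipped


def unapplied_authz(text):
    """List Access-Accepts whose AV pairs were received but authorization was skipped."""
    packets, skipped = parse_debug(text)
    findings = []
    for p in packets:
        if p["dir"] != "rx" or p["code"] != "Access-Accept":
            continue
        if p["handle"] not in skipped:
            continue
        avpairs = [v for n, v in p["attrs"] if n == "Cisco AVpair"]
        if avpairs:
            user = next((v for n, v in p["attrs"] if n == "User-Name"), None)
            findings.append({"handle": p["handle"], "user": user,
                             "server": p["peer"], "ignored_avpairs": avpairs})
    return findings


if __name__ == "__main__":
    for finding in unapplied_authz(SAMPLE):
        print(finding)
```
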

  • ISE 1.1.1 (Fallback to local Vlan if radius server is found to be dead) not working

    We have configured the following commands on the switch to fall back to a local VLAN if both RADIUS servers (policy personas) are found dead. For test purposes we shut down both servers (policy personas) but fallback didn't work. We have a 3750 switch running image 12.2(55)SE6 with the following configuration.
    We do not know whether we configured the switch properly or whether we need to modify it.
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting update periodic 5
    aaa accounting auth-proxy default start-stop group radius
    aaa accounting dot1x default start-stop group radius
    aaa accounting system default start-stop group radius
    aaa server radius dynamic-author
    client 10.10.10.10 server-key 7 12345678 (Policy Persona 1)
    client 10.10.10.11 server-key 7 12345678 (Policy Persona 2)
    server-key 7 12345678
    ip device tracking
    epm logging
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 30 tries 3
    radius-server host 10.10.10.10 auth-port 1812 acct-port 1813 key 7 12345678 (Policy Persona 1)
    radius-server host 10.10.10.11 auth-port 1812 acct-port 1813 key 7 12345678 (Policy Persona 2)
    radius-server vsa send accounting
    radius-server vsa send authentication
    Port Configuration
    interface GigabitEthernet0/1
    switchport access vlan 305
    switchport mode access
    ip access-group ACL-DEFAULT in
    authentication event fail action next-method
    authentication event server dead action reinitialize vlan 305
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication open
    authentication order mab dot1x
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 10
    spanning-tree portfast
    Please help....
    Thanks

    Tabish-
    The pre-auth ACL that you have on your port is used for what's called a "Low-Impact" mode type of setup. With Low-Impact mode you are allowing services defined in the pre-auth ACL until the user/device is authenticated. Once authenticated, the pre-auth ACL gets replaced with the dACL/authorization policy that you have defined in the authorization profile. As a result, it is not possible to use "fail-open" configuration with low-impact as there is nothing to replace that pre-auth ACL since your NAD device(s) are unavailable.
    If you want to use the "fail-open" features you will have to use the "High Security/Closed Mode." In that mode you cannot utilize the pre-auth ACL and essentially only EAPoL traffic is allowed on the port until authenticated.
    For more info you should reference the TrustSec design guide located at:
    http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html

  • WPA2-Enterprise + EAP (PEAP) and 802.1x to authenticate to RADIUS server NPS

    I need to connect my iPhone and my iPad to the corporate wireless network using WPA2-Enterprise and 802.1x to authenticate against a RADIUS server with my corporate user. What is the procedure to configure the clients? Certificates is not necessary on the client. Radius server is a NPS of Microsoft and the WLC is a 5508 of Cisco.
    thanks !!!

    WPA and WPA2 are all actually interim protocols that are used until the standardization of the IEEE 802.11i standard. The Wi-Fi Alliance decided that ratification and standardization of the 802.11i standard will take more time. So, they came up with WPA.
    Now, WPA2 is an advanced version of WPA. WPA2 uses AES as its encryption algorithm, whereas WPA uses TKIP as its encryption mode, which in turn uses the RC4 encryption algorithm.
    WPA and WPA2 are each of 2 types.
    WPA/WPA2-PSK - This is mainly for small offices. This uses a Pre-Shared Key for authentication.
    WPA/WPA2-Enterprise - This uses a RADIUS server for authentication. This is an extension to 802.1x authentication. But this uses a stronger encryption scheme (WPA uses RC4 and WPA2 uses AES).
    Any authentication mechanism that involves a separate authentication server for authentication, like an ACS server, is called 802.1x authentication.
    EAP stands for Extensible Authentication Protocol. It refers to the type or method of 802.1x authentication by the RADIUS/TACACS server. A RADIUS server can authenticate a wireless client with various EAP methods.
    LEAP is one type of EAP. It uses username and password for authenticating wireless clients. LEAP is Cisco proprietary.
    There are also EAP types which use other user credentials like certificates, SIM etc. for authentication.
    The following document might clarify your doubts.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_q_and_a_item09186a00805e8297.shtml

  • New command for radius-server source-ports

    I am trying to find the new command for radius-server source-ports 1645-1646 since it appears to be deprecated. We use TACACS so we do not have the RADIUS server specified but we do need to put in the ports. Can someone please tell me the new command for radius-server source-ports?
    Thanks

    Both of the links that Peter posted are interesting and helpful. I would like to take a slightly different approach in answering your question.
    In every version of IOS there are certain commands that get inserted into running-config when a particular feature is activated. It looks like in your version the radius-server source-ports is one of those commands. I do not think it is anything that you should be concerned about.
    And I do not believe that having the radius-server source-ports command would prevent TACACS from working. I believe that there is likely to be some fault in your configuration. If you would post the aaa parts of the config then maybe we could see what the problem is.
    In my experience configuring aaa, some of the common problems include not correctly identifying the TACACS server, not having exactly the same key configured on the Cisco device and the TACACS server, not having connectivity to the TACACS server (can the Cisco device ping the server, and can the server ping the device), or errors in the authentication or authorization parameters specified.
    Post some information and we will see what we can do.
    HTH
    Rick

  • Cisco ISE with both internal and External RADIUS Server

    Hi
    I have ISE 1.2. I configured it as management, monitor and PSN and it works fine.
    I would like to know if I can integrate an external RADIUS server and work with both internal and external RADIUS servers simultaneously,
    so some computers (groupe_A in Active Directory) will continue to do RADIUS authentication on the ISE internal RADIUS and other computers (groupe_B in Active Directory) will do RADIUS authentication on an external RADIUS server.
    I would like to know if it is possible to configure it and how I can do it.
    Thanks in advance for your help
    Regards
    Blaise

    Cisco ISE can function both as a RADIUS server and as a RADIUS proxy server. When it acts as a proxy server, Cisco ISE receives authentication and accounting requests from the network access server (NAS) and forwards them to the external RADIUS server. Cisco ISE accepts the results of the requests and returns them to the NAS.
    Cisco ISE can simultaneously act as a proxy server to multiple external RADIUS servers. You can use the external RADIUS servers that you configure here in RADIUS server sequences. The External RADIUS Server page lists all the external RADIUS servers that you have defined in Cisco ISE. You can use the filter option to search for specific RADIUS servers based on the name or description, or both. In both simple and rule-based authentication policies, you can use the RADIUS server sequences to proxy the requests to a RADIUS server.
    The RADIUS server sequence strips the domain name from the RADIUS-Username attribute for RADIUS authentications. This domain stripping is not applicable for EAP authentications, which use the EAP-Identity attribute. The RADIUS proxy server obtains the username from the RADIUS-Username attribute and strips it from the character that you specify when you configure the RADIUS server sequence. For EAP authentications, the RADIUS proxy server obtains the username from the EAP-Identity attribute. EAP authentications that use the RADIUS server sequence will succeed only if the EAP-Identity and RADIUS-Username values are the same.

  • WPA with 802.1x authentication

    Hi experts,
    I need clarification in a fundamental concept.
    Is it possible to configure WPA with 802.1x authentication without external AAA / ACS server.
    If the username and password is configured in local device, is it possible to create 802.1x authentication without RADIUS server
    Thanks in advance
    regards,RB

    You can't do 802.1x without RADIUS. But you can use Local EAP on an Autonomous AP or on a LAP Controller. They can both act as RADIUS servers. Here's an example config for an autonomous AP:
    aaa group server radius rad_eap
    server 192.168.0.1 auth-port 1812 acct-port 1813
    aaa authentication login eap_methods group rad_eap
    dot11 ssid ccie
    authentication open eap eap_methods
    authentication network-eap eap_methods
    guest-mode
    radius-server local
    nas 192.168.0.1 key cisco
    user test password test
    radius-server host 192.168.0.1 auth-port 1812 acct-port 1813 key cisco
    LAP Controller local EAP is configurable through GUI

  • WLC 5508 and Microsoft Radius Server 2008

    Hi, I am trying to set up a WLC 5508 for a customer who wants to use MS NPS for RADIUS authentication, however there aren't many good documents showing how to configure the MS NPS.
    I have a couple of questions:
    1. Does WLC 5508 support MS NPS on Server 2008 R2?
    2. Are there any good documents showing how to configure this?
    Thanks

    Hadisharifi,
    There is no single document that we can pick for configuring WLC and NPS. However, you may visit the below listed document for NPS and WLC side configuration:
    Configure the WLC for RADIUS Authentication through an External RADIUS Server
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml#c2
    For the NPS side configuration, you may consider the attached document.
    Regds,
    JK
    Do rate helpful posts-

  • Problems w/config AP1200 - WPA Enterprise/Local RADIUS Server

    I have been attempting to reconfigure a AP1200 in our lab environment from using static WEP keys to WPA/TKIP. I can make the solution work with WPA-PSK, but not enterprise. I believe I have everything configured correctly but cannot "validate identity" on the client. Below are the details to my configuration.
    SSID: labssid (Open authentication with EAP)
    Cipher: TKIP
    Key management: Mandatory (WPA)
    I have a Cisco ACS server but am attempting to get this running initially using the local RADIUS server on the Access Point. I have a user defined locally called "test" with a password of "test".
    I am using an IBM ThinkPad T43 with the built-in wireless (Intel PRO/Wireless 2915ABG NIC) for testing. I have the "Use Windows to configure my wireless network settings" checked so I am using the inherent Windows configuration screens. However, I have also attempted to use the IBM NIC configuration utility and receive the same failures. I have the client device configured as follows:
    1. Network authentication: WPA
    2. Data encryption: TKIP
    3. Authentication: Protected EAP (PEAP) (only option other than smartcard, cert.)
    3a. (PROPERTIES) - AuthMethod: Secured Password (EAP-MSCHAP v2)
    4. Authenticate as computer when computer information is avail (UNCHECKED)
    5. Authenticate as guest when user or computer is unavailable (UNCHECKED)
    When I attempt to provide my test/test credentials the Access Point logs the following:
    Station 0016.6f77.9ccd Authentication failed
    When I look at the Local RADIUS server stats, for each authentication failure the following stat is recorded:
    "Unknown EAP Type"
    If I try to authenticate 5 times, there will be 5 Unknown EAP Type stats logged.
    What am I missing?

    I didn't realize the local RADIUS couldn't do PEAP. That makes sense now, as in testing I decided to point the AP at my ACS server and was able to authenticate. I'm having an issue authenticating at times because it seems the AP loses its connection TO the ACS server. The Access Point logs the following:
    1. Station 0016.6f77.9ccd Authentication failed
    2. RADIUS server 192.168.102.82:1645,1646 has returned.
    3. RADIUS server 192.168.102.82:1645,1646 is not responding.
    The "not responding" and "returned" logs are recorded at the exact same time period. In my most recent case, it was "Aug 31 18:19:36.981". Both have that time stamp. It's as if the AP loses some heartbeat to the RADIUS server and doesn't check to see if it's alive until a certain interval. When I'm not able to authenticate, if I log into the ACS and manually "restart" the services through the GUI, I authenticate right away. I'm thinking this is an ACS issue not an AP issue, but am wondering if anyone else has ever noticed this behavior.

  • WLC Radius Server Load Balance

    Hi,
    Can someone provide me detailed description on how WLC Radius Server Load balance works.
    Because I encountered a problem where a user authenticated with the 1st RADIUS server, but the accounting records are actually on the 2nd server.
    Any response will be very appreciated
    -Angela

    Hi Angela,
    I pasted below the part of config guide explaining the different modes. In summary :
    -Fallback off means : when 1st radius server shows dead, WLC moves to the second. And will only change again when the 2nd is dead too.
    -Passive means : when 1st radius is dead, WLC moves to the second. If there is a new authentication coming in, it will try the 1st radius server again
    -Active means : WLC constantly sends radius probes to detect when primary is back up.
    config radius fallback-test mode {off | passive | active}
    where
    •off disables RADIUS server fallback.
    •passive causes the controller to revert to a server with a lower priority from the available backup servers without using extraneous probe messages. The controller simply ignores all inactive servers for a time period and retries later when a RADIUS message needs to be sent.
    •active causes the controller to revert to a server with a lower priority from the available backup servers by using RADIUS probe messages to proactively determine whether a server that has been marked inactive is back online. The controller simply ignores all inactive servers for all active RADIUS requests. Once the primary server receives a response from the recovered ACS server, the active fallback RADIUS server no longer sends probe messages to the server requesting the active probe authentication.

  • WLC 5508 Radius Server

    what is the authentication list precedence for radius authentication?
    global list       network user checkbox
    per wlan        aaa server add
    global list       network user uncheck
    I have 3 radius servers, 2 of which are used for global authentication (all APs are hreap) and a 3rd one used only for 1 site. When the first 2 radius servers fail the wlc uses the 3rd one, but the 3rd only has a database for 1 site's users.
    Do I need to uncheck the network user checkbox on the 3rd radius and create a hreap group, then associate the 3rd one? I don't want the 3rd radius to be available to the global list so that it is taken as a normal global radius. Any comments?

    Osvaldo,
    Your observation is correct and this should be documented on the WLC help tab if you search for keyword network user under radius auth.
    Quote:
    Network User—Network user authentication check box. If this option is enabled, this entry is considered as the network user RADIUS authenticating server entry. If you did not set the RADIUS server entry on the WLAN configuration (WLANs > Edit > Security > AAA Servers), you must enable this option for network users.
    Management—Management authentication check box. If this option is enabled, this entry is considered as the management RADIUS authenticating server entry. If you enable this option, authentication requests go to the RADIUS server
    AAA server defined on WLAN takes precedence over global.

  • Cisco aironet 2600 series AP configuration with windows 2008 R2 Radius server.

    I want to know the configuration of Cisco aironet 2600 series AP with windows 2008 R2 Radius server.  
    I have
    1. AD & DHCP Server
    2. Cisco Aironet 2600 Access Point.
    I want to connect wifi devices through this AP. Authentication should be through Radius server and AD.

    Hi , 
    Below link should support your requirement 
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/116584-configure-wirelesslan-00.html
    Minimal command : -
    AP(config)# aaa new-model
     AP(config)# radius-server host 172.20.0.1 auth-port 1645 acct-port 1645 key XXXXXX
     AP(config)# radius-server deadtime 10
    HTH
    Sandy

  • VPN Tunnel w/ 802.1X port authentication against remote RADIUS server

    I have a Cisco 892 set up as a VPN client connecting to an ASA 5515-X.  The tunnel works fine and comes up if there's correct traffic.  I have two RADIUS servers I want to use certificate based authentication to, that are located behind the ASA 5515-X.
    If I connect a computer that has the correct certificates to ports FA0 through 3, authentication won't work.  I'll see the following.  This happens even if the VPN tunnel is established already by doing something such as connecting a VOIP phone.  No entries are located in the RADIUS logs, and I also cannot ping the RADIUS servers from VLAN10.
    *Jan 30 19:46:01.435: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.1.100:1812,1813 is not responding.
    *Jan 30 19:46:01.435: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.1.100:1812,1813 is being marked alive.
    *Jan 30 19:46:21.659: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.26.10:1812,1813 is not responding.
    *Jan 30 19:46:21.659: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.26.10:1812,1813 is being marked alive.
    If I connect a second PC to an interface with 802.1X disabled, such as FA6, the VPN tunnel will establish itself correctly.  In this situation, I can ping the RADIUS servers from VLAN10.  If I go ahead and connect another PC with correct certificates to a port with 802.1X enabled such as port FA0 through 3, then 802.1X will succeed.
    Current configuration : 6199 bytes
    ! Last configuration change at 15:40:11 EST Mon Feb 3 2014 by
    version 15.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname router1
    boot-start-marker
    boot-end-marker
    aaa new-model
    aaa local authentication default authorization default
    aaa authentication login default local
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa session-id common
    clock timezone EST -5 0
    clock summer-time EDT recurring
    ip cef
    ip dhcp pool pool
    import all
    network 192.168.28.0 255.255.255.248
    bootfile PXEboot.com
    default-router 192.168.28.1
    dns-server 192.168.26.10 192.168.1.100 8.8.8.8 4.2.2.2
    domain-name domain.local
    option 66 ip 192.168.23.10
    option 67 ascii PXEboot.com
    option 150 ip 192.168.23.10
    lease 0 2
    ip dhcp pool phonepool
    network 192.168.28.128 255.255.255.248
    default-router 192.168.28.129
    dns-server 192.168.26.10 192.168.1.100
    option 150 ip 192.168.1.132
    domain-name domain.local
    lease 0 2
    ip dhcp pool guestpool
    network 10.254.0.0 255.255.255.0
    dns-server 8.8.8.8 4.2.2.2
    domain-name local
    default-router 10.254.0.1
    lease 0 2
    no ip domain lookup
    ip domain name remote.domain.local
    no ipv6 cef
    multilink bundle-name authenticated
    license udi pid CISCO892-K9
    dot1x system-auth-control
    username somebody privilege 15 password 0 password
    redundancy
    crypto isakmp policy 1
    encr aes 256
    authentication pre-share
    group 5
    crypto isakmp key secretpassword address 123.123.123.123
    crypto ipsec transform-set pix-set esp-aes 256 esp-sha-hmac
    mode tunnel
    crypto map pix 10 ipsec-isakmp
    set peer 123.123.123.123
    set transform-set pix-set
    match address 110
    interface BRI0
    no ip address
    encapsulation hdlc
    shutdown
    isdn termination multidrop
    interface FastEthernet0
    switchport access vlan 10
    switchport voice vlan 11
    no ip address
    authentication port-control auto
    dot1x pae authenticator
    spanning-tree portfast
    interface FastEthernet1
    switchport access vlan 10
    switchport voice vlan 11
    no ip address
    authentication port-control auto
    dot1x pae authenticator
    spanning-tree portfast
    interface FastEthernet2
    switchport access vlan 10
    switchport voice vlan 11
    no ip address
    authentication port-control auto
    dot1x pae authenticator
    spanning-tree portfast
    interface FastEthernet3
    switchport access vlan 10
    switchport voice vlan 11
    no ip address
    authentication port-control auto
    dot1x pae authenticator
    spanning-tree portfast
    interface FastEthernet4
    switchport access vlan 10
    switchport voice vlan 11
    no ip address
    spanning-tree portfast
    interface FastEthernet5
    switchport access vlan 12
    switchport voice vlan 11
    no ip address
    spanning-tree portfast
    interface FastEthernet6
    switchport access vlan 10
    switchport voice vlan 11
    no ip address
    spanning-tree portfast
    interface FastEthernet7
    switchport access vlan 10
    switchport voice vlan 11
    no ip address
    authentication port-control auto
    dot1x pae authenticator
    spanning-tree portfast
    interface FastEthernet8
    no ip address
    shutdown
    duplex auto
    speed auto
    interface GigabitEthernet0
    ip address dhcp
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map pix
    interface Vlan1
    no ip address
    interface Vlan10
    ip address 192.168.28.1 255.255.255.248
    ip nat inside
    ip virtual-reassembly in
    interface Vlan11
    ip address 192.168.28.129 255.255.255.248
    interface Vlan12
    ip address 10.254.0.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    ip nat inside source list 101 interface GigabitEthernet0 overload
    ip route 0.0.0.0 0.0.0.0 dhcp
    ip radius source-interface Vlan10
    ip sla auto discovery
    access-list 101 deny   ip 192.168.28.0 0.0.0.255 192.168.0.0 0.0.255.255
    access-list 101 permit ip 192.168.28.0 0.0.0.255 any
    access-list 101 permit ip 10.254.0.0 0.0.0.255 any
    access-list 110 permit ip 192.168.28.0 0.0.0.255 192.168.0.0 0.0.255.255
    access-list 110 permit ip 192.168.29.0 0.0.0.255 192.168.0.0 0.0.255.255
    radius-server host 192.168.1.100 auth-port 1812 acct-port 1813 key secretkey
    radius-server host 192.168.26.10 auth-port 1812 acct-port 1813 key secretkey
    control-plane
    mgcp profile default
    line con 0
    line aux 0
    line vty 0 4
    transport input all
    ntp source FastEthernet0
    ntp server 192.168.26.10
    ntp server 192.168.1.100
    end

    I have 802.1X certificate authentication enabled on the computers.  As described in my post above, authentication will work if there's another device on the same VLAN that is connected to a port that bypasses authentication.  It seems like I have a chicken and egg scenario, a device needs to be successfully connected to VLAN10 before the router will use its VLAN10 interface to communicate with my remote RADIUS server.
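
As an added example (not code from any poster in this thread), this Python script parses the `%RADIUS-4-RADIUS_DEAD` / `RADIUS_ALIVE` messages quoted in the post above and reports servers that were marked dead and alive again within one second, plus whether every server in the log went dead together. The function names, the one-second flap window and the 60-second shared-outage window are assumptions chosen for illustration.

```python
import re
from datetime import datetime

# The four log lines from the post above, verbatim.
PAGE_LOG = """\
*Jan 30 19:46:01.435: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.1.100:1812,1813 is not responding.
*Jan 30 19:46:01.435: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.1.100:1812,1813 is being marked alive.
*Jan 30 19:46:21.659: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.26.10:1812,1813 is not responding.
*Jan 30 19:46:21.659: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.26.10:1812,1813 is being marked alive.
"""
LINE_RE = re.compile(
    r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d)(?:\.(?P<frac>\d{1,6}))?: "
    r"%RADIUS-4-RADIUS_(?P<state>DEAD|ALIVE): RADIUS server (?P<server>[\d.]+):\d+,\d+"
)
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

def parse_events(text):
    """Return [(datetime, state, server)] in time order; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        h, mi, s = (int(x) for x in m["hms"].split(":"))
        micro = int((m["frac"] or "0").ljust(6, "0"))
        # IOS timestamps carry no year; pin a leap year so Feb 29 is accepted.
        ts = datetime(2000, MONTHS.index(m["mon"]) + 1, int(m["day"]), h, mi, s, micro)
        events.append((ts, m["state"], m["server"]))
    return sorted(events, key=lambda e: e[0])  # stable: same-timestamp order is kept

def summarize(events, flap_window=1.0):
    """Per server: DEAD count, DEAD->ALIVE flaps within flap_window seconds, current state."""
    stats, dead_since = {}, {}
    for ts, state, server in events:
        s = stats.setdefault(server, {"dead": 0, "flaps": 0, "down_now": False})
        if state == "DEAD":
            s["dead"] += 1
            s["down_now"] = True
            dead_since[server] = ts
            continue
        s["down_now"] = False
        started = dead_since.pop(server, None)
        if started is not None and (ts - started).total_seconds() <= flap_window:
            s["flaps"] += 1
    return stats

def shared_outage(events, window=60.0):
    """Heuristic: every server in the log (two or more) went DEAD within `window` seconds,
    which points at the path or source interface rather than at a single server."""
    servers = {e[2] for e in events}
    first_dead = {}
    for ts, state, server in events:
        if state == "DEAD":
            first_dead.setdefault(server, ts)
    if len(servers) < 2 or set(first_dead) != servers:
        return False
    times = sorted(first_dead.values())
    return (times[-1] - times[0]).total_seconds() <= window
```

When `flaps` equals `dead` for every server, as in the log above, no server was ever held out of rotation; `radius-server deadtime`, which appears in an earlier reply on this page, is the IOS setting for that hold time.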
