802.1x with ACS 4.2 (RADIUS) problem

HI all!
I am trying to configure AAA authentication and authorization with a Cisco 3725 (IOS 12.4(17)) for 802.1x and ACS 4.2 with VLAN assignment to my Windows XP client (trying to assign VLAN 100 in my scenario).
When the user connects to the router, it passes the authentication process (EAP-MD5). In my debug I see that the router receives the RADIUS attributes BUT does not apply anything!
My running config:
Building configuration...
Current configuration : 1736 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R4
boot-start-marker
boot-end-marker
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa session-id common
memory-size iomem 5
ip cef
no ip domain lookup
ip domain name lab.local
ip device tracking
dot1x system-auth-control
interface FastEthernet0/0
 ip address 10.10.0.253 255.255.255.0
 duplex auto
 speed auto
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
interface FastEthernet1/0
 dot1x port-control auto
interface FastEthernet1/1
interface FastEthernet1/2
interface FastEthernet1/3
interface FastEthernet1/4
interface FastEthernet1/5
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
interface Vlan100
 ip address 192.168.100.1 255.255.255.0
ip forward-protocol nd
no ip http server
no ip http secure-server
mac-address-table static 0800.27b1.b332 interface FastEthernet1/0 vlan 1
radius-server host 10.10.0.2 auth-port 1645 acct-port 1646 key cisco
radius-server vsa send accounting
radius-server vsa send authentication
My Radius debug information:
*Mar  1 00:21:31.487: RADIUS: Pick NAS IP for u=0x65BAF324 tableid=0 cfg_addr=0.0.0.0
*Mar  1 00:21:31.491: RADIUS: ustruct sharecount=2
*Mar  1 00:21:31.491: Radius: radius_port_info() success=1 radius_nas_port=1
*Mar  1 00:21:31.491: RADIUS: added cisco VSA 2 len 15 "FastEthernet1/0"
*Mar  1 00:21:31.491: RADIUS: Request contains 9 byte EAP-message
*Mar  1 00:21:31.491: RADIUS: Added 9 bytes of EAP data to request
*Mar  1 00:21:31.495: RADIUS/ENCODE: Best Local IP-Address 10.10.0.253 for Radius-Server 10.10.0.2
*Mar  1 00:21:31.507: RADIUS(00000000): Send Access-Request to 10.10.0.2:1645 id 1645/3, len 127
*Mar  1 00:21:31.511: RADIUS:  authenticator 36 68 24 30 F0 CC E8 3C - 69 48 61 E3 DA 28 52 AC
*Mar  1 00:21:31.511: RADIUS:  NAS-IP-Address      [4]   6   10.10.0.253
*Mar  1 00:21:31.511: RADIUS:  NAS-Port            [5]   6   0
*Mar  1 00:21:31.511: RADIUS:  Vendor, Cisco       [26]  23
*Mar  1 00:21:31.515: RADIUS:   cisco-nas-port     [2]   17  "FastEthernet1/0"
*Mar  1 00:21:31.515: RADIUS:  NAS-Port-Type       [61]  6   X75                       [9]
*Mar  1 00:21:31.515: RADIUS:  User-Name           [1]   6   "user"
*Mar  1 00:21:31.515: RADIUS:  Calling-Station-Id  [31]  19  "08-00-27-B1-B3-32"
*Mar  1 00:21:31.515: RADIUS:  Service-Type        [6]   6   Framed                    [2]
*Mar  1 00:21:31.515: RADIUS:  Framed-MTU          [12]  6   1500
*Mar  1 00:21:31.515: RADIUS:  EAP-Message         [79]  11
*Mar  1 00:21:31.515: RADIUS:   02 1D 00 09 01 75 73 65 72                       [?????user]
*Mar  1 00:21:31.515: RADIUS:  Message-Authenticato[80]  18
*Mar  1 00:21:31.515: RADIUS:   B1 8B 8F 4C F1 6D C9 A6 4E 96 B8 3D 53 E9 41 12  [???L?m??N??=S?A?]
*Mar  1 00:21:31.555: RADIUS: Received from id 1645/3 10.10.0.2:1645, Access-Challenge, len 93
*Mar  1 00:21:31.555: RADIUS:  authenticator DF 38 A1 1B ED 3C 1E B2 - 1A 92 6A D5 58 CE B8 4A
*Mar  1 00:21:31.555: RADIUS:  EAP-Message         [79]  28
*Mar  1 00:21:31.555: RADIUS:   01 1E 00 1A 04 10 BE BA B4 B0 26 9D 52 0E 43 BC  [??????????&?R?C?]
*Mar  1 00:21:31.555: RADIUS:   33 46 8E A8 C6 45 47 4E 53 33                    [3F???EGNS3]
*Mar  1 00:21:31.555: RADIUS:  State               [24]  27
*Mar  1 00:21:31.555: RADIUS:   45 41 50 3D 30 2E 31 66 66 2E 39 38 36 2E 31 3B  [EAP=0.1ff.986.1;]
*Mar  1 00:21:31.559: RADIUS:   53 56 43 3D 30 2E 31 35 3B                       [SVC=0.15;]
*Mar  1 00:21:31.559: RADIUS:  Message-Authenticato[80]  18
*Mar  1 00:21:31.559: RADIUS:   22 C8 D5 BB 44 FC FC 14 D3 2C C9 42 A3 9B A4 9E  ["???D????,?B????]
*Mar  1 00:21:31.563: RADIUS: Found 26 bytes of EAP data in reply (ofs 0)
*Mar  1 00:21:31.563: RADIUS: Received 26 byte EAP Message in reply
*Mar  1 00:21:31.587: RADIUS: Pick NAS IP for u=0x65BAF324 tableid=0 cfg_addr=0.0.0.0
*Mar  1 00:21:31.587: RADIUS: ustruct sharecount=1
*Mar  1 00:21:31.587: Radius: radius_port_info() success=1 radius_nas_port=1
*Mar  1 00:21:31.587: RADIUS: added cisco VSA 2 len 15 "FastEthernet1/0"
*Mar  1 00:21:31.591: RADIUS: Request contains 26 byte EAP-message
*Mar  1 00:21:31.591: RADIUS: Added 26 bytes of EAP data to request
*Mar  1 00:21:31.591: RADIUS/ENCODE: Best Local IP-Address 10.10.0.253 for Radius-Server 10.10.0.2
*Mar  1 00:21:31.591: RADIUS(00000000): Send Access-Request to 10.10.0.2:1645 id 1645/4, len 171
*Mar  1 00:21:31.591: RADIUS:  authenticator 0A A2 1F 7C 12 A8 AB F7 - 9F 87 C6 51 A4 0D EA A2
*Mar  1 00:21:31.595: RADIUS:  NAS-IP-Address      [4]   6   10.10.0.253
*Mar  1 00:21:31.595: RADIUS:  NAS-Port            [5]   6   0
*Mar  1 00:21:31.595: RADIUS:  Vendor, Cisco       [26]  23
*Mar  1 00:21:31.595: RADIUS:   cisco-nas-port     [2]   17  "FastEthernet1/0"
*Mar  1 00:21:31.595: RADIUS:  NAS-Port-Type       [61]  6   X75                       [9]
*Mar  1 00:21:31.595: RADIUS:  User-Name           [1]   6   "user"
*Mar  1 00:21:31.595: RADIUS:  Calling-Station-Id  [31]  19  "08-00-27-B1-B3-32"
*Mar  1 00:21:31.595: RADIUS:  Service-Type        [6]   6   Framed                    [2]
*Mar  1 00:21:31.595: RADIUS:  Framed-MTU          [12]  6   1500
*Mar  1 00:21:31.595: RADIUS:  State               [24]  27
*Mar  1 00:21:31.595: RADIUS:   45 41 50 3D 30 2E 31 66 66 2E 39 38 36 2E 31 3B  [EAP=0.1ff.986.1;]
*Mar  1 00:21:31.595: RADIUS:   53 56 43 3D 30 2E 31 35 3B                       [SVC=0.15;]
*Mar  1 00:21:31.595: RADIUS:  EAP-Message         [79]  28
*Mar  1 00:21:31.595: RADIUS:   02 1E 00 1A 04 10 AA 09 8E 39 DE 29 E4 CC C6 BC  [?????????9?)????]
*Mar  1 00:21:31.595: RADIUS:   7F 01 C8 47 EC 74 75 73 65 72                    [???G?tuser]
*Mar  1 00:21:31.595: RADIUS:  Message-Authenticato[80]  18
*Mar  1 00:21:31.595: RADIUS:   33 57 82 E2 5C 24 A2 8C 67 CC 0D 8C 25 12 74 13  [3W??\$??g?????t?]
*Mar  1 00:21:31.731: RADIUS: Received from id 1645/4 10.10.0.2:1645, Access-Accept, len 90
*Mar  1 00:21:31.731: RADIUS:  authenticator A0 0E DF D7 87 FD 9E B6 - BB 64 04 4F 56 2A 03 89
*Mar  1 00:21:31.735: RADIUS:  Framed-IP-Address   [8]   6   255.255.255.255
*Mar  1 00:21:31.735: RADIUS:  EAP-Message         [79]  6
*Mar  1 00:21:31.735: RADIUS:   03 1E 00 04                                      [????]
*Mar  1 00:21:31.735: RADIUS:  Tunnel-Type         [64]  6   01:VLAN                   [13]
*Mar  1 00:21:31.739: RADIUS:  Tunnel-Medium-Type  [65]  6   01:ALL_802                [6]
*Mar  1 00:21:31.739: RADIUS:  Tunnel-Private-Group[81]  6   01:"100"
*Mar  1 00:21:31.739: RADIUS:  Class               [25]  22
*Mar  1 00:21:31.739: RADIUS:   43 41 43 53 3A 30 2F 35 62 31 2F 61 30 61 30 30  [CACS:0/5b1/a0a00]
*Mar  1 00:21:31.739: RADIUS:   66 64 2F 30                                      [fd/0]
*Mar  1 00:21:31.739: RADIUS:  Message-Authenticato[80]  18
*Mar  1 00:21:31.739: RADIUS:   75 BC F2 E0 91 07 6C 12 4D 5C BB 50 A4 FD D3 26  [u?????l?M\?P???&]
*Mar  1 00:21:31.739: RADIUS: Found 4 bytes of EAP data in reply (ofs 0)
*Mar  1 00:21:31.739: RADIUS: Received 4 byte EAP Message in reply
As a result the vlan-switch database does not change.
Any help will be appreciated!
Thanks a lot,
Chelovekov Alexander

I've tried multiple ways to cope with this problem but nothing was helpful...
Tunnel-Medium-Type  [65]  6   01:ALL_802
I use only ACS RADIUS attributes and chose only what ACS allows me to choose (Tunnel-Medium-Type: 802).
Screenshot in attachment.
The same situation occurs when I try to use some Vendor Specific Attributes (Cisco-AV-Pair) - downloadable ACEs for my user, and again, I see RADIUS attributes in my debug but nothing is applied to my L3 switch.
What am I missing?
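An added example (my own, not code from the original post or from Cisco) that decodes an Access-Accept like the one in the debug above: it verifies the Response Authenticator with the shared secret, parses the RFC 2868 tagged tunnel attributes and reports a VLAN only when Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID agree under one tag. The packet is constructed from the values in the debug (Request Authenticator of id 1645/4, key cisco) with the Message-Authenticator attribute left out, so it is a model of the reply, not a capture of it.

```python
import hashlib
import struct

ACCESS_ACCEPT = 2
# Attribute types seen in the post's debug (RFC 2865 / RFC 2868).
FRAMED_IP_ADDRESS, CLASS, EAP_MESSAGE = 8, 25, 79
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6   # "VLAN" and "IEEE-802" (ACS shows "802")


def parse_attributes(data):
    """Split the attribute section into (type, value) pairs, rejecting malformed TLVs."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def tunnel_int(value):
    """Tunnel-Type / Tunnel-Medium-Type: one tag octet, then a 3-octet integer."""
    if len(value) != 4:
        raise ValueError("tunnel integer attribute must be 4 octets")
    return value[0], int.from_bytes(value[1:], "big")


def tunnel_string(value):
    """Tunnel-Private-Group-ID: a leading octet <= 0x1F is a tag, otherwise there is no tag."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:].decode("ascii")
    return 0, value.decode("ascii")


def verify_response(packet, request_authenticator, secret):
    """RFC 2865: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return expected == packet[4:20]


def vlan_assignment(packet, request_authenticator, secret):
    """Return the VLAN named by a verified Access-Accept, or None if the attribute set is incomplete."""
    if not verify_response(packet, request_authenticator, secret):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    if packet[0] != ACCESS_ACCEPT:
        return None
    groups = {}   # tag -> {attribute type: decoded value}
    for atype, value in parse_attributes(packet[20:]):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, num = tunnel_int(value)
            groups.setdefault(tag, {})[atype] = num
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            tag, name = tunnel_string(value)
            groups.setdefault(tag, {})[atype] = name
    # RFC 3580 section 3.31: the VLAN applies only when Tunnel-Type is VLAN(13),
    # Tunnel-Medium-Type is IEEE-802(6) and a Tunnel-Private-Group-ID is present (same tag here).
    for found in groups.values():
        if (found.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and found.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802
                and TUNNEL_PRIVATE_GROUP_ID in found):
            return found[TUNNEL_PRIVATE_GROUP_ID]
    return None


def attr(atype, value):
    """Encode one attribute TLV."""
    return bytes([atype, len(value) + 2]) + value


def build_accept(ident, request_authenticator, secret, attributes):
    """Assemble an Access-Accept with a valid Response Authenticator."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


# Constructed sample mirroring the post's Access-Accept (id 4, key "cisco"); Message-Authenticator omitted.
SECRET = b"cisco"
REQUEST_AUTH = bytes.fromhex("0AA21F7C12A8ABF79F87C651A40DEAA2")  # from the id 1645/4 request
SAMPLE_ACCEPT = build_accept(4, REQUEST_AUTH, SECRET, [
    attr(FRAMED_IP_ADDRESS, bytes([255, 255, 255, 255])),
    attr(EAP_MESSAGE, bytes.fromhex("031E0004")),                   # EAP-Success, id 0x1E
    attr(TUNNEL_TYPE, bytes([1, 0, 0, TUNNEL_TYPE_VLAN])),          # tag 1, VLAN
    attr(TUNNEL_MEDIUM_TYPE, bytes([1, 0, 0, TUNNEL_MEDIUM_802])),  # tag 1, IEEE-802
    attr(TUNNEL_PRIVATE_GROUP_ID, bytes([1]) + b"100"),             # tag 1, VLAN "100"
    attr(CLASS, b"CACS:0/5b1/a0a00fd/0"),
])
```

Calling vlan_assignment(SAMPLE_ACCEPT, REQUEST_AUTH, SECRET) returns "100"; running the same decoder over a real capture shows whether the ACS side sent a complete, consistently tagged VLAN triple before the NAS side is investigated.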

Similar Messages

  • 802.1x with ACS and Windows AD

    Hi
    I'm trying to setup 802.1x with ACS 5.2 but am struggling as it's very different to ACS 4.2.
    I have setup the ACS to be the domain and think I have set up the External Identity Store, however when I try to authenticate a PC using authentication method 'PEAP (EAP-MSCHAPv2)', I get a failure reason '22056 Subject not found in the applicable identity store'
    Marco

    Hi Marco,
    I guess you've missed a mapping configuration in the Access Policy section.
    Create an Access Service, name it AS-802.1x, select User Select Service Type and select Network Access. Select the Policy Structure Identity and Authorization. Select PEAP as allowed Protocol. Click Finish.
    You'll see the new service; click Identity.
    Select the identity source you've created, then save.
    Click on Authorization.
    Select a default authorization rule permit access and save.
    Create a Service Access Rule, name it 802.1x.
    Select Protocol Radius as Condition and as Compound Condition select RADIUS-IETF:Service-Type match Framed, then select the service you created before.
    Then you can try again.
    regards
    alex

  • 802.1x with ACS does not correctly work

    Hello
    I have here a WLAN setup with a WDS, some 40 access points, an ACS 4.1 server and a Windows Domain Controller which has the users configured.
    I have a group mapping in ACS configured which points to a small group in the ADS.
    The groupmapping in ACS points to a specific group in ACS.
    There I've configured the following:
    [009\001] cisco-av-pair
    - ssid=xx-200 (the name of the SSID the clients connect)
    [006] Service-Type
    - Login
    [007] Framed-Protocol
    - PPP
    [025] Class
    - OU=pers; (this is not the special group where those users are in, but they are also in this one)
    [064] Tunnel-Type
    - Tag 1 Value Vlan
    [065] Tunnel-Medium-Type
    - Tag 1 Value 802
    [081] Tunnel-Private-Group-ID
    - Tag 1 Value 200 (the Vlan in which they should go)
    The good thing is, authentication with username password works.
    The bad thing is, every user can authenticate and get into this SSID instead of only the users in the special group which points to this groupmapping.
    The other ADS groups also point to other ACS groups, but they don't have the above values ([009\001] cisco-av-pair, [064] Tunnel-Type, [065] Tunnel-Medium-Type, [081] Tunnel-Private-Group-ID) configured.
    The logfile from the ACS also shows that the wrong users are mapped into the correct group like they should, but they still get access.
    Here the WDS configuration:
    aaa group server radius RADIUS_GROUP_WDS_RADIOMANAGEMENT
     server 10.1.1.30 auth-port 1645 acct-port 1646
     server 10.1.2.30 auth-port 1645 acct-port 1646
    aaa authentication login METHOD_WDS_RADIOMANAGEMENT group RADIUS_GROUP_WDS_RADIOMANAGEMENT
    aaa authentication enable default enable
    aaa session-id common
    radius-server host 10.1.1.30 auth-port 1645 acct-port 1646 key 7 xxxx
    radius-server host 10.1.2.30 auth-port 1645 acct-port 1646 key 7 xxxx
    radius-server retransmit 2
    radius-server timeout 18
    radius-server deadtime 1
    radius-server vsa send accounting
    wlccp authentication-server infrastructure METHOD_WDS_RADIOMANAGEMENT
    wlccp authentication-server client any METHOD_WDS_RADIOMANAGEMENT
    ssid xx-200
    The accesspoint config:
    aaa authentication login METHOD_RAD_WDS_CLIENT group radius
    aaa authentication enable default enable
    aaa session-id common
    dot11 ssid xx-200
     vlan 200
     authentication open eap METHOD_RAD_WDS_CLIENT
     authentication network-eap METHOD_RAD_WDS_CLIENT
     authentication key-management wpa
    interface Dot11Radio0
     encryption vlan 200 mode ciphers aes-ccm
     broadcast-key vlan 200 change 60
     ssid xx-200
    interface Dot11Radio0.200
     description
     encapsulation dot1Q 200
     no ip route-cache
     no cdp enable
     bridge-group 200
     bridge-group 200 subscriber-loop-control
     bridge-group 200 block-unknown-source
     no bridge-group 200 source-learning
     no bridge-group 200 unicast-flooding
     bridge-group 200 spanning-disabled
    interface FastEthernet0.200
     description
     encapsulation dot1Q 200
     no ip route-cache
     bridge-group 200
     no bridge-group 200 source-learning
     bridge-group 200 spanning-disabled
    I hope you can find why any user can authenticate and not just the ones in the groupmapping which has the radius attributes configured.
    Thanks,
    pato

    I have finally found something to look into :/
    000619: Jan 18 16:50:11 A: RADIUS: AAA Unsupported Attr: ssid [263] 6
    000620: Jan 18 16:50:11 A: RADIUS: 48 53 52 2D [xxx-]
    000621: Jan 18 16:50:11 A: RADIUS: AAA Unsupported Attr: interface [156] 4
    000622: Jan 18 16:50:11 A: RADIUS: 32 35 [25]
    This is with various debugging active on the WDS. And this might be the reason why it doesn't work.

  • 802.1x with ACS 3.3 and windowsXP

    We are using RADIUS IETF in ACS and EAP MD5.
    My switch is a 2950 with these commands:
    radius-server host a.b.c.d
    radius-server key cisco
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    dot1x system-auth-control
    int fa 0/1
     dot1x port-control auto
    When we try to authenticate, this error appears: "CS user unknown" in ACS reports.
    Is there something that we forgot?
    Where do I configure the respective VLAN for the user when he authenticates?
    Thanks

    I'm using a 2950 and Cisco ACS. In my Windows XP, I did only this: "Enable IEEE 802.1x authentication for this network --> MD5 Challenge". I created one user in the ACS database and assigned the following IETF RADIUS attributes to this user:
    [64] Tunnel-Type = VLAN
    [65] Tunnel-Medium-Type = 802
    [81] Tunnel-Private-Group-Id = teste
    At my network icon appears: Authentication Fail
    See some debug message on my switch:
    03:09:14: dot1x-ev:Received AuthStart from Authenticator for supp_info=80D607DC
    03:09:14: dot1x-ev:Managed Timer in sub-block attached as leaf to master
    03:09:14: dot1x-ev:Going to Send Request to AAA Client on RP for id = 0 and length = 25
    03:09:14: dot1x-ev:Got a Request from SP to send it to Radius with id 7
    03:09:14: dot1x-ev:Couldn't Find a process thats already handling the request for this id 0
    03:09:14: dot1x-ev:Inserted the request on to list of pending requests
    03:09:14: dot1x-ev:Found a free slot at slot 0
    03:09:14: dot1x-ev:Found a free slot at slot 0
    03:09:14: dot1x-ev:Request id = 7 and length = 25
    03:09:14: dot1x-ev:The Interface on which we got this AAA Request is FastEthernet0/1
    03:09:14: dot1x-ev:Username is SMSTESTE\joe
    03:09:14: dot1x-ev:MAC Address is 0026.540f.5555
    03:09:14: dot1x-ev:MAC Address copied is 0026.540f.4c43
    03:09:15: dot1x-ev:dot1x_post_message_to_auth_sm: Skipping tx for req_id for default supplicant
    03:09:34: dot1x-err:EAP packet not recvd
    03:09:34: dot1x-ev:going to send to backend on SP, length = 4
    03:09:34: dot1x-ev:Received VLAN is No Vlan
    03:09:34: dot1x-ev:Enqueued the response to BackEnd
    03:09:34: dot1x-ev:Received QUEUE EVENT in response to AAA Request
    03:09:34: dot1x-ev:Dot1x matching request-response found
    03:09:34: dot1x-ev:Length of recv eap packet from radius = 4
    03:09:34: dot1x-ev:Received VLAN Id -1
    03:09:34: dot1x-ev:dot1x_bend_fail_enter:0026.540f.5555: Current ID=0
    Can you help me?
    Thanks,

  • 802.1X for wired environments using Radius/ACS for Dynamic Vlan Assignment

    Could someone please provide me with the simplest set of configuration steps to fire up RADIUS in ACS and 802.1X for dynamic VLAN assignment. The objective is to roll out NAC L2 OOB using the 802.1X method for dynamic VLAN assignments.
    If possible show:
    1. ACS/Radius Configurations.
    2. End User Switch Configurations
    Variables:
    Switch A
    MAC Address aaaa.bbbb.cccc     Vlan 10
                bbbb.cccc.dddd     Vlan 20
    Also, if someone posts the Pros and Cons of using Radius/ACS/802.1X for Dynamic Vlan Assignments.
    Other technology sets that can be used for Dynamic Vlan assignment EXCEPT from deprecated/obsolete VMPS.
    Thanks in advance.

    Hi Guys,
    Hmmm, well if you're just looking for MAC based authentication the good news is that it is very easy. Just create your RADIUS server: ACS, FreeRADIUS, Steel-Belted RADIUS etc. Then create a user with the name of the MAC address, in other words if the MAC address is 0012.0021.1122 the name would be 001200211122 and the password would be the MAC address. Then you set the VLAN and tunnel stuff, like so: Tunnel-Type would be VLAN, Tunnel-Medium-Type would be 802 and Tunnel-Private-Group-ID is the name of the VLAN (not the VLAN number).
    So for the Cisco ACS 4.x you would create a user as specified above, fill in all the password boxes with the MAC address; I believe the MAC has to be all lower case in the name and the password. Then check the Separate (CHAP/MS-CHAP/ARAP) box. Then you pick the group the machine belongs to; the group is the part that defines what VLAN it is on.
    Before you create the user, create the group with the info I wrote above and in addition specify the Service-Type as Authenticate Only.
    FreeRADIUS is a bit harder to configure the specifics and I am just now testing a FreeRADIUS server so I do not know the process for machine authentication.
    If, however, you are trying to authenticate a user, that gets a bit trickier and is not so straightforward.

  • 802.1x with AD support via ACS 4

    Hello ,
    I have been trying to configure 802.1x Authentication on a test switch. Authentication will be provided by the ACS server. This worked when I had the client set up for EAP-MD5 and had local user accounts on the ACS server. However this is impractical if we were to deploy this on a large scale. How can I configure 802.1X authentication to occur via the ACS with the ACS looking at the AD database? The trouble is AD does not support EAP-MD5. It supports PEAP but the problem I am having is "EAP-TLS or PEAP authentication failed during SSL handshake"
    Has anyone here setup 802.1x with AD integration via ACS 4.0 . Please help.
    Thanks.
    Karthik

    Hi Karthik,
    The SSL handshake will fail in our experience for any of the following reasons:
    - The supplicant cannot access the private key corresponding to its certificate - check that the system account has permissions over the private key found in c:\documents and settings\all users\application data\microsoft\crypto\rsa\machine keys
    - The ACS server does not trust the Root Certificate for the PKI that issued the supplicant's certificate - Is the supplicant's Root CA present in the ACS Certificate Trust List?
    - CRL checking is enabled and the CRL has expired or is inaccessible
    If you up the logging levels to full and examine the csauth log closely, you should get more detail as to the reason.
    Hope that helps
    Andy

  • WPA2 802.1x with MS RADIUS, LDAP, Clean Access

    We are in a multivendor environment using NAC and WCS. We would like to implement WPA2 Enterprise. We currently authenticate with LDAP to place users in proper roles.
    Not 100% sure on this.  As far as I know, it is not possible to implement 802.1x with LDAP.....so how could we use LDAP and a Radius server together in order to implement WPA2 Enterprise?  Is this possible?  Any documentation out there that I have yet to find explaining this?
    Any help would be appreciated.
    Thanks in advance,
    Ben

    Hi,
    Let's clarify all possibilities and you can choose one from there :-)
    1) the Wireless Controller (WLC) can act as radius server. The feature is called "local eap". So the WLC authenticates the client (wpa2 if you like).
    The WLC can use an LDAP database as user database. The only restrictions are that you cannot use "mschapv2" methods. So only peap-gtc, eap-fast-gtc and eap-tls. Of those 3, only eap-tls is present on the client default Windows supplicant.
    2) You can have a complete radius server like Cisco ACS. However the limitation coming with LDAP remains. Unless your database is Active Directory in which case ACS can integrate with it and allow for all eap methods.
    3) If you go for WPA enterprise, that means you will authenticate users 2 times. One with dot1x to join the wireless and one with NAC afterwards to get network connectivity. Again if you have active directory, you can go with "single sign on" so that users never have to enter their credentials. Otherwise they will have to enter them twice.
    Apart from that fact, NAC pretty much doesn't care if your wireless is open or dot1x-secured, it comes after the dot1x authentication anyway.
    I hope this clarifies?
    Nicolas

  • TACACS=admin RADIUS=802.1x same ACS?

    I have an ACS appliance set up for TACACS auth for administrative users. I need to configure 802.1x with RADIUS as I'm sending the VLAN ID back down when the user authenticates. Is this possible? Doesn't seem to be working for me. Also, I am doing this on both CatOS and IOS so IOS only solutions won't help.
    Thanks!

    Yes, it's possible. You need to set the following standard RADIUS attributes on a per-group or per-user basis:
    [64] Tunnel-Type - "VLAN"
    [65] Tunnel-Medium-Type - "802"
    [81] Tunnel-Private-Group-ID - ""
    Hope this helps.

  • Can't auth to Nortels networks devices using RADIUS with ACS 5.1

    Hi,
    I've got a problem with the ACS 5.1 RADIUS Authentication for Nortel network devices (Baystack 470, ERS 5530 5510, Passport 8606).
    After configuring RADIUS on these devices (primary server, secondary server, secret key, port...) and adding them to my ACS servers,
    I can't manage to log in using RADIUS and I get the following message:
    "Permission denied, please try again" or "No response from RADIUS server" (?) (depending on the device type)
    But in my ACS View, I can see: "Authentication succeeded."
    I've also checked the RADIUS frames; the "Access-Request" and "Access-Accept" are correctly transmitted.
    I've got no problems with RADIUS Auth using other brands' devices.
    Are there any known issues with Nortel devices using Cisco ACS 5.1 with RADIUS Authentication?
    Regards.

    Are you sure that setting up a compound condition will help?
    To me, the RADIUS Nortel VSAs are used for Authorization, and my problem is about Authentication (usually for a simple authentication, we stay in the IETF RADIUS standards, no?)
    Also, will setting this condition change the Access-Accept packets sent by the ACS to the device?
    Here are my steps in the ACS View:
    11001  Received RADIUS  Access-Request
    11017  RADIUS created a new  session
    Evaluating Service Selection  Policy
    15004  Matched rule
    15012  Selected Access  Service - Default Network Access
    Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity  Store - Internal Users
    24210  Looking up User in  Internal Users IDStore - radius
    24212  Found User in Internal  Users IDStore
    22037  Authentication Passed
    Evaluating Group Mapping  Policy
    Evaluating Exception  Authorization Policy
    15042  No rule was matched
    Evaluating Authorization  Policy
    15006  Matched Default Rule
    15016  Selected Authorization  Profile - Permit Access
    11002  Returned RADIUS  Access-Accept
    So I think the ACS does its job.

  • 802.1x and Windows Domain Controller with ACS

    Wow, I am having a tough time getting my ACS and the Domain Controller to work with 802.1x PEAP. Can somebody explain to me how to set up the domain controller (Active Directory) to get a PEAP cert? Some other questions. If I am using PEAP and 802.1x, how does my computer get a cert from the CA if the port is disabled by 802.1x? And how do I set up my domain controller to work with ACS to authenticate users? I have been beating myself to death to figure this out. Any help would be awesome. I am really stuck on trying to make this work.
    Thanks a ton in advance
    Justin

    I, as a Cisco customer, would like to see answers to our questions based on some real world experience or something you've noticed in a lab environment.
    Simply posting links is not very helpful. The reason most of us come to this site and post our questions is because we already went to the Cisco website and found the explanation to be vague. In the future, please post answers to our question, instead of referring us to a link.
    Thank you,
    John...

  • 802.1x credentials failure with ACS 5.2

    Hi all,
    I recently tried to deploy an ACS appliance with version 5.2 installed on it for a customer.
    After setting up the WLC to use the ACS as a RADIUS server, and successfully testing the connection from the ACS to the AD,
    I get an error message "12321 PEAP failed SSL/TLS handshake because the client rejected the ACS local-certificate" any time a client tries to connect to the network.
    This is surprising because I had already generated a certificate for the ACS from a CA and bound the CA signed certificate with the ACS; I also specified the CA in the client machine's wireless properties and checked the "validate certificate" button.
    When I tried to connect using the internal identity store, the client was successfully authenticated without any certificate issues.
    Any help on this will be appreciated.

    Hi,
    Can you please send me the PDF output of the authentication for the user which passes authentication to the internal identity store and for the user account that fails when pointing to AD? Are you using an identity sequence or are you modifying the identity settings? If it is ok please attach it to your next post. If not please PM me and I can set up a share for you to upload the files to securely.
    thanks,
    Tarik

  • APC (UPS) RADIUS authentication with ACS 5.X

    I am trying to do RADIUS authentication for APC (UPS) using ACS 5.2 Appliance. It is working fine with ACS 4.2, but unfortunately not with ACS 5.2. I tried creating RADIUS VSA (Vendor Specific Attributes) for APC in ACS 5.2.
    According to the APC dictionary file
    VENDOR APC 318
    # Attributes
    ATTRIBUTE APC-Service-Type 1 integer APC
    ATTRIBUTE APC-Outlets 2 string APC
    VALUE APC-Service-Type Admin 1
    VALUE APC-Service-Type Device 2
    VALUE APC-Service-Type ReadOnly 3
    # For devices with outlet users only
    VALUE APC-Service-Type Outlet 4
    I have added the attributes in blue (attached); how do I add the VALUEs (shown in red) in ACS 5.2? What else should I do to get this working?
    The hit count on the ACS shows that it is getting authentication request from the APC appliance.
    Thanks in advance.

    Hi,
    I am working on the same issue and I manage to log in (using LDAP A/D backend authentication). When using the standard RADIUS attribute Service-Type (1 for read-only and 6 for admin) I manage to get this working. I am however trying to use the APC VSAs (as above) without any success. The objective is to have outlet management for specific users, admin or read-only for others. Did you manage to get this working and how?
    ./G

  • 802.1x with alcatel phone with cisco acs 5.0

    Hi All, has anyone done the implementation of 802.1x with an Alcatel phone where the PC will be behind the phone and Cisco switch ports are configured as trunk? The trunk native VLAN is the data VLAN for the PC and the trunk carries the voice VLAN.
    When trunk mode is enabled I cannot configure 802.1x on the trunk interface. Can anyone help me to get rid of this situation?
    Thanks

    Hi,
    Did you find any solution? Did you try the command switchport voice vlan?
    Regards,
    Mauricio

  • Tacacs+ problem with ACS 5.2

    I am new with ACS server 5.2; can someone please help me before I bang my head on the wall. I have configured the ACS server 5.2 but still cannot authenticate users. The router can ping the ACS server. With debugging I got the following error message:
    Switch#
    6d07h: TAC+: Using default tacacs server-group "tacacs+" list.
    6d07h: TAC+: Opening TCP/IP to 110.7.111.8/49 timeout=5
    6d07h: TAC+: TCP/IP open to 110.7.111.8/49 failed -- Connection timed out; remote host not responding
    6d07h: TAC+: Opening TCP/IP to 110.7.111.7/49 timeout=5
    6d07h: TAC+: TCP/IP open to 110.7.111.7/49 failed -- Connection timed out; remote host not responding
    6d07h: TAC+: send AUTHEN/START packet ver=192 id=3004581909
    6d07h: TAC+: Using default tacacs server-group "tacacs+" list.
    6d07h: TAC+: Opening TCP/IP to 110.7.111.8/49 timeout=5
    6d07h: TAC+: TCP/IP open to 110.7.111.8/49 failed -- Connection timed out; remote host not responding
    6d07h: TAC+: Opening TCP/IP to 110.7.111.7/49 timeout=5
    6d07h: TAC+: TCP/IP open to 110.7.111.7/49 failed -- Connection timed out; remote host not responding
    Your kind help will be highly appreciated.

    Did you add the switch as an AAA client in the ACS box? Make sure you use the correct switch IP when adding it in ACS.
    You can go to "Monitoring and Reports" on ACS to check the log to see what happened.

  • Issue with ACS 4 and AAA. Port scan shows no Radius but does show tacacs

    To start, I am new to ACS so if this is an easy issue to solve please forgive me. I am trying to get authentication working with ACS 4. I set up everything according to the instructions and when I try to test authentication with the VPN concentrator I get a "No active server found" error. I have tried using an internal user to start and I also have tried an AD account. If I port scan the ACS server I do not see it advertising port 1645 but I do see port 49 for TACACS and I also see ports 2000-2002. CSRadius is running.

    Actually, to avoid any issues I made CSRadius listen on BOTH sets of ports :)
    So unless that got changed without my knowing it should be listening on 1645/6 and 1812/3
    Darra
