AAA authentication / Radius-Servers

Similar Messages

• Cisco Nexus to use Radius AAA authentication using Microsoft 2008 NPS

  I have a Nexus 7010 running
  Just wondering if you can help me with something. I'm having an issue with command authorization thru our aaa config. We don't have a problem authenticating its command authorization that is not working. From what I have seen and read Nexus NX-OS 6.x does not have any commands for aaa authorization unless you are configuring TACACS+. My basic config is below if you can help it would be much appreciated.
  >>ip radius source-interface mgmt 0
  >>radius-server key XXXXX
  >>radius-server host X.X.X.X key XXXXX authentication accounting
  >>radius-server host X.X.X.X key XXXXX authentication accounting aaa
  >>authentication login default group Radius_Group aaa authentication
  >>login console local aaa group server radius Radius_Group
  >>    server X.X.X.X
  >>    server X.X.X.X
  >>    source-interface mgmt0
  Also does anyone know how to configure Microsoft 2008 NPS as a Raduis server to work with Nexus? I have read a few post that suggest changing the
  shell:roles="vdc-admin" in the  Attribute Value field in the RADIUS server
  Does anyone know if this works????
  Thanks

  I have never done this before with ACS but not with NPS. However, you are in the right path. Nexus uses NX-OS which is different in some regards to regular IOS. One of those differences is the AAA setup. In NX-OS you assign users to roles. So for full access you will need to return the following attributes from your Radius server:
  Attribute: cisco-av-pair
  Requirement: Mandatory
  Value: shell:roles*"network-admin vdc-admin"
  For more information take a look at this link:
  http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html
  Hope this helps
  Thank you for rating helpful posts!

• AAA authentication with RADIUS

  Hi,
  aaa authentication login user-list group radius local
  radius-server host 10.1.1.3 auth-port 1645 acct-port 1646 key xxxx
  radius-server deadtime 10
  If i add more radius-server host such as
  radius-server host 10.1.1.4 auth-port 1645 acct-port 1646 key xxxx
  1. Server 10.1.1.4 will be backup for server 10.1.1.3?
  2. Can i configure to be radius group?
  Thanks

  Hi,
  you can try the following:
  Router(config)# aaa group server radius
  Router(config-sg radius)# server 10.1.1.3
  Router(config-sg radius)# server 10.1.1.4
  when you configure the aaa group like this 10.1.1.3 will be primary and 10.1.1.4 is secondary
  Hope this helps.
  Regards,
  Anisha
  P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

• Cisco AAA authentication with windows radius server

  Cisco - Windows Radius problems
  I need to created a limited access group through radius that I can have new network analysts log into
  and not be able to commit changes or get into global config.
  Here are my current radius settings
  aaa new-model
  aaa group server radius IAS
   server name something.corp
  aaa authentication login USERS local group IAS
  aaa authorization exec USERS local group IAS
  radius server something.corp
   address ipv4 1.1.1.1 auth-port 1812 acct-port 1813
   key mypassword
  line vty 0 4
   access-class 1 in
   exec-timeout 0 0
   authorization exec USERS
   logging synchronous
   login authentication USERS
   transport input ssh
  When I log in to the switch, the radius server is passing the corrrect attriubute
  ***Jan 21 13:59:51.897: RADIUS:   Cisco AVpair       [1]   18  "shell:priv-lvl=7"
  The switch is accepting it and putting you in the correct priv level.
  ***Radius-Test#sh priv
     Current privilege level is 7
  I am not sure why it logs you in with the prompt for  privileged EXEC mode when
  you are in priv level 7. This shows that even though it looks like your in priv exec
  mode, you are not.
  ***Radius-Test#sh run
                  ^
     % Invalid input detected at '^' marker.
     Radius-Test#
  Now this is where I am very lost.
  I am in priv level 7, but as soon as I use the enable command It moves me up to 15, and that gives me access to
  global config mode.
  ***Radius-Test#enable
     Radius-Test#
  Debug log -
  Jan 21 14:06:28.689: AAA/MEMORY: free_user (0x2B46E268) user='reynni10'
  ruser='NULL' port='tty390' rem_addr='10.100.158.83' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
  Now it doesnt matter that I was given priv level 7 by radius because 'enable' put me into priv 15
  ***Radius-Test#sh priv
     Current privilege level is 15
     Radius-Test#
  I have tried to set
  ***privilege exec level 15 enable
  It works and I am no longer able to use 'enable' when I am at prv level 7, but I also cannot get the commands they will need to work.
  Even if I try to do
  ***privilege exec level 7 show running-config (or other variations)
  It will allow you to type sh run without errors, but it doest actually run the command.
  What am I doing wrong?
  I also want to get PKI working with radius.

  I can run a test on my radius system, will report back accordingly, as it's a different server than where I am currently located.
  Troubleshooting, have you deleted the certificate/network profile on the devices and started from scratch?

• Dot1x with port security and redundant radius servers

  I have a strange issue with my dot1x port authentication.  I have two radius servers configured in my switch for redundancy, and on my switchport I have a Cisco IP phone and a PC.  Testing redundnacy with the radius servers, when I have both servers active and running, the port authentication works fine for both phone and pc.  When I fail the radius servers in the configuration, by disconnecting the NIC on it, the switch goes to the surviving radius server and authenticates, (I can see it in the running log) both the phone and PC get an access-accept, but only the phone works on the network and the port light stays amber showing it's blocking for the pc.  Strange, since it showed an accept on the radius server.
  This only seems to happen when the first one on the list is failed.  When the second one is failed, it obviously won't need to try it, so there's not an issue.  Any ideas?
  Here's the setup and configs:
  freeradius 2.1.12-4
  cisco 3560
  Switch Ports Model              SW Version            SW Image                
  *    1 52    WS-C3560G-48PS     12.2(53)SE2           C3560-IPBASEK9-M 
  aaa new-model
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  interface GigabitEthernet0/1
  switchport access vlan 100
  switchport mode access
  switchport voice vlan 110
  authentication event no-response action authorize vlan 901
  authentication host-mode multi-domain
  authentication port-control auto
  authentication periodic
  authentication violation protect
  mab
  dot1x pae authenticator
  dot1x timeout quiet-period 10
  dot1x timeout tx-period 1
  no mdix auto
  spanning-tree portfast
  radius-server host 10.90.1.88 auth-port 1645 acct-port 1646 key 7 xxx
  radius-server host 10.90.1.85 auth-port 1645 acct-port 1646 key 7 xxx
  Here's an authentication string from the radius server:
  (there are two mac address.  The first one 00.13 is the PC and the second 30.37 is the phone)
  rad_recv: Access-Request packet from host 10.90.100.7 port 1645, id=204, length=160
  User-Name = "001372b639a6"
  User-Password = "001372b639a6"
  Service-Type = Call-Check
  Framed-MTU = 1500
  Called-Station-Id = "9C-AF-CA-23-D9-01"
  Calling-Station-Id = "00-13-72-B6-39-A6"
  Message-Authenticator = 0xfeef777a8033c24934306b3cce78c8f1
  NAS-Port-Type = Ethernet
  NAS-Port = 50001
  NAS-Port-Id = "GigabitEthernet0/1"
  NAS-IP-Address = 10.90.100.7
  Wed Sep 18 10:48:06 2013 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default
  Wed Sep 18 10:48:06 2013 : Info: +- entering group authorize {...}
  Wed Sep 18 10:48:06 2013 : Info: ++[preprocess] returns ok
  Wed Sep 18 10:48:06 2013 : Info: ++[chap] returns noop
  Wed Sep 18 10:48:06 2013 : Info: ++[mschap] returns noop
  Wed Sep 18 10:48:06 2013 : Info: ++[digest] returns noop
  Wed Sep 18 10:48:06 2013 : Info: [suffix] No '@' in User-Name = "001372b639a6", looking up realm NULL
  Wed Sep 18 10:48:06 2013 : Info: [suffix] No such realm "NULL"
  Wed Sep 18 10:48:06 2013 : Info: ++[suffix] returns noop
  Wed Sep 18 10:48:06 2013 : Info: [eap] No EAP-Message, not doing EAP
  Wed Sep 18 10:48:06 2013 : Info: ++[eap] returns noop
  Wed Sep 18 10:48:06 2013 : Info: [sql]           expand: %{User-Name} -> 001372b639a6
  Wed Sep 18 10:48:06 2013 : Info: [sql] sql_set_user escaped user --> '001372b639a6'
  Wed Sep 18 10:48:06 2013 : Debug: rlm_sql (sql): Reserving sql socket id: 3
  Wed Sep 18 10:48:06 2013 : Info: [sql]           expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '001372b639a6'           ORDER BY id
  Wed Sep 18 10:48:06 2013 : Debug: rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '001372b639a6'           ORDER BY id
  Wed Sep 18 10:48:06 2013 : Info: [sql] User found in radcheck table
  Wed Sep 18 10:48:06 2013 : Info: [sql]           expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '001372b639a6'           ORDER BY id
  Wed Sep 18 10:48:06 2013 : Debug: rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '001372b639a6'           ORDER BY id
  Wed Sep 18 10:48:06 2013 : Info: [sql]           expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = '001372b639a6'           ORDER BY priority
  Wed Sep 18 10:48:06 2013 : Debug: rlm_sql_mysql: query:  SELECT groupname           FROM radusergroup           WHERE username = '001372b639a6'           ORDER BY priority
  Wed Sep 18 10:48:06 2013 : Debug: rlm_sql (sql): Released sql socket id: 3
  Wed Sep 18 10:48:06 2013 : Info: ++[sql] returns ok
  Wed Sep 18 10:48:06 2013 : Info: ++[expiration] returns noop
  Wed Sep 18 10:48:06 2013 : Info: ++[logintime] returns noop
  Wed Sep 18 10:48:06 2013 : Info: ++[pap] returns updated
  Wed Sep 18 10:48:06 2013 : Info: Found Auth-Type = PAP
  Wed Sep 18 10:48:06 2013 : Info: # Executing group from file /etc/raddb/sites-enabled/default
  Wed Sep 18 10:48:06 2013 : Info: +- entering group PAP {...}
  Wed Sep 18 10:48:06 2013 : Info: [pap] login attempt with password "001372b639a6"
  Wed Sep 18 10:48:06 2013 : Info: [pap] Using clear text password "001372b639a6"
  Wed Sep 18 10:48:06 2013 : Info: [pap] User authenticated successfully
  Wed Sep 18 10:48:06 2013 : Info: ++[pap] returns ok
  Wed Sep 18 10:48:06 2013 : Info: # Executing section post-auth from file /etc/raddb/sites-enabled/default
  Wed Sep 18 10:48:06 2013 : Info: +- entering group post-auth {...}
  Wed Sep 18 10:48:06 2013 : Info: ++[exec] returns noop
  Sending Access-Accept of id 204 to 10.90.100.7 port 1645
  Wed Sep 18 10:48:06 2013 : Info: Finished request 0.
  Wed Sep 18 10:48:06 2013 : Debug: Going to the next request
  Wed Sep 18 10:48:06 2013 : Debug: Waking up in 4.9 seconds.
  Wed Sep 18 10:48:11 2013 : Info: Cleaning up request 0 ID 204 with timestamp +77
  Wed Sep 18 10:48:11 2013 : Info: Ready to process requests.
  rad_recv: Access-Request packet from host 10.90.100.7 port 1645, id=205, length=160
  User-Name = "3037a616cd49"
  User-Password = "3037a616cd49"
  Service-Type = Call-Check
  Framed-MTU = 1500
  Called-Station-Id = "9C-AF-CA-23-D9-01"
  Calling-Station-Id = "30-37-A6-16-CD-49"
  Message-Authenticator = 0xc9173e759dd759b9d414d192783e8a8e
  NAS-Port-Type = Ethernet
  NAS-Port = 50001
  NAS-Port-Id = "GigabitEthernet0/1"
  NAS-IP-Address = 10.90.100.7
  Wed Sep 18 10:48:13 2013 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default
  Wed Sep 18 10:48:13 2013 : Info: +- entering group authorize {...}
  Wed Sep 18 10:48:13 2013 : Info: ++[preprocess] returns ok
  Wed Sep 18 10:48:13 2013 : Info: ++[chap] returns noop
  Wed Sep 18 10:48:13 2013 : Info: ++[mschap] returns noop
  Wed Sep 18 10:48:13 2013 : Info: ++[digest] returns noop
  Wed Sep 18 10:48:13 2013 : Info: [suffix] No '@' in User-Name = "3037a616cd49", looking up realm NULL
  Wed Sep 18 10:48:13 2013 : Info: [suffix] No such realm "NULL"
  Wed Sep 18 10:48:13 2013 : Info: ++[suffix] returns noop
  Wed Sep 18 10:48:13 2013 : Info: [eap] No EAP-Message, not doing EAP
  Wed Sep 18 10:48:13 2013 : Info: ++[eap] returns noop
  Wed Sep 18 10:48:13 2013 : Info: [sql]           expand: %{User-Name} -> 3037a616cd49
  Wed Sep 18 10:48:13 2013 : Info: [sql] sql_set_user escaped user --> '3037a616cd49'
  Wed Sep 18 10:48:13 2013 : Debug: rlm_sql (sql): Reserving sql socket id: 2
  Wed Sep 18 10:48:13 2013 : Info: [sql]           expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '3037a616cd49'           ORDER BY id
  Wed Sep 18 10:48:13 2013 : Debug: rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '3037a616cd49'           ORDER BY id
  Wed Sep 18 10:48:13 2013 : Info: [sql] User found in radcheck table
  Wed Sep 18 10:48:13 2013 : Info: [sql]           expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '3037a616cd49'           ORDER BY id
  Wed Sep 18 10:48:13 2013 : Debug: rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '3037a616cd49'           ORDER BY id
  Wed Sep 18 10:48:13 2013 : Info: [sql]           expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = '3037a616cd49'           ORDER BY priority
  Wed Sep 18 10:48:13 2013 : Debug: rlm_sql_mysql: query:  SELECT groupname           FROM radusergroup           WHERE username = '3037a616cd49'           ORDER BY priority
  Wed Sep 18 10:48:13 2013 : Debug: rlm_sql (sql): Released sql socket id: 2
  Wed Sep 18 10:48:13 2013 : Info: ++[sql] returns ok
  Wed Sep 18 10:48:13 2013 : Info: ++[expiration] returns noop
  Wed Sep 18 10:48:13 2013 : Info: ++[logintime] returns noop
  Wed Sep 18 10:48:13 2013 : Info: ++[pap] returns updated
  Wed Sep 18 10:48:13 2013 : Info: Found Auth-Type = PAP
  Wed Sep 18 10:48:13 2013 : Info: # Executing group from file /etc/raddb/sites-enabled/default
  Wed Sep 18 10:48:13 2013 : Info: +- entering group PAP {...}
  Wed Sep 18 10:48:13 2013 : Info: [pap] login attempt with password "3037a616cd49"
  Wed Sep 18 10:48:13 2013 : Info: [pap] Using clear text password "3037a616cd49"
  Wed Sep 18 10:48:13 2013 : Info: [pap] User authenticated successfully
  Wed Sep 18 10:48:13 2013 : Info: ++[pap] returns ok
  Wed Sep 18 10:48:13 2013 : Info: # Executing section post-auth from file /etc/raddb/sites-enabled/default
  Wed Sep 18 10:48:13 2013 : Info: +- entering group post-auth {...}
  Wed Sep 18 10:48:13 2013 : Info: ++[exec] returns noop
  Sending Access-Accept of id 205 to 10.90.100.7 port 1645
  Cisco-AVPair = "device-traffic-class=voice"
  Wed Sep 18 10:48:13 2013 : Info: Finished request 1.
  Wed Sep 18 10:48:13 2013 : Debug: Going to the next request
  Wed Sep 18 10:48:13 2013 : Debug: Waking up in 4.9 seconds.
  Wed Sep 18 10:48:18 2013 : Info: Cleaning up request 1 ID 205 with timestamp +84
  Wed Sep 18 10:48:18 2013 : Info: Ready to process requests.
  Thanks!

  802.1X support    requires an authentication server that is configured for Remote    Authentication Dial-In User Service (RADIUS). 802.1X authentication does  not   work unless the network access switch can route packets to the  configured   RADIUS server.
  Please check the  below links which can be helpful in configurations:
  Link-1
  http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/50sg/configuration/guide/dot1x.html

• How to set two radius servers one is window NPS another is cisco radius server

  how to set two radius servers one is window NPS another is cisco radius server
  when i try the following command, once window priority is first , i type cisco radius user name, it authenticated fail
  i can not use both at the same time
  radius-server host 192.168.1.3  is window NPS
  radius-server host 192.168.1.1 is cisco radius
  http://blog.skufel.net/2012/06/how-to-integrating-cisco-devices-access-with-microsoft-npsradius/
  conf t
  no aaa authentication login default line
  no aaa authentication login local group radius
  no aaa authorization exec default group radius if-authenticated
  no aaa authorization network default group radius
  no aaa accounting connection default start-stop group radius
  aaa new-model
  aaa group server radius IAS
   server 192.168.1.1 auth-port 1812 acct-port 1813
   server 192.168.1.3 auth-port 1812 acct-port 1813
  aaa authentication login userAuthentication local group IAS
  aaa authorization exec userAuthorization local group IAS if-authenticated
  aaa authorization network userAuthorization local group IAS
  aaa accounting exec default start-stop group IAS
  aaa accounting system default start-stop group IAS
  aaa session-id common
  radius-server host 192.168.1.1 auth-port 1812 acct-port 1813
  radius-server host 192.168.1.2 auth-port 1812 acct-port 1813
  radius-server host 192.168.1.3 auth-port 1645 acct-port 1646
  radius-server host 192.168.1.3 auth-port 1812 acct-port 1813
  privilege exec level 1 show config
  ip radius source-interface Gi0/1
  line vty 0 4
   authorization exec userAuthorization
   login authentication userAuthentication
   transport input telnet
  line vty 5 15
   authorization exec userAuthorization
   login authentication userAuthentication
   transport input telnet
  end
  conf t
  aaa group server radius IAS
   server 192.168.1.3 auth-port 1812 acct-port 1813
   server 192.168.1.1 auth-port 1812 acct-port 1813
  end

  The first AAA server listed in your config will always be used unless/until it becomes unavailable. At that point the NAD would move down to the next AAA server defined on the list and use that one until it becomes unavailable and then move to third one, and so on. 
  If you want to use two AAA servers at the same time then you will need to put a load balancer in front of them. Then the virtual IP (vip) will be listed in the NADs vs the individual AAA servers' IPs. 
  I hope this helps!
  Thank you for rating helpful posts!

• AAA Authentication and VRF-Lite

  Hi!
  I've run into a strange problem, when using AAA Radius authentication and VRF-Lite.
  The setting is as follows. A /31 linknet is setup between PE and CE (7206/g1 and C1812), where PE sub-if is a part of an MPLS VPN, and CE uses VRF-Lite to keep the local services seperated (where more than one VPN is used..).
  Access to the CE, via telnet, console etc, will be authenticated by our RADIUS servers, based on the following setup:
  --> Config Begins <---
  aaa new-model
  aa group server radius radius-auth
  server x.x.4.23 auth-port 1645 acct-port 1646
  server x.x.7.139 auth-port 1645 acct-port 1646
  aaa authentication login default group radius-auth local
  aaa authentication enable default group radius-auth enable
  radius-server host x.x.4.23 auth-port 1645 acct-port 1646 key <key>
  radius-server host x.x.7.139 auth-port 1645 acct-port 1646 key <key>
  ip radius source-interface <outside-if> vrf 10
  ---> Config Ends <---
  The VRF-Lite instance is configured like this:
  ---> Config Begins <---
  ip vrf 10
  rd 65001:10
  ---> Config Ends <---
  Now - if I remove the VRF-Lite setup, and use global routing on the CE (which is okey for a single-vpn setup), the AAA/RADIUS authentication works just fine. When I enable "ip vrf forwarding 10" on the outside and inside interface, the AAA/RADIUS service is unable to reach the two defined servers.
  I compared the routing table when using VRF-Lite and global routing, and they are identical. All routes are imported via BGP correctly, and the service as a whole works without problems, in other words, the AAA/RADIUS part is the only service not working.

  Just wanted to help future people as some of the answers I found here were confusing.
  This is all you need from the AAA perspective:
  aaa new-model
  aaa group server radius RADIUS-VRF-X
  server-private 192.168.1.10 auth-port 1812 acct-port 1813 key 7 003632222D6E3839240475
  ip vrf forwarding X
  aaa authentication login default group RADIUS-VRF-X local
  aaa authorization exec default group X local if-authenticated
  Per VRF AAA reference:
  http://www.cisco.com/c/en/us/td/docs/ios/12_2/12_2b/12_2b4/feature/guide/12b_perv.html#wp1024168

• 5508 WLC version 7.6 maximum RADIUS Servers

  Hi All,
  Is there a maximum limit for RADIUS Servers that we can configure for Authentication under Security TAB in WLC 5508/8500 with version 7.6?
  We have 6 RADIUS Servers that needs to be configured for WLAN Client Authentication. 
  Thanks,
  CJ

  IIRC the limit is 16 servers on the WLC.  but you can only call up to three under the WLAN itself.
  If you need to be able to failover to anything beyond 3, than check the network user box in the AAA server configuration to make it globally available.
  HTH,
  Steve

• Aaa authentication

  I'm trying to set up authentication using a PIX 525 for some of our web servers. In preparation, I'm testing it on a PIX 515. For testing purposes, I'm not using a RADIUS or TACACS server.
  I've implemented the following commands:
  aaa-server LOCAL protocol local
  access-list authlist permit tcp any any eq www
  aaa authentication match authlist outside LOCAL
  When these commands are used, authentication works as advertised. When I change the access-list to:
  access-list authlist permit tcp any host 192.168.1.2 eq www
  where 192.168.1.2 is a webserver, authentication does not occur. (We want to require authentication for some web servers but not others.) I've tried variations of the commmand but none has worked. The PIX just passes all traffic.
  Any ideas?
  Noah

  Hi,
  Solution lies in, from where you are trying to access the server? and where you have applied the authentication to occur?
  192.168.1.2 definitely doesn't appears to be a global ip (if you are not working in a test scenario)
  outside in the authentication statement means that we want authentication to happen for all the traffic coming in on Outside interface to authenticate.
  Little topology detail will help.
  Regards,
  Prem

• AAA authentication for networking devices using ACS 4.1 SE

  Hi!!!
  I want to perform AAA authentication for networking devices using ACS 4.1 SE.
  I do have Cisco 4500, 6500,2960, 3750, 3560, ASA, CSMARS, routers (2821) etc in my network. I want to have radius based authentication for the same.
  I want telnet, ssh has,console attempt to be verified by radius server & if ACS goes down then it will be via local enable passwordf.
  For all users i need to have different privilege levels based upon which access will be granted.
  could u plz send me the config that is required to be done in the active devices as well as ACS!!!!

  Pradeep,
  Are you planning MAC authentication for some users while using EAP for others?
  For MAC authentication, just use the following in your AP.
  aaa authentication login mac_methods group radius
  In your AP, select the radius server for mac authentication. You must have already defined your ACS as a radius server.
  In your SSID configuration, under client authentication settings,
  check "open authentication" and also select "MAC Authentication" from the drop-down list.
  If you want both MAC or EAP, then select "MAC Authentication or EAP" from the dropdown.
  Define the mac address as the username and password in ACS. Make sure the format of the mac is without any spaces.
  You will not need to change anything in XP.
  NOTE: XP normally does not require user authentication if machine has already authenticated but it might behave differently. If it does, I can let you know the registry settings to force the behaviour change.
  HTH

• AAA Authentication for Traffic Passing through ASA

  I am setting up AAA authentication for traffic that will pass through my ASA. I am having difficulty enabling 'aaa authentication secure-http-client'. Without secure communications enabled access functions as expected. When I enable access, I get prompted for a username/password. The username/password is entered. Authentication passes (show uauth). The requested page (http://www.cisco.com) switches to https://x.x.x.x (a resolved IP address for the site). Eventually (5 seconds), I am asked to accept or deny a certificated. Interestingly, the certificate is for the ASA and not the requested site (http://www.cisco.com).
  Am I missing something?
  firewall# show run aaa
  aaa authentication http console TACACS+ LOCAL
  aaa authentication telnet console TACACS+ LOCAL
  aaa authentication serial console TACACS+ LOCAL
  aaa authentication ssh console TACACS+ LOCAL
  aaa authentication enable console TACACS+ LOCAL
  aaa authentication match guestnetwork_access guestnetwork RADIUS
  aaa authentication secure-http-client
  firewall# show access-li guestnetwork_access
  access-list guestnetwork_access; 2 elements
  access-list guestnetwork_access line 1 extended deny udp 10.255.255.0 255.255.255.0 any eq domain (hitcnt=33)
  access-list guestnetwork_access line 2 extended permit ip 10.255.255.0 255.255.255.0 any (hitcnt=412)
  firewall# show run aaa-s
  aaa-server RADIUS protocol radius
  aaa-server RADIUS (inside) host 192.168.250.14
  key xxxxx
  firewall# show run http
  http server enable

  your definition for the aaa-server is different to the aaa authentication server-group
  try
  aaa authentication http console RADIUS LOCAL
  aaa authentication telnet console RADIUS LOCAL

• [Cisco ACS] 11036 The Message-Authenticator RADIUS attribute is invalid

  Hi,
  I got many Cisco AP which are linked to 2 Cisco WLC.
  On each WLC, I configured a primary and a secondary RADIUS Server.
  RADIUS servers are Cisco ACS 5.2.0.26 (patch 10)
  Primary and secondary ACS configurations are synchronized.
  There are no problem between primary WLC and Cisco ACS (primary and secondary).
  When secondary WLC requests primary Cisco ACS, I get this error "11036 The Message-Authenticator RADIUS attribute is invalid"
  Secondary WLC automatically contacts secondary Cisco ACS and it works fine.
  Cisco ACS description for this error: "This maybe because of mismatched Shared Secrets."
  The two Cisco ACS are synchronized so I should have same error on them...
  Why does primary ACS generate this error?
  Thanks for your help,
  Patrick

  Tarik Admani wrote:Amjad,That is a good observation, shouldnt 7.3 (which recently released) help put these types of issues to rest? I hear that the configuration can now be replicated from one controller to the next in a failover setup.Thanks,Tarik Admani
  *Please rate helpful posts*
  Yes. That is a good point.
  With 7.3 you can use high availability (HA) between two WLCs and you can configure only one WLC (the primary) and all the configuraiotn can be replicated and synched to the other WLC (the secondary).
  The two WLCs in the HA must be on same subnet though. Otherwise hot-standby HA between WLCs can't be used.
  Rating useful replies is more useful than saying "Thank you"

• AAA using Radius with 802.1x

  Hello there,
  We're going to be implementing 802.1x on our network of some reaallly old switches (6509 Cat OS with MSFC 2).  We use radius for AAA authentication and I've been reading that .1x uses radius.  How is that going to work?  Do I just add another radius server in my radius server command and, more importantly, will .1x work on Cat OS running 8.2.1?  I've been trowling the forums and I can't seem to find anyone who's actually running .1x on the old Cat OS switches to see what kind of gotchas I can expect to run into.
  Any advise, assistance would be greatly appreciated!
  Thanks
  Kiley

  Salodh,
  Thanks but that document is for a 2950 and we have a 6509 but, the good thing is I just found out our Tier 3 engineers will not be adding dot1x to the 6509 since it has only trunks - no access ports.  Thanks very much for your reply!

• AAA using RADIUS

  GOod morning all,
  I am trying to configure AAA using RADIUS with ACS 4.1 SE and various Cisco Devices. I have configured the ACS to perform group mapping on personnel who I want to give access privileges. What I would like to do is give that group privilege level 15 and do away with enable passwords. However, I need local level authentication for our console options with enable privileges. Can this be done? Any help would be appreciated.
  Dwane

  For routers and IOS switches:
  aaa new-model
  aaa authentication banner *Unauthorized Access Prohibited*
  aaa authentication login default group radius
  radius-server host 10.10.10.10 (your acs device)
  radius-server key cisco123
  radius-server configure-nas
  username nmg password telnet
  aaa authentication ppp dialins group radius local
  aaa authentication login nmg local
  aaa authorization network default group radius local
  aaa accounting network default start-stop group radius
  aaa processes 16
  line 1 16
  login authentication
  For CatOS switches:
  Set radius-server 10.10.10.10
  show radius
  set radius key cisco123
  set authentication login radius enable
  set authentication enable radius enable
  show authentication
  set radius timeout 5
  set radius retransmit 3
  set radius deadtime 3
  For Pix Firewalls:
  aaa authentication ssh console radius LOCAL
  aaa authentication telnet console radius LOCAL
  aaa-server radgroup protocol RADIUS
  max-failed-attempts 2
  reactivation-mode depletion deadtime 5
  exit
  (NOTE: This will depending on the location of the pix firewall)
  aaa-server radgroup (inside) host 10.10.10.10
  key XXXXXXX
  exit
  aaa-server radgroup(inside) host 10.10.10.10
  key XXXXXX
  exit
  This is pretty much what we used for configurations on our test. It looks like most of your switches are IOS based so that will be nice for you.
  If you are using local authentication, you can create a group and assign the local addresses to that group. What I did in the radius IETF attribute, you ensure that [006] Service-Type is checked and scroll down to Administrative and click Submit & Restart.
  Hope this helps some. I had alot of help from Cisco TAC on this.
  Dwane

• AAA authentication on switch

  We are configuring 802.1x for wired client. ISE is our AAA server. While configuring, i came across 3 different command sets
  1) radius-server host  <primary aaa server> auth-port 1812 acct-port 1813 
      radius-server host  <secondary aaa server> auth-port 1812 acct-port 1813 
      radius server key <shared_key>
  2) aaa group server radius < RADIUS group name>
       server <Primary Radius Server IP> auth-port 1812 acct-port 1813
       server <Secondary Radius Server IP> auth-port 1812 acct-port 1813
  3)  aaa server radius dynamic-author 
       client <Primary Server> server-key <radius_key>
       client <Secondary Server> server-key <radius_key>
  Now, we already created aaa server group in step 2. 
  what is the significance of step 3. if i don't add client under dynamic-author, what effect it will have on overall configuration. Will CoA affect in posture due to this
  Thanks,
  Aditya

  Hello Aditya-
  The commands in step #3 configure the NAD (In your case the switch) to accept CoA (Change of Authorization) which is used for 802.1x based network authentications. If you are only interested in configuring the switch for device administration then you don't need those commands, however, if you are planning on deploying 802.1x then you do need them. For more info check out this link:
  http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/whitepaper_C11-731907.html
  Thank you for rating helpful posts!