AAA authentication with RADIUS

Similar Messages

• AAA Authorization with RADIUS and RSA SecurID Authentication Manager

  Hi there.
  I am in the process of implementing a new RSA SecurID deployment, and unfortunately the bulk of the IOS devices here do not support native SecurID (SDI) protocol. With the older RSA SecurID deployment version, it supported TACACS running on the system, now in 8.x it does not.  Myself, along with RSA Support, are having problems getting TACACS working correctly with the new RSA Deployment, so the idea turned to possibly just using RADIUS
  I have setup the RADIUS server-host, and configured the AAA authentication and authorization commands as follows:
  #aaa new-model
  #radius-server host 1.1.1.1 timeout 10 retransmit 3 key cisco123!
  #aaa authentication login default group radius enable
  #aaa authorization exec default group radius local
  I have also tried
  #aaa authorization exec default group radius if-authenticated local
  I can successfully authenticate via SSH to User Mode using my SecurID passcode -- however, when I go to enter Priv Exec mode, it wont take the SecurID passcode - I just get an "access denied"
  I've ran tcpdump on the RSA Primary Instance, looking for 1645/1646 traffic, and I dont get anything
  I've turned on RADIUS debugging on the IOS device, and I dont get anything either
  I did see this disclaimer in a Cisco doc: "The RADIUS method does not work on a per-username basis."  -- not sure if this is related to my issue?
  I'm beginning to wonder if IOS/AAA cant pass authorization-exec process to RSA SecurID

  I don't have a solution, but can confirm I have the same problem and am also trying to find a solution.
  I see no data sent to the RSA server when using the wireless AP. With other equipment on the same ACS, I do see the attempts going to the RSA server.
  The first reply doesn't seem to apply to me, since it's not sending a request from the ACS machine to the RSA machine.

• Cisco AAA authentication with windows radius server

  Cisco - Windows Radius problems
  I need to created a limited access group through radius that I can have new network analysts log into
  and not be able to commit changes or get into global config.
  Here are my current radius settings
  aaa new-model
  aaa group server radius IAS
   server name something.corp
  aaa authentication login USERS local group IAS
  aaa authorization exec USERS local group IAS
  radius server something.corp
   address ipv4 1.1.1.1 auth-port 1812 acct-port 1813
   key mypassword
  line vty 0 4
   access-class 1 in
   exec-timeout 0 0
   authorization exec USERS
   logging synchronous
   login authentication USERS
   transport input ssh
  When I log in to the switch, the radius server is passing the corrrect attriubute
  ***Jan 21 13:59:51.897: RADIUS:   Cisco AVpair       [1]   18  "shell:priv-lvl=7"
  The switch is accepting it and putting you in the correct priv level.
  ***Radius-Test#sh priv
     Current privilege level is 7
  I am not sure why it logs you in with the prompt for  privileged EXEC mode when
  you are in priv level 7. This shows that even though it looks like your in priv exec
  mode, you are not.
  ***Radius-Test#sh run
                  ^
     % Invalid input detected at '^' marker.
     Radius-Test#
  Now this is where I am very lost.
  I am in priv level 7, but as soon as I use the enable command It moves me up to 15, and that gives me access to
  global config mode.
  ***Radius-Test#enable
     Radius-Test#
  Debug log -
  Jan 21 14:06:28.689: AAA/MEMORY: free_user (0x2B46E268) user='reynni10'
  ruser='NULL' port='tty390' rem_addr='10.100.158.83' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
  Now it doesnt matter that I was given priv level 7 by radius because 'enable' put me into priv 15
  ***Radius-Test#sh priv
     Current privilege level is 15
     Radius-Test#
  I have tried to set
  ***privilege exec level 15 enable
  It works and I am no longer able to use 'enable' when I am at prv level 7, but I also cannot get the commands they will need to work.
  Even if I try to do
  ***privilege exec level 7 show running-config (or other variations)
  It will allow you to type sh run without errors, but it doest actually run the command.
  What am I doing wrong?
  I also want to get PKI working with radius.

  I can run a test on my radius system, will report back accordingly, as it's a different server than where I am currently located.
  Troubleshooting, have you deleted the certificate/network profile on the devices and started from scratch?

• Aironet 2702i Autonomous - Web-Authentication with Radius Window 2008

  Hi Guys,
  I have a problems with case, i have diagrams sample like then : AD(Win2008) - Radius(Win2008) - Aironet 2702i => Use methods Web-Auth for EndUser  
  This is my Configure file on Aironet 2702i
  Aironet2702i#show run
  Building configuration...
  Current configuration : 8547 bytes
  ! Last configuration change at 05:08:25 +0700 Fri Oct 31 2014 by admin
  version 15.3
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname Aironet2702i
  logging rate-limit console 9
  aaa new-model
  aaa group server radius rad_mac
  aaa group server radius rad_acct
  aaa group server radius rad_admin
  aaa group server tacacs+ tac_admin
  aaa group server radius rad_pmip
  aaa group server radius dummy
  aaa authentication login default local
  aaa authentication login DTSGROUP group radius
  aaa authentication login webauth group radius
  aaa authentication login weblist group radius
  aaa authentication dot1x default group radius
  aaa authorization exec default local 
  aaa session-id common
  clock timezone +0700 7 0
  no ip source-route
  no ip cef 
  ip admission name webauth proxy http
  ip admission name webauth method-list authentication weblist 
  no ip domain lookup
  ip domain name dts.com.vn
  dot11 syslog
  dot11 activity-timeout unknown default 1000
  dot11 activity-timeout client default 1000
  dot11 activity-timeout repeater default 1000
  dot11 activity-timeout workgroup-bridge default 1000
  dot11 activity-timeout bridge default 1000
  dot11 vlan-name DTSGroup vlan 46
  dot11 vlan-name L6-Webauthen-test vlan 45
  dot11 vlan-name NetworkL7 vlan 43
  dot11 vlan-name SGCTT vlan 44
  dot11 ssid DTS-Group
     vlan 46
     authentication open eap DTSGROUP 
     authentication key-management wpa version 2
     mbssid guest-mode
  dot11 ssid DTS-Group-Floor7
     vlan 43
     authentication open 
     authentication key-management wpa version 2
     mbssid guest-mode
     wpa-psk ascii 7 013D03104C0414040D4D5B5E392559
  dot11 ssid L6-Webauthen-test
     vlan 45
     web-auth
     authentication open 
     dot1x eap profile DTSGROUP
     mbssid guest-mode
  dot11 ssid SaigonCTT-Public
     vlan 44
     authentication open 
     authentication key-management wpa version 2
     mbssid guest-mode
     wpa-psk ascii 7 04480A0F082E424D1D0D4B141D06421224
  dot11 arp-cache optional
  dot11 adjacent-ap age-timeout 3
  eap profile DTSGROUP
   description testwebauth-radius
   method peap
   method mschapv2
   method leap
  username TRIHM privilege 15 secret 5 $1$y1J9$3CeHRHUzbO.b6EPBmNlFZ/
  username ADMIN privilege 15 secret 5 $1$IvtF$EP6/9zsYgqthWqTyr.1FB0
  ip ssh version 2
  bridge irb
  interface Dot11Radio0
   no ip address
   encryption vlan 44 mode ciphers aes-ccm 
   encryption vlan 46 mode ciphers aes-ccm 
   encryption mode ciphers aes-ccm 
   encryption vlan 43 mode ciphers aes-ccm 
   encryption vlan 1 mode ciphers aes-ccm 
   ssid DTS-Group
   ssid DTS-Group-Floor7
   ssid L6-Webauthen-test
   ssid SaigonCTT-Public
   countermeasure tkip hold-time 0
   antenna gain 0
   stbc
   mbssid
   packet retries 128 drop-packet
   channel 2412
   station-role root
   rts threshold 2340
   rts retries 128
   ip admission webauth
  interface Dot11Radio0.1
   encapsulation dot1Q 1 native
   bridge-group 1
   bridge-group 1 subscriber-loop-control
   bridge-group 1 spanning-disabled
   bridge-group 1 block-unknown-source
   no bridge-group 1 source-learning
   no bridge-group 1 unicast-flooding
  interface Dot11Radio0.43
   encapsulation dot1Q 43
   bridge-group 43
   bridge-group 43 subscriber-loop-control
   bridge-group 43 spanning-disabled
   bridge-group 43 block-unknown-source
   no bridge-group 43 source-learning
   no bridge-group 43 unicast-flooding
  interface Dot11Radio0.44
   encapsulation dot1Q 44
   bridge-group 44
   bridge-group 44 subscriber-loop-control
   bridge-group 44 spanning-disabled
   bridge-group 44 block-unknown-source
   no bridge-group 44 source-learning
   no bridge-group 44 unicast-flooding
   ip admission webauth
  interface Dot11Radio0.45
   encapsulation dot1Q 45
   bridge-group 45
   bridge-group 45 subscriber-loop-control
   bridge-group 45 spanning-disabled
   bridge-group 45 block-unknown-source
   no bridge-group 45 source-learning
   no bridge-group 45 unicast-flooding
   ip admission webauth
  interface Dot11Radio0.46
   encapsulation dot1Q 46
   bridge-group 46
   bridge-group 46 subscriber-loop-control
   bridge-group 46 spanning-disabled
   bridge-group 46 block-unknown-source
   no bridge-group 46 source-learning
   no bridge-group 46 unicast-flooding
  interface Dot11Radio1
   no ip address
   shutdown
   encryption vlan 46 mode ciphers aes-ccm 
   encryption vlan 44 mode ciphers aes-ccm 
   encryption vlan 1 mode ciphers aes-ccm 
   encryption vlan 43 mode ciphers aes-ccm 
   encryption vlan 45 mode ciphers ckip-cmic 
   ssid DTS-Group
   ssid DTS-Group-Floor7
   ssid SaigonCTT-Public
   countermeasure tkip hold-time 0
   antenna gain 0
   peakdetect
   dfs band 3 block
   stbc
   mbssid
   packet retries 128 drop-packet
   channel 5745
   station-role root
   rts threshold 2340
   rts retries 128
  interface Dot11Radio1.1
   encapsulation dot1Q 1 native
   bridge-group 1
   bridge-group 1 subscriber-loop-control
   bridge-group 1 spanning-disabled
   bridge-group 1 block-unknown-source
   no bridge-group 1 source-learning
   no bridge-group 1 unicast-flooding
  interface Dot11Radio1.43
   encapsulation dot1Q 43
   bridge-group 43
   bridge-group 43 subscriber-loop-control
   bridge-group 43 spanning-disabled
   bridge-group 43 block-unknown-source
   no bridge-group 43 source-learning
   no bridge-group 43 unicast-flooding
  interface Dot11Radio1.44
   encapsulation dot1Q 44
   bridge-group 44
   bridge-group 44 subscriber-loop-control
   bridge-group 44 spanning-disabled
   bridge-group 44 block-unknown-source
   no bridge-group 44 source-learning
   no bridge-group 44 unicast-flooding
   ip admission webauth
  interface Dot11Radio1.45
   encapsulation dot1Q 45
   bridge-group 45
   bridge-group 45 subscriber-loop-control
   bridge-group 45 spanning-disabled
   bridge-group 45 block-unknown-source
   no bridge-group 45 source-learning
   no bridge-group 45 unicast-flooding
   ip admission webauth
  interface Dot11Radio1.46
   encapsulation dot1Q 46
   bridge-group 46
   bridge-group 46 subscriber-loop-control
   bridge-group 46 spanning-disabled
   bridge-group 46 block-unknown-source
   no bridge-group 46 source-learning
   no bridge-group 46 unicast-flooding
  interface GigabitEthernet0
   no ip address
   duplex auto
   speed auto
   dot1x pae authenticator
   dot1x authenticator eap profile DTSGROUP
   dot1x supplicant eap profile DTSGROUP
  interface GigabitEthernet0.1
   encapsulation dot1Q 1 native
   bridge-group 1
   bridge-group 1 spanning-disabled
   no bridge-group 1 source-learning
  interface GigabitEthernet0.43
   encapsulation dot1Q 43
   bridge-group 43
   bridge-group 43 spanning-disabled
   no bridge-group 43 source-learning
  interface GigabitEthernet0.44
   encapsulation dot1Q 44
   bridge-group 44
   bridge-group 44 spanning-disabled
   no bridge-group 44 source-learning
  interface GigabitEthernet0.45
   encapsulation dot1Q 45
   bridge-group 45
   bridge-group 45 spanning-disabled
   no bridge-group 45 source-learning
  interface GigabitEthernet0.46
   encapsulation dot1Q 46
   bridge-group 46
   bridge-group 46 spanning-disabled
   no bridge-group 46 source-learning
  interface GigabitEthernet1
   no ip address
   shutdown
   duplex auto
   speed auto
  interface GigabitEthernet1.1
   encapsulation dot1Q 1 native
   bridge-group 1
   bridge-group 1 spanning-disabled
   no bridge-group 1 source-learning
  interface GigabitEthernet1.43
   encapsulation dot1Q 43
   bridge-group 43
   bridge-group 43 spanning-disabled
   no bridge-group 43 source-learning
  interface GigabitEthernet1.44
   encapsulation dot1Q 44
   bridge-group 44
   bridge-group 44 spanning-disabled
   no bridge-group 44 source-learning
  interface GigabitEthernet1.45
   encapsulation dot1Q 45
   bridge-group 45
   bridge-group 45 spanning-disabled
   no bridge-group 45 source-learning
  interface GigabitEthernet1.46
   encapsulation dot1Q 46
   bridge-group 46
   bridge-group 46 spanning-disabled
   no bridge-group 46 source-learning
  interface BVI1
   mac-address 58f3.9ce0.8038
   ip address 172.16.1.62 255.255.255.0
   ipv6 address dhcp
   ipv6 address autoconfig
   ipv6 enable
  ip forward-protocol nd
  ip http server
  ip http authentication aaa
  no ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  ip radius source-interface BVI1 
  radius-server attribute 32 include-in-access-req format %h
  radius server 172.16.50.99
   address ipv4 172.16.50.99 auth-port 1645 acct-port 1646
   key 7 104A1D0A4B141D06421224
  bridge 1 route ip
  line con 0
   logging synchronous
  line vty 0 4
   exec-timeout 0 0
   privilege level 15
   logging synchronous
   transport input ssh
  line vty 5 15
   exec-timeout 0 0
   privilege level 15
   logging synchronous
   transport input ssh
  end
  This is My Logfile on Radius Win 2008 : 
  Network Policy Server denied access to a user.
  Contact the Network Policy Server administrator for more information.
  User:
  Security ID: S-1-5-21-858235673-3059293199-2272579369-1162
  Account Name: xxxxxxxxxxxxxxxx
  Account Domain: xxxxxxxxxxx
  Fully Qualified Account Name: xxxxxxxxxxxxxxxxxxx
  Client Machine:
  Security ID: S-1-0-0
  Account Name: -
  Fully Qualified Account Name: -
  OS-Version: -
  Called Station Identifier: -
  Calling Station Identifier: -
  NAS:
  NAS IPv4 Address: 172.16.1.62
  NAS IPv6 Address: -
  NAS Identifier: Aironet2702i
  NAS Port-Type: Async
  NAS Port: -
  RADIUS Client:
  Client Friendly Name: Aironet2702i
  Client IP Address: 172.16.1.62
  Authentication Details:
  Connection Request Policy Name: Use Windows authentication for all users
  Network Policy Name: DTSWIRELESS
  Authentication Provider: Windows
  Authentication Server: xxxxxxxxxxxxxx
  Authentication Type: PAP
  EAP Type: -
  Account Session Identifier: -
  Logging Results: Accounting information was written to the local log file.
  Reason Code: 66
  Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
  So i will explain problems what i have seen:
  SSID: DTS-Group using authentication EAP with RADIUS and it working great (Authentication Type from Aironet to RADIUS is PEAP)
  SSID:L6-Webauthen-test using web-auth and i had try to compare with RADIUS but ROOT CAUSE is AUTHENTICATION TYPE from Aironet to RADIUS default is PAP. (Reason Code : 66)
  => I had trying to find how to change Authentication Type of Web-Auth on Cisco Aironet from PAP to PEAP or sometime like that for combine with RADIUS.
  Any idea or recommend for me ?
  Thanks for see my case  

  Hi Dhiresh Yadav,
  Many thanks for your reply me,
  I will explain again for clear my problems.
  At this case, i had setup complete SSID DTS-Group use authentication with security as PEAP combine Radius Server running on Window 2008.
  I had login SSID by Account create in AD =>  It's work okay with me. Done
  Problems occurs when i try to use Web-authentication on Vlan45 With SSID :
  dot11 ssid L6-Webauthen-test
     vlan 45
     web-auth
     authentication open 
     dot1x eap profile DTSGROUP
     mbssid guest-mode
  After configured on Aironet and Window Radius , i had try to login with Account create in AD by WebBrowser but it Fail ( i have see mini popup said: Authentication Fail" . So i go to Radius Server and search log on EventViewer.
  This is My Logfile on Radius Win 2008 : 
  Network Policy Server denied access to a user.
  NAS:
  NAS IPv4 Address: 172.16.1.62
  NAS IPv6 Address: -
  NAS Identifier: Aironet2702i
  NAS Port-Type: Async
  NAS Port: -
  RADIUS Client:
  Client Friendly Name: Aironet2702i
  Client IP Address: 172.16.1.62
  Authentication Details:
  Connection Request Policy Name: Use Windows authentication for all users
  Network Policy Name: DTSWIRELESS
  Authentication Provider: Windows
  Authentication Server: xxxxxxxxxxxxxx
  Authentication Type: PAP
  EAP Type: -
  Account Session Identifier: -
  Logging Results: Accounting information was written to the local log file.
  Reason Code: 66
  Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
  Im  think ROOT CAUSE is :
  PAP is the default authentication type for web-auth users on Aironet 2702i, so it can't combine with Radius Window 2008 because they just support PEAP (CHAPv1,CHAPv2....) => Please give me a tip how to change Authentication Type from PAP to PEAP for Web Authentication on Aironet

• PIX 525 aaa authentication with both tacacs and local

  Hi,
  I have configured the aaa authentication for the PIX with tacacs protocol (ACS Server).
  It works fine, now i would like to add the back up authentication, as follows:
  - If the ACS goes down i can to be authenticated with the local database.
  Is it possible with PIX, if yes how?

  Hi,
  I am trying to configure aaa using TACACS+ , i am not able to close.Problems are
  1.It dosent ask for username /password in first level.
  2.on second level it asks for user name it dosent authenticate the user .
  Cud u pls let me know if the following config is correct.If not cud u help me .
  aaa-server TACACS+ protocol tacacs+
  aaa-server TACACS+ (outside) host ip.ip.ip.ip key timeout 15
  aaa-server RADIUS protocol radius
  aaa-server LOCAL protocol local
  aaa authentication include tcp/0 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
  aaa authentication include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
  aaa authen enable console TACACS+

• Mac adress authentication with Radius

  Hello all
  we have an WiFi architecture based on two Radius servers (ACS 3.2)
  We make a Mac adress authentication with WEP on these Radius servers. Ours Wirelless cards are Proxim Orinoco. When we used the user and the passord identified by the mac adress manualy that works.
  But, the authentication by Mac adress with the wireless card don't work. The log on the radius servers are "CS PASSWORD INVALID".
  Ideas ?
  Regards

  First ensure the password on the access point and the authentication server is the same. I have had this trouble getting authenitcated with ACS for admin authentication. Installing it on another machine made it work. So try uninstalling ACS completely using the recovery CD and reinstall it to check if this works.

• SG300: MAC authentication with Radius VLAN assignment problems

  Hi,
  I just can't get the dynamic vlans working. I've tried everything, switch in L3 mode, switch in L2, several port configs, several tunnel configs in Radius server (freeradius 2.1.1)
  Here's the final switch config:
  config-file-header
  switchf460dc
  v1.3.7.18 / R750_NIK_1_35_647_358
  CLI v1.0
  set system mode switch
  file SSD indicator encrypted
  ssd-control-start
  ssd config
  ssd file passphrase control unrestricted
  no ssd file integrity control
  ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
  no spanning-tree
  vlan database
  vlan 12,100,110,666
  exit
  voice vlan oui-table add 0001e3 Siemens_AG_phone________
  voice vlan oui-table add 00036b Cisco_phone_____________
  voice vlan oui-table add 00096e Avaya___________________
  voice vlan oui-table add 000fe2 H3C_Aolynk______________
  voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
  voice vlan oui-table add 00d01e Pingtel_phone___________
  voice vlan oui-table add 00e075 Polycom/Veritel_phone___
  voice vlan oui-table add 00e0bb 3Com_phone______________
  dot1x system-auth-control
  no bonjour enable
  hostname switchf460dc
  line ssh
  exec-timeout 0
  exit
  encrypted radius-server host 192.168.99.93 key xXx priority 1 usage dot1.x
  logging host 1.2.3.4 severity debugging
  passwords aging 0
  ip ssh server
  snmp-server server
  snmp-server community public ro 192.168.99.93 view Default
  clock timezone " " +1
  clock summer-time web recurring eu
  clock source sntp
  sntp unicast client enable
  sntp server 172.16.1.1
  interface vlan 12
   ip address 192.168.99.170 255.255.255.0
   no ip address dhcp
  interface gigabitethernet5
   dot1x host-mode multi-sessions
   dot1x reauthentication
   dot1x authentication mac
   dot1x radius-attributes vlan static
   dot1x port-control auto
   switchport mode general
   switchport general allowed vlan add 100,110,666 untagged
   no macro auto smartport
  interface gigabitethernet6
   switchport mode access
   switchport access vlan 110
  interface gigabitethernet9
   switchport mode access
   switchport access vlan 12
  interface gigabitethernet10
   switchport trunk allowed vlan add 12,100,110
  exit
  ip default-gateway 192.168.99.1
  On the switch side I would expect VLAN 666 to be set but it's not there:
  switchf460dc#show dot1x users
                            MAC               Auth   Auth   Session        VLAN
  Port     Username         Address           Method Server Time
  gi5      0090dca15880     00:90:dc:a1:58:80 MAC    Remote 01:09:25
  This is the radius users file. It's a simple file for test.
  DEFAULT Auth-Type := Accept
          Tunnel-Type = VLAN,
          Tunnel-Medium-Type = IEEE-802,
          Tunnel-Private-Group-Id = 666
  I am attaching a screenshot of the Radius reply sent by the server.
  I also tried setting "copy_request_to_tunnel = yes" and "use_tunneled_reply = yes" as found in another post, no success.
  It may be that the tag is missing in the Radius reply? If yes, how do I add it?
  Any ideas?
  Thanks.
  Update Dec 11: I tried with FW 1.4.0, and using the same config the switch doesn't perform any Radius requests at all anymore.

  I was wrong when I said that 1.4.0 wouldn't work at all. I simply had a device connected which didn't produce much traffic. My bad.
  So 1.4.0 works as far as the auth is concerned, but no improvement as far as dynamic VLAN is concerned. So there is no improvement over 1.3.7, or there is a config issue.
  I have opened SR 633001533 although the last appointment for WebEx went by without anyone getting back to me. I'll try again on Monday.
  Feel free to get back to me if you need anything to make experiments. I'll keep this thread updated too.

• Web authentication with Radius server problem

  Hello,
  I'm having problem to web authenticate users via radius server for one WLC. Here is the outpu from WLC:
  *emWeb: Mar 26 14:17:31.537: 20:7d:xx:xx:d8:f0 Username entry (aaaaaa) created for mobile, length = 7
  *emWeb: Mar 26 14:17:31.537: 20:7d:xx:xx:d8:f0 Username entry (aaaaaa) created in mscb for mobile, length = 7
  *aaaQueueReader: Mar 26 14:17:31.537: Unable to find requested user entry for aaaaaa
  *aaaQueueReader: Mar 26 14:17:31.537: ReProcessAuthentication previous proto 8, next proto 1
  *aaaQueueReader: Mar 26 14:17:31.537: AuthenticationRequest: 0x1e08eb94
  *aaaQueueReader: Mar 26 14:17:31.538:   Callback.....................................0x10908d90
  *aaaQueueReader: Mar 26 14:17:31.538:   protocolType.................................0x00000001
  *aaaQueueReader: Mar 26 14:17:31.538:   proxyState...................................20:7D:xx:xx:D8:F0-00:00
  *aaaQueueReader: Mar 26 14:17:31.538:   Packet contains 11 AVPs (not shown)
  *aaaQueueReader: Mar 26 14:17:31.538: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
  *aaaQueueReader: Mar 26 14:17:31.538: 20:7d:xx:xx:d8:f0 Successful transmission of Authentication Packet (id 67) to 10.xx.33.249:1645, proxy state 20:7d:xx:xx:d8:f0-00:01
  *aaaQueueReader: Mar 26 14:17:31.538: 00000000: 01 43 00 8c 48 7c a7 ff  df 06 53 30 c0 be e1 8e  .C..H|....S0....
  *aaaQueueReader: Mar 26 14:17:31.538: 00000010: d7 fd 8b d3 01 09 73 65  66 72 73 76 65 02 12 7b  ......aaaaaa..{
  *aaaQueueReader: Mar 26 14:17:31.538: 00000020: ae 2e f5 eb fa cf f5 cc  3b 08 65 d7 04 0e ba 06  ........;.e.....
  *aaaQueueReader: Mar 26 14:17:31.538: 00000030: 06 00 00 00 01 04 06 0a  2e 09 14 05 06 00 00 00  ................
  *aaaQueueReader: Mar 26 14:17:31.538: 00000040: 0d 20 0d 73 65 76 73 74  2d 6c 77 63 31 30 3d 06  ...xxxxx-lwc10=.
  *aaaQueueReader: Mar 26 14:17:31.538: 00000050: 00 00 00 13 1a 0c 00 00  37 63 01 06 00 00 00 01  ........7c......
  *aaaQueueReader: Mar 26 14:17:31.538: 00000060: 1f 0e 31 39 32 2e 31 36  38 2e 31 2e 36 31 1e 0c  ..192.168.1.61..
  *aaaQueueReader: Mar 26 14:17:31.538: 00000070: 31 30 2e 34 36 2e 39 2e  32 30 50 12 95 11 7c d9  10.xx.9.20P...|.
  *aaaQueueReader: Mar 26 14:17:31.538: 00000080: 75 8e 01 6e bf 62 38 f8  38 ab 68 4a              u..n.b8.8.hJ
  *radiusTransportThread: Mar 26 14:17:31.603: 00000000: 03 43 00 14 e5 8c e7 75  52 04 af e0 07 b7 fb 96  .C.....uR.......
  *radiusTransportThread: Mar 26 14:17:31.603: 00000010: c1 4a fb 40                                       .J.@
  *radiusTransportThread: Mar 26 14:17:31.603: ****Enter processIncomingMessages: response code=3
  *radiusTransportThread: Mar 26 14:17:31.603: ****Enter processRadiusResponse: response code=3
  *radiusTransportThread: Mar 26 14:17:31.603: 20:7d:xx:xx:d8:f0 Access-Reject received from RADIUS server 10.xx.33.249 for mobile 20:7d:xx:xx:d8:f0 receiveId = 0
  *radiusTransportThread: Mar 26 14:17:31.603: ReProcessAuthentication previous proto 1, next proto 2
  *radiusTransportThread: Mar 26 14:17:31.603: AuthenticationRequest: 0x1da9fa4c
  *radiusTransportThread: Mar 26 14:17:31.603:    Callback.....................................0x10908d90
  *radiusTransportThread: Mar 26 14:17:31.603:    protocolType.................................0x00000002
  *radiusTransportThread: Mar 26 14:17:31.603:    proxyState...................................20:7D:xx:xx:D8:F0-00:00
  *radiusTransportThread: Mar 26 14:17:31.603:    Packet contains 11 AVPs (not shown)
  *radiusTransportThread: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Returning AAA Error 'No Server' (-7) for mobile 20:7d:xx:xx:d8:f0
  *radiusTransportThread: Mar 26 14:17:31.605: AuthorizationResponse: 0x2dd03648
  *radiusTransportThread: Mar 26 14:17:31.605:    structureSize................................32
  *radiusTransportThread: Mar 26 14:17:31.605:    resultCode...................................-7
  *radiusTransportThread: Mar 26 14:17:31.605:    protocolUsed.................................0x00000002
  *radiusTransportThread: Mar 26 14:17:31.605:    proxyState...................................20:7D:xx:xx:D8:F0-00:00
  *radiusTransportThread: Mar 26 14:17:31.605:    Packet contains 0 AVPs:
  *emWeb: Mar 26 14:17:31.605: Authentication failed for aaaaaa
  *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Username entry deleted for mobile
  *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Plumbing web-auth redirect rule due to user logout
  *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 192.168.1.61 WEBAUTH_REQD (8) Deleting mobile policy rule 42461
  *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Adding Web RuleID 42464 for mobile 20:7d:xx:xx:d8:f0
  *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Web Authentication failure for station
  *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 192.168.1.61 WEBAUTH_REQD (8) Reached ERROR: from line 5069
  That was pretty clear for me that Radius is refusing to give user access.
  Fully-Qualified-User-Name = NMEA\aaaaaa
  NAS-IP-Address = 10.xx.9.20
  NAS-Identifier = xxxxx-lwc10
  Called-Station-Identifier = 10.xx.9.20
  Calling-Station-Identifier = 192.168.1.61
  Client-Friendly-Name = YYY10.xx
  Client-IP-Address = 10.xx.9.20
  NAS-Port-Type = Wireless - IEEE 802.11
  NAS-Port = 13
  Proxy-Policy-Name = Use Windows authentication forall users
  Authentication-Provider = Windows
  Authentication-Server = <undetermined>
  Policy-Name = YYYYY Wireless Users
  Authentication-Type = PAP
  EAP-Type = <undetermined>
  Reason-Code = 66
  Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy
  That output is from WLC 5508 version 7.0.235
  What is strange, that user was able to authenticate from other before refresh WLC 4402 ver 4.2.207. I cannot change WLC because of AP which cannot run old version.
  this is output from working client connection from old WLC
  NAS-IP-Address = 10.xx.9.13
  NAS-Identifier = xxxxx-lwc03
  Client-Friendly-Name = YYY10.46
  Client-IP-Address = 10.xx.9.13
  Calling-Station-Identifier = 192.168.19.246
  NAS-Port-Type = <not present>
  NAS-Port = <not present>
  Proxy-Policy-Name = Use Windows authentication for all users
  Authentication-Provider = Windows
  Authentication-Server = <undetermined>
  Policy-Name = YYYYY Wireless Guest Access
  Authentication-Type = PAP
  EAP-Type = <undetermined>
  I know there is different Policy Name used, but my question is why it is not using the same as on old WLC when configuration is same.
  Is there any way I can force users to use different policy from WLC or AP configuration or is this solely configuration of Radius?
  Is it maybe problem of version 7.0.235?
  Any toughts would be much appriciated.

  Scott,
  You are probably right. The condition that is checked for the first policy name (we have 2) is to match
  NAS-Port-Type = Wireless - IEEE 802.11, and this is basically used to differentiate guests from other company users.
  as you can see from the logs the one that is working correctly is not sending NAS-Port-Type. The question is why.
  As I said before.
  WLC 5508 ver. 7.0.235 is sending NAS-Port-Type
  WLC 4402 ver. 4.2.207 is not.
  The same user was working OK on 4402 WLC and after refresh and associating APs to 5508 it all broke, so client did not changed anything on adapter.

• Issue with authentication with RADIUS when using VPN

  Our customer has a problem with auhtentication against Radius vhen he is using VPN or SSL VPN. Authentication on SSH or TELNET via RADIUS is working fine . When I configure on VPN (and SSL VPN) authentication against the local database, everything is working fine and tunnel is established.
  In attachement is running-config of customer's gateway and capture file of communication between RADIUS server and gateway (radius access request starting at 85th line).
  I found in this file at AVP attributes that the gateway is sending ipsec profile name (in this case "VPN") instead of username.

  SSLVPN is configured to use the local database of usernames only in this config. It is not configured to use RADIUS.

• IEEE 802.1x Authentication with RADIUS failed

  Hello guys,
  I've a little strange Situation.
  If user start his Computer (Windows 7 enterprise) and computer is connected via LAN it works fine.
  If user start his Computer (Windows 7 enterprise) and computer is connected via WLAN it works also fine.
  But if user start his Computer (Windows 7 enterprise) that is connected via LAN it is not more possible to connect to WLAN (parallel). I've implemented an IEEE 802.1 RADIUS authenticiation.
  It does not work with this special user account. I've tested it already successful with couple other accounts.
  Does someone has experience with such Situation?
  Regards
  Rodik

  It does not work with this special user account. I've tested it already successful with couple other accounts.
  Hi,
  Did you mean that this problem just occures to the single User Account but others works fine at same computer, isn't it?
  When it connect Wlan failed, is there any error message? Have you tried to reinstall the WLan device driver for test?
  it would be better to provide more details about the Wlan connect failed.
  Roger Lu
  TechNet Community Support

• Cisco AAA and Free Radius enable secret failure

  Hi,
  I am currently testing aaa authentication with free radius.
  I can authenticate users through the radius server, however i cannot authenticate the enable secret.
  Here is the router configurations
  aaa new-model
     aaa authentication login default group radius local
     aaa authentication login localauth local
     aaa authentication ppp default if-needed group radius local
     aaa authentication enable default group radius enable
     aaa authorization exec default group radius local
     aaa authorization network default group radius local
     aaa accounting delay-start
     aaa accounting exec default start-stop group radius
     aaa accounting network default start-stop group radius
  radius-server host 192.168.0.135 auth-port 1812 acct-port 1813 key cisco
  I have created a user for the enable secret as such:
  $enable15$   Auth-Type := local
          Service-Type = NAS-Prompt-User
  The router cannot authenticate when logging for priviliged mode. I cannot find any log on the radius server as well.
  PLease help.

  It should be $enab15$ as the user that IOS sends to the radius server.
  Sent from Cisco Technical Support iPhone App

• Radius authentication with ISE - wrong IP address

  Hello,
  We are using ISE for radius authentication.  I have setup a new Cisco switch stack at one of our locations and setup the network device in ISE.  Unfortunately, when trying to authenticate, the ISE logs show a failure of "Could not locate Network Device or AAA Client" The reason for this failure is the log shows it's coming from the wrong IP address.  The IP address of the switch is 10.xxx.aaa.241, but the logs show it is 10.xxx.aaa.243.  I have removed and re-added the radius configs on both ISE and the switch, but it still comes in as .243.  There is another switch stack at that location (same model, IOS etc), that works properly.
  The radius config on the switch:
  aaa new-model
  aaa authentication login default local
  aaa authentication login Comm group radius local
  aaa authentication enable default enable
  aaa authorization exec default group radius if-authenticated
  ip radius source-interface Vlanyy
  radius server 10.xxx.yyy.zzz
   address ipv4 10.xxx.yyy.zzz auth-port 1812 acct-port 1813
   key 7 abcdefg
  The log from ISE:
  Overview
  Event  5405 RADIUS Request dropped 
  Username  
  Endpoint Id  
  Endpoint Profile  
  Authorization Profile  
  Authentication Details
  Source Timestamp  2014-07-30 08:48:51.923 
  Received Timestamp  2014-07-30 08:48:51.923 
  Policy Server  ise
  Event  5405 RADIUS Request dropped 
  Failure Reason  11007 Could not locate Network Device or AAA Client 
  Resolution  Verify whether the Network Device or AAA client is configured in: Administration > Network Resources > Network Devices 
  Root cause  Could not find the network device or the AAA Client while accessing NAS by IP during authentication. 
  Username  
  User Type  
  Endpoint Id  
  Endpoint Profile  
  IP Address  
  Identity Store  
  Identity Group  
  Audit Session Id  
  Authentication Method  
  Authentication Protocol  
  Service Type  
  Network Device  
  Device Type  
  Location  
  NAS IP Address  10.xxx.aaa.243 
  NAS Port Id  tty2 
  NAS Port Type  Virtual 
  Authorization Profile  
  Posture Status  
  Security Group  
  Response Time  
  Other Attributes
  ConfigVersionId  107 
  Device Port  1645 
  DestinationPort  1812 
  Protocol  Radius 
  NAS-Port  2 
  AcsSessionID  ise1/186896437/1172639 
  Device IP Address  10.xxx.aaa.243 
  CiscoAVPair  
     Steps
    11001  Received RADIUS Access-Request 
    11017  RADIUS created a new session 
    11007  Could not locate Network Device or AAA Client 
    5405  
  As a test, I setup a device using the .243 address.  While ISE claims it authenticates, it really doesn't.  I have to use my local account to access the device.
  Any advice on how to resolve this issue would be appreciated.  Please let me know if more information is needed.

  Well from the debug I would say there may be an issue with the addressing of the radius server on the switch.
  radius-server host 10.xxx.xxx.xxx key******** <--- Make sure this address and Key matches what you have in ISE PSN and that switch. Watch for spaces in your key at the begining or end of the string.
  What interface should your switch be sending the radius request?
  ip radius source-interface VlanXXX vrf default
  Here is what my debug looks like when it is working correctly.
  Aug  4 15:58:47 EST: RADIUS/ENCODE(00000265): ask "Password: "
  Aug  4 15:58:47 EST: RADIUS/ENCODE(00000265):Orig. component type = EXEC
  Aug  4 15:58:47 EST: RADIUS(00000265): Config NAS IP: 10.xxx.xxx.251
  Aug  4 15:58:47 EST: RADIUS/ENCODE(00000265): acct_session_id: 613
  Aug  4 15:58:47 EST: RADIUS(00000265): sending
  Aug  4 15:58:47 EST: RADIUS(00000265): Send Access-Request to 10.xxx.xxx.35:1645 id 1645/110, len 104
  Aug  4 15:58:47 EST: RADIUS:  authenticator 97 FB CF 13 2E 6F 62 5D - 5B 10 1B BD BA EB C9 E3
  Aug  4 15:58:47 EST: RADIUS:  User-Name           [1]   9   "admin"
  Aug  4 15:58:47 EST: RADIUS:  Reply-Message       [18]  12 
  Aug  4 15:58:47 EST: RADIUS:   50 61 73 73 77 6F 72 64 3A 20        [ Password: ]
  Aug  4 15:58:47 EST: RADIUS:  User-Password       [2]   18  *
  Aug  4 15:58:47 EST: RADIUS:  NAS-Port            [5]   6   3                        
  Aug  4 15:58:47 EST: RADIUS:  NAS-Port-Id         [87]  6   "tty3"
  Aug  4 15:58:47 EST: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
  Aug  4 15:58:47 EST: RADIUS:  Calling-Station-Id  [31]  15  "10.xxx.xxx.100"
  Aug  4 15:58:47 EST: RADIUS:  Service-Type        [6]   6   Login                     [1]
  Aug  4 15:58:47 EST: RADIUS:  NAS-IP-Address      [4]   6   10.xxx.xxx.251           
  Aug  4 15:58:47 EST: RADIUS(00000265): Started 5 sec timeout
  Aug  4 15:58:47 EST: RADIUS: Received from id 1645/110 10.xxx.xxx.35:1645, Access-Accept, len 127
  Aug  4 15:58:47 EST: RADIUS:  authenticator 1B 98 AB 4F B1 F4 81 41 - 3D E1 E9 DB 33 52 54 C1
  Aug  4 15:58:47 EST: RADIUS:  User-Name           [1]   9   "admin"
  Aug  4 15:58:47 EST: RADIUS:  State               [24]  40 
  Aug  4 15:58:47 EST: RADIUS:   52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 61  [ReauthSession:0a]
  Aug  4 15:58:47 EST: RADIUS:   30 63 66 65 32 33 30 30 30 31 46 37 30 37 35 33  [0cfe230001F70753]
  Aug  4 15:58:47 EST: RADIUS:   44 46 45 35 46 37            [ DFE5F7]
  Aug  4 15:58:47 EST: RADIUS:  Class               [25]  58 
  Aug  4 15:58:47 EST: RADIUS:   43 41 43 53 3A 30 61 30 63 66 65 32 33 30 30 30  [CACS:0a0cfe23000]
  Aug  4 15:58:47 EST: RADIUS:   31 46 37 30 37 35 33 44 46 45 35 46 37 3A 50 52  [1F70753DFE5F7:PR]
  Aug  4 15:58:47 EST: RADIUS:   59 49 53 45 30 30 32 2F 31 39 33 37 39 34 36 39  [YISE002/19379469]
  Aug  4 15:58:47 EST: RADIUS:   38 2F 32 30 36 33 31 36          [ 8/206316]
  Aug  4 15:58:47 EST: RADIUS(00000265): Received from id 1645/110
  ---------------------------------------------------------------------------------------------------------------This is after I added the incorrect Radius server address.
  Aug  4 16:05:19 EST: RADIUS/ENCODE(00000268): ask "Password: "
  Aug  4 16:05:19 EST: RADIUS/ENCODE(00000268):Orig. component type = EXEC
  Aug  4 16:05:19 EST: RADIUS(00000268): Config NAS IP: 10.xxx.xxx.251
  Aug  4 16:05:19 EST: RADIUS/ENCODE(00000268): acct_session_id: 616
  Aug  4 16:05:19 EST: RADIUS(00000268): sending
  Aug  4 16:05:19 EST: RADIUS(00000268): Send Access-Request to 10.xxx.xxx.55:1645 id 1645/112, len 104
  Aug  4 16:05:19 EST: RADIUS:  authenticator FC 94 BA 5D 75 1F 84 08 - E0 56 05 3A 7F BC FB BB
  Aug  4 16:05:19 EST: RADIUS:  User-Name           [1]   9   "admin"
  Aug  4 16:05:19 EST: RADIUS:  Reply-Message       [18]  12 
  Aug  4 16:05:19 EST: RADIUS:   50 61 73 73 77 6F 72 64 3A 20        [ Password: ]
  Aug  4 16:05:19 EST: RADIUS:  User-Password       [2]   18  *
  Aug  4 16:05:19 EST: RADIUS:  NAS-Port            [5]   6   7                        
  Aug  4 16:05:19 EST: RADIUS:  NAS-Port-Id         [87]  6   "tty7"
  Aug  4 16:05:19 EST: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
  Aug  4 16:05:19 EST: RADIUS:  Calling-Station-Id  [31]  15  "10.xxx.xxx.100"
  Aug  4 16:05:19 EST: RADIUS:  Service-Type        [6]   6   Login                     [1]
  Aug  4 16:05:19 EST: RADIUS:  NAS-IP-Address      [4]   6   10.xxx.xxx.251           
  Aug  4 16:05:19 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:23 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:23 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:23 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:29 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:29 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:29 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:33 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:33 EST: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.xxx.xxx.55:1645,1646 is not responding.
  Aug  4 16:05:33 EST: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.xxx.xxx.55:1645,1646 is being marked alive.
  Aug  4 16:05:33 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:33 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:38 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:38 EST: RADIUS: Fail-over to (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:38 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:43 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:43 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:43 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:48 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:48 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:48 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:53 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:53 EST: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.xxx.xxx.55:1645,1646 is not responding.
  Aug  4 16:05:53 EST: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.xxx.xxx.55:1645,1646 is being marked alive.
  Aug  4 16:05:53 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:53 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:57 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:57 EST: RADIUS: No response from (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:57 EST: RADIUS/DECODE: parse response no app start; FAIL
  Aug  4 16:05:57 EST: RADIUS/DECODE: parse response; FAIL
  This is a default template I use for all my devices routers or switches hope it helps. I have two PSN's that is why we have two radius-server host commands..
  aaa authentication login vty group radius local enable
  aaa authentication login con group radius local enable
  aaa authentication dot1x default group radius
  aaa authorization network default group radius 
  aaa accounting system default start-stop group radius
  ip radius source-interface VlanXXX vrf default
  radius-server attribute 6 on-for-login-auth
  radius-server attribute 6 support-multiple
  radius-server attribute 8 include-in-access-req
  radius-server attribute 25 access-request include
  radius-server dead-criteria time 30 tries 3
  radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646 key *********
  radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646 key *********
  radius-server vsa send accounting
  radius-server vsa send authentication
  You can use this in the switch to test radius
  test aaa group radius server 10.xxx.xxx.xxx <username> <password>

• Using CHAP with RADIUS authentication

  Hi
  I have configured a Cisco 877 router to send RADIUS requests when a user logs in to the console (Line Console or Line VTY) using the following config:
  aaa new-model
  aaa authentication login default group radius
  aaa authentication ppp default group radius
  radius-server host 10.0.0.1 auth-port 1812 acct-port 1812 key mysharedkey
  When I log the RADIUS packets I see that the Cisco router is sending the initial AccessRequest using PAP.
  How can I configure the router to send it's inial AccessRequest packet using CHAP?
  Apologies if this has already been discussed, I have searched high and low for an answer.
  Thanks in advance.
  John

  Hi Carlos
  Thanks for your response. I understand what it says in the RFC:
  The NAS then sends an Access-Request
     packet to the RADIUS server with the CHAP username as the User-Name
     and with the CHAP ID and CHAP response as the CHAP-Password
     (Attribute 3).
  But, by default the NAS (in this case the Cisco 877 router) is sending a RADIUS packet with a PAP encoded password by default. As the NAS initiates the AccessRequest I need to configure it to send the correct attributes for the CHAP challenge. This is configured on the RADIUS server so it knows the NAS is going to send CHAP but the NAS initiates the request and I guess needs to be configured to do so.
  Is this possible on a Cisco 877? How?
  Thanks
  John

• Radius authentication with MSCHAP

  Hi,
  I have a few 2960 and 3650 switches in my network. I have the aaa authentication login configured for RADIUS but it is only using PAP which is unencrypted.
  The 2960 switches are running version 15.2 and the 3650 are on 3.02. The RADIUS server I am using is Microsoft NPS which can do other methods of encryption.
  Is it possible to do mschap or any other type of encryption with the switches to authenticate management access?
  Regards,
  Waqas

  This sample configuration shows how to set up a remote access VPN connection between a Cisco VPN Client (4.x for Windows) and the PIX 500 Series Security Appliance 7.x using a Cisco Secure Access Control Server (ACS version 3.2) for extended authentication (Xauth).
  http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008080f2d1.shtml

• Cisco PI 1.3 - Internal Server Error with RADIUS-authentication

  Hi,
  I have a problem with a Cisco Prime Infrastructure 1.3 (Appliance, fully patched) that I'm trying to authenticate against a Radiator RADIUS-server.
  From the RADIUS-server's point of view it looks fine, but I just get an HTTP Status 500 internal error (see attached image) when trying to log in.
  I'm not the one managing the RADIUS-server but I got the following debug sent from them:
  Wed Oct 30 08:52:06 2013: DEBUG: Packet dump:
  *** Received from 10.36.0.132 port 17235 ....
  Code:       Access-Request
  Identifier: 102
  Authentic:  REMOVED
  Attributes:
          User-Name = "test-user"
          User-Password = REMOVED
          NAS-IP-Address = 10.36.0.132
          Message-Authenticator = REMOVED
  Wed Oct 30 08:52:06 2013: DEBUG: Handling request with Handler 'Client-Identifier=/^prime[.]net[.]REMOVED[.]se$/', Identifier 'Network-Prime-AAA'
  Wed Oct 30 08:52:06 2013: DEBUG:  Deleting session for test-user, 10.36.0.132,
  Wed Oct 30 08:52:06 2013: DEBUG: Handling with Radius::AuthUNIX:
  Wed Oct 30 08:52:06 2013: DEBUG: Radius::AuthUNIX looks for match with test-user [test-user]
  Wed Oct 30 08:52:06 2013: DEBUG: Radius::AuthUNIX ACCEPT: : test-user [test-user]
  Wed Oct 30 08:52:06 2013: DEBUG: AuthBy UNIX result: ACCEPT,
  Wed Oct 30 08:52:06 2013: DEBUG: Handling with Radius::AuthFILE:
  Wed Oct 30 08:52:06 2013: DEBUG: Radius::AuthFILE looks for match with test-user [test-user]
  Wed Oct 30 08:52:06 2013: DEBUG: Radius::AuthFILE ACCEPT: : test-user [test-user]
  Wed Oct 30 08:52:06 2013: DEBUG: AuthBy FILE result: ACCEPT,
  Wed Oct 30 08:52:06 2013: DEBUG: Access accepted for test-user
  Wed Oct 30 08:52:06 2013: DEBUG: Packet dump:
  *** Sending to 10.36.0.132 port 17235 ....
  Code:       Access-Accept
  Identifier: 102
  Authentic:  REMOVED
  Attributes:
          cisco-avpair = "NCS:virtual-domain0=ROOT-DOMAIN"
          cisco-avpair = "NCS:role0=Admin"
          cisco-avpair = "NCS:task0=View Alerts and Events"
          cisco-avpair = "NCS:task1=Device Reports"
  ..the rest of the AV-pairs removed
  Does anyone have any idea on what the the problem is, or some tips on how to troubleshoot? (rebooting and ncs stop/start has no impact on the issue)
  //Charlie

  I ran into a similar issue this morning in my lab.  After I issued ncs status - the database service came back as not running.  I stop/started the Prime services and it came up.  Once all the services were running my WLC imported with no issues.  I also deployed another server for another lab and it had issues with the clocking being out of sync.