AAA not authenticating to Win Radius server

Similar Messages

• Cisco AAA authentication with windows radius server

  Cisco - Windows Radius problems
  I need to created a limited access group through radius that I can have new network analysts log into
  and not be able to commit changes or get into global config.
  Here are my current radius settings
  aaa new-model
  aaa group server radius IAS
   server name something.corp
  aaa authentication login USERS local group IAS
  aaa authorization exec USERS local group IAS
  radius server something.corp
   address ipv4 1.1.1.1 auth-port 1812 acct-port 1813
   key mypassword
  line vty 0 4
   access-class 1 in
   exec-timeout 0 0
   authorization exec USERS
   logging synchronous
   login authentication USERS
   transport input ssh
  When I log in to the switch, the radius server is passing the corrrect attriubute
  ***Jan 21 13:59:51.897: RADIUS:   Cisco AVpair       [1]   18  "shell:priv-lvl=7"
  The switch is accepting it and putting you in the correct priv level.
  ***Radius-Test#sh priv
     Current privilege level is 7
  I am not sure why it logs you in with the prompt for  privileged EXEC mode when
  you are in priv level 7. This shows that even though it looks like your in priv exec
  mode, you are not.
  ***Radius-Test#sh run
                  ^
     % Invalid input detected at '^' marker.
     Radius-Test#
  Now this is where I am very lost.
  I am in priv level 7, but as soon as I use the enable command It moves me up to 15, and that gives me access to
  global config mode.
  ***Radius-Test#enable
     Radius-Test#
  Debug log -
  Jan 21 14:06:28.689: AAA/MEMORY: free_user (0x2B46E268) user='reynni10'
  ruser='NULL' port='tty390' rem_addr='10.100.158.83' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
  Now it doesnt matter that I was given priv level 7 by radius because 'enable' put me into priv 15
  ***Radius-Test#sh priv
     Current privilege level is 15
     Radius-Test#
  I have tried to set
  ***privilege exec level 15 enable
  It works and I am no longer able to use 'enable' when I am at prv level 7, but I also cannot get the commands they will need to work.
  Even if I try to do
  ***privilege exec level 7 show running-config (or other variations)
  It will allow you to type sh run without errors, but it doest actually run the command.
  What am I doing wrong?
  I also want to get PKI working with radius.

  I can run a test on my radius system, will report back accordingly, as it's a different server than where I am currently located.
  Troubleshooting, have you deleted the certificate/network profile on the devices and started from scratch?

• VPN Tunnel w/ 802.1X port authentication against remote RADIUS server

  I have a Cisco 892 setup as a VPN client connecting to an ASA 5515-X.  The tunnel works fine and comes up if theirs correct traffic.  I have two RADIUS servers I want to use certificate based authentication to, that are located behind the ASA 5515-X.
  If I connect a computer that has the correct certificates to ports FA0 through 3, authentication won't work.  I'll see the following.  This happens even if the VPN tunnel is established already by doing something such as connecting a VOIP phone.  No entrys are located in the RADIUS logs, and I also cannot ping the RADIUS servers from VLAN10.
  *Jan 30 19:46:01.435: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.1.100:1812,1813 is not responding.
  *Jan 30 19:46:01.435: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.1.100:1812,1813 is being marked alive.
  *Jan 30 19:46:21.659: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.26.10:1812,1813 is not responding.
  *Jan 30 19:46:21.659: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.26.10:1812,1813 is being marked alive.
  If I connect a second PC to an interface with 802.1X disabled, such as FA6, the VPN tunnel will establish itself correctly.  In this situation, I can ping the RADIUS servers from VLAN10.  If I go ahead and connect another PC with correct certificates to a port with 802.1X enabled such as port FA0 through 3, then 802.1X will suceed.
  Current configuration : 6199 bytes
  ! Last configuration change at 15:40:11 EST Mon Feb 3 2014 by
  version 15.2
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname router1
  boot-start-marker
  boot-end-marker
  aaa new-model
  aaa local authentication default authorization default
  aaa authentication login default local
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  aaa session-id common
  clock timezone EST -5 0
  clock summer-time EDT recurring
  ip cef
  ip dhcp pool pool
  import all
  network 192.168.28.0 255.255.255.248
  bootfile PXEboot.com
  default-router 192.168.28.1
  dns-server 192.168.26.10 192.168.1.100 8.8.8.8 4.2.2.2
  domain-name domain.local
  option 66 ip 192.168.23.10
  option 67 ascii PXEboot.com
  option 150 ip 192.168.23.10
  lease 0 2
  ip dhcp pool phonepool
  network 192.168.28.128 255.255.255.248
  default-router 192.168.28.129
  dns-server 192.168.26.10 192.168.1.100
  option 150 ip 192.168.1.132
  domain-name domain.local
  lease 0 2
  ip dhcp pool guestpool
  network 10.254.0.0 255.255.255.0
  dns-server 8.8.8.8 4.2.2.2
  domain-name local
  default-router 10.254.0.1
  lease 0 2
  no ip domain lookup
  ip domain name remote.domain.local
  no ipv6 cef
  multilink bundle-name authenticated
  license udi pid CISCO892-K9
  dot1x system-auth-control
  username somebody privilege 15 password 0 password
  redundancy
  crypto isakmp policy 1
  encr aes 256
  authentication pre-share
  group 5
  crypto isakmp key secretpassword address 123.123.123.123
  crypto ipsec transform-set pix-set esp-aes 256 esp-sha-hmac
  mode tunnel
  crypto map pix 10 ipsec-isakmp
  set peer 123.123.123.123
  set transform-set pix-set
  match address 110
  interface BRI0
  no ip address
  encapsulation hdlc
  shutdown
  isdn termination multidrop
  interface FastEthernet0
  switchport access vlan 10
  switchport voice vlan 11
  no ip address
  authentication port-control auto
  dot1x pae authenticator
  spanning-tree portfast
  interface FastEthernet1
  switchport access vlan 10
  switchport voice vlan 11
  no ip address
  authentication port-control auto
  dot1x pae authenticator
  spanning-tree portfast
  interface FastEthernet2
  switchport access vlan 10
  switchport voice vlan 11
  no ip address
  authentication port-control auto
  dot1x pae authenticator
  spanning-tree portfast
  interface FastEthernet3
  switchport access vlan 10
  switchport voice vlan 11
  no ip address
  authentication port-control auto
  dot1x pae authenticator
  spanning-tree portfast
  interface FastEthernet4
  switchport access vlan 10
  switchport voice vlan 11
  no ip address
  spanning-tree portfast
  interface FastEthernet5
  switchport access vlan 12
  switchport voice vlan 11
  no ip address
  spanning-tree portfast
  interface FastEthernet6
  switchport access vlan 10
  switchport voice vlan 11
  no ip address
  spanning-tree portfast
  interface FastEthernet7
  switchport access vlan 10
  switchport voice vlan 11
  no ip address
  authentication port-control auto
  dot1x pae authenticator
  spanning-tree portfast
  interface FastEthernet8
  no ip address
  shutdown
  duplex auto
  speed auto
  interface GigabitEthernet0
  ip address dhcp
  ip nat outside
  ip virtual-reassembly in
  duplex auto
  speed auto
  crypto map pix
  interface Vlan1
  no ip address
  interface Vlan10
  ip address 192.168.28.1 255.255.255.248
  ip nat inside
  ip virtual-reassembly in
  interface Vlan11
  ip address 192.168.28.129 255.255.255.248
  interface Vlan12
  ip address 10.254.0.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  ip forward-protocol nd
  ip http server
  ip http authentication local
  ip http secure-server
  ip nat inside source list 101 interface GigabitEthernet0 overload
  ip route 0.0.0.0 0.0.0.0 dhcp
  ip radius source-interface Vlan10
  ip sla auto discovery
  access-list 101 deny   ip 192.168.28.0 0.0.0.255 192.168.0.0 0.0.255.255
  access-list 101 permit ip 192.168.28.0 0.0.0.255 any
  access-list 101 permit ip 10.254.0.0 0.0.0.255 any
  access-list 110 permit ip 192.168.28.0 0.0.0.255 192.168.0.0 0.0.255.255
  access-list 110 permit ip 192.168.29.0 0.0.0.255 192.168.0.0 0.0.255.255
  radius-server host 192.168.1.100 auth-port 1812 acct-port 1813 key secretkey
  radius-server host 192.168.26.10 auth-port 1812 acct-port 1813 key secretkey
  control-plane
  mgcp profile default
  line con 0
  line aux 0
  line vty 0 4
  transport input all
  ntp source FastEthernet0
  ntp server 192.168.26.10
  ntp server 192.168.1.100
  end

  I have 802.1X certificate authentication enabled on the computers.  As described in my post above, authentication will work if theirs another device on the same VLAN that is connected to a port that bypasses authentication.  It seems like I have a chicken and egg scenario, a device needs to be sucessfully connected to VLAN10 before the router will use it's VLAN10 interface to communicate with my remote RADIUS server.

• 3750 switch not forwarding EAPoL to RADIUS server

  I have a 3750 switch stack running version 12.2(53)SE2 IPBASEK9-M. I have dot1x configured on the switch and have a Windows 7 PC connected with 802.1x configured on the interface. I see the EAPoL start message from the PC, but I don't see any RADIUS packets from the switch to the RADIUS server. I have a simple dot1x config just to try to get it working prior to adding additional features such as guest-vlan...
  Config and debug file attached.
  I don't know if the ip dhcp snooping and arp inspection configuration is causing an issue with this or not. I see the EAPoL packet received on the switch as seen in the debug attachment, but I still never see the RADIUS packet. I did set both to trust on the interface but still the same outcome. I can't disable it since it is a production switch with a test interface.
  Any ideas?
  Thanks,
  Mark

  Hi Mark,
  The config seems to be OK, nothing I would miss if I assume that mandatory
  commands not shown in your config are in place
  aaa-new-model is required for dot1x to function, I don't seee that command.
  I have configured dot1x just a few times but I always used the commands
  aaa authorization network default group radius
  and
  radius-server vsa send
  (honestly, I'm not sure whether they are required, it's just a template which
  I know as working)
  Careful if this is a production system
  AAA New-Model will radically change every authentication behaviour on the
  switch if it is not already configured
  The main issue seems that the catalys is not sending an "EAP-Request/Identity"
  back, Radius-Packets will only be sent after the "EAP-Response/Identity":
  (taken from http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_50_se/configuration/guide/sw8021x.html)
  Do you have any other dot1x client?
  You can use a cisco router for testing dot1x if you have
  test system at hand:
  conf term
  dot1x credentials DOT1XTEST
    username testuser
    password testpassword
    exit
  interface [name-of-interface-connected-to-catalyst]
    dot1x pae supplicant
    dot1x credentials DOT1XTEST
  Another approach:
  use the classic config (not auth-manager but "dot1x syntax") you are
  using a very new version of IOS, might be buggy:
  Switch(config)# aaa new-model
  Switch(config)# aaa authentication dot1x default group radius
  Switch(config)# aaa authorization network default group radius
  Switch(config)# radius-server host [IP-address] auth-port [port] key [port]
  Switch(config)# dot1x system-auth-control
  Switch(config)# interface [interface]
  Switch(config-if)# switchport mode access
  Switch(config-if)# dot1x port-control auto
  Hope something is helpful
  Additional debug hints:
  use
  show dot1x all
  show dot1x interface [interface-name] detail
  show dot1x interface [interface-name] satistic
  Do see something like "RxResp = x" with x>0?
  rgds, MiKa

• Wnm Not Authenticated on backup radius

  Hi,
  I have a WLSE with 2.12 version firmware and AP 1210 serie with 12.3(7)JA firmware. I have several site location with 2 radius server (a main and a backup).
  When I turn off the main radius server, to make test, all the AP go to the backup to register. But the WNm status stay on Not Authenticated. ow can I do to change the status to Security Keys Setup ?
  I hope you understand me. Thanks for helping me.

  Step 1 Browse to the Wireless Services Summary page
  Step 2 Click WDS to browse to the WDS/WNM Summary page.
  Step 3 On the WDS/WNM Summary page, click Settings to browse to the WDS/WNM Settings page
  Step 4 Check the Use this AP as Wireless Domain Services check box.
  Step 5 In the Wireless Domain Services Priority field, enter a priority number from 1 to 255 to set the priority of this WDS candidate. The WDS access point candidate with the highest priority number becomes the acting WDS access point.
  Step 6 (Optional) If you use a Wireless LAN Solutions Engine (WLSE) on your network, check the Configure Wireless Network Manager check box and enter the IP address of the WLSE device in the Wireless Network Manager IP Address field. The WDS access point collects radio measurement information from access points and client devices and sends the aggregated data to the WLSE device.
  Step 7 Click Apply.
  Step 8 Click Server Groups to browse to the WDS Server Groups page
  Step 9 Create a group of servers to be used for 802.1x authentication for the infrastructure devices (access points) that use the WDS access point. Enter a group name in the Server Group Name field.
  Step 10 Select the primary server from the Priority 1 drop-down menu. (If a server that you need to add to the group does not appear in the Priority drop-down menus, click Define Servers to browse to the Server Manager page. Configure the server there, and then return to the WDS Server Groups page.)
  Step 11 (Optional) Select backup servers from the Priority 2 and 3 drop-down menus.
  Step 12 Click Apply.
  Step 13 Configure the list of servers to be used for 802.1x authentication for CCKM-enabled client devices. You can specify a separate list for clients using a certain type of authentication, such as EAP, LEAP, or MAC-based, or specify a list for client devices using any type of authentication. Enter a group name for the server or servers in the Server Group Name field.
  Step 14 Select the primary server from the Priority 1 drop-down menu. (If a server that you need to add to the group does not appear in the Priority drop-down menus, click Define Servers to browse to the Server Manager page. Configure the server there, and then return to the WDS Server Groups page.)
  Step 15 (Optional) Select backup servers from the Priority 2 and 3 drop-down menus.
  Step 16 (Optional) Select Restrict SSIDs to limit use of the server group to client devices using specific SSIDs. Enter an SSID in the SSID field and click Add. To remove an SSID, highlight it in the SSID list and click Remove.
  Step 17 Click Apply.
  Step 18 Configure the WDS access point for EAP authentication

• Problems with re authentications in a wireless with WLC working with web authentication and a radius server

  Hi everyone, im having problems in a wireless network, the SSID has security layer 2 WPA, layer 3 web authentication (internal default page), and external RADIUS.
  When a client makes a roaming from one AP to another one or when he has a idle time, he needs to re authenticate in the web login page. Somebody knows a solution to avoid this behavior?. Or somebody has a troubleshooting way to determine why the clients have this problems??

  A few things I can share that might help .. Your actually feet on the ground will be importnat to see this issue for yourself.
  I know when a client or if the AP sends a DEAUTH frame the client will need to reestablish its connection and it will 100% of the time require a new web auth. If a client loses connection while roaming and a DEAUTH is sent on either side you will get the page. If youre client isnt romaing cleanly this can be a problem.
  Another problem is your using EAP. Are you using CCK or a device that supports OKC. What does your radius server say when a client roams ?
  You could also simply your config and then reapply your security and see where it breaks. By this I mean. For testing, create a SSID turn off security and leave layer 3 web auth on. Roam and see what happens. If it works, then start to apply the security and see where it breaks.
  "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
  ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

• WLC WLAN Authentication from External RADIUS Server

  Dears,
  How to make WLC Receive PoD (Packet of Disconnect) from the RADIUS server to terminate the session and disconnect authenticating clients.
  Thanks,

  Hi Ahmed,
  Its not documented well, but here is it:
  CSCso52532 No Documentation for sending RADIUS Disconnect-Request (RFC 3576)
  . If a user has to be logged out then, following attributes are expected
    - SSH_RADIUS_AVP_SERVICE_TYPE(6) attribte with following value.
           SSH_RADIUS_SERVICE_TYPE_LOGIN(1)
         - SSH_RADIUS_AVP_CALLING_STATION_ID(31) - this is needed, if
                we want to delete  particular user  session via particular device
                (like PDA, Phone or PC)
         - SSH_RADIUS_AVP_USER_NAME(1)
  . If a management user has to be logged out then, following attributes
  are expected
    - SSH_RADIUS_AVP_SERVICE_TYPE(6) attribte with following value
    - SSH_RADIUS_SERVICE_TYPE_ADMINISTRATIVE
                        OR
     - SSH_RADIUS_SERVICE_TYPE_NAS_PROMPT
     - SSH_RADIUS_AVP_USER_NAME(1)
     - SSH_RADIUS_AVP_FRAMED_IP_ADDRESS(8)
  Eg:
  *Dec 17 12:59:08.926:   Packet contains 14 AVPs:
  *Dec 17 12:59:08.926:       AVP[01] User-Name................................user@domain (17 bytes)
  *Dec 17 12:59:08.926:       AVP[02] Nas-Port.................................0x0000000d (13) (4 bytes)
  *Dec 17 12:59:08.926:       AVP[03] Nas-Ip-Address...........................0x0a0047fb (167790587) (4 bytes)
  *Dec 17 12:59:08.926:       AVP[04] Framed-IP-Address........................0x0a003f1b (167788315) (4 bytes)
  *Dec 17 12:59:08.926:       AVP[05] NAS-Identifier...........................wlcRM_1 (7 bytes)
  *Dec 17 12:59:08.926:       AVP[06] Airespace / WLAN-Identifier..............0x00000004 (4) (4 bytes)
  *Dec 17 12:59:08.926:       AVP[07] Acct-Session-Id..........................4b2a1d0c/00:1c:26:cb:27:71/4 (28 bytes)
  *Dec 17 12:59:08.926:       AVP[08] Acct-Authentic...........................0x00000001 (1) (4 bytes)
  *Dec 17 12:59:08.926:       AVP[09] Tunnel-Type..............................0x0000000d (13) (4 bytes)
  *Dec 17 12:59:08.926:       AVP[10] Tunnel-Medium-Type.......................0x00000006 (6) (4 bytes)
  *Dec 17 12:59:08.926:       AVP[11] Tunnel-Group-Id..........................0x3633 (13875) (2 bytes)
  *Dec 17 12:59:08.926:       AVP[12] Acct-Status-Type.........................0x00000001 (1) (4 bytes)
  *Dec 17 12:59:08.926:       AVP[13] Calling-Station-Id.......................10.0.63.27 (10 bytes)
  *Dec 17 12:59:08.926:       AVP[14] Called-Station-Id........................10.0.71.251 (11 bytes)
  *Dec 17 12:59:10.943: 00:1c:26:cb:27:71 Accounting-Response received from RADIUS server 10.0.71.249 for mobile 00:1c:26:cb:27:71 receiveId = 0
  *Dec 17 12:59:34.044: Received a 'RFC-3576 Disconnect-Request' from 10.0.71.249
  *Dec 17 12:59:34.044:   Packet contains 6 AVPs:
  *Dec 17 12:59:34.044:       AVP[01] Nas-Ip-Address...........................0x0a0047fb (167790587) (4 bytes)
  *Dec 17 12:59:34.044:       AVP[02] User-Name................................user@domain (17 bytes)
  *Dec 17 12:59:34.044:       AVP[03] Acct-Session-Id..........................4b2a1d0c/00:1c:26:cb:27:71/4 (28 bytes)
  *Dec 17 12:59:34.044:       AVP[04] Calling-Station-Id.......................10.0.63.27 (10 bytes)
  *Dec 17 12:59:34.044:       AVP[05] Called-Station-Id........................10.0.71.251 (11 bytes)
  *Dec 17 12:59:34.044:       AVP[06] Service-Type.............................0x00000001 (1) (4 bytes)
  *Dec 17 12:59:34.044: Error cause 503 generated for 'RFC-3576 Disconnect-Request' from 10.0.71.249 (Session Identification attributes not valid)
  *Dec 17 12:59:34.045: Sent a 'RFC-3576 Disconnect-Nak' to 10.0.71.249:3799
  *Dec 17 12:59:36.561: ****Enter processIncomingMessages: response code=5
  **Share your knowledge. It’s a way to achieve immortality.
  --Dalai Lama**
  Please Rate if helpful.
  Regards
  Ed

• Visual Composer is not running on Win 2003 Server

  Hi,
  after installing Visual Composer on a Win 2003 Server (with applying OSS note 804496).
  The analyzer from note 772559 do not notice errors.
  But I get a HTTP Error 403 - Forbidden: Access es denied --> You are not authorized to view this page.
  It is a Test system and I have allowed all I can, but it is not working.
  Does somebody have an idea why I got this error message? Do I have to configure something that is not described in the Installation Guide?

  Hi Ignacio,
  I did not change the file. I use the same on a Win2000 Server and it's working there.
  By the way, the URL http://ep-tst/vcserver/~server.ini is working, so it could not be a permission problem, could it?
  The default.htm is the default page in the VCServer directory..."http://ep-tst/VCServer/default.htm" is not working, too.
  And the title shows "Loading... - Microsoft IE".
  Do you have an other idea?
  Thanks&Regards,
  Mathias

• Not able to remove "radius-server-source-port-1645-1646"

  Hii Guys! I'm trying to remove the "radius-server-source-port -1645-1646" command but it's not happening.. Command executes but it's still showing up in running configuration...... It's on 2960 switch running 12.2 lanbasek9 IOS.

  Hmm..... That's not the case.... Tried this already
  Even I've seen its kinda default command in some old IOS....... But not getting a firm URL or link to confirm it..... So not sure if it's issue with IOS or something else

• Connection to Licence Server fails - not authenticated

  System:
  SAP B1 2007A PL42
  SAP Client, SAP Server and SAP Service Manager are running on my local computer.
  Service Manager and Licenze Server are running.
  Try to login as manger to a client database in SAP B1.
  The login fails with error message "Connection to Licence Server is not authenticated" ("Verbindung zu Lizenz Server ist nicht authentifiziert!").
  Login to other client databases installed in the same system without any problem.
  Thank you for your help!
  Frank Romeni

  Hi Frank,
  Does the database name contain a '&' sign? If it does, could you please try restoring the database with a name that does not contain the '&' sign.
  When the database name is forwarded to the licence service in an XML format and there are certain characters which are not allowed to be in an XML: > < & ' " \                                                             
  The database name must not include such characters and this is what causes the error message you are receiving.                                                                               
  In order to solve this issue, please follow the steps below:                                                                               
  1. Detach DB, check datafile.mdf and logfile_log.log for special signs. If necessary rename.
  2. Attach it again. Make sure no special sign e.g. like "&" are used for the name of DB as well
  hope it helps,
  Regards,
  Ladislav
  SAP Business One Forum Team

• Web Authentication with MS IAS Server

  I'm trying to configure my 2106 WLC to authenticate with an MS IAS Radius Server. I had this working, but my boss did not want to do any configuration on the client side and now wants to do all authentication through Web authentication with the Radius server. The wireless client connects and is redirected to the login page like they're supposed to, but when I enter my credentials the login fails. However, if I enter the login of a local user to the controller the authentication works.
  I see in the logs the following error: AAA Authentication Failure for UserName:chevym User Type: WLAN USER. The authentication is reaching the server too, but the logs don't tell you much.
  Here is what is in the server logs: 192.168.0.77,chevym,07/29/2008,05:58:16,IAS,TESTLAB1,25,311 1 192.168.0.221 07/28/2008 17:27:10 48,4127,2,4130,TESTLAB\chevym,4129,TESTLAB\chevym,4154,Use Windows authentication for all users,4155,1,4128,Wireless LAN Controller,4116,9,4108,192.168.0.77,4136,3,4142,19
  I don't really understand any of that and I'm not really sure if I have the server itself configured correctly for what I want to do. Does anyone have instructions on how to do this?

  I had another thread going on this, but since it appears to be an IAS problem, I've been posting on the MS forum instead of here.
  I'm trying to set up wireless laptop-WLC-IAS authentication using PEAP.
  The machine authenticates on boot, but any login by any user results in this message in the Windows Event log on the IAS server:
  Event Type: Warning
  Event Source: IAS
  Event Category: None
  Event ID: 2
  Date: 9/3/2008
  Time: 11:00:55 PM
  User: N/A
  Computer: DC1
  Description:
  User SCOTRNCPQ003.scdl.local was denied access.
  Fully-Qualified-User-Name = SCDL\SCOTRNCPQ003.scdl.local
  NAS-IP-Address = 10.10.10.10
  NAS-Identifier = scohc0ciswlc
  Called-Station-Identifier = 00-21-55-C0-7D-70:Domain Staff
  Calling-Station-Identifier = 00-90-4B-4C-92-B7
  Client-Friendly-Name = WLAN Controller
  Client-IP-Address = 10.10.10.10
  NAS-Port-Type = Wireless - IEEE 802.11
  NAS-Port = 29
  Proxy-Policy-Name = Use Windows authentication for all users
  Authentication-Provider = Windows
  Authentication-Server =
  Policy-Name =
  Authentication-Type = EAP
  EAP-Type =
  Reason-Code = 8
  Reason = The specified user account does not exist.
  The policy is the default connection policy created when installing IAS.
  In ADUC, I've tried setting both the machine and users Dial-In properties to Allow Access or Control through policy, with the same result.
  I've gone through the policy and there isn't anything there, other than the Day-Time rule which is set to allow access for all hours of the whole day, every day.
  In the last few days, I've read about the Ignore User Dial In properties, but can't find where/how you set this.
  It sounded to me as if this had been resolved in this thread, so I wanted to know how this had been accomplished.

• No Radius-accept-request received on Radius server

  Hi,
  I'm trying to access my network through 802.1X Radius authentication. My PC is connected to a 2950 switch with following configuration:
  aaa new-model
  aaa authentication dot1x default group radius
  dot1x system-auth-control
  radius-server host 11.0.0.2 key Ralf
  on interface level(connection to PC):
  switchport mode access
  switchport access vlan 8
  dot1x port-control auto
  on interface level(connection to Radius server):
  switchport mode access
  switchport access vlan 8
  I enabled 802.1X authentication on my PC via the service 'Wired Autoconfig' and in the tab authentication (one of the tabs of the interface configuration)
  I choose PEAP.
  Result:
  When I trace my PC-interface with Wireshark, I see an EAPOL- EAP-Request and a EAP-Response message. The next message in the flow should be a Radius-Accept-request message but it seems that this message is never sent. Although, when i open a 'debug radius' session on the switch, the logs are indicating that the accept-request message is sent. Strange because I see no message coming in on the Radius-server interface.
  The Radius-server has IP-address 11.0.0.2 and my PC 11.0.0.3.
  Does anybody see a reason why the Radius-Accept-Request message is not received on my Radius-server interface?
  Kind regards,Ralf.

  Hi,
  When using PEAP, the authnetication is not as simple as that.
  This is the PEAP authentication process:
  Here you can see the switch as the AP.
  So, after the first  EAP-Response message, the ACS must reply with an Access-Challenge containing the EAP-TLS start, so the encryption tunnel can be started.
  One possible reason for this not to happen is simply because the ACS does not support PEAP and/or does not conatin the server certificate needed to build the TLS tunnel.
  HTH,
  Tiago
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

• Can't authenticate Mac VPN client from RADIUS server

  Hello,
  I'm a real noob here so please bear with me.
  I have been able to configure my PIX 515E to allow VPN connections onto my network, but what I need to do is set up some sort of user authentication to control access at a user level. From what I've read here and in the Configuration Guide I should be able to do this authentication with a RADIUS server. I'm running a Corriente Networks Elektron Security server which has RADIUS server capabilities. It is running on my (inside) interface at IP 192.168.10.26.
  I thought that I had everything configured properly but it never seems to authenticate. I connect, the XAUTH window pops up, I add my username and password as it's configured on my RADIUS server, but when I click OK it just cycles the progress bar at the bottom and eventually times out. The client log doesn't show me anything and the log on the RADIUS server shows me nothing. Any ideas? this seems like it should be simple because I can connect until I attempt to authenticate to the RADIUS server.
  TIA for any direction you can provide me.
  Christine

  If it helps, here is my config with a some of the non-related bits deleted:
  interface ethernet0 auto
  interface ethernet1 auto
  interface ethernet2 auto
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  nameif ethernet2 DMZ security50
  enable password ********* encrypted
  passwd ******* encrypted
  hostname pixfirewall
  domain-name acme.com
  fixup protocol dns maximum-length 512
  fixup protocol ftp 21
  fixup protocol http 80
  fixup protocol http 82
  fixup protocol rsh 514
  fixup protocol rtsp 554
  fixup protocol sip 5060
  fixup protocol sip udp 5060
  fixup protocol skinny 2000
  fixup protocol smtp 25
  access-list inside_outbound_nat0_acl permit ip any 192.168.10.0 255.255.255.0
  access-list inside_outbound_nat0_acl permit ip host 192.168.10.26 192.168.10.192 255.255.255.224
  access-list inside_outbound_nat0_acl permit ip host 192.168.10.69 192.168.10.192 255.255.255.224
  access-list outside_cryptomap_dyn_20 permit ip any 192.168.10.0 255.255.255.0
  access-list outside_cryptomap_dyn_40 permit ip any 192.168.10.192 255.255.255.224
  mtu outside 1500
  mtu inside 1500
  mtu DMZ 1500
  ip address outside 207.XXX.XXX.130 255.255.255.0
  ip address inside 192.168.10.1 255.255.255.0
  ip address DMZ 192.168.100.1 255.255.255.0
  multicast interface inside
  ip audit info action alarm
  ip audit attack action alarm
  ip local pool CBI_VPN_Pool 192.168.10.201-192.168.10.220
  pdm location 192.168.10.50 255.255.255.255 inside
  pdm group CBI_Servers inside
  pdm logging warnings 100
  pdm history enable
  arp timeout 14400
  global (outside) 200 interface
  global (DMZ) 200 interface
  nat (inside) 0 access-list inside_outbound_nat0_acl
  nat (inside) 200 192.168.10.0 255.255.255.0 0 0
  static (inside,outside) 207.XXX.XXX.150 192.168.10.27 netmask 255.255.255.255 0 0
  static (inside,outside) 207.XXX.XXX.132 192.168.10.26 dns netmask 255.255.255.255 0 0
  access-group 100 in interface outside
  route outside 0.0.0.0 0.0.0.0 207.XXX.XXX.129 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
  timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout uauth 0:05:00 absolute
  aaa-server radius-authport 1812
  aaa-server radius-acctport 1812
  aaa-server TACACS+ protocol tacacs+
  aaa-server RADIUS protocol radius
  aaa-server RADIUS (inside) host 192.168.10.26 ************* timeout 10
  aaa-server LOCAL protocol local
  http server enable
  http 192.168.10.3 255.255.255.255 inside
  no floodguard enable
  sysopt connection permit-ipsec
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
  crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
  crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map client authentication RADIUS
  crypto map outside_map interface outside
  crypto map inside_map interface inside
  isakmp enable outside
  isakmp nat-traversal 3600
  isakmp policy 20 authentication pre-share
  isakmp policy 20 encryption des
  isakmp policy 20 hash md5
  isakmp policy 20 group 2
  isakmp policy 20 lifetime 86400
  vpngroup Test_VPN address-pool CBI_VPN_Pool
  vpngroup Test_VPN dns-server 142.77.2.101 142.77.2.36
  vpngroup Test_VPN default-domain acme.com
  vpngroup Test_VPN idle-time 1800
  vpngroup Test_VPN authentication-server RADIUS
  vpngroup Test_VPN user-authentication
  vpngroup Test_VPN user-idle-timeout 1200
  vpngroup Test_VPN password ********
  ssh timeout 5
  console timeout 0
  dhcpd address 192.168.10.100-192.168.10.254 inside
  dhcpd dns 142.77.2.101 142.77.2.36
  dhcpd lease 3600
  dhcpd ping_timeout 750
  dhcpd auto_config outside
  dhcpd enable inside

• Cisco ISE: External RADIUS Server

  Hi,
  I would like to forward RADIUS from PSN to another PSN. I already defined "External RADIUS Servers".
  So, how can I use this external RADIUS server to process my request ?
  Looking at the user guide but didn't find any information about this setting (For rule based not simple rule)
  If anyone use this, please suggest this to me.
  Thanks,
  Pongsatorn

  Defining an External RADIUS Server
  The Cisco Cisco ISE can function both as a RADIUS server and as a RADIUS proxy server. When it acts as a proxy server, the Cisco Cisco ISE receives authentication and accounting requests from the network access server (NAS) and forwards them to the external RADIUS server. The Cisco Cisco ISE accepts the results of the requests and returns them to the NAS. You must configure the external RADIUS servers in the Cisco Cisco ISE to enable it to forward requests to the external RADIUS servers. You can define the timeout period and the number of connection attempts.
  The Cisco Cisco ISE can simultaneously act as a proxy server to multiple external RADIUS servers. You can use the external RADIUS servers that you configure here in RADIUS server sequences. This External RADIUS Server page lists all the external RADIUS servers that you have defined in Cisco Cisco ISE. You can use the filter option to search for specific RADIUS servers based on the name or description or both.
  To create an external RADIUS server, complete the following steps:
  Step 1 Choose Administration > Network Resources > External RADIUS Servers.
  The RADIUS Servers page appears with a list of external RADIUS servers that are defined in Cisco ISE.
  Step 2 Click Add to add an external RADIUS server.
  Step 3 Enter the values as described:
  •Name—(Required) Enter the name of the external RADIUS server.
  •Description—Enter a description of the external RADIUS server.
  •Host IP—(Required) Enter the IP address of the external RADIUS server.
  •Shared Secret—(Required) Enter the shared secret between Cisco Cisco ISE and the external RADIUS server that is used for authenticating the external RADIUS server. A shared secret is an expected string of text that a user must provide to enable the network device to authenticate a username and password. The connection is rejected until the user supplies the shared secret. The shared secret can be up to 128 characters in length.
  •Enable KeyWrap—This option increases RADIUS protocol security via an AES KeyWrap algorithm, to help enable FIPS 140-2 compliance in Cisco ISE.
  •Key Encryption Key—This key is used for session encryption (secrecy).
  •Message Authenticator Code Key—This key is used for keyed HMAC calculation over RADIUS messages.
  •Key Input Format—Specify the format you want to use to enter the Cisco ISE FIPS encryption key, so that it matches the configuration that is available on the WLAN controller. (The value you specify must be the correct [full] length for the key as defined below—shorter values are not permitted.)
  –ASCII—The Key Encryption Key must be 16 characters (bytes) long, and the Message Authenticator Code Key must be 20 characters (bytes) long.
  –Hexadecimal—The Key Encryption Key must be 32 bytes long, and the Message Authenticator Code Key must be 40 bytes long.
  •Authentication Port—(Required) Enter the RADIUS authentication port number. The valid range is from 1 to 65535. The default is 1812.
  •Accounting Port—(Required) Enter the RADIUS accounting port number. The valid range is from 1 to 65535. The default is 1813.
  •Server Timeout—(Required) Enter the number of seconds that the Cisco Cisco ISE waits for a response from the external RADIUS server. The default is 5 seconds. Valid values are from 5 to 120.
  •Connection Attempts—(Required) Enter the number of times that the Cisco Cisco ISE attempts to connect to the external RADIUS server. The default is 3 attempts. Valid values are from 1 to 9.
  Step 4 Click Submit to save the external RADIUS server configuration.

• Cisco aironet 2600 series AP configuration with windows 2008 R2 Radius server.

  I want to know the configuration of Cisco aironet 2600 series AP with windows 2008 R2 Radius server.  
  I have
  1. AD & DHCP Server
  2. Cisco Aironet 2600 Access Point.
  I want to connect wifi devices through this AP. Authentication should be through Radius server and AD.

  Hi , 
  Below link should support your requirement 
  http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/116584-configure-wirelesslan-00.html
  Minimal command : -
  AP(config)# aaa new-model
   AP(config)# radius-server host 172.20.0.1 auth-port 1645 acct-port 1645 key XXXXXX
   AP(config)# radius-server deadtime 10
  HTH
  Sandy