AAA Radius Authentication for Remote VPN With ACS Server Across L2L VPN

Similar Messages

• ISE - AAA radius authentication for NAD access

  Hi ,
  I have configured the switches to use the ISE as the Radius server to authenticate with , on the ISE i've configured an authentication policy
  for the "NADs" using the "Wired Devices" group which points to the AD indentity source to authenticate against .
  While testing the login access to the switches we've come up with 2 results :
  1.A domain user can indeed login to the switch as intended.
  2.Every domain user which exists in the AD indentity source can login , this is an undesired result .
  So I am trying to search for a way to restrict access to the NADs to only a particular group belonging to the AD , for example the group/ou
  of the IT_department only .
  I haven't been successfull , would appreciate any ideas on how to accomplish this .
  Switch configurations :
  =================
  aaa new-model
  aaa authentication login default group radius local
  ISE Authentication policy
  ==================
  Policy Name : NADs Authentication
  Condition:  "DEVICE:Device Type Equals :All Device Types#Wired"
  Allowed Protocol : Default Network Access
  use identity source : AD1

  Thank you for the quick replys , and now  ok , I've configured the following authorization policy :
  Rule Name : Nad Auth
  Conditions
  if: Any
  AND : AD1:ExternalGroups EQUALS IT_Departments
  Permissions , then PermitAccess
  What I don't understand is that it needs to match an "identity group" which can be either "Endpoint Identity group" or "Users Identity group" , I am limited with the if statement and cannot chose the same device group a choose before .
  How can i do that , i am thinking ahead an asking myself if in other cases a user might match this policy rule and can interfer ?

• AAA Radius Authentication for Calling Card Platform

  Hi,
  I am using AS5350 and I am using it for calling card application using Clear Box as my RADIUS Server for AAA. My question now, how would I know if cisco is sending the dtmf for "enter card number.au" on the RADIUS server ? Does the card number included on the VSA ? below are my configurations and the debug info. The problem here is that the card number that I entered doesn't able to match against the configuration on my Clear Box/SQL Database. I want to know what should I expect from CiscoAS5350 to send a vsa for enter_card_number ?
  aaa new-model
  aaa group server radius ClearBox
  server 192.168.1.1 auth-port 1812 acct-port 1813
  aaa authentication login default local
  aaa authentication login h323 group ClearBox
  aaa authorization exec h323 group ClearBox
  aaa accounting exec default start-stop group ClearBox
  aaa accounting network default start-stop group ClearBox
  aaa accounting connection h323 start-stop group ClearBox
  aaa session-id unique
  radius-server host 192.168.1.1 auth-port 1812 acct-port 1813
  radius-server key 7 0355481F031F761D
  radius-server vsa send accounting
  radius-server vsa send authentication
  call application voice prepaid tftp://192.168.1.2/debitcard-multi-lang-Cisco.1.1.0.2.tcl
  call application voice prepaid pin-len 10
  call application voice prepaid warning-time 300
  call application voice prepaid redirect-number 8662195822
  call application voice prepaid language 1 en
  call application voice prepaid language 2 sp
  call application voice prepaid language 3 ch
  call application voice prepaid set-location en 0 tftp://192.168.1.2/prompts/
  call application voice prepaid set-location sp 0 tftp://192.168.1.2/prompts/
  call application voice prepaid set-location ch 0 tftp://192.168.1.2/prompts/
  gw-accounting aaa
  ==================================================
  Getting session id for NET(00003600) : db=6418E654
  AA/ACCT/NET(00003600): add, count 1
  Getting session id for NET(00003601) : db=6410D098
  AAA/ACCT/NET(00003601): add, count 1
  AAA/ACCT/CONN(00003601): Pick method list 'h323'
  AAA/ACCT/SETMLIST(00003601): Handle 94000002, mlist 62D3B124, Name h323
  Getting session id for CONN(00003601) : db=6410D098
  AAA/ACCT/CONN(00003601): Queueing record is START
  AAA/ACCT(00003601): Accouting method=ClearBox (RADIUS)
  AAA/ACCT/EVENT/(00003601): ATTR ADD
  AAA/ACCT/CONN(00003601): START protocol reply PASS
  AAA/ACCT/EVENT/(00003601): VOICE DOWN
  AAA/ACCT/HC(00003601): Update VOICE/000020D3
  AAA/ACCT/HC(00003601): VOICE/000020D3 [sess] (rx/tx) base 0/0 pre 0/0 call 0/0
  AAA/ACCT/HC(00003601): VOICE/000020D3 [sess] (rx/tx) adjusted, pre 0/0 call 0/0
  AAA/ACCT/CONN(00003601): Queueing record is STOP osr 1
  AAA/ACCT(00003601): del node, session 174133
  AAA/ACCT/CONN(00003601): free_rec, count 1
  AAA/ACCT/CONN(00003601): Setting session id 174144 : db=6410D098
  AAA/ACCT/HC(00003601): Update VOICE/000020D3
  AAA/ACCT/HC(00003601): Deregister VOICE/000020D3
  AAA/ACCT/EVENT/(00003601): CALL STOP
  AAA/ACCT/CALL STOP(00003601): Sending stop requests
  AAA/ACCT(00003601): Send all stops
  AAA/ACCT/NET(00003601): STOP
  AAA/ACCT/NET(00003601): Method list not found
  AAA/ACCT/CONN(00003601): STOP protocol reply PASS
  AAA/ACCT/CONN(00003601) Record not present

  VSAs are collected by the RADIUS server during the accounting process when AAA is configured with the Debit Card feature. Data items are collected for each call leg created on the gateway. A call leg is the internal representation of a connection on the gateway. Each call made through the gateway consists of two call legs: incoming and outgoing. The call leg information emitted by the gateways can be correlated by the connection ID, which is the same for all call legs of a connection.
  Use the H.323 VSA method of accounting when configuring the AAA application.
  There are two modes:
  •Overloaded Session-ID
  Use the gw-accounting h323 syslog command to configure this mode.
  •VSA
  Use the gw-accounting h323 vsa command to configure this mode.

• What are steps configure Certificate based authentication for Wireless clients with ACS 5.3?

  I need to autheticate my clients connecting via wireless.
  clients have user certificate installed on them, i need help configuring the ACS to do the authentication.
  can some one please help me with the steps.
  Thanks

  Two primary steps
  - define the trust certificates needed to verify the clients user certificates
  Users and Identity Stores > Certificate Authorities
  - change result of identity policy to select a certificate authorization profile. If have the defautl config
  Access Policies > Access Services > Default Network Access > Identity
  by default can select the "CN Username" as a result

• AAA authentication for networking devices using ACS 4.1 SE

  Hi!!!
  I want to perform AAA authentication for networking devices using ACS 4.1 SE.
  I do have Cisco 4500, 6500,2960, 3750, 3560, ASA, CSMARS, routers (2821) etc in my network. I want to have radius based authentication for the same.
  I want telnet, ssh has,console attempt to be verified by radius server & if ACS goes down then it will be via local enable passwordf.
  For all users i need to have different privilege levels based upon which access will be granted.
  could u plz send me the config that is required to be done in the active devices as well as ACS!!!!

  Pradeep,
  Are you planning MAC authentication for some users while using EAP for others?
  For MAC authentication, just use the following in your AP.
  aaa authentication login mac_methods group radius
  In your AP, select the radius server for mac authentication. You must have already defined your ACS as a radius server.
  In your SSID configuration, under client authentication settings,
  check "open authentication" and also select "MAC Authentication" from the drop-down list.
  If you want both MAC or EAP, then select "MAC Authentication or EAP" from the dropdown.
  Define the mac address as the username and password in ACS. Make sure the format of the mac is without any spaces.
  You will not need to change anything in XP.
  NOTE: XP normally does not require user authentication if machine has already authenticated but it might behave differently. If it does, I can let you know the registry settings to force the behaviour change.
  HTH

• NAC guest server with RADIUS authentication for guests issue.

  Hi all,
  We have just finally successfully installed our Cisco NAC guest server. We have version 2 of the server and basically the topology consists of a wism at the core of the network and a 4402 controller at the dmz, then out the firewall, no issues with that. We do however have a few problems, how can we provide access through a proxy without using pak files obviously, and is there a way to specify different proxies for different guest traffic, based on IP or a radius attribute etc.
  The second problem is more serious; refer to the documentation below from the configuration guide for guest nac server v2. It states that hotspots can be used and the Authentication option would allow radius authentication for guests, I’ve been told otherwise by Cisco and they say it can’t be done, has anyone got radius authentication working for guests.
  https://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_hotspots.html
  -----START QUOTE-----
  Step 7 From the Operation mode dropdown menu, you can select one of the following methods of operation:
  •Payment Provider—This option allows your page to integrate with a payment providing billing system. You need to select a predefined Payment Provider from the dropdown. (Refer to Configuring Payment Providers for details.) Select the relevant payment provider and proceed to Step 8.
  •Self Service—This option allows guest self service. After selection proceed to Step 8.
  •Authentication—This option allows RADIUS authentication for guests. Proceed to Step 9.
  ----- END QUOTE-----
  Your help is much appreciated on this, I’ve been looking forward to this project for a long time and it’s a bit of an anti climax that I can’t authenticate guests with radius (We use ACS and I was hoping to hook radius into an ODBC database we have setup called open galaxy)
  Regards
  Kevin Woodhouse

  Well I will try to answer your 2nd questions.... will it work... yes.  It is like any other radius server (high end:))  But why would you do this for guest.... there is no reason to open up a port on your FW and to add guest accounts to and worse... add them in AD.  Your guest anchor can supply a web-auth, is able to have a lobby admin account to create guest acounts and if you look at it, it leaves everything in the DMZ.
  Now if you are looking at the self service.... what does that really give you.... you won't be able to controll who gets on, people will use bogus info and last but not least.... I have never gotten that to work right.  Had the BU send me codes that never worked, but again... that was like a year ago and maybe they fixed that.  That is my opinion.

• AAA Radius Authentication Queries

  Have quite a few questions for Implementing Radius for my network devices :
  Q.1.) How to safely implement aaa Radius authentication to make sure users have login using LOCAL database incase the Radius fails.
  Q.2.) How to provide only read access for few users and full access to Adminstrators.
  Q 3.) Incase if I save the config ..will it be possible to login to devices through any other alternative way ( assuming both the radius and Local credentials are not working).
  Q 4.) How to recover the password for devices especially firewalls.
  GReat it would be if someone can help me on these queries.. Thanks in advance.
  Regards,
  gHP.

  VSAs are collected by the RADIUS server during the accounting process when AAA is configured with the Debit Card feature. Data items are collected for each call leg created on the gateway. A call leg is the internal representation of a connection on the gateway. Each call made through the gateway consists of two call legs: incoming and outgoing. The call leg information emitted by the gateways can be correlated by the connection ID, which is the same for all call legs of a connection.
  Use the H.323 VSA method of accounting when configuring the AAA application.
  There are two modes:
  •Overloaded Session-ID
  Use the gw-accounting h323 syslog command to configure this mode.
  •VSA
  Use the gw-accounting h323 vsa command to configure this mode.

• Radius authentication for privileged access

  Hello,
            I have configured Cisco 6513 for radius authentication with following commands.
  aaa new-model
  aaa authentication login authradius group radius line
  aaa accounting exec acctradius start-stop group radius
  radius-server host <radius-ip> auth-port 1812 acct-port 1646 key 6912911
  line vty 0 4
  accounting exec acctradius
  login authentication authradius
       This is working pretty fine. I want to configure radius authentication for priviledged access / for enable access.
       I am using TeKRadius as Radius server.
       Please help.
  Thanks and Regards,
  Pratik

  Hi Pratik
  Sorry I mostly use only TACACS+ for AAA as it provides better granularity of access controls.
  You'll need to make some specific changes to your RADIUS config so that nominated users ( the ones you want to be able to go to enable mode ) get put straight into enable mode upon login.
  There's a guide here http://www.blindhog.net/cisco-aaa-login-authentication-with-radius-ms-ias/ which details the steps if you're using the Microsoft IAS radius server - you should be able to figure out that changes you need to make to your own server from there.
  Nick
  Message was edited by: NickNac79 - Spelt the OP's name wrong, sorry.

• What do IPSEC mean under Security - AAA - Radius - Authentication

  I can't find exact information regarding the IPSec checkbox in Security -> AAA -> Radius -> Authentication.
  On the Cisco Wireless LAN Controller Configuration Guide 5.1, it says "Check the IPSec check box to enable the IP security mechanism, or uncheck it to disable this feature.
  The default value is unchecked."
  What is exactly mean by IP security mechanism?
  Does this mean that I can terminate VPN client over my WLC?
  Take note that this options appeared even though no crypto card installed in my controller.

  This is old code from the Airespace days. There used to be a VPN module that would ride in the WLC. No longer supported, well can't buy it new, but if you had one already...you get the idea.
  HTH,
  Steve

• Radius authentication for the browser-based webtop

  Hiya all,
  With help of the radius-authentication module for apache (http://www.freeradius.org/mod_auth_radius/) and web-authentication it is possible to use radius-authentication for the classic-webtop. Has anyone got Radius authentication working for the browser-basedwebtop?
  SSGD version:
  Sun Secure Global Desktop Software for Intel Solaris 10+ (4.30.915)
  Architecture code: i3so0510
  This host: SunOS sgd1.<removed> 5.10 Generic_118855-36 i86pc i386 i86pc
  I have the radius-module running for authentication of a single directory with the apache-config-lines:
  SetEnvIf Request_URI "\.(cab|jar|gif|der)$" sgd_noauth_ok
  <LocationMatch "/secure">
  Order Allow,Deny
  Allow from env=sgd_noauth_ok
  AuthName "Radius authentication for SGD"
  Authtype Basic
  AuthRadiusAuthoritative on
  AuthRadiusCookieValid 540
  AuthRadiusActive On
  Require valid-user
  Satisfy any
  </LocationMatch>
  When changing the line <LocationMatch "/secure"> to <LocationMatch "/sgd"> the browser asks for a authentication and then a 'Not Found' page is being displayed.
  When using the config-lines from http://docs.sun.com/source/819-6255/webauth_config_browser.html the login-page is being displayed normally and SSGD works.
  The main difference I can find between the location /secure and /sgd is: /secure is a simple directory and /sgd is a JkMount to Tomcat.
  Changing the JkLogLevel to debug gives the following info in the JkLogFile:
  Radius authentication:
  [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (449): Attempting to map URI '/sgd' from 5 maps
  [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/examples/*'
  [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/axis/*'
  [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/sgd/*'
  [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/axis'
  [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/sgd'
  [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (486): Found an exact match tta -> /sgd
  With the password-authentication file:
  [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (449): Attempting to map URI '/sgd/' from 5 maps
  [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/examples/*'
  [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/axis/*'
  [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/sgd/*'
  [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (475): Found a wildchar match tta -> /sgd/*
  [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_get_worker_for_name::jk_worker.c (111): found a worker tta
  [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_maintain::jk_worker.c (301): Maintaining worker axis
  [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_maintain::jk_worker.c (301): Maintaining worker tta
  [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_maintain::jk_worker.c (301): Maintaining worker examples
  It seems that the JkMount is not being evaluated correctly after using the radius-authentication.
  Any help will be usefull since I am allready stuck on this problem for a couple of days :(
  Thanks,
  Remold | Everett

  I got response from the Fat Bloke on the mailing list.
  Adding the following line in the apache httpd.conf seams to help and resolved my problem:
  Alias /sgd "/opt/tarantella/webserver/tomcat/5.0.28_axis1.2final_jk1.2.8/webapps/sgd"
  Thanks The Fat Bloke !!
  - Remold
  These instructions are for a 4.2 SGD installation using SGD's third
  party web authentication with mod_auth_radius.so (www.freeradius.org).
  With 4.2 Sun didn't distribute enough of the Apache configured tree
  to enable the use of axps to build the mod_auth_radius module, 4.3 is
  better - Sun now install a modified axps and include files, I haven't
  tried this with 4.3 yet though.
  I built the mod_auth_radius module for Apache 1.3.33 (shipped with 4.2)
  So, this is how we got this working with Radius (tested with SBR
  server and freeradius.org server.)
  Install SGD in the usual way.
  Enable 3rd party authentication:
  According to:
  http://docs.sun.com/source/819-4309-10/en-us/base/standard/
  webauth_config_browser.html
  Configure the Tomcat component of the Secure Global Desktop Web
  Server to
  trust the web server authentication. On each array member, edit the
  /opt/tarantella/webserver/tomcat/version/conf/server.xml file. Add the
  following attribute to the connector element (<Connector>) for the
  Coyote/JK2 AJP 1.3 Connector:
  tomcatAuthentication="false"
  # cat /opt/tarantella/webserver/tomcat/5.0.28_axis1.2final_jk1.2.8/
  conf/server.xml
  <!-- Define a Coyote/JK2 AJP 1.3 Connector on port 8009 -->
  <Connector port="8009" minProcessors="5" maxProcessors="75"
  tomcatAuthentication="false"
  enableLookups="true" redirectPort="8443"
  acceptCount="10" debug="0" connectionTimeout="0"
  useURIValidationHack="false"
  protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"/>
  "By default, for security reasons, Secure Global Desktop
  Administrators can't
  log in to the browser-based webtop with web server authentication.
  The standard
  login page always displays for these users even if they have been
  authenticated
  by the web server. To change this behavior, run the following command:"
  # tarantella config edit --tarantella-config-login-thirdparty-
  allowadmins 1
  Without this, after authenticating via webauth, the user will be
  prompted for a
  second username and password combination.
  # /opt/tarantella/bin/tarantella objectmanager &
  # /opt/tarantella/bin/tarantella arraymanager &
  In Array Manager:
  Select "Secure Global Desktop Login" on left side and click
  "Properites" at bottom
  Under "Secure Global Desktop Login Properties"
  cd /opt/tarantella/webserver/apache/
  1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/conf
  edit httpd.conf:
  ### For SGD Apache based authentication
  Include conf/httpd4radius.conf
  at the end of httpd.conf add:
  Alias /sgd "/opt/tarantella/webserver/tomcat/
  5.0.28_axis1.2final_jk1.2.8/webapps/sgd"
  # cat httpd4radius.conf
  LoadModule radius_auth_module libexec/mod_auth_radius.so
  AddModule mod_auth_radius.c
  # Add to the BOTTOM of httpd.conf
  # If we're using mod_auth_radius, then add it's specific
  # configuration options.
  <IfModule mod_auth_radius.c>
  # AddRadiusAuth server[:port] <shared-secret> [ timeout [ : retries ]]
  # Use localhost, the old RADIUS port, secret 'testing123',
  # time out after 5 seconds, and retry 3 times.
  AddRadiusAuth radiusserver:1812 testing123 5:3
  # AuthRadiusBindAddress <hostname/ip-address>
  # Bind client (local) socket to this local IP address.
  # The server will then see RADIUS client requests will come from
  # the given IP address.
  # By default, the module does not bind to any particular address,
  # and the operating system chooses the address to use.
  # AddRadiusCookieValid <minutes-for-which-cookie-is-valid>
  # the special value of 0 (zero) means the cookie is valid forever.
  AddRadiusCookieValid 5
  </IfModule>
  <LocationMatch /radius >
  Order Allow,Deny
  AuthType Basic
  AuthName "RADIUS Authentication"
  AuthAuthoritative off
  AuthRadiusAuthoritative on
  AuthRadiusCookieValid 5
  AuthRadiusActive On
  Require valid-user
  Satisfy any
  </LocationMatch>
  SetEnvIf Request_URI "\.(cab|jar|gif|der)$" sgd_noauth_ok
  <LocationMatch /sgd >
  Order Allow,Deny
  Allow from env=sgd_noauth_ok
  AuthType Basic
  AuthName "RADIUS Authentication"
  AuthAuthoritative off
  AuthRadiusAuthoritative on
  AuthRadiusCookieValid 5
  AuthRadiusActive On
  Require valid-user
  Satisfy any
  </LocationMatch>
  Put appropriate mod_auth_radius.so into
  /opt/tarantella/webserver/apache/
  1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/libexec
  # mkdir /opt/tarantella/webserver/apache/
  1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/htdocs/radius/
  # cat /opt/tarantella/webserver/apache/
  1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/htdocs/htpasswd/index.html
  <HTML>
  <HEAD>
  <TITLE> Test Page for RADIUS authentication </TITLE>
  </HEAD>
  <BODY>
  <B> You have reached the test page for RADIUS authentication.
  </BODY>
  </HTML>
  I hope this helps!
  -FB

• RADIUS Authentication for PI 2.1 with Windows Server 2008 (Windows NPS)

  Hello Community,
  can someone please provide a step-by-step guide (or at least the VSA part) for RADIUS configuration on a Windows 2008 R2 server for Prime Infrastructure 2.1 please?
  We already tried several setups with guides for PI 1.4 without success. The NPS itself authenticates and grants access, but on PI the login always fails.
  Thank you in advance,
  Benjamin

  I'm having the same issue and have a few questions/comments.
  I can get root/admin access working via NPS/radius by justing telling NPS to send PI the  NCS:role0=Root (or Admin) and NCS:virtual-domain0=ROOT-DOMAIN radius attributes.
  But I also have some users who I just want to give read only access.  I cannot seem to get this to work.  At first I configured NPS to send PI the NCS:role0=Monitor Lite and NCS:virtual-domain0=ROOT_DOMAIN attributes.  A user could login, but would immediate get a "You do not have access to the page Monitoring Dashboards" error.  Not to mention almost nothing shows in the menu.  So I tried adding all of the individual tasks related to the "Monitor Lite" role into the radius policy:
  NCS:role0=Monitor Lite
  NCS:task0=Services Menu Access
  NCS:task1=Alarm Stat Panel Access
  NCS:task2=Automated Feedback
  NCS:task3=Monitor Menu Access
  NCS:task4=Theme Changer Access
  NCS:task5=Maps Read Only
  NCS:task6=Help Menu Access
  NCS:task7=License Check
  NCS:task8=Rogue Location
  NCS:task9=Reports Menu Access
  NCS:task10=Monitor Tags
  NCS:task11=Alarm Browser Access
  NCS:task12=Configure Menu Access
  NCS:task13=Search Access
  NCS:task14=Tools Menu Access
  NCS:task15=Administration Menu Access
  NCS:task16=Monitor Clients
  NCS:task17=Home Menu Access
  NCS:task18=Client Location
  NCS:task19=OnlineHelp
  NCS:task20=TAC Case Management Tool
  but I'm not having any luck.  The NPS radius logs always show success, but the read-only users always get the same error and almost nothing visible in the menus.
  Has anyone successfully configured radius with something other than Admin or Root privileges?
  Thanks!

• RADIUS Authentication for Guest users

  Hi,
  I currently use a 4402 WLC located in our DMZ to authenticate Guest users - local authentication is in place.  I would not like to setup RADIUS authentication via a Cisco NAC server.  In order not to affect current guest users, I created a new WLAN and configured with RADIUS server details under WLANs->Edit->Security.  I can associate to new WLAN and obtain a DHCP address no problem, but when I browse to an external website, I do not get prompted for authentication from the RADIUS server.  I don't see any auth requests hitting our firewal, so am assuming the problem is with the WLC config.
  Can anyone provide any details of what config is required?
  Security Policy - Web-Auth
  Security-> L2 - None
  Security-> L3 - Authentication
  Security-> AAA Servers - Auth and Acc server set
  Many thanks
  Liam

  your setup sounds pretty okay. have you got local user accounts set up on the WLC for the test WLAN? if you do, check to see that the priority order for web authentication for the test WLAN prefers the AAA account. you will have to do it directly on your controller as i do not think you have that option in WCS.
  hope that helps

• RADIUS authentication for SGE2010 switch

  I am trying to configure a SGE2010 switch to use RADIUS authentication. At the moment, the NPS (Windows Server 2008r2 RADIUS) server is receiving the access request and is returning an access accept.
  The switch does not let us log in.
  Cisco-sw1(config)# 09-Nov-2009 21:10:35 %AAA-W-REJECT: New telnet connection for
  user P@ssw0rd, source 192.168.10.213 destination   REJECTED
  Note: It is printing the user's password instead of the username.
  I suspect it is something to do with the cisco-AV-pair attribute. I have tried the following values but nothing works:
  Shell:priv-lvl=15
  Shell = 15
  Level = 15
  Relevant lines from switch configuration:
  radius-server host 192.168.1.23 key P@llssw0rd88
  aaa authentication enable default none
  aaa authentication login default radius
  Any help would be more than greatly appreciated.

  The problem isn't that it is rejecting me. Using network monitor I can see it is accepting the request but for some reason just won't log me in.
  A link was sent to me to another website where it show that you have to go into the settings tab of the policy and change the radius attribute
  to Service-Type Administrative.
  After doing that, I was able to log into the switch with any of the windows domain users I had specified.
  This is the link that gave me the answer
  http://wiki.freeradius.org/Linksys

• Mac OS X Server 10.5 Radius authentication for non airport devices

  We have an Astaro Security Gateway 220 that we are planning to use for VPN and other services, we would like to use our Xserve to do authentication for our VPN like we already do for our other services on the device. To do so requires that we use Radius as the communication protocol between the server and the gateway, it works just fine to test authenticate as long as I don't set a Nas-Identifier for the test but as soon as I do it fails. The Nas-Identifiers are used to determine which services the account has access to and are named logically for that, things like http, pptp, etc. are used. I can't figure out how to get the gateway to be able to authenticate users, I don't need to be able to limit based on user which services they can access, any service that has a restricted set of users other than just valid users will be handled separately outside this system. If anyone can give me any good ideas on how to solve this it would be appreciated, we currently are only looking at radius fore this, while we use airports for our wireless we don't link them into the server currently though there is a slight chance it will happen in the future.
  Thanks,
  Glenn McGurrin

  I found the problem. When turning off ClamAv virus scanning and Spam filtering everything runs fine again. So now we only have to repair those functions...

• RADIUS authentication for IDS admin

  Hi,
  We've decided to centralize our accounts and are using ACS to authenticate admin access to switches, firewalls and to the CS-MARS by RADIUS. I'd like to extend that authentication also to the IDSMs running on our switches and to our CSS1100 boxes. Can this be done? how about network sensor appliances (i.e. 4200)? I've looked into the documentation but haven't found what I'm looking for. Any help is appreciated.
  Thanks, Joe

  The current released versions of IPS does not support RADIUS authentication. However the support is being introduced in later versions like 7.1.x
  Madhu