AAA Radius Authentication Queries

Similar Messages

• What do IPSEC mean under Security - AAA - Radius - Authentication

  I can't find exact information regarding the IPSec checkbox in Security -> AAA -> Radius -> Authentication.
  On the Cisco Wireless LAN Controller Configuration Guide 5.1, it says "Check the IPSec check box to enable the IP security mechanism, or uncheck it to disable this feature.
  The default value is unchecked."
  What is exactly mean by IP security mechanism?
  Does this mean that I can terminate VPN client over my WLC?
  Take note that this options appeared even though no crypto card installed in my controller.

  This is old code from the Airespace days. There used to be a VPN module that would ride in the WLC. No longer supported, well can't buy it new, but if you had one already...you get the idea.
  HTH,
  Steve

• ISE - AAA radius authentication for NAD access

  Hi ,
  I have configured the switches to use the ISE as the Radius server to authenticate with , on the ISE i've configured an authentication policy
  for the "NADs" using the "Wired Devices" group which points to the AD indentity source to authenticate against .
  While testing the login access to the switches we've come up with 2 results :
  1.A domain user can indeed login to the switch as intended.
  2.Every domain user which exists in the AD indentity source can login , this is an undesired result .
  So I am trying to search for a way to restrict access to the NADs to only a particular group belonging to the AD , for example the group/ou
  of the IT_department only .
  I haven't been successfull , would appreciate any ideas on how to accomplish this .
  Switch configurations :
  =================
  aaa new-model
  aaa authentication login default group radius local
  ISE Authentication policy
  ==================
  Policy Name : NADs Authentication
  Condition:  "DEVICE:Device Type Equals :All Device Types#Wired"
  Allowed Protocol : Default Network Access
  use identity source : AD1

  Thank you for the quick replys , and now  ok , I've configured the following authorization policy :
  Rule Name : Nad Auth
  Conditions
  if: Any
  AND : AD1:ExternalGroups EQUALS IT_Departments
  Permissions , then PermitAccess
  What I don't understand is that it needs to match an "identity group" which can be either "Endpoint Identity group" or "Users Identity group" , I am limited with the if statement and cannot chose the same device group a choose before .
  How can i do that , i am thinking ahead an asking myself if in other cases a user might match this policy rule and can interfer ?

• AAA Radius Authentication for Calling Card Platform

  Hi,
  I am using AS5350 and I am using it for calling card application using Clear Box as my RADIUS Server for AAA. My question now, how would I know if cisco is sending the dtmf for "enter card number.au" on the RADIUS server ? Does the card number included on the VSA ? below are my configurations and the debug info. The problem here is that the card number that I entered doesn't able to match against the configuration on my Clear Box/SQL Database. I want to know what should I expect from CiscoAS5350 to send a vsa for enter_card_number ?
  aaa new-model
  aaa group server radius ClearBox
  server 192.168.1.1 auth-port 1812 acct-port 1813
  aaa authentication login default local
  aaa authentication login h323 group ClearBox
  aaa authorization exec h323 group ClearBox
  aaa accounting exec default start-stop group ClearBox
  aaa accounting network default start-stop group ClearBox
  aaa accounting connection h323 start-stop group ClearBox
  aaa session-id unique
  radius-server host 192.168.1.1 auth-port 1812 acct-port 1813
  radius-server key 7 0355481F031F761D
  radius-server vsa send accounting
  radius-server vsa send authentication
  call application voice prepaid tftp://192.168.1.2/debitcard-multi-lang-Cisco.1.1.0.2.tcl
  call application voice prepaid pin-len 10
  call application voice prepaid warning-time 300
  call application voice prepaid redirect-number 8662195822
  call application voice prepaid language 1 en
  call application voice prepaid language 2 sp
  call application voice prepaid language 3 ch
  call application voice prepaid set-location en 0 tftp://192.168.1.2/prompts/
  call application voice prepaid set-location sp 0 tftp://192.168.1.2/prompts/
  call application voice prepaid set-location ch 0 tftp://192.168.1.2/prompts/
  gw-accounting aaa
  ==================================================
  Getting session id for NET(00003600) : db=6418E654
  AA/ACCT/NET(00003600): add, count 1
  Getting session id for NET(00003601) : db=6410D098
  AAA/ACCT/NET(00003601): add, count 1
  AAA/ACCT/CONN(00003601): Pick method list 'h323'
  AAA/ACCT/SETMLIST(00003601): Handle 94000002, mlist 62D3B124, Name h323
  Getting session id for CONN(00003601) : db=6410D098
  AAA/ACCT/CONN(00003601): Queueing record is START
  AAA/ACCT(00003601): Accouting method=ClearBox (RADIUS)
  AAA/ACCT/EVENT/(00003601): ATTR ADD
  AAA/ACCT/CONN(00003601): START protocol reply PASS
  AAA/ACCT/EVENT/(00003601): VOICE DOWN
  AAA/ACCT/HC(00003601): Update VOICE/000020D3
  AAA/ACCT/HC(00003601): VOICE/000020D3 [sess] (rx/tx) base 0/0 pre 0/0 call 0/0
  AAA/ACCT/HC(00003601): VOICE/000020D3 [sess] (rx/tx) adjusted, pre 0/0 call 0/0
  AAA/ACCT/CONN(00003601): Queueing record is STOP osr 1
  AAA/ACCT(00003601): del node, session 174133
  AAA/ACCT/CONN(00003601): free_rec, count 1
  AAA/ACCT/CONN(00003601): Setting session id 174144 : db=6410D098
  AAA/ACCT/HC(00003601): Update VOICE/000020D3
  AAA/ACCT/HC(00003601): Deregister VOICE/000020D3
  AAA/ACCT/EVENT/(00003601): CALL STOP
  AAA/ACCT/CALL STOP(00003601): Sending stop requests
  AAA/ACCT(00003601): Send all stops
  AAA/ACCT/NET(00003601): STOP
  AAA/ACCT/NET(00003601): Method list not found
  AAA/ACCT/CONN(00003601): STOP protocol reply PASS
  AAA/ACCT/CONN(00003601) Record not present

  VSAs are collected by the RADIUS server during the accounting process when AAA is configured with the Debit Card feature. Data items are collected for each call leg created on the gateway. A call leg is the internal representation of a connection on the gateway. Each call made through the gateway consists of two call legs: incoming and outgoing. The call leg information emitted by the gateways can be correlated by the connection ID, which is the same for all call legs of a connection.
  Use the H.323 VSA method of accounting when configuring the AAA application.
  There are two modes:
  •Overloaded Session-ID
  Use the gw-accounting h323 syslog command to configure this mode.
  •VSA
  Use the gw-accounting h323 vsa command to configure this mode.

• AAA Radius Authentication for Remote VPN With ACS Server Across L2L VPN

  Hi,
  I have an ASA running fine on the network which provide L2L tunnel to remote site and provide Remote VPN for remote access users.
  Currently, there is a need for the users to authenticate against an ACS server that located across the L2L VPN tunnel.
  The topology is just simple with 2 interfaces on the ASA, inside and outside, and a default route pointing to the ISP IP Address.
  I can ping the IP address of the ACS Server (which located at the remote site, IP addr: 10.10.10.56) from the ASA:
  ping inside 10.10.10.56
  However when I configure the ASA for the AAA group with commands:
  aaa-server ACSAuth protocol radius
  aaa-server ACSAuth host (inside) 10.10.10.56 key AcsSecret123
  Then when I do the show run, here is the result:
  aaa-server ACSAuth protocol radius
  aaa-server host 10.10.10.56
  key AcsSecret123
  From what I thought is, with this running config, traffic is not directed to the L2L VPN tunnel
  (seems to be directed to the default gateway due to the default route information) which cause failure to do the AAA authentication.
  Does anybody ever implement such this thing and whether is it possible? And if yes, how should be the config?
  Your help will be really appreciated!
  Thanks.
  Best Regards,
  Jo

  AAA is designed to enable you to dynamically configure the type of authentication and authorization you want on a per-line (per-user) or per-service (for example, IP, IPX, or VPDN) basis. You define the type of authentication and authorization you want by creating method lists, then applying those method lists to specific services or interfaces.
  http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/schaaa.html

• 802.1x RADIUS authentication problem with Cat 2950 to CiscoSecure ACS 3.3

  I wondered if anyone can help or shed any light on the following problem.
  I am getting an authentication error when doing a RADIUS authentication to CiscoSecure ACS 3.3 running on a Windows 2003 server, the authentication request is coming from a Catalyst 2950 switch which is doing 802.1x for Windows XP clients. This problem only happens when the XP client connects to 2950 switches, Cat 3550s and 3560s work fine.
  The Cat2950 is running 12.1.20 (EA1) which is more or less the latest IOS.
  The error I get from ACS 3.3 is "Invalid message authenticator in EAP request" when the 2950 tries to authenticate an XP client for 802.1x to the ACS server using RADIUS.
  Doing a RADIUS and 802.1x debug on the 2950 I see a message about 'Unknown EAP type', I am using PEAP on the XP client doing EAP-MS-CHAPv2 authentication, the same XP client authenticates fine with 3550 and 3560 switches problem only affects 2950s. Can anyone confirm the 2950 supports EAP-MS-CHAPv2?
  I have checked and re-checked the shared secret and it definitely matches on 2950 and ACS.
  One thing I noticed in the RADIUS debug is the 2950 sends 18 bytes for attribute 79 when the RFC defines attribute 79 should be 3 bytes or less, I don't know if this is related to the problem or is correct behaviour.

  Hi, I am new with 802.1x, and was hoping that someone would help with these queries:
  1. How is a certificate requested without being allowed on a network that is not authenticated with 802.1x. I had to first connect to an active network, retrieve a certificate with the proper username and password, and then physically connect to the port on the 2950 switch which was enabled to do 802.1x
  2. My config is as below:
  aaa new-model
  aaa authentication dot1x default group radius
  aaa authenication login default group radius
  dot1x system-auth-control
  interface f0/1
  switchport mode access
  dot1x port-control auto
  end
  I able to login using the radius server, so radius is working (on ports other than f1/0). However when connecting to f1/0, the port on the 2950 remains blocked.
  3. The certificate is issued by the ca server, is viewable via Internet explorer,and is issued to the correct username which is on the active directory.
  I even tried using local authenication with 802.1x, this did not work
  4. If I have a certificate, will this automatically give me access to the 802.1x port?
  5. I have windows 2000, and authenication is set to 'Smart Card or other certificate.
  Am I missing anything?
  Any advise will be greatly appreciated
  Chris

• Local Radius Authentication - Fails

  Hello all,
  Access Point 1230AG (c1200-k9w7-mx.123-2.JA)
  Client Adapter ABG (PCI)
  I am new to Wireless Lan configuration with Aironet products (first project). I am configuring an Access Point for a small LAN and i can not get local radius authentication working. The password always fails if I try:
  test aaa group radius xxxxx port 1812 new-code
  although the password is matching..........
  another thing is that in the configuration, it always defaults to 'nthash' mode. is this normal? in other words if i type:
  radius-server local
  user dgarnett password xxxx
  when i do a 'show run' it displays as
  user xxxx
  I also get the following during a debug:
  There is no RADIUS DB Some Radius attributes may not be stored
  any help greatly appreciated
  ap#test aaa group radius dgarnett 123456789 port 1812 new-code
  Trying to authenticate with Servergroup radius
  User rejected
  ap#
  Feb 19 20:57:44.535: RADIUS(00000000): Config NAS IP: 10.14.14.14
  Feb 19 20:57:44.535: RADIUS(00000000): Config NAS IP: 10.14.14.14
  Feb 19 20:57:44.535: RADIUS(00000000): sending
  Feb 19 20:57:44.535: RADIUS(00000000): Send Access-Request to 10.14.14.14:1812 id 21645/14, len 64
  Feb 19 20:57:44.535: RADIUS: authenticator 9C C4 E8 64 80 8B 64 8A - E7 5F 0A 64 14 2F 5D B6
  Feb 19 20:57:44.536: RADIUS: User-Password [2] 18 *
  Feb 19 20:57:44.536: RADIUS: User-Name [1] 10 "dgarnett"
  Feb 19 20:57:44.536: RADIUS: Service-Type [6] 6 Login [1]
  Feb 19 20:57:44.536: RADIUS: NAS-IP-Address [4] 6 10.14.14.14
  Feb 19 20:57:44.536: RADIUS: Nas-Identifier [32] 4 "ap"
  Feb 19 20:57:44.537: RADSRV: Client dgarnett password failed
  Feb 19 20:57:44.537: RADIUS: Received from id 21645/14 10.14.14.14:1812, Access-Reject, len 88
  Feb 19 20:57:44.538: RADIUS: authenticator 3C B3 9A 7F 61 27 3A A6 - 84 39 B6 DF 22 DF 45 26
  Feb 19 20:57:44.538: RADIUS: State [24] 50
  Feb 19 20:57:44.538: RADIUS: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF [????????????????]
  Feb 19 20:57:44.539: RADIUS: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF [????????????????]
  Feb 19 20:57:44.539: RADIUS: 6B 7C 18 EA F0 20 A4 E5 B1 28 0E BD 57 61 24 9A [k|??? ???(??Wa$?]
  Feb 19 20:57:44.539: RADIUS: Message-Authenticato[80] 18 *
  Feb 19 20:57:44.539: RADIUS(00000000): Received from id 21645/14
  Feb 19 20:57:44.539: RADIUS(00000000): Unique id not in use
  Feb 19 20:57:44.540: RADIUS/DECODE(00000000): There is no RADIUS DB Some Radius attributes may not be stored

  Just as an update.......I set this up authenticating to an external (ACSNT) Radius server and it authenticates successfully. But still will not for the local dbase. My goal is to use the Corporate ACS as primary and the local as backup. I think my problem has to do with the Radius attributes 24 (State) and 80 (Message Auth). I also think that it points back to the NTHash stuff. Please advise as I am not new security practices and wireless, but I am new to Cisco Wireless networking.

• Radius authentication with ISE - wrong IP address

  Hello,
  We are using ISE for radius authentication.  I have setup a new Cisco switch stack at one of our locations and setup the network device in ISE.  Unfortunately, when trying to authenticate, the ISE logs show a failure of "Could not locate Network Device or AAA Client" The reason for this failure is the log shows it's coming from the wrong IP address.  The IP address of the switch is 10.xxx.aaa.241, but the logs show it is 10.xxx.aaa.243.  I have removed and re-added the radius configs on both ISE and the switch, but it still comes in as .243.  There is another switch stack at that location (same model, IOS etc), that works properly.
  The radius config on the switch:
  aaa new-model
  aaa authentication login default local
  aaa authentication login Comm group radius local
  aaa authentication enable default enable
  aaa authorization exec default group radius if-authenticated
  ip radius source-interface Vlanyy
  radius server 10.xxx.yyy.zzz
   address ipv4 10.xxx.yyy.zzz auth-port 1812 acct-port 1813
   key 7 abcdefg
  The log from ISE:
  Overview
  Event  5405 RADIUS Request dropped 
  Username  
  Endpoint Id  
  Endpoint Profile  
  Authorization Profile  
  Authentication Details
  Source Timestamp  2014-07-30 08:48:51.923 
  Received Timestamp  2014-07-30 08:48:51.923 
  Policy Server  ise
  Event  5405 RADIUS Request dropped 
  Failure Reason  11007 Could not locate Network Device or AAA Client 
  Resolution  Verify whether the Network Device or AAA client is configured in: Administration > Network Resources > Network Devices 
  Root cause  Could not find the network device or the AAA Client while accessing NAS by IP during authentication. 
  Username  
  User Type  
  Endpoint Id  
  Endpoint Profile  
  IP Address  
  Identity Store  
  Identity Group  
  Audit Session Id  
  Authentication Method  
  Authentication Protocol  
  Service Type  
  Network Device  
  Device Type  
  Location  
  NAS IP Address  10.xxx.aaa.243 
  NAS Port Id  tty2 
  NAS Port Type  Virtual 
  Authorization Profile  
  Posture Status  
  Security Group  
  Response Time  
  Other Attributes
  ConfigVersionId  107 
  Device Port  1645 
  DestinationPort  1812 
  Protocol  Radius 
  NAS-Port  2 
  AcsSessionID  ise1/186896437/1172639 
  Device IP Address  10.xxx.aaa.243 
  CiscoAVPair  
     Steps
    11001  Received RADIUS Access-Request 
    11017  RADIUS created a new session 
    11007  Could not locate Network Device or AAA Client 
    5405  
  As a test, I setup a device using the .243 address.  While ISE claims it authenticates, it really doesn't.  I have to use my local account to access the device.
  Any advice on how to resolve this issue would be appreciated.  Please let me know if more information is needed.

  Well from the debug I would say there may be an issue with the addressing of the radius server on the switch.
  radius-server host 10.xxx.xxx.xxx key******** <--- Make sure this address and Key matches what you have in ISE PSN and that switch. Watch for spaces in your key at the begining or end of the string.
  What interface should your switch be sending the radius request?
  ip radius source-interface VlanXXX vrf default
  Here is what my debug looks like when it is working correctly.
  Aug  4 15:58:47 EST: RADIUS/ENCODE(00000265): ask "Password: "
  Aug  4 15:58:47 EST: RADIUS/ENCODE(00000265):Orig. component type = EXEC
  Aug  4 15:58:47 EST: RADIUS(00000265): Config NAS IP: 10.xxx.xxx.251
  Aug  4 15:58:47 EST: RADIUS/ENCODE(00000265): acct_session_id: 613
  Aug  4 15:58:47 EST: RADIUS(00000265): sending
  Aug  4 15:58:47 EST: RADIUS(00000265): Send Access-Request to 10.xxx.xxx.35:1645 id 1645/110, len 104
  Aug  4 15:58:47 EST: RADIUS:  authenticator 97 FB CF 13 2E 6F 62 5D - 5B 10 1B BD BA EB C9 E3
  Aug  4 15:58:47 EST: RADIUS:  User-Name           [1]   9   "admin"
  Aug  4 15:58:47 EST: RADIUS:  Reply-Message       [18]  12 
  Aug  4 15:58:47 EST: RADIUS:   50 61 73 73 77 6F 72 64 3A 20        [ Password: ]
  Aug  4 15:58:47 EST: RADIUS:  User-Password       [2]   18  *
  Aug  4 15:58:47 EST: RADIUS:  NAS-Port            [5]   6   3                        
  Aug  4 15:58:47 EST: RADIUS:  NAS-Port-Id         [87]  6   "tty3"
  Aug  4 15:58:47 EST: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
  Aug  4 15:58:47 EST: RADIUS:  Calling-Station-Id  [31]  15  "10.xxx.xxx.100"
  Aug  4 15:58:47 EST: RADIUS:  Service-Type        [6]   6   Login                     [1]
  Aug  4 15:58:47 EST: RADIUS:  NAS-IP-Address      [4]   6   10.xxx.xxx.251           
  Aug  4 15:58:47 EST: RADIUS(00000265): Started 5 sec timeout
  Aug  4 15:58:47 EST: RADIUS: Received from id 1645/110 10.xxx.xxx.35:1645, Access-Accept, len 127
  Aug  4 15:58:47 EST: RADIUS:  authenticator 1B 98 AB 4F B1 F4 81 41 - 3D E1 E9 DB 33 52 54 C1
  Aug  4 15:58:47 EST: RADIUS:  User-Name           [1]   9   "admin"
  Aug  4 15:58:47 EST: RADIUS:  State               [24]  40 
  Aug  4 15:58:47 EST: RADIUS:   52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 61  [ReauthSession:0a]
  Aug  4 15:58:47 EST: RADIUS:   30 63 66 65 32 33 30 30 30 31 46 37 30 37 35 33  [0cfe230001F70753]
  Aug  4 15:58:47 EST: RADIUS:   44 46 45 35 46 37            [ DFE5F7]
  Aug  4 15:58:47 EST: RADIUS:  Class               [25]  58 
  Aug  4 15:58:47 EST: RADIUS:   43 41 43 53 3A 30 61 30 63 66 65 32 33 30 30 30  [CACS:0a0cfe23000]
  Aug  4 15:58:47 EST: RADIUS:   31 46 37 30 37 35 33 44 46 45 35 46 37 3A 50 52  [1F70753DFE5F7:PR]
  Aug  4 15:58:47 EST: RADIUS:   59 49 53 45 30 30 32 2F 31 39 33 37 39 34 36 39  [YISE002/19379469]
  Aug  4 15:58:47 EST: RADIUS:   38 2F 32 30 36 33 31 36          [ 8/206316]
  Aug  4 15:58:47 EST: RADIUS(00000265): Received from id 1645/110
  ---------------------------------------------------------------------------------------------------------------This is after I added the incorrect Radius server address.
  Aug  4 16:05:19 EST: RADIUS/ENCODE(00000268): ask "Password: "
  Aug  4 16:05:19 EST: RADIUS/ENCODE(00000268):Orig. component type = EXEC
  Aug  4 16:05:19 EST: RADIUS(00000268): Config NAS IP: 10.xxx.xxx.251
  Aug  4 16:05:19 EST: RADIUS/ENCODE(00000268): acct_session_id: 616
  Aug  4 16:05:19 EST: RADIUS(00000268): sending
  Aug  4 16:05:19 EST: RADIUS(00000268): Send Access-Request to 10.xxx.xxx.55:1645 id 1645/112, len 104
  Aug  4 16:05:19 EST: RADIUS:  authenticator FC 94 BA 5D 75 1F 84 08 - E0 56 05 3A 7F BC FB BB
  Aug  4 16:05:19 EST: RADIUS:  User-Name           [1]   9   "admin"
  Aug  4 16:05:19 EST: RADIUS:  Reply-Message       [18]  12 
  Aug  4 16:05:19 EST: RADIUS:   50 61 73 73 77 6F 72 64 3A 20        [ Password: ]
  Aug  4 16:05:19 EST: RADIUS:  User-Password       [2]   18  *
  Aug  4 16:05:19 EST: RADIUS:  NAS-Port            [5]   6   7                        
  Aug  4 16:05:19 EST: RADIUS:  NAS-Port-Id         [87]  6   "tty7"
  Aug  4 16:05:19 EST: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
  Aug  4 16:05:19 EST: RADIUS:  Calling-Station-Id  [31]  15  "10.xxx.xxx.100"
  Aug  4 16:05:19 EST: RADIUS:  Service-Type        [6]   6   Login                     [1]
  Aug  4 16:05:19 EST: RADIUS:  NAS-IP-Address      [4]   6   10.xxx.xxx.251           
  Aug  4 16:05:19 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:23 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:23 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:23 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:29 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:29 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:29 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:33 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:33 EST: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.xxx.xxx.55:1645,1646 is not responding.
  Aug  4 16:05:33 EST: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.xxx.xxx.55:1645,1646 is being marked alive.
  Aug  4 16:05:33 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:33 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:38 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:38 EST: RADIUS: Fail-over to (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:38 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:43 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:43 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:43 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:48 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:48 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:48 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:53 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:53 EST: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.xxx.xxx.55:1645,1646 is not responding.
  Aug  4 16:05:53 EST: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.xxx.xxx.55:1645,1646 is being marked alive.
  Aug  4 16:05:53 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:53 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:57 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:57 EST: RADIUS: No response from (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:57 EST: RADIUS/DECODE: parse response no app start; FAIL
  Aug  4 16:05:57 EST: RADIUS/DECODE: parse response; FAIL
  This is a default template I use for all my devices routers or switches hope it helps. I have two PSN's that is why we have two radius-server host commands..
  aaa authentication login vty group radius local enable
  aaa authentication login con group radius local enable
  aaa authentication dot1x default group radius
  aaa authorization network default group radius 
  aaa accounting system default start-stop group radius
  ip radius source-interface VlanXXX vrf default
  radius-server attribute 6 on-for-login-auth
  radius-server attribute 6 support-multiple
  radius-server attribute 8 include-in-access-req
  radius-server attribute 25 access-request include
  radius-server dead-criteria time 30 tries 3
  radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646 key *********
  radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646 key *********
  radius-server vsa send accounting
  radius-server vsa send authentication
  You can use this in the switch to test radius
  test aaa group radius server 10.xxx.xxx.xxx <username> <password>

• ACS 4.0.2 Radius Authentication Setup

  Dear Experts,
  I am having ACS 4.0.2 in my network, which I want to use for 802.1x Radius Authentication for Clients on PEAP-MSCHAPv2 methodology.
  As per the documentation " EAP Authentication with RADIUS Server",  Doc ID: 44844
  I have configured Network Configuration and populated AAA client IP range and Secret Key.
  Question1:
  Under Authenticate Using option, there are various RADIUS flavors available for selection. For a Non Cisco AAA client, should I select RADIUS IETF?
  Question 2:
  In the above snap shot, It has an option called Global Authentication Setup, where we can setup EAP configuration. Under PEAP subsection there is an option to "Allow EAP-MSCHAPv2" check box.
  After checking that, is a restart required to the ACS Server? Would it cause any disruptions to the existing services on the ACS?
  Kindly help as it is not mentioned in the documentation available with me.
  Regards,
  Karthik

  Hello,
  As per the ASCII and HEXA settings concern you might want to ignore those fields and leave them as they are by default.
  As per the "Bad request from NAS" and "Invalid message authenticator in EAP request" it is 99% of the times a Shared Secret Mismatch.
  Under the ACS Interface Configuration > Advanced Options > Is the Network Device Groups option enabled? If yes, please check the Shared Secret Key at the NDG level where the device was created. Remember the NDG Shared Secret takes precedence over the one configured on the AAA Client entry itself.
  Attaching an Example:
  AAA client with Shared Secret as "Cisco123":
  NDG Entry (which allocates AAA clients) with Shared Secret as "cisco"
  In order to check the NDG Shared Secret go to Network Configuration > Click the appropriate NDG > Scroll to the bottom and click on Edit Properties.:

• Integrating AAA Radius-server with Micro-soft IAS for SSH

  Hi,
  I am configuring aaa-server on ASA-5505(Radius) and i am Using microsoft IAS for authentication for SSH connections on ASA, so during " test aaa-server authentication " i getting this message
  ERROR: Authentication Server not responding: AAA decode failure.. server secret mismatch
  All users are there on active  directory  And below are the debug radius and debug aaa authentication.
  ASA# test aaa-server authentication SSH-TULIP-ASA host 172.16.1.10 usern$
  INFO: Attempting Authentication test to IP address <172.16.1.10> (timeout: 12 seconds)
  radius mkreq: 0xd4
  alloc_rip 0xd83bb99c
      new request 0xd4 --> 124 (0xd83bb99c)
  got user 'praveeny'
  got password
  add_req 0xd83bb99c session 0xd4 id 124
  RADIUS_REQUEST
  radius.c: rad_mkpkt
  RADIUS packet decode (authentication request)
  Raw packet data (length = 66).....
  01 7c 00 42 37 a4 0d c2 d3 10 09 0e 2f 3c c5 1a    |  .|.B7......./<..
  4b 28 41 e6 01 0a 70 72 61 76 65 65 6e 79 02 12    |  K(A...praveeny..
  a1 8f e1 ae 58 dd c2 52 d6 37 f7 32 13 3a 1c 71    |  ....X..R.7.2.:.q
  04 06 ac 1e 1e 06 05 06 00 00 00 0e 3d 06 00 00    |  ............=...
  00 05                                              |  ..
  Parsed packet data.....
  Radius: Code = 1 (0x01)
  Radius: Identifier = 124 (0x7C)
  Radius: Length = 66 (0x0042)
  Radius: Vector: 37A40DC2D310090E2F3CC51A4B2841E6
  Radius: Type = 1 (0x01) User-Name
  Radius: Length = 10 (0x0A)
  Radius: Value (String) =
  70 72 61 76 65 65 6e 79                            |  praveeny
  Radius: Type = 2 (0x02) User-Password
  Radius: Length = 18 (0x12)
  Radius: Value (String) =
  a1 8f ERROR: Authentication Server not responding: AAA decode failure.. server secret mismatch
  Tulip-ASA# e1 ae 58 dd c2 52 d6 37 f7 32 13 3a 1c 71    |  ....X..R.7.2.:.q
  Radius: Type = 4 (0x04) NAS-IP-Address
  Radius: Length = 6 (0x06)
  Radius: Value (IP Address) = 172.30.30.6 (0xAC1E1E06)
  Radius: Type = 5 (0x05) NAS-Port
  Radius: Length = 6 (0x06)
  Radius: Value (Hex) = 0xE
  Radius: Type = 61 (0x3D) NAS-Port-Type
  Radius: Length = 6 (0x06)
  Radius: Value (Hex) = 0x5
  send pkt 172.16.1.10/1645
  rip 0xd83bb99c state 7 id 124
  rad_vrfy() : bad req auth
  rad_procpkt: radvrfy fail
  RADIUS_DELETE
  remove_req 0xd83bb99c session 0xd4 id 124
  free_rip 0xd83bb99c
  radius: send queue empty
  Thanks in advance all comments and suggestion are welcome
  Regards,
  Praveen

  Hi,
  RADIUS as a protocol does not support command accounting, ie., logging of commands that a users enters once authenticated to a router/switch. You will need to use TACACS+ for this purpose. The aaa command accounting commands that you used has been removed from IOS since 12.2T. Please take a look at this for details: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCdp57020.
  Thanks,
  Wen

• ACS Express radius authentication AD authorization

  I work at a University and for some reason we have multiple systems for authentication and authorization.  That being said I am trying to use radius to do authentication and AD for authorization for VPNs.  I have the radius authentication working against our radius server.  I have my ACS express setup to join the AD domain and everything looks good there.  I setup the AD server as a radius object in AAA server groups on my ASA.  Then I add the server below in the servers in selected groups window.  I put all the info in there and when I hit test I click authorization and put in the username that I know is in the domain group I have associated with this on the ACS.  The test fails and with authorization failed with invalid password.  When I look at the logs on the ACS I see
  01/06/2011 20:14:26 acsxp/server Warning Server 0 AD Agent Plain Text Authentication Failed for user: username@domain
  01/06/2011 20:14:26 acsxp/server Warning Server 0 Authentication for user username failed for reason = 0
  01/06/2011 20:14:26 acsxp/server Error Protocol 0 Request from 172.20.5.2: User username rejected . by RemoteServer: AD (InvalidPassword). 
  Username and domain are correct I just edited them for posting.  It seems like it is trying to authenticate rather than authorize.  All I want it to do is say yes the user is in this group or no the user is not in this group?  You can't even fill in the password when testing authorization?  Maybe I have something setup wrong on the ACS side but when I look at AD under users and identity stores, it says it is joined to the domain.  When I do AD domain diagnostics under troubleshooting everything looks good.  I have the ASA I am testing from defined as a device and in the ASA device group.  Under access services in Radius access services I have one service that I setup that connects to the AD and it found the group so I know it is connecting.  Any idea what I am doing wrong or where to look?
  Any help would be GREATLY appreciated!
  Thanks
  Joe

  Hi Joe,
  We could take a deeper look at what is happening through some logs and debugs:
  1. On ACS Express, under
  Reports & Troubleshooting > Troubleshooting > Server Logs
  please set the Express Server Trace Level to 5 and the Web Server Trace Level to 4.
  Also, for the Log Level under OS Logging, please set its value to "Debug".
  If previous old logs are not essential to you, you may also wanna delete all the log files first, so that we capture logs for the last day only.
  2. On the ASA, please enable the following debugs
  debug aaa authentication
  debug aaa authorization
  debug radius
  3. Then please first recreate a successful authentication attempt, and then recreate the authorization test issue with the same user account for which you tested the successful authentication.
  4. After the issue is recreated, please attach the debugs from the ASA and following files from the ACS Server Logs:
  acsxp_adagent.log
  acsxp_agent_server.log
  acsxp_mcd.log
  acsxp_server.log
  acsxp_server_trace.log
  Regards,
  Fede
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

• RADIUS Authentication for Guest users

  Hi,
  I currently use a 4402 WLC located in our DMZ to authenticate Guest users - local authentication is in place.  I would not like to setup RADIUS authentication via a Cisco NAC server.  In order not to affect current guest users, I created a new WLAN and configured with RADIUS server details under WLANs->Edit->Security.  I can associate to new WLAN and obtain a DHCP address no problem, but when I browse to an external website, I do not get prompted for authentication from the RADIUS server.  I don't see any auth requests hitting our firewal, so am assuming the problem is with the WLC config.
  Can anyone provide any details of what config is required?
  Security Policy - Web-Auth
  Security-> L2 - None
  Security-> L3 - Authentication
  Security-> AAA Servers - Auth and Acc server set
  Many thanks
  Liam

  your setup sounds pretty okay. have you got local user accounts set up on the WLC for the test WLAN? if you do, check to see that the priority order for web authentication for the test WLAN prefers the AAA account. you will have to do it directly on your controller as i do not think you have that option in WCS.
  hope that helps

• WLC 4402 RADIUS Authentication with IAS

  Hello
  I configured a WLAN with PEAP (CHAP v2)and Radius authentication to a Win 2003 IAS Radius Server.
  On the controller 4402 the layer 2 security is set to WPA1+WPA2 with 802.1x authentication.
  The IAS server don't use the configured policy when a authentication reguest arrive.
  I there an issue with special RADIUS attributes or configuration items on the IAS Server?
  The following event appear in the windows logs:
  User STANS\kaesmr was denied access.
  Fully-Qualified-User-Name = STANS\kaesmr
  NAS-IP-Address = 172.17.25.6
  NAS-Identifier = keynet-01
  Called-Station-Identifier = 00-18-74-FB-CA-20:keynet
  Calling-Station-Identifier = 00-16-CE-52-C8-EB
  Client-Friendly-Name = Wireless-Controller
  Client-IP-Address = 172.17.25.6
  NAS-Port-Type = Wireless - IEEE 802.11
  NAS-Port = 1
  Proxy-Policy-Name = Windows-Authentifizierung f?r alle Benutzer verwenden
  Authentication-Provider = Windows
  Authentication-Server = <undetermined>
  Policy-Name = <undetermined>
  Authentication-Type = Extension
  EAP-Type = <undetermined>
  Reason-Code = 21
  Reason = The request was rejected by a third-party extension DLL file.

  What I understand from your post is that the authentication is not handled by your IAS server. IF I am correct, the problem might be with the "Allow AA override" option disabled in your WLAN. If it is enabled, then the AAA server or your IAS server will override the security parameters set locally on the controller.
  So, first ensure whether "Allow AAA override" is enabled under Controller--->WLAN field.
  Also, chek out the logs of the IAS server for obtaining more info on this.

• Aaa radius server control privilege level

  I've got radius authentication working on my switch, but I'm trying to allow two types of users login using Windows Active Directory. NetworkUsers who can view configuration and NetworkAdmins who can do anything. I would like for NetworkAdmins to when they login go directly into privilege level 15 but cant get that part to work. Here is my setup:
  Windows 2008 R2 Domain controller with NPS installed.
  Radius client: I have the IP of the switch along with the key. I have cisco selected under the vendor name in the advance tab
  Network Policies:
  NetworkAdmins which has the networkadmin group under conditions and under settings i have nothing listed under Standard and for Vendor Specific i have :
  Cisco-AV-Pair    Cisco    shell:priv-lvl=15
  My switch config:
  aaa new-model
  aaa group server radius MTFAAA
   server name dc-01
   server name dc-02
  aaa authentication login NetworkAdmins group MTFAAA local
  aaa authorization exec NetworkAdmins group MTFAAA local
  radius server dc-01
   address ipv4 10.0.1.10 auth-port 1645 acct-port 1646
   key 7 ******
  radius server dc-02
   address ipv4 10.0.1.11 auth-port 1645 acct-port 1646
   key 7 ******
  No matter what i do it doesnt default to privilege level 15 when i login. Any thoughts

  Have you specified the authorization exec group under line vty? I think it is authorization exec command. Something like that.

• AAA/Radius failures

  Have a couple of switches setup for AAA/Radius (Microsoft IAS running Radius). All authentication fails when I configure it with a radius key (matching on switch and server).
  When I remove the key, I still cant authenticate with my domain credentials, and can only authenticate using the local admin password configured on the switch on a few occasions.
  To get back into the switch I have to stop the IAS service on the Microsoft Radius server, log into the switch with the local admin password, before restarting the IAS service.
  How can I make AAA/Radius work effectively.

  Mark
  There are several things that you might do:
  - reconfigure a switch and reconfigure the Radius server for that switch to eliminate the possibility of configuration mismatch. I would be sure to key in clear text keys rather than cut and paste some encrypted value which you assume will be the same on both ends.
  - look on the server to see if there are any log entries that indicate that it saw authentication requests and why they failed.
  - run debugs on the switches to see what they are reporting.
  HTH
  Rick