AAA/Radius failures
I have a couple of switches set up for AAA/Radius (Microsoft IAS running Radius). All authentication fails when I configure it with a radius key (matching on switch and server).
When I remove the key, I still can't authenticate with my domain credentials, and can only authenticate using the local admin password configured on the switch on a few occasions.
To get back into the switch I have to stop the IAS service on the Microsoft Radius server, log into the switch with the local admin password, then restart the IAS service.
How can I make AAA/Radius work effectively?
Mark
There are several things that you might do:
- reconfigure a switch and reconfigure the Radius server for that switch to eliminate the possibility of configuration mismatch. I would be sure to key in clear text keys rather than cut and paste some encrypted value which you assume will be the same on both ends.
- look on the server to see if there are any log entries that indicate that it saw authentication requests and why they failed.
- run debugs on the switches to see what they are reporting.
HTH
Rick
Similar Messages
-
Integrating AAA Radius-server with Micro-soft IAS for SSH
Hi,
I am configuring aaa-server on an ASA-5505 (Radius) and I am using Microsoft IAS for authentication for SSH connections on the ASA, so during "test aaa-server authentication" I am getting this message:
ERROR: Authentication Server not responding: AAA decode failure.. server secret mismatch
All users are there on Active Directory, and below are the debug radius and debug aaa authentication outputs.
ASA# test aaa-server authentication SSH-TULIP-ASA host 172.16.1.10 usern$
INFO: Attempting Authentication test to IP address <172.16.1.10> (timeout: 12 seconds)
radius mkreq: 0xd4
alloc_rip 0xd83bb99c
new request 0xd4 --> 124 (0xd83bb99c)
got user 'praveeny'
got password
add_req 0xd83bb99c session 0xd4 id 124
RADIUS_REQUEST
radius.c: rad_mkpkt
RADIUS packet decode (authentication request)
Raw packet data (length = 66).....
01 7c 00 42 37 a4 0d c2 d3 10 09 0e 2f 3c c5 1a | .|.B7......./<..
4b 28 41 e6 01 0a 70 72 61 76 65 65 6e 79 02 12 | K(A...praveeny..
a1 8f e1 ae 58 dd c2 52 d6 37 f7 32 13 3a 1c 71 | ....X..R.7.2.:.q
04 06 ac 1e 1e 06 05 06 00 00 00 0e 3d 06 00 00 | ............=...
00 05 | ..
Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 124 (0x7C)
Radius: Length = 66 (0x0042)
Radius: Vector: 37A40DC2D310090E2F3CC51A4B2841E6
Radius: Type = 1 (0x01) User-Name
Radius: Length = 10 (0x0A)
Radius: Value (String) =
70 72 61 76 65 65 6e 79 | praveeny
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
a1 8f ERROR: Authentication Server not responding: AAA decode failure.. server secret mismatch
Tulip-ASA# e1 ae 58 dd c2 52 d6 37 f7 32 13 3a 1c 71 | ....X..R.7.2.:.q
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 172.30.30.6 (0xAC1E1E06)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0xE
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
send pkt 172.16.1.10/1645
rip 0xd83bb99c state 7 id 124
rad_vrfy() : bad req auth
rad_procpkt: radvrfy fail
RADIUS_DELETE
remove_req 0xd83bb99c session 0xd4 id 124
free_rip 0xd83bb99c
radius: send queue empty
Thanks in advance, all comments and suggestions are welcome.
Regards,
Praveen
Hi,
RADIUS as a protocol does not support command accounting, i.e., logging of commands that a user enters once authenticated to a router/switch. You will need to use TACACS+ for this purpose. The aaa command accounting commands that you used have been removed from IOS since 12.2T. Please take a look at this for details: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCdp57020.
Thanks,
Wen -
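The "server secret mismatch" the ASA reports in the debug above is a failed Response Authenticator check: per RFC 2865 the server signs every reply with MD5 over the reply header, the request's authenticator, the reply attributes and the shared secret, and the NAS recomputes that hash with its own copy of the secret ("rad_vrfy() : bad req auth" is that recomputation failing). As an added example, not code from the post or from Cisco, this Python re-types the 66-byte Access-Request from the hex dump above, parses it the way the "Parsed packet data" section does, and plays both sides of the exchange with matching and with differing secrets. The secrets Secret1/secret1 are constructed values; the server's reply is simulated, not a real IAS response.

```python
import hashlib
import hmac
import struct

# The 66-byte Access-Request re-typed from the "Raw packet data" dump in the debug above.
ACCESS_REQUEST = bytes.fromhex(
    "017c0042" "37a40dc2d310090e2f3cc51a4b2841e6"  # code=1, id=124, length=66, Request Authenticator
    "010a7072617665656e79"                         # User-Name "praveeny"
    "0212a18fe1ae58ddc252d637f732133a1c71"         # User-Password, hidden with MD5(secret + authenticator)
    "0406ac1e1e06" "05060000000e" "3d0600000005"   # NAS-IP-Address, NAS-Port, NAS-Port-Type
)
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 61: "NAS-Port-Type"}

def parse_radius(pkt):
    """Split a RADIUS packet into header fields and a list of (type, value) attributes."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("RADIUS length field does not match packet size")
    attrs, off = [], 20
    while off < length:
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("malformed attribute at offset %d" % off)
        attrs.append((atype, pkt[off + 2:off + alen]))
        off += alen
    return {"code": code, "id": ident, "authenticator": pkt[4:20], "attrs": attrs}

def attribute(parsed, atype):
    """First value of attribute type `atype`, or None if the packet does not carry it."""
    return next((v for t, v in parsed["attrs"] if t == atype), None)

def describe(parsed):
    """Render the packet in the style of the ASA's 'Parsed packet data' section."""
    lines = ["Code = %d, Identifier = %d" % (parsed["code"], parsed["id"]),
             "Vector: " + parsed["authenticator"].hex().upper()]
    for atype, value in parsed["attrs"]:
        lines.append("Type = %d (0x%02X) %s, Length = %d"
                     % (atype, atype, ATTR_NAMES.get(atype, "?"), len(value) + 2))
    return lines

def build_response(code, ident, request_auth, secret, attrs=b""):
    """Server side. RFC 2865 section 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def verify_response(resp, request_auth, secret):
    """NAS side: recompute the Response Authenticator with the NAS's own secret. A different
    secret on either end makes this fail, which is the ASA's 'rad_vrfy() : bad req auth'."""
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])

def exchange(request, nas_secret, server_secret):
    """Play both sides: the (simulated) server answers an Access-Reject signed with its secret,
    the NAS checks it with its own. Returns True only when the two secrets agree."""
    req = parse_radius(request)
    reject = build_response(3, req["id"], req["authenticator"], server_secret)
    return verify_response(reject, req["authenticator"], nas_secret)

if __name__ == "__main__":
    print("\n".join(describe(parse_radius(ACCESS_REQUEST))))
    print("matching secrets :", exchange(ACCESS_REQUEST, b"Secret1", b"Secret1"))
    print("different secrets:", exchange(ACCESS_REQUEST, b"Secret1", b"secret1"))
```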
What do IPSEC mean under Security - AAA - Radius - Authentication
I can't find exact information regarding the IPSec checkbox in Security -> AAA -> Radius -> Authentication.
On the Cisco Wireless LAN Controller Configuration Guide 5.1, it says "Check the IPSec check box to enable the IP security mechanism, or uncheck it to disable this feature. The default value is unchecked."
What exactly is meant by IP security mechanism?
Does this mean that I can terminate VPN clients over my WLC?
Take note that this option appears even though no crypto card is installed in my controller.
This is old code from the Airespace days. There used to be a VPN module that would ride in the WLC. No longer supported, well, can't buy it new, but if you had one already... you get the idea.
HTH,
Steve -
AAA Radius Authentication Queries
I have quite a few questions for implementing Radius for my network devices:
Q.1.) How to safely implement AAA Radius authentication to make sure users can log in using the LOCAL database in case the Radius fails.
Q.2.) How to provide only read access for a few users and full access to Administrators.
Q.3.) In case I save the config, will it be possible to log in to devices through any other alternative way (assuming both the Radius and Local credentials are not working)?
Q.4.) How to recover the password for devices, especially firewalls.
It would be great if someone can help me on these queries. Thanks in advance.
Regards,
gHP.
VSAs are collected by the RADIUS server during the accounting process when AAA is configured with the Debit Card feature. Data items are collected for each call leg created on the gateway. A call leg is the internal representation of a connection on the gateway. Each call made through the gateway consists of two call legs: incoming and outgoing. The call leg information emitted by the gateways can be correlated by the connection ID, which is the same for all call legs of a connection.
Use the H.323 VSA method of accounting when configuring the AAA application.
There are two modes:
• Overloaded Session-ID
Use the gw-accounting h323 syslog command to configure this mode.
• VSA
Use the gw-accounting h323 vsa command to configure this mode. -
Web Auth with AAA (RADIUS) Failure
Hi Guys,
We are having an issue with our Web Auth using AAA servers. We get the following error: AAA Authentication Failure for UserName:14t.park User Type: WLAN USER. This error is from the web interface. I have been looking at the debug settings to see if there is anything that might give me more detail of what is going on, but I can't see anything under the Web-Auth Debug for AAA Authentication.
I have checked on our RADIUS servers and I can't find any errors relating to authentication with the NPS.
Does anyone have any suggestions?
Machine credentials require a lookup on the computer OU and that has to be defined on the client side.
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered" -
Hi,
I want to use AAA (Radius Server) to do PEAP authentication. Can I use different Radius vendors or do I need to use CSACS ONLY?
You can use any Radius server; most of them (actually I guess all of them) support PEAP authentication.
IAS, FunkSteel, CSACS etc.... -
I just moved from a Windows 2003 IAS server over to Windows 2008 NPS and I am getting this message on the WLC: AAA Authentication Failure for UserName:VESLABCT10_15DO\Administrator User Type: WLAN USER. This is a test user. I double checked the password both for NPS and WLC. It worked great under Windows 2003 IAS. I installed certificate services on the Windows 2008 and exported the certificate and installed the certificate on the client. Any suggestions?
Maybe check the NPS logs for the reason for the failure? The WLC is just a forwarder in this case :-)
-
Client AAA Authentication Failure
Hi, I have configured a WLAN for AAA authentication and have configured AAA/Radius authentication on the WLC, however the clients don't get authenticated when they try to join. I have run a debug and I am getting an authentication rejected message from the radius server. Below is the output.
Access-Challenge received from RADIUS server 10.24.12.32 for mobile x.x.x.x receiveId = 5
*Dot1x_NW_MsgTask_4: Nov 18 15:52:47.915: x.x.x.x Processing Access-Challenge for mobile x.x.x.x
*Dot1x_NW_MsgTask_4: Nov 18 15:52:47.915: x.x.x.x WARNING: updated EAP-Identifier 1 ===> 27 for STA x.x.x.x
*Dot1x_NW_MsgTask_4: Nov 18 15:52:47.915: x.x.x.x Sending EAP Request from AAA to mobile x.x.x.x (EAP Id 27)
*Dot1x_NW_MsgTask_4: Nov 18 15:52:47.935: x.x.x.x Received EAPOL EAPPKT from mobile x.x.x.x
*Dot1x_NW_MsgTask_4: Nov 18 15:52:47.935: x.x.x.x Received EAP Response from mobile x.x.x.x (EAP Id 27, EAP Type 3)
*aaaQueueReader: Nov 18 15:52:47.935: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
*aaaQueueReader: Nov 18 15:52:47.935: x.x.x.x Successful transmission of Authentication Packet (id 76) to 10.24.12.32:1812, proxy state x.x.x.x-00:00
*radiusTransportThread: Nov 18 15:52:47.938: ****Enter processIncomingMessages: response code=3
****Enter processRadiusResponse: response code=3
*radiusTransportThread: Nov 18 15:52:47.938: x.x.x.x Access-Reject received from RADIUS server 10.24.12.32 for mobile x.x.x.x receiveId = 5
Thanks for the reply, I checked the logs and it shows the correct username who has attempted to log in and then for the same user it shows the machine name trying to log in. Could it be something to do with the client's configuration?
Is there any specific config that needs to be made on the clients, who are mostly Windows based devices? The user doesn't get prompted to enter a username or password even when 802.1X is selected for the Authentication. -
AAA Radius Authentication for Remote VPN With ACS Server Across L2L VPN
Hi,
I have an ASA running fine on the network which provides an L2L tunnel to a remote site and provides Remote VPN for remote access users.
Currently, there is a need for the users to authenticate against an ACS server that is located across the L2L VPN tunnel.
The topology is just simple with 2 interfaces on the ASA, inside and outside, and a default route pointing to the ISP IP address.
I can ping the IP address of the ACS Server (which is located at the remote site, IP addr: 10.10.10.56) from the ASA:
ping inside 10.10.10.56
However when I configure the ASA for the AAA group with commands:
aaa-server ACSAuth protocol radius
aaa-server ACSAuth host (inside) 10.10.10.56 key AcsSecret123
Then when I do the show run, here is the result:
aaa-server ACSAuth protocol radius
aaa-server host 10.10.10.56
key AcsSecret123
What I think is that, with this running config, traffic is not directed to the L2L VPN tunnel
(it seems to be directed to the default gateway due to the default route information), which causes the AAA authentication to fail.
Has anybody ever implemented such a thing, and is it possible? And if yes, what should the config be?
Your help will be really appreciated!
Thanks.
Best Regards,
Jo
AAA is designed to enable you to dynamically configure the type of authentication and authorization you want on a per-line (per-user) or per-service (for example, IP, IPX, or VPDN) basis. You define the type of authentication and authorization you want by creating method lists, then applying those method lists to specific services or interfaces.
http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/schaaa.html -
ISE - AAA radius authentication for NAD access
Hi ,
I have configured the switches to use the ISE as the Radius server to authenticate with; on the ISE I've configured an authentication policy
for the "NADs" using the "Wired Devices" group which points to the AD identity source to authenticate against.
While testing the login access to the switches we've come up with 2 results:
1. A domain user can indeed log in to the switch as intended.
2. Every domain user which exists in the AD identity source can log in; this is an undesired result.
So I am trying to search for a way to restrict access to the NADs to only a particular group belonging to the AD, for example the group/OU
of the IT_department only.
I haven't been successful; would appreciate any ideas on how to accomplish this.
Switch configurations :
=================
aaa new-model
aaa authentication login default group radius local
ISE Authentication policy
==================
Policy Name : NADs Authentication
Condition: "DEVICE:Device Type Equals :All Device Types#Wired"
Allowed Protocol : Default Network Access
use identity source : AD1
Thank you for the quick replies, and now OK, I've configured the following authorization policy:
Rule Name : Nad Auth
Conditions
if: Any
AND : AD1:ExternalGroups EQUALS IT_Departments
Permissions , then PermitAccess
What I don't understand is that it needs to match an "identity group", which can be either "Endpoint Identity group" or "Users Identity group"; I am limited with the if statement and cannot choose the same device group I chose before.
How can I do that? I am thinking ahead and asking myself if in other cases a user might match this policy rule and interfere? -
Autonomous AP, 12.3.8JE3. EAP-FAST on local radius failure
Hi all,
I've been trying to configure EAP-FAST on an Autonomous AP 1242 with the above firmware using local radius. Here is the config:
aaa new
aaa group server radius rad_eap
server x.x.x.x auth 1812 acct 1813
aaa authentication login eap_methods group rad_eap
dot11 ssid EAPFAST
vlan 10
authentication open eap eap_methods
authentication key wpa
int d0
encryption vlan 10 mode cipher aes
ssid EAPFAST
no shut
int d0.10
en do 10
bridge 10
int f0.10
en do 10
bridge 10
int f0.100
en do 100 na
bridge 1
int bvi
ip add x.x.x.x 255.255.255.0
radius-server local
eapfast authority info XYZ
eapfast server-key primary auto
nas x.x.x.x key ####
group FAST
eapfast pac expiry 2 grace 2
username eapfast password eapfast group FAST
radius-server host x.x.x.x auth 1812 acct 1813 key ####
For all my tests, I can get the 7921 phone to work. But using CSSC or even the Win7 supplicant, I can never get the authentication to go through. I think the EAP authentication is stuck at PAC provisioning. If I manually provision the PAC using TFTP, it will work. Any clue?
Alvin
Hi,
I was thinking it might be a firmware issue because during some debugs with PAC provisioning, there are some errors reporting some missing cipher suites. I shall try with a new firmware.
Alvin -
WLC AAA Radius to ISE - Multiple Domains in Single Forest
I am currently having a problem configuring AAA for management access to our wireless controllers.
Our active directory structure is as below: (note all domains are part of the same forest and full trusts between the domains)
Root Domain
Americas domain UK Domain EU Domain APAC Domain
Because of the multiple domains that exist, when admins log in they need to use their full UPN ([email protected]), since just using the username will only authenticate against the Root Domain and there may be duplicate usernames between the domains.
I can't even see the radius request hitting ISE, and I found out that this is due to a 24 character limit on the username field on the WLCs.
I don't have this issue with other IOS based devices.
I could just create some admin accounts in the root domain, but the problem is that lobbyadmin staff also need to authenticate and they will run into the same issue.
Don't know if someone has any suggestions for a possible workaround?
http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_45_multiple_active_directories.pdf
-
AnyConnect SSL-client Certificate AND AAA RADIUS
Hi All,
I'm trying to set up the AnyConnect VPN Phone feature. I have the license, and I have been able to get the phone to authenticate / register etc. with a username / password.
I want to use the cert on the phone, use the CN as the username and just verify that against my ACS server via RADIUS.... Easier said than done. The ASA is grabbing the username, but for the life of me, I can't get it to send the username over to the RADIUS server. I have enabled all sorts of aaa and radius debugging and just get no output at all...
Here are some relevant log messages I'm getting:
Starting SSL handshake with client outside:72.91.xx.xx/42501 for TLSv1 session
Certificate was successfully validated. serial number: 5C7DB8EB000000xxxxxx, subject name: cn=CP-7942G-SEP002155551BD7,ou=EVVBU,o=Cisco Systems Inc..
Certificate chain was successfully validated with warning, revocation status was not checked.
Tunnel group search using certificate maps failed for peer certificate: serial number: 5C7DB8EB000000xxxxxx, subject name: cn=CP-7942G-SEP002155551BD7,ou=EVVBU,o=Cisco Systems Inc., issuer_name: cn=Cisco Manufacturing CA,o=Cisco Systems.
Device completed SSL handshake with client outside:72.91.xx.xx/42501
Group SSLClientProfile: Authenticating ssl-client connection from 72.91.14.42 with username, CP-7942G-SEP002155551BD7, from client certificate
Teardown TCP connection 35754 for outside:72.91.xx.xx/42501 to identity:173.227.xxx.xxx/443 duration 0:00:05 bytes 5473 TCP Reset by appliance
Relevant Config:
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
authentication-server-group RADIUS
default-group-policy GroupPolicy1
tunnel-group SSLClientProfile webvpn-attributes
authentication aaa certificate
radius-reject-message
pre-fill-username ssl-client
group-alias SSLClientProfile enable
group-url https://URL enable
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
wins-server none
dns-server value <ip1> <ip2>
vpn-tunnel-protocol ssl-client
default-domain value xxxxxxxx
address-pools value VPNPOOL
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.102.242
key *****
aaa-server RADIUS (inside) host 192.168.240.242
key *****
ASA version 8.4
What am I doing wrong? It will not send the request to the AAA server, very much frustrating me...
Progress....
I changed the authentication to Certificate ONLY and set authorization to be RADIUS... now it's sending the request to my ACS server. Next question: what's the password that's being sent? Is it blank? I've tried the phone's whole username, tried the MAC and tried just the SEP part. No dice. Thoughts? -
Aaa radius server control privilege level
I've got radius authentication working on my switch, but I'm trying to allow two types of users to log in using Windows Active Directory: NetworkUsers who can view configuration and NetworkAdmins who can do anything. I would like NetworkAdmins to go directly into privilege level 15 when they log in, but can't get that part to work. Here is my setup:
Windows 2008 R2 Domain controller with NPS installed.
Radius client: I have the IP of the switch along with the key. I have Cisco selected under the vendor name in the advanced tab.
Network Policies:
NetworkAdmins, which has the networkadmin group under conditions; under settings I have nothing listed under Standard, and for Vendor Specific I have:
Cisco-AV-Pair Cisco shell:priv-lvl=15
My switch config:
aaa new-model
aaa group server radius MTFAAA
server name dc-01
server name dc-02
aaa authentication login NetworkAdmins group MTFAAA local
aaa authorization exec NetworkAdmins group MTFAAA local
radius server dc-01
address ipv4 10.0.1.10 auth-port 1645 acct-port 1646
key 7 ******
radius server dc-02
address ipv4 10.0.1.11 auth-port 1645 acct-port 1646
key 7 ******
No matter what I do it doesn't default to privilege level 15 when I log in. Any thoughts?
Have you specified the authorization exec group under line vty? I think it is the authorization exec command. Something like that.
-
Authentication Interface in AAA Radius Configuration
Hello,
we are trying to authenticate against a Radius Server.
Can you tell me which interface will be used for the authentication process?
With best regards
At least it looks like this:
Client ------------> Lightweight Access Point ----------------> WiSM --------X--------------> Radius Server
The WISM is Firmware is state 4.2 and the RADIUS Server is configured in the AAA setting as the Authentication Server and the Accounting Server.
The WISM has multiple interfaces by factory default: Management, ap-manager, service-port and virtual.
we added the interface test-Radius which is configured with the WLAN the Client connects to.
In the Trap view I can see that the Controller cannot reach the Radius Server.
I think the Controller uses the Interface management to get contact to the Radius.
But the Radius is only reachable over the test-Radius interface.
Can somebody tell me where I configure the controller to use the client interface "test-radius" to get in contact with the Radius?
Best regards