AAA/Radius failures

Have a couple of switches set up for AAA/Radius (Microsoft IAS running Radius). All authentication fails when I configure it with a radius key (matching on switch and server).
When I remove the key, I still can't authenticate with my domain credentials, and can only authenticate using the local admin password configured on the switch on a few occasions.
To get back into the switch I have to stop the IAS service on the Microsoft Radius server, log into the switch with the local admin password, then restart the IAS service.
How can I make AAA/Radius work effectively?

Mark
There are several things that you might do:
- reconfigure a switch and reconfigure the Radius server for that switch to eliminate the possibility of configuration mismatch. I would be sure to key in clear text keys rather than cut and paste some encrypted value which you assume will be the same on both ends.
- look on the server to see if there are any log entries that indicate that it saw authentication requests and why they failed.
- run debugs on the switches to see what they are reporting.
HTH
Rick

Similar Messages

  • Integrating AAA Radius-server with Microsoft IAS for SSH

    Hi,
    I am configuring aaa-server on ASA-5505 (Radius) and I am using Microsoft IAS for authentication for SSH connections on the ASA, so during "test aaa-server authentication" I get this message:
    ERROR: Authentication Server not responding: AAA decode failure.. server secret mismatch
    All users are there on Active Directory, and below are the debug radius and debug aaa authentication output.
    ASA# test aaa-server authentication SSH-TULIP-ASA host 172.16.1.10 usern$
    INFO: Attempting Authentication test to IP address <172.16.1.10> (timeout: 12 seconds)
    radius mkreq: 0xd4
    alloc_rip 0xd83bb99c
        new request 0xd4 --> 124 (0xd83bb99c)
    got user 'praveeny'
    got password
    add_req 0xd83bb99c session 0xd4 id 124
    RADIUS_REQUEST
    radius.c: rad_mkpkt
    RADIUS packet decode (authentication request)
    Raw packet data (length = 66).....
    01 7c 00 42 37 a4 0d c2 d3 10 09 0e 2f 3c c5 1a    |  .|.B7......./<..
    4b 28 41 e6 01 0a 70 72 61 76 65 65 6e 79 02 12    |  K(A...praveeny..
    a1 8f e1 ae 58 dd c2 52 d6 37 f7 32 13 3a 1c 71    |  ....X..R.7.2.:.q
    04 06 ac 1e 1e 06 05 06 00 00 00 0e 3d 06 00 00    |  ............=...
    00 05                                              |  ..
    Parsed packet data.....
    Radius: Code = 1 (0x01)
    Radius: Identifier = 124 (0x7C)
    Radius: Length = 66 (0x0042)
    Radius: Vector: 37A40DC2D310090E2F3CC51A4B2841E6
    Radius: Type = 1 (0x01) User-Name
    Radius: Length = 10 (0x0A)
    Radius: Value (String) =
    70 72 61 76 65 65 6e 79                            |  praveeny
    Radius: Type = 2 (0x02) User-Password
    Radius: Length = 18 (0x12)
    Radius: Value (String) =
    a1 8f ERROR: Authentication Server not responding: AAA decode failure.. server secret mismatch
    Tulip-ASA# e1 ae 58 dd c2 52 d6 37 f7 32 13 3a 1c 71    |  ....X..R.7.2.:.q
    Radius: Type = 4 (0x04) NAS-IP-Address
    Radius: Length = 6 (0x06)
    Radius: Value (IP Address) = 172.30.30.6 (0xAC1E1E06)
    Radius: Type = 5 (0x05) NAS-Port
    Radius: Length = 6 (0x06)
    Radius: Value (Hex) = 0xE
    Radius: Type = 61 (0x3D) NAS-Port-Type
    Radius: Length = 6 (0x06)
    Radius: Value (Hex) = 0x5
    send pkt 172.16.1.10/1645
    rip 0xd83bb99c state 7 id 124
    rad_vrfy() : bad req auth
    rad_procpkt: radvrfy fail
    RADIUS_DELETE
    remove_req 0xd83bb99c session 0xd4 id 124
    free_rip 0xd83bb99c
    radius: send queue empty
    Thanks in advance; all comments and suggestions are welcome.
    Regards,
    Praveen
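The "bad req auth" line in the debug above is the ASA failing to verify the Response Authenticator on the reply it got back from IAS, which is exactly what a shared-secret mismatch looks like on the NAS side (RFC 2865 section 3). As an added example (not code from the thread or from Cisco), the script below parses the Access-Request bytes from the "Raw packet data" dump above and then shows that check passing with a matching secret and failing with a different one. The secrets are constructed placeholders, and the User-Password attribute is left as hex because the real key is not on the page.

```python
"""Parse the Access-Request from the ASA debug and demonstrate the
Response Authenticator check that fails on a shared-secret mismatch."""
import hashlib
import hmac
import ipaddress
import struct

# The 66-byte Access-Request, re-typed from the hex dump in the debug output.
ACCESS_REQUEST = bytes.fromhex(
    "017c004237a40dc2d310090e2f3cc51a4b2841e6"   # code=1 id=124 len=66 + Request Authenticator
    "010a7072617665656e79"                       # User-Name "praveeny"
    "0212a18fe1ae58ddc252d637f732133a1c71"       # User-Password (hidden with the secret)
    "0406ac1e1e06"                               # NAS-IP-Address 172.30.30.6
    "05060000000e"                               # NAS-Port 14
    "3d0600000005"                               # NAS-Port-Type 5 (Virtual)
)

ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 61: "NAS-Port-Type"}


def parse_radius(pkt: bytes) -> dict:
    """Split a RADIUS packet into header fields and (name, value) attributes."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("RADIUS length field does not match packet size")
    authenticator = pkt[4:20]
    attrs, pos = [], 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        raw = pkt[pos + 2:pos + alen]
        if atype == 1:
            value = raw.decode("ascii")
        elif atype == 4:
            value = str(ipaddress.IPv4Address(raw))
        elif atype in (5, 61):
            value = struct.unpack("!I", raw)[0]
        else:
            value = raw.hex()  # User-Password stays opaque: it needs the secret
        attrs.append((ATTR_NAMES.get(atype, "Attr-%d" % atype), value))
        pos += alen
    return {"code": code, "id": ident, "length": length,
            "authenticator": authenticator.hex().upper(), "attrs": attrs}


def response_authenticator(code, ident, req_auth, attrs, secret):
    """ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def build_reply(code, ident, req_auth, secret, attrs=b""):
    """What the server sends back: header, Response Authenticator, attributes."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + response_authenticator(code, ident, req_auth, attrs, secret) + attrs


def verify_reply(reply, req_auth, secret):
    """The NAS-side check; False is the 'rad_vrfy() : bad req auth' outcome."""
    code, ident, _ = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, req_auth, reply[20:], secret)
    return hmac.compare_digest(reply[4:20], expected)


def demo_secret_mismatch():
    """Server signs an Access-Reject for id 124; NAS verifies with matching and wrong secrets."""
    req_auth = bytes.fromhex(parse_radius(ACCESS_REQUEST)["authenticator"])
    server_secret = b"constructed-server-secret"  # placeholder, not the real key
    reply = build_reply(3, 124, req_auth, server_secret)
    return (verify_reply(reply, req_auth, server_secret),
            verify_reply(reply, req_auth, b"constructed-nas-secret"))


if __name__ == "__main__":
    print(parse_radius(ACCESS_REQUEST))
    print("matching secret verifies, mismatched secret verifies:", demo_secret_mismatch())
```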

    Hi,
    RADIUS as a protocol does not support command accounting, i.e., logging of commands that a user enters once authenticated to a router/switch. You will need to use TACACS+ for this purpose. The aaa command accounting commands that you used have been removed from IOS since 12.2T. Please take a look at this for details: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCdp57020.
    Thanks,
    Wen

  • What does IPSec mean under Security - AAA - Radius - Authentication

    I can't find exact information regarding the IPSec checkbox in Security -> AAA -> Radius -> Authentication.
    On the Cisco Wireless LAN Controller Configuration Guide 5.1, it says "Check the IPSec check box to enable the IP security mechanism, or uncheck it to disable this feature.
    The default value is unchecked."
    What exactly is meant by IP security mechanism?
    Does this mean that I can terminate VPN clients over my WLC?
    Note that this option appears even though no crypto card is installed in my controller.

    This is old code from the Airespace days. There used to be a VPN module that would ride in the WLC. No longer supported, well can't buy it new, but if you had one already...you get the idea.
    HTH,
    Steve

  • AAA Radius Authentication Queries

    Have quite a few questions about implementing Radius for my network devices:
    Q.1.) How to safely implement aaa Radius authentication to make sure users can log in using the LOCAL database in case the Radius fails.
    Q.2.) How to provide only read access for a few users and full access to Administrators.
    Q 3.) In case I save the config, will it be possible to log in to devices through any other alternative way (assuming both the Radius and Local credentials are not working)?
    Q 4.) How to recover the password for devices, especially firewalls.
    Great it would be if someone can help me on these queries. Thanks in advance.
    Regards,
    gHP.

    VSAs are collected by the RADIUS server during the accounting process when AAA is configured with the Debit Card feature. Data items are collected for each call leg created on the gateway. A call leg is the internal representation of a connection on the gateway. Each call made through the gateway consists of two call legs: incoming and outgoing. The call leg information emitted by the gateways can be correlated by the connection ID, which is the same for all call legs of a connection.
    Use the H.323 VSA method of accounting when configuring the AAA application.
    There are two modes:
    • Overloaded Session-ID
      Use the gw-accounting h323 syslog command to configure this mode.
    • VSA
      Use the gw-accounting h323 vsa command to configure this mode.

  • Web Auth with AAA (RADIUS) Failure

    Hi Guys,
    We are having an issue with our Web Auth using AAA servers. We get the following error: AAA Authentication Failure for UserName:14t.park User Type: WLAN USER. This error is from the Web Interface. I have been looking at the debug settings to see if there is anything that might give me more detail of what is going on, but I can't see anything under the Web-Auth Debug for AAA Authentication.
    I have checked on our RADIUS servers and I can't find any errors relating to Authentication with the NPS.
    Does anyone have any suggestions?

    Machine credentials require a lookup on the computer OU and that has to be defined on the client side.
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • AAA Radius

    Hi,
    I want to use AAA (Radius Server) to do PEAP Authentication. Can I use different Radius vendors or do I need to use CSACS ONLY?

    You can use any Radius server; most of them (actually I guess all of them) support PEAP authentication.
    IAS, FunkSteel, CSACS etc....

  • AAA Authentication Failure

    I just moved from a Windows 2003 IAS server over to Windows 2008 NPS and I am getting this message on the WLC: AAA Authentication Failure for UserName:VESLABCT10_15DO\Administrator User Type: WLAN USER. This is a test user. I double checked the password both for NPS and WLC. It worked great under Windows 2003 IAS. I installed certificate services on the Windows 2008 server, exported the certificate and installed the certificate on the client. Any suggestions?

    Maybe check the NPS logs for the reason for the failure? WLC is just a forwarder in this case :-)

  • Client AAA Authentication Failure

    Hi, I have configured a WLAN for AAA authentication and have configured AAA/Radius authentication on the WLC, however the clients don't get authenticated when they try to join. I have run a debug and I am getting an authentication rejected message from the radius server. Below is the output.
    Access-Challenge received from RADIUS server 10.24.12.32 for mobile x.x.x.x receiveId = 5
    *Dot1x_NW_MsgTask_4: Nov 18 15:52:47.915: x.x.x.x Processing Access-Challenge for mobile x.x.x.x
    *Dot1x_NW_MsgTask_4: Nov 18 15:52:47.915: x.x.x.x WARNING: updated EAP-Identifier 1 ===> 27 for STA x.x.x.x
    *Dot1x_NW_MsgTask_4: Nov 18 15:52:47.915: x.x.x.x Sending EAP Request from AAA to mobile x.x.x.x (EAP Id 27)
    *Dot1x_NW_MsgTask_4: Nov 18 15:52:47.935: x.x.x.x Received EAPOL EAPPKT from mobile x.x.x.x
    *Dot1x_NW_MsgTask_4: Nov 18 15:52:47.935: x.x.x.x Received EAP Response from mobile x.x.x.x (EAP Id 27, EAP Type 3)
    *aaaQueueReader: Nov 18 15:52:47.935: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
    *aaaQueueReader: Nov 18 15:52:47.935: x.x.x.x Successful transmission of Authentication Packet (id 76) to 10.24.12.32:1812, proxy state x.x.x.x-00:00
    *radiusTransportThread: Nov 18 15:52:47.938: ****Enter processIncomingMessages: response code=3
    ****Enter processRadiusResponse: response code=3
    *radiusTransportThread: Nov 18 15:52:47.938: x.x.x.x Access-Reject received from RADIUS server 10.24.12.32 for mobile x.x.x.x receiveId = 5

    Thanks for the reply. I checked the logs and they show the correct username who has attempted to log in, and then for the same user they show the machine name trying to log in. Could it be something to do with the client's configuration?
    Is there any specific config that needs to be made on the clients, which are mostly Windows-based devices? The user doesn't get prompted to enter a username or password even when 802.1X is selected for the Authentication.

  • AAA Radius Authentication for Remote VPN With ACS Server Across L2L VPN

    Hi,
    I have an ASA running fine on the network which provides an L2L tunnel to a remote site and provides Remote VPN for remote access users.
    Currently, there is a need for the users to authenticate against an ACS server that is located across the L2L VPN tunnel.
    The topology is just simple with 2 interfaces on the ASA, inside and outside, and a default route pointing to the ISP IP Address.
    I can ping the IP address of the ACS Server (which is located at the remote site, IP addr: 10.10.10.56) from the ASA:
    ping inside 10.10.10.56
    However when I configure the ASA for the AAA group with commands:
    aaa-server ACSAuth protocol radius
    aaa-server ACSAuth host (inside) 10.10.10.56 key AcsSecret123
    Then when I do the show run, here is the result:
    aaa-server ACSAuth protocol radius
    aaa-server host 10.10.10.56
    key AcsSecret123
    What I think is that, with this running config, traffic is not directed to the L2L VPN tunnel
    (it seems to be directed to the default gateway due to the default route), which causes the AAA authentication to fail.
    Has anybody ever implemented such a thing, and is it possible? And if yes, what should the config be?
    Your help will be really appreciated!
    Thanks.
    Best Regards,
    Jo

    AAA is designed to enable you to dynamically configure the type of authentication and authorization you want on a per-line (per-user) or per-service (for example, IP, IPX, or VPDN) basis. You define the type of authentication and authorization you want by creating method lists, then applying those method lists to specific services or interfaces.
    http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/schaaa.html

  • ISE - AAA radius authentication for NAD access

    Hi ,
    I have configured the switches to use the ISE as the Radius server to authenticate with. On the ISE I've configured an authentication policy
    for the "NADs" using the "Wired Devices" group which points to the AD identity source to authenticate against.
    While testing the login access to the switches we've come up with 2 results:
    1. A domain user can indeed login to the switch as intended.
    2. Every domain user which exists in the AD identity source can login; this is an undesired result.
    So I am trying to search for a way to restrict access to the NADs to only a particular group belonging to the AD, for example the group/OU
    of the IT_department only.
    I haven't been successful; would appreciate any ideas on how to accomplish this.
    Switch configurations :
    =================
    aaa new-model
    aaa authentication login default group radius local
    ISE Authentication policy
    ==================
    Policy Name : NADs Authentication
    Condition:  "DEVICE:Device Type Equals :All Device Types#Wired"
    Allowed Protocol : Default Network Access
    use identity source : AD1

    Thank you for the quick replies, and now OK, I've configured the following authorization policy:
    Rule Name : Nad Auth
    Conditions
    if: Any
    AND : AD1:ExternalGroups EQUALS IT_Departments
    Permissions , then PermitAccess
    What I don't understand is that it needs to match an "identity group" which can be either "Endpoint Identity group" or "Users Identity group". I am limited by the if statement and cannot choose the same device group I chose before.
    How can I do that? I am thinking ahead and asking myself if in other cases a user might match this policy rule and interfere?

  • Autonomous AP, 12.3.8JE3. EAP-FAST on local radius failure

    Hi all,
    I've been trying to configure EAP-FAST on an Autonomous AP 1242 with the above firmware using local radius. Here is the config:
    aaa new
    aaa group server radius rad_eap
    server x.x.x.x auth 1812 acct 1813
    aaa authentication login eap_methods group rad_eap
    dot11 ssid EAPFAST
    vlan 10
    authentication open eap eap_methods
    authentication key wpa
    int d0
    encryption vlan 10 mode cipher aes
    ssid EAPFAST
    no shut
    int d0.10
    en do 10
    bridge 10
    int f0.10
    en do 10
    bridge 10
    int f0.100
    en do 100 na
    bridge 1
    int bvi
    ip add x.x.x.x 255.255.255.0
    radius-server local
    eapfast authority info XYZ
    eapfast server-key primary auto
    nas x.x.x.x key ####
    group FAST
      eapfast pac expiry 2 grace 2
    username eapfast password eapfast group FAST
    radius-server host x.x.x.x auth 1812 acct 1813 key ####
    For all my tests, I can get the 7921 phone to work. But using CSSC or even the Win7 supplicant, I can never get the authentication to go through. I think the EAP authentication is stuck at PAC provisioning. If I manually provision the PAC using TFTP, it will work. Any clue?
    Alvin

    Hi,
    I was thinking it might be a firmware issue because during some debugs with PAC provisioning, there are some errors reporting some missing cipher suites. I shall try with a new firmware.
    Alvin

  • WLC AAA Radius to ISE - Multiple Domains in Single Forest

    I am currently having a problem configuring AAA for management access to our wireless controllers.
    Our active directory structure is as below: (note all domains are part of the same forest and full trusts between the domains)
    Root Domain
    Americas domain                UK Domain              EU Domain            APAC Domain
    Because of the multiple domains that exist, when admins log in they need to use their full UPN ([email protected]), since just using the username will only authenticate against the Root Domain and there may be duplicate usernames between the domains.
    I can't even see the radius request hitting ISE and I found out that this is due to a 24 character limit on the username field on the WLCs.
    I don't have this issue with other IOS based devices.
    I could just create some admin accounts in the root domain but the problem is that lobbyadmin staff also need to authenticate and they will run into the same issue.
    Don't know if someone has any suggestions for a possible workaround?

    http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_45_multiple_active_directories.pdf

  • AnyConnect SSL-client Certificate AND AAA RADIUS

    Hi All,
    I'm trying to setup Anyconnect VPN Phone feature. I have the license, and I have been able to get the phone to authenticate / register etc with a username / password.
    I want to use the cert on the phone, use the CN as the username and just verify that against my ACS server via RADIUS.... Easier said than done. The ASA is grabbing the username, but for the life of me, I can't get it to send the username over to the RADIUS server. I have enabled all sorts of aaa and radius debugging and just get no output at all...
    Here are some relevant log messages I'm getting:
    Starting SSL handshake with client outside:72.91.xx.xx/42501 for TLSv1 session
    Certificate was successfully validated. serial number: 5C7DB8EB000000xxxxxx, subject name:  cn=CP-7942G-SEP002155551BD7,ou=EVVBU,o=Cisco Systems Inc..
    Certificate chain was successfully validated with warning, revocation status was not checked.
    Tunnel group search using certificate maps failed for peer certificate:  serial number: 5C7DB8EB000000xxxxxx, subject name:  cn=CP-7942G-SEP002155551BD7,ou=EVVBU,o=Cisco Systems Inc., issuer_name:  cn=Cisco Manufacturing CA,o=Cisco Systems.
    Device completed SSL handshake with client outside:72.91.xx.xx/42501
    Group SSLClientProfile: Authenticating ssl-client connection from  72.91.14.42 with username, CP-7942G-SEP002155551BD7, from client  certificate
    Teardown TCP connection 35754 for outside:72.91.xx.xx/42501 to  identity:173.227.xxx.xxx/443 duration 0:00:05 bytes 5473 TCP Reset by  appliance
    Relevant Config:
    tunnel-group SSLClientProfile type remote-access
    tunnel-group SSLClientProfile general-attributes
    authentication-server-group RADIUS
    default-group-policy GroupPolicy1
    tunnel-group SSLClientProfile webvpn-attributes
    authentication aaa certificate
    radius-reject-message
    pre-fill-username ssl-client
    group-alias SSLClientProfile enable
    group-url https://URL enable
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
    wins-server none
    dns-server value <ip1> <ip2>
    vpn-tunnel-protocol ssl-client
    default-domain value xxxxxxxx
    address-pools value VPNPOOL
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host 192.168.102.242
    key *****
    aaa-server RADIUS (inside) host 192.168.240.242
    key *****
    ASA version 8.4
    What am I doing wrong? It will not send the request to the AAA server, which is very much frustrating me...

    Progress....
    I changed the authentication to Certificate ONLY and set authorization to be RADIUS... now it's sending the request to my ACS server. Next question: What's the password that's being sent? Is it blank? I've tried the phone's whole username, tried the MAC and tried just the SEP part. No dice. Thoughts?

  • Aaa radius server control privilege level

    I've got radius authentication working on my switch, but I'm trying to allow two types of users to log in using Windows Active Directory: NetworkUsers who can view configuration and NetworkAdmins who can do anything. I would like NetworkAdmins, when they log in, to go directly into privilege level 15 but can't get that part to work. Here is my setup:
    Windows 2008 R2 Domain controller with NPS installed.
    Radius client: I have the IP of the switch along with the key. I have Cisco selected under the vendor name in the Advanced tab.
    Network Policies:
    NetworkAdmins, which has the networkadmin group under conditions; under settings I have nothing listed under Standard, and for Vendor Specific I have:
    Cisco-AV-Pair    Cisco    shell:priv-lvl=15
    My switch config:
    aaa new-model
    aaa group server radius MTFAAA
     server name dc-01
     server name dc-02
    aaa authentication login NetworkAdmins group MTFAAA local
    aaa authorization exec NetworkAdmins group MTFAAA local
    radius server dc-01
     address ipv4 10.0.1.10 auth-port 1645 acct-port 1646
     key 7 ******
    radius server dc-02
     address ipv4 10.0.1.11 auth-port 1645 acct-port 1646
     key 7 ******
    No matter what I do it doesn't default to privilege level 15 when I log in. Any thoughts?

    Have you specified the authorization exec group under line vty? I think it is authorization exec command. Something like that.

  • Authentication Interface in AAA Radius Configuration

    Hello,
    we are trying to authenticate against a Radius Server.
    Can you tell me which interface will be used for the authentication process?
    With best regards

    At least it looks like this:
    Client   ------------> Lightweight Access Point  ----------------> WiSM --------X--------------> Radius Server
    The WiSM firmware is 4.2 and the RADIUS Server is configured in the AAA settings as the Authentication Server and the Accounting Server.
    The WiSM has multiple interfaces by factory default: Management, ap-manager, service-port and virtual.
    We added the interface test-Radius which is configured with the WLAN the client connects to.
    In the Trap view I can see that the Controller cannot reach the Radius Server.
    I think the Controller uses the Management interface to contact the Radius.
    But the Radius is only reachable over the test-Radius interface.
    Can somebody tell me where I configure the controller to use the client interface "test-radius" to get in contact with the Radius?
    Best regards
