AAA RADIUS issue
Hello everybody.
I am having some trouble when lots of users try to connect via Anyconnect on my ASA (5545-X).
At the peak some users complain that they cannot authenticate and I see these messages flapping in the logs:
%ASA-2-113022: AAA Marking RADIUS server 1.1.1.1 in aaa-server group SRV-RADIUS1 as FAILED
%ASA-2-113023: AAA Marking RADIUS server 1.1.1.1 in aaa-server group SRV-RADIUS1 as ACTIVE
After a while it gets back to working normally and there are no more messages like that.
Is changing the "timeout" parameter (default is 10) to a higher number a good idea? Or could the problem be at the Radius server?
aaa-server SRV-RADIUS1 protocol radius
aaa-server SRV-RADIUS1 (inside) host 1.1.1.1
time-out 20
Thanks
Hi Vitor and sorry for the delayed reply! Your English is just fine! :)
I am glad that changing the "timeout" value has solved the problem.
On your second question: I never had to filter any attributes out of the ASA and I am not sure if it is possible. With that being said, I don't think that the issue was/is with the ASA sending too much logging/Radius info. If you only had around 10 concurrent users during your peak hours then there is no way that they overwhelmed the Radius server :) The fact that the issue went away after changing the "timeout" value leads me to believe that the problem is related to something else. For instance, RTT (round trip delay) between the aaa server and your ASA, or link saturation that causes bandwidth starvation, which causes the server to time out in the ASA... just some ideas here :)
I hope this helps!
Thank you for rating helpful posts!
Similar Messages
-
Hi folks.
I'm deploying BNG at ASR9k with IOS XR 4.3.1 and have some problems with RADIUS exchange. My current config is:
radius source-interface Loopback220 vrf default
radius-server host x.y.z.198 auth-port 1812 acct-port 1813
key test
aaa attribute format USERNAME
format-string length 253 "%s" outer-vlan-id
aaa attribute format NAS_PORT_FORMAT
circuit-id plus remote-id separator .
aaa radius attribute nas-port format e SSSSAAPPPPPVVVVVVVVVVVVVVVVVVVVV
aaa radius attribute nas-port-id format NAS_PORT_FORMAT
aaa group server radius BNG
server x.y.z.198 auth-port 1812 acct-port 1813
source-interface Loopback220
aaa accounting subscriber default group BNG
aaa authorization subscriber default group BNG
aaa authentication subscriber default group BNG
aaa authentication ppp default group BNG
dhcp ipv4
vrf INTERNET proxy profile IPV4_GROUP
profile IPV4_GROUP proxy
class INTERNET
match vrf INTERNET
helper-address vrf INTERNET x1.y1.z1.77 giaddr x2.y2.z2.129
limit lease per-remote-id 150
relay information option vpn
relay information option
relay information policy keep
relay information option allow-untrusted
interface TenGigE0/1/0/0.1 proxy profile IPV4_GROUP
Radius server is reachable from BNG with loopback220 source IP address.
interface TenGigE0/1/0/0.1
ipv4 point-to-point
ipv4 unnumbered Loopback200
service-policy type control subscriber IP_POLICY_BASIC
encapsulation dot1q 145 second-dot1q 1960
ipsubscriber ipv4 l2-connected
initiator dhcp
dynamic-template
type ipsubscriber IP_BASIC
ipv4 unnumbered Loopback200
class-map type control subscriber match-any DHCP
match protocol dhcpv4
end-class-map
policy-map type control subscriber IP_POLICY_BASIC
event session-start match-first
class type control subscriber DHCP do-until-failure
10 activate dynamic-template IP_BASIC
20 authorize aaa list default format USERNAME password test
end-policy-map
Radius debug info:
LC/0/1/CPU0:Aug 1 00:19:41.493 FET: radiusd[322]: ENTERING 'handle_nas_req'
LC/0/1/CPU0:Aug 1 00:19:41.493 FET: radiusd[322]: ENTERING 'radiusd_get_nas_identifier'
LC/0/1/CPU0:Aug 1 00:19:41.493 FET: radiusd[322]: ENTERING 'build_radius_pkt'
LC/0/1/CPU0:Aug 1 00:19:41.493 FET: radiusd[322]: EXITTING 'radiusd_get_nas_identifier'
LC/0/1/CPU0:Aug 1 00:19:41.493 FET: radiusd[322]: ENTERING 'build_radius_pkt_from_list'
LC/0/1/CPU0:Aug 1 00:19:41.494 FET: radiusd[322]: ENTERING 'radiusd_get_prepend_nas_id_to_session_id'
LC/0/1/CPU0:Aug 1 00:19:41.494 FET: radiusd[322]: EXITTING 'radiusd_get_prepend_nas_id_to_session_id'
LC/0/1/CPU0:Aug 1 00:19:41.494 FET: radiusd[322]: EXITTING 'build_radius_pkt_from_list'
LC/0/1/CPU0:Aug 1 00:19:41.494 FET: radiusd[322]: EXITTING 'build_radius_pkt'
LC/0/1/CPU0:Aug 1 00:19:41.494 FET: radiusd[322]: ENTERING 'radius_send_request_message'
LC/0/1/CPU0:Aug 1 00:19:41.494 FET: radiusd[322]: ENTERING 'radius_get_next_server'
LC/0/1/CPU0:Aug 1 00:19:41.494 FET: radiusd[322]: Server x.y.z.198/1812/1813 is UP & Quarantined: NO
LC/0/1/CPU0:Aug 1 00:19:41.494 FET: radiusd[322]: radius_get_next_server: Setting the preferred server handle to NULL
LC/0/1/CPU0:Aug 1 00:19:41.494 FET: radiusd[322]: Sending request to x.y.z.198:1812, with retry_limit: 3 and delay: 5
LC/0/1/CPU0:Aug 1 00:19:41.494 FET: radiusd[322]: EXITTING 'radius_get_next_server'
LC/0/1/CPU0:Aug 1 00:19:41.494 FET: radiusd[322]: ENTERING 'radius_set_ident_sock'
LC/0/1/CPU0:Aug 1 00:19:41.494 FET: radiusd[322]: EXITTING 'radius_set_ident_sock'
LC/0/1/CPU0:Aug 1 00:19:41.494 FET: radiusd[322]: ENTERING 'radius_ctx_db_insert_rctx'
LC/0/1/CPU0:Aug 1 00:19:41.494 FET: radiusd[322]: EXITTING (value 1) 'radius_ctx_db_insert_rctx'
LC/0/1/CPU0:Aug 1 00:19:41.494 FET: radiusd[322]: Sending request with id : 14/1347259508
LC/0/1/CPU0:Aug 1 00:19:41.495 FET: radiusd[322]: ENTERING 'send_radius_packet'
LC/0/1/CPU0:Aug 1 00:19:41.495 FET: radiusd[322]: ENTERING 'radius_add_mand_attrs'
LC/0/1/CPU0:Aug 1 00:19:41.495 FET: radiusd[322]: EXITTING 'radius_add_mand_attrs'
LC/0/1/CPU0:Aug 1 00:19:41.495 FET: radiusd[322]: ENTERING 'radius_get_nas_ip_address'
LC/0/1/CPU0:Aug 1 00:19:41.495 FET: radiusd[322]: Calling best local address using daemon address=x.y.z.198
LC/0/1/CPU0:Aug 1 00:19:41.495 FET: radiusd[322]: ENTERING 'get_ip_addr_from_fib'
LC/0/1/CPU0:Aug 1 00:19:41.495 FET: radiusd[322]: Address x.y.z.198 does not have a source address
LC/0/1/CPU0:Aug 1 00:19:41.495 FET: radiusd[322]: Got IP address: 0.0.0.0
LC/0/1/CPU0:Aug 1 00:19:41.495 FET: radiusd[322]: IP source address aaa util format: 0.0.0.0
LC/0/1/CPU0:Aug 1 00:19:41.495 FET: radiusd[322]: EXITTING 'get_ip_addr_from_fib'
LC/0/1/CPU0:Aug 1 00:19:41.495 FET: radiusd[322]: NAS best local address = 0.0.0.0
LC/0/1/CPU0:Aug 1 00:19:41.495 FET: radiusd[322]: EXITTING 'radius_get_nas_ip_address'
LC/0/1/CPU0:Aug 1 00:19:41.495 FET: radiusd[322]: Reencoding NAS-IP prev 0.0.0.0 new 0.0.0.0
LC/0/1/CPU0:Aug 1 00:19:41.495 FET: radiusd[322]: ENTERING 'radius_get_next_server'
LC/0/1/CPU0:Aug 1 00:19:41.495 FET: radiusd[322]: Server x.y.z.198/1812/1813 is UP & Quarantined: NO
LC/0/1/CPU0:Aug 1 00:19:41.495 FET: radiusd[322]: Failed aaa_sg_server_get_next_server with error 'qos-ea' detected the 'fatal' condition 'set exp imposition in egress is not permitted' rc = AFDF1600
LC/0/1/CPU0:Aug 1 00:19:41.495 FET: radiusd[322]: EXITTING 'radius_get_next_server' with error [A247C800] 'Subsystem(1167)' detected the 'fatal' condition 'Code(36)'
LC/0/1/CPU0:Aug 1 00:19:41.495 FET: radiusd[322]: NAS-IP-Address not found, Moving to next server in the server group
LC/0/1/CPU0:Aug 1 00:19:41.495 FET: radiusd[322]: Nas-IP-Address not found, dropping request
LC/0/1/CPU0:Aug 1 00:19:41.495 FET: radiusd[322]: Failed to send the request
Any workaround or recommendation to solve the issue?
I have the same problem on 5.1.1 software
aaa accounting system default start-stop group BNG
aaa group server radius BNG
server-private XX.XXX.XXX.8 auth-port 1812 acct-port 1813
key 7 000500140D551F031D324D5A490D000406
source-interface Loopback1
aaa authentication ppp default group BNG
aaa authentication login default local
dynamic-template
type ppp PPP_TPL
ppp authentication chap
ppp ipcp dns 8.8.8.8
ipv4 unnumbered Loopback2
interface Loopback1
ipv4 address 10.254.254.254 255.255.255.255
interface Loopback2
ipv4 address 10.254.254.253 255.255.255.255
interface MgmtEth0/RSP0/CPU0/0
ipv4 address 10.252.0.90 255.255.255.0
interface MgmtEth0/RSP0/CPU0/1
shutdown
interface TenGigE0/0/2/1.556
ipv4 address 10.56.0.1 255.255.255.0
service-policy type control subscriber PPP_PM
pppoe enable bba-group pppoe
encapsulation dot1q 556
aaa attribute format NAS_PORT_FORMAT
circuit-id plus remote-id separator .
aaa radius attribute nas-port format e SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU type 32
aaa radius attribute nas-port format e SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU
aaa radius attribute nas-port-id format NAS_PORT_FORMAT
aaa accounting subscriber default group BNG
aaa authorization subscriber default group BNG
aaa authentication subscriber default group BNG
pppoe bba-group pppoe
service selection disable
class-map type control subscriber match-any PPP
match protocol ppp
end-class-map
policy-map type control subscriber PPP_PM
event session-start match-first
class type control subscriber PPP do-until-failure
1 activate dynamic-template PPP_TPL
event session-activate match-first
class type control subscriber PPP do-until-failure
1 authenticate aaa list default
end-policy-map
The Radius server sends Access-Accept but on the router it isn't visible
LC/0/0/CPU0:Mar 6 15:48:32.499 : radiusd[327]: RADIUS: Send Access-Request to XX.XXX.XXX.8:1812 id 169, len 220
LC/0/0/CPU0:Mar 6 15:48:32.499 : radiusd[327]: RADIUS: authenticator D3 8C BA E1 87 32 81 3C - E7 47 78 79 20 C1 AC 57
LC/0/0/CPU0:Mar 6 15:48:32.499 : radiusd[327]: RADIUS: Vendor,Cisco [26] 41
LC/0/0/CPU0:Mar 6 15:48:32.499 : radiusd[327]: RADIUS: Cisco AVpair [1] 35 client-mac-address=000e.0c75.b6d9
LC/0/0/CPU0:Mar 6 15:48:32.499 : radiusd[327]: RADIUS: Acct-Session-Id [44] 10 0400003b
LC/0/0/CPU0:Mar 6 15:48:32.499 : radiusd[327]: RADIUS: NAS-Port [5] 6 2701140681
LC/0/0/CPU0:Mar 6 15:48:32.499 : radiusd[327]: RADIUS: NAS-Port-Id [87] 3 .
LC/0/0/CPU0:Mar 6 15:48:32.499 : radiusd[327]: RADIUS: Vendor,Cisco [26] 9
LC/0/0/CPU0:Mar 6 15:48:32.499 : radiusd[327]: RADIUS: cisco-nas-port [2] 3 .
LC/0/0/CPU0:Mar 6 15:48:32.499 : radiusd[327]: RADIUS: User-Name [1] 11 user1
LC/0/0/CPU0:Mar 6 15:48:32.499 : radiusd[327]: RADIUS: Service-Type [6] 6 Framed[0]
LC/0/0/CPU0:Mar 6 15:48:32.500 : radiusd[327]: RADIUS: CHAP-Password [3] 19 *
LC/0/0/CPU0:Mar 6 15:48:32.500 : radiusd[327]: RADIUS: CHAP-Challenge [60] 18 r^K d ^BZ-^E^B^_^S^Xd^U)
LC/0/0/CPU0:Mar 6 15:48:32.500 : radiusd[327]: Unsuppoted attribute.
LC/0/0/CPU0:Mar 6 15:48:32.500 : radiusd[327]: RADIUS: Vendor,Cisco [26] 33
LC/0/0/CPU0:Mar 6 15:48:32.500 : radiusd[327]: RADIUS: Cisco AVpair [1] 27 connect-progress=LCP Open
LC/0/0/CPU0:Mar 6 15:48:32.500 : radiusd[327]: RADIUS: Framed-Protocol [7] 6 PPP[0]
LC/0/0/CPU0:Mar 6 15:48:32.500 : radiusd[327]: RADIUS: NAS-Port-Type [61] 6 PPPoEoVLAN[0]
LC/0/0/CPU0:Mar 6 15:48:32.500 : radiusd[327]: RADIUS: Event-Timestamp [55] 6 1394102897
LC/0/0/CPU0:Mar 6 15:48:32.500 : radiusd[327]: RADIUS: Nas-Identifier [32] 14 asr9k_pppoe
LC/0/0/CPU0:Mar 6 15:48:32.500 : radiusd[327]: RADIUS: NAS-IP-Address [4] 6 XX.XXX.XXX.9
LC/0/0/CPU0:Mar 6 15:48:32.500 : radiusd[327]: Updating last used server
LC/0/0/CPU0:Mar 6 15:48:32.500 : radiusd[327]: EXITTING 'send_radius_packet'
LC/0/0/CPU0:Mar 6 15:48:32.500 : radiusd[327]: Got global deadtime 0
LC/0/0/CPU0:Mar 6 15:48:32.500 : radiusd[327]: Using global deadtime = 0 sec
LC/0/0/CPU0:Mar 6 15:48:32.500 : radiusd[327]: ENTERING 'start_dead_detect_timer'
LC/0/0/CPU0:Mar 6 15:48:32.500 : radiusd[327]: EXITTING 'start_dead_detect_timer'
LC/0/0/CPU0:Mar 6 15:48:32.500 : radiusd[327]: ENTERING 'radius_timer_update'
LC/0/0/CPU0:Mar 6 15:48:32.500 : radiusd[327]: EXITTING 'radius_timer_update'
LC/0/0/CPU0:Mar 6 15:48:32.500 : radiusd[327]: Updated timer thread rad_ident 169 remote_port 1812 remote_addr 0x30fb908c, socket 1342480676 rctx 0x5015b530
LC/0/0/CPU0:Mar 6 15:48:32.500 : radiusd[327]: ENTERING 'radius_timer_set_addl_context'
LC/0/0/CPU0:Mar 6 15:48:32.501 : radiusd[327]: EXITTING 'radius_timer_set_addl_context'
LC/0/0/CPU0:Mar 6 15:48:32.501 : radiusd[327]: ENTERING 'radius_timer_set_addl_context'
LC/0/0/CPU0:Mar 6 15:48:32.501 : radiusd[327]: EXITTING 'radius_timer_set_addl_context'
LC/0/0/CPU0:Mar 6 15:48:32.501 : radiusd[327]: ENTERING 'radius_timer_set_addl_context'
LC/0/0/CPU0:Mar 6 15:48:32.501 : radiusd[327]: EXITTING 'radius_timer_set_addl_context'
LC/0/0/CPU0:Mar 6 15:48:32.501 : radiusd[327]: ENTERING 'radius_timer_set_addl_context'
LC/0/0/CPU0:Mar 6 15:48:32.501 : radiusd[327]: EXITTING 'radius_timer_set_addl_context'
LC/0/0/CPU0:Mar 6 15:48:32.501 : radiusd[327]: Successfully sent packet and started timeout handler for rctx 0x5015b530
LC/0/0/CPU0:Mar 6 15:48:32.501 : radiusd[327]: EXITTING 'radius_send_request_message'
LC/0/0/CPU0:Mar 6 15:48:32.501 : radiusd[327]: EXITTING 'radius_timeout_handler'
LC/0/0/CPU0:Mar 6 15:48:37.508 : radiusd[327]: ENTERING 'radius_timeout_handler'
LC/0/0/CPU0:Mar 6 15:48:37.508 : radiusd[327]: ENTERING 'radius_timer_get_addl_context'
LC/0/0/CPU0:Mar 6 15:48:37.508 : radiusd[327]: ENTERING 'radius_timer_get_addl_context'
LC/0/0/CPU0:Mar 6 15:48:37.508 : radiusd[327]: ENTERING 'radius_timer_get_addl_context'
LC/0/0/CPU0:Mar 6 15:48:37.508 : radiusd[327]: ENTERING 'radius_timer_get_addl_context'
LC/0/0/CPU0:Mar 6 15:48:37.508 : radiusd[327]: Timeout happened for req rad_ident 169 remote_port 1812 remote_addr 0x50 socket 1342480676 rctx 5015b530
LC/0/0/CPU0:Mar 6 15:48:37.508 : radiusd[327]: ENTERING 'radius_ctx_db_get_and_remove_rctx'
LC/0/0/CPU0:Mar 6 15:48:37.508 : radiusd[327]: rctx found is 0x5015b530
LC/0/0/CPU0:Mar 6 15:48:37.508 : radiusd[327]: EXITTING 'radius_ctx_db_get_and_remove_rctx'
LC/0/0/CPU0:Mar 6 15:48:37.508 : radiusd[327]: ENTERING 'radius_send_request_message'
LC/0/0/CPU0:Mar 6 15:48:37.508 : radiusd[327]: Reached retry count for the server 3,Trying to move to next server
LC/0/0/CPU0:Mar 6 15:48:37.508 : radiusd[327]: ENTERING 'radius_get_next_server'
LC/0/0/CPU0:Mar 6 15:48:37.508 : radiusd[327]: Server XX.XXX.XXX28/1812/1813 is UP & Quarantined: NO
LC/0/0/CPU0:Mar 6 15:48:37.508 : radiusd[327]: EXITTING 'radius_get_next_server' with error [A247C800] 'Subsystem(1167)' detected the 'fatal' condition 'Code(36)'
LC/0/0/CPU0:Mar 6 15:48:37.508 : radiusd[327]: EXITTING 'radius_send_request_message' with error [A247C800] 'Subsystem(1167)' detected the 'fatal' condition 'Code(36)'
LC/0/0/CPU0:Mar 6 15:48:37.508 : radiusd[327]: ENTERING 'rad_nas_reply_to_client'
LC/0/0/CPU0:Mar 6 15:48:37.508 : radiusd[327]: rad_nas_reply_to_client: Received response from id : 169,packet type 1
LC/0/0/CPU0:Mar 6 15:48:37.508 : radiusd[327]: rad_nas_reply_to_client: Sending failover message to client
LC/0/0/CPU0:Mar 6 15:48:37.508 : radiusd[327]: EXITTING 'rad_nas_reply_to_client'
LC/0/0/CPU0:Mar 6 15:48:37.508 : radiusd[327]: EXITTING 'radius_timeout_handler'
I tried with a radius group and without it, and with different source-interface interfaces; it doesn't help.
Any thoughts on where to look? -
What do IPSEC mean under Security - AAA - Radius - Authentication
I can't find exact information regarding the IPSec checkbox in Security -> AAA -> Radius -> Authentication.
On the Cisco Wireless LAN Controller Configuration Guide 5.1, it says "Check the IPSec check box to enable the IP security mechanism, or uncheck it to disable this feature.
The default value is unchecked."
What exactly is meant by IP security mechanism?
Does this mean that I can terminate a VPN client on my WLC?
Take note that this option appeared even though no crypto card is installed in my controller.
This is old code from the Airespace days. There used to be a VPN module that would ride in the WLC. No longer supported, well, can't buy it new, but if you had one already... you get the idea.
HTH,
Steve -
Have a couple of switches setup for AAA/Radius (Microsoft IAS running Radius). All authentication fails when I configure it with a radius key (matching on switch and server).
When I remove the key, I still can't authenticate with my domain credentials, and can only authenticate using the local admin password configured on the switch on a few occasions.
To get back into the switch I have to stop the IAS service on the Microsoft Radius server, log into the switch with the local admin password, before restarting the IAS service.
How can I make AAA/Radius work effectively?
Mark
There are several things that you might do:
- reconfigure a switch and reconfigure the Radius server for that switch to eliminate the possibility of configuration mismatch. I would be sure to key in clear text keys rather than cut and paste some encrypted value which you assume will be the same on both ends.
- look on the server to see if there are any log entries that indicate that it saw authentication requests and why they failed.
- run debugs on the switches to see what they are reporting.
HTH
Rick -
AAA Radius Authentication Queries
Have quite a few questions for Implementing Radius for my network devices :
Q.1.) How to safely implement aaa Radius authentication to make sure users can log in using the LOCAL database in case the Radius fails.
Q.2.) How to provide only read access for a few users and full access to Administrators.
Q.3.) In case I save the config, will it be possible to log in to devices through any other alternative way (assuming both the radius and Local credentials are not working)?
Q.4.) How to recover the password for devices, especially firewalls.
It would be great if someone can help me with these queries. Thanks in advance.
Regards,
gHP.
VSAs are collected by the RADIUS server during the accounting process when AAA is configured with the Debit Card feature. Data items are collected for each call leg created on the gateway. A call leg is the internal representation of a connection on the gateway. Each call made through the gateway consists of two call legs: incoming and outgoing. The call leg information emitted by the gateways can be correlated by the connection ID, which is the same for all call legs of a connection.
Use the H.323 VSA method of accounting when configuring the AAA application.
There are two modes:
• Overloaded Session-ID
Use the gw-accounting h323 syslog command to configure this mode.
• VSA
Use the gw-accounting h323 vsa command to configure this mode. -
Hi,
I want to use AAA (Radius Server) to do PEAP authentication. Can I use different Radius vendors or do I need to use CSACS ONLY?
You can use any Radius server, most of them (actually I guess all of them) support PEAP authentication.
IAS, FunkSteel, CSACS etc.... -
WLC AAA Radius to ISE - Multiple Domains in Single Forrest
I am currently having a problem configuring AAA for management access to our wireless controllers.
Our active directory structure is as below: (note all domains are part of the same forest and full trusts between the domains)
Root Domain
Americas domain UK Domain EU Domain APAC Domain
Because of the multiple domains that exist, when admins log in they need to use their full UPN ([email protected]), since just using the username will only authenticate against the Root Domain and there may be duplicate usernames between the domains.
I can't even see the radius request hitting ISE and I found out that this is due to a 24 character limit on the username field on the WLCs.
I don't have this issue with other IOS based devices.
I could just create some admin accounts in the root domain but the problem is that lobby admin staff also need to authenticate and they will run into the same issue.
Don't know if someone has any suggestions for a possible workaround?
http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_45_multiple_active_directories.pdf
-
AAA Radius accounting command is not taking in 3750 switch
Hi Cisco Support community,
I am facing an issue with radius accounting in a Cisco 3750 switch with version 12.2. I am unable to start accounting for the radius server.
This is the config that is on the switch for Radius.
aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization exec my-authradius group radius if-authenticated
radius-server attribute 6 on-for-login-auth
radius-server dead-criteria time 20 tries 5
radius-server host 10.100.1.225 auth-port 1645 acct-port 1646 key 7 14341A5801103F3904266021
radius-server host 10.100.1.226 auth-port 1645 acct-port 1646 key 7 05280E5C2C585B1B390B4406
When I try to add the following commands for accounting, they are not saved.
(aaa accounting commands 0 default start-stop group radius
aaa accounting commands 1 default start-stop group radius
aaa accounting commands 15 default start-stop group radius)
If I paste these commands one by one, after "start-stop group" it shows only two options, either tacacs+ or server; there is no radius option either.
I tried to create a server group and add the radius server to the group. Even then, when I am trying to implement the aaa accounting command with the server command, it is not showing in show run.
Can anyone please help me with this issue.
Hi,
thanks for your reply but the thing is that I want to see the commands that are being run by a user on this particular device. If I use the network command it will only show me the network-related service requests, including Serial Line Internet Protocol (SLIP), PPP, PPP Network Control Protocols (NCPs), and AppleTalk Remote Access Protocol (ARAP).
I have read the document from this link and it is stating that we can use command accounting. Below is the link
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a1.html.
Can anyone please tell me if this is a version issue, because even in version 15.4 I was not seeing the radius option at the end:
aaa accounting commands 15 default start-stop group (radius) - in place of radius it was showing only tacacs+ or group. -
Hello!
I am troubleshooting a new 3750x stack install - everything is wonderful save two issues, one being RADIUS. I have mirrored the config of another working stack identically but am having no love with my RADIUS. Debug radius auth showed this - any ideas?
I have tried a few things including specifying my management VLAN interface as the source for RADIUS but it did not have any effect.
I am running 15.0(2)SE on IPBASEK9-M
10:22:43: RADIUS: AAA Unsupported Attr: interface [221] 4
10:22:43: RADIUS: 74 74 [ tt]
Thanks for your help
Hello - thank you for the replies and sorry for the delay
1 - Win 2k8R2 and the new client has been added to the server. I did not directly copy the config but build the new switch from scratch and just confirmed the settings match the other stack in prod.
Below is the relevant running config with some IPs scrubbed
version 15.0
no service pad
service timestamps debug uptime
service timestamps log datetime msec localtime
service password-encryption
hostname 3750
boot-start-marker
boot-end-marker
enable secret 4 AzOv8DBnWTvZk7TujZRsOLtF2TgDG0tElrIlbSOtolk
enable password 7 080F435C1D1C0947425C4D
username citjmf1 privilege 15 secret 4 5ou3p2/fFuAg1bx5ec2m4Okz4syLs3u2iDSkhU/Oe4.
username citjnc1 privilege 15 secret 4 LD86/rbfwBjQ5CiTYnoGnAH/v4ToI7qHtKnVuw31gUs
aaa new-model
aaa group server radius group1
server 10.10.220.130 auth-port 182 acct-port 1813
aaa authentication login default group group1 local
aaa session-id common
clock timezone EST -5 0
clock summer-time EDT recurring
switch 1 provision ws-c3750x-48
switch 2 provision ws-c3750x-48
system mtu routing 1500
ip domain-name
ip name-server
ip name-server
vtp domain
vtp mode transparent
udld aggressive
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree extend system-id
port-channel load-balance src-dst-ip
interface Vlan555
description Management
ip address x.x.x.x 255.255.255.0
ip default-gateway
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 x.x.x.x
logging history informational
radius-server host x.x.x.x auth-port 1812 acct-port 1813
radius-server key 7 13201A02021E010A7A767B
end
Below is the output of debug radius and debug aaa authen
I have confirmed the config is correct on the RADIUS server and I see no reason for this to not work.
Log Buffer (4096 bytes):
2d21h: AAA/BIND(0000008E): Bind i/f
2d21h: AAA/AUTHEN/LOGIN (0000008E): Pick method list 'default'
2d21h: RADIUS/ENCODE(0000008E): ask "Password: "
2d21h: RADIUS/ENCODE(0000008E): send packet; GET_PASSWORD
2d21h: RADIUS/ENCODE(0000008E):Orig. component type = Exec
2d21h: RADIUS: AAA Unsupported Attr: interface [221] 4
2d21h: RADIUS: 74 74 [ tt]
2d21h: RADIUS/ENCODE(0000008E): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
2d21h: RADIUS(0000008E): Config NAS IP: 0.0.0.0
2d21h: RADIUS(0000008E): Config NAS IPv6: ::
2d21h: RADIUS/ENCODE(0000008E): acct_session_id: 132
2d21h: RADIUS(0000008E): sending
2d21h: RADIUS/DECODE: No response from radius-server; parse response; FAIL
2d21h: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
2d21h: AAA/AUTHEN/LOGIN (0000008E): Pick method list 'default'
2d21h: RADIUS/ENCODE(0000008E): ask "Password: "
2d21h: RADIUS/ENCODE(0000008E): send packet; GET_PASSWORD
2d21h: RADIUS/ENCODE(0000008E):Orig. component type = Exec
2d21h: RADIUS: AAA Unsupported Attr: interface [221] 4
2d21h: RADIUS: 74 74 [ tt]
2d21h: RADIUS/ENCODE(0000008E): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
2d21h: RADIUS(0000008E): Config NAS IP: 0.0.0.0
2d21h: RADIUS(0000008E): Config NAS IPv6: ::
2d21h: RADIUS/ENCODE(0000008E): acct_session_id: 132
2d21h: RADIUS(0000008E): sending
2d21h: RADIUS/DECODE: No response from radius-server; parse response; FAIL
2d21h: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
2d21h: AAA: parse name=tty1 idb type=-1 tty=-1
2d21h: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
2d21h: AAA/MEMORY: create_user (0x3E3C4D0) user='citjnc1' ruser='NULL' ds0=0 port='tty1' rem_addr='10.10.10.122' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
2d21h: AAA/AUTHEN/START (4180928019): port='tty1' list='' action=LOGIN service=ENABLE
2d21h: AAA/AUTHEN/START (4180928019): console enable - default to enable password (if any)
2d21h: AAA/AUTHEN/START (4180928019): Method=ENABLE
2d21h: AAA/AUTHEN (4180928019): status = GETPASS
2d21h: AAA/AUTHEN/CONT (4180928019): continue_login (user='(undef)')
2d21h: AAA/AUTHEN (4180928019): status = GETPASS
2d21h: AAA/AUTHEN/CONT (4180928019): Method=ENABLE
2d21h: AAA/AUTHEN(4180928019): password incorrect
2d21h: AAA/AUTHEN (4180928019): status = FAIL
2d21h: AAA/MEMORY: free_user (0x3E3C4D0) user='NULL' ruser='NULL' port='tty1' rem_addr='10.10.10.122' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
2d21h: AAA: parse name=tty1 idb type=-1 tty=-1
2d21h: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
2d21h: AAA/MEMORY: create_user (0x7AF0A24) user='citjnc1' ruser='NULL' ds0=0 port='tty1' rem_addr='10.10.10.122' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
2d21h: AAA/AUTHEN/START (3135930977): port='tty1' list='' action=LOGIN service=ENABLE
2d21h: AAA/AUTHEN/START (3135930977): console enable - default to enable password (if any)
2d21h: AAA/AUTHEN/START (3135930977): Method=ENABLE
2d21h: AAA/AUTHEN (3135930977): status = GETPASS
2d21h: AAA/AUTHEN/CONT (3135930977): continue_login (user='(undef)')
2d21h: AAA/AUTHEN (3135930977): status = GETPASS
2d21h: AAA/AUTHEN/CONT (3135930977): Method=ENABLE
2d21h: AAA/AUTHEN (3135930977): status = PASS
2d21h: AAA/MEMORY: free_user (0x7AF0A24) user='NULL' ruser='NULL' port='tty1' rem_addr='10.10.10.122' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
I see I am not getting a response from my Radius server -
ISE - AAA radius authentication for NAD access
Hi ,
I have configured the switches to use the ISE as the Radius server to authenticate with. On the ISE I've configured an authentication policy
for the "NADs" using the "Wired Devices" group which points to the AD identity source to authenticate against.
While testing the login access to the switches we've come up with 2 results:
1. A domain user can indeed log in to the switch as intended.
2. Every domain user which exists in the AD identity source can log in; this is an undesired result.
So I am trying to search for a way to restrict access to the NADs to only a particular group belonging to the AD, for example the group/OU
of the IT_department only.
I haven't been successful; would appreciate any ideas on how to accomplish this.
Switch configurations :
=================
aaa new-model
aaa authentication login default group radius local
ISE Authentication policy
==================
Policy Name : NADs Authentication
Condition: "DEVICE:Device Type Equals :All Device Types#Wired"
Allowed Protocol : Default Network Access
use identity source : AD1
Thank you for the quick replies, and now OK, I've configured the following authorization policy:
Rule Name : Nad Auth
Conditions
if: Any
AND : AD1:ExternalGroups EQUALS IT_Departments
Permissions , then PermitAccess
What I don't understand is that it needs to match an "identity group", which can be either "Endpoint Identity group" or "Users Identity group". I am limited with the if statement and cannot choose the same device group I chose before.
How can I do that? I am thinking ahead and asking myself if in other cases a user might match this policy rule and interfere? -
We keep getting the following error, and every time we get this, the clients are forced to re-authenticate.
Any idea?
Thanks,
RADIUS server 10.108.32.33:1812 activated on WLAN 1
RADIUS server 10.140.4.9:1812 deactivated on WLAN 1
Go to clients. Look up the client by MAC address and look at the PEM state. It will tell you why the client is failing..
DHCP_REQ means there is a DHCP issue
8021x_REQ means it failed auth
You could also turn off exclude as a test, perhaps these clients are a little slow to auth.
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection." -
Integrating AAA Radius-server with Microsoft IAS for SSH
Hi,
I am configuring aaa-server on an ASA-5505 (Radius) and I am using Microsoft IAS for authentication for SSH connections on the ASA, so during "test aaa-server authentication" I get this message:
ERROR: Authentication Server not responding: AAA decode failure.. server secret mismatch
All users are there on active directory And below are the debug radius and debug aaa authentication.
ASA# test aaa-server authentication SSH-TULIP-ASA host 172.16.1.10 usern$
INFO: Attempting Authentication test to IP address <172.16.1.10> (timeout: 12 seconds)
radius mkreq: 0xd4
alloc_rip 0xd83bb99c
new request 0xd4 --> 124 (0xd83bb99c)
got user 'praveeny'
got password
add_req 0xd83bb99c session 0xd4 id 124
RADIUS_REQUEST
radius.c: rad_mkpkt
RADIUS packet decode (authentication request)
Raw packet data (length = 66).....
01 7c 00 42 37 a4 0d c2 d3 10 09 0e 2f 3c c5 1a | .|.B7......./<..
4b 28 41 e6 01 0a 70 72 61 76 65 65 6e 79 02 12 | K(A...praveeny..
a1 8f e1 ae 58 dd c2 52 d6 37 f7 32 13 3a 1c 71 | ....X..R.7.2.:.q
04 06 ac 1e 1e 06 05 06 00 00 00 0e 3d 06 00 00 | ............=...
00 05 | ..
Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 124 (0x7C)
Radius: Length = 66 (0x0042)
Radius: Vector: 37A40DC2D310090E2F3CC51A4B2841E6
Radius: Type = 1 (0x01) User-Name
Radius: Length = 10 (0x0A)
Radius: Value (String) =
70 72 61 76 65 65 6e 79 | praveeny
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
a1 8f ERROR: Authentication Server not responding: AAA decode failure.. server secret mismatch
Tulip-ASA# e1 ae 58 dd c2 52 d6 37 f7 32 13 3a 1c 71 | ....X..R.7.2.:.q
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 172.30.30.6 (0xAC1E1E06)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0xE
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
send pkt 172.16.1.10/1645
rip 0xd83bb99c state 7 id 124
rad_vrfy() : bad req auth
rad_procpkt: radvrfy fail
RADIUS_DELETE
remove_req 0xd83bb99c session 0xd4 id 124
free_rip 0xd83bb99c
radius: send queue empty
Thanks in advance, all comments and suggestions are welcome.
Regards,
Praveen
Hi,
RADIUS as a protocol does not support command accounting, i.e., logging of the commands that a user enters once authenticated to a router/switch. You will need to use TACACS+ for this purpose. The aaa command accounting commands that you used have been removed from IOS since 12.2T. Please take a look at this for details: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCdp57020.
Thanks,
Wen -
Dear guys,
I deployed Cisco ISE for Network Access Control. My topology is as described in the attached image. I configured Cisco ISE as the Radius Server for Client Access Control. But I got some problems such as:
No Accounting Start. (I have configured accounting on the Switch 2960.)
Radius Request Dropped (attached image). These NAS IP Addresses are servers on the same subnet as Cisco ISE.
I would greatly appreciate any help you can give me in working through this problem.
Have a nice day,
Thanks and Regards,
Sorry for the late reply.
Here is my switch config.
Current configuration : 8630 bytes
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Switch
boot-start-marker
boot-end-marker
no logging console
enable password ******************
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting delay-start all
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
aaa accounting network default start-stop group radius
aaa server radius dynamic-author
client A.B.C.D server-key keystrings
aaa session-id common
system mtu routing 1500
vtp mode transparent
ip dhcp snooping
ip device tracking
crypto pki trustpoint TP-self-signed-447922560
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-447922560
revocation-check none
rsakeypair TP-self-signed-447922560
crypto pki certificate chain TP-self-signed-447922560
certificate self-signed 01
xxxxx
dot1x system-auth-control
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
vlan 139,153,401-402,999,1501-1502
interface FastEthernet0/11
switchport access vlan 139
switchport mode access
authentication host-mode multi-auth
authentication open
authentication port-control auto
authentication periodic
authentication timer inactivity 180
authentication violation restrict
mab
interface FastEthernet0/12
switchport access vlan 139
switchport mode access
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize vlan 139
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
interface GigabitEthernet0/1
switchport mode trunk
interface GigabitEthernet0/2
interface Vlan1
no ip address
interface Vlan139
ip address E.F.G.H 255.255.255.0
ip default-gateway I.J.K.L
ip http server
ip http secure-server
ip access-list extended ACL-ALLOW
permit ip any any
ip access-list extended ACL-DEFAULT
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
permit icmp any any
permit tcp any host A.B.C.D eq 8443
permit tcp any host A.B.C.D eq 443
permit tcp any host A.B.C.D eq www
permit tcp any host A.B.C.D eq 8905
permit tcp any host A.B.C.D eq 8909
permit udp any host A.B.C.D eq 8905
permit udp any host A.B.C.D eq 8909
deny ip any any
ip access-list extended ACL-WEBAUTH-REDIRECT
permit tcp any any eq www
permit tcp any any eq 443
deny ip any any
ip radius source-interface Vlan139
snmp-server community keystrings RW
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
snmp-server host A.B.C.D version 2c keystrings mac-notification
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host A.B.C.D auth-port 1812 acct-port 1813 key STRINGSKEY
radius-server vsa send accounting
radius-server vsa send authentication
line con 0
line vty 5 15
end
My switch version is
WS-2960 12.2(55)SE5 C2960-LANBASEK9-M
I would greatly appreciate any help you can give me in working through this problem. -
AnyConnect SSL-client Certificate AND AAA RADIUS
Hi All,
I'm trying to setup Anyconnect VPN Phone feature. I have the license, and I have been able to get the phone to authenticate / register etc with a username / password.
I want to use the cert on the phone, use the CN as the username and just verify that against my ACS server via RADIUS.... Easier said than done. The ASA is grabbing the username, but for the life of me, I can't get it to send the username over to the RADIUS server. I have enabled all sorts of aaa and radius debugging and just get no output at all...
Here are some relevant log messages I'm getting:
Starting SSL handshake with client outside:72.91.xx.xx/42501 for TLSv1 session
Certificate was successfully validated. serial number: 5C7DB8EB000000xxxxxx, subject name: cn=CP-7942G-SEP002155551BD7,ou=EVVBU,o=Cisco Systems Inc..
Certificate chain was successfully validated with warning, revocation status was not checked.
Tunnel group search using certificate maps failed for peer certificate: serial number: 5C7DB8EB000000xxxxxx, subject name: cn=CP-7942G-SEP002155551BD7,ou=EVVBU,o=Cisco Systems Inc., issuer_name: cn=Cisco Manufacturing CA,o=Cisco Systems.
Device completed SSL handshake with client outside:72.91.xx.xx/42501
Group SSLClientProfile: Authenticating ssl-client connection from 72.91.14.42 with username, CP-7942G-SEP002155551BD7, from client certificate
Teardown TCP connection 35754 for outside:72.91.xx.xx/42501 to identity:173.227.xxx.xxx/443 duration 0:00:05 bytes 5473 TCP Reset by appliance
Relevant Config:
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
authentication-server-group RADIUS
default-group-policy GroupPolicy1
tunnel-group SSLClientProfile webvpn-attributes
authentication aaa certificate
radius-reject-message
pre-fill-username ssl-client
group-alias SSLClientProfile enable
group-url https://URL enable
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
wins-server none
dns-server value <ip1> <ip2>
vpn-tunnel-protocol ssl-client
default-domain value xxxxxxxx
address-pools value VPNPOOL
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.102.242
key *****
aaa-server RADIUS (inside) host 192.168.240.242
key *****
ASA version 8.4
What am I doing wrong? It will not send the request to the AAA server, very much frustrating me...
Progress....
I changed the authentication to Certificate ONLY and set authorization to be RADIUS... now it's sending the request to my ACS server. Next question: What's the password that's being sent? Is it blank? I've tried the phone's whole username, tried the MAC and tried just the SEP part. No Dice. Thoughts? -
Aaa radius server control privilege level
I've got radius authentication working on my switch, but I'm trying to allow two types of users to log in using Windows Active Directory: NetworkUsers who can view the configuration and NetworkAdmins who can do anything. I would like NetworkAdmins to go directly into privilege level 15 when they log in, but I can't get that part to work. Here is my setup:
Windows 2008 R2 Domain controller with NPS installed.
Radius client: I have the IP of the switch along with the key. I have Cisco selected under the vendor name in the Advanced tab.
Network Policies:
NetworkAdmins, which has the networkadmin group under conditions, and under settings I have nothing listed under Standard and for Vendor Specific I have:
Cisco-AV-Pair Cisco shell:priv-lvl=15
My switch config:
aaa new-model
aaa group server radius MTFAAA
server name dc-01
server name dc-02
aaa authentication login NetworkAdmins group MTFAAA local
aaa authorization exec NetworkAdmins group MTFAAA local
radius server dc-01
address ipv4 10.0.1.10 auth-port 1645 acct-port 1646
key 7 ******
radius server dc-02
address ipv4 10.0.1.11 auth-port 1645 acct-port 1646
key 7 ******
No matter what I do it doesn't default to privilege level 15 when I log in. Any thoughts?
Have you specified the authorization exec group under line vty? I think it is authorization exec command. Something like that.