AAA Radius

Hi,
I want to use AAA (RADIUS server) to do PEAP authentication. Can I use different RADIUS vendors, or do I need to use CSACS only?

You can use any RADIUS server; most of them (actually I guess all of them) support PEAP authentication:
IAS, Funk Steel-Belted, CSACS, etc.

Similar Messages

  • What do IPSEC mean under Security - AAA - Radius - Authentication

    I can't find exact information regarding the IPSec checkbox in Security -> AAA -> Radius -> Authentication.
    On the Cisco Wireless LAN Controller Configuration Guide 5.1, it says "Check the IPSec check box to enable the IP security mechanism, or uncheck it to disable this feature.
    The default value is unchecked."
    What exactly is meant by "IP security mechanism"?
    Does this mean that I can terminate VPN clients on my WLC?
    Take note that this option appears even though no crypto card is installed in my controller.

    This is old code from the Airespace days. There used to be a VPN module that would ride in the WLC. No longer supported; well, you can't buy it new, but if you had one already... you get the idea.
    HTH,
    Steve

  • AAA/Radius failures

    Have a couple of switches set up for AAA/RADIUS (Microsoft IAS running RADIUS). All authentication fails when I configure it with a RADIUS key (matching on switch and server).
    When I remove the key, I still can't authenticate with my domain credentials, and can only authenticate using the local admin password configured on the switch on a few occasions.
    To get back into the switch I have to stop the IAS service on the Microsoft RADIUS server, log into the switch with the local admin password, before restarting the IAS service.
    How can I make AAA/RADIUS work effectively?

    Mark
    There are several things that you might do:
    - reconfigure a switch and reconfigure the Radius server for that switch to eliminate the possibility of configuration mismatch. I would be sure to key in clear text keys rather than cut and paste some encrypted value which you assume will be the same on both ends.
    - look on the server to see if there are any log entries that indicate that it saw authentication requests and why they failed.
    - run debugs on the switches to see what they are reporting.
    HTH
    Rick

  • AAA Radius Authentication Queries

    Have quite a few questions for Implementing Radius for my network devices :
    Q.1.) How to safely implement AAA RADIUS authentication to make sure users can log in using the LOCAL database in case the RADIUS fails.
    Q.2.) How to provide only read access for a few users and full access to Administrators.
    Q.3.) In case I save the config, will it be possible to log in to devices through any other alternative way (assuming both the RADIUS and local credentials are not working)?
    Q.4.) How to recover the password for devices, especially firewalls.
    It would be great if someone could help me with these queries. Thanks in advance.
    Regards,
    gHP.


  • ISE - AAA radius authentication for NAD access

    Hi ,
    I have configured the switches to use the ISE as the RADIUS server to authenticate with. On the ISE I've configured an authentication policy
    for the "NADs" using the "Wired Devices" group, which points to the AD identity source to authenticate against.
    While testing the login access to the switches we've come up with 2 results:
    1. A domain user can indeed log in to the switch as intended.
    2. Every domain user which exists in the AD identity source can log in; this is an undesired result.
    So I am trying to search for a way to restrict access to the NADs to only a particular group belonging to the AD, for example the group/OU
    of the IT_department only.
    I haven't been successful; would appreciate any ideas on how to accomplish this.
    Switch configurations :
    =================
    aaa new-model
    aaa authentication login default group radius local
    ISE Authentication policy
    ==================
    Policy Name : NADs Authentication
    Condition:  "DEVICE:Device Type Equals :All Device Types#Wired"
    Allowed Protocol : Default Network Access
    use identity source : AD1

    Thank you for the quick replies. OK, I've configured the following authorization policy:
    Rule Name: Nad Auth
    Conditions
    if: Any
    AND: AD1:ExternalGroups EQUALS IT_Departments
    Permissions, then PermitAccess
    What I don't understand is that it needs to match an "identity group", which can be either "Endpoint Identity group" or "Users Identity group". I am limited by the if statement and cannot choose the same device group I chose before.
    How can I do that? I am thinking ahead and asking myself whether in other cases a user might match this policy rule and interfere.

  • Integrating AAA Radius-server with Microsoft IAS for SSH

    Hi,
    I am configuring aaa-server on ASA-5505 (RADIUS) and I am using Microsoft IAS for authentication for SSH connections on the ASA. During "test aaa-server authentication" I am getting this message:
    ERROR: Authentication Server not responding: AAA decode failure.. server secret mismatch
    All users are there on Active Directory. Below are the debug radius and debug aaa authentication output.
    ASA# test aaa-server authentication SSH-TULIP-ASA host 172.16.1.10 usern$
    INFO: Attempting Authentication test to IP address <172.16.1.10> (timeout: 12 seconds)
    radius mkreq: 0xd4
    alloc_rip 0xd83bb99c
        new request 0xd4 --> 124 (0xd83bb99c)
    got user 'praveeny'
    got password
    add_req 0xd83bb99c session 0xd4 id 124
    RADIUS_REQUEST
    radius.c: rad_mkpkt
    RADIUS packet decode (authentication request)
    Raw packet data (length = 66).....
    01 7c 00 42 37 a4 0d c2 d3 10 09 0e 2f 3c c5 1a    |  .|.B7......./<..
    4b 28 41 e6 01 0a 70 72 61 76 65 65 6e 79 02 12    |  K(A...praveeny..
    a1 8f e1 ae 58 dd c2 52 d6 37 f7 32 13 3a 1c 71    |  ....X..R.7.2.:.q
    04 06 ac 1e 1e 06 05 06 00 00 00 0e 3d 06 00 00    |  ............=...
    00 05                                              |  ..
    Parsed packet data.....
    Radius: Code = 1 (0x01)
    Radius: Identifier = 124 (0x7C)
    Radius: Length = 66 (0x0042)
    Radius: Vector: 37A40DC2D310090E2F3CC51A4B2841E6
    Radius: Type = 1 (0x01) User-Name
    Radius: Length = 10 (0x0A)
    Radius: Value (String) =
    70 72 61 76 65 65 6e 79                            |  praveeny
    Radius: Type = 2 (0x02) User-Password
    Radius: Length = 18 (0x12)
    Radius: Value (String) =
    a1 8f ERROR: Authentication Server not responding: AAA decode failure.. server secret mismatch
    Tulip-ASA# e1 ae 58 dd c2 52 d6 37 f7 32 13 3a 1c 71    |  ....X..R.7.2.:.q
    Radius: Type = 4 (0x04) NAS-IP-Address
    Radius: Length = 6 (0x06)
    Radius: Value (IP Address) = 172.30.30.6 (0xAC1E1E06)
    Radius: Type = 5 (0x05) NAS-Port
    Radius: Length = 6 (0x06)
    Radius: Value (Hex) = 0xE
    Radius: Type = 61 (0x3D) NAS-Port-Type
    Radius: Length = 6 (0x06)
    Radius: Value (Hex) = 0x5
    send pkt 172.16.1.10/1645
    rip 0xd83bb99c state 7 id 124
    rad_vrfy() : bad req auth
    rad_procpkt: radvrfy fail
    RADIUS_DELETE
    remove_req 0xd83bb99c session 0xd4 id 124
    free_rip 0xd83bb99c
    radius: send queue empty
    Thanks in advance all comments and suggestion are welcome
    Regards,
    Praveen

    Hi,
    RADIUS as a protocol does not support command accounting, i.e., logging of commands that a user enters once authenticated to a router/switch. You will need to use TACACS+ for this purpose. The aaa command accounting commands that you used have been removed from IOS since 12.2T. Please take a look at this for details: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCdp57020.
    Thanks,
    Wen
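The debug above shows the request leaving the ASA intact and the failure surfacing only when the reply comes back (rad_vrfy() : bad req auth). As an added example, not part of the thread, the Python below decodes the 66 bytes from the "Raw packet data" dump and reproduces the two places the shared secret enters a RADIUS exchange (RFC 2865): the User-Password hiding in the request and the Response Authenticator that the NAS checks on the reply. The secret, the cleartext password and the server's reply are constructed values, since the thread does not reveal them; only the request bytes are the ones from the dump.

```python
"""Added example (not from the thread): decode the Access-Request the ASA
printed and show where the shared secret enters the exchange (RFC 2865).
The secret, password and Access-Accept below are assumed values."""
import hashlib
import hmac
import struct

# The 66 raw bytes shown in the thread's "Raw packet data" dump.
ACCESS_REQUEST = bytes.fromhex(
    "017c004237a40dc2d310090e2f3cc51a"
    "4b2841e6010a7072617665656e790212"
    "a18fe1ae58ddc252d637f732133a1c71"
    "0406ac1e1e0605060000000e3d060000"
    "0005"
)

ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 18: "Reply-Message", 61: "NAS-Port-Type"}


def parse_packet(raw: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...])."""
    if len(raw) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("Length field %d != %d bytes on the wire" % (length, len(raw)))
    authenticator = raw[4:20]
    attrs, pos = [], 20
    while pos < length:
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, raw[pos + 2:pos + alen]))
        pos += alen
    return code, ident, authenticator, attrs


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: what the server does with its copy of the secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_response(code: int, ident: int, request_auth: bytes, attrs, secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: the check that fails ('bad req auth') when the two secrets differ."""
    header, resp_auth, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def demo():
    code, ident, auth, attrs = parse_packet(ACCESS_REQUEST)
    named = {ATTR_NAMES.get(t, t): v for t, v in attrs}
    # Assumed values: the real secret, password and reply are not in the thread.
    secret, password = b"assumed-shared-secret", b"assumed-password"
    hidden = hide_password(password, secret, auth)
    accept = build_response(2, ident, auth, [(18, b"constructed reply")], secret)
    return {
        "code": code, "id": ident,
        "user": named["User-Name"].decode(),
        "nas_ip": ".".join(str(b) for b in named["NAS-IP-Address"]),
        "password_roundtrip": unhide_password(hidden, secret, auth) == password,
        "accept_ok_with_right_secret": verify_response(accept, auth, secret),
        "accept_ok_with_wrong_secret": verify_response(accept, auth, b"other-secret"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Nothing in the request itself lets the NAS detect a wrong secret: the packet goes out fine (the debug shows it sent to 172.16.1.10/1645) and the first symptom is a reply whose Response Authenticator does not verify under the ASA's copy of the secret, which is what rad_vrfy() reports. A "server secret mismatch" that appears only after a successful send therefore points at the key on one side, or at the wrong RADIUS client entry on the server, rather than at reachability.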

  • WLC AAA Radius to ISE - Multiple Domains in Single Forest

    I am currently having a problem configuring AAA for management access to our wireless controllers.
    Our active directory structure is as below: (note all domains are part of the same forest and full trusts between the domains)
    Root Domain
    Americas domain                UK Domain              EU Domain            APAC Domain
    Because of the multiple domains that exist, when admins log in they need to use their full UPN ([email protected]), since just using the username will only authenticate against the Root Domain and there may be duplicate usernames between the domains.
    I can't even see the RADIUS request hitting ISE, and I found out that this is due to a 24 character limit on the username field on the WLCs.
    I don't have this issue with other IOS based devices.
    I could just create some admin accounts in the root domain, but the problem is that lobby admin staff also need to authenticate and they will run into the same issue.
    Don't know if someone has any suggestions for a possible workaround?

    http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_45_multiple_active_directories.pdf

  • AnyConnect SSL-client Certificate AND AAA RADIUS

    Hi All,
    I'm trying to setup Anyconnect VPN Phone feature. I have the license, and I have been able to get the phone to authenticate / register etc with a username / password.
    I want to use the cert on the phone, use the CN as the username and just verify that against my ACS server via RADIUS.... Easier said than done. The ASA is grabbing the username, but for the life of me, I can't get it to send the username over to the RADIUS server. I have enabled all sorts of aaa and radius debugging and just get no output at all...
    Here are some relevant log messages I'm getting:
    Starting SSL handshake with client outside:72.91.xx.xx/42501 for TLSv1 session
    Certificate was successfully validated. serial number: 5C7DB8EB000000xxxxxx, subject name:  cn=CP-7942G-SEP002155551BD7,ou=EVVBU,o=Cisco Systems Inc..
    Certificate chain was successfully validated with warning, revocation status was not checked.
    Tunnel group search using certificate maps failed for peer certificate:  serial number: 5C7DB8EB000000xxxxxx, subject name:  cn=CP-7942G-SEP002155551BD7,ou=EVVBU,o=Cisco Systems Inc., issuer_name:  cn=Cisco Manufacturing CA,o=Cisco Systems.
    Device completed SSL handshake with client outside:72.91.xx.xx/42501
    Group SSLClientProfile: Authenticating ssl-client connection from  72.91.14.42 with username, CP-7942G-SEP002155551BD7, from client  certificate
    Teardown TCP connection 35754 for outside:72.91.xx.xx/42501 to  identity:173.227.xxx.xxx/443 duration 0:00:05 bytes 5473 TCP Reset by  appliance
    Relevant Config:
    tunnel-group SSLClientProfile type remote-access
    tunnel-group SSLClientProfile general-attributes
    authentication-server-group RADIUS
    default-group-policy GroupPolicy1
    tunnel-group SSLClientProfile webvpn-attributes
    authentication aaa certificate
    radius-reject-message
    pre-fill-username ssl-client
    group-alias SSLClientProfile enable
    group-url https://URL enable
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
    wins-server none
    dns-server value <ip1> <ip2>
    vpn-tunnel-protocol ssl-client
    default-domain value xxxxxxxx
    address-pools value VPNPOOL
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host 192.168.102.242
    key *****
    aaa-server RADIUS (inside) host 192.168.240.242
    key *****
    ASA version 8.4
    What am I doing wrong? It will not send the request to the AAA server, which is very much frustrating me...

    Progress....
    I changed the authentication to Certificate ONLY and set authorization to be RADIUS... now it's sending the request to my ACS server. Next question: what's the password that's being sent? Is it blank? I've tried the phone's whole username, tried the MAC and tried just the SEP part. No dice. Thoughts?

  • Aaa radius server control privilege level

    I've got RADIUS authentication working on my switch, but I'm trying to allow two types of users to log in using Windows Active Directory: NetworkUsers, who can view configuration, and NetworkAdmins, who can do anything. I would like NetworkAdmins, when they log in, to go directly into privilege level 15, but I can't get that part to work. Here is my setup:
    Windows 2008 R2 Domain controller with NPS installed.
    Radius client: I have the IP of the switch along with the key. I have cisco selected under the vendor name in the advance tab
    Network Policies:
    NetworkAdmins which has the networkadmin group under conditions and under settings i have nothing listed under Standard and for Vendor Specific i have :
    Cisco-AV-Pair    Cisco    shell:priv-lvl=15
    My switch config:
    aaa new-model
    aaa group server radius MTFAAA
     server name dc-01
     server name dc-02
    aaa authentication login NetworkAdmins group MTFAAA local
    aaa authorization exec NetworkAdmins group MTFAAA local
    radius server dc-01
     address ipv4 10.0.1.10 auth-port 1645 acct-port 1646
     key 7 ******
    radius server dc-02
     address ipv4 10.0.1.11 auth-port 1645 acct-port 1646
     key 7 ******
    No matter what I do it doesn't default to privilege level 15 when I log in. Any thoughts?

    Have you specified the authorization exec group under line vty? I think it is authorization exec command. Something like that.
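An added example (not the poster's running configuration and not the replier's words) of the binding the reply is pointing at. In IOS, a method list with any name other than default does nothing until a line or interface applies it; the poster's NetworkAdmins lists exist, but nothing in the pasted snippet applies them to the VTY lines, so the exec authorization that would carry the shell:priv-lvl=15 reply is never requested. The method lists below repeat the poster's names; the line vty section is the new part, and the radius-server vsa send authentication line is included on the assumption that VSA handling is not already enabled elsewhere in the config.

```cisco
! Added example, not the poster's configuration. Method lists repeat the
! poster's names; the vsa line and the line vty section are the additions.
aaa new-model
aaa group server radius MTFAAA
 server name dc-01
 server name dc-02
aaa authentication login NetworkAdmins group MTFAAA local
aaa authorization exec NetworkAdmins group MTFAAA local
! Assumption: not yet enabled. Lets IOS send and recognize Cisco VSAs
! (vendor ID 9, cisco-avpair) such as shell:priv-lvl=15 in the Access-Accept.
radius-server vsa send authentication
! A named (non-default) method list takes effect only on lines that use it.
line vty 0 15
 login authentication NetworkAdmins
 authorization exec NetworkAdmins
```

After a member of the NetworkAdmins group logs in over a VTY, show privilege should report level 15, and debug radius will show the cisco-avpair attribute inside the Access-Accept; if it is absent there, the problem is on the NPS side (wrong network policy matched, or the VSA not attached to it). Adjust the VTY range to the lines the switch actually has. Note also that the local keyword on both lists is only consulted when the RADIUS group does not answer, not when it returns a reject, so a local privilege 15 account is still needed for the case where both servers are unreachable.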

  • Authentication Interface in AAA Radius Configuration

    Hello,
    we are trying to authenticate against a RADIUS server.
    Can you tell me which interface will be used for the authentication process?
    With best regards

    At least it looks like this:
    Client   ------------> Lightweight Access Point  ----------------> WiSM --------X--------------> Radius Server
    The WISM is Firmware is state 4.2 and the RADIUS Server is configured in the AAA setting as the Authentication Server and the Accounting Server.
    The WiSM has multiple interfaces by factory default: management, ap-manager, service-port and virtual.
    We added the interface test-Radius, which is configured with the WLAN the client connects to.
    In the trap view I can see that the controller cannot reach the RADIUS server.
    I think the controller uses the management interface to contact the RADIUS server.
    But the RADIUS server is only reachable over the test-Radius interface.
    Can somebody tell me where I configure the controller to use the client interface "test-Radius" to contact the RADIUS server?
    Best regards

  • AAA Radius Authentication for Calling Card Platform

    Hi,
    I am using an AS5350 for a calling card application, using Clear Box as my RADIUS server for AAA. My question now: how would I know if Cisco is sending the DTMF for "enter card number.au" to the RADIUS server? Is the card number included in the VSA? Below are my configuration and the debug info. The problem here is that the card number I entered isn't able to match against the configuration in my Clear Box/SQL database. I want to know what I should expect the Cisco AS5350 to send as a VSA for enter_card_number.
    aaa new-model
    aaa group server radius ClearBox
    server 192.168.1.1 auth-port 1812 acct-port 1813
    aaa authentication login default local
    aaa authentication login h323 group ClearBox
    aaa authorization exec h323 group ClearBox
    aaa accounting exec default start-stop group ClearBox
    aaa accounting network default start-stop group ClearBox
    aaa accounting connection h323 start-stop group ClearBox
    aaa session-id unique
    radius-server host 192.168.1.1 auth-port 1812 acct-port 1813
    radius-server key 7 0355481F031F761D
    radius-server vsa send accounting
    radius-server vsa send authentication
    call application voice prepaid tftp://192.168.1.2/debitcard-multi-lang-Cisco.1.1.0.2.tcl
    call application voice prepaid pin-len 10
    call application voice prepaid warning-time 300
    call application voice prepaid redirect-number 8662195822
    call application voice prepaid language 1 en
    call application voice prepaid language 2 sp
    call application voice prepaid language 3 ch
    call application voice prepaid set-location en 0 tftp://192.168.1.2/prompts/
    call application voice prepaid set-location sp 0 tftp://192.168.1.2/prompts/
    call application voice prepaid set-location ch 0 tftp://192.168.1.2/prompts/
    gw-accounting aaa
    ==================================================
    Getting session id for NET(00003600) : db=6418E654
    AA/ACCT/NET(00003600): add, count 1
    Getting session id for NET(00003601) : db=6410D098
    AAA/ACCT/NET(00003601): add, count 1
    AAA/ACCT/CONN(00003601): Pick method list 'h323'
    AAA/ACCT/SETMLIST(00003601): Handle 94000002, mlist 62D3B124, Name h323
    Getting session id for CONN(00003601) : db=6410D098
    AAA/ACCT/CONN(00003601): Queueing record is START
    AAA/ACCT(00003601): Accouting method=ClearBox (RADIUS)
    AAA/ACCT/EVENT/(00003601): ATTR ADD
    AAA/ACCT/CONN(00003601): START protocol reply PASS
    AAA/ACCT/EVENT/(00003601): VOICE DOWN
    AAA/ACCT/HC(00003601): Update VOICE/000020D3
    AAA/ACCT/HC(00003601): VOICE/000020D3 [sess] (rx/tx) base 0/0 pre 0/0 call 0/0
    AAA/ACCT/HC(00003601): VOICE/000020D3 [sess] (rx/tx) adjusted, pre 0/0 call 0/0
    AAA/ACCT/CONN(00003601): Queueing record is STOP osr 1
    AAA/ACCT(00003601): del node, session 174133
    AAA/ACCT/CONN(00003601): free_rec, count 1
    AAA/ACCT/CONN(00003601): Setting session id 174144 : db=6410D098
    AAA/ACCT/HC(00003601): Update VOICE/000020D3
    AAA/ACCT/HC(00003601): Deregister VOICE/000020D3
    AAA/ACCT/EVENT/(00003601): CALL STOP
    AAA/ACCT/CALL STOP(00003601): Sending stop requests
    AAA/ACCT(00003601): Send all stops
    AAA/ACCT/NET(00003601): STOP
    AAA/ACCT/NET(00003601): Method list not found
    AAA/ACCT/CONN(00003601): STOP protocol reply PASS
    AAA/ACCT/CONN(00003601) Record not present

    VSAs are collected by the RADIUS server during the accounting process when AAA is configured with the Debit Card feature. Data items are collected for each call leg created on the gateway. A call leg is the internal representation of a connection on the gateway. Each call made through the gateway consists of two call legs: incoming and outgoing. The call leg information emitted by the gateways can be correlated by the connection ID, which is the same for all call legs of a connection.
    Use the H.323 VSA method of accounting when configuring the AAA application.
    There are two modes:
    •Overloaded Session-ID
    Use the gw-accounting h323 syslog command to configure this mode.
    •VSA
    Use the gw-accounting h323 vsa command to configure this mode.

  • AAA Radius Authentication for Remote VPN With ACS Server Across L2L VPN

    Hi,
    I have an ASA running fine on the network which provides an L2L tunnel to a remote site and provides remote VPN for remote access users.
    Currently, there is a need for the users to authenticate against an ACS server that is located across the L2L VPN tunnel.
    The topology is just simple, with 2 interfaces on the ASA, inside and outside, and a default route pointing to the ISP IP address.
    I can ping the IP address of the ACS server (which is located at the remote site, IP addr: 10.10.10.56) from the ASA:
    ping inside 10.10.10.56
    However when I configure the ASA for the AAA group with commands:
    aaa-server ACSAuth protocol radius
    aaa-server ACSAuth host (inside) 10.10.10.56 key AcsSecret123
    Then when I do the show run, here is the result:
    aaa-server ACSAuth protocol radius
    aaa-server host 10.10.10.56
    key AcsSecret123
    What I think is that, with this running config, traffic is not directed to the L2L VPN tunnel
    (it seems to be directed to the default gateway due to the default route), which causes the AAA authentication to fail.
    Has anybody ever implemented such a thing, and is it possible? And if yes, how should the config look?
    Your help will be really appreciated!
    Thanks.
    Best Regards,
    Jo

    AAA is designed to enable you to dynamically configure the type of authentication and authorization you want on a per-line (per-user) or per-service (for example, IP, IPX, or VPDN) basis. You define the type of authentication and authorization you want by creating method lists, then applying those method lists to specific services or interfaces.
    http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/schaaa.html

  • AAA Radius accounting command is not taking in 3750 switch

           Hi Cisco Support community,
    I am facing an issue with RADIUS accounting on a Cisco 3750 switch with version 12.2. I am unable to start accounting for the RADIUS server.
    This is the config that is on the switch for Radius.
    aaa authentication login default group radius local
    aaa authentication dot1x default group radius
    aaa authorization exec my-authradius group radius if-authenticated
    radius-server attribute 6 on-for-login-auth
    radius-server dead-criteria time 20 tries 5
    radius-server host 10.100.1.225 auth-port 1645 acct-port 1646 key 7 14341A5801103F3904266021
    radius-server host 10.100.1.226 auth-port 1645 acct-port 1646 key 7 05280E5C2C585B1B390B4406
    When I try to add the following commands for accounting, they are not saved:
    (aaa accounting commands 0 default start-stop group radius
    aaa accounting commands 1 default start-stop group radius
    aaa accounting commands 15 default start-stop group radius)
    If I paste these commands one by one, after "start-stop group" it shows only two options, either tacacs+ or server; there is no radius option.
    I tried to create a server group and add the RADIUS server to the group. Even then, when I try to implement the aaa accounting command with the server command, it does not show in show run.
    Can anyone please help me with this issue.

    Hi,
    thanks for your reply, but the thing is that I want to see the commands that are being run by a user on this particular device. If I use the network command it will only show me the network-related service requests, including Serial Line Internet Protocol (SLIP), PPP, PPP Network Control Protocols (NCPs), and AppleTalk Remote Access Protocol (ARAP).
    I have read the document from this link and it is stating that we can use command accounting. Below is the link
    http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a1.html. 
    Can anyone please tell me if this is a version issue, because even in version 15.4 I was not seeing the radius option at the end:
    aaa accounting commands 15 default start-stop group (radius) - in place of radius it was showing only tacacs+ or group.

  • AAA RADIUS 3750x

    Hello!
    I am troubleshooting a new 3750x stack install - everything is wonderful save two issues, one being RADIUS. I have mirrored the config of another working stack identically but am having no love with my RADIUS. Debug radius auth showed this - any ideas?
    I have tried a few things including specifying my management VLAN interface as the source for RADIUS but it did not have any effect.
    I am running 15.0(2)SE on IPBASEK9-M
    10:22:43: RADIUS:  AAA Unsupported Attr: interface         [221] 4
    10:22:43: RADIUS:   74 74                [ tt]
    Thanks for your help

    Hello - thank you for the replies and sorry for the delay
    1 - Win 2k8R2 and the new client has been added to the server. I did not directly copy the config but build the new switch from scratch and just confirmed the settings match the other stack in prod.
    Below is the relevant running config with some IPs scrubbed
    version 15.0
    no service pad
    service timestamps debug uptime
    service timestamps log datetime msec localtime
    service password-encryption
    hostname 3750
    boot-start-marker
    boot-end-marker
    enable secret 4 AzOv8DBnWTvZk7TujZRsOLtF2TgDG0tElrIlbSOtolk
    enable password 7 080F435C1D1C0947425C4D
    username citjmf1 privilege 15 secret 4 5ou3p2/fFuAg1bx5ec2m4Okz4syLs3u2iDSkhU/Oe4.
    username citjnc1 privilege 15 secret 4 LD86/rbfwBjQ5CiTYnoGnAH/v4ToI7qHtKnVuw31gUs
    aaa new-model
    aaa group server radius group1
    server 10.10.220.130 auth-port 182 acct-port 1813
    aaa authentication login default group group1 local
    aaa session-id common
    clock timezone EST -5 0
    clock summer-time EDT recurring
    switch 1 provision ws-c3750x-48
    switch 2 provision ws-c3750x-48
    system mtu routing 1500
    ip domain-name
    ip name-server
    ip name-server
    vtp domain
    vtp mode transparent
    udld aggressive
    spanning-tree mode rapid-pvst
    spanning-tree loopguard default
    spanning-tree extend system-id
    port-channel load-balance src-dst-ip
    interface Vlan555
    description Management
    ip address x.x.x.x 255.255.255.0
    ip default-gateway
    no ip http server
    no ip http secure-server
    ip route 0.0.0.0 0.0.0.0 x.x.x.x
    logging history informational
    radius-server host x.x.x.x auth-port 1812 acct-port 1813
    radius-server key 7 13201A02021E010A7A767B
    end
    Below is the output of debug radius and debug aaa authen
    I have confirmed the config is correct on the RADIUS server and I see no reason for this to not work.
    Log Buffer (4096 bytes):
    2d21h: AAA/BIND(0000008E): Bind i/f 
    2d21h: AAA/AUTHEN/LOGIN (0000008E): Pick method list 'default'
    2d21h: RADIUS/ENCODE(0000008E): ask "Password: "
    2d21h: RADIUS/ENCODE(0000008E): send packet; GET_PASSWORD
    2d21h: RADIUS/ENCODE(0000008E):Orig. component type = Exec
    2d21h: RADIUS:  AAA Unsupported Attr: interface         [221] 4  
    2d21h: RADIUS:   74 74                [ tt]
    2d21h: RADIUS/ENCODE(0000008E): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
    2d21h: RADIUS(0000008E): Config NAS IP: 0.0.0.0
    2d21h: RADIUS(0000008E): Config NAS IPv6: ::
    2d21h: RADIUS/ENCODE(0000008E): acct_session_id: 132
    2d21h: RADIUS(0000008E): sending
    2d21h: RADIUS/DECODE: No response from radius-server; parse response; FAIL
    2d21h: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
    2d21h: AAA/AUTHEN/LOGIN (0000008E): Pick method list 'default'
    2d21h: RADIUS/ENCODE(0000008E): ask "Password: "
    2d21h: RADIUS/ENCODE(0000008E): send packet; GET_PASSWORD
    2d21h: RADIUS/ENCODE(0000008E):Orig. component type = Exec
    2d21h: RADIUS:  AAA Unsupported Attr: interface         [221] 4  
    2d21h: RADIUS:   74 74                [ tt]
    2d21h: RADIUS/ENCODE(0000008E): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
    2d21h: RADIUS(0000008E): Config NAS IP: 0.0.0.0
    2d21h: RADIUS(0000008E): Config NAS IPv6: ::
    2d21h: RADIUS/ENCODE(0000008E): acct_session_id: 132
    2d21h: RADIUS(0000008E): sending
    2d21h: RADIUS/DECODE: No response from radius-server; parse response; FAIL
    2d21h: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
    2d21h: AAA: parse name=tty1 idb type=-1 tty=-1
    2d21h: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
    2d21h: AAA/MEMORY: create_user (0x3E3C4D0) user='citjnc1' ruser='NULL' ds0=0 port='tty1' rem_addr='10.10.10.122' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
    2d21h: AAA/AUTHEN/START (4180928019): port='tty1' list='' action=LOGIN service=ENABLE
    2d21h: AAA/AUTHEN/START (4180928019): console enable - default to enable password (if any)
    2d21h: AAA/AUTHEN/START (4180928019): Method=ENABLE
    2d21h: AAA/AUTHEN (4180928019): status = GETPASS
    2d21h: AAA/AUTHEN/CONT (4180928019): continue_login (user='(undef)')
    2d21h: AAA/AUTHEN (4180928019): status = GETPASS
    2d21h: AAA/AUTHEN/CONT (4180928019): Method=ENABLE
    2d21h: AAA/AUTHEN(4180928019): password incorrect
    2d21h: AAA/AUTHEN (4180928019): status = FAIL
    2d21h: AAA/MEMORY: free_user (0x3E3C4D0) user='NULL' ruser='NULL' port='tty1' rem_addr='10.10.10.122' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
    2d21h: AAA: parse name=tty1 idb type=-1 tty=-1
    2d21h: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
    2d21h: AAA/MEMORY: create_user (0x7AF0A24) user='citjnc1' ruser='NULL' ds0=0 port='tty1' rem_addr='10.10.10.122' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
    2d21h: AAA/AUTHEN/START (3135930977): port='tty1' list='' action=LOGIN service=ENABLE
    2d21h: AAA/AUTHEN/START (3135930977): console enable - default to enable password (if any)
    2d21h: AAA/AUTHEN/START (3135930977): Method=ENABLE
    2d21h: AAA/AUTHEN (3135930977): status = GETPASS
    2d21h: AAA/AUTHEN/CONT (3135930977): continue_login (user='(undef)')
    2d21h: AAA/AUTHEN (3135930977): status = GETPASS
    2d21h: AAA/AUTHEN/CONT (3135930977): Method=ENABLE
    2d21h: AAA/AUTHEN (3135930977): status = PASS
    2d21h: AAA/MEMORY: free_user (0x7AF0A24) user='NULL' ruser='NULL' port='tty1' rem_addr='10.10.10.122' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
    I see I am not getting a response from my Radius server

  • AAA RADIUS issue

    Hello everybody.
    I am having some trouble when lots of users try to connect via AnyConnect on my ASA (5545-X).
    At the peak some users complain they cannot authenticate, and I see these messages flapping in the logs:
    %ASA-2-113022: AAA Marking RADIUS server 1.1.1.1 in aaa-server group SRV-RADIUS1 as FAILED
    %ASA-2-113023: AAA Marking RADIUS server 1.1.1.1 in aaa-server group SRV-RADIUS1 as ACTIVE
    After a while it gets back to working normally and has no more messages like that.
    Is changing the "timeout" parameter (default is 10) to a higher number a good idea? Or could the problem be at the RADIUS server?
    aaa-server SRV-RADIUS1 protocol radius
    aaa-server SRV-RADIUS1 (inside) host 1.1.1.1
     time-out 20
    Thanks

    Hi Vitor and sorry for the delayed reply! Your English is just fine! :)
    I am glad that changing the "timeout" value has solved the problem.
    On your second question: I never had to filter any attributes out of the ASA and I am not sure if it is possible. With that being said, I don't think that the issue was/is with the ASA sending too much logging/RADIUS info. If you only had around 10 concurrent users during your peak hours then there is no way that they overwhelmed the RADIUS server :) The fact that the issue went away after changing the "timeout" value leads me to believe that the problem is related to something else. For instance, RTT (round trip delay) between the AAA server and your ASA, or link saturation that causes bandwidth starvation, which causes the server to time out in the ASA... just some ideas here :)
    I hope this helps!
    Thank you for rating helpful posts!
