AAA using Radius with 802.1x
Hello there,
We're going to be implementing 802.1x on our network of some really old switches (6509 Cat OS with MSFC 2). We use radius for AAA authentication and I've been reading that .1x uses radius. How is that going to work? Do I just add another radius server in my radius server command and, more importantly, will .1x work on Cat OS running 8.2.1? I've been trawling the forums and I can't seem to find anyone who's actually running .1x on the old Cat OS switches to see what kind of gotchas I can expect to run into.
Any advice or assistance would be greatly appreciated!
Thanks
Kiley
Salodh,
Thanks but that document is for a 2950 and we have a 6509 but, the good thing is I just found out our Tier 3 engineers will not be adding dot1x to the 6509 since it has only trunks - no access ports. Thanks very much for your reply!
Similar Messages
-
Good morning all,
I am trying to configure AAA using RADIUS with ACS 4.1 SE and various Cisco Devices. I have configured the ACS to perform group mapping on personnel who I want to give access privileges. What I would like to do is give that group privilege level 15 and do away with enable passwords. However, I need local level authentication for our console options with enable privileges. Can this be done? Any help would be appreciated.
Dwane
For routers and IOS switches:
aaa new-model
aaa authentication banner *Unauthorized Access Prohibited*
aaa authentication login default group radius
radius-server host 10.10.10.10 (your acs device)
radius-server key cisco123
radius-server configure-nas
username nmg password telnet
aaa authentication ppp dialins group radius local
aaa authentication login nmg local
aaa authorization network default group radius local
aaa accounting network default start-stop group radius
aaa processes 16
line 1 16
login authentication nmg
For CatOS switches:
set radius server 10.10.10.10
show radius
set radius key cisco123
set authentication login radius enable
set authentication enable radius enable
show authentication
set radius timeout 5
set radius retransmit 3
set radius deadtime 3
For Pix Firewalls:
aaa authentication ssh console radgroup LOCAL
aaa authentication telnet console radgroup LOCAL
aaa-server radgroup protocol RADIUS
max-failed-attempts 2
reactivation-mode depletion deadtime 5
exit
(NOTE: This will depend on the location of the PIX firewall)
aaa-server radgroup (inside) host 10.10.10.10
key XXXXXXX
exit
aaa-server radgroup (inside) host 10.10.10.10
key XXXXXX
exit
This is pretty much what we used for configurations on our test. It looks like most of your switches are IOS based so that will be nice for you.
If you are using local authentication, you can create a group and assign the local addresses to that group. What I did in the RADIUS IETF attributes: ensure that [006] Service-Type is checked, scroll down to Administrative and click Submit & Restart.
Hope this helps some. I had a lot of help from Cisco TAC on this.
Dwane -
School network uses WEP with 802.1x Encryption How do I connect?
My University uses WEP with IEEE 802.1x Encryption with Protected EAP. There are two wireless networks I can connect to and they both use the same security settings. In order to connect on my laptop, I have to enter a user name and password. I have to use the same user name and password to log on with my iPod touch. The problem is that while both school networks show up on my touch, I can not connect to either because I am only prompted for a password when I need to enter both a user name and password. As far as I can tell, this is not possible on my touch.
Is there a correct way to do this? Is this feature even supported by the iPod touch? Any help would be greatly appreciated.
Thank you
Followed your links and did some searching on the website.
found this page: http://www.calumet.purdue.edu/ctis/wireless_drop.html
And I think this might be the problem:
"How Wireless Access Works
Wireless access points emanate radio signals in a similar manner to non-cellular cordless phones. The signals are strong enough to be received up to 50 to 100 feet from each access point (and possibly further, if the access point is equipped with an external antenna). These signals can be received by laptops and PDAs that are equipped with a standard 802.11b/g wireless card. This feature can be requested when ordering a new laptop computer, or an 802.11b/g card can be purchased and added to most older laptops. _Please note that the iPhone, iTouch, and any device with a Palm OS is not compatible with the wireless network_." -
Can't auth to Nortels networks devices using RADIUS with ACS 5.1
Hi,
I've got a problem with the ACS 5.1 RADIUS Authentication for Nortel network devices (Baystack 470, ERS 5530 5510, Passport 8606).
After configuring RADIUS on these devices (primary server, secondary server, secret key, port...) and adding them to my ACS servers,
I can't manage to log in using RADIUS and I get the following message:
"Permission denied, please try again" or "No response from RADIUS server" (depending on the device type)
But in my ACS View, I can see : "Authentication succeeded."
I've also checked the RADIUS frames, the "Access-Request" and "Access-Accept" are correctly transmitted.
I've got no problems with RADIUS Auth using other brand devices
Is there any known issues with Nortels devices using Cisco ACS 5.1 with RADIUS Authentication ?
Regards.
Are you sure that setting up a compound condition will help?
To me, the RADIUS Nortel VSAs are used for authorization, and my problem is about authentication (usually for a simple authentication, we stay within the IETF RADIUS standards, no?)
Also, will setting this condition change the Access-Accept packets sent by the ACS to the device?
Here are my steps in the ACS View:
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - Default Network Access
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - Internal Users
24210 Looking up User in Internal Users IDStore - radius
24212 Found User in Internal Users IDStore
22037 Authentication Passed
Evaluating Group Mapping Policy
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - Permit Access
11002 Returned RADIUS Access-Accept
So I think the ACS does its job -
Send vlan via Radius with 802.1x Authentication
Hi all.
I am trying to set up 802.1x authentication using Windows XP Supplicant, Catalyst 2950 and FreeRadius as radius server.
I can login correctly so I have the port in Authorized mode, but I can't download the vlan id through the radius server.
Reading docs, I have found these attributes:
cisco-avpair="tunnel-type(#64)=VLAN(13)"
cisco-avpair="tunnel-medium-type(#65)=802 media(6)"
cisco-avpair="tunnel-private-group-ID(#81)=2" (2 is my vlan id)
but when I insert these into the RADIUS DB (I have also tried with the text file config...) I can see from the RADIUS debugs that only the first one (cisco-avpair="tunnel-type(#64)=VLAN(13)") is passed in the Access-Accept packet.
Here are some outputs:
Sending Access-Challenge of id 80 to 128.0.0.21:1812
Cisco-AVPair = "tunnel-type=VLAN"
EAP-Message = 0x0101001604103ee52f729eb199689ef4fc77a18a6a08
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf88b9673c199cb13def96563250cf8a7
I issued a "debug radius" on the switch Catalyst 2950 also, and the output is:
02:49:39: RADIUS: Received from id 73 128.0.0.243:1812, Access-Accept, len 129
02:49:39: Attribute 26 75 0000000901457475
02:49:39: Attribute 79 6 03010004
02:49:39: Attribute 80 18 1ABB3507
02:49:39: Attribute 1 10 74657374
02:49:39: RADIUS: EAP-login: length of eap packet = 4
02:49:39: RADIUS: EAP-login: radius didn't send any vlan
so I can see that radius is not sending anything about vlan...
Has anyone already tried this setup?
Thank you in advance.
Massimo Magnani.
OK, so I may have glossed over that before. From your debug post, you had:
Cisco-AVPair = "tunnel-type=VLAN"
Unless I'm missing something, that looks like a VSA (or RADIUS Attribute [26\9\1]).
You don't need VSAs for VLAN Assignment. You can do this with three standard RADIUS Attributes. Here they are (and an example of what they should look like):
[64] Tunnel-Type VLAN (13)
[65] Tunnel-Medium-Type 802 (6)
[81] Tunnel-Private-Group-ID - "" OR ""
They are defined in RFC 2868.
Hope this helps, -
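The encoding behind that answer, as an added example (this is not code from the thread, from FreeRADIUS or from Cisco): it builds the two kinds of Access-Accept seen in the VLAN-assignment thread above, one carrying only a Cisco-AVPair and one carrying the three RFC 2868 attributes, shows which of them a switch would take a VLAN from, and verifies the Response Authenticator and the Message-Authenticator that every EAP exchange must carry. The shared secret, Request Authenticator, packet id, user name and VLAN value are constructed for the demo.

```python
"""RADIUS attributes behind 802.1X dynamic VLAN assignment: encode, parse, authenticate.

Added example, not code from the thread, FreeRADIUS or Cisco.  The shared secret,
Request Authenticator, packet id, user name and VLAN value are constructed.
"""
import hashlib
import hmac
import struct

USER_NAME, VENDOR_SPECIFIC = 1, 26                                      # RFC 2865
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81   # RFC 2868
MESSAGE_AUTHENTICATOR = 80                                              # RFC 3579
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802, ACCESS_ACCEPT, CISCO = 13, 6, 2, 9

def attr(atype, value):
    """Type, Length (header bytes included), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def tagged_int(atype, tag, n):
    """RFC 2868 tagged integer: one tag byte plus a 3-byte value."""
    return attr(atype, bytes([tag]) + n.to_bytes(3, "big"))

def tagged_str(atype, tag, s):
    # RFC 2868 tagged string: tag byte (0x00 untagged, else 0x01-0x1F) then text
    return attr(atype, bytes([tag]) + s)

def parse_attrs(payload):
    """Walk the TLV list, rejecting the bad lengths a hostile or buggy peer can send."""
    attrs, i = [], 0
    while i < len(payload):
        alen = payload[i + 1] if i + 1 < len(payload) else 0
        if alen < 2 or i + alen > len(payload):
            raise ValueError("bad attribute length at offset %d" % i)
        attrs.append((payload[i], payload[i + 2:i + alen]))
        i += alen
    return attrs

def _split_tag(atype, value):
    """Strip the RFC 2868 tag; in the string attribute a first byte > 0x1F is data."""
    if not value:
        raise ValueError("empty tunnel attribute")
    if atype == TUNNEL_PRIVATE_GROUP_ID and value[0] > 0x1F:
        return 0, value
    return value[0], value[1:]

def assigned_vlan(attrs):
    """VLAN id/name a switch takes from an Access-Accept, or None: all three attributes
    under one tag, Tunnel-Type VLAN(13), medium IEEE-802(6).  A Cisco-AVPair saying
    'tunnel-type=VLAN' does not count, which is what the 2950 debug above complains about."""
    groups = {}
    for atype, value in attrs:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, body = _split_tag(atype, value)
            groups.setdefault(tag, {})[atype] = body
    for t in groups.values():
        if (len(t) == 3 and int.from_bytes(t[TUNNEL_TYPE], "big") == TUNNEL_TYPE_VLAN
                and int.from_bytes(t[TUNNEL_MEDIUM_TYPE], "big") == TUNNEL_MEDIUM_IEEE_802):
            return t[TUNNEL_PRIVATE_GROUP_ID].decode("ascii")
    return None

def build_response(code, ident, request_auth, secret, attrs):
    """Response with a Message-Authenticator (RFC 3579: HMAC-MD5 over the packet with that
    attribute zeroed and the request's Authenticator in the header) and the RFC 2865
    Response Authenticator (MD5 over header, request authenticator, attributes, secret)."""
    body = b"".join(attrs) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    body = body[:-16] + hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def verify_response(packet, request_auth, secret):
    """Check both authenticators; False means treat the packet as never received."""
    if len(packet) < 20 or struct.unpack("!BBH", packet[:4])[2] != len(packet):
        return False
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    if not hmac.compare_digest(hashlib.md5(header + request_auth + body + secret).digest(), resp_auth):
        return False
    try:
        macs = [v for t, v in parse_attrs(body) if t == MESSAGE_AUTHENTICATOR]
    except ValueError:
        return False
    if len(macs) != 1 or len(macs[0]) != 16:
        return False  # mandatory whenever EAP-Message is carried (RFC 3579)
    zeroed = body.replace(attr(MESSAGE_AUTHENTICATOR, macs[0]), attr(MESSAGE_AUTHENTICATOR, bytes(16)), 1)
    return hmac.compare_digest(hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest(), macs[0])

def demo(secret=b"testing123"):
    """Two constructed Access-Accepts for id 73: Cisco VSA only (as in the thread)
    and the RFC 2868 triplet naming VLAN 2.  Returns (request_auth, vsa_only, standard)."""
    request_auth = bytes(range(16))  # constructed; a real NAS sends a random one
    vsa = attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO) + attr(1, b"tunnel-type=VLAN"))
    vsa_only = build_response(ACCESS_ACCEPT, 73, request_auth, secret, [attr(USER_NAME, b"test"), vsa])
    standard = build_response(ACCESS_ACCEPT, 73, request_auth, secret, [
        attr(USER_NAME, b"test"),
        tagged_int(TUNNEL_TYPE, 1, TUNNEL_TYPE_VLAN),
        tagged_int(TUNNEL_MEDIUM_TYPE, 1, TUNNEL_MEDIUM_IEEE_802),
        tagged_str(TUNNEL_PRIVATE_GROUP_ID, 1, b"2")])
    return request_auth, vsa_only, standard
```

`demo()` returns both packets; `assigned_vlan(parse_attrs(pkt[20:]))` gives None for the VSA-only accept and "2" for the RFC 2868 one, which is the whole difference the reply above is pointing at. The verifier is the part worth keeping: a NAS that acts on an Access-Accept without checking both authenticators will put a port in whatever VLAN a spoofed reply names, and the shared secret is the only thing standing between a reachable UDP port and that.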
RV220W - Wrong NAS Port-Type using RADIUS for 802.11
Hi everyone
I am attempting to configure the RV220W (Firmware 1.0.6.6) for dot1x authentication over a Windows 2008 based RADIUS Server (using Remote Access Services).
The RADIUS settings on the RV220W are pointing towards that W2008 Server. The SSID has been set up for "WPA2 Enterprise" Security.
All the authentication attempts arrive at the server, but they fail to be authenticated because the Cisco RV220W is not transmitting a "NAS-Port-Type" and therefore the RADIUS server rejects the requests.
This is what the request from the RV220W looks like on the server:
And this is a request from a similar Zyxel Router:
How can I enable the Cisco RV220W to send a NAS Port-Type (19, Wireless 802.11)?
Thank you for your support!
The RADIUS server in OS X Server is a standard FreeRADIUS implementation with Apple's own custom GUI frontend for configuring it, which only allows adding AirPort base stations. In Mountain Lion Server it is even limited to a specific configuration for the AirPort base station.
However if you follow the normal command-line instructions and steps for configuring FreeRADIUS then it will be possible to add any type of RADIUS client.
While, as far as I can see, manually configuring the FreeRADIUS server in OS X Server should enable you to do what you want, most people choose to configure Squid to use either a PAM or the LDAP module for Squid to authenticate directly to Open Directory (which is of course based on LDAP).
I myself have used a PAM in the past with Squid to successfully configure Squid to authenticate users via Open Directory. I was even able to specify an Open Directory group and only allow members of that group access via the Squid proxy server. I then went a bit OTT and set up another open-source tool (which was discontinued and I had to fix to get working) to process the Squid logs and store them in MySQL, and then set up FileMaker Pro to connect to the MySQL database via ODBC to allow producing reports.
Unfortunately the AFP458 website had a major redesign a while ago and many previous technical articles on it are now hard to find. I had used two articles on that site to guide me through setting up Squid and the PAM on a Mac server. I believe the two articles I used are the ones listed below.
http://afp548.com/2004/09/08/using-os-x-open-directory-to-authenticate-squid-proxy-server/
http://afp548.com/2004/12/13/squid-server-using-ldap-authentication/ -
I know that if I use wired ethernet then the MBRP can be a wireless hotspot for other devices. Since the MBRP supports 802.11ac and I have a new 802.11ac wireless router it gets much better range than my older 802.11/n devices. There are places in the house where the MBRP connects to the wireless but where older 802.11g/n devices are out of range. In those rooms I'd like to use my MBRP connected to the network wirelessly using 802.11ac as a hotspot for the nearby 802.11g/n devices. Anyone know if that can be done and how to do it?
Turn on Internet Sharing in Sharing preferences. Share the Ethernet connection to wireless.
-
802.1X for wired environments using Radius/ACS for Dynamic Vlan Assignment
Could someone please provide me with the simplest set of configuration steps to fire up RADIUS in ACS and 802.1X for dynamic VLAN assignment. The objective is to roll out NAC L2 OOB using the 802.1X method for dynamic VLAN assignments.
If possible show:
1. ACS/Radius Configurations.
2. End User Switch Configurations
Variables:
Switch A
MAC Address aaaa.bbbb.cccc Vlan 10
bbbb.cccc.dddd Vlan 20
Also, if someone could post the pros and cons of using Radius/ACS/802.1X for dynamic VLAN assignment.
Other technology sets that can be used for dynamic VLAN assignment, apart from the deprecated/obsolete VMPS.
Thanks in advance.
Hi Guys,
Hmmm, well if you're just looking for MAC-based authentication the good news is that it is very easy. Just create your RADIUS server (ACS, FreeRadius, Steel-Belted Radius etc.). Then create a user with the name of the MAC address; in other words if the MAC address is 0012.0021.1122 then the name would be 001200211122 and the password would be the MAC address. Then you set the VLAN and tunnel stuff, like so: Tunnel-Type would be VLAN, Tunnel-Medium-Type would be 802 and Tunnel-Private-Group-ID is the name of the VLAN (not the VLAN number).
So for Cisco ACS 4.x you would create a user as specified above and fill in all the password boxes with the MAC address (I believe the MAC has to be all lower case in the name and the password), then check the Separate (CHAP/MS-CHAP/ARAP) box. Then you pick the group the machine belongs to; the group is the part that defines what VLAN it is on.
Before you create the user, create the group with the info I wrote above and in addition specify the Service-Type as Authenticate Only.
FreeRADIUS is a bit harder to configure the specifics for, and I am just now testing a FreeRADIUS server so I do not know the process for machine authentication.
If, however, you are trying to authenticate a user, that gets a bit trickier and is not so straightforward. -
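The MAC-based authentication (MAB) with dynamic VLAN assignment described in the reply above, written out as an added example rather than the poster's or Cisco's own configuration: the FreeRADIUS side the poster had not yet worked out, plus the matching IOS switch port. The MAC address, VLAN numbers, IP addresses, interface and shared secret are assumptions.

```text
# raddb/clients.conf: the switch as a RADIUS client (address and secret are assumptions)
client switch-a {
        ipaddr = 10.10.10.20
        secret = cisco123
}

# raddb/users: MAB entry putting 0012.0021.1122 into VLAN 20.
# User name and password are both the MAC, lower case, no separators, which is how
# the switch sends them.  Cleartext-Password lets FreeRADIUS answer PAP, CHAP or
# EAP-MD5, whichever the switch uses for MAB.  Tunnel-Private-Group-Id may be the
# VLAN id or the VLAN name; Cisco IOS switches accept either.
001200211122    Cleartext-Password := "001200211122"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "20"

! IOS switch side.  "aaa authorization network" is what makes the switch act on the
! Tunnel-* attributes in the Access-Accept; without it they are silently ignored.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 10.10.10.10 auth-port 1812 acct-port 1813 key cisco123
dot1x system-auth-control
!
! Port sits in a parking VLAN (999, an assumption) until RADIUS assigns one.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 999
 authentication order mab dot1x
 authentication port-control auto
 mab
 dot1x pae authenticator
!
! Older 12.2 images use "dot1x port-control auto" and "dot1x mac-auth-bypass"
! in place of the "authentication ..." and "mab" lines.
```

Two things worth checking before trusting this in production: `debug radius` on the switch should show attributes 64, 65 and 81 in the Access-Accept (not just a vendor-specific 26), and a MAC in the users file is a credential anyone on the segment can copy, so MAB should be reserved for devices that cannot run a supplicant and paired with a VLAN that carries only what those devices need.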
CCKM with 802.1x authentication
Hi,
Can we use CCKM with the 802.1x layer 2 authentication method? I read in one Cisco article that we can't use CCKM with 802.1x authentication. Please find the URL below; it says that if you choose 802.1x as the layer 2 authentication method, then we can't use CCKM. Kindly suggest.
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/82135-wlc-authenticate.html
Regards,
Jubair.S
Yes, you can.
Refer to this document, which clearly states it:
http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_01001110.html#ID963
802.1X+CCKM—During normal operation, 802.1X-enabled clients mutually authenticate with a new access point by performing a complete 802.1X authentication, including communication with the main RADIUS server. However, when you configure your WLAN for 802.1X and CCKM fast secure roaming, CCKM-enabled clients securely roam from one access point to another without the need to reauthenticate to the RADIUS server. 802.1X+CCKM is considered optional CCKM because both CCKM and non-CCKM clients are supported when this option is selected.
HTH
Rasika
**** Pls rate all useful responses *** -
ASA - logging via radius with group name passed.
Hi,
I'm trying to set up an ASA5520 with RADIUS to authenticate users with group privileges.
Using RADIUS with the ASA to authenticate users is quite simple. When I try to pass the tunnel-group name (with group-policy and attributes attached) from the ASA, there is a problem: the ASA doesn't pass any group name to RADIUS.
Is there any way to overcome it?
What I want to do is apply different policies to a username depending on which tunnel-group name he logs in to WebVPN with. I assume one user may be a member of different groups.
br
Marcin
It's possible.
Differentiate your privileges and restrictions based off of group-policy, not the tunnel-group. Keep your default WebVPN tunnel-group, and do not specify a default group policy for this tunnel-group.
Create separate group-policies that differentiate what links different groups of users should be presented with. If you're using ACS, link your Cisco Secure Groups to groups in Active Directory (or another method of directory services). The Cisco Secure Groups should then be configured to pass specific RADIUS attributes, such as the "Class" attribute #25. ACS will then tell the ASA to place the user (from Active Directory) into a specific group-policy, in which you can then limit the URLs shown with the url-list command.
Long winded, I know...any questions, please ask. -
Using Non-Apple 802.11N Adapters with Airport Extreme
I have an Airport Extreme Base Station but both N enabled and G enabled Macs in the house. I'd really like to set up the network as an N network. And since I can upgrade the Airport Cards in the older Macs, can I use 3rd Party 802.11N adapters (USB 2.0 for example) to get the older Macs onto the N network? Otherwise, it seems to defeat the purpose of having the 802.11N enabled Airport Extreme and iMacs.
I see that Netgear and Edimax have such adapters, but neither lists Mac OSX as a supported OS.
Thank you.
Thank you for your comment. But unfortunately, I still need to run my non-N machines. So I think my choices are:
1. Try somehow to replace the older Airport Cards in those machines with N-Cards which seem like a pain
2. Have 2 networks, one N and one non-N
3. Try some of these 3rd Party USB or PC Card Slot N-Adapters
Seems like 3. is the least painful option?
Any advice on whether I can use 3rd Party N-Adapter would be very appreciated! Thanks again! -
802.1x RADIUS with EAP-TLS/EAP-TTLS & Dynamic VLAN Assignment
Hello, My team is looking for switches supporting 802.1x authentication on either EAP-TTLS or EAP-TLS protocols with dynamic vlan assignment enabled for these. Looking at the data sheets of the Linksys desktop switches, I found only SLM224G4PS and SLM224G4S models to support EAP-TLS or EAP-TTLS. Am I right? Do they support Dynamic VLAN Assigment for either of those protocols? This is not explicitly mentioned in the data sheets, and I happen to find switches from other manufacturers that announce to support EAP-TLS/EAP-TTLS but no dynamic vlan assignment. Thank you for any help.
SLM switches do support 802.1x RADIUS with EAP-TLS/EAP-TTLS unlike the SRW switches which support MD5. But I don't think that they support Dynamic VLAN.
-
Using RADIUS without enabling AAA
Is there any way I can use a RADIUS server without enabling/using AAA?
Is there any command like "ip auth radius ..."?
Couldn't find anything on Cisco as such.
Swapnendu
Am I correct in assuming that you are talking about on IOS based routers or catOS switches? If so I believe that the only way to use Radius is to use AAA.
HTH
Rick -
Using an Older (802.11g) Airport Extreme as bridge with Time Capsule
Several people have inquired about the possibility of having older (802.11g) computers and devices connected through their Time Capsules without disturbing the 802.11n capabilities of their newer equipment.
The latest version of Designing AirPort Networks Using AirPort Utility --
http://manuals.info.apple.com/en/DesigningAirPort_Networks10.5-Windows.pdf -- explains (pp. 48-49) that one can configure a dual-band (2.4 GHz & 5 GHz) network of this type by setting up the "second device [i.e., the older Airport Extreme] as a bridge." What is lacking is a clear (at least to me) way of configuring the 2.4 GHz Extreme as such a bridge, although the text states that one need only follow instructions "earlier in this chapter" (which begins at p. 14). When I try to do this, the AirPort Extreme shows up as a separate network.
Obviously, I am doing something wrong. Can someone walk me through how to configure the AirPort Extreme as a bridge?
Thanks.
The Mac support people walked me through a solution to my question about using an older (802.11g) AirPort Extreme and a Time Capsule to form a dual network. The solution turns out to be pretty easy but I am posting it in case anyone else has a similar problem.
Here's what was involved:
N-capable equipment: MacBook Pro, iMac, Time Capsule.
B/G-capable equipment: AirPort Extreme (flying saucer 802.11g); Mac G4; older (802.11g) AirPort Express supporting a network printer; IBM ThinkPad running Windows XP (w/service pack 2).
Step 1: Using AirPort Utility (manual setup), I set the Time Capsule to run at 5 GHz (click on "Wireless" then "Radio Mode"). Under the same "Wireless" tab, I assigned a 13-digit WPA2 password to this network (more about this later). If you opt to use the 5 GHz frequency, you have the choice of WPA2 or nothing. After saving your settings, exit out of the AirPort Utility; you are done with the Time Capsule.
Step 2: Reset the AirPort Extreme to its default settings by depressing the small reset button while the device is plugged in.
Step 3: I reopened AirPort Utility, accessed the Extreme and clicked manual setup. (You will lose your connection to the Time Capsule at this point, but this is okay.) At the top of the screen that opens in response to clicking "manual setup," click "Internet" and set "connection sharing" to "Off (Bridge Mode)". Next click "AirPort" at the very top of the screen: under "Base Station" I named the Extreme "G network" and set up a network password. Under "Wireless" I next set up a WEP 40-bit password which was identical to the WPA2 password I used for the Time Capsule. Using a WEP password was necessary, because some of the older computers were not WPA2 compatible. I kept the passwords identical simply as a matter of convenience.
Step 4: Connect the AirPort Extreme to the Time Capsule using an Ethernet cable between the WAN port of the Extreme, and one of the three LAN ports on the Time Capsule. There is a small, green LED recessed in the LAN port socket; if it lights up, you are in business.
Step 5: Using a pin, I reset the 802.11g AirPort Express to its default settings, opened AirPort Utility (no need for manual setup for this), named the Express "Printer" and added it to the G network in a conventional manner by following the setup prompts. (If anyone needs help with this, let me know). Exit out of AirPort Utility and reopen it to refresh; all wireless devices (3 in my case) should be visible and lighted green.
Step 6: I set up the MacBook Pro and the iMac to join the 5 GHz Time Capsule network, and everything else to run on the G network. At this point, everything appears to be working. I can, for example, print a document from my MacBook Pro (N network) to the network printer which is on the G network. (Because the older computers belong to my daughters, I'll never know if file sharing across the networks is a possibility.)
I take no credit for any of this; it was all accomplished through the efforts of very patient Mac support people.
Carl -
WPA with 802.1x authentication
Hi experts,
I need clarification in a fundamental concept.
Is it possible to configure WPA with 802.1x authentication without an external AAA / ACS server?
If the username and password are configured in the local device, is it possible to do 802.1x authentication without a RADIUS server?
Thanks in advance
regards,
RB
You can't do 802.1x without RADIUS. But you can use Local EAP on an autonomous AP or on a LAP controller. They can both act as RADIUS servers. Here's an example config for an autonomous AP:
aaa group server radius rad_eap
server 192.168.0.1 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
dot11 ssid ccie
authentication open eap eap_methods
authentication network-eap eap_methods
guest-mode
radius-server local
nas 192.168.0.1 key cisco
user test password test
radius-server host 192.168.0.1 auth-port 1812 acct-port 1813 key cisco
LAP controller local EAP is configurable through the GUI.