AAA using RADIUS

Good morning all,
I am trying to configure AAA using RADIUS with ACS 4.1 SE and various Cisco devices. I have configured the ACS to perform group mapping on the personnel I want to give access privileges to. What I would like to do is give that group privilege level 15 and do away with enable passwords. However, I need local authentication with enable privileges for our console access. Can this be done? Any help would be appreciated.
Dwane

For routers and IOS switches:
aaa new-model
aaa authentication banner *Unauthorized Access Prohibited*
aaa authentication login default group radius
radius-server host 10.10.10.10 (your acs device)
radius-server key cisco123
radius-server configure-nas
username nmg password telnet
aaa authentication ppp dialins group radius local
aaa authentication login nmg local
aaa authorization network default group radius local
aaa accounting network default start-stop group radius
aaa processes 16
line 1 16
login authentication
For CatOS switches:
set radius server 10.10.10.10
show radius
set radius key cisco123
set authentication login radius enable
set authentication enable radius enable
show authentication
set radius timeout 5
set radius retransmit 3
set radius deadtime 3
For Pix Firewalls:
aaa authentication ssh console radius LOCAL
aaa authentication telnet console radius LOCAL
aaa-server radgroup protocol RADIUS
max-failed-attempts 2
reactivation-mode depletion deadtime 5
exit
(NOTE: This will depend on the location of the PIX firewall)
aaa-server radgroup (inside) host 10.10.10.10
key XXXXXXX
exit
aaa-server radgroup (inside) host 10.10.10.10
key XXXXXX
exit
This is pretty much what we used for the configurations in our test. It looks like most of your switches are IOS based, so that will be nice for you.
If you are using local authentication, you can create a group and assign the local addresses to that group. What I did: in the RADIUS IETF attributes, ensure that [006] Service-Type is checked, scroll down to Administrative, and click Submit & Restart.
Hope this helps some. I had a lot of help from Cisco TAC on this.
Dwane
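As an added illustration (not code from the thread or from Cisco), the following Python sketch builds the kind of RADIUS Access-Accept that the ACS group settings above produce, carrying Service-Type Administrative and a cisco-av-pair such as shell:priv-lvl=15, and then decodes it the way a device would: the Response Authenticator is checked against the shared secret before any authorization attribute is trusted. The shared secret, packet identifier and Request Authenticator are constructed values.

```python
import hashlib
import struct

# Constructed values (not from the thread): shared secret and the NAS's Request Authenticator.
SECRET = b"cisco123"
REQUEST_AUTH = bytes(range(16))

ACCESS_ACCEPT, ATTR_SERVICE_TYPE, ATTR_VENDOR_SPECIFIC = 2, 6, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1   # IANA enterprise 9, sub-type 1 = cisco-av-pair
SERVICE_TYPE_NAMES = {6: "Administrative", 7: "NAS-Prompt"}

def avp(attr_type, value):
    """Encode one attribute as Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def service_type(code):
    """Service-Type (attribute 6) carries a 4-byte integer."""
    return avp(ATTR_SERVICE_TYPE, struct.pack("!I", code))

def cisco_av_pair(text):
    """Wrap a cisco-av-pair string in Vendor-Specific (26) for Vendor-Id 9."""
    sub = avp(CISCO_AVPAIR, text.encode())
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)

def build_access_accept(ident, attrs, secret=SECRET, req_auth=REQUEST_AUTH):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret), RFC 2865."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body

def decode_access_accept(pkt, secret=SECRET, req_auth=REQUEST_AUTH):
    """Verify the authenticator with the shared secret, then collect Service-Type and cisco-av-pairs."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    attrs = pkt[20:length]
    expected = hashlib.md5(pkt[:4] + req_auth + attrs + secret).digest()
    result = {"authentic": code == ACCESS_ACCEPT and pkt[4:20] == expected,
              "service_type": None, "av_pairs": []}
    pos = 0
    while pos + 2 <= len(attrs):
        t, l = attrs[pos], attrs[pos + 1]
        if l < 2: break  # malformed length would otherwise loop forever
        value = attrs[pos + 2:pos + l]
        if t == ATTR_SERVICE_TYPE:
            st = struct.unpack("!I", value)[0]
            result["service_type"] = SERVICE_TYPE_NAMES.get(st, str(st))
        elif t == ATTR_VENDOR_SPECIFIC and value[:4] == struct.pack("!I", CISCO_VENDOR_ID):
            sub = value[4:]
            if sub and sub[0] == CISCO_AVPAIR:
                result["av_pairs"].append(sub[2:sub[1]].decode())
        pos += l
    return result

def privilege_level(result):
    """Explicit shell:priv-lvl if sent; otherwise what Service-Type alone implies on IOS (Administrative 15, NAS-Prompt 1)."""
    for pair in result["av_pairs"]:
        if pair.startswith("shell:priv-lvl="):
            return int(pair.split("=", 1)[1])
    return 15 if result["service_type"] == "Administrative" else 1
```

Feeding a capture of a real Access-Accept to decode_access_accept with the configured secret shows whether the server is actually returning Administrative or NAS-Prompt, and whether the Cisco VSA arrived at all.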

Similar Messages

  • AAA using Radius with 802.1x

    Hello there,
    We're going to be implementing 802.1x on our network of some really old switches (6509 CatOS with MSFC 2). We use RADIUS for AAA authentication and I've been reading that .1x uses RADIUS. How is that going to work? Do I just add another RADIUS server in my radius server command and, more importantly, will .1x work on CatOS running 8.2.1? I've been trawling the forums and I can't seem to find anyone who's actually running .1x on the old CatOS switches to see what kind of gotchas I can expect to run into.
    Any advice or assistance would be greatly appreciated!
    Thanks
    Kiley

    Salodh,
    Thanks but that document is for a 2950 and we have a 6509 but, the good thing is I just found out our Tier 3 engineers will not be adding dot1x to the 6509 since it has only trunks - no access ports.  Thanks very much for your reply!

  • Using RADIUS without enabling AAA

    Is there any way I can use a RADIUS server without enabling/using AAA?
    Is there any command like "ip auth radius ..."?
    Couldn't find anything on Cisco as such.

    Swapnendu
    Am I correct in assuming that you are talking about IOS based routers or CatOS switches? If so, I believe that the only way to use RADIUS is to use AAA.
    HTH
    Rick

  • 802.1X for wired environments using Radius/ACS for Dynamic Vlan Assignment

    Could someone please provide me with the simplest set of configuration steps to fire up RADIUS in ACS and 802.1X for dynamic VLAN assignment. The objective is to roll out NAC L2 OOB using the 802.1X method for dynamic VLAN assignments.
    If possible show:
    1. ACS/Radius Configurations.
    2. End User Switch Configurations
    Variables:
    Switch A
    MAC Address aaaa.bbbb.cccc     Vlan 10
                bbbb.cccc.dddd     Vlan 20
    Also, if someone posts the Pros and Cons of using Radius/ACS/802.1X for Dynamic Vlan Assignments.
    Other technology sets that can be used for Dynamic Vlan assignment EXCEPT from deprecated/obsolete VMPS.
    Thanks in advance.

    Hi Guys,
        Hmmm, well if you're just looking for MAC based authentication the good news is that it is very easy. Just create your RADIUS server (ACS, FreeRADIUS, Steel-Belted RADIUS, etc.). Then create a user with the name of the MAC address; in other words, if the MAC address is 0012.0021.1122 the name would be 001200211122 and the password would be the MAC address. Then you set the VLAN and tunnel stuff, like so: Tunnel-Type would be VLAN, Tunnel-Medium-Type would be 802 and Tunnel-Private-Group-ID is the name of the VLAN (not the VLAN number).
       So for the Cisco ACS 4.x you would create a user as specified above, fill in all the password boxes with MAC address, I believe the mac has to be all lower case in the name and the password.  Then check the Separate(Chap/MS-Chap/ARAP) box.  Then you pick the group the machine belongs to, the group is the part that defines what vlan it is on.
       Before you create the user, create the group with info I wrote above and in addition specify the Service-Type as Authenticate Only.
        Freeradius is a bit harder to configure the specifics and I am just now testing a freeradius server so I do not know the process for Machine authentication.
        If, however, you are trying to authenticate a user that gets a bit trickier and is not so straight forward.

  • FlexConnect & ISE ACLs - AAA Overide/RADIUS NAC

    Hi Chaps,
    I have 3 ACLs configured on a WLC for CWA, Corp and Guest users. On local mode APs, these are called up using the Airespace fields in the ISE policies dependent on what rule is hit.
    ACL-WEBAUTH-REDIRECT
    ACL-PERMIT-CORP-TRAFFIC
    ACL-PERMIT-GUEST-TRAFFIC
    Will FlexConnect APs call up the ACLs in the same way as local mode, as the WLAN will be AAA Override/RADIUS NAC, or will FlexConnect ACLs be required?
    Cheers,
    N

    I believe you need to create Flex ACLs on the WLC. These Flex ACLs can be named the same as the regular ACLs, so in ISE you wouldn't have to change the auth profile.

  • Local Webauth WLC using radius database

    Hi all,
    I am implementing local WebAuth on the WLC without using local auth; I use the RADIUS database.
    At least I tried to add this on my WLAN:
    layer 3 web auth  authentication
    layer 2 security is WPA/WPA2 PSK
    adding aaa radius server
    aaa radius "network user" check list  enabled
    web auth priority order
    radius
    LDAP
    After I test the WLAN, I can't log in using the RADIUS database.
    But if I implement the security method WPA/WPA2 dot1x, I can log in using the RADIUS database.
    Is there anything missing in my config for implementing the webauth method?
    Thanks
    ridho

    Are you trying to use LDAP or RADIUS to authenticate the webauth users? Since you have 802.1x working, I don't see why you would use LDAP. Also, what RADIUS server are you using? Typically if you're using Microsoft IAS or NPS, you have to change the device type to Login to get webauth with RADIUS to work. Here is an example of 3 ways to authenticate webauth users. You should be able to find others out there also.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008067489f.shtml
    Sent from Cisco Technical Support iPhone App

  • Assigning privilege level using Radius

    I'm trying to assign a privilege level on a Cisco router via RADIUS. I'm using Cisco Secure ACS (Windows 2K).
    I have set the privilege level to 15. But when I telnet to the router, I always get the router> prompt instead of the router# prompt.
    How can I configure the RADIUS server/router so that when I am successfully authenticated, the router# prompt is shown?
    I've configured the router as below:
    aaa authentication login vtymethod group radius enable
    aaa authorization exec vtymethod group radius local
    radius-server host 202.x.x.195 auth-port 1645 acct-port 1646 key cisco
    line vty 0 4
    authorization exec vtymethod
    login authentication vtymethod
    On the Radius, I've configured as below:
    In the group settings for IETF Radius attributes, the Service-Type is set to Nas Prompt.
    Also in the group settings, I've checked the Cisco-av-pair with the following configured: shell:priv-lvl=15.
    Is there something I'm missing?
    Appreciate the help.
    Thanks.
    sweeann

    Hi
    I'm curious... what is the perceived benefit of using RADIUS instead of TACACS+?
    Given that ACS supports both and that T+ is a superior protocol for device admin.
    I once heard someone mutter that T+ was proprietary... but all they were doing was sending (effectively) T+ av-pairs via Cisco RADIUS VSAs. Not significantly different, one could argue!

  • AAA with RADIUS on ASA

    Hey Everyone,
    I am configuring AAA with RADIUS on our remote ASA firewalls.  This is pretty straight forward, but I have some firewalls that this is not working on.  I have upgraded the IOS image on the ASA 5510 to ASA804-K8.BIN on all of them.  The strange part is some of them are working and some of them are not working.
    Just wondering if anyone else has come across this before and what info do you need to give me an assist.
    Thanks in advance,
    Kimberly

    Hi Kimberly,
    just curious: why 8.0.4 and not 8.0.5 ?
    What are you using radius for ? What is the radius server? Did you configure all the ASAs on the radius server(s) ? Did you use the correct shared secret?
    Is there anything different between the working ASAs and the failing ones? Configuration, location in the network, etc?
    If the above doesn't help please post the config of a failing ASA (or at least the relevant parts, and make sure to remove any sensitive data) and the output of:
    debug radius
    debug aaa authen
    debug aaa common 254
    You can test just the radius part with the cli command "test aaa-server authentication ..."
    hth
    Herbert

  • Ise 1.1 ActivatedGuest not able to authenticate using radius pap

    Hi,
    I want to create guest accounts using the sponsor portal and use RADIUS to authenticate with these accounts; AFAIK this is supported as from 1.1 MR1 (Show Version output: 1.1.1.268).
    When we create an account with the ActivatedGuest Identity group, in the sponsor portal the account is marked as active.
    Username Status   First Name   Last Name   Email Address
    aazeaze1 ACTIVE azea azeaze
    However in ise, using radius, we receive an access-reject:
    24210  Looking up User in Internal Users IDStore - aazeaze1
    24206  User disabled
    after logging in successfully to the guest portal with this account, the radius request also succeeds.
    Questions
    1) is this scenario supported?
    2) is there anything else that should be configured?
    Regards

    Hi,
    FYI it works if you don't use the FromLogin time profile; that's only for LWA/CWA.
    cheers

  • LMS , AAA via Radius and cisco AV pair

    We are trying to authenticate users on a Ciscoworks LMS server 2.6 using Radius.
    Is there a radius vendor specific attribute that can be used to make the authenticated user part of the admin groups ?
    Ex: a Cisco-AV-pair, ?LMS?:groups="Network Administrator"
    I have tried a few, but none seem to work. And I haven't found documentation on this.

    No, it is pure authentication that is done.
    There is no way to select a role in LMS based on an AV pair.
    With tacacs+ something like that is possible.
    Cheers,
    Michel

  • Lobby User using RADIUS Server in the NCS

    Hello,
    I need to know if I can use RADIUS to classify users such as lobby and specify for these users the SSID for the guest user and the connection time, like the local database in the NCS.
    Actually I'm using the local database for lobby and I'd like to migrate all this information to the RADIUS database.
    Thanks.

    Hello,
    Yes, you could use RADIUS to authenticate lobby ambassador users. But information like the default WLAN and time period can't be passed using attributes.
    As a work-around, you could create a local lobby admin account with the same username, define the lobby admin defaults locally. The user will be authenticated using RADIUS but the defaults would be picked up based on the definitions set locally in NCS.
    Ram.

  • Can't auth to Nortel network devices using RADIUS with ACS 5.1

    Hi,
    I've got a problem with the ACS 5.1 RADIUS Authentication for Nortel network devices (Baystack 470, ERS 5530 5510, Passport 8606).
    After configuring RADIUS on these devices (primary server, secondary server, secret key, port...) and adding them to my ACS servers,
    I can't manage to log in using RADIUS and I get the following message:
    "Permission denied, please try again" or "No response from RADIUS server" (depending on the device type)
    But in my ACS View, I can see : "Authentication succeeded."
    I've also checked the RADIUS frames, the "Access-Request" and "Access-Accept" are correctly transmitted.
    I've got no problems with RADIUS auth using other brands of devices.
    Are there any known issues with Nortel devices using Cisco ACS 5.1 with RADIUS authentication?
    Regards.

    Are you sure that setting up a compound condition will help?
    To me, the RADIUS Nortel VSAs are used for authorization, and my problem is about authentication (usually for a simple authentication, we stay within the IETF RADIUS standards, no?)
    Also, will setting this condition change the Access-Accept packets sent by the ACS to the device?
    Here are my steps in the ACS View:
    11001  Received RADIUS  Access-Request
    11017  RADIUS created a new  session
    Evaluating Service Selection  Policy
    15004  Matched rule
    15012  Selected Access  Service - Default Network Access
    Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity  Store - Internal Users
    24210  Looking up User in  Internal Users IDStore - radius
    24212  Found User in Internal  Users IDStore
    22037  Authentication Passed
    Evaluating Group Mapping  Policy
    Evaluating Exception  Authorization Policy
    15042  No rule was matched
    Evaluating Authorization  Policy
    15006  Matched Default Rule
    15016  Selected Authorization  Profile - Permit Access
    11002  Returned RADIUS  Access-Accept
    So I think the ACS does its job

  • 7206VXR using RADIUS for L2L

    I am a member of a team working on a solution to provide VPN connectivity to 2000 remote locations running BSD server. We consulted our Cisco SE about this and received a recommendation to purchase a 7206VXR and use RADIUS to provide the L2L configuration to the router. We are having difficulties getting information on how to complete the build. I am curious if anyone has any experience using a Cisco router and RADIUS to do L2L VPN? Is it possible? Thanks!

    Thanks George.
    Yes I tried it and it works. But with web-auth it works a bit stupid if you have LDAP or local as backup.
    With normal dot1x/EAP with radius if primary server rejects the request it does not try the secondary.
    With web auth, if you choose more than one method (local, RADIUS or LDAP), then if the first method rejects the request it will try the next one.
    +5 from me to you as well
    Sent from Cisco Technical Support iPad App

  • Control access using Radius without ACS

    I want to log into my IPS using my existing RSA SecurID using RADIUS. Is it possible to use a RADIUS attribute in the RSA to tell the IPS what privilege/role the user is? The idea is I don't create users on the IPS; if a user tries to log on it authenticates them via RADIUS running on the RSA server and, if the user is allowed to log onto that client IP (the IPS), then it will allow them to log on but also pass a message back to the IPS to say this person has full admin access. Is that possible using an attribute? Any guidance would be great.

    Yes, you should be able to specify the user role on the radius server.
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_setup.html#wp1276213
    Regards,
    Sawan Gupta

  • Cisco Nexus to use Radius AAA authentication using Microsoft 2008 NPS

    I have a Nexus 7010 running
    Just wondering if you can help me with something. I'm having an issue with command authorization through our aaa config. We don't have a problem authenticating; it's command authorization that is not working. From what I have seen and read, Nexus NX-OS 6.x does not have any commands for aaa authorization unless you are configuring TACACS+. My basic config is below; if you can help it would be much appreciated.
    >>ip radius source-interface mgmt 0
    >>radius-server key XXXXX
    >>radius-server host X.X.X.X key XXXXX authentication accounting
    >>radius-server host X.X.X.X key XXXXX authentication accounting
    >>aaa authentication login default group Radius_Group
    >>aaa authentication login console local
    >>aaa group server radius Radius_Group
    >>    server X.X.X.X
    >>    server X.X.X.X
    >>    source-interface mgmt0
    Also, does anyone know how to configure Microsoft 2008 NPS as a RADIUS server to work with Nexus? I have read a few posts that suggest changing the Attribute Value field in the RADIUS server to
    shell:roles="vdc-admin"
    Does anyone know if this works?
    Thanks

    I have never done this before with ACS but not with NPS. However, you are on the right path. Nexus uses NX-OS, which is different in some regards to regular IOS. One of those differences is the AAA setup. In NX-OS you assign users to roles. So for full access you will need to return the following attributes from your RADIUS server:
    Attribute: cisco-av-pair
    Requirement: Mandatory
    Value: shell:roles*"network-admin vdc-admin"
    For more information take a look at this link:
    http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html
    Hope this helps
    Thank you for rating helpful posts!
