ACS 4.2 RADIUS - Wireless - Certificates
I set up our ACS 4.2 server for TACACS and also to provide RADIUS authentication for our WLAN, and eventually I will use it for 802.1x authentication for the LAN.
I am not an expert on certificates. I called TAC to get assistance installing the self-signed certificate on ACS. This allowed me to build and test my WLAN. Now that I am near the point of going live with this, I'd like to install a certificate that won't expire in 1 year.
How do most people do this? We do have a Windows 2003 server that acts as the Certificate Authority for other services. Should I be doing something with that? And how do most people get these certificates deployed to the clients? By GPO?
Clearly I am not very familiar with certificates and I apologize for this, but reading about them is getting confusing. If someone could point me in the right direction that would be a big help! Thank you!
Edit: I should mention I've been using PEAP with the self-signed certificate, and am currently manually installing the certificate on my test clients. As it is right now everything on my WLAN works great: authentication, VLAN assignment, etc. I'm just confused about the best practice for the certificate.
ACS can only provide validity of one year. Using a Microsoft CA you can configure it for 5, 6 or 7 years, depending upon your need.
It is easy to handle and manage via GPO.
Two PEAP scenarios:
Using PEAP without the validate server option checked ---> Easy to deploy, as a cert is required only on ACS.
Using PEAP with the validate server option checked ---> Needs the CA cert on each client.
Also you can get the certs from vendors like Verisign, Entrust, Equifax, GeoTrust etc. The advantage with these certs is that we don't have to install the CA cert on each client, as it is installed by default on each operating system.
Hope that helps!
Regards,
~JG
Do rate helpful posts
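JG's two PEAP scenarios correspond to settings in the Windows wireless profile that a GPO wireless policy pushes to clients (the same XML that "netsh wlan export profile" writes). The script below is an added example, not code from the post or from Microsoft/Cisco: it parses such a profile and reports which scenario it implements and what is still unchecked. The two embedded profiles are constructed and trimmed to the elements the audit reads; the CA thumbprint and the server name "acs.corp.example" are made-up placeholders.

```python
"""Audit the PEAP server-validation settings of an exported Windows wireless
profile.  Added example; not code from the post or from Microsoft/Cisco.
The two profiles are constructed and trimmed; thumbprint and server name are
placeholders."""
import xml.etree.ElementTree as ET

NS = {
    "wlan": "http://www.microsoft.com/networking/WLAN/profile/v1",
    "eaphost": "http://www.microsoft.com/provisioning/EapHostConfig",
    "base": "http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1",
    "peap": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1",
    "peap2": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2",
}
PEAP = 25
CA_THUMBPRINT = "00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33"  # placeholder

PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{ssid}</name><SSIDConfig><SSID><name>{ssid}</name></SSID></SSIDConfig>
  <MSM><security><OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
  <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
      <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
        <Type>25</Type>
        <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
          <ServerValidation>
            <DisableUserPromptForServerValidation>{no_prompt}</DisableUserPromptForServerValidation>
            <ServerNames>{names}</ServerNames>
            <TrustedRootCA>{root}</TrustedRootCA>
          </ServerValidation>
          <PeapExtensions>
            <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">{validate}</PerformServerValidation>
          </PeapExtensions>
        </EapType>
      </Eap>
    </Config>
  </EapHostConfig>
  </EAPConfig></OneX></security></MSM>
</WLANProfile>"""

# Scenario 1 from the reply: PEAP with "validate server certificate" unchecked.
WEAK_PROFILE = PROFILE.format(ssid="corp-wlan", validate="false", no_prompt="false", names="", root="")
# Scenario 2: validation on, pinned to the internal CA, server name checked, no user prompt.
HARDENED_PROFILE = PROFILE.format(ssid="corp-wlan", validate="true", no_prompt="true",
                                  names="acs.corp.example", root=CA_THUMBPRINT)


def _text(node, path):
    el = node.find(path, NS)
    return el.text.strip() if el is not None and el.text else ""


def _flag(text):
    # Windows writes booleans as the literal strings "true"/"false".
    return {"true": True, "false": False}.get(text.lower()) if text else None


def audit_profile(xml_text):
    """Return the PEAP settings that matter plus a list of findings (empty = OK)."""
    root = ET.fromstring(xml_text)
    result = {"ssid": _text(root, "wlan:SSIDConfig/wlan:SSID/wlan:name"), "outer_eap": None,
              "validate_server": None, "trusted_root_ca": [], "server_names": "", "findings": []}
    f = result["findings"]
    outer = root.find(".//eaphost:EapHostConfig/eaphost:Config/base:Eap", NS)
    if outer is None:
        f.append("no EAP configuration: not an 802.1X profile")
        return result
    result["outer_eap"] = int(_text(outer, "base:Type") or 0)
    if result["outer_eap"] != PEAP:
        f.append(f"outer EAP type {result['outer_eap']} is not PEAP")
        return result
    peap = outer.find("peap:EapType", NS)
    result["validate_server"] = _flag(_text(peap, "peap:PeapExtensions/peap2:PerformServerValidation"))
    result["trusted_root_ca"] = [t.text.strip() for t in
                                 peap.findall("peap:ServerValidation/peap:TrustedRootCA", NS)
                                 if t.text and t.text.strip()]
    result["server_names"] = _text(peap, "peap:ServerValidation/peap:ServerNames")
    no_prompt = _flag(_text(peap, "peap:ServerValidation/peap:DisableUserPromptForServerValidation"))
    if result["validate_server"] is False:
        # Without server validation the client will run the inner MSCHAPv2 exchange
        # against whatever RADIUS server a rogue AP puts behind the SSID.
        f.append("PerformServerValidation=false: any server certificate is accepted, so a "
                 "rogue AP with its own RADIUS server can capture the inner MSCHAPv2 exchange")
        return result
    if result["validate_server"] is None:
        f.append("PerformServerValidation missing: cannot confirm server validation is on")
    if not result["trusted_root_ca"]:
        f.append("no TrustedRootCA pinned: any CA in the client's Trusted Root store is accepted")
    if not result["server_names"]:
        f.append("ServerNames empty: the server certificate subject is not checked")
    if no_prompt is not True:
        f.append("DisableUserPromptForServerValidation is not true: users can click through a failed validation")
    return result


if __name__ == "__main__":
    for profile in (WEAK_PROFILE, HARDENED_PROFILE):
        print(audit_profile(profile))
```

Run it against a real export ("netsh wlan export profile name=... folder=..." on a test client) by passing the file contents to audit_profile(). The point of the hardened profile is that pinning the internal CA thumbprint and the ACS server name is what makes "validate server" mean something; with an empty TrustedRootCA list a certificate from any public CA the client already trusts would also be accepted.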
Similar Messages
-
ACS 5.1 - RADIUS Proxy Accounting Logs
Recently I'm using ACS 5.1 to support external RADIUS servers, and read the manuals to proceed with the following workflow.
Install Linux RADIUS Service (this part was tested)
Install FreeRADIUS Service
Add new linux user account
Cisco ACS 5.1
Add External RADIUS servers
Network Resources -> External RADIUS Servers
Add information.
Add RADIUS Proxy Service
Access Policies -> Access Services
Create with User Selected Service Type , RADIUS Proxy
Advanced Options -> Accounting
Remote Accounting and Local Accounting enabled
Access Policies -> Access Services -> Service Selection Rules
Create #1 rule , Conditions : match Radius , Results : RADIUS Service
Add Network Resources for accepting network
Network Device Groups -> Network Devices and AAA Clients
Enable RADIUS Debug Messages
System Administration > Configuration > Log Configuration > Logging Categories > Global > Edit: "RADIUS Diagnostics"
Configure Log Category Log Severity : DEBUG
Add 3GPP VSA
Send out Radius Accounting Packet to ACS
ACS got the Packet, but didn't redirect to External Radius Server
I got this message from ACS 5.1
Another is 'Failed to forward request to current remote RADIUS server; an invalid response was received.' in the iv.csv file.
There are two problems.
RADIUS Accounting Packets didn't redirect to the external server, but it works without proxy. (Auth is ok.)
Other attributes didn't collect all information, even with debug enabled.

Hi Steve,
The shared secret is 100% correct.
Finally I find out that there may be some white lists for attributes.
If I keep NAS-Identifier , it will work.
But it can't pass all VSA (3GPP sub-attributes) , it only shows one or three in BOTH ACS and RADIUS Server.
The other is the RADIUS VSA User Define Options (which is in SA > C > D > P > RADIUS > RADIUS VSA > Edit ) .
When 'Vendor Length Field Size' is changed to 0, all sub-attributes pass through ACS.
The RADIUS Server gets the message from the NAS.
Of course, there is the Proxy-State attribute.
In this condition, the ACS has incorrect output in the sub-attribute.
Now I try 5.2 to see whether the problem still exists. -
ACS 5.1 RADIUS Proxy - Adding RADIUS attributes
Is there anyway under ACS 5.1 to add RADIUS attributes to outgoing RADIUS proxy auth requests or failing this to RADIUS proxy accounting updates?
As soon as I configure a RADIUS proxy services, there is little config I can do other than to say whether or not the prefix and suffix is to be stripped.
I can add these attributes if using an external RADIUS box as an identity store, but I cannot do this for this particular service and instead I need to use RADIUS proxying.
Thanks
Paul -
Machine certificate RADIUS wireless login
Hi all,
I have a customer who wants to have computer authentication against RADIUS (allow only school devices to connect through the SSID). As I am a network engineer I am struggling with NPS settings and machine certificates.
I have lab settings in our office where I am using Windows Server 2012 and configured domain certificates using the links below
https://4sysops.com/archives/how-to-deploy-certificates-with-group-policy-part-2-configuration/#creating-the-certificates
http://www.petenetlive.com/KB/Article/0000919.htm
Under NPS I have two policies, one for domain devices and one for non-domain devices
Domain_devices policy:
Conditions - NAS Port Type - Wireless - Other OR Wireless - IEEE 802.11
Machine groups - domain\Domain devices - PC added to that group
Constraints - Auth. method - Microsoft Smart Card or other certificate
Domain_devices policy:
Conditions - NAS Port Type - Wireless - Other OR Wireless - IEEE 802.11
Constraints - Auth. method - Microsoft Protected EAP (PEAP)
When tested with an iPad this was able to connect fine, but when testing with a domain laptop NPS is returning Event ID 6273, Reason code 16:
Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
The password is correct, as I am using the same one for the iPad as well as for computer login.
Anybody with an idea why it's not working?
Thanks

Hi Lukas,
Based on your description, the first policy is for domain devices, the second policy is for non-domain devices, the iPad is a non-domain device and the laptop is a domain device, is that right?
Since the certificate was deployed via GPO, have you checked whether the user or computer certificate was installed successfully on the laptops?
To verify whether the user certificate was installed on the laptop, please follow the steps below:
1. Click Start, click Run, enter MMC to open a Console.
2. Click File, click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog, click Certificates, click Add, check My user account, click Finish, click OK.
4. Expand Console Root\Certificates - Current User\Personal; if there is no certificate in this container, the user certificate was not installed successfully.
To verify whether the computer certificate was installed on the laptop, please follow the steps below:
1. Click Start, click Run, enter MMC to open a Console.
2. Click File, click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog, click Certificates, click Add, check Computer account, click Finish, click OK.
4. Expand Console Root\Certificates (Local Computer)\Personal; if there is no certificate in this container, the computer certificate was not installed successfully.
Also, the NPS server and the laptops all need to trust the CA, so please check that there is a CA certificate in the Trusted Root Certification Authorities\Certificates container.
Best Regards,
Tina
-
ACS 5.5 RADIUS OUTBOUND Attributes Injection feature
Hello
I'm having a look at the RADIUS OUTBOUND Attributes Injection feature for the External Proxy service in ACS version 5.5.0.46.
The use case is:
ACS uses the External Proxy service to authenticate wireless users with certain domain suffixes
Sometimes the username in the Access-Accept comes back with the domain suffix stripped.
The result of this is:
ACS logs a successful authentication with the sent username (with suffix)
ACS sends the Access-Accept to the WLC and the user is listed on the WLC (without suffix)
Subsequent accounting packets for the user appear in ACS (without suffix)
In the past I've used a FreeRADIUS proxy server between ACS and the external proxy to 'rewrite' the username in the Access-Accept so that it matches the username originally sent in the Access-Request. The code for this looked something like the following.
post-proxy {
    # copy the User-Name the NAS sent into the reply going back to it
    update outer.reply {
        User-Name := "%{request:User-Name}"
    }
}
I'm looking to do the above solely with ACS but I can't see the Radius-ietf username attribute listed under the RADIUS OUTBOUND Attributes Injection feature. Is it possible to rewrite the username attribute in ACS 5.5?
Thanks
Andy

Don't think this can be done in ACS 5.5 when using an External Proxy Service Type.
Interestingly, it appears to be possible with a Network Access Service Type. Under Allowed Protocols there is a tick box for Send as User-Name in RADIUS Access-Accept - one of the options is RADIUS Access-Request User-Name. Hopefully this will be implemented in a future release for External Proxy.
Cheers
Andy -
Wireless certificate prompt - WLC 5508
When users connect to my company's wireless, which authenticates using a Windows 2008 RADIUS server, they're prompted to accept a server certificate. I'd like to install a trusted SSL certificate and prevent users from having to accept a cert every time they connect. This primarily happens on iPad/iPhone devices.
How do I go about doing this? Do this on the controller? Or on the Radius server?
Wireless Controller: 5508
Thank you

Here is the solution:
If you have iOS devices (iPhones, iPads, or iPod Touches) or Mac OS Lion machines on the network, you may want to use the iPhone Configuration Utility (iPCU) to help distribute the wireless settings to them. Apple offers the utility for both Windows and Mac OS X.
You can use the iPCU to create, encrypt, maintain, and install XML-based configuration profiles. In addition to Wi-Fi settings, these profiles can contain device security policies, VPN configuration, MS Exchange and email settings, and digital certificates. You can create profiles for specific users, groups, or a profile for all. You can either install the profiles directly from the computer running the iPCU or distribute the .mobileconfig file via other means.
Note: This is a one-time process; after distribution the profiles will be saved on the devices.
Mark it as correct if this resolves your issue. -
ACS 5.3 Radius authentication with ASA and DACL
Hi,
I am trying to do RADIUS authentication on ACS 5.3 for VPN access (Cisco client) using a downloadable ACL with AD identity.
Clients are connecting to an ASA 5510 with image asa843-K8.bin.
I followed the configuration example on the Cisco site, but I am having some problems.
First: AD identity is not triggered. I put in a profile:
Status | Name        | Conditions: NDG:Location | Time And Date | AD1:memberOf         | Results: Authorization Profiles | Hit Count
1      | TestVPNDACL | -ANY-                    | -ANY-         | equals Network Admin | TEST DACL                       | 0
But I am getting no hits on it, so Default Access is being used (Permit Access).
So I tried putting the DACL in the default profile, but when connecting I am immediately disconnected.
I can see the DACL/ASA being authenticated in the ACS log, but no success.
I am using my user which is member of the Network Admin Group.
Am I missing something?
Any help greatly appreciated!
Wim

Hello Stephen,
As per the IP Pools feature, ACS 5.x does not include such functionality. It is not on the ACS 5.x roadmap either, as the recommended scenario would be to use a dedicated DHCP server.
ACS 4.x included that functionality; however, it was not the best solution, as the ACS returned the IP address value as a RADIUS attribute instead of acting as a real DHCP server.
As per the IMEI and MSISDN, I am assuming you are referring to International Mobile Equipment Identity and Mobile Subscriber ISDN. Correct me if I am wrong.
In that case it seems that the ACS 5.x should be able to Allow or Deny access based on Radius Attribute 30 (Called-Station-Id) and 31 (Calling-Station-Id).
In that case you might want to use the End-Station Filters feature and use it as the condition for the Rule. The End-Station Filter feature uses CLI/DNIS where CLI is Radius Attribute 31 and DNIS is Attribute 30.
I am assuming a Generic Username will be embedded on the devices request. In that case you will define which end-user devices will be granted access based on the above attributes.
Here is a snapshot of the section: -
ACS 5.3 / Self Signed / Certificate base auth
Hello,
Our ACS (5.3) has a self-signed certificate; we have exported it and declared it in Certificate Authorities.
We have exported it to have a Trusted Certificate for client machines.
This certificate has been installed on a laptop.
The wlc is successfully setup for eap (peap & eap-fast has been tested > ok)
I have this error in the log:
12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain
I think the Access Policies (identity & authorization) are misconfigured:
> I allowed Host Lookup, PAP/ASCII, MSCHAPV2, EAP-MD5, EAP-TLS, PEAP, EAP-FAST
> Identity: System:EAPauthentication match EAP-TLS
id Source: AD in which AD, Internal Users, Password based, certificate based CN Username are enabled
> authorization: System:WasMachineAuthenticated=True
Thanks for your help,
regards,

Hello,
I found the answer here:
https://supportforums.cisco.com/message/1298039#1298039
ACS self-signed certificate is not compatible with EAP-TLS
Thanks, -
Password aging with ACS + UCP in a wireless network.
Hello
We want to use ACS in our wireless network, but we would like to allow users to change their own passwords, so we want to use UCP.
Additionally, we want to force them to change their passwords after a period of time or number of logins.
Is it possible to use password aging based on time or number of connections when users connect through UCP web interface?
Also, does using UCP requiere some kind of additional license/payment?
Thanks.

Juilo,
No, the UCP sample scripts have to run on a separate ACS server and you have to enable the UCP interfaces through the CLI to accept the UCP requests from the other server.
Here is a link that will help you.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/admin_config.html#wp1105672
Tarik Admani
*Please rate helpful posts* -
802.1x with ACS 4.2 (RADIUS) problem
HI all!
I am trying to configure AAA authentication and authorization with a Cisco 3725 (IOS 12.4(17)) for 802.1x and ACS 4.2 with VLAN assignment to my Windows XP client (trying to assign VLAN 100 in my scenario).
When the user connects to the Router, it passes the authentication process (EAP-MD5). In my debug I see that the Router receives the RADIUS attributes BUT does not apply anything!
My running config:
Building configuration...
Current configuration : 1736 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R4
boot-start-marker
boot-end-marker
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa session-id common
memory-size iomem 5
ip cef
no ip domain lookup
ip domain name lab.local
ip device tracking
dot1x system-auth-control
interface FastEthernet0/0
ip address 10.10.0.253 255.255.255.0
duplex auto
speed auto
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
interface FastEthernet1/0
dot1x port-control auto
interface FastEthernet1/1
interface FastEthernet1/2
interface FastEthernet1/3
interface FastEthernet1/4
interface FastEthernet1/5
interface Vlan1
ip address 192.168.1.1 255.255.255.0
interface Vlan100
ip address 192.168.100.1 255.255.255.0
ip forward-protocol nd
no ip http server
no ip http secure-server
mac-address-table static 0800.27b1.b332 interface FastEthernet1/0 vlan 1
radius-server host 10.10.0.2 auth-port 1645 acct-port 1646 key cisco
radius-server vsa send accounting
radius-server vsa send authentication
My Radius debug information:
*Mar 1 00:21:31.487: RADIUS: Pick NAS IP for u=0x65BAF324 tableid=0 cfg_addr=0.0.0.0
*Mar 1 00:21:31.491: RADIUS: ustruct sharecount=2
*Mar 1 00:21:31.491: Radius: radius_port_info() success=1 radius_nas_port=1
*Mar 1 00:21:31.491: RADIUS: added cisco VSA 2 len 15 "FastEthernet1/0"
*Mar 1 00:21:31.491: RADIUS: Request contains 9 byte EAP-message
*Mar 1 00:21:31.491: RADIUS: Added 9 bytes of EAP data to request
*Mar 1 00:21:31.495: RADIUS/ENCODE: Best Local IP-Address 10.10.0.253 for Radius-Server 10.10.0.2
*Mar 1 00:21:31.507: RADIUS(00000000): Send Access-Request to 10.10.0.2:1645 id 1645/3, len 127
*Mar 1 00:21:31.511: RADIUS: authenticator 36 68 24 30 F0 CC E8 3C - 69 48 61 E3 DA 28 52 AC
*Mar 1 00:21:31.511: RADIUS: NAS-IP-Address [4] 6 10.10.0.253
*Mar 1 00:21:31.511: RADIUS: NAS-Port [5] 6 0
*Mar 1 00:21:31.511: RADIUS: Vendor, Cisco [26] 23
*Mar 1 00:21:31.515: RADIUS: cisco-nas-port [2] 17 "FastEthernet1/0"
*Mar 1 00:21:31.515: RADIUS: NAS-Port-Type [61] 6 X75 [9]
*Mar 1 00:21:31.515: RADIUS: User-Name [1] 6 "user"
*Mar 1 00:21:31.515: RADIUS: Calling-Station-Id [31] 19 "08-00-27-B1-B3-32"
*Mar 1 00:21:31.515: RADIUS: Service-Type [6] 6 Framed [2]
*Mar 1 00:21:31.515: RADIUS: Framed-MTU [12] 6 1500
*Mar 1 00:21:31.515: RADIUS: EAP-Message [79] 11
*Mar 1 00:21:31.515: RADIUS: 02 1D 00 09 01 75 73 65 72 [?????user]
*Mar 1 00:21:31.515: RADIUS: Message-Authenticato[80] 18
*Mar 1 00:21:31.515: RADIUS: B1 8B 8F 4C F1 6D C9 A6 4E 96 B8 3D 53 E9 41 12 [???L?m??N??=S?A?]
*Mar 1 00:21:31.555: RADIUS: Received from id 1645/3 10.10.0.2:1645, Access-Challenge, len 93
*Mar 1 00:21:31.555: RADIUS: authenticator DF 38 A1 1B ED 3C 1E B2 - 1A 92 6A D5 58 CE B8 4A
*Mar 1 00:21:31.555: RADIUS: EAP-Message [79] 28
*Mar 1 00:21:31.555: RADIUS: 01 1E 00 1A 04 10 BE BA B4 B0 26 9D 52 0E 43 BC [??????????&?R?C?]
*Mar 1 00:21:31.555: RADIUS: 33 46 8E A8 C6 45 47 4E 53 33 [3F???EGNS3]
*Mar 1 00:21:31.555: RADIUS: State [24] 27
*Mar 1 00:21:31.555: RADIUS: 45 41 50 3D 30 2E 31 66 66 2E 39 38 36 2E 31 3B [EAP=0.1ff.986.1;]
*Mar 1 00:21:31.559: RADIUS: 53 56 43 3D 30 2E 31 35 3B [SVC=0.15;]
*Mar 1 00:21:31.559: RADIUS: Message-Authenticato[80] 18
*Mar 1 00:21:31.559: RADIUS: 22 C8 D5 BB 44 FC FC 14 D3 2C C9 42 A3 9B A4 9E ["???D????,?B????]
*Mar 1 00:21:31.563: RADIUS: Found 26 bytes of EAP data in reply (ofs 0)
*Mar 1 00:21:31.563: RADIUS: Received 26 byte EAP Message in reply
*Mar 1 00:21:31.587: RADIUS: Pick NAS IP for u=0x65BAF324 tableid=0 cfg_addr=0.0.0.0
*Mar 1 00:21:31.587: RADIUS: ustruct sharecount=1
*Mar 1 00:21:31.587: Radius: radius_port_info() success=1 radius_nas_port=1
*Mar 1 00:21:31.587: RADIUS: added cisco VSA 2 len 15 "FastEthernet1/0"
*Mar 1 00:21:31.591: RADIUS: Request contains 26 byte EAP-message
*Mar 1 00:21:31.591: RADIUS: Added 26 bytes of EAP data to request
*Mar 1 00:21:31.591: RADIUS/ENCODE: Best Local IP-Address 10.10.0.253 for Radius-Server 10.10.0.2
*Mar 1 00:21:31.591: RADIUS(00000000): Send Access-Request to 10.10.0.2:1645 id 1645/4, len 171
*Mar 1 00:21:31.591: RADIUS: authenticator 0A A2 1F 7C 12 A8 AB F7 - 9F 87 C6 51 A4 0D EA A2
*Mar 1 00:21:31.595: RADIUS: NAS-IP-Address [4] 6 10.10.0.253
*Mar 1 00:21:31.595: RADIUS: NAS-Port [5] 6 0
*Mar 1 00:21:31.595: RADIUS: Vendor, Cisco [26] 23
*Mar 1 00:21:31.595: RADIUS: cisco-nas-port [2] 17 "FastEthernet1/0"
*Mar 1 00:21:31.595: RADIUS: NAS-Port-Type [61] 6 X75 [9]
*Mar 1 00:21:31.595: RADIUS: User-Name [1] 6 "user"
*Mar 1 00:21:31.595: RADIUS: Calling-Station-Id [31] 19 "08-00-27-B1-B3-32"
*Mar 1 00:21:31.595: RADIUS: Service-Type [6] 6 Framed [2]
*Mar 1 00:21:31.595: RADIUS: Framed-MTU [12] 6 1500
*Mar 1 00:21:31.595: RADIUS: State [24] 27
*Mar 1 00:21:31.595: RADIUS: 45 41 50 3D 30 2E 31 66 66 2E 39 38 36 2E 31 3B [EAP=0.1ff.986.1;]
*Mar 1 00:21:31.595: RADIUS: 53 56 43 3D 30 2E 31 35 3B [SVC=0.15;]
*Mar 1 00:21:31.595: RADIUS: EAP-Message [79] 28
*Mar 1 00:21:31.595: RADIUS: 02 1E 00 1A 04 10 AA 09 8E 39 DE 29 E4 CC C6 BC [?????????9?)????]
*Mar 1 00:21:31.595: RADIUS: 7F 01 C8 47 EC 74 75 73 65 72 [???G?tuser]
*Mar 1 00:21:31.595: RADIUS: Message-Authenticato[80] 18
*Mar 1 00:21:31.595: RADIUS: 33 57 82 E2 5C 24 A2 8C 67 CC 0D 8C 25 12 74 13 [3W??\$??g?????t?]
*Mar 1 00:21:31.731: RADIUS: Received from id 1645/4 10.10.0.2:1645, Access-Accept, len 90
*Mar 1 00:21:31.731: RADIUS: authenticator A0 0E DF D7 87 FD 9E B6 - BB 64 04 4F 56 2A 03 89
*Mar 1 00:21:31.735: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
*Mar 1 00:21:31.735: RADIUS: EAP-Message [79] 6
*Mar 1 00:21:31.735: RADIUS: 03 1E 00 04 [????]
*Mar 1 00:21:31.735: RADIUS: Tunnel-Type [64] 6 01:VLAN [13]
*Mar 1 00:21:31.739: RADIUS: Tunnel-Medium-Type [65] 6 01:ALL_802 [6]
*Mar 1 00:21:31.739: RADIUS: Tunnel-Private-Group[81] 6 01:"100"
*Mar 1 00:21:31.739: RADIUS: Class [25] 22
*Mar 1 00:21:31.739: RADIUS: 43 41 43 53 3A 30 2F 35 62 31 2F 61 30 61 30 30 [CACS:0/5b1/a0a00]
*Mar 1 00:21:31.739: RADIUS: 66 64 2F 30 [fd/0]
*Mar 1 00:21:31.739: RADIUS: Message-Authenticato[80] 18
*Mar 1 00:21:31.739: RADIUS: 75 BC F2 E0 91 07 6C 12 4D 5C BB 50 A4 FD D3 26 [u?????l?M\?P???&]
*Mar 1 00:21:31.739: RADIUS: Found 4 bytes of EAP data in reply (ofs 0)
*Mar 1 00:21:31.739: RADIUS: Received 4 byte EAP Message in reply
As a result the vlan-switch data based does not change.
Any help will be appreciated!
Thanks a lot,
Chelovekov Alexander

I've tried multiple ways to cope with this problem but nothing was helpful...
Tunnel-Medium-Type [65] 6 01:ALL_802
I use only ACS RADIUS attributes and chose only what ACS allows me to choose (Tunnel-Medium-Type: 802).
Screenshot in attachment.
The same situation occurs when I try to use some Vendor Specific Attributes (Cisco-AV-Pair), downloadable ACEs for my user: again, I see the RADIUS attributes in my debug but nothing is applied to my L3 switch.
What am I missing? -
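The Access-Accept in the debug above can be decoded offline to confirm what the NAS was actually told. The script below is an added example, not code from either post or from Cisco: it rebuilds that Access-Accept (id 4, len 90) byte for byte from the debug lines, decodes the RFC 2868 tagged tunnel attributes that carry a dynamic VLAN, and decodes Vendor-Specific (26) sub-attributes, including the "no vendor length field" layout that the earlier ACS 5.1 proxy thread's 'Vendor Length Field Size' setting controls. The authenticator and Message-Authenticator bytes are copied from the debug and not re-verified (that would need the shared secret); CISCO_VSA is the cisco-nas-port VSA from the Access-Request, and THREEGPP_VSA is a constructed sample, not a capture.

```python
"""Decode a RADIUS Access-Accept (dynamic VLAN) and Vendor-Specific sub-attributes.
Added example; not code from the posts or from Cisco.  ACCESS_ACCEPT is rebuilt
from the debug output above; THREEGPP_VSA is constructed."""
import struct

VENDOR_SPECIFIC, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 26, 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6

ACCESS_ACCEPT = (
    bytes.fromhex("02 04 005a")                               # code 2 (Access-Accept), id 4, length 90
    + bytes.fromhex("A00EDFD787FD9EB6BB64044F562A0389")       # response authenticator (from debug)
    + bytes.fromhex("0806 ffffffff")                          # Framed-IP-Address 255.255.255.255
    + bytes.fromhex("4f06 031e0004")                          # EAP-Message: EAP-Success, id 0x1e
    + bytes.fromhex("4006 0100000d")                          # Tunnel-Type, tag 1, VLAN (13)
    + bytes.fromhex("4106 01000006")                          # Tunnel-Medium-Type, tag 1, 802 (6)
    + bytes.fromhex("5106 01") + b"100"                       # Tunnel-Private-Group-ID, tag 1, "100"
    + bytes([25, 22]) + b"CACS:0/5b1/a0a00fd/0"               # Class
    + bytes.fromhex("5012 75BCF2E091076C124D5CBB50A4FDD326")  # Message-Authenticator (from debug)
)
# Value field of the Cisco VSA in the Access-Request: vendor 9, sub-type 2 (cisco-nas-port).
CISCO_VSA = bytes.fromhex("00000009") + bytes([2, 17]) + b"FastEthernet1/0"
# Constructed 3GPP-style VSA (vendor 10415) with two 1-byte-type/1-byte-length sub-attributes.
THREEGPP_VSA = bytes.fromhex("000028af") + bytes([1, 5]) + b"ims" + bytes([3, 4]) + b"\x00\x2a"


def parse_attributes(payload):
    """Split the attribute area into (type, value) pairs.
    Each attribute is Type(1) Length(1) Value; Length counts the two header bytes."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError(f"truncated attribute header at offset {i}")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError(f"bad length {alen} for attribute {atype} at offset {i}")
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


def parse_packet(data):
    """Return (code, identifier, authenticator, attributes); rejects a Length that
    does not match the bytes received."""
    if len(data) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"header length {length} != {len(data)} bytes received")
    return code, ident, data[4:20], parse_attributes(data[20:])


def tagged_int(value):
    """RFC 2868 tagged integer: tag byte (0x00-0x1F) + 3-byte value.  A first byte
    above 0x1F means no tag was sent and all four bytes are the value."""
    if len(value) != 4:
        raise ValueError("tagged integer must be 4 bytes")
    if value[0] > 0x1F:
        return 0, int.from_bytes(value, "big")
    return value[0], int.from_bytes(value[1:], "big")


def tagged_string(value):
    """RFC 2868 tagged string: optional tag byte (0x00-0x1F) followed by text."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:].decode("ascii")
    return 0, value.decode("ascii")


def vlan_assignment(attrs):
    """Return the VLAN the Accept asks the NAS to apply, or None.  The NAS applies it
    only if Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802 and Tunnel-Private-Group-ID
    are all present and carry the same tag."""
    by_tag = {}
    for atype, value in attrs:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, num = tagged_int(value)
            by_tag.setdefault(tag, {})[atype] = num
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            tag, text = tagged_string(value)
            by_tag.setdefault(tag, {})[atype] = text
    for group in by_tag.values():
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in group):
            return group[TUNNEL_PRIVATE_GROUP_ID]
    return None


def parse_vsa(value, vendor_length_size=1):
    """Split a Vendor-Specific value into (vendor_id, [(vendor_type, data), ...]).
    RFC 2865 recommends 1-byte type / 1-byte length sub-attributes (size 1).  With
    vendor_length_size=0 there is no length byte, so nothing delimits a second
    sub-attribute: the rest of the VSA becomes the data of the first one."""
    vendor_id = int.from_bytes(value[:4], "big")
    body, subs, i = value[4:], [], 0
    while i < len(body):
        vtype = body[i]
        if vendor_length_size == 0:
            subs.append((vtype, body[i + 1:]))
            break
        if i + 2 > len(body):
            raise ValueError(f"truncated sub-attribute {vtype}")
        vlen = body[i + 1]
        if vlen < 2 or i + vlen > len(body):
            raise ValueError(f"bad vendor length {vlen} for sub-attribute {vtype}")
        subs.append((vtype, body[i + 2:i + vlen]))
        i += vlen
    return vendor_id, subs


def summarize(data):
    """Decode a packet into the fields an operator compares against the NAS debug."""
    code, ident, _auth, attrs = parse_packet(data)
    return {"code": code, "id": ident, "attribute_types": [t for t, _ in attrs],
            "vlan": vlan_assignment(attrs),
            "vsas": [parse_vsa(v) for t, v in attrs if t == VENDOR_SPECIFIC]}


if __name__ == "__main__":
    print(summarize(ACCESS_ACCEPT))
    print(parse_vsa(CISCO_VSA))
    print(parse_vsa(THREEGPP_VSA), parse_vsa(THREEGPP_VSA, vendor_length_size=0))
```

Decoding the captured Accept gives tag 1 on all three tunnel attributes with VLAN / 802 / "100", i.e. a complete assignment as the NAS would evaluate it, which matches the poster's observation that the attributes arrive intact. The parse_vsa() behaviour with vendor_length_size=0 is also why a dictionary entry with a zero-length field can never describe more than one sub-attribute per VSA: the decoder has no way to find where the first one ends.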
ACS 5.5 Radius Attribute not listed in Radius Directory
Hello Community,
I am evaluating Cisco ACS 5.5, and I am trying some scenarios for my company.
I have to authenticate an IP phone. Here I need one VLAN tagged and one VLAN untagged.
In the authorization profile you can add the RADIUS attributes. We have HP switches and I need the attribute with ID 56, but this ID is not listed in the Authorization Profiles --> RADIUS Attributes --> Select part.
But it is listed under System Administration -> Configuration --> Dictionaries --> Protocols -> RADIUS --> RADIUS IETF.
Can somebody tell me how I can select this attribute under Authorization Profiles --> RADIUS Attributes --> Select part?
Thanks a lot
regards

Hi
As you are using HP switches, certain advanced use cases, such as those that involve posture assessment, profiling, and web authentication, are not consistently available with non-Cisco devices or may provide limited functionality, and are therefore not supported with non-Cisco devices.
For more information regarding Authorization profile configuration, please go through the following link:
http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/user/guide/acsuserguide/pol_elem.html -
Radius & wireless & IP address
Hello, I'd like to use a RADIUS server to dynamically authenticate wireless users, but I'd like to know if it's possible to dynamically assign an address to the wireless port when accessing the RADIUS server, or validate it to prevent wireless clients from changing their IP address.
Thanks

Let me clarify more here. Cisco's Aironet wireless clients associated with Cisco's access points and authenticated via LEAP with a RADIUS server can't get an IP address allocated via the RADIUS server. There is no way in LEAP that you can do it; at least Cisco doesn't support it.
Tejal
-
Printers supporting Radius wireless networks
Do any printers exist that support RADIUS wireless networking and Mac OS X 10.8?
Simply reconfigure your Airport Express to either use for airtunes only or to extend the range of the existing network. This effectively connects the Airport Express to your main wireless router as a basic access node rather than a separate router creating its own network.
If you consult the User Guide that came with your Airport Express you'll find additional information on how to setup an Express to simply extend a local wireless network rather than function independently.
-
Microsoft 2008 NPS Radius + wireless controller.
Hi,
We have implemented a new Microsoft 2008 NPS RADIUS server for authentication of the wireless controller.
I am seeing "RADIUS server x.x.x.x:1812 failed to respond to request (ID 119) for client ............." on the controller. But there are no logs hitting the NPS server, either failed or success or other related.
Layer 3 communication is fine between controller & server.
As per the debug logs, the controller is forwarding the request to the NPS server: "Successful transmission of Authentication Packet to ...... NPS proxy".
But there is no further key exchange or successful authentication log. Any idea on this?
Thanks
Shrinivas.K

Download NTRadPing and test to see if your RADIUS is working. You can put a sniffer on and see if you see packets coming out of the WLC and RADIUS. You can always remove the AAA from the WLC and add it back on, and also remove and add back the WLC as an AAA client on the RADIUS server.
Thanks,
Scott Fella
Sent from my iPhone -
ACS as proxy radius and class 25 attribute
Hello !
Could you please help ?
We have a Cisco 3640 as NAS and CS ACS 2.6 as RADIUS server.
Now we would need to
forward the authentication request to another RADIUS server (the username is unknown to the ACS).
The username is provided with a certain prefix and according to that prefix, the request is forwarded to another RADIUS server.
That other server should give back accept/deny and Class attribute 25.
Here comes the question:
Can ACS 2.6 take the Class attribute and use it as the username's group information?
For example, Class attribute 25 named test is forwarded to ACS and ACS has a group named test. According to group test, ACS gives IP/DNS information back to the Cisco 3640 and RAS client.
Or could you please tell me how we could forward the username authentication and then bind a username that is not known to ACS to a certain ACS group?
The ip/dns information must be provided by acs.
Any help will be appreciated !
TIA
Best Regards,
Susanna

As far as I know, ACS 2.6 cannot take the Class attribute and use it as the username's group information....