ACS 4.2 RADIUS - Wireless - Certificates

I set up our ACS 4.2 server for TACACS and also to provide RADIUS authentication for our WLAN, and eventually will use it for 802.1x authentication for the LAN.
I am not an expert on certificates. I called TAC to get assistance installing the self-signed certificate on ACS. This allowed me to build and test my WLAN. Now that I am near the point of going live with this, I'd like to install a certificate that won't expire in 1 year.
How do most people do this? We do have a Windows 2003 server that acts as the Certificate Authority for other services. Should I be doing something with that? And how do most people get these certificates deployed to the clients? By GPO?
Clearly I am not very familiar with certificates and I apologize for this, but reading about them is getting confusing. If someone could point me in the right direction that would be a big help! Thank you!
Edit: I should mention I've been using PEAP with the self-signed certificate, and currently manually installing the certificate on my test clients. As it is right now everything on my WLAN works great: authentication, VLAN assignment, etc. I'm just confused on the best practice for the certificate.

ACS can only provide validity of one year. Using a Microsoft CA you can configure it for 5, 6 or 7 years, depending upon your need.
It is easy to handle and manage it via GPO.
Two PEAP scenarios:
Using PEAP without the validate server option checked ---> easy to deploy, as the cert is required only on ACS.
Using PEAP with the validate server option checked ---> needs the CA cert on each client.
Also you can get the certs from vendors like Verisign, Entrust, Equifax, GeoTrust etc. The advantage with these certs is that we don't have to install the CA on each client, as it is installed by default on each operating system.
Hope that helps!
Regards,
~JG
Do rate helpful posts

Similar Messages

  • ACS 5.1 - RADIUS Proxy Accounting Logs

    Recently I'm using ACS 5.1 to support external RADIUS servers, and read the manuals to process with the following workflow.
    Install Linux RADIUS Service (this part was tested)
    Install FreeRADIUS Service
    Add new linux user account
    Cisco ACS 5.1
    Add External RADIUS servers
    Network Resources -> External RADIUS Servers
    Add information.
    Add RADIUS Proxy Service
    Access Policies -> Access Services
    Create with User Selected Service Type , RADIUS Proxy
    Advanced Options -> Accounting
    Remote Accounting and Local Accounting enabled
    Access Policies -> Access Services -> Service Selection Rules
    Create #1 rule , Conditions : match Radius , Results : RADIUS Service
    Add Network Resources for accepting network
    Network Device Groups -> Network Devices and AAA Clients
    Enable RADIUS Debug Messages
    System Administration > Configuration > Log Configuration  > Logging Categories > Global > Edit: "RADIUS Diagnostics"
    Configure Log Category Log Severity : DEBUG
    Add 3GPP VSA
    Send out Radius Accounting Packet to ACS
    ACS got the packet, but didn't redirect to the external RADIUS server.
    I got this message from ACS 5.1
    The other is 'Failed to forward request to current remote RADIUS server; an invalid response was received.' in the iv.csv file.
    There are two problems.
    RADIUS Accounting Packets didn't redirect to the external server, but it works without proxy. (Auth is OK.)
    Other attributes didn't collect all information, even though debug is enabled.

    Hi Steve,
    The shared secret is 100% correct.
    Finally I found out that there may be some white lists for attributes.
    If I keep NAS-Identifier, it will work.
    But it can't pass all VSAs (3GPP sub-attributes); it only shows one or three in BOTH ACS and the RADIUS Server.
    The other is the RADIUS VSA User Define Options (which is in SA > C > D > P > RADIUS > RADIUS VSA > Edit).
    When 'Vendor Length Field Size' changes to 0, all sub-attributes pass through ACS.
    The RADIUS Server gets the message from the NAS.
    Of course, there is the Proxy-State attribute.
    In this condition, the ACS has incorrect output in the sub-attribute.
    Now I'll try 5.2 to see whether the problem exists or not.
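The length-field mismatch described in this thread can be reproduced offline. The decoder below is an added example (not code from the thread, from ACS or from any RADIUS server): it encodes one 3GPP Vendor-Specific attribute carrying two sub-attributes in the RFC 2865 layout, then decodes it once with the vendor length field size set to 1 and once set to 0, which shows why a dictionary set to 0 turns several sub-attributes into one garbled value. The IMSI and Charging-ID values are constructed samples.

```python
import struct

VENDOR_SPECIFIC = 26   # RFC 2865 attribute type for Vendor-Specific
VENDOR_3GPP = 10415    # 3GPP enterprise number (IANA)
# 3GPP sub-attribute numbers (3GPP TS 29.061)
SUB_3GPP_IMSI = 1
SUB_3GPP_CHARGING_ID = 2


def build_vsa(vendor_id, subattrs):
    """Encode one Vendor-Specific attribute in the RFC 2865 section 5.26
    recommended layout: Vendor-Id, then (vendor-type, vendor-length, value)..."""
    body = b""
    for sub_type, value in subattrs:
        body += bytes([sub_type, len(value) + 2]) + value
    payload = struct.pack("!I", vendor_id) + body
    if len(payload) + 2 > 255:
        raise ValueError("VSA exceeds 255 octets; split it across several VSAs")
    return bytes([VENDOR_SPECIFIC, len(payload) + 2]) + payload


def parse_vsa(attr, vendor_length_size=1):
    """Decode one Vendor-Specific attribute into (vendor_id, [(sub_type, value)]).

    vendor_length_size=1: every sub-attribute carries its own length octet, so
    several can share a single VSA.  vendor_length_size=0: there is no length
    octet, the value runs to the end of the VSA, so only ONE sub-attribute can
    ever be recovered and anything after it lands inside that value.
    """
    if len(attr) < 2 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    if len(attr) < 6:
        raise ValueError("VSA too short to hold a Vendor-Id")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    body = attr[6:]
    if vendor_length_size == 0:
        subs = [(body[0], body[1:])] if body else []
        return vendor_id, subs
    subs, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated sub-attribute header")
        sub_type, sub_len = body[pos], body[pos + 1]
        if sub_len < 2 or pos + sub_len > len(body):
            raise ValueError("bad vendor-length %d at offset %d" % (sub_len, pos))
        subs.append((sub_type, body[pos + 2:pos + sub_len]))
        pos += sub_len
    return vendor_id, subs


def decode_3gpp(attr, vendor_length_size=1):
    """Return {sub_type: value} for a 3GPP VSA, or {} when the vendor differs."""
    vendor_id, subs = parse_vsa(attr, vendor_length_size)
    if vendor_id != VENDOR_3GPP:
        return {}
    return dict(subs)


# Constructed sample: one 3GPP VSA carrying an IMSI and a Charging-ID.
SAMPLE_VSA = build_vsa(VENDOR_3GPP, [
    (SUB_3GPP_IMSI, b"262011234567890"),
    (SUB_3GPP_CHARGING_ID, struct.pack("!I", 42)),
])

if __name__ == "__main__":
    print(decode_3gpp(SAMPLE_VSA, 1))   # both sub-attributes, cleanly separated
    print(decode_3gpp(SAMPLE_VSA, 0))   # one sub-attribute swallowing the rest
```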

  • ACS 5.1 RADIUS Proxy - Adding RADIUS attributes

    Is there anyway under ACS 5.1 to add RADIUS attributes to outgoing RADIUS proxy auth requests or failing this to RADIUS proxy accounting updates?
    As soon as I configure a RADIUS proxy services, there is little config I can do other than to say whether or not the prefix and suffix is to be stripped.
    I can add these attributes if using an external RADIUS box as an identity store, but I cannot do this for this particular service and instead I need to use RADIUS proxying.
    Thanks
    Paul

  • Machine certificate RADIUS wireless login

    Hi all,
    I have a customer who wants to have computer authentication against RADIUS (allow only school devices to connect through the SSID). As I am a network engineer I am struggling with NPS settings and machine certificates.
    I have lab settings in our office where I am using Windows Server 2012 and configured domain certificates using the links below
    https://4sysops.com/archives/how-to-deploy-certificates-with-group-policy-part-2-configuration/#creating-the-certificates
    http://www.petenetlive.com/KB/Article/0000919.htm
    Under NPS I have two policies, one for domain devices and one for non-domain devices
    Domain_devices policy:
    Conditions - NAS Port Type - Wireless-Other OR Wireless - IEEE 802.11
                 Machine groups - domain\Domain devices - PC added to that group
    Constraints - Auth. method - Microsoft Smart Card or other certificate
    Domain_devices policy:
    Conditions - NAS Port Type - Wireless-Other OR Wireless - IEEE 802.11
    Constraints - Auth. method - Microsoft Protected EAP (PEAP)
    When tested with an iPad this was able to connect fine, but when testing with a domain laptop NPS is returning Event ID 6273 Reason code 16:
    Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
    The password is correct as I am using the same one for the iPad as well as computer login.
    Anybody with an idea why it's not working?
    Thanks

    Under NPS I have two policies, one for domain devices and one for non-domain devices
    Domain_devices policy:
    Conditions - NAS Port Type - Wireless-Other OR Wireless - IEEE 802.11
                 Machine groups - domain\Domain devices - PC added to that group
    Constraints - Auth. method - Microsoft Smart Card or other certificate
    Domain_devices policy:
    Conditions - NAS Port Type - Wireless-Other OR Wireless - IEEE 802.11
    Constraints - Auth. method - Microsoft Protected EAP (PEAP)
    When tested with an iPad this was able to connect fine, but when testing with a domain laptop NPS is returning Event ID 6273 Reason code 16
    Hi Lukas,
    Based on your description, the first policy is for domain devices, the second policy is for non-domain devices, the iPad is a non-domain device and the laptop is a domain device, is that right?
    Since the certificate was deployed via GPO, have you checked if the user or computer certificate was installed successfully on the laptops?
    To verify if the user certificate was installed on the laptop, please follow the steps below:
     1. Click Start, click Run, enter MMC to open a Console.
     2. Click File, click Add/Remove Snap-in.
     3. In Add or Remove Snap-ins, click Certificates, click Add, check My user account, click Finish, click OK.
     4. Expand Console Root\Certificates - Current User\Personal; if there are not any certificates in this container, it shows that the user certificate was not installed successfully.
    To verify if the computer certificate was installed on the laptop, please follow the steps below:
     1. Click Start, click Run, enter MMC to open a Console.
     2. Click File, click Add/Remove Snap-in.
     3. In Add or Remove Snap-ins, click Certificates, click Add, check Computer account, click Finish, click OK.
     4. Expand Console Root\Certificates (Local Computer)\Personal; if there are not any certificates in this container, it shows that the computer certificate was not installed successfully.
    Also, the NPS server and laptops all need to trust the CA, so please check if there is a CA certificate in the Trusted Root Certification Authorities\Certificates container.
    Best Regards,
    Tina

  • ACS 5.5 RADIUS OUTBOUND Attributes Injection feature

    Hello
    I'm having a look at the RADIUS OUTBOUND Attributes Injection feature for the External Proxy service in ACS version 5.5.0.46.
    The use case is:
    ACS uses the External Proxy service to authenticate wireless users with certain domain suffixes
    Sometimes the username Access-Accept comes back with the domain suffix stripped.
    The result of this is:
    ACS logs a successful authentication with the sent username (with suffix)
    ACS sends the Access-Accept to the WLC and the user is listed on the WLC (without suffix)
    Subsequent accounting packets for the user appear in ACS (without suffix)
    In the past I've used a freeradius proxy server between ACS and the external proxy to 'rewrite' the username in the Access-Accept so that it matches the username originally sent in the Access-Request. The code for this looked something like the following.
    post-proxy {
        update outer.reply {
            User-Name := "%{request:User-Name}"
        }
    }
    I'm looking to do the above solely with ACS but I can't see the Radius-ietf username attribute listed under the RADIUS OUTBOUND Attributes Injection feature. Is it possible to rewrite the username attribute in ACS 5.5?
    Thanks
    Andy

    Don't think this can be done in ACS 5.5 when using an External Proxy Service Type.
    Interestingly, it appears to be possible with a Network Access Service Type. Under Allowed Protocols there is a tick box for Send as User-Name in RADIUS Access-Accept - one of the options is RADIUS Access-Request User-Name. Hopefully this will be implemented in a future release for External Proxy.
    Cheers
    Andy

  • Wireless certificate prompt - WLC 5508

    When users connect to my company's wireless, which authenticates using a Windows 2008 RADIUS server, they're prompted to accept a server certificate. I'd like to install a trusted SSL cert and prevent users from having to accept a cert every time they connect. This primarily happens on iPad/iPhone devices.
    How do I go about doing this? Do this on the controller? Or on the Radius server?
    Wireless Controller: 5508
    Thank you

    Here is the solution:
    If you have iOS devices (iPhones, iPads, or iPod Touches) or Mac OS Lion machines on the network, you may want to use the iPhone Configuration Utility (iPCU) to help distribute the wireless settings to them. Apple offers the utility for both Windows and Mac OS X.
    You can use the iPCU to create, encrypt, maintain, and install XML-based configuration profiles. In addition to Wi-Fi settings, these profiles can contain device security policies, VPN configuration, MS Exchange and email settings, and digital certificates. You can create profiles for specific users, groups, or a profile for all. You can either install the profiles directly from the computer running the iPCU or distribute the .mobileconfig file via other means.
    Note: This is a one-time process; after distribution the profiles will be saved to the devices.
    Mark it as correct if this resolves your issue.

  • ACS 5.3 Radius authentication with ASA and DACL

    Hi,
    I am trying to do RADIUS authentication on ACS 5.3 for VPN access (Cisco client) using a downloadable ACL with AD identity.
    Clients are connecting to an ASA 5510 with image asa843-K8.bin.
    I followed the configuration example on the Cisco site, but I am having some problems.
    First: AD identity is not triggered. I put a profile:
    Status  Name         Conditions                                           Results                 Hit Count
                         NDG:Location   Time And Date   AD1:memberOf            Authorization Profiles
    1       TestVPNDACL  -ANY-          -ANY-           equals Network Admin    TEST DACL               0
    But I am getting no hits on it, so Default Access is being used (Permit Access).
    So I tried putting the DACL in the default profile, but when connecting I am immediately disconnected.
    I can see the DACL/ASA being authenticated in the ACS log but no success.
    I am using my user, which is a member of the Network Admin group.
    Am I missing something?
    Any help greatly appreciated!
    Wim

    Hello Stephen,
    As per the IP Pools feature, ACS 5.x does not include such functionality. It is not on the ACS 5.x roadmap either, as the recommended scenario would be to use a dedicated DHCP server.
    ACS 4.x included that functionality; however, it was not the best solution as the ACS returned the IP address value as a RADIUS attribute instead of acting as a real DHCP server.
    As per the IMEI and MISDN, I am assuming you are referring to International Mobile Equipment Identity and Mobile Subscriber ISDN. Correct me if I am wrong.
    In that case it seems that ACS 5.x should be able to allow or deny access based on RADIUS attribute 30 (Called-Station-Id) and 31 (Calling-Station-Id).
    In that case you might want to use the End-Station Filters feature and use it as the condition for the rule. The End-Station Filter feature uses CLI/DNIS where CLI is RADIUS attribute 31 and DNIS is attribute 30.
    I am assuming a Generic Username will be embedded on the devices request. In that case you will define which end-user devices will be granted access based on the above attributes.
    Here is a snapshot of the section:

  • ACS 5.3 / Self Signed / Certificate base auth

    Hello,
    Our ACS (5.3) has a self-signed certificate; we have exported it and declared it in Certificate Authorities.
    We have exported it to have a Trusted Certificate for the client machine.
    This certificate has been installed on a laptop.
    The WLC is successfully set up for EAP (PEAP & EAP-FAST have been tested > OK).
    I have this error in the log:
    12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in  the client certificates chain
    I think the Access Policies (identity & authorization) are misconfigured:
    > I allowed Host Lookup, PAP/ASCII, MSCHAPV2, EAP-MD5, EAP-TLS, PEAP, EAP-FAST
    > Identity: System:EAPauthentication match EAP-TLS
    id Source: AD in which AD, Internal Users, Password based, certificate based CN Username are enabled
    > authorization: System:WasMachineAuthenticated=True
    Thanks for your help,
    regards,

    Hello,
    I found the answer here:
    https://supportforums.cisco.com/message/1298039#1298039
    ACS self-signed certificate is not compatible with EAP-TLS
    Thanks,

  • Password aging with ACS + UCP in a wireless network.

    Hello
    We want to use ACS in our wireless network, but we would like to allow users to change their own passwords, so we want to use UCP.
    Additionally, we want to force them to change their passwords after a period of time or number of logins.
    Is it possible to use password aging based on time or number of connections when users connect through UCP web interface?
    Also, does using UCP require some kind of additional license/payment?
    Thanks.

    Julio,
    No, the UCP sample scripts have to run on a separate ACS server and you have to enable the UCP interfaces through the CLI to accept the UCP requests from the other server.
    Here is a link that will help you.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/admin_config.html#wp1105672
    Tarik Admani
    *Please rate helpful posts*

  • 802.1x with ACS 4.2 (RADIUS) problem

    Hi all!
    I am trying to configure AAA authentication and authorization with a Cisco 3725 (IOS 12.4(17)) for 802.1x and ACS 4.2 with VLAN assignment to my Windows XP client (trying to assign VLAN 100 in my scenario).
    When the user connects to the Router, it passes the authentication process (EAP-MD5). In my debug I see that the Router receives the RADIUS attributes BUT does not apply anything!
    My running config:
    Building configuration...
    Current configuration : 1736 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname R4
    boot-start-marker
    boot-end-marker
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa session-id common
    memory-size iomem 5
    ip cef
    no ip domain lookup
    ip domain name lab.local
    ip device tracking
    dot1x system-auth-control
    interface FastEthernet0/0
    ip address 10.10.0.253 255.255.255.0
    duplex auto
    speed auto
    interface FastEthernet0/1
    no ip address
    shutdown
    duplex auto
    speed auto
    interface FastEthernet1/0
    dot1x port-control auto
    interface FastEthernet1/1
    interface FastEthernet1/2
    interface FastEthernet1/3
    interface FastEthernet1/4
    interface FastEthernet1/5
    interface Vlan1
    ip address 192.168.1.1 255.255.255.0
    interface Vlan100
    ip address 192.168.100.1 255.255.255.0
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    mac-address-table static 0800.27b1.b332 interface FastEthernet1/0 vlan 1
    radius-server host 10.10.0.2 auth-port 1645 acct-port 1646 key cisco
    radius-server vsa send accounting
    radius-server vsa send authentication
    My Radius debug information:
    *Mar  1 00:21:31.487: RADIUS: Pick NAS IP for u=0x65BAF324 tableid=0 cfg_addr=0.0.0.0
    *Mar  1 00:21:31.491: RADIUS: ustruct sharecount=2
    *Mar  1 00:21:31.491: Radius: radius_port_info() success=1 radius_nas_port=1
    *Mar  1 00:21:31.491: RADIUS: added cisco VSA 2 len 15 "FastEthernet1/0"
    *Mar  1 00:21:31.491: RADIUS: Request contains 9 byte EAP-message
    *Mar  1 00:21:31.491: RADIUS: Added 9 bytes of EAP data to request
    *Mar  1 00:21:31.495: RADIUS/ENCODE: Best Local IP-Address 10.10.0.253 for Radius-Server 10.10.0.2
    *Mar  1 00:21:31.507: RADIUS(00000000): Send Access-Request to 10.10.0.2:1645 id 1645/3, len 127
    *Mar  1 00:21:31.511: RADIUS:  authenticator 36 68 24 30 F0 CC E8 3C - 69 48 61 E3 DA 28 52 AC
    *Mar  1 00:21:31.511: RADIUS:  NAS-IP-Address      [4]   6   10.10.0.253
    *Mar  1 00:21:31.511: RADIUS:  NAS-Port            [5]   6   0
    *Mar  1 00:21:31.511: RADIUS:  Vendor, Cisco       [26]  23
    *Mar  1 00:21:31.515: RADIUS:   cisco-nas-port     [2]   17  "FastEthernet1/0"
    *Mar  1 00:21:31.515: RADIUS:  NAS-Port-Type       [61]  6   X75                       [9]
    *Mar  1 00:21:31.515: RADIUS:  User-Name           [1]   6   "user"
    *Mar  1 00:21:31.515: RADIUS:  Calling-Station-Id  [31]  19  "08-00-27-B1-B3-32"
    *Mar  1 00:21:31.515: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    *Mar  1 00:21:31.515: RADIUS:  Framed-MTU          [12]  6   1500
    *Mar  1 00:21:31.515: RADIUS:  EAP-Message         [79]  11
    *Mar  1 00:21:31.515: RADIUS:   02 1D 00 09 01 75 73 65 72                       [?????user]
    *Mar  1 00:21:31.515: RADIUS:  Message-Authenticato[80]  18
    *Mar  1 00:21:31.515: RADIUS:   B1 8B 8F 4C F1 6D C9 A6 4E 96 B8 3D 53 E9 41 12  [???L?m??N??=S?A?]
    *Mar  1 00:21:31.555: RADIUS: Received from id 1645/3 10.10.0.2:1645, Access-Challenge, len 93
    *Mar  1 00:21:31.555: RADIUS:  authenticator DF 38 A1 1B ED 3C 1E B2 - 1A 92 6A D5 58 CE B8 4A
    *Mar  1 00:21:31.555: RADIUS:  EAP-Message         [79]  28
    *Mar  1 00:21:31.555: RADIUS:   01 1E 00 1A 04 10 BE BA B4 B0 26 9D 52 0E 43 BC  [??????????&?R?C?]
    *Mar  1 00:21:31.555: RADIUS:   33 46 8E A8 C6 45 47 4E 53 33                    [3F???EGNS3]
    *Mar  1 00:21:31.555: RADIUS:  State               [24]  27
    *Mar  1 00:21:31.555: RADIUS:   45 41 50 3D 30 2E 31 66 66 2E 39 38 36 2E 31 3B  [EAP=0.1ff.986.1;]
    *Mar  1 00:21:31.559: RADIUS:   53 56 43 3D 30 2E 31 35 3B                       [SVC=0.15;]
    *Mar  1 00:21:31.559: RADIUS:  Message-Authenticato[80]  18
    *Mar  1 00:21:31.559: RADIUS:   22 C8 D5 BB 44 FC FC 14 D3 2C C9 42 A3 9B A4 9E  ["???D????,?B????]
    *Mar  1 00:21:31.563: RADIUS: Found 26 bytes of EAP data in reply (ofs 0)
    *Mar  1 00:21:31.563: RADIUS: Received 26 byte EAP Message in reply
    *Mar  1 00:21:31.587: RADIUS: Pick NAS IP for u=0x65BAF324 tableid=0 cfg_addr=0.0.0.0
    *Mar  1 00:21:31.587: RADIUS: ustruct sharecount=1
    *Mar  1 00:21:31.587: Radius: radius_port_info() success=1 radius_nas_port=1
    *Mar  1 00:21:31.587: RADIUS: added cisco VSA 2 len 15 "FastEthernet1/0"
    *Mar  1 00:21:31.591: RADIUS: Request contains 26 byte EAP-message
    *Mar  1 00:21:31.591: RADIUS: Added 26 bytes of EAP data to request
    *Mar  1 00:21:31.591: RADIUS/ENCODE: Best Local IP-Address 10.10.0.253 for Radius-Server 10.10.0.2
    *Mar  1 00:21:31.591: RADIUS(00000000): Send Access-Request to 10.10.0.2:1645 id 1645/4, len 171
    *Mar  1 00:21:31.591: RADIUS:  authenticator 0A A2 1F 7C 12 A8 AB F7 - 9F 87 C6 51 A4 0D EA A2
    *Mar  1 00:21:31.595: RADIUS:  NAS-IP-Address      [4]   6   10.10.0.253
    *Mar  1 00:21:31.595: RADIUS:  NAS-Port            [5]   6   0
    *Mar  1 00:21:31.595: RADIUS:  Vendor, Cisco       [26]  23
    *Mar  1 00:21:31.595: RADIUS:   cisco-nas-port     [2]   17  "FastEthernet1/0"
    *Mar  1 00:21:31.595: RADIUS:  NAS-Port-Type       [61]  6   X75                       [9]
    *Mar  1 00:21:31.595: RADIUS:  User-Name           [1]   6   "user"
    *Mar  1 00:21:31.595: RADIUS:  Calling-Station-Id  [31]  19  "08-00-27-B1-B3-32"
    *Mar  1 00:21:31.595: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    *Mar  1 00:21:31.595: RADIUS:  Framed-MTU          [12]  6   1500
    *Mar  1 00:21:31.595: RADIUS:  State               [24]  27
    *Mar  1 00:21:31.595: RADIUS:   45 41 50 3D 30 2E 31 66 66 2E 39 38 36 2E 31 3B  [EAP=0.1ff.986.1;]
    *Mar  1 00:21:31.595: RADIUS:   53 56 43 3D 30 2E 31 35 3B                       [SVC=0.15;]
    *Mar  1 00:21:31.595: RADIUS:  EAP-Message         [79]  28
    *Mar  1 00:21:31.595: RADIUS:   02 1E 00 1A 04 10 AA 09 8E 39 DE 29 E4 CC C6 BC  [?????????9?)????]
    *Mar  1 00:21:31.595: RADIUS:   7F 01 C8 47 EC 74 75 73 65 72                    [???G?tuser]
    *Mar  1 00:21:31.595: RADIUS:  Message-Authenticato[80]  18
    *Mar  1 00:21:31.595: RADIUS:   33 57 82 E2 5C 24 A2 8C 67 CC 0D 8C 25 12 74 13  [3W??\$??g?????t?]
    *Mar  1 00:21:31.731: RADIUS: Received from id 1645/4 10.10.0.2:1645, Access-Accept, len 90
    *Mar  1 00:21:31.731: RADIUS:  authenticator A0 0E DF D7 87 FD 9E B6 - BB 64 04 4F 56 2A 03 89
    *Mar  1 00:21:31.735: RADIUS:  Framed-IP-Address   [8]   6   255.255.255.255
    *Mar  1 00:21:31.735: RADIUS:  EAP-Message         [79]  6
    *Mar  1 00:21:31.735: RADIUS:   03 1E 00 04                                      [????]
    *Mar  1 00:21:31.735: RADIUS:  Tunnel-Type         [64]  6   01:VLAN                   [13]
    *Mar  1 00:21:31.739: RADIUS:  Tunnel-Medium-Type  [65]  6   01:ALL_802                [6]
    *Mar  1 00:21:31.739: RADIUS:  Tunnel-Private-Group[81]  6   01:"100"
    *Mar  1 00:21:31.739: RADIUS:  Class               [25]  22
    *Mar  1 00:21:31.739: RADIUS:   43 41 43 53 3A 30 2F 35 62 31 2F 61 30 61 30 30  [CACS:0/5b1/a0a00]
    *Mar  1 00:21:31.739: RADIUS:   66 64 2F 30                                      [fd/0]
    *Mar  1 00:21:31.739: RADIUS:  Message-Authenticato[80]  18
    *Mar  1 00:21:31.739: RADIUS:   75 BC F2 E0 91 07 6C 12 4D 5C BB 50 A4 FD D3 26  [u?????l?M\?P???&]
    *Mar  1 00:21:31.739: RADIUS: Found 4 bytes of EAP data in reply (ofs 0)
    *Mar  1 00:21:31.739: RADIUS: Received 4 byte EAP Message in reply
    As a result the VLAN switch database does not change.
    Any help will be appreciated!
    Thanks a lot,
    Chelovekov Alexander

    I've tried multiple ways to cope with this problem but nothing was helpful...
    Tunnel-Medium-Type  [65]  6   01:ALL_802
    I use only ACS RADIUS attributes and chose only what ACS allows me to choose (Tunnel-Medium-Type: 802).
    Screenshot in attachment.
    The same situation occurs when I try to use some Vendor Specific Attributes (Cisco-AV-Pair) - downloadable ACEs to my user, and again, I see RADIUS attributes in my debug but nothing is applied to my L3 Switch.
    What am I missing?
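The Access-Accept in the debug above can be checked attribute by attribute. The decoder below is an added example (not code from the thread, from IOS or from ACS): it rebuilds that attribute list from the debug output, decodes the RFC 2868 tagged tunnel attributes, and reports the RFC 3580 VLAN assignment only when Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID agree on one tag, which is the case here (VLAN 100, so the attributes themselves are well-formed). The Message-Authenticator is omitted because it depends on the shared secret; the mismatched-tag variant is a constructed sample.

```python
from ipaddress import IPv4Address

# RADIUS attribute numbers used below (RFC 2865, RFC 2868, RFC 3580)
FRAMED_IP_ADDRESS = 8
CLASS = 25
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
EAP_MESSAGE = 79
TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13   # Tunnel-Type "VLAN" (RFC 3580)
TUNNEL_MEDIUM_802 = 6   # Tunnel-Medium-Type "IEEE-802" (RFC 2868)


def parse_attributes(data):
    """Split a RADIUS attribute list into (type, value) pairs, checking each length."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad length %d for attribute %d" % (alen, atype))
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def tagged_integer(value):
    """Tunnel-Type / Tunnel-Medium-Type: one tag octet, then a 3-octet integer."""
    if len(value) != 4:
        raise ValueError("tagged integer must be 4 octets, got %d" % len(value))
    return value[0], int.from_bytes(value[1:], "big")


def tagged_string(value):
    """Tunnel-Private-Group-ID: a leading octet <= 0x1F is a tag; a larger one is
    already the first byte of the string (RFC 2868 section 3.6)."""
    if not value:
        raise ValueError("empty Tunnel-Private-Group-ID")
    if value[0] <= 0x1F:
        return value[0], value[1:].decode("ascii")
    return 0, value.decode("ascii")


def vlan_assignment(data):
    """Return the VLAN id an Access-Accept assigns per RFC 3580, or None when the
    three tunnel attributes are missing, inconsistent, or do not share one tag."""
    by_tag = {}
    for atype, value in parse_attributes(data):
        if atype == TUNNEL_TYPE:
            tag, v = tagged_integer(value)
            by_tag.setdefault(tag, {})["type"] = v
        elif atype == TUNNEL_MEDIUM_TYPE:
            tag, v = tagged_integer(value)
            by_tag.setdefault(tag, {})["medium"] = v
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            tag, v = tagged_string(value)
            by_tag.setdefault(tag, {})["group"] = v
    for parts in by_tag.values():
        if (parts.get("type") == TUNNEL_TYPE_VLAN
                and parts.get("medium") == TUNNEL_MEDIUM_802
                and parts.get("group", "").isdigit()):
            vlan = int(parts["group"])
            if 1 <= vlan <= 4094:
                return vlan
    return None


def tagged_int_attr(atype, tag, number):
    """Encode a 6-octet tagged integer attribute (type, length, tag, 3-octet value)."""
    return bytes([atype, 6, tag]) + number.to_bytes(3, "big")


# Attribute list rebuilt from the Access-Accept in the debug above.
ACCEPT_ATTRS = (
    bytes([FRAMED_IP_ADDRESS, 6]) + IPv4Address("255.255.255.255").packed
    + bytes([EAP_MESSAGE, 6]) + bytes.fromhex("031e0004")           # EAP Success
    + tagged_int_attr(TUNNEL_TYPE, 0x01, TUNNEL_TYPE_VLAN)           # 01:VLAN
    + tagged_int_attr(TUNNEL_MEDIUM_TYPE, 0x01, TUNNEL_MEDIUM_802)   # 01:ALL_802
    + bytes([TUNNEL_PRIVATE_GROUP_ID, 6, 0x01]) + b"100"             # 01:"100"
    + bytes([CLASS, 22]) + b"CACS:0/5b1/a0a00fd/0"
)

# Constructed variant: the group id carries a different tag than the
# type/medium pair, so a strict decoder must not combine them.
MISMATCHED_TAG_ATTRS = (
    tagged_int_attr(TUNNEL_TYPE, 0x01, TUNNEL_TYPE_VLAN)
    + tagged_int_attr(TUNNEL_MEDIUM_TYPE, 0x01, TUNNEL_MEDIUM_802)
    + bytes([TUNNEL_PRIVATE_GROUP_ID, 6, 0x02]) + b"100"
)

if __name__ == "__main__":
    print(vlan_assignment(ACCEPT_ATTRS))          # 100
    print(vlan_assignment(MISMATCHED_TAG_ATTRS))  # None
```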

  • ACS 5.5 Radius Attribute not listed in Radius Directory

    Hello Community,
    I am on the evaluation of Cisco ACS 5.5, and I am trying some scenarios for my company.
    I have to authenticate an IP phone. Here I need one VLAN tagged and one VLAN untagged.
    In the authorization profile you can add the RADIUS attributes. We have HP switches and I need the attribute with ID 56, but this ID is not listed in the Authorization Profiles--> Radius Attributes-->select part.
    But it is listed under system-administration->Configuration-->dictionaries-->Protocols->Radius--> Radius IETF.
    Can somebody tell me how I can select this attribute under Authorization Profiles--> Radius Attributes-->select part?
    Thanks a lot
    regards

    Hi
    As you are using HP switches, certain advanced use cases, such as those that involve posture assessment, profiling, and web authentication, are not consistently available with non-Cisco devices or may provide limited functionality, and are therefore not supported with non-Cisco devices.
    For more information regarding Authorization profile configuration, please go through the following link:
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/user/guide/acsuserguide/pol_elem.html

  • Radius & wireless & IP address

    Hello, I'd like to use RADIUS to dynamically authenticate wireless users, but I'd like to know if it's possible to assign an address dynamically to the wireless port when accessing the RADIUS, or to validate it to prevent wireless clients from changing their IP address.
    Thanks

    Let me clarify more here. Cisco's Aironet wireless clients associated with Cisco's access points and authenticated via LEAP with a RADIUS server can't get an IP address allocated via the RADIUS server. There is no way in LEAP that you can do it. At least Cisco doesn't support it.
    Tejal

  • Printers supporting Radius wireless networks

    Do any printers exist that support RADIUS wireless networking and Mac OS X 10.8?

    Simply reconfigure your Airport Express to either use for airtunes only or to extend the range of the existing network. This effectively connects the Airport Express to your main wireless router as a basic access node rather than a separate router creating its own network.
    If you consult the User Guide that came with your Airport Express you'll find additional information on how to setup an Express to simply extend a local wireless network rather than function independently.

  • Microsoft 2008 NPS Radius + wireless controller.

    Hi,
    We have implemented a new Microsoft 2008 NPS RADIUS for authentication of the wireless controller.
    I am seeing "RADIUS server x.x.x.x:1812 failed to respond to request (ID 119) for client ............." in the controller. But there are no logs hitting the NPS server, either failed or success or other related.
    Layer 3 communication is fine between controller & server.
    As per the debug logs, the controller is forwarding the request to the NPS server: "Successful transmission of Authentication Packet to ......NPS proxy".
    But there is no further key exchange or successful authentication logs, any idea on this?
    Thanks
    Shrinivas.K

    Download NTRadPing and test to see if your RADIUS is working. You can put a sniffer on and see if you see packets coming out of the WLC and RADIUS. You can always remove the AAA from the WLC and add it back on, and also remove and add back the WLC as an AAA client on the RADIUS server.
    Thanks,
    Scott Fella
    Sent from my iPhone

  • ACS as proxy radius and class 25 attribute

    Hello !
    Could you please help ?
    We have a Cisco 3640 as NAS, CS ACS 2.6 as RADIUS server.
    Now we would need to
    forward the authentication request to another RADIUS server (username is unknown to the ACS).
    The username is provided with a certain prefix and according to that prefix, the request is forwarded to another RADIUS server.
    That other server should give back accept/deny and class attribute 25.
    Here comes the question:
    Can ACS 2.6 take the class attribute and use it as the username's group information?
    For example, class attribute 25 named test is forwarded to ACS and ACS has a group named test. According to group test ACS gives IP/DNS information back to the Cisco 3640 and RAS client.
    Or could you please tell me how we could forward username authentication and then bind a username that is not known to ACS to a certain ACS group?
    The IP/DNS information must be provided by ACS.
    Any help will be appreciated !
    TIA
    Best Regards,
    Susanna

    As far as I know, ACS 2.6 cannot take the class attribute and use it as username's group-information....
