ACS v4 & radius

A device wants to talk to the ACS server to get authentication services. It wants to use CHAP. Where is the CHAP option as applied to the RADIUS authentication function? How do you set up RADIUS in ACS to accept CHAP password authentication for RADIUS requests?
Specifically, QRadar wants to query Cisco ACS v4.2 to see if users logging into QRadar are authorized to do so. This fails because I can't find the place (if any) in ACS where CHAP can be used.

ACS can act as both a RADIUS and a TACACS server.
As for what kind of issues to expect: you need to check for open caveats in the release notes of ACS 4.1.
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/index.htm
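
As background to the CHAP question above, an added example (not part of the original thread, and not Cisco code) of how a RADIUS server checks a CHAP-Password attribute per RFC 2865, next to the PAP User-Password encoding. It shows that CHAP validation needs the cleartext password on the server side, while PAP hands the server the cleartext to test against any store. All function names and sample values are constructed.

```python
import hashlib
import hmac

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 / RFC 2865 5.3: MD5(CHAP ident || password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def chap_password_attr(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password attribute: type 3, length 19, ident octet + 16-octet response."""
    value = bytes([chap_id]) + chap_response(chap_id, password, challenge)
    return bytes([3, 2 + len(value)]) + value

def verify_chap(attr: bytes, challenge: bytes, cleartext: bytes) -> bool:
    """Server side: only possible when the cleartext password is available."""
    if len(attr) != 19 or attr[0] != 3 or attr[1] != 19:
        return False
    expected = chap_response(attr[2], cleartext, challenge)
    return hmac.compare_digest(expected, attr[3:])

def pap_hide(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding, chained over 16-octet blocks."""
    pad = -len(password) % 16
    padded = (password + b"\x00" * pad) or (b"\x00" * 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out

def pap_recover(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: undo the hiding and obtain the cleartext password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")

def hashed_store_check(stored_hash: bytes, salt: bytes, candidate: bytes) -> bool:
    """A backend that keeps only a one-way hash (hypothetical store)."""
    derived = hashlib.pbkdf2_hmac("sha256", candidate, salt, 50_000)
    return hmac.compare_digest(stored_hash, derived)

# Constructed sample values, not taken from the thread.
CHAP_ID = 7
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
REQUEST_AUTH = bytes(range(16, 32))
SHARED_SECRET = b"constructed-shared-secret"
PASSWORD = b"constructed-passw0rd"
SALT = b"constructed-salt"
STORED_HASH = hashlib.pbkdf2_hmac("sha256", PASSWORD, SALT, 50_000)

if __name__ == "__main__":
    attr = chap_password_attr(CHAP_ID, PASSWORD, CHALLENGE)
    print("CHAP with cleartext on server:", verify_chap(attr, CHALLENGE, PASSWORD))
    # With only a one-way hash on file the server cannot rebuild the MD5 input.
    print("CHAP with hash-only store:    ", verify_chap(attr, CHALLENGE, STORED_HASH))
    hidden = pap_hide(PASSWORD, SHARED_SECRET, REQUEST_AUTH)
    recovered = pap_recover(hidden, SHARED_SECRET, REQUEST_AUTH)
    print("PAP with hash-only store:     ", hashed_store_check(STORED_HASH, SALT, recovered))
```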

Similar Messages

  • ACS Express radius authentication AD authorization

    I work at a University and for some reason we have multiple systems for authentication and authorization. That being said I am trying to use RADIUS to do authentication and AD for authorization for VPNs. I have the RADIUS authentication working against our RADIUS server. I have my ACS Express set up to join the AD domain and everything looks good there. I set up the AD server as a RADIUS object in AAA server groups on my ASA. Then I add the server below in the servers in selected groups window. I put all the info in there and when I hit test I click authorization and put in the username that I know is in the domain group I have associated with this on the ACS. The test fails with authorization failed with invalid password. When I look at the logs on the ACS I see
    01/06/2011 20:14:26 acsxp/server Warning Server 0 AD Agent Plain Text Authentication Failed for user: username@domain
    01/06/2011 20:14:26 acsxp/server Warning Server 0 Authentication for user username failed for reason = 0
    01/06/2011 20:14:26 acsxp/server Error Protocol 0 Request from 172.20.5.2: User username rejected . by RemoteServer: AD (InvalidPassword). 
    Username and domain are correct, I just edited them for posting. It seems like it is trying to authenticate rather than authorize. All I want it to do is say yes the user is in this group or no the user is not in this group. You can't even fill in the password when testing authorization? Maybe I have something set up wrong on the ACS side but when I look at AD under users and identity stores, it says it is joined to the domain. When I do AD domain diagnostics under troubleshooting everything looks good. I have the ASA I am testing from defined as a device and in the ASA device group. Under access services in RADIUS access services I have one service that I set up that connects to the AD and it found the group so I know it is connecting. Any idea what I am doing wrong or where to look?
    Any help would be GREATLY appreciated!
    Thanks
    Joe

    Hi Joe,
    We could take a deeper look at what is happening through some logs and debugs:
    1. On ACS Express, under
    Reports & Troubleshooting > Troubleshooting > Server Logs
    please set the Express Server Trace Level to 5 and the Web Server Trace Level to 4.
    Also, for the Log Level under OS Logging, please set its value to "Debug".
    If previous old logs are not essential to you, you may also wanna delete all the log files first, so that we capture logs for the last day only.
    2. On the ASA, please enable the following debugs
    debug aaa authentication
    debug aaa authorization
    debug radius
    3. Then please first recreate a successful authentication attempt, and then recreate the authorization test issue with the same user account for which you tested the successful authentication.
    4. After the issue is recreated, please attach the debugs from the ASA and following files from the ACS Server Logs:
    acsxp_adagent.log
    acsxp_agent_server.log
    acsxp_mcd.log
    acsxp_server.log
    acsxp_server_trace.log
    Regards,
    Fede
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • Secure-ACS: Special RADIUS-Attributes for Enterasys E7

    Hi,
    we were running a pretty old version of the Cisco Secure ACS for AAA on our network devices.
    Unfortunately the server crashed and we had to install and set it up with a new server.
    Using TACACS+ for our Cisco devices works fine.
    We have a couple of switches made by a vendor called Nexans, which only support RADIUS - this works fine too.
    Furthermore we still have some Enterasys E7 and with those RADIUS doesn't work at all.
    Sniffing the packets, everything looks good.
    With the old server it worked well.
    Does anybody know if there are special configurations (e.g. attributes) when configuring an ACS for Enterasys RADIUS clients?
    Thanks,
    Rolf

    We have this configuration and it works fine with our network, and it also associates well with the policy which we have configured on Enterasys in this way:
    Filter-Id===>
    Enterasys:version=1:mgmt=su:policy=Administrator
    After we made the update to ACS 5, the "ASA" considers this filter-id an access-list, so it considers the field after the filter-id to be the name of the ACL, and disconnects the VPN connection.
    Could someone help me to resolve that?

  • Nortel switches authenticating to both ACS via RADIUS

    Dual ACS solution (4.2) with one ACS doing the authenticating, the other acting as a standby.
    Recently when accessing Nortel switches, they authenticate to both ACS, as some are going to ACS2 despite their primary RADIUS server being ACS1.
    The ACS solution has other network devices, using TACACS+ and they seem fine. DB replication is fine between the ACS and nothing I believe has changed in the configuration between the two.
    Any ideas? (all I can think is the response from ACS1 is exceeding the timeout and the switches then select ACS2, but there's no evidence to suggest a problem in network delay).

    I am unfamiliar with the Nortel switches. If a Cisco switch queries a AAA server and it fails to respond, it will mark it as dead and move to the next. When the AAA server is back online, the switch will not revert to the previous server. It will remain on the current AAA server until AAA is disabled or the current AAA server fails to respond.
    Network delay would cause this. Maybe the services were disabled or replication was occurring while the device was trying to authenticate.
    Thank You,
    Dan Laden

  • ACS 5 Radius IP Assignment

    We have number of GPRS terminals, they work in our private APN. Can we assign static or dynamic IPs to them?
    Terminals work with IP, not with PPP. We have direct connect with ISP via serial interface. ISP forwards all Radius traffic to our ACS appliance.

    You may assign a static ip address. You may try this:

  • Unsuccessful ACS to RADIUS token server exchange

    Hello team:
    We are having a hard time trying to make our ACS 4.2 talk to an external FreeRADIUS token server.
    When our ACS sends the Access-Request message, our FreeRADIUS token server answers with an Access-Accept message with zero attributes in the message. This answer, according to ACS documentation, should be perfectly accepted by ACS when it works as a RADIUS client. However, our ACS considers this answer an error and so the transaction fails.
    In order to compare with another platform working as our RADIUS server, we replaced our FreeRADIUS token server with another CS ACS. With this scenario, everything works! So we sniffed the ACS to ACS transaction and found that two RADIUS attributes are sent with the Access-Accept message:
    (1) Framed-IP = 255.255.255.255
    (2) Class = 0x434143533a302f356662622f37663030303030312f31383133
    We went back to our FreeRADIUS as the external RADIUS server of our ACS, and managed to make it generate and return exactly the previous kind of message to the ACS working as RADIUS client; however, when our ACS receives the RADIUS Access-Accept with these attributes, it still rejects the answer and fails.
    So we are missing something.
    Did anyone manage to make ACS query an external RADIUS server with success? We would appreciate any hints!!
    thank you very much in advance
    Rogelio Alvez
    Argentina

    Thanks for the interest Tarik!
    Here you have the debug from both sides ACS 4.2 and Freeradius in the same authentication event:
    ACS Debug from a terminal monitor
    2w1d: AAA/AUTHEN/CONT (4096347873): continue_login (user='(undef)')
    2w1d: AAA/AUTHEN (4096347873): status = GETUSER
    2w1d: AAA/AUTHEN (4096347873): Method=radius (radius)
    2w1d: AAA/AUTHEN (4096347873): status = GETPASS
    2w1d: AAA/AUTHEN/CONT (4096347873): continue_login (user='camara/829113')
    2w1d: AAA/AUTHEN (4096347873): status = GETPASS
    2w1d: AAA/AUTHEN (4096347873): Method=radius (radius)
    2w1d: RADIUS: ustruct sharecount=1
    2w1d: RADIUS: Initial Transmit tty7 id 175 192.168.0.3:1645, Access-Request, len 86
    2w1d:         Attribute 4 6 C0A800CB
    2w1d:         Attribute 5 6 00000007
    2w1d:         Attribute 61 6 00000005
    2w1d:         Attribute 1 15 63616D61
    2w1d:         Attribute 31 15 3139322E
    2w1d:         Attribute 2 18 893A4B64
    2w1d: RADIUS: Received from id 175 192.168.0.3:1645, Access-Reject, len 32
    2w1d:         Attribute 18 12 52656A65
    2w1d: RADIUS: saved authorization data for user 80E8A88C at 0
    2w1d: AAA/AUTHEN (4096347873): status = FAIL
    2w1d: AAA/AUTHEN/ABORT: (4096347873) because Invalid password.
    2w1d: AAA/MEMORY: free_user (0x80E8A88C) user='camara/829113' ruser='' port='tty7' rem_addr='192.168.0.202' authen_type=ASCII service=LOGIN priv=1
    2w1d: AAA: parse name=tty7 idb type=-1 tty=-1
    2w1d: AAA: name=tty7 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=7 channel=0
    2w1d: AAA/MEMORY: create_user (0x80E8B920) user='' ruser='' port='tty7' rem_addr='192.168.0.202' authen_type=ASCII service=LOGIN priv=1
    2w1d: AAA/AUTHEN/START (2072451976): port='tty7' list='pepe' action=LOGIN service=LOGIN
    2w1d: AAA/AUTHEN/START (2072451976): found list pepe
    2w1d: AAA/AUTHEN/START (2072451976): Method=radius (radius)
    2w1d: AAA/AUTHEN (2072451976): status = GETUSER
    Freeradius Debug
    rad_recv: Access-Request packet from host 192.168.0.3 port 3912, id=23, length=94
        User-Name = "camara/829113"
        NAS-IP-Address = 192.168.0.3
        NAS-Port = 6372
        NAS-Identifier = "CiscoSecure ACS v4.2(0.124)"
        User-Password = "\277\241\340t\312/\2303^;\216\233\3618\2179"
    # Executing section authorize from file /etc/freeradius/sites-enabled/vuserver
    +- entering group authorize {...}
    ++[preprocess] returns ok
    [auth_log]     expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.0.3/auth-detail-20120714
    [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.0.3/auth-detail-20120714
    [auth_log]     expand: %t -> Sat Jul 14 18:42:32 2012
    ++[auth_log] returns ok
    [IPASS] Looking up realm "camara" for User-Name = "camara/829113"
    [IPASS] Found realm "DEFAULT"
    [IPASS] Adding Stripped-User-Name = "829113"
    [IPASS] Adding Realm = "DEFAULT"
    [IPASS] Authentication realm is LOCAL.
    ++[IPASS] returns ok
    [suffix] Request already proxied.  Ignoring.
    ++[suffix] returns ok
    ++[files] returns noop
    ++[control] returns noop
    rlm_perl: Response: 201: Succeeded
    rlm_perl: Added pair User-Name = camara/829113
    rlm_perl: Added pair User-Password = \277\241\340t\312/\2303^;\216\233\3618\2179
    rlm_perl: Added pair NAS-Identifier = CiscoSecure ACS v4.2(0.124)
    rlm_perl: Added pair Realm = DEFAULT
    rlm_perl: Added pair Stripped-User-Name = 829113
    rlm_perl: Added pair NAS-Port = 6372
    rlm_perl: Added pair NAS-IP-Address = 192.168.0.3
    rlm_perl: Added pair Class = 0x434143533a302f3265662f37663030303030312f31383133
    rlm_perl: Added pair Framed-IP-Address = 255.255.255.255
    rlm_perl: Added pair Auth-Type = Perl
    ++[perl] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    Found Auth-Type = Perl
    # Executing group from file /etc/freeradius/sites-enabled/vuserver
    +- entering group Perl {...}
    rlm_perl: Added pair User-Name = camara/829113
    rlm_perl: Added pair NAS-Identifier = CiscoSecure ACS v4.2(0.124)
    rlm_perl: Added pair User-Password = \277\241\340t\312/\2303^;\216\233\3618\2179
    rlm_perl: Added pair Realm = DEFAULT
    rlm_perl: Added pair NAS-IP-Address = 192.168.0.3
    rlm_perl: Added pair NAS-Port = 6372
    rlm_perl: Added pair Stripped-User-Name = 829113
    rlm_perl: Added pair Framed-IP-Address = 255.255.255.255
    rlm_perl: Added pair Class = 0x434143533a302f3265662f37663030303030312f31383133
    rlm_perl: Added pair Auth-Type = Perl
    ++[perl] returns ok
      WARNING: Empty post-auth section.  Using default return values.
    # Executing section post-auth from file /etc/freeradius/sites-enabled/vuserver
    Sending Access-Accept of id 23 to 192.168.0.3 port 3912
        Framed-IP-Address = 255.255.255.255
        Class = 0x434143533a302f3265662f37663030303030312f31383133
    Finished request 3.
    Going to the next request
    Waking up in 4.9 seconds.
    Cleaning up request 3 ID 23 with timestamp +575
    Ready to process requests.
    Inside the file archive.zip you'll find
    cap_freeradius.cap (communication sniffed between the ACS and the FreeRADIUS)
    captura2acsOK.pcapng (communication sniffed between the ACS 1 and the ACS 2 where everything is OK)
    If you need more information or output please let me know.
    Rogelio
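
One check that can be run on captures like the two described above, as an added example that is not part of the original posts: a RADIUS client discards a reply whose Identifier or Response Authenticator does not match its request (RFC 2865), whatever attributes the reply carries. The reply below is rebuilt from the id, Framed-IP-Address and Class values in the FreeRADIUS debug; the shared secrets, the Request Authenticator and all function names are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct

def parse_attributes(data: bytes):
    """Split the attribute area into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        a_type, a_len = data[i], data[i + 1]
        if a_len < 2 or i + a_len > len(data):
            raise ValueError(f"attribute {a_type} has invalid length {a_len}")
        attrs.append((a_type, data[i + 2:i + a_len]))
        i += a_len
    return attrs

def response_authenticator(code, ident, length, request_auth, attr_bytes, secret):
    """RFC 2865 section 3: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + request_auth + attr_bytes + secret).digest()

def build_reply(code, ident, request_auth, attrs, secret):
    """Build a reply the way a server would (used here to make the sample)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    length = 20 + len(body)
    auth = response_authenticator(code, ident, length, request_auth, body, secret)
    return struct.pack("!BBH", code, ident, length) + auth + body

def check_reply(packet, request_id, request_auth, secret):
    """Return (problems, attributes) for a reply as a RADIUS client sees it."""
    if len(packet) < 20:
        return ["packet shorter than the 20-octet header"], []
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return [f"Length field {length} does not fit the datagram"], []
    packet = packet[:length]  # octets beyond Length are padding
    problems = []
    if ident != request_id:
        problems.append(f"Identifier {ident} does not match request {request_id}")
    expected = response_authenticator(code, ident, length, request_auth,
                                      packet[20:], secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        problems.append("Response Authenticator mismatch (secret or request differs)")
    try:
        attrs = parse_attributes(packet[20:])
    except ValueError as exc:
        return problems + [str(exc)], []
    return problems, attrs

def describe(attrs):
    """Render the two attribute types seen in the thread; others as hex."""
    out = []
    for a_type, value in attrs:
        if a_type == 8 and len(value) == 4:
            out.append(f"Framed-IP-Address = {ipaddress.IPv4Address(value)}")
        elif a_type == 25:
            out.append(f"Class = {value.decode('ascii', 'replace')}")
        else:
            out.append(f"Attribute {a_type} = 0x{value.hex()}")
    return out

# Constructed sample: id and attribute values from the debug, the rest made up.
REQUEST_ID = 23
REQUEST_AUTH = bytes(range(16))
SERVER_SECRET = b"constructed-secret"
SAMPLE_ATTRS = [
    (8, bytes([255, 255, 255, 255])),
    (25, bytes.fromhex("434143533a302f3265662f37663030303030312f31383133")),
]
SAMPLE_REPLY = build_reply(2, REQUEST_ID, REQUEST_AUTH, SAMPLE_ATTRS, SERVER_SECRET)

if __name__ == "__main__":
    for secret in (SERVER_SECRET, b"different-secret"):
        problems, attrs = check_reply(SAMPLE_REPLY, REQUEST_ID, REQUEST_AUTH, secret)
        print(secret, problems or "reply verifies", describe(attrs))
```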

  • ACS 5.1 - RADIUS Proxy Accounting Logs

    Recently I have been using ACS 5.1 to support external RADIUS servers, and read the manuals to proceed with the following workflow.
    Install Linux RADIUS Service (this part was tested)
    Install FreeRADIUS Service
    Add new linux user account
    Cisco ACS 5.1
    Add External RADIUS servers
    Network Resources -> External RADIUS Servers
    Add information.
    Add RADIUS Proxy Service
    Access Policies -> Access Services
    Create with User Selected Service Type , RADIUS Proxy
    Advanced Options -> Accounting
    Remote Accounting and Local Accounting enabled
    Access Policies -> Access Services -> Service Selection Rules
    Create #1 rule , Conditions : match Radius , Results : RADIUS Service
    Add Network Resources for accepting network
    Network Device Groups -> Network Devices and AAA Clients
    Enable RADIUS Debug Messages
    System Administration > Configuration > Log Configuration  > Logging Categories > Global > Edit: "RADIUS Diagnostics"
    Configure Log Category Log Severity : DEBUG
    Add 3GPP VSA
    Send out Radius Accounting Packet to ACS
    ACS got the Packet, but didn't redirect to External Radius Server
    I got this message from ACS 5.1
    Others is 'Failed to forward request to current remote RADIUS server; an invalid response was received.' in the iv.csv file.
    There are two problems.
    RADIUS Accounting Packets weren't redirected to the external server, but it works without proxy. (Auth is ok.)
    Other Attributes didn't collect all the information, even though debug is enabled.

    Hi Steve,
    The shared secret is 100% correct.
    Finally I found out that there may be some white lists for attributes.
    If I keep NAS-Identifier, it will work.
    But it can't pass all VSA (3GPP sub-attributes), it only shows one or three in BOTH ACS and RADIUS Server.
    The other is the RADIUS VSA User Define Options (which is in SA > C > D > P > RADIUS > RADIUS VSA > Edit).
    When 'Vendor Length Field Size' changes to 0, all sub-attributes pass through ACS.
    The RADIUS Server gets the message from NSA.
    Of course, there is the Proxy-State attribute.
    In this condition, the ACS has incorrect output in the sub-attribute.
    Now I will try 5.2 to see whether the problem exists or not.

  • ACS 5.1 RADIUS Proxy - Adding RADIUS attributes

    Is there any way under ACS 5.1 to add RADIUS attributes to outgoing RADIUS proxy auth requests or failing this to RADIUS proxy accounting updates?
    As soon as I configure a RADIUS proxy service, there is little config I can do other than to say whether or not the prefix and suffix is to be stripped.
    I can add these attributes if using an external RADIUS box as an identity store, but I cannot do this for this particular service and instead I need to use RADIUS proxying.
    Thanks
    Paul

  • Configuring AAA network client on ACS v5.1 using the same RADIUS attributes from ACS v3.3

    Hello,
    I was wondering if I should use the same RADIUS VSA attribute on ACS v5.1 to authenticate AAA clients as those I was using on my old ACS v3.3 server.
    Example: under ACS v3.3 I was using the RADIUS (Cisco Aironet) attribute to authenticate AP & WLC, should I do the same under ACS v5.1?
    Best regards.

    Hello,
    When defining AAA client on the new ACS 5.x server you just select TACACS+ or RADIUS. We no longer define the RADIUS "vendor"/"VSA" when creating the AAA Client entry. All AAA client would be defined as RADIUS or TACACS+ only.
    If you were using specific VSA Attributes then you need to send those attributes back configuring Authorization Profiles on the ACS 5.x. You will find the specific VSA attributes there. Refer to the following screenshots:
    And here are the available attributes for the ACS for RADIUS Aironet:

  • ACS Radius + Peap + MSChapV2

    I am using a wireless setup
    Aironet 1100, ACS 4.0, 3rd party Client adapter
    I am able to connect to my wireless network by keying in username&pass created on the ACS user setup. Also by using a self signed certificate from the ACS.
    Doubts: In ACS logs - Radius accounting is empty.
    Failed attempts.csv shows "Authen failed, EAP-TLS or PEAP authentication failed during SSL handshake"
    But I am able to authenticate my users successfully into the wireless network. What went wrong?

    Hi
    Try enabling the Passed Authentications report and see what's in there. It could be that the failure is perhaps purely transient and rectified by a subsequent attempt.
    For example a re-key authentication requires SSL state on the ACS, it could be that the supplicant and ACS have to revert to performing a full authentication.
    I'm guessing but it is entirely possible to have entries in the failed attempts and still get access.
    Darran

  • Question in ACS radius ports and how test connectivity between router

    hi all
    I'm asking here about the default ports used in Cisco ACS for the RADIUS protocol.
    Is it 1812 and 1813?
    Or are there other ports?
    Q2-
    How to test connectivity between the ACS "server aaa" and the router "client aaa"?
    Q3-
    Can anyone give me a simple config on the router to connect to ACS based on the RADIUS protocol?
    regards

    The default authentication port is 1812 and the default accounting port is 1813.
    Here's an example config-
    aaa new-model
    aaa group server radius ACME-RADIUS
     server-private 192.168.1.5 auth-port 1812 acct-port 1813 key SeCrEtPaSsWoRd
    aaa authentication login default local
    aaa authentication login ACME-AAA group ACME-RADIUS local
    aaa accounting send stop-record authentication failure
    aaa accounting exec default start-stop group ACME-RADIUS
    line vty 0 4
     login authentication ACME-AAA
    You can test with-
    test aaa group radius server 192.168.1.5 mmessier St@nleyCup
    where mmessier is your username and the password is St@nleyCup

  • User authentication in Cisco ACS by adding external RADIUS database

    Hi,
    I would like to configure the below setup:
    End user client (Cisco Any connect/VPN client) -> ASA 5500 (AAA client) -> ACS server -> External RADIUS database.
    Here the ACS server would send the authentication requests to the external RADIUS server. So, I have added the external user database (RADIUS token server) in
    ACS under External databases. I have added the AAA client in Network configuration (selected authenticate using RADIUS (VPN 3000/ASA/PIX 7.0) from the drop down).
    Here how do I make the ASA recognize that it has to send the request to the ACS server? Normally when you use ACS as RADIUS server you can add an AAA server in ASA and test it. But here we are using an external RADIUS server which has been configured in ACS, so how do I make the ASA send the requests to the ACS server?
    Any help on this would be really grateful to me.
    Thanks and Regards,
    Rahul.

    Thanks Ajay,
    As you said nothing needs to be done on the ASA side, if we are using an external user database for authentication.
    I'm a newbie to ACS and this is the first time I'm trying to perform a two factor authentication in Cisco ACS using an external user database.
    By two factor authentication I mean, username + password serves as first factor (validated by RADIUS server), username + security code (validated by RADIUS server) serves as second factor. So, during user authentication I enter only username in the username field and in the "password" field I enter both "password + security code". Our RADIUS server has already been configured with AD as user store, so we don't have to specify AD details in ACS. I have done the following in ACS to perform this two factor authentication.
    -> In external user databases, I have added an external RADIUS token server.
    -> In unknown user policy, I have added the external database that I configured in ACS into the selected databases list.
    -> Under network configuration, I have added the Cisco ASA as AAA client (authenticate using RADIUS (Cisco VPN 3000/ASA/PIX 7.x+)).
    Just to check whether user authentication is successful, I launched the ACS webVPN using https://IP:2002, it asked me to enter username and password. So, I entered username and in the password field I entered "password + security code". But, the page throws an error saying "login failed...Try again". I can't find any logs in the external RADIUS server.
    Here is what i found in "Failed attempts" logs under Reports and activities.
    Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,Network Access Profile Name,Authen-Failure-Code,Author-Failure-Code,Author-Data,NAS-Port,NAS-IP-Address,Filter Information,PEAP/EAP-FAST-Clear-Name,EAP Type,EAP Type Name,Reason,Access Device,Network Device Group
    02/28/2012,00:31:52,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,
    02/28/2012,00:41:33,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,
    02/28/2012,00:42:18,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,
    Am I missing anything in configuration side with respect to ACS?
    Thanks

  • ACS with Vasco

    Hi,
    I was wondering - is there any way when configuring ACS for Radius Proxy into Vasco that particular usernames in Vasco can be mapped to ones in ACS in order to apply attributes to only certain people?
    My understanding so far is that if ACS cannot find the username in its local database it will back it off into an external database if configured, such as Vasco. However I need different group policies applied to particular users by using attributes.
    Thanks in advance for your help!
    Andy

    Hi Andy,
    To enable per-user group mapping, configure the external user database to return authentication responses that contain the Cisco IOS/PIX RADIUS attribute 1, [009\001] cisco-av-pair with the following value:
    ACS:CiscoSecure-Group-Id = N
    where N is the CiscoSecure ACS group number (0 through 499) to which CiscoSecure ACS should assign the user. For example, if Radius Token Server authenticated a user and included the following value for the Cisco IOS/PIX RADIUS attribute 1, [009\001] cisco-av-pair: ACS:CiscoSecure-Group-Id = 37
    CiscoSecure ACS assigns the user to group 37 and applies authorization associated with group 37.
    Hope this helps,
    somishra
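
The attribute described in the reply above, shown on the wire as an added example that is not part of the original thread: a Vendor-Specific attribute (type 26) with vendor 9, sub-type 1, carrying the string `ACS:CiscoSecure-Group-Id = N`. The function names are hypothetical, and the tolerant whitespace matching in the decoder is an assumption of this sketch, not a statement of how ACS parses the value.

```python
import re
import struct

VENDOR_SPECIFIC = 26      # RADIUS attribute type
CISCO_VENDOR_ID = 9       # the "009" in [009\001]
CISCO_AVPAIR = 1          # the "001" in [009\001]
GROUP_RE = re.compile(r"^ACS:CiscoSecure-Group-Id\s*=\s*(\d+)$")

def encode_group_avpair(group: int) -> bytes:
    """Build the attribute an external RADIUS server would return."""
    if not 0 <= group <= 499:
        raise ValueError("ACS group number must be 0 through 499")
    text = f"ACS:CiscoSecure-Group-Id = {group}".encode("ascii")
    sub = bytes([CISCO_AVPAIR, 2 + len(text)]) + text
    value = struct.pack("!I", CISCO_VENDOR_ID) + sub
    if len(value) + 2 > 255:
        raise ValueError("attribute too long")
    return bytes([VENDOR_SPECIFIC, 2 + len(value)]) + value

def iter_vendor_subattrs(attr: bytes):
    """Yield (vendor_id, vendor_type, data) for one Vendor-Specific attribute."""
    if len(attr) < 8 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    body, i = attr[6:], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated sub-attribute header")
        v_type, v_len = body[i], body[i + 1]
        if v_len < 2 or i + v_len > len(body):
            raise ValueError("sub-attribute length does not fit")
        yield vendor_id, v_type, body[i + 2:i + v_len]
        i += v_len

def group_from_attr(attr: bytes):
    """Return the group number carried in the attribute, or None."""
    for vendor_id, v_type, data in iter_vendor_subattrs(attr):
        if vendor_id != CISCO_VENDOR_ID or v_type != CISCO_AVPAIR:
            continue
        match = GROUP_RE.match(data.decode("ascii", "replace").strip())
        if match and 0 <= int(match.group(1)) <= 499:
            return int(match.group(1))
    return None

if __name__ == "__main__":
    attr = encode_group_avpair(37)   # group 37 is the example used in the reply
    print(attr.hex())
    print(group_from_attr(attr))
```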

  • IP Pool with ACS 4.1

    Hello,
    Description:
    - I have an ACSv4.1
    - I have 2xNAS configured on ACS as RADIUS IETF
    - I have defined an IP Pool under System conf -> IP pool Server (start address & end address)
    - On the Group setup I defined IP-assignment -> Assigned from AAA Server pool -> MyPool1
    Problem:
    The client gets an IP address from the IP pool defined but doing ipconfig on the WINClient the subnet mask is randomly assigned (sometimes 255.255.255.240, sometimes 255.255.255.255.0)
    The client gets a DNS that is not specified in the IP Pool ! :-() ..
    Questions
    Since in the IP Pool only the start address and end address are defined (i.e. 10.47.110.32-10.47.110.40)
    Why does the client get a random subnet mask, it should be 255.255.255.255, shouldn't it?
    Why is there no definition for Gateway? Which value does it get?
    Clients also get DNS, where does this value come from?
    I would also like to have the possibility to assign IP from the IP pool based on the NAS that relays the AAA request, is that possible?

    You may try the bug ID CSCse33323

  • 802.1x port authentication and Windows Radius, possible?

    Hello,
    I'm just testing at the moment before implementing on our network, but has anyone implemented 802.1x port authentication on their Cisco switch and used a Windows IAS server? See, our users are all on a Windows domain and I want to authenticate using their Active Directory credentials. I think I am fine with the switch config, but it is the Windows IAS/RADIUS server. I have added the switch IPs and secret, but I need to create a policy to accept the domain users and need help.
    Thanks

    Andy:
    Yes of course you can use whatever radius server as a AAA server for 802.1x authentication on the switches. NPS, IAS, ACS, Open RADIUS ....etc.
    If you have a problem with configuring the IAS then I would suggest that you post your question in a Microsoft forum and not here. They would be able to better assist you with your issue. But you can still look somewhere in this forum or in Google to help yourself.
    See this link, it could be useful for you: https://supportforums.cisco.com/thread/2090403
    Regards,
    Amjad
    Rating useful replies is more useful than saying "Thank you"
