Authenticating Windows Servers to NMAS Radius Server

I am trying to figure out how to authenticate logins to a Windows Server (W2k & W2003) via NMAS Radius Server 3.8. Has anyone done this?
John

John,
It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.
Has your problem been resolved? If not, you might try one of the following options:
- Do a search of our knowledgebase at http://support.novell.com/search/kb_index.jsp
- Check all of the other support tools and options available at
http://support.novell.com.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://support.novell.com/forums)
Be sure to read the forum FAQ about what to expect in the way of responses:
http://support.novell.com/forums/faq_general.html
If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.
Good luck!
Your Novell Product Support Forums Team
http://support.novell.com/forums/

Similar Messages

  • Connecting Windows 7 to Apple Radius server

    Anyone know how to get a windows 7 machine to connect to an apple radius server? My macs work great and authenticate perfectly, but my windows boxes won't connect at all.

    Please check out the following Apple Support article for details on how to access a HDD attached to an AirPort Extreme Base Station (AEBS) from either a Mac or PC.

  • Multiple stand alone servers using one radius server?

    Hello, I have a question.
    I'm working for a company and our problem is we need a username and password for every server.
    We would like to set up a Radius server using an extension so it can use a SQL database for the users.
    Is it possible to put 1 username and 1 password for each user in this database so we don't need more than one for each server?
    Also can we set up policies for those users so they can't access every stand-alone server.
    Kind Regards,
    Michael

    Hi,
    Based on my research, when a RADIUS client (access server) sends connection requests and accounting messages to a RADIUS server, the RADIUS server sends back an Access-Accept message or an Access-Reject message to authenticate and authorize the connection requests based on a set of rules and the information in the user account database. The Access-Accept message can contain connection restrictions that are implemented by the access server for the duration of the connection.
    In addition, according to your description, it seems that you used the SQL database as the user account database. Did you use NPS as a RADIUS server? If yes, maybe you can configure a related network policy to restrict access. I would appreciate it if you can introduce more detailed information about your environment. The link below may be helpful:
    Configuring Microsoft NPS (Network Policy Server) / (Internet Authentication Service)IAS as Wireless LAN Controller (WLC) RADIUS Server
    Best regards,
    Susie

  • How to set two radius servers one is window NPS another is cisco radius server

    How do I set up two RADIUS servers, one Windows NPS and the other a Cisco RADIUS server?
    When I try the following commands with the Windows server first in priority and I type a Cisco RADIUS user name, authentication fails.
    I cannot use both at the same time.
    radius-server host 192.168.1.3 is the Windows NPS
    radius-server host 192.168.1.1 is the Cisco RADIUS server
    http://blog.skufel.net/2012/06/how-to-integrating-cisco-devices-access-with-microsoft-npsradius/
    conf t
    no aaa authentication login default line
    no aaa authentication login local group radius
    no aaa authorization exec default group radius if-authenticated
    no aaa authorization network default group radius
    no aaa accounting connection default start-stop group radius
    aaa new-model
    aaa group server radius IAS
     server 192.168.1.1 auth-port 1812 acct-port 1813
     server 192.168.1.3 auth-port 1812 acct-port 1813
    aaa authentication login userAuthentication local group IAS
    aaa authorization exec userAuthorization local group IAS if-authenticated
    aaa authorization network userAuthorization local group IAS
    aaa accounting exec default start-stop group IAS
    aaa accounting system default start-stop group IAS
    aaa session-id common
    radius-server host 192.168.1.1 auth-port 1812 acct-port 1813
    radius-server host 192.168.1.2 auth-port 1812 acct-port 1813
    radius-server host 192.168.1.3 auth-port 1645 acct-port 1646
    radius-server host 192.168.1.3 auth-port 1812 acct-port 1813
    privilege exec level 1 show config
    ip radius source-interface Gi0/1
    line vty 0 4
     authorization exec userAuthorization
     login authentication userAuthentication
     transport input telnet
    line vty 5 15
     authorization exec userAuthorization
     login authentication userAuthentication
     transport input telnet
    end
    conf t
    aaa group server radius IAS
     server 192.168.1.3 auth-port 1812 acct-port 1813
     server 192.168.1.1 auth-port 1812 acct-port 1813
    end

    The first AAA server listed in your config will always be used unless/until it becomes unavailable. At that point the NAD would move down to the next AAA server defined on the list and use that one until it becomes unavailable and then move to third one, and so on. 
    If you want to use two AAA servers at the same time then you will need to put a load balancer in front of them. Then the virtual IP (vip) will be listed in the NADs vs the individual AAA servers' IPs. 
    I hope this helps!
    Thank you for rating helpful posts!
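
The failover rule described in the answer above, as an added example (not from the original thread or from Cisco): a small Python model of a NAD walking an ordered RADIUS server group. The two server addresses are the ones in the question; the user names and passwords are constructed, and the model assumes that an Access-Reject is a final answer and only a server that does not respond moves the NAD to the next entry.

```python
"""Model of a NAD (RADIUS client) walking an ordered AAA server group.

Assumption of this added example: an Access-Reject is a final answer;
only a server that does not respond causes failover to the next one.
User names and passwords below are constructed sample data.
"""
from dataclasses import dataclass, field

ACCEPT, REJECT, TIMEOUT = "Access-Accept", "Access-Reject", "timeout"


@dataclass
class RadiusServer:
    ip: str
    users: dict                 # username -> password known to this server
    reachable: bool = True

    def answer(self, user, password):
        if not self.reachable:
            return TIMEOUT      # no reply at all
        return ACCEPT if self.users.get(user) == password else REJECT


@dataclass
class Nad:
    group: list                 # ordered like the "server ..." lines
    retries: int = 3
    dead: set = field(default_factory=set)

    def login(self, user, password):
        """Return (result, ip_that_answered, trail of what happened)."""
        trail = []
        for srv in self.group:
            if srv.ip in self.dead:
                trail.append((srv.ip, "skipped (dead)"))
                continue
            for _ in range(self.retries):
                reply = srv.answer(user, password)
                if reply != TIMEOUT:
                    # Any reply, accept or reject, ends the search.
                    trail.append((srv.ip, reply))
                    return reply, srv.ip, trail
            self.dead.add(srv.ip)
            trail.append((srv.ip, "marked dead"))
        return "ERROR", None, trail


def build(order):
    """Build the two-server lab from the question in the given order."""
    servers = {
        "nps": RadiusServer("192.168.1.3", {"winuser": "w-pass"}),
        "cisco": RadiusServer("192.168.1.1", {"ciscouser": "c-pass"}),
    }
    return Nad([servers[name] for name in order]), servers


if __name__ == "__main__":
    nad, servers = build(["nps", "cisco"])
    # NPS is first and does not know this user: it rejects, search stops.
    print(nad.login("ciscouser", "c-pass"))
    # Only when NPS stops answering does the second server get asked.
    servers["nps"].reachable = False
    print(nad.login("ciscouser", "c-pass"))
```

With the NPS server listed first, a user that exists only on the Cisco RADIUS server is rejected by NPS and the second server is never consulted, which matches the behaviour reported in the question.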

  • Windows 2k8 Radius Server with Cisco Wireless Controllers

    We currently are using a Cisco 4400 wireless controller with an older Cisco Secure ACS appliance that is going EOL. My hope was to just connect our 4400 Wireless Controller to a Windows Server 2008 Radius Server (Just using Microsoft's Network Policy Server) but have not had any luck in getting this to work. Does anyone have an easy to follow set of instructions on configuration of Microsoft Windows Server 2008 NPS for use with Cisco Wireless Controllers? Any advice would be greatly appreciated.
    Thank You,
    Jim

    Hi NPT,
    Here is the post which may help you!!
    https://supportforums.cisco.com/message/3073519
    Regards
    Surendra

  • Cisco aironet 2600 series AP configuration with windows 2008 R2 Radius server.

    I want to know the configuration of Cisco aironet 2600 series AP with windows 2008 R2 Radius server.  
    I have
    1. AD & DHCP Server
    2. Cisco Aironet 2600 Access Point.
    I want to connect wifi devices through this AP. Authentication should be through Radius server and AD.

    Hi , 
    Below link should support your requirement 
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/116584-configure-wirelesslan-00.html
    Minimal command : -
    AP(config)# aaa new-model
     AP(config)# radius-server host 172.20.0.1 auth-port 1645 acct-port 1645 key XXXXXX
     AP(config)# radius-server deadtime 10
    HTH
    Sandy

  • Connectivity Issue - Server Network - Windows Servers

    Hello
    I'm having connectivity issues, from my network, with the Servers Network that's located behind the Ace 4710... I'm monitoring the servers and i get Timeouts with a simple ICMP monitor... This problem is only with Windows Servers...
    I never have problems regarding the access to the Admin context, but in the context that i use to load balance the applications i have problems reaching directly the servers...
    For example... I have two servers and i lose connectivity with one of them for about 2-5 minutes and then i regain connectivity... If i undo the ft group and redo the ft group i regain instant access to the server... As i said this problems only appear with Windows Servers...
    Thanks in advance...

    Thanks for the reply Gilles...
    What do you mean with a show tech...
    I'm looking at your blog posts...To see if it helps...

  • WIndows Radius Server

    Hi,
    We are using windows 2000 IAS server radius server.
    We have Catalyst 4500 in our network.
    Requirement is to enable command level accounting using windows radius server (IAS).
    Pls suggest with sample config.
    Regards

    Hi,
    I believe command level accounting is supported in tacacs only however i am not sure about IAS server. you can check on this webpage
    Happy New Year To ALL

  • Ok, taking the leap. Tossing out all Windows servers and going with Lion Server only!

    Help! We are retiring our Windows 2000 server (finally) and going with Lion Server only. We are transitioning from Windows to Mac and have 30 PC's running XP and a few scattered Windows 7 PC's (Lab). We have teachers and staff using Mac computers. Can I authenticate my windows pc's to Lion server?

    1. We are running lion on the old Xserves because we had them. Thought they still would be good file servers. And we thought Lion would work on them but know that mountain lion will not
    2. We have looked up some errors and they have to do with spotlight not getting index finished with all the adobe files in folders, subfolders and subsubfolders. The vnode errors have something to do with lots of open files but we do not know why. Maybe all these many directories of files in deep hierarchy of adobe CS which the department does shared work directly on the server is issue. We have tried to get them to use as archive only but they do not have a clue how to do shared work on separate clients. This department is not very savvy in use but intense Adobe CS users and my concern is these old file servers cannot take this kind of use.?
    I posted the logs because i have no clue to why they keep filling up (the vnodes).

  • Cisco AAA authentication with windows radius server

    Cisco - Windows Radius problems
    I need to create a limited access group through radius that I can have new network analysts log into
    and not be able to commit changes or get into global config.
    Here are my current radius settings
    aaa new-model
    aaa group server radius IAS
     server name something.corp
    aaa authentication login USERS local group IAS
    aaa authorization exec USERS local group IAS
    radius server something.corp
     address ipv4 1.1.1.1 auth-port 1812 acct-port 1813
     key mypassword
    line vty 0 4
     access-class 1 in
     exec-timeout 0 0
     authorization exec USERS
     logging synchronous
     login authentication USERS
     transport input ssh
    When I log in to the switch, the radius server is passing the correct attribute
    ***Jan 21 13:59:51.897: RADIUS:   Cisco AVpair       [1]   18  "shell:priv-lvl=7"
    The switch is accepting it and putting you in the correct priv level.
    ***Radius-Test#sh priv
       Current privilege level is 7
    I am not sure why it logs you in with the prompt for privileged EXEC mode when
    you are in priv level 7. This shows that even though it looks like you're in priv exec
    mode, you are not.
    ***Radius-Test#sh run
                    ^
       % Invalid input detected at '^' marker.
       Radius-Test#
    Now this is where I am very lost.
    I am in priv level 7, but as soon as I use the enable command It moves me up to 15, and that gives me access to
    global config mode.
    ***Radius-Test#enable
       Radius-Test#
    Debug log -
    Jan 21 14:06:28.689: AAA/MEMORY: free_user (0x2B46E268) user='reynni10'
    ruser='NULL' port='tty390' rem_addr='10.100.158.83' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
    Now it doesn't matter that I was given priv level 7 by radius because 'enable' put me into priv 15
    ***Radius-Test#sh priv
       Current privilege level is 15
       Radius-Test#
    I have tried to set
    ***privilege exec level 15 enable
    It works and I am no longer able to use 'enable' when I am at priv level 7, but I also cannot get the commands they will need to work.
    Even if I try to do
    ***privilege exec level 7 show running-config (or other variations)
    It will allow you to type sh run without errors, but it doesn't actually run the command.
    What am I doing wrong?
    I also want to get PKI working with radius.

    I can run a test on my radius system, will report back accordingly, as it's a different server than where I am currently located.
    Troubleshooting, have you deleted the certificate/network profile on the devices and started from scratch?

  • What is available on new Windows servers that allow you to write scripts that can work directly with Windows, SQL Server, and Exchange Server?

    What is available on new Windows servers that allow you to write scripts that can work directly with Windows, SQL Server, and Exchange Server?
    a. PowerShell
    b. isql
    c. osql
    d. sqlcmd

    All questions seem to be from the interview or a test. I think I even took this test once, it's KForce test.
    For every expert, there is an equal and opposite expert. - Becker's Law
    My blog
    My TechNet articles

  • Access denied when ssh in window server 2008 after set it as radius server

    yesterday I succeeded in using aaa to log in and could see aaa in sh aaa session
    https://murison.wordpress.com/2010/11/11/cisco-radius-configuration-with-server-2008-r2/
    today I simulated it again and access is denied; I do not know what is wrong
    win 192.168.2.12 ---  switch 192.168.2.5 --- 192.168.2.1 R1
    R1
    conf t
    hostname router1
    int FastEthernet0/0
    ip address 192.168.2.1 255.255.255.0
    no shut
    end
    conf t
    ip route 192.168.2.0 255.255.255.0 192.168.2.5
    end
    enable
    configure terminal
    enable secret cisco
    end
    conf t
    aaa new-model
    username radiusclient privilege 15 password 0 cisco
    crypto key generate rsa
    ip ssh time-out 60
    ip ssh version 2
    line vty 0 4
    transport input ssh
    exit
    line vty 5 15
    transport input ssh
    exit
    ip domain-name radius1.local
    radius-server host 192.168.2.12
    radius-server key cisco
    aaa group server radius NPSSERVER
    server 192.168.2.12
    exit
    aaa authentication login default group NPSSERVER local
    aaa authorization exec default group NPSSERVER local
    exit
    R2
    conf t
    vlan 10
    int vlan 10
    ip address 192.168.2.5 255.255.255.0
    end
    conf t
    hostname router2
    int FastEthernet1/0
    switchport
    switchport access vlan 10
    switchport mode access
    shutdown
    no shut
    end
    conf t
    hostname router2
    int FastEthernet1/1
    switchport
    switchport access vlan 10
    switchport mode access
    shutdown
    no shut
    end
    conf t
    hostname router2
    int FastEthernet1/2
    switchport
    switchport access vlan 10
    switchport mode access
    shutdown
    no shut
    end
    R3
    conf t
    hostname router3
    int FastEthernet0/0
    ip address 192.168.2.7 255.255.255.0
    no shut
    end
    conf t
    ip route 192.168.2.0 255.255.255.0 192.168.2.5
    end

    Hi,
    The configuration looks fine. What do you see in radius server as the reason for authentication failure?
    Regards,
    Kanwal
    Note: Please mark answers if they are helpful.

  • Server 2008 R2 RADIUS Server with a Cisco Aironet 1040 Wireless AP

    I am trying to get Server 2008 R2 RADIUS Server to work with a Cisco Aironet 1040 Wireless AP. I have installed the RADIUS server by MS standards and performed some searches on Google to configure the Cisco Aironet. I see others using a Wireless LAN Controller, which I do not have. I found this post below:
    https://supportforums.cisco.com/discussion/11546056/wlc-2504-radius-2008-r2-server
    But I have yet to locate a good step by step document on how to set it up and I have found so many different ways that others have set it up, but none have yet to work. I am having authentication issues that I know of and I do not see any errors in the Windows Event Viewer and I do not know where the Access Point stores its logs for any sort of error. Keep in mind this is the first time I am doing this. I do not have a Wireless LAN Controller and all my network / domain services are on individually built servers and not on one single server as I have seen with most of the documentation they all say the same thing by putting the Certificate Services, Domain Services (AD / ADS, etc), and NPS. I do not want that configuration and my setup should not be any different, but something is not right. I know from reading that this is not rocket science, but from someone who has never done it before this is difficult as I keep reading on and so many people do it different ways including what I have been reading according to what Cisco says to configure in the environment. Does anyone know where I can find good step by step documentation along with where I can look for logs on either device? I find that all the documentation I see on Cisco's website and from searching that it is old and outdated and not been updated in a long time so it is hard to determine what works and what does not work. I am stumped here and have been doing this for several weeks now with no luck. Thank you in advance.

    I did configure the Server 2008 R2 RADIUS Server using this video below: 
    https://www.youtube.com/watch?v=g-0MM_tK-Tk
    I also referenced Technet to make sure it was configured correctly as well. I am still not sure if I am 100% setup correctly on the Windows Server side, but I for sure want to make sure I have the AP side setup correctly. Do you know of a better article for the Windows Server 2008 R2 setup? Does it matter that I do not have all the services installed on the same server? Instead I have them installed on multiple servers.
    I have image number c1140-k9w7-tar.124.25d.JA1 on the AP. The part that confused me in that article, which I have seen before was the part about "Setting up access point must be configured in the authentication server as an AAA client." What is the AAA Client? I also am not aware of having Cisco Secure ACS anywhere built into the AP as that part threw me off completely. Do I need to skip these steps? Thank you for help on this.

  • RADIUS Server is Unreachable

    Hi All
    i am using Cisco 3640 router.i have a problem with radius server.
    i did basic aaa configuration but i still have problem...the problem is
    01:30:39: RADIUS: Initial Transmit id 6 171.68.118.115:1645,
    Access-Request, Len 67
    01:30:39: Attribute 4 6 0A1F0196
    01:30:39: Attribute 61 6 00000000
    01:30:39: Attribute 1 11 70726F78
    01:30:39: Attribute 2 18 E552A3E5
    01:30:39: Attribute 6 6 00000005
    01:30:44: RADIUS: Retransmit id 6
    01:30:49: RADIUS: Retransmit id 6
    01:30:59: RADIUS: Marking server 171.68.118.115 dead
    01:30:59: RADIUS: Tried all servers.
    01:30:59: RADIUS: No valid server found. Trying any viable server
    01:30:59: RADIUS: Tried all servers.
    01:30:59: RADIUS: No response for id 6
    01:30:59: RADIUS: No response from server
    01:30:59: AAA/AUTHEN (1597176845): status = ERROR
    Can anyone help me....
    Thanks

    Dear Rick,
    thanks for your reply.
    We have checked all options you've mentioned one by one. All are ok.
    - We can ping - and get reply back
    - No firewalls - direct connection via ethernet
    We connected the same Radius server directly to a 4000 series Cisco Router and it worked fine.
    When we use the same commands and setup on the Cisco 3640 we get the above message.
    - Could it be the ethernet ports?
    - or maybe the IOS of the router?
    The IOS is: IOS (tm) 3600 Software (C3640-IK9S-M), Version 12.2(17a),
    Any help will be much appreciated,
    Kind Regards
    Shefik
    ==================
    sh version:
    Cisco Internetwork Operating System Software
    IOS (tm) 3600 Software (C3640-IK9S-M), Version 12.2(17a), RELEASE SOFTWARE (fc1)
    Copyright (c) 1986-2003 by cisco Systems, Inc.
    Compiled Thu 19-Jun-03 11:24 by pwade
    Image text-base: 0x60008930, data-base: 0x61296000
    ROM: System Bootstrap, Version 11.1(20)AA2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
    ISPACCESS uptime is 1 day, 2 hours, 24 minutes
    System returned to ROM by power-on
    System image file is "flash:c3640-ik9s-mz.122-17a.bin"
    cisco 3640 (R4700) processor (revision 0x00) with 125952K/5120K bytes of memory.
    Processor board ID 17632609
    R4700 CPU at 100Mhz, Implementation 33, Rev 1.0
    Bridging software.
    X.25 software, Version 3.0.0.
    SuperLAT software (copyright 1990 by Meridian Technology Corp).
    2 FastEthernet/IEEE 802.3 interface(s)
    DRAM configuration is 64 bits wide with parity disabled.
    125K bytes of non-volatile configuration memory.
    32768K bytes of processor board System flash (Read/Write)
    Configuration register is 0x2102
    Building configuration...
    Current configuration : 1136 bytes
    version 12.2
    service config
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    hostname ISPACCESS
    aaa new-model
    aaa group server radius test
    server 202.52.62.104 auth-port 1812 acct-port 1813
    aaa authentication login secure1 group test
    aaa authentication ppp default group radius
    aaa authorization network default group radius
    enable secret 5
    username xxxx password 7
    username xxxxx password 7
    ip subnet-zero
    call rsvp-sync
    interface FastEthernet0/0
    ip address 192.168.1.250 255.255.255.0
    duplex auto
    speed auto
    interface FastEthernet0/1
    ip address 220.245.140.46 255.255.255.248
    ip access-group 115 in
    duplex auto
    speed auto
    ip classless
    ip route 0.0.0.0 0.0.0.0 220.245.140.41
    ip http server
    access-list 115 permit tcp any any
    radius-server host 202.52.62.104 auth-port 1812 acct-port 1813
    radius-server key 7
    dial-peer cor custom
    privilege exec level 7 clear line
    line con 0
    password 7
    line aux 0
    line vty 0 3
    password 7
    line vty 4
    login authentication secure1
    end

  • Cisco 5508-WLC using MS NPS as RADIUS Server for EAP-TLS

    Has anyone experienced a problem getting a Cisco WLC to work with MS NPS server? We've done it before albeit with different code versions.
    I have a Cisco 5508 WLC running 7.0.116.0 code hosting a WLAN configured for WPA2 with 802.1x for authentication. I have two Windows NPS servers configured as the RADIUS servers for EAP-TLS authentication. Via debug info on the WLC I can see the 802.1x handshake take place with the wireless client and the WLC as well as a successful transmission of an Authentication Packet from the WLC to one of the RADIUS servers. However on the WLC I see repeated RADIUS server x.x.x.x:1812 deactivated in global list and on the NPS server I'm seeing event log errors indicating "The Network Policy Server discarded the request for a user" along with the pertinent auth request info that I would expect the NPS server to receive from the WLC.
    Based on the WLC debug info I'm never actually getting to the EAP-TLS certificate authentication part. It seems the NPS servers don't like the format of the initial RADIUS authentication request coming from the WLC and so don't respond which in turn causes the WLC to switch to the other NPS server which produces the same issue.
    Any ideas of what might be the issue or misconfiguration?

    Jim,
    I wanted to know if you can set up wireshark on both of the boxes and see if you are hitting the following bug:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCti91044
    It looks as if the WLC is retransmitting the client traffic from one radius session with primary over to the secondary in which the radius state attribute that was assigned from the primary server is probably hitting the secondary server. Therefore if the state attribute isn't assigned from the secondary server it will discard the packet.
    May need to open a TAC case to see if this issue is on the 550x controllers also.
    Thanks,
    Tarik
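
What to look for in the captures suggested above, as an added example (not from the original thread or from Cisco): a Python check that flags any Access-Request carrying a State attribute that was issued in an Access-Challenge by a different RADIUS server. The packet records, addresses and State values are constructed sample data; in practice they would be exported from the capture.

```python
"""Flag Access-Requests that carry a State attribute to the wrong server.

Added example; the trace below is constructed sample data, not a real
capture. Each record is one RADIUS packet as seen on the WLC side.
"""
from collections import namedtuple

Pkt = namedtuple("Pkt", "t src dst code ident state")

# Constructed addresses for the controller and the two NPS servers.
WLC, NPS1, NPS2 = "10.0.0.5", "10.0.0.11", "10.0.0.12"

TRACE = [
    Pkt(0.00, WLC, NPS1, "Access-Request", 10, None),
    Pkt(0.02, NPS1, WLC, "Access-Challenge", 10, "a1f3"),
    Pkt(0.05, WLC, NPS1, "Access-Request", 11, "a1f3"),
    # No reply from NPS1: the client retries, then fails over to NPS2
    # but keeps sending the State value it got from NPS1.
    Pkt(2.05, WLC, NPS1, "Access-Request", 11, "a1f3"),
    Pkt(4.05, WLC, NPS2, "Access-Request", 12, "a1f3"),
    Pkt(6.05, WLC, NPS2, "Access-Request", 12, "a1f3"),
]


def find_foreign_state(trace):
    """Return requests whose State was issued by another server.

    State is opaque to the client and only meaningful to the server
    that issued it, so such a request cannot be matched to a session.
    """
    issuer = {}      # state value -> server that sent it in a challenge
    findings = []
    for p in sorted(trace, key=lambda pkt: pkt.t):
        if p.code == "Access-Challenge" and p.state is not None:
            issuer[p.state] = p.src
        elif p.code == "Access-Request" and p.state is not None:
            origin = issuer.get(p.state)
            if origin is None:
                findings.append((p.t, p.dst, p.state, "unknown issuer"))
            elif origin != p.dst:
                findings.append((p.t, p.dst, p.state, f"issued by {origin}"))
    return findings


def unanswered(trace):
    """Return sorted (server, id) pairs for requests that got no reply."""
    asked, replied = set(), set()
    for p in trace:
        if p.code == "Access-Request":
            asked.add((p.dst, p.ident))
        else:
            replied.add((p.src, p.ident))
    return sorted(asked - replied)


if __name__ == "__main__":
    for finding in find_foreign_state(TRACE):
        print("foreign State:", finding)
    print("unanswered:", unanswered(TRACE))
```

Requests listed by both functions for the same server are the ones to compare against the "discarded the request" events on that NPS server.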
