Authenticate Users against external RADIUS-Server
Hi,
I have some users in the local LDAP database of a 10.5 Server.
Is there a way to store their passwords on an external RADIUS-Server?
Thank you very much,
macservo
CryptoCard does this.
We use it at one customer for L2TP VPN authentication.
This way the VPN user gets a yes or no to use the VPN server and then has to give his credentials: name and VPN shared secret or certificate (support for CryptoCard is in the OS X VPN client) to get on the network. The password is in 2 halves: one half is static and the rest is added to it from the token.
You then have to authenticate to any service you want to use (Kerberos?).
We only had to alter a PPP config file on the OS X server and add a small file to both server (and client) to make it contact their RADIUS server instead of it using Apple's regular internal VPN authentication (not the RADIUS one). And we had to add a shared secret corresponding to what was set up for the customer at CryptoCard (in the server only) for the OS X Server (RADIUS client) to CryptoCard server (RADIUS server) communication. You can't use Server Admin to alter VPN settings afterwards without messing up the PPP settings file.
Maybe it is possible to use it for Ethernet/Wireless 802.1X authentication too?
For just AFP server auth I don't know.
Similar Messages
-
When WLC authenticate users with secondary RADIUS server?
Hi Sir,
I'm configuring a WLC4404-100. One of the WLANs points to two RADIUS Servers for Authentication and Accounting (please see attached).
I'd like to know, under what circumstances will the WLC authenticate users against the secondary RADIUS Server (in my case, the ACS with IP address 10.200.67.84)?
Please advise.
Thank you.
B.Rgds,
Lim TS
Hi,
I navigated to the following on the WLC:
MANAGEMENT -> SNMP -> Trap Logs
I noticed the following SNMP trap:
Fri Dec 8 11:23:21 2006 No Radius Servers Are Responding
I checked the 2nd ACS server, and true, at around the same time 11:23, the 2nd ACS server was authenticating users.
I checked the 1st ACS server; at around the same time 11:23, there wasn't any service suspension or database replication going on. What's the cause of this WLC authenticating with the 2nd ACS server? The network is robust and I don't expect any latency issue. The two RADIUS servers are serving only wireless users, the number is about 120.
On the WLC, I used the default of 2 seconds Retransmit Timeout for both the RADIUS Authentication Servers. Should I fine-tune it to higher value?
Retransmit Timeout - Specify the time in seconds after which the RADIUS authentication request will timeout and a retransmission will be taken up by the controller. You can specify a value between 2 to 30 seconds.
There are Passed Authentications logged on the 1st ACS server during and after 11:23. So, I suspect the WLC is doing a kind of load-balancing across the two RADIUS servers.
Please advise.
Thank you.
B.Rgds,
Lim TS -
WLC Web-auth fail with external RADIUS server
I followed the link below step by step to configure web-auth with an external RADIUS server, but I receive an error in the console debug of the WLC: "Returning AAA Error No Server (-7) for mobile".
My Radius Server is fine, because I can authenticate on WLC Web page with RADIUS user.
WLC 4402 version 4.1.171.0
http://www.cisco.com/en/US/products/ps6366/prod_technical_reference09186a0080706f5f.html
Hi,
I am having some issues when I try to authenticate an AD account against a NAP Radius Server on Windows 2008.
In fact, I own a WLC 2106 and I configured it to authenticate users against a RADIUS server with Active Directory. I set the Web RADIUS Authentication to CHAP on the Controller tab of the WLC 2106 and I am getting the error below: Authentication failed for gcasanova. When I set the controller's Web RADIUS Authentication to PAP, everything works fine. I am able to connect through the controller using an AD account. But my purpose is not to use PAP, which is an insecure protocol since passwords are sent as plaintext on the network.
Can someone tell me what's wrong?
*radiusTransportThread: Oct 26 11:02:13.975: proxyState...................... .............00:24:D7:40:E5:00-00:00
*radiusTransportThread: Oct 26 11:02:13.975: Packet contains 0 AVPs:
*emWeb: Oct 26 11:02:13.977: Authentication failed for gcasanova
*aaaQueueReader: Oct 26 11:02:29.985: AuthenticationRequest: 0xb6564634
*aaaQueueReader: Oct 26 11:02:29.985: Callback.....................................0x8576720
*aaaQueueReader: Oct 26 11:02:29.985: protocolType.................................0x00000001
*aaaQueueReader: Oct 26 11:02:29.985: proxyState...................................00:24:D7:40:E5:00-00:00
*aaaQueueReader: Oct 26 11:02:29.986: Packet contains 11 AVPs (not shown)
*aaaQueueReader: Oct 26 11:02:29.986: apfVapRadiusInfoGet: WLAN(4) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
*aaaQueueReader: Oct 26 11:02:29.986: 00:24:d7:40:e5:00 Successful transmission of Authentication Packet (id 86) to 10.2.0.15:1812, proxy state 00:24:d7:40:e5:00-00:00
*aaaQueueReader: Oct 26 11:02:29.987: 00000000: 01 56 00 9a 8e 48 e7 20 1d ef be 29 e6 3a 61 6d .V...H.....).:am
*aaaQueueReader: Oct 26 11:02:29.987: 00000010: 2b de 07 24 01 0b 67 63 61 73 61 6e 6f 76 61 3c +..$..gcasanova<
*aaaQueueReader: Oct 26 11:02:29.987: 00000020: 12 3c ce a0 87 ac df 7a a5 35 af 7c ef 83 c7 58 .<.....z.5.|...X
*aaaQueueReader: Oct 26 11:02:29.987: 00000030: ed 03 13 28 a7 5a 0d 26 6d ab 49 ea da 7c 5a 8e ...(.Z.&m.I..|Z.
*aaaQueueReader: Oct 26 11:02:29.987: 00000040: 1d 94 70 69 06 06 00 00 00 01 04 06 0a 02 00 06 ..pi............
*aaaQueueReader: Oct 26 11:02:29.987: 00000050: 05 06 00 00 00 01 20 0a 50 41 52 2d 57 4c 43 31 ........PAR-WLC1
*aaaQueueReader: Oct 26 11:02:29.987: 00000060: 3d 06 00 00 00 13 1a 0c 00 00 37 63 01 06 00 00 =.........7c....
*aaaQueueReader: Oct 26 11:02:29.988: 00000070: 00 04 1f 0c 31 30 2e 32 2e 30 2e 31 35 36 1e 0a ....10.2.0.156..
*aaaQueueReader: Oct 26 11:02:29.988: 00000080: 31 30 2e 32 2e 30 2e 36 50 12 7f 86 5a c5 61 ad 10.2.0.6P...Z.a.
*aaaQueueReader: Oct 26 11:02:29.988: 00000090: af 54 fa fa 42 e7 f6 16 9e 10 .T..B.....
*radiusTransportThread: Oct 26 11:02:29.988: 00000000: 03 56 00 14 a9 10 07 84 83 00 87 83 b9 10 64 e1 .V............d.
*radiusTransportThread: Oct 26 11:02:29.988: 00000010: 66 b3 c5 5e f..^
*radiusTransportThread: Oct 26 11:02:29.988: ****Enter processIncomingMessages: response code=3
*radiusTransportThread: Oct 26 11:02:29.988: ****Enter processRadiusResponse: response code=3
*radiusTransportThread: Oct 26 11:02:29.988: 00:24:d7:40:e5:00 Access-Reject received from RADIUS server 10.2.0.15 for mobile 00:24:d7:40:e5:00 receiveId = 0
*radiusTransportThread: Oct 26 11:02:29.989: 00:24:d7:40:e5:00 Returning AAA Error 'Authentication Failed' (-4) for mobile 00:24:d7:40:e5:00
*radiusTransportThread: Oct 26 11:02:29.989: AuthorizationResponse: 0xb97fe774
*radiusTransportThread: Oct 26 11:02:29.989: structureSize................................32
*radiusTransportThread: Oct 26 11:02:29.989: resultCode...................................-4
*radiusTransportThread: Oct 26 11:02:29.989: protocolUsed.................................0xffffffff
*radiusTransportThread: Oct 26 11:02:29.989: proxyState...................................00:24:D7:40:E5:00-00:00
*radiusTransportThread: Oct 26 11:02:29.989: Packet contains 0 AVPs: -
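The debug above prints the Access-Request and the Access-Reject as raw hex, which is the most reliable place to confirm what the controller actually sent. The following is an added example, not code from the thread or from Cisco: a small RFC 2865 decoder that turns those two hex dumps back into a header plus a list of attributes, and tells PAP from CHAP by which password attribute is present (User-Password for PAP, CHAP-Password with CHAP-Challenge for CHAP). The two dump constants are the hex lines copied from the debug output above with the log prefixes removed; the attribute name table only covers the types that occur in them.

```python
# Added example, not code from the thread above: a minimal RFC 2865 decoder
# applied to the Access-Request / Access-Reject hex dumps the WLC printed.
import re
import struct
from dataclasses import dataclass
from typing import List

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 3: "CHAP-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 6: "Service-Type", 26: "Vendor-Specific", 30: "Called-Station-Id",
              31: "Calling-Station-Id", 32: "NAS-Identifier", 60: "CHAP-Challenge",
              61: "NAS-Port-Type", 80: "Message-Authenticator"}

# Hex lines copied from the WLC debug above (log prefixes removed).
ACCESS_REQUEST_DUMP = """
00000000: 01 56 00 9a 8e 48 e7 20 1d ef be 29 e6 3a 61 6d .V...H.....).:am
00000010: 2b de 07 24 01 0b 67 63 61 73 61 6e 6f 76 61 3c +..$..gcasanova<
00000020: 12 3c ce a0 87 ac df 7a a5 35 af 7c ef 83 c7 58 .<.....z.5.|...X
00000030: ed 03 13 28 a7 5a 0d 26 6d ab 49 ea da 7c 5a 8e ...(.Z.&m.I..|Z.
00000040: 1d 94 70 69 06 06 00 00 00 01 04 06 0a 02 00 06 ..pi............
00000050: 05 06 00 00 00 01 20 0a 50 41 52 2d 57 4c 43 31 ........PAR-WLC1
00000060: 3d 06 00 00 00 13 1a 0c 00 00 37 63 01 06 00 00 =.........7c....
00000070: 00 04 1f 0c 31 30 2e 32 2e 30 2e 31 35 36 1e 0a ....10.2.0.156..
00000080: 31 30 2e 32 2e 30 2e 36 50 12 7f 86 5a c5 61 ad 10.2.0.6P...Z.a.
00000090: af 54 fa fa 42 e7 f6 16 9e 10 .T..B.....
"""
ACCESS_REJECT_DUMP = """
00000000: 03 56 00 14 a9 10 07 84 83 00 87 83 b9 10 64 e1 .V............d.
00000010: 66 b3 c5 5e f..^
"""

@dataclass
class Attr:
    type: int
    value: bytes

    @property
    def name(self) -> str:
        return ATTR_NAMES.get(self.type, f"Attr-{self.type}")

@dataclass
class Packet:
    code: int
    identifier: int
    length: int
    authenticator: bytes
    attrs: List[Attr]

_HEX_BYTE = re.compile(r"[0-9a-fA-F]{2}")

def hexdump_to_bytes(dump: str) -> bytes:
    """Recover raw bytes from 'offset: up to 16 hex bytes  ascii' lines."""
    out = bytearray()
    for line in dump.strip().splitlines():
        if ":" not in line:
            continue
        for tok in line.split(":", 1)[1].split()[:16]:   # drop offset; stop at the ASCII column
            if not _HEX_BYTE.fullmatch(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)

def decode(raw: bytes) -> Packet:
    """Parse the 20-byte header and the attribute TLVs; reject inconsistent lengths."""
    if len(raw) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"header says {length} bytes, got {len(raw)}")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or raw[pos + 1] < 2 or pos + raw[pos + 1] > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        attrs.append(Attr(raw[pos], raw[pos + 2:pos + raw[pos + 1]]))
        pos += raw[pos + 1]
    return Packet(code, ident, length, raw[4:20], attrs)

def describe(a: Attr) -> str:
    """Render an attribute value roughly the way the controller's AVP listing does."""
    if a.type == 26 and len(a.value) >= 4:
        return f"vendor {struct.unpack('!I', a.value[:4])[0]} data {a.value[4:].hex()}"
    if a.type in (1, 30, 31, 32):
        return a.value.decode("ascii", "replace")
    if a.type == 4 and len(a.value) == 4:
        return ".".join(str(b) for b in a.value)
    if a.type in (5, 6, 61) and len(a.value) == 4:
        return str(struct.unpack("!I", a.value)[0])
    if a.type == 3 and len(a.value) == 17:            # CHAP ident byte + 16-byte response
        return f"ident {a.value[0]} response {a.value[1:].hex()}"
    return a.value.hex()

def password_scheme(pkt: Packet) -> str:
    """PAP carries User-Password(2); CHAP carries CHAP-Password(3), normally with CHAP-Challenge(60)."""
    types = {a.type for a in pkt.attrs}
    return "PAP" if 2 in types else "CHAP" if 3 in types else "none"

def summarize(dump: str) -> List[str]:
    pkt = decode(hexdump_to_bytes(dump))
    lines = [f"{CODES.get(pkt.code, pkt.code)} id={pkt.identifier} len={pkt.length} "
             f"authenticator={pkt.authenticator.hex()} scheme={password_scheme(pkt)}"]
    return lines + [f"  {a.name}({a.type}) = {describe(a)}" for a in pkt.attrs]

if __name__ == "__main__":
    for dump in (ACCESS_REQUEST_DUMP, ACCESS_REJECT_DUMP):
        print("\n".join(summarize(dump)))
```

Run on the request dump, the decoder shows an Access-Request (id 86, 154 bytes) carrying User-Name, CHAP-Challenge and CHAP-Password, so the controller really was sending CHAP as configured; the second dump is a bare 20-byte Access-Reject with the same identifier and no attributes, matching the "Access-Reject received" line in the log.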
Authenticated on ISE 1.2 (as admin) against an external radius server
Hello
Our customer wants to be authenticated on ISE 1.2 (as admin) against an external RADIUS server (like ACS, not Microsoft). How could I do that?
Is it possible while retaining internal admin users database in a sequence "external_radius or internal"
thank you in advance.
Best regards
External authentication is supported only with internal authorization:
External Authentication + Internal Authorization
When configuring Cisco ISE to provide administrator authentication using an external RSA SecurID identity store, administrator credential authentication is performed by the RSA identity store. However, authorization (policy application) is still done according to the Cisco ISE internal database. In addition, there are two important factors to remember that are different from External Authentication + External Authorization:
You do not need to specify any particular external administrator groups for the administrator.
You must configure the same username in both the external identity store and the local Cisco ISE database.
To create a new Cisco ISE administrator that authenticates via the external identity store, complete the following steps:
Step 1 Choose Administration > System > Admin Access > Administrators > Local Administrators.
The Administrators window appears, listing all existing locally defined administrators.
Step 2 Follow the guidelines at Creating a New Cisco ISE Administrator to ensure that the administrator username on the external RSA identity store is also present in Cisco ISE. Be sure to click the External option under Password.
Note Remember: you do not need to specify a password for this external administrator user ID, nor are you required to apply any specially configured external administrator group to the associated RBAC policy.
Step 3 Click Save. -
Authentication Policy ISE with External RADIUS Server
Hi All,
I would like to authenticate clients using an external RADIUS server. Once I create an authentication policy using the new compound condition (wireless dot1x + RADIUS Username matches "domainB\"), I would like to forward the authentication of users who authenticate as domainB\username to the External RADIUS Server Sequence. But when I check the authentication dashboard, it still authenticates using the default authentication rule.
Please suggest about this scenario.
Regards,
Sent from Cisco Technical Support Android App
Hi jrabinow,
Which details would you like to see?
Here is some info.
ISEs are deployed in 2 domains, "acme.com" and "sub.acme.com".
The two domains do not have a trust relationship, so they cannot communicate with each other.
Each domain has its own Enterprise Root CA (Microsoft).
Clients who need to access the network need to authenticate with EAP-TLS.
My environment
My ISE node joined into domain "acme.com"
User will be "[email protected]"
Once a user from "[email protected]" tries to authenticate, I would like to forward the RADIUS request from the ISEs (acme.com) to the other ISEs (sub.acme.com).
After ISEs in "sub.acme.com" return RADIUS-ACCEPT then ISEs in "acme.com" will process an authorization policy.
Regards,
Pongsatorn -
Cisco ISE: External RADIUS Server
Hi,
I would like to forward RADIUS from one PSN to another PSN. I have already defined "External RADIUS Servers".
So, how can I use this external RADIUS server to process my request?
I looked at the user guide but didn't find any information about this setting (for rule-based, not simple, authentication policies).
If anyone uses this, please advise.
Thanks,
Pongsatorn
Defining an External RADIUS Server
Cisco ISE can function both as a RADIUS server and as a RADIUS proxy server. When it acts as a proxy server, Cisco ISE receives authentication and accounting requests from the network access server (NAS) and forwards them to the external RADIUS server. Cisco ISE accepts the results of the requests and returns them to the NAS. You must configure the external RADIUS servers in Cisco ISE to enable it to forward requests to the external RADIUS servers. You can define the timeout period and the number of connection attempts.
Cisco ISE can simultaneously act as a proxy server to multiple external RADIUS servers. You can use the external RADIUS servers that you configure here in RADIUS server sequences. This External RADIUS Server page lists all the external RADIUS servers that you have defined in Cisco ISE. You can use the filter option to search for specific RADIUS servers based on the name or description or both.
To create an external RADIUS server, complete the following steps:
Step 1 Choose Administration > Network Resources > External RADIUS Servers.
The RADIUS Servers page appears with a list of external RADIUS servers that are defined in Cisco ISE.
Step 2 Click Add to add an external RADIUS server.
Step 3 Enter the values as described:
•Name—(Required) Enter the name of the external RADIUS server.
•Description—Enter a description of the external RADIUS server.
•Host IP—(Required) Enter the IP address of the external RADIUS server.
•Shared Secret—(Required) Enter the shared secret between Cisco ISE and the external RADIUS server that is used for authenticating the external RADIUS server. A shared secret is an expected string of text that a user must provide to enable the network device to authenticate a username and password. The connection is rejected until the user supplies the shared secret. The shared secret can be up to 128 characters in length.
•Enable KeyWrap—This option increases RADIUS protocol security via an AES KeyWrap algorithm, to help enable FIPS 140-2 compliance in Cisco ISE.
•Key Encryption Key—This key is used for session encryption (secrecy).
•Message Authenticator Code Key—This key is used for keyed HMAC calculation over RADIUS messages.
•Key Input Format—Specify the format you want to use to enter the Cisco ISE FIPS encryption key, so that it matches the configuration that is available on the WLAN controller. (The value you specify must be the correct [full] length for the key as defined below—shorter values are not permitted.)
–ASCII—The Key Encryption Key must be 16 characters (bytes) long, and the Message Authenticator Code Key must be 20 characters (bytes) long.
–Hexadecimal—The Key Encryption Key must be 32 bytes long, and the Message Authenticator Code Key must be 40 bytes long.
•Authentication Port—(Required) Enter the RADIUS authentication port number. The valid range is from 1 to 65535. The default is 1812.
•Accounting Port—(Required) Enter the RADIUS accounting port number. The valid range is from 1 to 65535. The default is 1813.
•Server Timeout—(Required) Enter the number of seconds that Cisco ISE waits for a response from the external RADIUS server. The default is 5 seconds. Valid values are from 5 to 120.
•Connection Attempts—(Required) Enter the number of times that Cisco ISE attempts to connect to the external RADIUS server. The default is 3 attempts. Valid values are from 1 to 9.
Step 4 Click Submit to save the external RADIUS server configuration. -
Configuring Cisco ISE for Authorization with External Radius Server attribute
Hi,
I'm trying to integrate an external radius server with Cisco ISE.
I created an External Identity Store>Radius Token Server.
I created an Identity Store sequence with just the one identity store created above.
And I was able to authenticate successfully.
But when it comes to authorization, I observed we just have one tab named Authorization when creating the RADIUS Token server.
And it always refers to ACS:attribute_name.
If I want to define an IETF RADIUS attribute (let's say Class, with attribute ID 25), how could I do it?
In Cisco ACS we have a direct entry option in the Authorization tab where we can define the RADIUS (IETF) attribute within the RADIUS token server creation (within RADIUS token server > Directory attribute tab).
However, when I try to define the IETF attribute here (Class, IETF:Class), I am not able to authorize with this attribute value.
I tried with just one single authorization rule which it could hit, but observed it going to the default (as none of the defined rules matched the condition).
Can anyone guide me on how we can define an IETF RADIUS attribute for authorization within Cisco ISE, and what policy we could set to make it work for authorization?
Thanks in advance
Senthil K
These are the steps for Creating and Editing RADIUS Vendors
To create and edit a RADIUS vendor, complete the following steps:
Step 1 From the Administration mega menu, choose Resources > RADIUS Vendors.
The RADIUS Vendors page appears with a list of RADIUS vendors that ISE supports.
Step 2 Click Create to create a new RADIUS vendor or click the radio button next to the RADIUS vendor that you want to edit and click Edit.
Step 3 Enter the following information:
• Name—(Required) Name of the RADIUS vendor.
• Description—An optional description for the vendor.
• Vendor ID—(Required) The Internet Assigned Numbers Authority (IANA)-approved ID for the vendor.
• Vendor Attribute Type Field Length—(Required) The number of bytes taken from the attribute value to be used to specify the attribute type. Valid values are 1, 2, and 4. The default value is 1.
• Vendor Attribute Size Field Length—(Required) The number of bytes taken from the attribute value to be used to specify the attribute length. Valid values are 0 and 1. The default value is 1.
Step 4 Click Submit to save the RADIUS vendor. -
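The two length settings in Step 3 describe how the vendor lays out its sub-attributes inside the RFC 2865 Vendor-Specific attribute (type 26): how many bytes name the sub-attribute type and whether a one-byte length field follows it. The following is an added example, not ISE code and not from the thread: an encoder and decoder parameterised by exactly those two settings, run over the Airespace VSA that appears in the WLC debug earlier on this page (vendor 14179, 1-byte type, 1-byte size) and over the same sub-attribute re-encoded under a 4-byte-type, no-size definition, which shows why a vendor definition that does not match the device either fails to parse or parses into nonsense. The sample VSA bytes are taken from that debug; everything else is constructed.

```python
# Added example, not from the thread or Cisco's documentation: what the
# "Vendor Attribute Type Field Length" and "Vendor Attribute Size Field Length"
# settings mean on the wire, using the RFC 2865 Vendor-Specific (type 26) layout.
import struct
from typing import List, Tuple

VENDOR_SPECIFIC = 26
AIRESPACE = 14179  # IANA enterprise number of the WLC; 0x3763 in the debug hex earlier on this page

def encode_vsa(vendor_id: int, subs: List[Tuple[int, bytes]],
               type_len: int = 1, size_len: int = 1) -> bytes:
    """Build one Vendor-Specific attribute under the given vendor definition."""
    if type_len not in (1, 2, 4) or size_len not in (0, 1):
        raise ValueError("type_len must be 1, 2 or 4 and size_len 0 or 1")
    if size_len == 0 and len(subs) != 1:
        raise ValueError("without a size field only one sub-attribute fits per VSA")
    body = bytearray(struct.pack("!I", vendor_id))
    for sub_type, value in subs:
        body += sub_type.to_bytes(type_len, "big")
        if size_len:
            body.append(type_len + size_len + len(value))  # length covers type + size + value
        body += value
    if len(body) + 2 > 255:
        raise ValueError("VSA exceeds the 255-byte attribute limit")
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + bytes(body)

def decode_vsa(attr: bytes, type_len: int = 1, size_len: int = 1):
    """Split a Vendor-Specific attribute into (vendor_id, [(sub_type, value), ...])."""
    if len(attr) < 6 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    data, pos, subs = attr[6:], 0, []
    while pos < len(data):
        if pos + type_len + size_len > len(data):
            raise ValueError("truncated sub-attribute header")
        sub_type = int.from_bytes(data[pos:pos + type_len], "big")
        pos += type_len
        if size_len:
            value_len = data[pos] - type_len - size_len
            pos += 1
            if value_len < 0 or pos + value_len > len(data):
                raise ValueError("sub-attribute length does not fit the VSA")
        else:
            value_len = len(data) - pos          # no size field: the rest of the VSA is the value
        subs.append((sub_type, data[pos:pos + value_len]))
        pos += value_len
    return vendor_id, subs

def definition_matches(attr: bytes, type_len: int, size_len: int) -> bool:
    """True if the VSA parses cleanly under this vendor definition. A wrong definition
    can still parse "cleanly" into meaningless sub-attributes, so this is a necessary,
    not a sufficient, check."""
    try:
        decode_vsa(attr, type_len, size_len)
        return True
    except ValueError:
        return False

# From the WLC debug earlier on this page: Airespace WLAN-Identifier = 4 with a 1-byte type and 1-byte size.
AIRESPACE_VSA = bytes.fromhex("1a0c00003763010600000004")

if __name__ == "__main__":
    print(decode_vsa(AIRESPACE_VSA))                       # (14179, [(1, b'\x00\x00\x00\x04')])
    alt = encode_vsa(AIRESPACE, [(1, b"\x00\x00\x00\x04")], type_len=4, size_len=0)
    print(alt.hex(), definition_matches(alt, 1, 1))        # same data in a 4/0 layout; fails under 1/1
    print(decode_vsa(AIRESPACE_VSA, 4, 0))                 # 1/1 bytes read as 4/0: nonsense sub-type
```

Decoding the Airespace VSA with the 1/1 definition yields sub-attribute 1 with value 4, the WLAN ID the log also shows; reading the same bytes with a 4/0 definition does not raise but produces a meaningless sub-type, and reading the 4/0 encoding with a 1/1 definition fails the length check outright.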
Authenticate Users Using an LDAP Server
Hi,
I implemented 'Authenticate Users Using an LDAP Server' according to the link below.
[http://www.oracle.com/technology/products/database/application_express/howtos/how_to_ldap_authenticate.html]
It works OK for a specific DN string, for example 'cn=%LDAP_USER%,OU=Menahel,OU=Cmp,DC=ho,DC=discount'.
We have a lot of domain rules, meaning the users are not located at the same DN.
Is it possible to use a general DN string (base root) like 'cn=%LDAP_USER%,*,*,DC=ho,DC=discount'?
Thanks in advance,
Shay
Augusto, one thing to check (since it caught me out) is that your LDAP entries conform to the right format, namely
"cn=Bob" etc
When I was integrating HTMLDB LDAP against a Sun One Directory Server, it had me scratching my head for ages, until I realised that the LDAP entries had been created in the format of -
"uid=bob" rather than "cn=bob"
This might not be your problem, but it's worth checking anyway ;) -
ISE 1.2 Patch 2 External RADIUS Server Sequence Broken?
Hi community,
We have upgraded our proof of concept ISE 1.2 lab to Patch level 2.
Our lab design includes the use of external RADIUS servers which we off-load certain authentication rules to.
To ensure resiliency of the external RADIUS service, we have two of these which we add to a RADIUS Server Sequence, the idea being that if the first in the list is unavailable, ISE will try the second and all will be well.
Now this worked for us when testing ISE 1.2, but I have noticed that after the upgrade to Patch 2, ISE is sending the majority of RADIUS traffic to the first (failed) external RADIUS server, with only the odd RADIUS Access-Request to the next in the list.
Has anybody else come across this?
All helpful comments rated!
Many thanks, Ash.
I couldn't find any known issues with this feature. Could you please paste a screenshot of the external RADIUS sequence and configuration? Also, how are we determining that the first server in the sequence is DEAD?
~BR
Jatin Katyal
**Do rate helpful posts** -
Cisco ISE with both internal and External RADIUS Server
Hi
I have ISE 1.2; I configured it as management, monitor and PSN and it works fine.
I would like to know if I can integrate an external RADIUS server and work with both the internal and an external RADIUS server simultaneously,
so some computers (groupe_A in Active Directory) will continue to do RADIUS authentication on the ISE internal RADIUS and other computers (groupe_B in Active Directory) will do RADIUS authentication on an external RADIUS server.
I would like to know if it is possible to configure this and how I can do it?
Thanks in advance for your help
Regards
Blaise
Cisco ISE can function both as a RADIUS server and as a RADIUS proxy server. When it acts as a proxy server, Cisco ISE receives authentication and accounting requests from the network access server (NAS) and forwards them to the external RADIUS server. Cisco ISE accepts the results of the requests and returns them to the NAS.
Cisco ISE can simultaneously act as a proxy server to multiple external RADIUS servers. You can use the external RADIUS servers that you configure here in RADIUS server sequences. The External RADIUS Server page lists all the external RADIUS servers that you have defined in Cisco ISE. You can use the filter option to search for specific RADIUS servers based on the name or description, or both. In both simple and rule-based authentication policies, you can use the RADIUS server sequences to proxy the requests to a RADIUS server.
The RADIUS server sequence strips the domain name from the RADIUS-Username attribute for RADIUS authentications. This domain stripping is not applicable for EAP authentications, which use the EAP-Identity attribute. The RADIUS proxy server obtains the username from the RADIUS-Username attribute and strips it from the character that you specify when you configure the RADIUS server sequence. For EAP authentications, the RADIUS proxy server obtains the username from the EAP-Identity attribute. EAP authentications that use the RADIUS server sequence will succeed only if the EAP-Identity and RADIUS-Username values are the same. -
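The username handling described in the paragraph above is easy to get wrong in a mixed PAP/EAP deployment, so here it is written out as two small Python functions that can be checked against sample names. This is an added example, not ISE code: the rules are the ones stated above (strip the domain at the configured character for RADIUS authentications, use EAP-Identity unstripped for EAP, and require EAP-Identity and User-Name to match). The choice to strip at the first separator for a domain prefix and at the last separator for a domain suffix is my assumption, not something the documentation states.

```python
# Added example, not from Cisco's documentation: the username rules a RADIUS
# server sequence applies before proxying, written as testable functions.
from typing import Optional, Tuple

def strip_domain(username: str, separator: str, domain_is_prefix: bool) -> str:
    """Remove the domain part at `separator` (the character configured on the sequence).
    Prefix form 'domainB\\alice' -> 'alice'; suffix form 'alice@sub.acme.com' -> 'alice'.
    If the separator is absent the name is returned unchanged.
    Assumption: split at the first separator for a prefix, at the last for a suffix."""
    if not separator or separator not in username:
        return username
    if domain_is_prefix:
        return username.split(separator, 1)[1]
    return username.rsplit(separator, 1)[0]

def username_for_proxy(radius_username: str, eap_identity: Optional[str],
                       separator: str, domain_is_prefix: bool) -> Tuple[Optional[str], str]:
    """Return (username to forward, reason). Plain RADIUS authentications take the
    User-Name with the domain stripped; EAP authentications take EAP-Identity as-is,
    and fail when EAP-Identity and User-Name differ."""
    if eap_identity is None:
        return strip_domain(radius_username, separator, domain_is_prefix), "radius: domain stripped"
    if eap_identity != radius_username:
        return None, "eap: EAP-Identity and User-Name differ, authentication fails"
    return eap_identity, "eap: EAP-Identity used, no domain stripping"

if __name__ == "__main__":
    print(username_for_proxy("domainB\\alice", None, "\\", True))
    print(username_for_proxy("alice@sub.acme.com", "alice@sub.acme.com", "@", False))
    print(username_for_proxy("alice@sub.acme.com", "anonymous@sub.acme.com", "@", False))
```

The third call models an EAP supplicant that sends an anonymous outer identity: because the two attributes differ, the sequence cannot proxy it, which is the failure mode the last sentence above warns about.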
OTP of ASDM using external radius server ( Not RSA )
Hello,
Just seeing if the ASDM will support OTP using an external RADIUS server, and not RSA. I see there was a feature added in 8.2 that states it's possible with RSA, but nothing about any other support. Just checking to see if someone knows for sure.
Thanks,
Jason
I did see in the release notes for ASDM 6.2 that SDI is supported with RSA. Can anyone confirm whether or not it works with RADIUS too (OTP)?
http://www.cisco.com/en/US/docs/security/asdm/6_2/release/notes/asdmrn62.html -
ISE admin access, authentication against external radius
Please don't ask me why,
The customer insists and wants to be authenticated on ISE (as admin) against an external (Microsoft) RADIUS server.
Is it possible while retaining the internal admin users database in a sequence Internal>external_radius or internal>AD?
Thank you in advance for whatever may help.
According to Cisco:
External authentication AND external authorisation for admin access on the ISE can only be done by using LDAP or AD.
For RADIUS servers there is a solution for external authentication and internal authorisation on the ISE:
External Authentication + Internal Authorization
When configuring Cisco ISE to provide administrator authentication using an external RSA SecurID identity store, administrator credential authentication is performed by the RSA identity store. However, authorization (policy application) is still done according to the Cisco ISE internal database. In addition, there are two important factors to remember that are different from External Authentication + External Authorization:
You do not need to specify any particular external administrator groups for the administrator.
You must configure the same username in both the external identity store and the local Cisco ISE database.
To create a new Cisco ISE administrator that authenticates via the external identity store, complete the following steps:
Step 1 Choose Administration > System > Admin Access > Administrators > Local Administrators.
The Administrators window appears, listing all existing locally defined administrators.
Step 2 Follow the guidelines at Creating a New Cisco ISE Administrator to ensure that the administrator username on the external RSA identity store is also present in Cisco ISE. Be sure to click the External option under Password.
Note Remember: you do not need to specify a password for this external administrator user ID, nor are you required to apply any specially configured external administrator group to the associated RBAC policy.
Step 3 Click Save. -
Hello,
Since the JRS roam servers have to be put in a RADIUS Server Sequence on ISE, which node IP address is meant to be registered with JANET, the PAN or each PSN IP address? I would have thought it to be the PAN since all the external RADIUS servers are configured on the PAN, but thought I should ask just to be sure. Thanks
Yes, even though the configuration is done on the PAN, only the ISE nodes that have the Policy Service role enabled will be used to forward requests using the external RADIUS proxy feature.
-
WLC WLAN Authentication from External RADIUS Server
Dears,
How do I make the WLC receive a PoD (Packet of Disconnect) from the RADIUS server to terminate the session and disconnect authenticating clients?
Thanks,
Hi Ahmed,
It's not documented well, but here it is:
CSCso52532 No Documentation for sending RADIUS Disconnect-Request (RFC 3576)
. If a user has to be logged out, the following attributes are expected:
- SSH_RADIUS_AVP_SERVICE_TYPE(6) attribute with the following value:
SSH_RADIUS_SERVICE_TYPE_LOGIN(1)
- SSH_RADIUS_AVP_CALLING_STATION_ID(31) - this is needed if we want to delete a particular user session via a particular device (like PDA, phone or PC)
- SSH_RADIUS_AVP_USER_NAME(1)
. If a management user has to be logged out, the following attributes are expected:
- SSH_RADIUS_AVP_SERVICE_TYPE(6) attribute with the following value:
- SSH_RADIUS_SERVICE_TYPE_ADMINISTRATIVE
OR
- SSH_RADIUS_SERVICE_TYPE_NAS_PROMPT
- SSH_RADIUS_AVP_USER_NAME(1)
- SSH_RADIUS_AVP_FRAMED_IP_ADDRESS(8)
E.g.:
*Dec 17 12:59:08.926: Packet contains 14 AVPs:
*Dec 17 12:59:08.926: AVP[01] User-Name................................user@domain (17 bytes)
*Dec 17 12:59:08.926: AVP[02] Nas-Port.................................0x0000000d (13) (4 bytes)
*Dec 17 12:59:08.926: AVP[03] Nas-Ip-Address...........................0x0a0047fb (167790587) (4 bytes)
*Dec 17 12:59:08.926: AVP[04] Framed-IP-Address........................0x0a003f1b (167788315) (4 bytes)
*Dec 17 12:59:08.926: AVP[05] NAS-Identifier...........................wlcRM_1 (7 bytes)
*Dec 17 12:59:08.926: AVP[06] Airespace / WLAN-Identifier..............0x00000004 (4) (4 bytes)
*Dec 17 12:59:08.926: AVP[07] Acct-Session-Id..........................4b2a1d0c/00:1c:26:cb:27:71/4 (28 bytes)
*Dec 17 12:59:08.926: AVP[08] Acct-Authentic...........................0x00000001 (1) (4 bytes)
*Dec 17 12:59:08.926: AVP[09] Tunnel-Type..............................0x0000000d (13) (4 bytes)
*Dec 17 12:59:08.926: AVP[10] Tunnel-Medium-Type.......................0x00000006 (6) (4 bytes)
*Dec 17 12:59:08.926: AVP[11] Tunnel-Group-Id..........................0x3633 (13875) (2 bytes)
*Dec 17 12:59:08.926: AVP[12] Acct-Status-Type.........................0x00000001 (1) (4 bytes)
*Dec 17 12:59:08.926: AVP[13] Calling-Station-Id.......................10.0.63.27 (10 bytes)
*Dec 17 12:59:08.926: AVP[14] Called-Station-Id........................10.0.71.251 (11 bytes)
*Dec 17 12:59:10.943: 00:1c:26:cb:27:71 Accounting-Response received from RADIUS server 10.0.71.249 for mobile 00:1c:26:cb:27:71 receiveId = 0
*Dec 17 12:59:34.044: Received a 'RFC-3576 Disconnect-Request' from 10.0.71.249
*Dec 17 12:59:34.044: Packet contains 6 AVPs:
*Dec 17 12:59:34.044: AVP[01] Nas-Ip-Address...........................0x0a0047fb (167790587) (4 bytes)
*Dec 17 12:59:34.044: AVP[02] User-Name................................user@domain (17 bytes)
*Dec 17 12:59:34.044: AVP[03] Acct-Session-Id..........................4b2a1d0c/00:1c:26:cb:27:71/4 (28 bytes)
*Dec 17 12:59:34.044: AVP[04] Calling-Station-Id.......................10.0.63.27 (10 bytes)
*Dec 17 12:59:34.044: AVP[05] Called-Station-Id........................10.0.71.251 (11 bytes)
*Dec 17 12:59:34.044: AVP[06] Service-Type.............................0x00000001 (1) (4 bytes)
*Dec 17 12:59:34.044: Error cause 503 generated for 'RFC-3576 Disconnect-Request' from 10.0.71.249 (Session Identification attributes not valid)
*Dec 17 12:59:34.045: Sent a 'RFC-3576 Disconnect-Nak' to 10.0.71.249:3799
*Dec 17 12:59:36.561: ****Enter processIncomingMessages: response code=5
**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**
Please Rate if helpful.
Regards
Ed -
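The reply above lists which attributes the controller expects in a Disconnect-Request and shows a NAK with error cause 503 when the session identification does not match. What it does not show is the packet-level mechanics, which matter on the NAS side: a Disconnect-Request is only honoured if its Request Authenticator was computed with the shared secret, which is what stops an arbitrary host on the network from tearing sessions down. The following is an added example, not WLC or Cisco code: it builds a Disconnect-Request (code 40) carrying the user-logout attribute set listed above, performs the RFC 5176 authenticator check a NAS does before acting on it, and builds the Disconnect-NAK (code 42) with Error-Cause 503 (Session Context Not Found in RFC 5176's table) that the log above records. The shared secret is a placeholder; the user name, station ID and IP address are the ones that appear in the log above; attribute numbers are the IETF values named in the reply.

```python
# Added example, not the WLC's or the thread's code: an RFC 5176 Disconnect-Request
# built with the user-logout attribute set listed above, the NAS-side authenticator
# check that rejects requests not built with the shared secret, and the Disconnect-NAK
# with the Error-Cause the WLC returned in the log.
import hashlib
import hmac
import ipaddress
import struct
from typing import List, Tuple, Union

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, SERVICE_TYPE, FRAMED_IP_ADDRESS, CALLING_STATION_ID, ERROR_CAUSE = 1, 6, 8, 31, 101
SERVICE_LOGIN, SERVICE_ADMINISTRATIVE, SERVICE_NAS_PROMPT = 1, 6, 7
ERROR_CAUSE_NAMES = {503: "Session Context Not Found"}  # RFC 5176 value behind the NAK in the log

Attr = Tuple[int, Union[int, str, bytes]]

def encode_attrs(attrs: List[Attr]) -> bytes:
    """TLV-encode attributes; ints become 4-byte integers, strs become UTF-8 text."""
    out = bytearray()
    for t, v in attrs:
        if isinstance(v, int):
            v = struct.pack("!I", v)
        elif isinstance(v, str):
            v = v.encode("utf-8")
        if len(v) > 253:
            raise ValueError(f"attribute {t} value too long")
        out += bytes([t, len(v) + 2]) + v
    return bytes(out)

def build_disconnect_request(identifier: int, attrs: List[Attr], secret: bytes) -> bytes:
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(body))
    # RFC 5176: Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def verify_disconnect_request(packet: bytes, secret: bytes) -> bool:
    """NAS side: recompute the Request Authenticator; a request that was not built
    with the shared secret, or was altered in transit, is discarded."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def build_disconnect_nak(request: bytes, error_cause: int, secret: bytes) -> bytes:
    body = encode_attrs([(ERROR_CAUSE, error_cause)])
    header = struct.pack("!BBH", DISCONNECT_NAK, request[1], 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body

def error_cause(nak: bytes) -> int:
    """Pull the Error-Cause(101) value out of a Disconnect-NAK (0 if absent)."""
    pos = 20
    while pos + 2 <= len(nak):
        t, l = nak[pos], nak[pos + 1]
        if l < 2:
            break
        if t == ERROR_CAUSE and l == 6:
            return struct.unpack("!I", nak[pos + 2:pos + 6])[0]
        pos += l
    return 0

# Constructed: placeholder secret; user name, station ID and address are the values in the log above.
SECRET = b"placeholder-shared-secret"
USER_LOGOUT = [(SERVICE_TYPE, SERVICE_LOGIN), (USER_NAME, "user@domain"),
               (CALLING_STATION_ID, "00:1c:26:cb:27:71")]
ADMIN_LOGOUT = [(SERVICE_TYPE, SERVICE_ADMINISTRATIVE), (USER_NAME, "admin"),
                (FRAMED_IP_ADDRESS, int(ipaddress.IPv4Address("10.0.63.27")))]

def demo() -> dict:
    req = build_disconnect_request(7, USER_LOGOUT, SECRET)
    tampered = req[:20] + req[20:].replace(b"user@domain", b"usex@domain")  # same length, altered name
    nak = build_disconnect_nak(req, 503, SECRET)
    return {"valid": verify_disconnect_request(req, SECRET),
            "tampered": verify_disconnect_request(tampered, SECRET),
            "wrong_secret": verify_disconnect_request(req, b"other-secret"),
            "nak_code": nak[0], "nak_error": error_cause(nak)}

if __name__ == "__main__":
    print(demo())
```

The Message-Authenticator attribute is omitted here for brevity; the authenticator check alone already shows why the shared secret on the WLC must match the one on the RADIUS server before any Disconnect-Request is acted on, and why a mismatch or an altered packet is silently discarded rather than NAKed.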
VPN Tunnel w/ 802.1X port authentication against remote RADIUS server
I have a Cisco 892 set up as a VPN client connecting to an ASA 5515-X. The tunnel works fine and comes up if there's the correct traffic. I have two RADIUS servers I want to use for certificate-based authentication, which are located behind the ASA 5515-X.
If I connect a computer that has the correct certificates to ports FA0 through 3, authentication won't work. I'll see the following. This happens even if the VPN tunnel is already established by doing something such as connecting a VoIP phone. No entries are located in the RADIUS logs, and I also cannot ping the RADIUS servers from VLAN10.
*Jan 30 19:46:01.435: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.1.100:1812,1813 is not responding.
*Jan 30 19:46:01.435: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.1.100:1812,1813 is being marked alive.
*Jan 30 19:46:21.659: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.26.10:1812,1813 is not responding.
*Jan 30 19:46:21.659: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.26.10:1812,1813 is being marked alive.
If I connect a second PC to an interface with 802.1X disabled, such as FA6, the VPN tunnel will establish itself correctly. In this situation, I can ping the RADIUS servers from VLAN10. If I go ahead and connect another PC with correct certificates to a port with 802.1X enabled, such as ports FA0 through 3, then 802.1X will succeed.
Current configuration : 6199 bytes
! Last configuration change at 15:40:11 EST Mon Feb 3 2014 by
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname router1
boot-start-marker
boot-end-marker
aaa new-model
aaa local authentication default authorization default
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa session-id common
clock timezone EST -5 0
clock summer-time EDT recurring
ip cef
ip dhcp pool pool
import all
network 192.168.28.0 255.255.255.248
bootfile PXEboot.com
default-router 192.168.28.1
dns-server 192.168.26.10 192.168.1.100 8.8.8.8 4.2.2.2
domain-name domain.local
option 66 ip 192.168.23.10
option 67 ascii PXEboot.com
option 150 ip 192.168.23.10
lease 0 2
ip dhcp pool phonepool
network 192.168.28.128 255.255.255.248
default-router 192.168.28.129
dns-server 192.168.26.10 192.168.1.100
option 150 ip 192.168.1.132
domain-name domain.local
lease 0 2
ip dhcp pool guestpool
network 10.254.0.0 255.255.255.0
dns-server 8.8.8.8 4.2.2.2
domain-name local
default-router 10.254.0.1
lease 0 2
no ip domain lookup
ip domain name remote.domain.local
no ipv6 cef
multilink bundle-name authenticated
license udi pid CISCO892-K9
dot1x system-auth-control
username somebody privilege 15 password 0 password
redundancy
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
crypto isakmp key secretpassword address 123.123.123.123
crypto ipsec transform-set pix-set esp-aes 256 esp-sha-hmac
mode tunnel
crypto map pix 10 ipsec-isakmp
set peer 123.123.123.123
set transform-set pix-set
match address 110
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
interface FastEthernet0
switchport access vlan 10
switchport voice vlan 11
no ip address
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
interface FastEthernet1
switchport access vlan 10
switchport voice vlan 11
no ip address
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
interface FastEthernet2
switchport access vlan 10
switchport voice vlan 11
no ip address
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
interface FastEthernet3
switchport access vlan 10
switchport voice vlan 11
no ip address
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
interface FastEthernet4
switchport access vlan 10
switchport voice vlan 11
no ip address
spanning-tree portfast
interface FastEthernet5
switchport access vlan 12
switchport voice vlan 11
no ip address
spanning-tree portfast
interface FastEthernet6
switchport access vlan 10
switchport voice vlan 11
no ip address
spanning-tree portfast
interface FastEthernet7
switchport access vlan 10
switchport voice vlan 11
no ip address
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
interface FastEthernet8
no ip address
shutdown
duplex auto
speed auto
interface GigabitEthernet0
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map pix
interface Vlan1
no ip address
interface Vlan10
ip address 192.168.28.1 255.255.255.248
ip nat inside
ip virtual-reassembly in
interface Vlan11
ip address 192.168.28.129 255.255.255.248
interface Vlan12
ip address 10.254.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 101 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 dhcp
ip radius source-interface Vlan10
ip sla auto discovery
access-list 101 deny ip 192.168.28.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.28.0 0.0.0.255 any
access-list 101 permit ip 10.254.0.0 0.0.0.255 any
access-list 110 permit ip 192.168.28.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 110 permit ip 192.168.29.0 0.0.0.255 192.168.0.0 0.0.255.255
radius-server host 192.168.1.100 auth-port 1812 acct-port 1813 key secretkey
radius-server host 192.168.26.10 auth-port 1812 acct-port 1813 key secretkey
control-plane
mgcp profile default
line con 0
line aux 0
line vty 0 4
transport input all
ntp source FastEthernet0
ntp server 192.168.26.10
ntp server 192.168.1.100
end
I have 802.1X certificate authentication enabled on the computers. As described in my post above, authentication will work if there's another device on the same VLAN that is connected to a port that bypasses authentication. It seems like I have a chicken-and-egg scenario: a device needs to be successfully connected to VLAN10 before the router will use its VLAN10 interface to communicate with my remote RADIUS server.