Authentication against 2000 domain server

Is ther any way to authorize client using it's logon information, using the same domain server than the one used for login pourposes
Thanks in advance

Cisco Secure ACS 2.6 or higher should accomplish this for you.
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt26/jacsb26.htm

Similar Messages

VPN Tunnel w/ 802.1X port authentication against remote RADIUS server

I have a Cisco 892 setup as a VPN client connecting to an ASA 5515-X. The tunnel works fine and comes up if theirs correct traffic. I have two RADIUS servers I want to use certificate based authentication to, that are located behind the ASA 5515-X.
If I connect a computer that has the correct certificates to ports FA0 through 3, authentication won't work. I'll see the following. This happens even if the VPN tunnel is established already by doing something such as connecting a VOIP phone. No entrys are located in the RADIUS logs, and I also cannot ping the RADIUS servers from VLAN10.
*Jan 30 19:46:01.435: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.1.100:1812,1813 is not responding.
*Jan 30 19:46:01.435: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.1.100:1812,1813 is being marked alive.
*Jan 30 19:46:21.659: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.26.10:1812,1813 is not responding.
*Jan 30 19:46:21.659: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.26.10:1812,1813 is being marked alive.
If I connect a second PC to an interface with 802.1X disabled, such as FA6, the VPN tunnel will establish itself correctly. In this situation, I can ping the RADIUS servers from VLAN10. If I go ahead and connect another PC with correct certificates to a port with 802.1X enabled such as port FA0 through 3, then 802.1X will suceed.
Current configuration : 6199 bytes
! Last configuration change at 15:40:11 EST Mon Feb 3 2014 by
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname router1
boot-start-marker
boot-end-marker
aaa new-model
aaa local authentication default authorization default
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa session-id common
clock timezone EST -5 0
clock summer-time EDT recurring
ip cef
ip dhcp pool pool
import all
network 192.168.28.0 255.255.255.248
bootfile PXEboot.com
default-router 192.168.28.1
dns-server 192.168.26.10 192.168.1.100 8.8.8.8 4.2.2.2
domain-name domain.local
option 66 ip 192.168.23.10
option 67 ascii PXEboot.com
option 150 ip 192.168.23.10
lease 0 2
ip dhcp pool phonepool
network 192.168.28.128 255.255.255.248
default-router 192.168.28.129
dns-server 192.168.26.10 192.168.1.100
option 150 ip 192.168.1.132
domain-name domain.local
lease 0 2
ip dhcp pool guestpool
network 10.254.0.0 255.255.255.0
dns-server 8.8.8.8 4.2.2.2
domain-name local
default-router 10.254.0.1
lease 0 2
no ip domain lookup
ip domain name remote.domain.local
no ipv6 cef
multilink bundle-name authenticated
license udi pid CISCO892-K9
dot1x system-auth-control
username somebody privilege 15 password 0 password
redundancy
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
crypto isakmp key secretpassword address 123.123.123.123
crypto ipsec transform-set pix-set esp-aes 256 esp-sha-hmac
mode tunnel
crypto map pix 10 ipsec-isakmp
set peer 123.123.123.123
set transform-set pix-set
match address 110
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
interface FastEthernet0
switchport access vlan 10
switchport voice vlan 11
no ip address
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
interface FastEthernet1
switchport access vlan 10
switchport voice vlan 11
no ip address
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
interface FastEthernet2
switchport access vlan 10
switchport voice vlan 11
no ip address
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
interface FastEthernet3
switchport access vlan 10
switchport voice vlan 11
no ip address
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
interface FastEthernet4
switchport access vlan 10
switchport voice vlan 11
no ip address
spanning-tree portfast
interface FastEthernet5
switchport access vlan 12
switchport voice vlan 11
no ip address
spanning-tree portfast
interface FastEthernet6
switchport access vlan 10
switchport voice vlan 11
no ip address
spanning-tree portfast
interface FastEthernet7
switchport access vlan 10
switchport voice vlan 11
no ip address
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
interface FastEthernet8
no ip address
shutdown
duplex auto
speed auto
interface GigabitEthernet0
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map pix
interface Vlan1
no ip address
interface Vlan10
ip address 192.168.28.1 255.255.255.248
ip nat inside
ip virtual-reassembly in
interface Vlan11
ip address 192.168.28.129 255.255.255.248
interface Vlan12
ip address 10.254.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 101 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 dhcp
ip radius source-interface Vlan10
ip sla auto discovery
access-list 101 deny ip 192.168.28.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.28.0 0.0.0.255 any
access-list 101 permit ip 10.254.0.0 0.0.0.255 any
access-list 110 permit ip 192.168.28.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 110 permit ip 192.168.29.0 0.0.0.255 192.168.0.0 0.0.255.255
radius-server host 192.168.1.100 auth-port 1812 acct-port 1813 key secretkey
radius-server host 192.168.26.10 auth-port 1812 acct-port 1813 key secretkey
control-plane
mgcp profile default
line con 0
line aux 0
line vty 0 4
transport input all
ntp source FastEthernet0
ntp server 192.168.26.10
ntp server 192.168.1.100
end

I have 802.1X certificate authentication enabled on the computers. As described in my post above, authentication will work if theirs another device on the same VLAN that is connected to a port that bypasses authentication. It seems like I have a chicken and egg scenario, a device needs to be sucessfully connected to VLAN10 before the router will use it's VLAN10 interface to communicate with my remote RADIUS server.

Problem authenticating against FreeBSD NIS Server

Hello,
We are having problems authenticating Oracle Linux 5.7 32 bits agains a FreeBSD NIS Server, which works without problems with another Linux (CentOS, Gentoo...)
Our Oracle Linux server binds without problems to the NIS domain and we can retrieve all the maps, but when we try to login using ssh, gdm or in console we get that the password is incorrect...
Any clues on what is happening?

Hello, i finally have discovered what was happening, it has to be with the way FreeBSD passes the password field. By default FreeBSD passes the password field with a '*' while Oracle Linux (and Red Hat clones) expect an 'x' to look into shadow maps (Linux uses the '*' character in the password file to not allow login to that user).
To solve it the password field served by the NIS server must be substituted, which is accomplished with nsswitch.conf and adding a line to the /etc/password file on the NIS Client, so the final files will look this way:
# nsswitch.conf (compat directive allows us to use the '+' sintaxis in /etc/passwd file)
passwd files compat
# /etc/passwd (just add at the end of file)
+:x:::::

User Authentication against NT Domain

Hi Expert
I want to code a program which ask for my user id and password and then
authenticate it from my NT domain, mean verigy that am I a valid user or not ? If yes then is my password correct ?
Any one who can give me some help to start ? I believe it can be done but I don't know how and what are the functions and libraries available to do so.
Any help will be appreciated.
Thanks
-- Kashif Ahmed
[email protected]

Create an intial context to the Directory Server using Basic Authentication. You will have to pass the username and password (which for ADS is userPrincipalName or domain\username). As long as you do not get an AuthenticationException then your user is "Authenticated". Just remember the security implications, the password is sent in plain text.

Authentication against NT Domain

Hi Expert
          I want to code a program which ask for my user id and password and then
          authenticate it from my NT domain, mean am I a valid user or not ? If yes
          then is my password correct ?
          Any one who can give me some help to start ? can a servlet do this all stuff
          for me ?
          Any help will be appreciated.
          Thanks
          -- Ali


          Hi,
          I am solving the same problem. There is a product called JCSI Single Sign-On that
          should provide the authentication support for Windows clients based on the Active
          Directory. If I understand it well. The browser (IE) will send a Kerberos ticket
          to the server (SPNEGO) and the server will consider it as a authenticated principal.
          However I don't know anything more at this moment.
          If you find someting out, let us pls. know.
          Zdenek
          "Ali" <[email protected]> wrote:
          >Hi Expert
          >
          >I want to code a program which ask for my user id and password and then
          >authenticate it from my NT domain, mean am I a valid user or not ? If
          >yes
          >then is my password correct ?
          >
          >Any one who can give me some help to start ? can a servlet do this all
          >stuff
          >for me ?
          >
          >Any help will be appreciated.
          >Thanks
          >
          >-- Ali
          >

Ubuntu Karmic authentication against Snow leopard open directory server

Hi,
I'm looking for help. I've tried to configure an installation of Karmic to authenticate against our office's open directory server running on an osx snow leopard server. Currently `getent password` show all users including those from the open directory server when running the command as both root and normal users. However authentication against the open directry users fails with the following messages in the /var/log/auth.log:-
Dec 7 22:42:05 [hostname] getent: nss_ldap: failed to bind to LDAP server ldap://server.domain.com: Invalid credentials
Dec 7 22:42:05 [hostname] getent: nss_ldap: could not search LDAP server - Server is unavailable
(I've changed the hostname and ldap url)
/etc/ldap.conf has:-
base dc=server,dc=domain,dc=com
ldap_version 3
rootbinddn cn=diradmin,dc=server,dc=domain,dc=com
bind_policy soft
pam_password md5
/etc/ldap.secret is set to the password of the diradmin user and has a permission mask of 600
/etc/pam.d/common-passwd :-
password sufficient pam_ldap.so md5
password required pam_unix.so nullok obscure md5
password optional pam_smbpass.so nullok use_authtok tryfirstpass missingok
/etc/pam.d/common-auth:-
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so usefirstpass
auth requisite pam_deny.so
auth required pam_permit.so
/etc/pam.d/common-account:-
account [success=2 newauthtokreqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so
/etc/pam.d/common-session
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
session optional pam_ldap.so
session optional pamckconnector.so nox11
Does anyone have any ideas where to go from here?
Message was edited by: zebardy

Hi
It's easy enough to 'connect' any version of OS X Server to any other version of OS X Server. Use the Join button in the Users & Groups Preferences Pane. Alternatively use the Directory Utility itself.
You seem to be misunderstanding what an Open Directory Master and Replica are? They are not what I think you think they are. They are not a 'back-up' of each other if you're providing more than the shared Directory Service.
An OD Replica maintains a read-only copy of the LDAP Database (Usernames, Passwords and Policies etc) that's stored on the OD Master and nothing more. If the Master was to go offline for any reason the Replica can be quickly promoted to a Master Role and continue to provide information for the shared directory. This assumes it has easy and quick access to the Volume storing networked home folders? The LDAP Database in that case would then become writable. Later on and whenever you've fixed the problem with the old Master it can quickly be demoted and made a Replica of the now new Master.
Although this is for 10.6 Server (it is nevertheless still applicable) everything you need to know about Master and Replica relationships is here:
http://manuals.info.apple.com/en_US/OpenDirAdmin_v10.6.pdf
Page 55 onwards.
From Page 64:
"The Open Directory master and its replicas must use the same version of Mac OS X Server. . ."
If your OD Master is also providing Mail, Calendar and Contact Services then none of these will be replicated. You will have to maintain a backup of these databases yourself using whatever method you deem fit for your needs.
HTH?
Tony

Anybody done USERID/PASSWORD authentication against aWindows NT Domain

I think I'll have to write a C++ Program to the WinNT API to do it
(LogonUser). Then I'll wrap it with a service object for authentication. Has
it been done before? Or something similar? We want to validate users against
a WindowsNT Server DOMAIN.
-martin ([email protected])

Hi Martin & All,
Yes you are right, wrap the API in C++/C then write a PEX file for interface to Forté and use the method to invoke the WinNT API authentication. Do not forget to validate the return values from the methods. They are very crucial in handling exceptions etc., in forte.
I've done the same to provide the mail user authentication in MAPI API wrapper for Forté.
Is this what you looking for????
Regards,
Sivaram S Ghorakavi mailto:[email protected]
International Business Corporation http://www.ibcweb.com/
From: Martin G Nystrom
Sent: Wednesday, November 26, 1997 1:53 PM
To: [email protected]
Subject: Anybody done USERID/PASSWORD authentication against a Windows NTDomain?
I think I'll have to write a C++ Program to the WinNT API to do it
(LogonUser). Then I'll wrap it with a service object for authentication. Has
it been done before? Or something similar? We want to validate users against
a WindowsNT Server DOMAIN.
-martin ([email protected])

"Sharepoint 2013" is giving error that prevents local domain users authentication for "Team Foundation Server"

I am getting 2 errors through the event viewer that prevents TFS 2013 authentication for local domain users, also this error started appearing after having TFS upgraded to [ 12.0.30723.0 (Tfs2013.Update3) ].
1st Error (from administrative events):
The Execute method of job definition Microsoft.SharePoint.Administration.SPUsageImportJobDefinition (ID a51a0244-765d-433b-8502-0bb0540ad1fd) threw an exception. More information is included below.
Access to the path 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS' is denied.
Tried so far:-
- changed the path to another folder from "Diagnostic Logging" in another drive, but still getting the same error.
2nd Error (from application server):
DistributedCOM error
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{000C101C-0000-0000-C000-000000000046}
and APPID
{000C101C-0000-0000-C000-000000000046}
to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
Which I already got fixed using the following steps on a thread I opened before (but still getting the same error).
https://social.technet.microsoft.com/Forums/windows/en-US/3896e35c-b99a-4d30-b662-f92d337c8d6f/windows-servers-components-services-and-regedit-permissions-are-grayed-out-for-my-admin-account?forum=winservergen
Other Fixes I tried
- Found on another topic that it is not sharepoint that is causing the problem, but it is the generated ASP.NET web pages used for testing is causing the memory to fill up due to cashing on RAM, the fix suggested to change IIS cashing from RAM to HD to prevent
loading up using w3wp.exe from processes.
Concern
- by checking other topics for people having the same problem, it was mentioned that this error appeared after the lastest TFS update, is there is a fix for it ?

Hi Kpdn,
Thanks for your post.
All your participation and support are very important to build such harmonious/ pleasant / learning environment for MSDN community.
We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
Click
HERE to participate the survey.

Oracle 10g Reports Server - problem authenticating against DB

I have a problem with Oracle 10g Reports server authenticating against an Oracle RDBMS.
When I try to run reports, an authentication form screen is presented, with the password field empty (the URL in explorer that loads this page contains the username and DB instance, but is missing the password) and the following error message:
REP-51018: Need database user authentication
When the password is entered into the empty field in the form and submitted, another 2 authentication errors are given.
REP-51018: Need database user authentication
REP-12545: java.sql.SQLException: ORA-12545: Connect failed because target host or object does not exist
When the URL in the browser location field is manually altered to include the DB password, the reports are authenticated fine.
Any ideas which config file I should be looking in?
Any pointers would, of course, be much appreciated.
thanks,
Brian

Hello, i finally have discovered what was happening, it has to be with the way FreeBSD passes the password field. By default FreeBSD passes the password field with a '*' while Oracle Linux (and Red Hat clones) expect an 'x' to look into shadow maps (Linux uses the '*' character in the password file to not allow login to that user).
To solve it the password field served by the NIS server must be substituted, which is accomplished with nsswitch.conf and adding a line to the /etc/password file on the NIS Client, so the final files will look this way:
# nsswitch.conf (compat directive allows us to use the '+' sintaxis in /etc/passwd file)
passwd files compat
# /etc/passwd (just add at the end of file)
+:x:::::

ISE and authenticating against Windows AD with RADIUS realm that is different from the Windows domain

Hello
We are in the process of evaluating the Cisco ISE VMWare appliance with a view to replace our existing FreeRADIUS installation as authentication provider for our wireless network and VPN service. As a part of this we are hoping to migrate our user authentication to Microsoft Active Directory - we have previously authenticated against a different identity store (not MS AD). Because of this legacy our Windows domain is not the same as our RADIUS realm name - the Windows domain is "win.mydomain" whereas we wish to allow users to authenticate using "username@mydomain" or even "[email protected]" as they are doing today. We are experiencing an issue where authentication requests with the format "[email protected]" will be forwarded to the Windows AD whereas authentication requests with the format "username@mydomain" will fail with the log message "User not found in Active Directory". We do not know if the ISE itself is validating the username and triggering this error, or if the error originates from AD. We suspect the that the ISE is not even asking AD because "win.mydomain" is the domain configured in "Active Directory" in "External Identity Sources".
Authentication requests against the AD without a realm are successful (that is, using only "username"). With this in mind we located a post on the Cisco support forums that described a process of proxying the request back to the ISE and strip the realm information, but this was specific for the ACS platform. We have attempted to implement this solution but it is still not working as we would have hoped, and we are not entirely certain where the fault might lie. We are currently using PEAP with MSCHAPv2 for authentication in our WLAN where the main problem is. We suspect that the "proxy-to-self" with realm stripping is an issue with PEAP.
Is there a supported method of achieving our goal, or should we abandon the ISE platform as our scenario is simply not supported?

Seems like your issue maybe related to DNS, when ISE receives the format [email protected], the dns request is failing. However, there is a setting for alternate UPN Suffixes that can be configured to include domain.com and student.domain.com.
Here is a windows article that should fix this for you. Once you get this updated please reboot ISE so it rejoins AD. Try your tests again.
http://technet.microsoft.com/en-us/library/cc772007.aspx
Thanks,
Tarik Admani
*Please rate helpful posts*

Domain trying to validate against an incorrect server

Hi Guys,
I have a hosted exhcange cluster that has many many many domains all administered by a DC where each domain is an OU under a main OU called Hosting.
For some reason, a few mailboxes of a certain OU (not all the mailboxes) are tryong to validate against the domain associated with that OU. Meaning that if for example, The people in that OU has a domain called abcd.com and my mailserver is myexchange.com,
Those specific mailboxes are triying to connect to abcd.com and not to the mail server. I can't think of anything that might cause such a bizzare error. Any ideas?

Still I think, I need more info/not able to understand the real issue :)
1. Are you facing the autoconfiguration issue for other mailboxes also?
2. Do you have Outlook anywhere enabled? If so, do an outlook connectivity test through
www.testconnectivity.Microsoft.com
3. if the domain name selection box is grayed out, still you can enter the name like domainname\username and password
Regards from Visit ExchangeOnline |
Visit WindowsAdmin
1) No, only some mailboxes on this specific domain.
2) The connectivity test passed succesfully
3) It shoudln't be connecting to a domain to begin with, it lists their domain as the server it tries to connect to! it should be connecting to the exchange server and no the client's FQDN.

How to bypass from OAM authentication for certain domain

Hi All,
We are trying to unprotect certain domain from OAM domain but coudn't. Please help us fix this issue.
Environement details:
We have two nodes, one node for OAM_OSSO and another one for OSSO_Portal application.
OAM server details:
In this server, oracle application server single sign on(services are HTTP, OC4J, and OID) and OAM. Integrated OAM_OSSO using [ID 979827.1]
Portal server details:
In this server, oracle application server single sign on(services are HTTP, OC4J, and OID) and portal weblogic server(portal application) is running. portal weblogic is registered with thier own portal OSSO.
In OAM, We protected following portal url's
/sso/auth
/pls/orasso/orasso.wwsso_app_admin.ls_login
portal _OAM integration is working fine.
Now portal team come with new requirement for customer, application also running in their same portal weblogic server and that portal application domain is alreday registered with Portal OSSO and Portal OSSO page is protected by OAM. the requirement is bypass OAM authentication, and need to authentication against their own portal OSSO+OID.
Please tell me how to bypass OAM authentication from this scenerio.
-Sarath

Hi MD,
Thanks for your update.
We are using oracle 10g. Please tell me how Anonymous scheme will help us to get out from this issue.
Portal Weblogic server registered with portal IDM server and portal IDM server OSSO protected by IDM OAM. So if i tried any of the application which deployed under portal weblogic server will get protected by OAM right. Please correct me if iam wrong.
In this scenerio we have two OSSO, one in OAM node and another one in portal server. Now portal team come up with new webserver domain for customer, in customer scenerio we want authenticate againt portal OSSO with their own OID rather than using OAM authentication. Here my concern is, customer or employee the portal weblogic server and portal OSSO are common for both user but only difference in webserver domain.
So if i tried to access customer application, then customer webserver redirect to portal weblogic for open the requested page(note if webgate not in picture). portal weblogic server is register with portal OSSO and its redirect to portal OSSO for authentication but Portal OSSO server integrated with OAM using webgate.
1. When tried to access customer application ,Portal OSSO server tried to show own sso login page for authentication but Portal OSSO server already integrated with OAM. so portal OSSO server requested to OAM to access portal sso login page not the request of customer page login.
2. here,portal OSSO login page protected and OAM serve login page for OAM authentication against OAM OID. If i specify anonymous scheme for customer domain then how will work here, portal OSSO requested to OAM to access portal OSSO login page not the customer page or employee page...
Here OAM authentication will come into picture for all scenario but need bypass for customer login.
Requirement is when customer trying to access then authentication need to happen in portal OSSO not in OAM. Hope you understand the architecture.Please suggest how.
-Sarath
Edited by: 898990 on May 11, 2012 8:22 PM
Edited by: 898990 on May 11, 2012 8:25 PM

ISE 1.1 - 24492 Machine authentication against AD has failed

We implement Cisco ISE 802.1X and Machine Authentication With EAP-TLS.
Authentication Summary
Logged At:
March 11,2015 7:00:13.374 AM
RADIUS Status:
RADIUS Request dropped : 24492 Machine authentication against Active Directory has failed
NAS Failure:
Username:
[email protected]
MAC/IP Address:
00:26:82:F1:E6:32
Network Device:
WLC : 192.168.1.225 :
Allowed Protocol:
TDS-PEAP-TLS
Identity Store:
AD1
Authorization Profiles:
SGA Security Group:
Authentication Protocol :
EAP-TLS
Authentication Result
RadiusPacketType=Drop
AuthenticationResult=Error
Related Events
Authentication Details
Logged At:
March 11,2015 7:00:13.374 AM
Occurred At:
March 11,2015 7:00:13.374 AM
Server:
ISE-TDS
Authentication Method:
dot1x
EAP Authentication Method :
EAP-TLS
EAP Tunnel Method :
Username:
[email protected]
RADIUS Username :
host/LENOVO-PC.tdsouth.com
Calling Station ID:
00:26:82:F1:E6:32
Framed IP Address:
Use Case:
Network Device:
WLC
Network Device Groups:
Device Type#All Device Types,Location#All Locations
NAS IP Address:
192.168.1.225
NAS Identifier:
WLC-TDS
NAS Port:
4
NAS Port ID:
NAS Port Type:
Wireless - IEEE 802.11
Allowed Protocol:
TDS-PEAP-TLS
Service Type:
Framed
Identity Store:
AD1
Authorization Profiles:
Active Directory Domain:
tdsouth.com
Identity Group:
Allowed Protocol Selection Matched Rule:
TDS-WLAN-DOT1X-EAP-TLS
Identity Policy Matched Rule:
Default
Selected Identity Stores:
Authorization Policy Matched Rule:
SGA Security Group:
AAA Session ID:
ISE-TDS/215430381/40
Audit Session ID:
c0a801e10000007f54ffe828
Tunnel Details:
Cisco-AVPairs:
audit-session-id=c0a801e10000007f54ffe828
Other Attributes:
ConfigVersionId=7,Device Port=32768,DestinationPort=1812,RadiusPacketType=AccessRequest,Protocol=Radius,Framed-MTU=1300,State=37CPMSessionID=c0a801e10000007f54ffe828;30SessionID=ISE-TDS/215430381/40;,Airespace-Wlan-Id=1,CPMSessionID=c0a801e10000007f54ffe828,EndPointMACAddress=00-26-82-F1-E6-32,GroupsOrAttributesProcessFailure=true,Device Type=Device Type#All Device Types,Location=Location#All Locations,Device IP Address=192.168.1.225,Called-Station-ID=e0-d1-73-28-a7-70:TDS-Corp
Posture Status:
EPS Status:
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12502 Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12809 Prepared TLS CertificateRequest message
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12571 ISE will continue to CRL verification if it is configured for specific CA
12571 ISE will continue to CRL verification if it is configured for specific CA
12811 Extracted TLS Certificate message containing client certificate
12812 Extracted TLS ClientKeyExchange message
12813 Extracted TLS CertificateVerify message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12509 EAP-TLS full handshake finished successfully
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
Evaluating Identity Policy
15006 Matched Default Rule
24433 Looking up machine/host in Active Directory - [email protected]
24492 Machine authentication against Active Directory has failed
22059 The advanced option that is configured for process failure is used
22062 The 'Drop' advanced option is configured in case of a failed authentication request
But the user can authenticated by EAP-TLS
AAA Protocol > RADIUS Authentication Detail
RADIUS Audit Session ID :
c0a801e10000007f54ffe828
AAA session ID :
ISE-TDS/215430381/59
Date :
March 11,2015
Generated on March 11, 2015 2:48:43 PM ICT
Actions
Troubleshoot Authentication
View Diagnostic MessagesAudit Network Device Configuration
View Network Device Configuration
View Server Configuration Changes
Authentication Summary
Logged At:
March 11,2015 7:27:32.475 AM
RADIUS Status:
Authentication succeeded
NAS Failure:
Username:
[email protected]
MAC/IP Address:
00:26:82:F1:E6:32
Network Device:
WLC : 192.168.1.225 :
Allowed Protocol:
TDS-PEAP-TLS
Identity Store:
AD1
Authorization Profiles:
TDS-WLAN-PERMIT-ALL
SGA Security Group:
Authentication Protocol :
EAP-TLS
Authentication Result
[email protected]
State=ReauthSession:c0a801e10000007f54ffe828
Class=CACS:c0a801e10000007f54ffe828:ISE-TDS/215430381/59
Termination-Action=RADIUS-Request
cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-508adc03
MS-MPPE-Send-Key=5a:9a:ca:b0:0b:2a:fe:7d:fc:2f:8f:d8:96:25:50:bb:c8:7d:91:ba:4c:09:63:57:3e:6e:4e:93:5d:5c:b0:5d
MS-MPPE-Recv-Key=24:fa:8d:c3:65:94:d8:29:77:aa:71:93:05:1b:0f:a5:58:f8:a2:9c:d0:0e:80:2d:b6:12:ae:c3:8c:46:22:48
Airespace-Wlan-Id=1
Related Events
Authentication Details
Logged At:
March 11,2015 7:27:32.475 AM
Occurred At:
March 11,2015 7:27:32.474 AM
Server:
ISE-TDS
Authentication Method:
dot1x
EAP Authentication Method :
EAP-TLS
EAP Tunnel Method :
Username:
[email protected]
RADIUS Username :
[email protected]
Calling Station ID:
00:26:82:F1:E6:32
Framed IP Address:
Use Case:
Network Device:
WLC
Network Device Groups:
Device Type#All Device Types,Location#All Locations
NAS IP Address:
192.168.1.225
NAS Identifier:
WLC-TDS
NAS Port:
4
NAS Port ID:
NAS Port Type:
Wireless - IEEE 802.11
Allowed Protocol:

Hello,
I am analyzing your question and seeing the ISE logs i can see that the machine credentials was LENOVO-PC. Do you have shure that these credentials has in your Active Directory to validate this machine ? The machine certificate has the correct machine credentials from the domain ? The group mapped in the ISE rule has the machine inside this group ?
Differently from the user authentication that happens with success because the domain credentials can be validate from the Active Directory and get access to the network.

RADIUS Authentication Problems with NPS Server Eventid 6274

Hi,
We have struggled for a while with RADIUS auth for some clients against an NPS Server when the user or computer tries to connect to the wireless network the following error can be seen on the NPS server:
Network Policy Server discarded the request for a user
Contact the Network Policy Server administrator for more information.
User:
   Security ID:           NULL SID
   Account Name:           host/hostname.domainname.com
   Account Domain:           -
   Fully Qualified Account Name:   -
Client Machine:
   Security ID:           NULL SID
   Account Name:           -
   Fully Qualified Account Name:   -
   OS-Version:           -
   Called Station Identifier:       40-20-B1-F4-BB-15:Wireless-SSID
   Calling Station Identifier:       C1-18-85-08-10-E1
NAS:
   NAS IPv4 Address:       192.168.10.10
   NAS IPv6 Address:       -
   NAS Identifier:            AP name
   NAS Port-Type:           Wireless - IEEE 802.11
   NAS Port:           0
RADIUS Client:
   Client Friendly Name:        name
   Client IP Address:            192.168.10.10
Authentication Details:
   Connection Request Policy Name:   Secure Wireless Connections
   Network Policy Name:       -
   Authentication Provider:       Windows
   Authentication Server:        NPS servername
   Authentication Type:       -
   EAP Type:           -
   Account Session Identifier:       -
   Reason Code:           3
   Reason:               The RADIUS Request message that Network Policy Server received from the network access server was malformed.
Network Policy Server discarded the request for a user.
Contact the Network Policy Server administrator for more information.
User:
   Security ID:           NULL SID
   Account Name:            domainname\username
   Account Domain:           -
   Fully Qualified Account Name:   -
Client Machine:
   Security ID:           NULL SID
   Account Name:           -
   Fully Qualified Account Name:   -
   OS-Version:           -
   Called Station Identifier:        20-18-B1-F4-BB-15:Wireless-SSID
   Calling Station Identifier:       09-3E-8E-3E-5A-C9
NAS:
   NAS IPv4 Address:        192.168.10.10
   NAS IPv6 Address:       -
   NAS Identifier:            AP name
   NAS Port-Type:           Wireless - IEEE 802.11
   NAS Port:           0
RADIUS Client:
   Client Friendly Name:        name
   Client IP Address:            192.168.10.10
Authentication Details:
   Connection Request Policy Name:   Secure Wireless Connections
   Network Policy Name:       -
   Authentication Provider:       Windows
   Authentication Server:        NPS server name
   Authentication Type:       -
   EAP Type:           -
   Account Session Identifier:       -
   Reason Code:           3
   Reason:               The RADIUS Request message that Network Policy Server received from the network access server was malformed.
Message seen from the AP's logs:
(317)IEEE802.1X auth is starting (at if=wifi0.2)
(318)Send message to RADIUS Server(192.168.60.166): code=1 (Access-Request) identifier=157 length=162, User-Name=domain\username NAS-IP-Address=192.168.10.10 Called-Station-Id=40-18-B1-F4-BB-15:Wireless-SSID Calling-Station-Id=C0-18-85-08-10-E1
(319)Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=157 length=90
(320)Send message to RADIUS Server(192.168.60.166): code=1 (Access-Request) identifier=158 length=286, User-Name=domain\username NAS-IP-Address=192.168.10.10 Called-Station-Id=40-18-B1-F4-BB-15:Wireless-SSID Calling-Station-Id=C0-18-85-08-10-E1
(321)Send message to RADIUS Server(192.168.60.166): code=1 (Access-Request) identifier=161 length=162, User-Name=domain\username NAS-IP-Address=192.168.10.10 Called-Station-Id=40-18-B1-F4-BB-15:Wireless-SSID Calling-Station-Id=C0-18-85-08-10-E1
(322)Receive message from RADIUSServer: code=11 (Access-Challenge) identifier=161 length=90 BASIC
Output omitted
(330)Sta(at if=wifi0.2) is de-authenticated because of notification of driver
We have other NPS Servers with corresponding policy settings which are working so I am having trouble to understand why this errors occurs.
Initally the problem seemed to be related to the Cert on the NPS server cause it used the cert generated from the Somputer template. Now it uses the template for Domain controller just as the other NPS servers so this should not be the issue(Not sure if
this matters?)
Please guide me on how to take this further
Thank you :)
//Cris

Hi,
NPS Event ID: 6274.
This condition occurs when the NPS discards accounting requests because the structure of the accounting request message that was sent by a RADIUS client does not comply with the RADIUS protocol. You should reconfigure, upgrade, or replace the RADIUS client.
Detailed information reference：
Event ID 6274 — NPS Accounting Request Message Processing
https://technet.microsoft.com/en-us/library/cc735339(v=WS.10).aspx
Best Regards,
Eve Wang
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

ISE with per-windows 2000 domain

Hi
I am experiencing a problem with AD authentication.
I have joined the ISE appliance to the windows AD and I can browse the groups and attributes.
But the problem I am experincing is that the users logon to the domain using the pre-windows 2000 domain name.
FQDN format : ab.cdef.com - ISE is joined to this
pre-windows 2000 name : abcd - Users logon with this
So wen the users authenticate I get the following error : 22056 Subject not found in the applicable identity store.
Also tried to logon with [email protected] with no luck.
Does someone have any suggestions?
Thanks

The 802.11 Mac Layer is a bit longer than the ethernet mac layer. This sometimes cause problem with domain login because they are done using UDP by default. The frame are sometime drop. To test if this is your problem, I recomand changing the MTU on the 2000server(DC) and the host to something lesser than the actuel MTU on the interface. (configure the DC and host @1300 leaving the network @1500)
A Windows 2003 server as a default mtu of 13?? something to get around this problem. I usaully tell my users to install the cisco vpn client if they want to use domain in wireless because the installation of this client lower the MTU of every interface to 1300.
Another path you can look into is forcing kerberos to use TCP insted of UDP. (look on MS TechNet for method)

Authentication against 2000 domain server

Similar Messages

Maybe you are looking for