Authentication Interface in AAA Radius Configuration

Hello,
we are trying to authenticate against a RADIUS server.
Can you tell me which interface will be used for the authentication process?
With best regards

At least it looks like this:
Client   ------------> Lightweight Access Point  ----------------> WiSM --------X--------------> Radius Server
The WiSM firmware is at 4.2 and the RADIUS server is configured in the AAA settings as the authentication server and the accounting server.
The WiSM has multiple interfaces by factory default: management, ap-manager, service-port and virtual.
We added the interface test-Radius, which is configured with the WLAN the client connects to.
In the trap view I can see that the controller cannot reach the RADIUS server.
I think the controller uses the management interface to get in contact with the RADIUS server.
But the RADIUS server is only reachable over the test-Radius interface.
Can somebody tell me where I configure the controller to use the client interface "test-radius" to get in contact with the RADIUS server?
Best regards

Similar Messages

  • ISE - AAA radius authentication for NAD access

    Hi,
    I have configured the switches to use the ISE as the RADIUS server to authenticate with. On the ISE I've configured an authentication policy
    for the "NADs" using the "Wired Devices" group, which points to the AD identity source to authenticate against.
    While testing the login access to the switches we've come up with 2 results:
    1. A domain user can indeed login to the switch as intended.
    2. Every domain user which exists in the AD identity source can login; this is an undesired result.
    So I am trying to search for a way to restrict access to the NADs to only a particular group belonging to the AD, for example the group/OU
    of the IT_department only.
    I haven't been successful; would appreciate any ideas on how to accomplish this.
    Switch configurations :
    =================
    aaa new-model
    aaa authentication login default group radius local
    ISE Authentication policy
    ==================
    Policy Name : NADs Authentication
    Condition:  "DEVICE:Device Type Equals :All Device Types#Wired"
    Allowed Protocol : Default Network Access
    use identity source : AD1

    Thank you for the quick replies. Now, OK, I've configured the following authorization policy:
    Rule Name: Nad Auth
    Conditions
    if: Any
    AND: AD1:ExternalGroups EQUALS IT_Departments
    Permissions, then PermitAccess
    What I don't understand is that it needs to match an "identity group", which can be either "Endpoint Identity group" or "Users Identity group". I am limited with the if statement and cannot choose the same device group I chose before.
    How can I do that? I am thinking ahead and asking myself if in other cases a user might match this policy rule and can interfere?

  • What does IPSEC mean under Security - AAA - Radius - Authentication

    I can't find exact information regarding the IPSec checkbox in Security -> AAA -> Radius -> Authentication.
    On the Cisco Wireless LAN Controller Configuration Guide 5.1, it says "Check the IPSec check box to enable the IP security mechanism, or uncheck it to disable this feature.
    The default value is unchecked."
    What exactly is meant by IP security mechanism?
    Does this mean that I can terminate VPN clients on my WLC?
    Note that this option appears even though no crypto card is installed in my controller.

    This is old code from the Airespace days. There used to be a VPN module that would ride in the WLC. No longer supported, well can't buy it new, but if you had one already...you get the idea.
    HTH,
    Steve

  • AAA Radius Authentication Queries

    Have quite a few questions for implementing RADIUS for my network devices:
    Q.1.) How to safely implement AAA RADIUS authentication to make sure users can log in using the LOCAL database in case the RADIUS fails.
    Q.2.) How to provide only read access for a few users and full access to administrators.
    Q 3.) In case I save the config, will it be possible to log in to devices through any other alternative way (assuming both the RADIUS and local credentials are not working)?
    Q 4.) How to recover the password for devices, especially firewalls.
    Great it would be if someone can help me on these queries. Thanks in advance.
    Regards,
    gHP.

  • AAA Radius Authentication for Calling Card Platform

    Hi,
    I am using an AS5350 for a calling card application, using Clear Box as my RADIUS server for AAA. My question now: how would I know if Cisco is sending the DTMF for "enter card number.au" to the RADIUS server? Is the card number included in the VSA? Below are my configuration and the debug info. The problem here is that the card number that I entered isn't able to match against the configuration in my Clear Box/SQL database. I want to know what I should expect the Cisco AS5350 to send as a VSA for enter_card_number.
    aaa new-model
    aaa group server radius ClearBox
    server 192.168.1.1 auth-port 1812 acct-port 1813
    aaa authentication login default local
    aaa authentication login h323 group ClearBox
    aaa authorization exec h323 group ClearBox
    aaa accounting exec default start-stop group ClearBox
    aaa accounting network default start-stop group ClearBox
    aaa accounting connection h323 start-stop group ClearBox
    aaa session-id unique
    radius-server host 192.168.1.1 auth-port 1812 acct-port 1813
    radius-server key 7 0355481F031F761D
    radius-server vsa send accounting
    radius-server vsa send authentication
    call application voice prepaid tftp://192.168.1.2/debitcard-multi-lang-Cisco.1.1.0.2.tcl
    call application voice prepaid pin-len 10
    call application voice prepaid warning-time 300
    call application voice prepaid redirect-number 8662195822
    call application voice prepaid language 1 en
    call application voice prepaid language 2 sp
    call application voice prepaid language 3 ch
    call application voice prepaid set-location en 0 tftp://192.168.1.2/prompts/
    call application voice prepaid set-location sp 0 tftp://192.168.1.2/prompts/
    call application voice prepaid set-location ch 0 tftp://192.168.1.2/prompts/
    gw-accounting aaa
    ==================================================
    Getting session id for NET(00003600) : db=6418E654
    AA/ACCT/NET(00003600): add, count 1
    Getting session id for NET(00003601) : db=6410D098
    AAA/ACCT/NET(00003601): add, count 1
    AAA/ACCT/CONN(00003601): Pick method list 'h323'
    AAA/ACCT/SETMLIST(00003601): Handle 94000002, mlist 62D3B124, Name h323
    Getting session id for CONN(00003601) : db=6410D098
    AAA/ACCT/CONN(00003601): Queueing record is START
    AAA/ACCT(00003601): Accouting method=ClearBox (RADIUS)
    AAA/ACCT/EVENT/(00003601): ATTR ADD
    AAA/ACCT/CONN(00003601): START protocol reply PASS
    AAA/ACCT/EVENT/(00003601): VOICE DOWN
    AAA/ACCT/HC(00003601): Update VOICE/000020D3
    AAA/ACCT/HC(00003601): VOICE/000020D3 [sess] (rx/tx) base 0/0 pre 0/0 call 0/0
    AAA/ACCT/HC(00003601): VOICE/000020D3 [sess] (rx/tx) adjusted, pre 0/0 call 0/0
    AAA/ACCT/CONN(00003601): Queueing record is STOP osr 1
    AAA/ACCT(00003601): del node, session 174133
    AAA/ACCT/CONN(00003601): free_rec, count 1
    AAA/ACCT/CONN(00003601): Setting session id 174144 : db=6410D098
    AAA/ACCT/HC(00003601): Update VOICE/000020D3
    AAA/ACCT/HC(00003601): Deregister VOICE/000020D3
    AAA/ACCT/EVENT/(00003601): CALL STOP
    AAA/ACCT/CALL STOP(00003601): Sending stop requests
    AAA/ACCT(00003601): Send all stops
    AAA/ACCT/NET(00003601): STOP
    AAA/ACCT/NET(00003601): Method list not found
    AAA/ACCT/CONN(00003601): STOP protocol reply PASS
    AAA/ACCT/CONN(00003601) Record not present

    VSAs are collected by the RADIUS server during the accounting process when AAA is configured with the Debit Card feature. Data items are collected for each call leg created on the gateway. A call leg is the internal representation of a connection on the gateway. Each call made through the gateway consists of two call legs: incoming and outgoing. The call leg information emitted by the gateways can be correlated by the connection ID, which is the same for all call legs of a connection.
    Use the H.323 VSA method of accounting when configuring the AAA application.
    There are two modes:
    • Overloaded Session-ID
    Use the gw-accounting h323 syslog command to configure this mode.
    • VSA
    Use the gw-accounting h323 vsa command to configure this mode.

  • Radius configuration(dot1x) problem with ios version 15

    Hello all,
    I upgraded one 3750X from version 12.2(55) to 15.0(2)SE7 and I see that some configuration must be changed:
     Warning: The CLI will be deprecated soon
     'radius-server host xxxxxxxx auth-port 1645 acct-port 1646 test username name key 7 sharedsecret
     Please move to 'radius server <name>' CLI.
    I try to adapt the configuration but the 802.1x fails:
    radius server RADIUS-SRV
     address ipv4 xxxxxxxxxx auth-port 1645 acct-port 1646
     timeout 15
     retransmit 3
     automate-tester username name (username created in global configuration mode)
     key 7 sharedsecret
    aaa group server radius RADIUS-SRV
     server-private xxxxxxxxxx key 7 sharedsecret
     ip radius source-interface VlanX
    aaa authentication dot1x default group RADIUS-SRV
    aaa authorization network default group RADIUS-SRV 
    Here's the configuration for the interface with an IP phone connected :
     authentication event fail action authorize vlan 1
     authentication event server dead action authorize vlan 1
     authentication event no-response action authorize vlan 1
     authentication event server alive action reinitialize 
     authentication host-mode multi-domain
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation protect
     no snmp trap link-status
     dot1x pae authenticator
     dot1x timeout tx-period 5
    In the logs, I have the server-dead result (not the message that the switch can't reach the RADIUS server):
    Apr 28 12:33:45.075: %AUTHMGR-5-START: Starting 'dot1x' for client (MAC) on Interface Gi1/0/1 AuditSessionID 0A175140000004640014346D
    Apr 28 12:34:05.191: %DOT1X-5-FAIL: Authentication failed for client (MAC) on Interface Gi1/0/1 AuditSessionID 0A175140000004640014346D
    Apr 28 12:34:05.191: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'dot1x' for client (MAC) on Interface Gi1/0/1 AuditSessionID 0A175140000004640014346D
    When I put the old-fashioned config back, the IP phone is authenticated without problems; see the capture from the ACS server (attached file 802.1x-OK).
    With the new configuration (see attached file 802.1x-NOK), I don't have the same field in the ACS (username field) and I have the message 11036 The Message-Authenticator RADIUS attribute is invalid.
    Why doesn't the authentication "come" to the ACS like before with this new configuration? What am I missing?
    Thank you

    Hello all,
    I modified the configuration and now it's working:
    aaa group server radius RADIUS-SRV
     server-private xxxxxxxxxxxx timeout 15 retransmit 3 test username xxxxxxxxx key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
     ip radius source-interface xxxxx
    radius server RADIUS-SRV
     address ipv4 xxxxxx auth-port 1645 acct-port 1646
     key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxx
    aaa authentication dot1x default group RADIUS-SRV
    aaa authorization network default group RADIUS-SRV
    Regards
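ACS reports 11036 when the Message-Authenticator it recomputes over the Access-Request does not match the value the switch sent; a shared-secret mismatch between the two sides is the usual cause. The Python below is an added example, not code from this thread or from Cisco: it builds an EAP Access-Request, signs it per RFC 2869 section 5.14, and verifies it under the right and a wrong secret. The secrets, identifier, username and EAP payload are constructed values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single TLV")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, authenticator: bytes, secret: bytes,
                         username: bytes, eap_message: bytes) -> bytes:
    """Build an Access-Request carrying EAP and sign it with Message-Authenticator.

    RFC 2869 section 5.14: HMAC-MD5 keyed with the shared secret is taken over the
    whole packet with the Message-Authenticator value set to sixteen zero octets.
    """
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_EAP_MESSAGE, eap_message)
             + attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = header + authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    # The zeroed placeholder is the last attribute, so patch its value in place.
    return packet[:-16] + mac


def parse_attributes(packet: bytes):
    """Yield (type, offset of value, value) for each attribute after the header."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("bad attribute length")
        yield attr_type, pos + 2, packet[pos + 2:pos + attr_len]
        pos += attr_len


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """True only if the Message-Authenticator matches under this shared secret.

    This is the check a RADIUS server performs; failing it is what ACS logs as 11036.
    """
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    for attr_type, value_off, value in parse_attributes(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return False
            zeroed = packet[:value_off] + bytes(16) + packet[value_off + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False  # Access-Requests carrying EAP-Message must include it


def demo():
    """Sign with one secret, verify with the same and with a mismatched one."""
    secret_on_switch = b"sharedsecret"   # constructed value
    secret_on_server = b"anothersecret"  # constructed value, simulates a mismatch
    identity = b"host/phone01"           # constructed EAP-Response/Identity
    eap = struct.pack("!BBH", 2, 1, 5 + len(identity)) + b"\x01" + identity
    pkt = build_access_request(7, os.urandom(16), secret_on_switch, identity, eap)
    return (verify_message_authenticator(pkt, secret_on_switch),
            verify_message_authenticator(pkt, secret_on_server))  # (True, False)
```

The same verifier applied to a capture from the switch, with the secret you believe it holds, tells you whether the secret or something else is at fault before you touch the server policy.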

  • RADIUS configuration assistance

    Hi
    I want to configure RADIUS on my 2960 switch. I applied the configuration below:
    aaa new-model
    radius-server host 10.189.x.x key syafiq
    radius-server source-ports 1645-1646
    aaa authentication login default group radius local
    aaa authentication enable default group radius enable
    aaa authorization network default group radius local
    aaa authorization exec default group radius local
    aaa accounting exec default start-stop group radius
    aaa accounting network default start-stop group radius
    ip radius source-int vlan2
    line vty 0 4 
    login authentication default
    transport input ssh
    Unfortunately, I can't log in using the ID given, but I am able to log in through the local ID. I have checked the Cisco doc on the config and it looks like the configuration is correct. Please help. Thanks.

    My Oracle server's configuration is listed below:
    1. sqlnet.ora
    # SQLNET.ORA Network Configuration File: e:\oracle\ora92\network\admin\sqlnet.ora
    # Generated by Oracle configuration tools.
    SQLNET.AUTHENTICATION_SERVICES=radius
    SQLNET.RADIUS_SECRET=e:\oracle\ora92\network\security\radius.key
    SQLNET.RADIUS_AUTHENTICATION=192.168.1.198
    SQLNET.RADIUS_AUTHENTICATION_PORT=1645
    SQLNET.RADIUS_AUTHENTICATION_TIMEOUT=2
    SQLNET.RADIUS_AUTHENTICATION_RETRIES=4
    sqlnet.radius_accounting = off
    sqlnet.radius_challenge_response = off
    sqlnet.radius_authentication_interface = DefaultRadiusInterface
    2. I have added the following lines to the bottom of init.ora:
    REMOTE_OS_AUTHENT=FALSE
    OS_AUTHENT_PREFIX=""
    3. Restart the Oracle service and connect to the server:
    SQL> CREATE USER AAA IDENTIFIED EXTERNALLY;
    SQL> GRANT CREATE SESSION TO AAA;
    SQL> CONNECT AAA/AAApassword@ORCL;
    But the RADIUS server received nothing. What's wrong with my configuration?

  • 802.1x authentication not trying second Radius server

    I have 802.1x set up for port-based authentication on my 3750. I have two identical RADIUS servers set up and both work when they are the initial server. If I disable the NIC on the first server, it never fails over to the second one. (This only happens with 802.1x; logging directly onto the switch works but just takes longer.) What do I need to set to get the RADIUS to fail over faster, or at all for that matter?
    aaa authentication login default group radius local
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    interface FastEthernet1/0/11
    switchport access vlan 15
    switchport mode access
    dot1x pae authenticator
    dot1x port-control auto
    dot1x violation-mode protect
    spanning-tree portfast
    radius-server host 10.10.0.41 auth-port 1645 acct-port 1646 key radiuskey
    radius-server host 10.10.0.42 auth-port 1645 acct-port 1646 key radiuskey

  • AAA/Radius failures

    Have a couple of switches set up for AAA/RADIUS (Microsoft IAS running RADIUS). All authentication fails when I configure it with a RADIUS key (matching on switch and server).
    When I remove the key, I still can't authenticate with my domain credentials, and can only authenticate using the local admin password configured on the switch on a few occasions.
    To get back into the switch I have to stop the IAS service on the Microsoft RADIUS server, log into the switch with the local admin password, and then restart the IAS service.
    How can I make AAA/RADIUS work effectively?

    Mark
    There are several things that you might do:
    - reconfigure a switch and reconfigure the Radius server for that switch to eliminate the possibility of configuration mismatch. I would be sure to key in clear text keys rather than cut and paste some encrypted value which you assume will be the same on both ends.
    - look on the server to see if there are any log entries that indicate that it saw authentication requests and why they failed.
    - run debugs on the switches to see what they are reporting.
    HTH
    Rick

  • Unable to login on console after RADIUS configuration on switch.

    I'm having some problems logging on to a switch via console after applying the RADIUS config.
    When using telnet I can log on.
    But when trying to log on via console I'm getting:
    User Access Verification
    Username: xxx
    Password: xxx
    % Authentication failed
    What I want to achieve here is to use RADIUS for telnet & SSH, and the local user account for console.
    What am I missing here?
    Here's my AAA config.
    aaa authentication login default group radius local
    aaa authentication enable default group radius enable
    aaa authorization console
    aaa authorization exec default group radius local
    Thanks!

    Sorry, I was too fast. Cut and paste error from my notes. Anyway, the basics are when you want to enable AAA on IOS, but for console access you want to use the local database then you need to do following steps:
    1. Define local usernames: username xxx password yyy
    2. Configure aaa new-model
    3. Configure a named AAA authentication list: aaa authentication login LIST local
    4. Attach the named AAA authentication list to the console line: login authentication LIST
    If you want to use the local database only as fallback in case the aaa servers are not responding you use: aaa authentication login LIST group radius local 
    In above example no_radius is your LIST name. So, if you remove the password from the line con 0, and change aaa authentication login no_radius enable to aaa authentication login no_radius local, and attach this one to your line con 0, you will be using the local database for line con 0. The default list is still used on tty, vty and aux.
    If you use aaa authentication login no_radius group radius local instead of aaa authentication login no_radius local you are using the local database as a fallback.
    Kind regards
    (Sorry, not able to test this at this time so this is purely theory from my notes)

  • AAA Radius accounting command is not taking in 3750 switch

    Hi Cisco Support community,
    I am facing an issue with RADIUS accounting in a Cisco 3750 switch with version 12.2. I am unable to start accounting for the RADIUS server.
    This is the config that is on the switch for RADIUS.
    aaa authentication login default group radius local
    aaa authentication dot1x default group radius
    aaa authorization exec my-authradius group radius if-authenticated.
    radius-server attribute 6 on-for-login-auth
    radius-server dead-criteria time 20 tries 5
    radius-server host 10.100.1.225 auth-port 1645 acct-port 1646 key 7 14341A5801103F3904266021
    radius-server host 10.100.1.226 auth-port 1645 acct-port 1646 key 7 05280E5C2C585B1B390B4406
    When I try to add the following commands for accounting, they are not saved.
    (aaa accounting commands 0 default start-stop group radius
    aaa accounting commands 1 default start-stop group radius
    aaa accounting commands 15 default start-stop group radius)
    If I paste these commands one by one, after "start-stop group" it is showing only two options, either tacacs+ or server; there is no radius option.
    I tried to create a server group and add the RADIUS server to the group. Even then, when I am trying to implement the aaa accounting command with the server command, it is not showing in show run.
    Can anyone please help me with this issue.

    Hi,
    thanks for your reply, but the thing is that I want to see the commands that are being run by a user on this particular device. If I use the network command it will only show me the network-related service requests, including Serial Line Internet Protocol (SLIP), PPP, PPP Network Control Protocols (NCPs), and AppleTalk Remote Access Protocol (ARAP).
    I have read the document from this link and it is stating that we can use command accounting. Below is the link:
    http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a1.html
    Can anyone please tell me if this is a version issue, because even in version 15.4 I was not seeing the radius option at the end:
    aaa accounting commands 15 default start-stop group (radius) - in place of radius it was showing only Tacacs+ or group.

  • AAA Radius

    Hi,
    I want to use AAA (RADIUS server) to do PEAP authentication. Can I use different RADIUS vendors or do I need to use CSACS ONLY?

    You can use any RADIUS server; most of them (actually I guess all of them) support PEAP authentication.
    IAS, FunkSteel, CSACS etc....

  • Using LP as authentication interface

    Before, I used a 2600 as an ACS server client, using FastEthernet 0/0 as the AAA server authentication interface. Now I want to change FastEthernet 0/0 to the Loopback0 interface as the authentication interface, but I couldn't find any command that can specify the authentication interface on a Cisco 2600.
    Can anyone tell me whether a Cisco router can support this function, or which IOS can support the function?

    The command ip tacacs source-interface loopback 0 should do exactly what you are asking by allowing you to specify which interface will be used as the source address in authentication requests.
    HTH
    Rick

  • The interface type is valid, but the specified interface number is not configured

    Hi
    I'm all new to using LabVIEW, which I have to use for a project. I'm trying to make a setup with a Keithley 2000 multimeter and an Agilent U2722A SMU. But I can't figure out how to get these instruments to communicate with LabVIEW. I can see and send commands to the Keithley 2000, but not the Agilent U2722A, with Agilent Connection Expert. But when I use LabVIEW I can't see any of them, and if I use the drivers I've found with "NI Instrument Driver Finder - Configure Search" it pops up with an error message saying
    "Error -1073807195 occurred at VISA Open in Keithley 2000.lvlib:Initialize.vi->Keithley 2000 Read Multiple.vi?            
    Possible reason(s):
    VISA:  (Hex 0xBFFF00A5) The interface type is valid, but the specified interface number is not configured.?"
    I've read all the threads I could find about this problem, but none of them helped. I've checked that NiVi488.dll is checked in MAX under the VISA options. When I open the VISA Interactive Control I see an ASRL1>>ASRL1::INSTR and ASRL10>>ASRL10::INSTR. I don't know why it says ASRL when I'm using a USB/GPIB interface, but the Keithley 2000 has 10 as the address. (The Agilent U2722A is connected directly by USB.)
    Assume I know nothing.
    Thanks

    I'm using the GPIB-USB-HS. I also used this on the development PC when I exported the hardware configuration.
    This shows up in my MAX config and when I scan instruments, all of them show up. I can query them in MAX no problem.
    My installer includes all the .exe's from my project. As I said, I've done this with my previous 2009 installer without any issue. I upgraded my installer since I upgraded my project for version 2013. The error only happens when I run my code.

  • Cisco 2504 local RADIUS configuration: is there any way of backing up the user DB, in case the WLC dies?

    Please find the guide to keep the backup:-
    http://www.cisco.com/en/US/partner/docs/wireless/controller/7.0/configuration/guide/c70mfw.html#wp1063850
