Authentication via RADIUS : MSCHAPv2 Error 691

Hello All,
I am working on setting up authentication into an Acme Packet Net-Net 3820 (SBC) via RADIUS. The accounting side of things is working just fine with no issues. The authentication side of things is another matter. I can see from a packet capture that the access-request
messages are in fact getting to the RADIUS server at which point the RADIUS server starts communicating with the domain controllers. I then see the chain of communication going back to the RADIUS and then finally back to the SBC. The problem is the response
I get back is always an access-reject message with a reason code of 16 (Authentication failed due to a user credentials mismatch. Either the user name provided does not match an existing user account or the password was incorrect). This is confirmed by looking
at the security event logs where I can see events 4625 and 6273. See the events below (Note: The names and IPs have been changed to protect the innocent):
Event ID: 6273
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID:
NULL SID
Account Name:
real_username
Account Domain:
real_domain
Fully Qualified Account Name:
real_domain\real_username
Client Machine:
Security ID:
NULL SID
Account Name:
Fully Qualified Account Name:
OS-Version:
Called Station Identifier:
Calling Station Identifier:
NAS:
NAS IPv4 Address:
10.0.0.10
NAS IPv6 Address:
NAS Identifier:
radius1.real_domain
NAS Port-Type:
NAS Port:
101451540
RADIUS Client:
Client Friendly Name:
sbc1mgmt
Client IP Address:
10.0.0.10
Authentication Details:
Connection Request Policy Name:
SBC Authentication
Network Policy Name:
Authentication Provider:
Windows
Authentication Server:
RADIUS1.real_domain
Authentication Type:
MS-CHAPv2
EAP Type:
Account Session Identifier:
Logging Results:
Accounting information was written to the SQL data store and the local log file.
Reason Code:
16
Reason:
Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
Event ID: 4625
An account failed to log on.
Subject:
Security ID:
SYSTEM
Account Name:
RADIUS1$
Account Domain:
REAL_DOMAIN
Logon ID:
0x3E7
Logon Type: 3
Account For Which Logon Failed:
Security ID:
NULL SID
Account Name:
real_username
Account Domain:
REAL_DOMAIN
Failure Information:
Failure Reason:
Unknown user name or bad password.
Status:
0xC000006D
Sub Status:
0xC000006A
Process Information:
Caller Process ID:
0x2cc
Caller Process Name:
C:\Windows\System32\svchost.exe
Network Information:
Workstation Name:
Source Network Address:
Source Port:
Detailed Authentication Information:
Logon Process:
IAS
Authentication Package:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services:
Package Name (NTLM only):
Key Length:
0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
So at first glance it would seem that the issue is merely a case of an invalid username or mismatched password. This is further confirmed in the packet capture where I can see the MSCHAPv2 response has an error code of 691 (Access denied because username or
password, or both, are not valid on the domain). The thing is I know I am using a valid username and I have tried many usernames including new ones I created just for troubleshooting. I don't know how many times I have reset the password in an attempt to ensure
it is not a mismatch password. I have even made sure to use passwords that are fairly short and contain only letters to ensure there was no terminal encoding issues (we connect to the SBC via SSH clients). I have also done this same thing with the shared secret
used during communication between the SBC and the RADIUS server. I have tried prefixing the username with the domain name at login (though I don't think that should be necessary). I have also tried using the full UPN of the user to login. I have tried several
RADIUS testing clients (NTRadPing, RadiusTest, etc.), but they either don't support MSCHAPv2 or only support EAP-MSCHAPv2. I have even created my own client using PHP's PECL RADIUS module. Still it always seems to fail with the MSCHAPv2 authentication with
an error code of 691. Does anyone have any ideas as to why I always get an invalid username or bad password response when I have done everything possible to ensure that is not the case?
Here are the specs for our RADIUS configuration:
Windows Server 2012 R2
SQL Server 2012 Back End Database for accounting.
The server has been authorized on the domain and is a member of the "RAS and IAS Servers" group. For which that group does have access to the accounts we are testing with.
The accounts we are testing with do have the "Control access through NPS Network Policy" option checked under their "Dial-in" property tab.
RADIUS clients configured to simply match on the IP address which you can see from the events above that it is applying the client friendly name.
Connection Request Policy: The "SBC Authenication" policy is being applied as seen above. The only condition is a regex expression that does successfully match the friendly name.
Network Policy: As seen in events above, none are getting applied. For troubleshooting purposes I have created a Network Policy that is set to "1" for the processing order and its only condition is a Day and Time Restriction currently set to any
time, any day.
The authentication method is set to only MSCHAPv2 or MSCHAPv2 (User can change password after it has expired). I have tried adding this to just the Network Policy and I have also tried adding this to the Connection Request Policy and setting it to override
the authentication method of the Network Policy.
We do have other RADIUS servers in our domain that use PEAP to authenticate wireless clients and they all work fine. However, we need this to work with MSCHAPv2 only (No EAP).
All other configurations are set to the defaults.
The only other things of note to consider is the fact that in the events above you can see that the Security ID is "NULL SID". Now I know this is common especially among failed logons but given that this issue is stating an invalid username or
bad password, perhaps it matters in this case. Also, this server has been rebuilt using the same computer account in Active Directory. I do not know if it would have worked before the rebuild. Essentially we built this server and only got as far as authorizing
the server to the domain and adding SQL when we decided to separate out the SQL role onto another server. Rather than uninstalling SQL we just rebuilt the machine. However, before reinstalling Windows I did do a reset on the computer account. I don't think
this should matter but thought I would point it out if there is some weird quirk where reusing the same SID of a previously authorized NPS server would cause an issue.
All in all it is a fairly basic setup and hopefully I have provided enough information for someone to get an idea of what might be going on. I hope this was the right forum to post this too, I figured there would be a higher number of RADIUS experts here than
any of the other categories. Apologies if my understanding of this seems a bit basic, after all, when it comes to RADIUS servers I guess you could say I'm the new guy here.

Update 1:
In an attempt to further troubleshoot this issue I have tried bringing up additional servers for testing. Here are the additional tests I have performed.
Multiple Domains
I have now tried this in 3 different isolated domains. Both our test and production domains as well as my private home domain which has very little in the way of customizations aside from the modifications made for Exchange and ConfigMgr. All have the same
results described above.
VPN Service
Using Windows Server 2012 R2 we brought up a separate server to run a standard VPN setup. The intent was to see if we could use RADIUS authentication with the VPN and if that worked we would know the issue is with the SBCs. However, before we could even
configure it to use RADIUS we just attempted to make sure it worked with standard Windows Authentication on the local VPN server. Interestingly, it too fails with the same events getting logged as the RADIUS servers. The client machine being a Windows 8.1
workstation. Again I point out that we have working RADIUS servers used specifically for our wireless environment. The only difference between those RADIUS servers and the ones I am having problems with is that the working wireless servers are using PEAP instead
of MSCHAPv2.
FreeRADIUS
Now I'm no Linux guru but I believe I have it up and running. I am able to use ntlm_auth to authenticate users when logged on to the console. However, when the radiusd service tries to use ntlm_auth to do essentially the same thing it fails and returns the
same message I've been getting with the Windows server (E=691). I have the radiusd service running in debug mode so I can see more of what is going on. I can post the debug info I am getting if requested. The lines I am seeing of particular interest however
are as follows:
(1) ERROR: mschap : Program returned code (1) and output 'Logon failure (0xc000006d)'
(1) mschap : External script failed.
(1) ERROR: mschap : External script says: Logon Failure (0xc000006d)
(1) ERROR: mschap : MS-CHAP2-Response is incorrect
The thing to note here is that while we are essentially still getting a "wrong password" message, the actual status code (0xc000006d) is slightly different than what I was getting on the Windows Servers which was (0xc000006a). From this document
you can see what these codes mean:
NTSTATUS values . The good thing about this FreeRADIUS server is that I can see all of the challenge responses when it is in debug mode. So if I can wrap my head around how a MSCHAPv2 response is computed I can compare it to see if this is simply a miscomputed
challenge response. Update: Was just noticing that the 6a code is just the sub-status code for the 6d code. So nothing different from the Windows Servers, I still wonder if there is a computation error with the challenge responses though.
Currently, I am working on bringing up a Windows Server 2008 R2 instance of a RADIUS server to see if that helps at all. However, I would be surprised if something with the service broke between W2K8 R2 and W2K12 R2 without anyone noticing until now. If this
doesn't work I may have to open a case with Microsoft. Update: Same results with W2K8 R2.

Similar Messages

Self Assigned IP even though I am Authenticated via PEAP(MSCHAPv2) to WPA2

Help!
After installing Snow Leopard 10.6.1 on my 2.16 GHz Core Duo MacBook Pro running OS 10.5, I can no longer connect to the WPA2 Enterprise network at the University of Ottawa. I can still connect to other encrypted networks, such as my home WEP encrypted network. Before the installation I was able to connect to the WPA2 enterprise network.
When attempting to connect, under network preferences I can see that my computer is Authenticated via PEAP(MSCHAPv2) and a timer showing my time connected is running. However under status, it says that I have a self assigned IP and that I cannot connect to the internet. As a result I cannot connect to the internet.
I have included a picture that describes my problem exactly:
Does anyone have this problem? Can anyone help me?
Thanks!

The thing you and many others forget is that these forums are for those with problems. Those for whom the installs works without fault do not visit here. They do not post. There are about 9,000 topics in the Installation and Using forums (the largest two) and even if every topic were an unique fault, this would mean a small fraction of the installed base.
According to AppleInsider the Q1 sales of SL would be circa 5 million copies, and other reports indicate these numbers have been surpassed in the early months. So lets go for one months sales at only 1.5 million copies. 9,000 faults in 1.5 million copies is only a 0.6% rate and that's if every topic is a different fault (which it plainly isn't).
So I'm afraid your argument is even less convincing - a few people report your fault, and even if only 1% of the installed base uses it, its still infinitesimal. IMO, the vast majority of problems arise from an initial Leopard installation that had enough variability of build to make enhancements problematical. I'd be the first to admit its not Apples finest hour, but its certainly not bad for the overwhelming majority.
Perhaps you could apply to be an Apple tester, to help solve this issue ? Its better than standing on the sidelines complaining about everyone elses work for certain.
Or log a fault request as it will get looked at I can assure you, but only if there is a tester who is actually able and willing to test that particular piece of functionality.

Cisco Prime Infrastructure 2.1 GUI authentication via RADIUS server (Cisco ISE 1.2 integrated with AD)

Hi,
I want to access Cisco PI 2.1 GUI using my AD credentials, so on PI I've enabled RADIUS AAA Mode and added RADIUS servers (two ISE nodes in our case). On ISE I added PI as RADIUS client and configured the same keys. Next, on ISE I created authorization profile PRIME_ADMIN_ACCESS with only attribute settings defined:
My authentication and authorization rules relating that case are as on following screenshots:
So when I open GUI of PI and enter my AD credentials to log in I have no success and I receive following message:
Looking in ISE's Authentication section I can see following:
Time difference between these two authentication/authorizations is just 25 msecs and clicking on each of them reveals following:
So at first I can authenticate and authorize (authorization profile has necessary attributes defined for PI management access (NCS:role0=Root, NCS:virtual-domain0=ROOT-DOMAIN)) and after 25 msecs I am getting failure. So what could be cause of such things and how I can successfully log in to PI GUI authenticating via ISE using AD credentials?

Hi,
-- Please Go to Administration > Logging > set the Message level to TRACE > Click save
-- Then try to add the ISE.
-- Once it fails, collect the logs from Administration > Logging >
check the "ncs-0-0.log" & search the file for "ERROR" & paste the results here. This will give us exact reason.
- Ashok
Please rate the post or mark as correct answer as it will help others looking for similar information

802.1x Port Authentication via RADIUS

I am investigating implementing 802.1x port authentication on our network.
I have a test LAN with a Catalyst 2950 switch and 2 Win XP workstations, (I know its pretty basic, but should be enough for testing purposes). One of these XP PCs is running a Win32 RADIUS server and the other has been configured for 802.1x authentication with MD5-Challenge. Both switch ports are configured for the default vlan and can ping each other.
I have configured the switch with the following commands
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host x.x.x.x key test
and the port to be authorised has been configured with
dot1x port-control auto
As far as I can tell this is all I need to configure on the switch, please correct me if I am wrong.
When I plug the PC into the port I get the request to enter login details, which I do, the RADIUS server sees the request but rejects it, because 'the password wasnt available'. Here is the output from the request, but there isnt any password field and I know there should be as the RADIUS server comes with a test utility and the output from that is similar to below, but the password field is included. I have removed IP/MAC addresses.
Client address [x.x.x.x]
NAS address [x.x.x.x]
UniqueID=3
Realm = def
User = Administrator
Code = Access request
ID = 26
Length = 169
Authenticator = 0xCCD65F510764D2B2635563104D0C2601
NAS-IP-Address = x.x.x.x
NAS-Port = 50024
NAS-Port-Type = Ethernet
User-Name = Administrator
Called-Station-Id = 00-11-00-11-00-11
Calling-Station-Id = 11-00-11-00-11-00
Service-Type = Framed
Framed-MTU = 1500
State = 0x3170020000FCB47C00
EAP-Message = 0x0201002304106424F60D765905F614983F30504A87BA41646D696E6973747261746F72
Message-Authenticator = 0xA119F2FD6E7384F093A5EE1BF4F761EC
Client address [x.x.x.x]
NAS address [x.x.x.x]
UniqueID=4
Realm = def
User = Administrator
Code = Access reject
ID = 26
Length = 0
Authenticator = 0xCCD65F510764D2B2635563104D0C2601
EAP-Message = 0x04010004
Message-Authenticator = 0x00000000000000000000000000000000
On the 2950 I have turned on debugging with 'debug dot1x all' and part of the output is below:
*Mar 2 01:58:38: dot1x-ev:Username is Administrator
*Mar 2 01:58:38: dot1x-ev:MAC Address is 0011.0011.0011
*Mar 2 01:58:38: dot1x-ev:RemAddr is 00-11-00-11-00-11/00-11-00-11-00-11
*Mar 2 01:58:38: dot1x-ev:going to send to backend on SP, length = 26
*Mar 2 01:58:38: dot1x-ev:Received VLAN is No Vlan
*Mar 2 01:58:38: dot1x-ev:Enqueued the response to BackEnd
*Mar 2 01:58:38: dot1x-ev:Sent to Bend
*Mar 2 01:58:38: dot1x-ev:Received QUEUE EVENT in response to AAA Request
*Mar 2 01:58:38: dot1x-ev:Dot1x matching request-response found
*Mar 2 01:58:38: dot1x-ev:Length of recv eap packet from radius = 26
*Mar 2 01:58:38: dot1x-ev:Received VLAN Id -1
Again there doesnt appear to be a password, shouldn't I see one?
Ultimately we will be using a Unix RADIUS server but for testing purposes I have just configured an eval version of Clearbox's RADIUS server. I've tried others as I thought the problem maybe the software, but I get similar problems regardless. If anyone can recommend better Win32 software, please do so.
I'm struggling to figure out where the problem is, the XP machine, the switch or the RADIUS server. Any advice would be appreciated as it's getting quite frustrating.

These are dot1x event debugs, so you wouldn't see this with that debug. The closest thing to seeing it would be to debug radius on the switch, and the password would be contained in RADIUS Attribute[79]. The switch uses this attribute to replay the EAP message (unmodified) to a RADIUS server. You might see it, but it's encrytped, so it might not buy you much. I'm sure you can imagine from a security point of view why the switch won't/shouldn't have this much visibility into this ;-).
I would recommend either:
a) Double-checking your RADIUS setup and logs to find out why the user failed. (double-check the RADIUS key configured on the switch too .. it must match).
b) Downloading a third-party supplicant from Meetinghouse or Funk to use as a control.
Eval copies are available on their websites.
Hope this helps,

ISE Sponsor Authentication via RADIUS

My client is requesting us to change the way the sponsor users are authenticated and authorized to access the ISE Sponsor Portal.
Their like to pass the ISE request to AD through a RADIUS server first. They said "to avoid sending AD credentials to ISE directly". Under this requirements,
My search and limited knowledge give me to assume I should define a Proxy RADIUS
I think I can Define an External RADIUS server, but I wonder if creating this, it would be available as an Identity Source for the "Sponsor Portal Sequence".
If not, how can I add this? After that, what conditions or attributes should I look for to use in the "Sponsor Group Policy" in order to filter username/password and allow access only to employees and deny access to anyone else?
I will appreciate any advice you can give me to offer the best recommendation to the customer.
Regards.
Daniel Escalante.

I think I understood the customer concern. This is quoted from Microsoft http://support.microsoft.com/kb/321051
"The Lightweight Directory Access Protocol (LDAP) is used to read from and write to Active Directory. By default, LDAP traffic is transmitted unsecured. You can make LDAP traffic confidential and secure by using Secure Sockets Layer (SSL) / Transport Layer Security (TLS) technology."
So the question now is how can we be sure the ISE communication is secure? ... I understand port 636 is used to transport LDAP-Secure ...
The ISE User Gude indicates that one of the ports required to be open in the case a firewall exists between ISE and ADE is 636 (LDAPS). -(ISE User Guide Page 5-6)
In my case there is no FW between ISE and AD, so where or how can I show the customer we are using LDAPS?
Regards.

801.x WLANs authenticated via Radius and Active Directory permit any user access any WLAN

Hi,
I have configured several WLANs with WPA2 and 8021.x which authenticate users through Radius server (Windows Internet authentication service) that conects with an Active Directory, into the AD exists one user group for each WLAN but the problem is that any user that was added to some group can get access to any WLAN, does anyboby know if I need some configuraion on the WLC to restric that?
thanks for your help.

Hi Scott,
I have done some test modifying the Radius Policy to look at called station ID and test too looking at the NAS-ID, In the first case, I change the Call Station ID Type into WLC RADIUS Authentication Servers configuration to AP MAC Address:SSID and AP Name:SSID and into the Radius Server using .*:SSID-NAME$ and SSID-NAME$ ,but it blocks access for any user. In the second case, I change the NAS-ID into WLC WLAN and interface confguration and into the radius server Policy to match all, but it doesn´t have any impact, what other test could I try?
thanks for your help.

Anyconnect authentication via Radius (IAS) using AD groups

Hi all,
I'm trying to figure out how to setup our ASA to use AD group membership to assign users a profile using Radius. The goal is to setup different access into the network.
For instance, one group would be allowed full access to the network, including access to infrastructure elements (ASA, routers, etc.)
Another group will be given basic access to the network, but no access to the DMZ.
Another group will be allowed access to the DMZ server, but not to the infrastructure.
We're currently using Radius (IAS) on Windows Server 2003. Is there a way to check group membership in AD using Radius?
I'd like to keep this as simple as possible, so I'm thinking of each profile using a different VPN Pool, then using split-tunneling to put routes, or not, to the required networks on the users device. The users would only belong to one group in AD. They will be able to choose their group, but if they're not a member they should be denied.
I've done LDAP authentication using group membership, but we need good accounting and logging so we'd like to use the Radius server. I've looked for this info everywhere, but it's pretty elusive.
Thanks for any suggestions, links, step-by-step instructions or volunteers to come on-site and help

It's significantly easier with security products like Cisco Identity Services Engine, but you're adding infrastrcture and cost. Next best thing is DAP. DAP is actually pretty easy, don't let the config guide scare you away from it. IMO MS Radius stinks for anything other than basic authentication so I never use it for anything else.

Authentication via RADIUS

Hello,
we are running an Cisco WiSM in an Catalyst 6509 and we are trying to authenticate our clients against an radius Server.
As Interfaces we have configured´:
Management with IP: 172.17.140.9
Ap-Manager with IP: 172.17.140.10
Virtual IP: 1.1.1.1
Guest Lan with IP: 192.168.6.3
The Management Network is a closed Network with no Internet connection.
The Radius Server we want to use is at an other Location and has an official IP.
We have configured the WLAN to use the Guest Lan as outgoing Interface.
The Security Tab is configured as WPA + 802.1X with Radius Servers set in the AAA Servers TAB
The Controller is configured as AAA Client at the radius Server.
If we try to auth with our Client the Client keeps in "Verifing Mode"
The Controller Log shows "Radius Server x.x.x.x:1812 failed to respond to request (ID 91) for client xxx"
Any Ideas?
Has the Radius Server to be on the same Subnet as the Management interface?
Best regards

Hi,
Actualy i d'not know the solution but require some help from you setting the AP..
Can you please tell me how you have setup the guest access on the wireless device that use username/password credentials? is it using the peap using the certificate or with out it. your response wll be much appriciated.

Cisco 1602i + Authenticating users via RADIUS?

               Hello,
Our company recently purchased a Cisco 1602i standalone WAP to replace the WAP4410Ns that we were having issues with. I am now attempting to configure the RADIUS authentication, as we have a User network and a Guest connection. The Guest connection works fine, using WPA PSK. However, I can't seem to get the RADIUS authentication to work. Reading the documentation has got me a little confused, and I have tried turning on debugging (debug radius authentication, debug aaa) but those show nothing. Also, in the RADIUS server itself (Windows 2008 R2 NPS), I see nothing in the logs when I try to connect using a device or the "test aaa" command. Can someone guide me on what I'm doing wrong? I followed someone's advice on another forum and removed "authentication network-eap" from the SSID (phoenix_2), and now when I attempt to connect with a device it just asks me for a password, it doesn't prompt for a username anymore. I am very stumped. Here's the relevant config:
aaa new-model
aaa group server radius rad_eap
server 10.200.5.24
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
clock timezone EST -5 0
ip cef
ip domain name gst
dot11 syslog
dot11 vlan-name guest vlan 255
dot11 vlan-name user vlan 140
dot11 ssid phoenix_2
   vlan 140
   band-select
   authentication open eap eap_methods
   mbssid guest-mode
dot11 ssid walker_2
   vlan 255
   band-select
   authentication open
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii 7 0353035E535879191B
interface BVI1
ip address 10.200.5.70 255.255.255.0
ip default-gateway 10.200.5.1
ip forward-protocol nd
no ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip route 0.0.0.0 0.0.0.0 10.200.140.1
ip route 0.0.0.0 0.0.0.0 10.200.5.1
ip radius source-interface BVI1
access-list 111 permit tcp any any neq telnet
snmp-server community G!0bal RO
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.200.5.24 key 7 01445E510E1C07032A495C0D0B0C011718190D3E2E767863
radius-server vsa send accounting
The NPS worked just fine with the WAP4410Ns, not sure why we're having so much trouble with the 1602i.

Thanks Rasika, your link worked. I had the authentication key before, but i removed it while I was trying different things. My main issue was not applying the list name to the ssid, the documentation did not make it clear that when the radius server is specified using the "radius-server ...." command, that the radius group refers to that command when you configure the group. Once that clicked, it made sense that the method list name was specifed by the radius group, and that the authentication methods then referred to the radius group. It was a big question mark in my head how the radius server was applied to the SSID prior to reading your post.
I haven't tried the "erase startup-config" command yet, I will try that next.
Quick question, why are both authentication open and authentication network-eap needed? I would assume authentication network-eap would suffice, unless the authentication open command refers to the allowed devices and not just authentication via RADIUS?

WLC Management Admin via RADIUS

I am trying to have a management user authenticate via radius and have full admin privileges.
For a WCS I can simply set the radius attribute of "Cisco-AVPair.attr|Wireless-WCS:role0=Admin" and that user will get full admin rights. I found this doc to grant a user lobby admin:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080871921.shtml
but, it is specific to the using the Cisco ACS as a radius server. What attributes do I need to set for a user to get full admin rights to a WLC when authenticating via radius? Thanks.

My problem: I have a local management user profile defined on my WLC and it works fine when the Priority Order is set to LOCAL. When I change the Priority Order to make RADIUS first and LOCAL second, I can't get logged into the WLC using CLI, GUI, or the console. The last time this happened I had to reset the WLC and start over. I don't want to do that again, so I need some way to get into the WLC.
Once I can get back into the WLI would prefer using Active Directory to authenticate the management user but that doesn't seem to work. My RADIUS acts as a front end for the Active Directory database and works well for many of our Cisco LAN switches andd Routers. Now I'm trying to set up the WLC to authenticate the management user with RADIUS. I have set the RADIUS (MS IAS) to return two attributes;
1. Vendor-Specific -Vendor Code 14179, Value=management
2. Service-Type - Value=Login
When I try to login using my AD account, the RADIUS server log shows an Access Request record, then an Access-Accept record that makes it appear RADIUS has successfully authenticated the user. But the login prompt for the GUI comes back as if it has failed. Same with the CLI login. Now I can't get logged into the WLC. How can I get into the box to manage it again?
Thanks

Web authentication with Radius server problem

Hello,
I'm having problem to web authenticate users via radius server for one WLC. Here is the outpu from WLC:
*emWeb: Mar 26 14:17:31.537: 20:7d:xx:xx:d8:f0 Username entry (aaaaaa) created for mobile, length = 7
*emWeb: Mar 26 14:17:31.537: 20:7d:xx:xx:d8:f0 Username entry (aaaaaa) created in mscb for mobile, length = 7
*aaaQueueReader: Mar 26 14:17:31.537: Unable to find requested user entry for aaaaaa
*aaaQueueReader: Mar 26 14:17:31.537: ReProcessAuthentication previous proto 8, next proto 1
*aaaQueueReader: Mar 26 14:17:31.537: AuthenticationRequest: 0x1e08eb94
*aaaQueueReader: Mar 26 14:17:31.538:   Callback.....................................0x10908d90
*aaaQueueReader: Mar 26 14:17:31.538:   protocolType.................................0x00000001
*aaaQueueReader: Mar 26 14:17:31.538:   proxyState...................................20:7D:xx:xx:D8:F0-00:00
*aaaQueueReader: Mar 26 14:17:31.538:   Packet contains 11 AVPs (not shown)
*aaaQueueReader: Mar 26 14:17:31.538: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
*aaaQueueReader: Mar 26 14:17:31.538: 20:7d:xx:xx:d8:f0 Successful transmission of Authentication Packet (id 67) to 10.xx.33.249:1645, proxy state 20:7d:xx:xx:d8:f0-00:01
*aaaQueueReader: Mar 26 14:17:31.538: 00000000: 01 43 00 8c 48 7c a7 ff df 06 53 30 c0 be e1 8e .C..H|....S0....
*aaaQueueReader: Mar 26 14:17:31.538: 00000010: d7 fd 8b d3 01 09 73 65 66 72 73 76 65 02 12 7b ......aaaaaa..{
*aaaQueueReader: Mar 26 14:17:31.538: 00000020: ae 2e f5 eb fa cf f5 cc 3b 08 65 d7 04 0e ba 06 ........;.e.....
*aaaQueueReader: Mar 26 14:17:31.538: 00000030: 06 00 00 00 01 04 06 0a 2e 09 14 05 06 00 00 00 ................
*aaaQueueReader: Mar 26 14:17:31.538: 00000040: 0d 20 0d 73 65 76 73 74 2d 6c 77 63 31 30 3d 06 ...xxxxx-lwc10=.
*aaaQueueReader: Mar 26 14:17:31.538: 00000050: 00 00 00 13 1a 0c 00 00 37 63 01 06 00 00 00 01 ........7c......
*aaaQueueReader: Mar 26 14:17:31.538: 00000060: 1f 0e 31 39 32 2e 31 36 38 2e 31 2e 36 31 1e 0c ..192.168.1.61..
*aaaQueueReader: Mar 26 14:17:31.538: 00000070: 31 30 2e 34 36 2e 39 2e 32 30 50 12 95 11 7c d9 10.xx.9.20P...|.
*aaaQueueReader: Mar 26 14:17:31.538: 00000080: 75 8e 01 6e bf 62 38 f8 38 ab 68 4a              u..n.b8.8.hJ
*radiusTransportThread: Mar 26 14:17:31.603: 00000000: 03 43 00 14 e5 8c e7 75 52 04 af e0 07 b7 fb 96 .C.....uR.......
*radiusTransportThread: Mar 26 14:17:31.603: 00000010: c1 4a fb 40                                       .J.@
*radiusTransportThread: Mar 26 14:17:31.603: ****Enter processIncomingMessages: response code=3
*radiusTransportThread: Mar 26 14:17:31.603: ****Enter processRadiusResponse: response code=3
*radiusTransportThread: Mar 26 14:17:31.603: 20:7d:xx:xx:d8:f0 Access-Reject received from RADIUS server 10.xx.33.249 for mobile 20:7d:xx:xx:d8:f0 receiveId = 0
*radiusTransportThread: Mar 26 14:17:31.603: ReProcessAuthentication previous proto 1, next proto 2
*radiusTransportThread: Mar 26 14:17:31.603: AuthenticationRequest: 0x1da9fa4c
*radiusTransportThread: Mar 26 14:17:31.603:    Callback.....................................0x10908d90
*radiusTransportThread: Mar 26 14:17:31.603:    protocolType.................................0x00000002
*radiusTransportThread: Mar 26 14:17:31.603:    proxyState...................................20:7D:xx:xx:D8:F0-00:00
*radiusTransportThread: Mar 26 14:17:31.603:    Packet contains 11 AVPs (not shown)
*radiusTransportThread: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Returning AAA Error 'No Server' (-7) for mobile 20:7d:xx:xx:d8:f0
*radiusTransportThread: Mar 26 14:17:31.605: AuthorizationResponse: 0x2dd03648
*radiusTransportThread: Mar 26 14:17:31.605:    structureSize................................32
*radiusTransportThread: Mar 26 14:17:31.605:    resultCode...................................-7
*radiusTransportThread: Mar 26 14:17:31.605:    protocolUsed.................................0x00000002
*radiusTransportThread: Mar 26 14:17:31.605:    proxyState...................................20:7D:xx:xx:D8:F0-00:00
*radiusTransportThread: Mar 26 14:17:31.605:    Packet contains 0 AVPs:
*emWeb: Mar 26 14:17:31.605: Authentication failed for aaaaaa
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Username entry deleted for mobile
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Plumbing web-auth redirect rule due to user logout
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 192.168.1.61 WEBAUTH_REQD (8) Deleting mobile policy rule 42461
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Adding Web RuleID 42464 for mobile 20:7d:xx:xx:d8:f0
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Web Authentication failure for station
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 192.168.1.61 WEBAUTH_REQD (8) Reached ERROR: from line 5069
That was pretty clear for me that Radius is refusing to give user access.
Fully-Qualified-User-Name = NMEA\aaaaaa
NAS-IP-Address = 10.xx.9.20
NAS-Identifier = xxxxx-lwc10
Called-Station-Identifier = 10.xx.9.20
Calling-Station-Identifier = 192.168.1.61
Client-Friendly-Name = YYY10.xx
Client-IP-Address = 10.xx.9.20
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 13
Proxy-Policy-Name = Use Windows authentication forall users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = YYYYY Wireless Users
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 66
Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy
That output is from WLC 5508 version 7.0.235
What is strange, that user was able to authenticate from other before refresh WLC 4402 ver 4.2.207. I cannot change WLC because of AP which cannot run old version.
this is output from working client connection from old WLC
NAS-IP-Address = 10.xx.9.13
NAS-Identifier = xxxxx-lwc03
Client-Friendly-Name = YYY10.46
Client-IP-Address = 10.xx.9.13
Calling-Station-Identifier = 192.168.19.246
NAS-Port-Type = <not present>
NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = YYYYY Wireless Guest Access
Authentication-Type = PAP
EAP-Type = <undetermined>
I know there is different Policy Name used, but my question is why it is not using the same as on old WLC when configuration is same.
Is there any way I can force users to use different policy from WLC or AP configuration or is this solely configuration of Radius?
Is it maybe problem of version 7.0.235?
Any toughts would be much appriciated.

Scott,
You are probably right. The condition that is checked for the first policy name (we have 2) is to match
NAS-Port-Type = Wireless - IEEE 802.11, and this is basically used to differentiate guests from other company users.
as you can see from the logs the one that is working correctly is not sending NAS-Port-Type. The question is why.
As I said before.
WLC 5508 ver. 7.0.235 is sending NAS-Port-Type
WLC 4402 ver. 4.2.207 is not.
The same user was working OK on 4402 WLC and after refresh and associating APs to 5508 it all broke, so client did not changed anything on adapter.

Using ISE guest store via RADIUS

I have a question concerning the guest store on the ISE.
I would like to establish a guest portal on a WLC (currently running version 7.0.220.0). The guest network shouldn’t have any connection to the company network. So I can’t redirect to the ISE guest portal and have to use the local portal on the WLC and pass the login data to the ISE via RADIUS. Nevertheless I want to use the guest store on the ISE.
On the ISE I can only select the internal user store as identity source. But this seems not to include the guest user store.
Has anyone already implemented a similar solution or any idea how to access the guest store?
Thanks
Thomas

I just created a simple setup and tested the login.
It doesn't work with a user created as a guest account.
If I create the user in the normal internal identity store I works fine.
Might there be a difference between ISE Versions?
We are currently using Version 1.1.0.665 on a VM for testing purpose.
This is what the details show:
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - Internal Users
24210 Looking up User in Internal Users IDStore - tuser001
24206 User disabled
22057 The advanced option that is configured for a failed authentication request is used
22061 The 'Reject' advanced option is configured in case of a failed authentication request
11003 Returned RADIUS Access-Reject
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - Internal Users
24210 Looking up User in Internal Users IDStore - tuser001
24212 Found User in Internal Users IDStore
22037 Authentication Passed
Evaluating Authorization Policy
15004 Matched rule
15016 Selected Authorization Profile - Guest
11022 Added the dACL specified in the Authorization Profile
11002 Returned RADIUS Access-Accept

Sshd authentication via pam_userdb

Hello
I would like to configure ssh to authenticate against a database file which I've created.
This is what I have done so far:
1. Generate the database file out of a text file:
db_load -T -t hash -f logins.txt /etc/vpasswd.db
I have modified /etc/pam.d/sshd to be the below:
%PAM-1.0
auth requisite pam_securetty.so #Disable remote root
auth sufficient pam_unix.so
auth sufficient pam_userdb.so db=/etc/vpasswd crypt=hash use_first_pass
auth required pam_nologin.so
auth required pam_env.so
account sufficient pam_unix.so
account sufficient pam_userdb.so db=/etc/vpasswd crypt=hash use_first_pass
account required pam_time.so
password required pam_unix.so
session required pam_unix_session.so
session required pam_limits.so
When I log is as a user specified in the database file the following logs are returned:
Apr 1 00:29:47 dopey sshd[13778]: Failed none for invalid user testuser from 57.62.62.102 port 31794 ssh2
Apr 1 00:29:52 dopey sshd[13778]: Failed password for invalid user testuser from 57.62.62.102 port 31794 ssh2
Apr 1 00:29:55 dopey sshd[13778]: Failed password for invalid user testuser from 57.62.62.102 port 31794 ssh2
What I'd like to happen is if the user exists as a Linux account then let them in as normal, but if not then check the vpasswd.db database file.
Can anyone point me in the right direction? Is it possible to configure this?
Thanks
- eskay
Last edited by eskay (2009-04-01 03:18:55)

It looks like RADIUS authentication via the PAM module does work. We compiled the pam_radius module using the -bundle option to the linker. That seems to have fixed it. The link line ends up being
gcc -bundle pamradiusauth.o md5.o -lpam -o pamradiusauth.so
We'll send these simple changes to the pam radius developers.
What this has allowed us to do is use RADIUS authentication for logging in remotely via ssh. However, we have yet to figure out how to get the main login "window" for OS X to allow PAM to be used.
Pete

Assign QoS Service Policy via RADIUS to Catalyst 45k/37k?

hi,
is there a way to assigen a QoS service policy via Radius to an Caltalyst 4500/3750 Switchport?
in detail, we would like to assign this policy
    policy-map SET_EF
     class class-default
       set dscp ef
to an interface. All traffic should be marked with a defined DSCP value.
This works find when doing it statically with
    interface FastEthernet2/1
         service-policy input SET_EF
but we would need to assign such a policy via Radius during the 802.1x Authentication. different users should get differnt policies. We use Cisco ACS 5.2 as Radius Server and there actually is a field for
that in the Authorization Profile Common Tasks Configuration. in detail, this uses the cisco-av-pair "sub-policy-In=<policy name>" attribute to assign a service policy to an NAS.
we found also two other attributes "sub-qos-policy-in" and "ip:sub-qos-polcy-in" for that. CCO says that "ip:sub-qos-polcy-in" works with Catalyst 65k (http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/qos.html#wp1926523)
unfortunately this seems to not work on Catalyst 45k and 37k.
In the ACS Logs we can see that these attributes are attached to the Radius Reply, but unfortunately they are ignored by the switch.
it is interesing that when entering "show aaa attributes" on the Catalyst 45k, these attributes are displayd - so for my understanding the switch should understand these attibutes (?)
    4503-E#sh aaa attributes
    AAA ATTRIBUTE LIST:
        Type=1     Name=disc-cause-ext                 Format=Enum
        Type=2     Name=Acct-Status-Type               Format=Enum
    <snip>
        Type=345   Name=sub-policy-In                  Format=String
        Type=346   Name=sub-qos-policy-in              Format=String
        Type=347   Name=sub-policy-Out                 Format=String
        Type=348   Name=sub-qos-policy-out             Format=String
any input is welcome :-))
best reagrds

additionally to this discussion, i've just opened a service request with TAC.
unfortunately the engineer told me that by now per-User QoS is definitely no supported on this two plattforms but it's listed on the roadmap and will be possibly availabe mid 2012......

NAC authentication via Windows AD

Hi,
we have a Nac enviroment with users that are defined on the ACS. Also the groups are defined on this machine.
The problem is that we have to move all the users from the ACS to the domain controller, so all the users will become AD users.
In which way we have to configure the NAC enviroment to permit the authentication via Active Directory instead of Radius that runs on the ACS?
Thanks a lot!
Leonardo

You have to create a map rule if you have two or
more Roles authenticating in the same LDAP Auth Server
and not if you have two or more auth servers
If the users authenticating today in Radius Server ACS is associated with a single Role XYZ, then you can configure the LDAP Server linking users to the same Role XYZ.
You will have two providers for the same Role.

Authentication via RADIUS : MSCHAPv2 Error 691

Similar Messages

Maybe you are looking for