Cisco ISE: External RADIUS Server

Similar Messages

• ISE External radius server

  Hello,
  Since the JRS roam servers have to be put in a Radius Server sequence on ISE, which node IP address is meant to be registered with JANET, PAN or each PSN IP address. I would have thought it to be the PAN since all the external radius servers are configured on the PAN, but thought I should ask just to be sure. Thanks

  Yes, even though the configuration is done on the PAN, only the ise nodes that have the policy service role enabled, will be used to forward requests using the external radius proxy feature.

• Cisco ISE some Radius issues

  Dear guys,
       I deployed Cisco ISE for Network Access Control. My topology as described as attached image. I configured Cisco ISE as Radius Server for Client Access Control. But, I got some problems such as:
  No Accounting Start. (I have configured accouting on Switch 2960).
  Radius Request Dropped (attached image). These NAS IP Address are Servers on same subnet with Cisco ISE.
  I would greatly appreciate any help you can give me in working this problem.
  Have a nice day,
  Thanks and Regrads,

  Sorry for late reply.
  Here is my switch config.
  Current configuration : 8630 bytes
  version 12.2
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname Switch
  boot-start-marker
  boot-end-marker
  no logging console
  enable password ******************
  aaa new-model
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  aaa authorization auth-proxy default group radius
  aaa accounting delay-start all
  aaa accounting auth-proxy default start-stop group radius
  aaa accounting dot1x default start-stop group radius
  aaa accounting network default start-stop group radius
  aaa server radius dynamic-author
   client A.B.C.D server-key keystrings
  aaa session-id common
  system mtu routing 1500
  vtp mode transparent
  ip dhcp snooping
  ip device tracking
  crypto pki trustpoint TP-self-signed-447922560
   enrollment selfsigned
   subject-name cn=IOS-Self-Signed-Certificate-447922560
   revocation-check none
   rsakeypair TP-self-signed-447922560
  crypto pki certificate chain TP-self-signed-447922560
   certificate self-signed 01
    xxxxx
  dot1x system-auth-control
  spanning-tree mode pvst
  spanning-tree extend system-id
  vlan internal allocation policy ascending
  vlan 139,153,401-402,999,1501-1502
  interface FastEthernet0/11
   switchport access vlan 139
   switchport mode access
   authentication host-mode multi-auth
   authentication open
   authentication port-control auto
   authentication periodic
   authentication timer inactivity 180
   authentication violation restrict
   mab
  interface FastEthernet0/12
   switchport access vlan 139
   switchport mode access
   ip access-group ACL-ALLOW in
   authentication event fail action next-method
   authentication event server dead action authorize vlan 139
   authentication event server alive action reinitialize
   authentication host-mode multi-auth
   authentication open
   authentication order dot1x mab
   authentication priority dot1x mab
   authentication port-control auto
   authentication periodic
   authentication timer reauthenticate server
   authentication timer inactivity 180
   authentication violation restrict
   mab
   dot1x pae authenticator
   dot1x timeout tx-period 10
  interface GigabitEthernet0/1
   switchport mode trunk
  interface GigabitEthernet0/2
  interface Vlan1
   no ip address
  interface Vlan139
   ip address E.F.G.H 255.255.255.0
  ip default-gateway I.J.K.L
  ip http server
  ip http secure-server
  ip access-list extended ACL-ALLOW
   permit ip any any
  ip access-list extended ACL-DEFAULT
   remark Allow DHCP
   permit udp any eq bootpc any eq bootps
   remark Allow DNS
   permit udp any any eq domain
   permit icmp any any
   permit tcp any host A.B.C.D eq 8443
   permit tcp any host A.B.C.D eq 443
   permit tcp any host A.B.C.D eq www
   permit tcp any host A.B.C.D eq 8905
   permit tcp any host A.B.C.D eq 8909
   permit udp any host A.B.C.D eq 8905
   permit udp any host A.B.C.D eq 8909
   deny   ip any any
  ip access-list extended ACL-WEBAUTH-REDIRECT
   permit tcp any any eq www
   permit tcp any any eq 443
   deny   ip any any
  ip radius source-interface Vlan139
  snmp-server community keystrings RW
  snmp-server enable traps snmp linkdown linkup
  snmp-server enable traps mac-notification change move
  snmp-server host A.B.C.D version 2c keystrings  mac-notification
  radius-server attribute 6 on-for-login-auth
  radius-server attribute 8 include-in-access-req
  radius-server attribute 25 access-request include
  radius-server dead-criteria time 5 tries 3
  radius-server host A.B.C.D auth-port 1812 acct-port 1813 key STRINGSKEY
  radius-server vsa send accounting
  radius-server vsa send authentication
  line con 0
  line vty 5 15
  end
  My switch version is
  WS-2960   12.2(55)SE5 C2960-LANBASEK9-M
  I would greatly appreciate any help you can give me in working this problem.

• Cisco ISE with both internal and External RADIUS Server

  Hi
  I have ISE 1.2 , I configured it as management monitor and PSN and it work fine
  I would like to know if I can integrate an external radius server and work with both internal and External RADIUS Server simultanously
  So some computer (groupe_A in active directory ) will continu to made radius authentication on the ISE internal radius and other computer (groupe_B in active directory) will made radius authentication on an external radius server
  I will like to know if it is possible to configure it and how I can do it ?
  Thanks in advance for your help
  Regards
  Blaise

  Cisco ISE can function both as a RADIUS server and as a RADIUS proxy server. When it acts as a proxy server, Cisco ISE receives authentication and accounting requests from the network access server (NAS) and forwards them to the external RADIUS server. Cisco ISE accepts the results of the requests and returns them to the NAS.
  Cisco ISE can simultaneously act as a proxy server to multiple external RADIUS servers. You can use the external RADIUS servers that you configure here in RADIUS server sequences. The External RADIUS Server page lists all the external RADIUS servers that you have defined in Cisco ISE. You can use the filter option to search for specific RADIUS servers based on the name or description, or both. In both simple and rule-based authentication policies, you can use the RADIUS server sequences to proxy the requests to a RADIUS server.
  The RADIUS server sequence strips the domain name from the RADIUS-Username attribute for RADIUS authentications. This domain stripping is not applicable for EAP authentications, which use the EAP-Identity attribute. The RADIUS proxy server obtains the username from the RADIUS-Username attribute and strips it from the character that you specify when you configure the RADIUS server sequence. For EAP authentications, the RADIUS proxy server obtains the username from the EAP-Identity attribute. EAP authentications that use the RADIUS server sequence will succeed only if the EAP-Identity and RADIUS-Username values are the same.

• Configuring Cisco ISE for Authorization with External Radius Server attribute

  Hi,
  I'm trying to integrate an external radius server with Cisco ISE.
  I created an External Identity Store>Radius Token Server.
  I created a Identity Store sequence with just one identity store just as creadted above.
  And I was able to authenticate successfully.
  But when it comes to authorization.
  I observed we just have one tab named Authorization while creating Radius Token server.
  And it always refers to ACS:attribute_name.
  If I want to define a IETF radius attribute, (lets say class with attribute id as 25), how could I do it.
  In Cisco ACS we have a direct entry option in authorization tab where we can define the radius (IETF) attribute within Radius token server creation (within radius token server>Directory attribute tab).
  How ever I try to define the IETF attribute here (class,IETF:Class) I am not able to authorize with this attribute value.
  I tried with just one single authorization rule where it could hit.But observed it to go the default(as none of the rules defined matches the condition).
  Can anyone guide me how can we define a IETF radius attribute for authorization within Cisco ISE and what policy could we set it to work as authorization.
  Thanks in advance
  Senthil K

  This is the step of Creating and Editing RADIUS Vendors
  To create and edit a RADIUS vendor, complete the following steps:
  Step 1 From the Administration mega menu, choose Resources > RADIUS  Vendors.
  The RADIUS Vendors page appears with a list of RADIUS vendors that ISE  supports.
  Step 2 Click Create to create a new RADIUS vendor or click the radio  button next to the RADIUS vendor that
  you want to edit and click Edit.
  Step 3 Enter the following information:
  • Name—(Required) Name of the RADIUS vendor.
  • Description—An optional description for the vendor.
  • Vendor ID—(Required) The Internet Assigned Numbers Authority  (IANA)-approved ID for the
  vendor.
  • Vendor Attribute Type Field Length—(Required) The number of bytes  taken from the attribute value
  to be used to specify the attribute type. Valid values are 1, 2, and 4.  The default value is 1.
  • Vendor Attribute Size Field Length—(Required) The number of bytes  taken from the attribute value
  to be used to specify the attribute length. Valid values are 0 and 1.  The default value is 1.
  Step 4 Click Submit to save the RADIUS vendor.

• Authenticated on ISE 1.2 (as admin) against an external radius server

  Hello
  Our customer wants to be authenticated on ISE 1.2 (as admin) against an external radius server (like ACS not microsoft). How could i do that ?
  Is it possible while retaining internal admin users database in a sequence "external_radius or internal"
  thank you in advance.
  Best regards

  External authentication is supported only with internal authorization:
  External Authentication + Internal Authorization
  When configuring Cisco ISE to provide administrator authentication using an external RSA SecurID identity store, administrator credential authentication is performed by the RSA identity store. However, authorization (policy application) is still done according to the Cisco ISE internal database. In addition, there are two important factors to remember that are different from External Authentication + External Authorization:
  You do not need to specify any particular external administrator groups for the administrator.
  You must configure the same username in both the external identity store and the local Cisco ISE database.
  To create a new Cisco ISE administrator that authenticates via the external identity store, complete the following steps:
  Step 1 Choose Administration > System > Admin Access > Administrators > Local Administrators.
  The Administrators window appears, listing all existing locally defined administrators.
  Step 2 Follow the guidelines at Creating a New Cisco ISE Administrator to ensure that the administrator username on the external RSA identity store is also present in Cisco ISE. Be sure to click the External option under Password.
  Note Remember: you do not need to specify a password for this external administrator user ID, nor are you required to apply any specially configured external administrator group to the associated RBAC policy.
  Step 3 Click Save .

• Authentication Policy ISE with External RADIUS Server

  Hi All,
  I would like to authenticate client by using External RADIUS. Once I create authentication policy using the new compound condition (wireless dot1x + Radius Username Matches "domainB\") I would like to forward the user authentication who make an authen using domainB\username to the External RADIUS Server Sequence. But when I check on the authentication dashboard, it still authenticate using the default authentication rule.
  Please suggest about this scenario.
  Regards,
  Sent from Cisco Technical Support Android App

  Hi jrabinow,
  Which details you would like to see ?
  Here is some infos.
  ISEs are deployed in 2 domains such as "acme.com" and "sub.acme.com"
  Each domain does not make a trusted relationship so these 2 domains cannot communicate between them.
  Each domain has owned Enterprise Root CA (Microsoft)
  Client who need to access the network need to authenticate with EAP-TLS.
  My environment
  My ISE node joined into domain "acme.com"
  User will be "[email protected]"
  Once the user from "[email protected]" try to authenticate, I would like to forward the RADIUS request from ISEs (acme.com) to other ISEs (sub.acme.com)
  After ISEs in "sub.acme.com" return RADIUS-ACCEPT then ISEs in "acme.com" will process an authorization policy.
  Regards,
  Pongsatorn

• ISE 1.2 Patch 2 External RADIUS Server Sequence Broken?

  Hi community,
  We have upgraded our proof of concept ISE 1.2 lab to Patch level 2.
  Our lab design includes the use of external RADIUS servers which we off-load certain authentication rules to.
  To ensure resiliency of the external RADIUS service, we have two of these which we add to a RADIUS Server Sequence, the idea being that if the first in the list is unavailable, ISE will try the second and all will be well.
  Now this worked for us in testing ISE 1.2, but I have noticed that after the upgrade to Patch 2 ISE is sending the majority RADIUS traffic to the first (failed) external RADIUS server, with only the odd RADIUS Access-Request to thte next in the list.
  Anybody else come across this??
  All helpful comments rated!
  Many thanks, Ash.

  I couldn't find any known issues with this feature. Could you please paste the screen shot of external radius sequence and configuration. Also, how are we determing that the first server in the sequence is DEAD?
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• ISE External RADIUS proxy remove attributes

  Hi all,
  I setup external RADIUS for authenticating external users on ISE 1.2  - I need to remove all attributes received from the external RADIUS but I cannot find how to do it.
  I checked the option
  On Access-Accept, continue to Authorization Policy
  in RADIUS server sequense Advanced Attribute settings 
  and in Authorization policy I setup proper attributes but I found the attributes from external RADIUS server are in the Access-Acceept response too.
  This is RADIUS debug from the switch:
  Apr 10 09:35:51 CEST: RADIUS: User-Name [1] 17 "xxxxxxxxxxxxx"
  Apr 10 09:35:51 CEST: RADIUS: Session-Timeout [27] 6 3600
  Apr 10 09:35:51 CEST: RADIUS: Termination-Action [29] 6 1
  Apr 10 09:35:51 CEST: RADIUS: Tunnel-Type [64] 6 00:VLAN [13]
  Apr 10 09:35:51 CEST: RADIUS: Tunnel-Type [64] 6 01:VLAN [13]
  Apr 10 09:35:51 CEST: RADIUS: Tunnel-Medium-Type [65] 6 00:ALL_802 [6]
  Apr 10 09:35:51 CEST: RADIUS: Tunnel-Medium-Type [65] 6 01:ALL_802 [6]
  Apr 10 09:35:51 CEST: RADIUS: EAP-Message [79] 6
  Apr 10 09:35:51 CEST: RADIUS: 03 08 00 04
  Apr 10 09:35:51 CEST: RADIUS: Message-Authenticato[80] 18
  Apr 10 09:35:51 CEST: RADIUS: BA 8C BC 8D 69 23 2B 7D 8A 70 20 D4 DE 96 0B E2 [ i#+}p ]
  Apr 10 09:35:51 CEST: RADIUS: Tunnel-Private-Group[81] 4 "17"
  Apr 10 09:35:51 CEST: RADIUS: Tunnel-Private-Group[81] 7 01:"v230"
  Apr 10 09:35:51 CEST: RADIUS: Vendor, Cisco [26] 22
  Apr 10 09:35:51 CEST: RADIUS: Cisco AVpair [1] 16 ""ssid=eduroam""
  Apr 10 09:35:51 CEST: RADIUS: Vendor, Cisco [26] 37
  Apr 10 09:35:51 CEST: RADIUS: Cisco AVpair [1] 31 "termination-action-modifier=1"
  Apr 10 09:35:51 CEST: RADIUS: Vendor, Microsoft [26] 58
  Apr 10 09:35:51 CEST: RADIUS: MS-MPPE-Send-Key [16] 52 *
  Apr 10 09:35:51 CEST: RADIUS: Vendor, Microsoft [26] 58
  Apr 10 09:35:51 CEST: RADIUS: MS-MPPE-Recv-Key [17] 52 *
  As you can see a lot of attributes are twice in the response. I need only "v230" set as VLAN ID
  I looked for removing the attributes but "Modify attribute" settings (iether "in the request" or "before access-apccept") offer only subset of RADIUS attributes - I need to remove attribute 81 - Tunnel Network Private Group - but it is not offered there.
  Can somebody advice me, how to (idealy) remove all atrributes from external RADIUS or at least remove set of attributes at minimum with attribute 81?
  Thank you for any help

  Thank you,
  I duplicated the Dot1x Authentication Rule, and changed allowed protocols to "RADIUS Server Sequence : MySequence"
  In the RADIUS Server Sequence under the advanced tab I have it set to "Continue to Authorization Policy'.
  Which Authorization rule would match?
  Network Access:RADIUS Server Sequence EQUAL MySequence
  OR
  Network Access:UseCase EQUALS Proxy
  OR
  None of the above?
  Thanks

• Cisco ISE AD (Windows Server 2013) Authentication Problem

  Background:
  Deployed two Cisco ISE 1.1.3. ISE will be used to authenticate wireless users, admin access to WLC and switches. Backend database is Microsoft AD running on Windows Server 2012. Existing Cisco ACS 4.2 still running and authenticating users. There are two Cisco WLCs version 7.2.111.3.
  Wireless users authenticates to AD through ACS 4.2 works. Admin access to WLC and switches to AD through ISE works. Wireless authentication using PEAP-MSCHAPv2 and admin access wtih PAP/ASCII.
  Problem:
  Wireless users cannot authenticate to AD through ISE. The below is the error message "11051 RADIUS packet contains invalid state attribute" & "24444 Active Directory operation has failed because of an unspecified error in the ISE".
  Conducted a detailed test of AD from ISE. The test was successful and the output seems all right except for the below:
  xxdc01.xx.com (10.21.3.1)
  Pinged:0 Mins Ago
  State:down
  xxdc02.xx.com (10.21.3.2)
  Pinged:0 Mins Ago
  State:down
  xxdc01.xx.com
  Last Success:Thu Jan  1 10:00:00 1970
  Last Failure:Mon Mar 11 11:18:04 2013
  Successes:0
  Failures:11006
  xxdc02.xx.com
  Last Success:Mon Mar 11 09:43:31 2013
  Last Failure:Mon Mar 11 11:18:04 2013
  Successes:25
  Failures:11006
  Domain Controller: xxdc02.xx.com:389
      Domain Controller Type: Unknown DC Functional Level: 5
      Domain Name:            xx.COM
      IsGlobalCatalogReady:   TRUE
      DomainFunctionality:           2 = (DS_BEHAVIOR_WIN2003)
      ForestFunctionality:           2 = (DS_BEHAVIOR_WIN2003)
  Action Taken:
  Log on to Cisco ISE and WLC using AD credentials. This rules out AD connection, clock and AAA shared secret as the problem.
  2)     Tested wireless authentication using EAP-FAST but same problem occurs.
  3)     Detailed error message shows the below. This rules out any authentication and authorization polices. Before even hitting the authentication policy, the AD lookup fails.     
  12304  Extracted EAP-Response containing PEAP challenge-response
  11808  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
  Evaluating Identity Policy
  15006  Matched Default Rule
  15013  Selected Identity Store - AD1
  24430  Authenticating user against Active Directory
  24444  Active Directory operation has failed because of an unspecified error in the ISE
  4)     Enabled AD debugging logging and had a look at the logging. Nothing significant and no clues to the problem.
  5)     Tested wireless on different laptos and mobile phones with same error
  6)     Delete and add again AAA Client/Devices on both Cisco ISE and WLC
  7)     Restarted ISE services
  8)     Rejoin domain on Cisco ISE
  9)     Checked release notes of ISE 1.1.3 and WLC 7.2.111.3 for any open caveats. Nothing found related to this problem.
  10)    There are two ISE and two WLC deployed. Tested different combination of ISE1 to WLC1, ISE1 to WLC2 etc. This rules out hardware issue of WLC.
  Other possibilities/action:
  1)     Test it out on a different WLC version. Will have to wait outage approval to upgrade WLC software.
  2)     Incompatibility of Cisco ISE and AD running on Microsoft Windows Server 2012
  Anyone out there experienced something similar of have any ideas on why this is happening?
  Thanks.
  Update:
  1) Built another Cisco ISE 1.1.3 sever in another datacentre that uses the same domain but different domain controller. Thais domain controller is running Windows Server 2008. This works and authentication successful.
  2) My colleague tested out in a lab environment of Cisco ISE 1.1.2 with Windows Server 2012. He got the same problem as described.
  This leads me to think there is a compatibility issue of Cisco ISE with Windows Server 2012.

  Does anyone know if ISE 1.1.3 p1 supports AD DCs running 2012, if not which patch is required ot version?
  Worryingly when ISE joins a 2012 DC it states it's connected successfully, and if another 2003 DC is available in that datacentre it will perform the auths against that DC whilst actually advertising (Connections in the GUI) that it's connected to the 2012 DC. We ended up mapping 8 PSN IP’s to another datacentre which has one Win2003 servers whilst the old 2003 DC is being promoted back, the 8 ISE servers started working, even though they still advertised they were connected to the 2012 DCs in the original datacentre - I performed a leave and join on one PSN and only then did it advertise that the node was connected to a DC in a different datacentre

• OTP of ASDM using external radius server ( Not RSA )

  Hello,
  Just seeing if the ASDM will support OTP using an external radius server, and not RSA.  I see there was a feature added to 8.2 that states its possible with RSA, but nothing of any other support.  Just checking to see if someone know for sure.
  Thanks,
  Jason

  I did see in the Release notes for ASDM 6.2, that SDI is support with RSA.  Can anyone confirm or not if it works with Radius too ( OTP ).
  http://www.cisco.com/en/US/docs/security/asdm/6_2/release/notes/asdmrn62.html

• WLC Web-auth fail with external RADIUS server

  I follow step by step the link bellow to configure web-auth with external RADIUS server but I receive a error on console debug of the WLC "Returning AAA Error No Server (-7) for mobile"
  My Radius Server is fine, because I can authenticate on WLC Web page with RADIUS user.
  WLC 4402 version 4.1.171.0
  http://www.cisco.com/en/US/products/ps6366/prod_technical_reference09186a0080706f5f.html

  Hi,
  I am having some issues when I try to authenticate an AD account against a NAP Radius Server on Windows 2008.
  In fact, I own a WLC 2106 and I configured it to authenticate users againts a radius Server with Active Directory. I set the Web Radius Authentication to CHAP on the controller tab from the WLC 2106 and i am getting the error below  
  : Authentication failed for gcasanova. When I set the controller to  Web Radius Authentication to PAP, everything is working fine. I am able to connect to through the controller using an AD Account. But my purpose is not use PAP which is an unsecure protocol since password are sent as plaintext on the network.
  Can someone tell me what's wrong?
  *radiusTransportThread: Oct 26 11:02:13.975:    proxyState......................                                                                                                 .............00:24:D7:40:E5:00-00:00
  *radiusTransportThread: Oct 26 11:02:13.975:    Packet contains 0 AVPs:
  *emWeb: Oct 26 11:02:13.977: Authentication failed for gcasanova
  *aaaQueueReader: Oct 26 11:02:29.985: AuthenticationRequest: 0xb6564634
  *aaaQueueReader: Oct 26 11:02:29.985:   Callback.....................................0x8576720
  *aaaQueueReader: Oct 26 11:02:29.985:   protocolType.................................0x00000001
  *aaaQueueReader: Oct 26 11:02:29.985:   proxyState...................................00:24:D7:40:E5:00-00:00
  *aaaQueueReader: Oct 26 11:02:29.986:   Packet contains 11 AVPs (not shown)
  *aaaQueueReader: Oct 26 11:02:29.986: apfVapRadiusInfoGet: WLAN(4) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
  *aaaQueueReader: Oct 26 11:02:29.986: 00:24:d7:40:e5:00 Successful transmission of Authentication Packet (id 86) to 10.2.0.15:1812, proxy state 00:24:d7:40:e5:00-00:00
  *aaaQueueReader: Oct 26 11:02:29.987: 00000000: 01 56 00 9a 8e 48 e7 20  1d ef be 29 e6 3a 61 6d  .V...H.....).:am
  *aaaQueueReader: Oct 26 11:02:29.987: 00000010: 2b de 07 24 01 0b 67 63  61 73 61 6e 6f 76 61 3c  +..$..gcasanova<
  *aaaQueueReader: Oct 26 11:02:29.987: 00000020: 12 3c ce a0 87 ac df 7a  a5 35 af 7c ef 83 c7 58  .<.....z.5.|...X
  *aaaQueueReader: Oct 26 11:02:29.987: 00000030: ed 03 13 28 a7 5a 0d 26  6d ab 49 ea da 7c 5a 8e  ...(.Z.&m.I..|Z.
  *aaaQueueReader: Oct 26 11:02:29.987: 00000040: 1d 94 70 69 06 06 00 00  00 01 04 06 0a 02 00 06  ..pi............
  *aaaQueueReader: Oct 26 11:02:29.987: 00000050: 05 06 00 00 00 01 20 0a  50 41 52 2d 57 4c 43 31  ........PAR-WLC1
  *aaaQueueReader: Oct 26 11:02:29.987: 00000060: 3d 06 00 00 00 13 1a 0c  00 00 37 63 01 06 00 00  =.........7c....
  *aaaQueueReader: Oct 26 11:02:29.988: 00000070: 00 04 1f 0c 31 30 2e 32  2e 30 2e 31 35 36 1e 0a  ....10.2.0.156..
  *aaaQueueReader: Oct 26 11:02:29.988: 00000080: 31 30 2e 32 2e 30 2e 36  50 12 7f 86 5a c5 61 ad  10.2.0.6P...Z.a.
  *aaaQueueReader: Oct 26 11:02:29.988: 00000090: af 54 fa fa 42 e7 f6 16  9e 10                    .T..B.....
  *radiusTransportThread: Oct 26 11:02:29.988: 00000000: 03 56 00 14 a9 10 07 84  83 00 87 83 b9 10 64 e1  .V............d.
  *radiusTransportThread: Oct 26 11:02:29.988: 00000010: 66 b3 c5 5e                                       f..^
  *radiusTransportThread: Oct 26 11:02:29.988: ****Enter processIncomingMessages: response code=3
  *radiusTransportThread: Oct 26 11:02:29.988: ****Enter processRadiusResponse: response code=3
  *radiusTransportThread: Oct 26 11:02:29.988: 00:24:d7:40:e5:00 Access-Reject received from RADIUS server 10.2.0.15 for mobile 00:24:d7:40:e5:00 receiveId = 0
  *radiusTransportThread: Oct 26 11:02:29.989: 00:24:d7:40:e5:00 Returning AAA Error 'Authentication Failed' (-4) for mobile 00:24:d7:40:e5:00
  *radiusTransportThread: Oct 26 11:02:29.989: AuthorizationResponse: 0xb97fe774
  *radiusTransportThread: Oct 26 11:02:29.989:    structureSize................................32
  *radiusTransportThread: Oct 26 11:02:29.989:    resultCode...................................-4
  *radiusTransportThread: Oct 26 11:02:29.989:    protocolUsed.................................0xffffffff
  *radiusTransportThread: Oct 26 11:02:29.989:    proxyState...................................00:24:D7:40:E5:00-00:00
  *radiusTransportThread: Oct 26 11:02:29.989:    Packet contains 0 AVPs:

• Client Exclusion Policies on WLC not working with ISE as RADIUS Server

  Hi,
  for our Guest WLAN (Security Setting for this SSID:Layer2: MAC filtering, Layer3:none) we use ISE as RADIUS Server. On WLC I enabled client exclusion polices and checked all options (Excessive 802.11 Auth. Failures etc..).. But even if a client fails 20times at authentication, it is not excluded on the wlc. It works with other SSIDs, where security settings are set to 802.1x.
  Am I missing any settings here or do you have some tipps on how to troubleshoot this?
  Thanks very much!

  Hi Renata,
  If those guest failures are not associated with valid guest users (i.e. people who have forgotten their account or entering the wrong password) there isn't anything that can be done. The main point of Guest WLAN is to make it as easy as possible for Guests - individuals with device configurations you don't want to deal with or know about, to connect your network for internet access. From a WiFi/802.11 perspective, the standard Guest WLAN setup means its easy for any device to connect.
  If your Guest WLAN has the following:
  SSID is broadcast enabled, Security = OPEN, Encryption = none, then any 802.11 device can find the WLAN via passive scanning and connect. And any device that connects will get the ISE portal. Once recieveing that portal they can guess away at valid username/password.
  I would suspect that unless your Guest WiFi is adjacent to a Mall, school, hotel or other hi-density area of individuals  with time and electronics on their hands, other than alerts in your ops window and logs, resources associated with this (WLC & ISE) are very low.
  You can try and dull the noise a few ways.
  Option 1. create and ISE log filter on those alerts so they don't cluter the console.
  Option 2. Stop broadcasting the SSID.  This is not a security measure, but will cut volume of people connecting to the SSID significantly. You will have to tell your guests what SSID or include it in their credential communication.
  Option 3. Put a very simple PSK on the SSID. The PSK will become a public secret - shared with valid guests, doesn't have change as it's purpose is not security.  You will have to include this information on their credential communication.
  Option 4 - both 2 and 3
  The most effective option would be 3.
  Good Luck!

• Authenticate Users against external RADIUS-Server

  Hi,
  i have some users in the local LDAP database of an 10.5 Server.
  Is there a way to store their passwords on an external RADIUS-Server?
  Thank you very much,
  macservo
  Message was edited by: macservo

  CryptoCard does this.
  We use it at one customer for L2TP VPN authentication.
  This way the VPN user get's a yes or no to use the VPN server and then has to give his credentials: name and VPN shared secret or certificate (support for CryptoCard is in the OS X VPN client) to get on the network. The password is in 2 halves, one half is static and the rest is added to it from the Token.
  You then have to authenticate to any service you want to use (Kerberos?).
  We only had to alter a PPP config file on the OS X server and add a small file to both server (and client) to make it contact their Radius server instead of it using Apples regular internal VPN authentication (not the Radius one). And we had to add a shared secret corresponding to what was setup for the customer at CryptoCard (in the server only) for the OS X Server (Radius client) to CryptoCard server (Radius server) communication. You can't use Server Admin to alter VPN settings afterwards without messing up the PPP settings file.
  Maybe possible to us it for Ethernet/Wireless 802.1X authentication too?
  For just AFP server auth I don't know.

• External Radius Server

  Hello, are there anybody configure Solaris 9 as radius client? I looked for the solution without the third party. Many thanks.

  Yes, even though the configuration is done on the PAN, only the ise nodes that have the policy service role enabled, will be used to forward requests using the external radius proxy feature.