Cisco Meraki Radius auth to ACS 5.6
I have several Meraki APs deployed that I would like to use 2-factor authentication with, as well as AD group membership lookup. The 2-factor service we are looking at is cloud-based RADIUS and only supports a few auth protocols. The Meraki APs also only support a few auth types, and the two don't seem to line up.
It seems that when a user RADIUS-authenticates on an AP, this is only proxied by ACS to the RADIUS server? So if the cloud RADIUS server and Meraki don't support the same type, it just fails with an error that the RADIUS server does not support the authentication method.
Hi Anthony,
I don't think it will support non-standard ports, as the options are only Disk, FTP, SFTP, TFTP and NFS.
Regards,
Chris
Similar Messages
-
Best Wireless Auth. methods ACS 3.2(3) and AD
I am new to ACS and wireless authentication. I have just deployed my ACS 3.2 for Windows, and am trying to select the best methods of authentication for my environment. I have determined my risk level to be low to medium. I would consider MAC-based auth. to be sufficient for users that don't support LEAP or a similar protocol. I have a mixed OS base from Win98, 2000 and XP and MacOS 9.2 to MacOSX. I have AD set up as the external database, and it is working with ACS to allow RADIUS auth. on my AP1100G Access Points. My questions are these.
1- What is the best practice for setting up the MAC address auth.? Do I create a text list, ACS records, an SQL database, or can it be done in AD in some way?
2- Is LEAP the best auth. protocol considering my needs? Is there one that would be less difficult to set up but offer the low to medium security I need?
3- I am a little confused by the config that needs to exist on the Aironet 1100 series AP. What would be a good document/s for the configuration of these devices?
Eric Bodily
Idaho Falls School District 91
Network Administrator
I have no issues running Cisco ACS version 3.2 on Windows Server 2003 with SP2:
1) create user test1 in MS Active Directory and put test1
in users group with dial-in access granted,
2) Create a group called "LDAP". Actually I renamed
group name "group 1" to "LDAP".
3) in ACS external user database configuration, I specified
domain "CCIE" as for this. unknow user policy is to use
Windows Database configuration,
4) Configure the database configuration in ACS to point
to "CCIE" windows domain,
5) setup the ACS to authenticate one of your Cisco devices
and log in using the MS windows account,
By the way, mgurwara, you are wrong. I run Cisco
ACS 3.2 on windows 2003 Enterprise Edition with Service
Pack 2. I am running it on a Dell Optiplex Gx240
(1.7 GHz with 512MB of RAM) and it is running fine.
I use it to manage about 20 cisco devices and
about 200 Wireless LEAP user(s). Furthermore, I am also
running ACS 4.1 on another identical hardware. It has
nothing to do with the hardware. I don't know where
you get that information from. -
Are there any known issues with Cisco Meraki APs with client devices which publish PMF support in probe requests? We are seeing connectivity issues with Cisco Meraki MR12, MR16 and MX80 models. Please update if there are any known issues with these APs.
Thanks for your thoughts, Nathan. We do actually have the "Enable Fast Reconnect" option selected on our wireless profile. Good idea, though.
We did also (originally) have 2 RADIUS servers defined within our wireless network. What we discovered was that each Meraki AP will try each one in order, top-to-bottom, and then primarily use the server that responded to it first. So, if for any reason you have a short-lived issue with your local RADIUS server responding to requests, and the AP is able to talk to a remote RADIUS server (in our case, one on the other side of the world) instead, the AP will elect to use the remote RADIUS server instead. In our case, the latency is high enough between these APs and this remote RADIUS server that while a client is roaming between APs, and having to re-authenticate, the entire process breaks down because (1) the client is moving between APs faster than the remote RADIUS server can authenticate the client, and (2) the entire exchange and communication ends up timing out -- thus forcing a manual re-connect. This is not a common occurrence by any means, but I just wanted to share what made us later choose to define only 1 RADIUS server, in the network settings. Surely our circumstance here is rather unique, but I thought it might be worth mentioning. Having only 1 RADIUS server defined forces ALL of our APs to use the same RADIUS server, regardless of anything else. It has resulted in a much smoother re-auth process for our clients.
I appreciate the link you sent, however. If I come across anything else that is helpful, I'll certainly post it back here. I appreciate your input once again! -
Adding RADIUS VSAs on ACS 3.2 SE
I have tried to add a VSA to enable a Packeteer to authenticate using RADIUS on the ACS.
Using RDBMS synchronization to import the csv file below.
SequenceId,Priority,GroupName,Action,ValueName ,Value1,Value2,Value3
1,1,External,163,26,access=look,2334,1
The group name is 'External', Action is 163 which corresponds to ADD_RADIUS_ATTR.
From RDBMS Sychronization Import Definitions (http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs32/user/ag.htm#wp35130)
To add a vendor-specific attribute (VSA), set VN = "26" and use V2 and V3 as follows:
V2 = IETF vendor ID (which in this case is 2334)
V3 = VSA attribute ID (1)
V1 = In this case 'access=look'
After a couple of attempts I got the format correct but when I try and import the file I don't get an "INFO" message in the "Reports" section of the ACS indicating that the process was successful. I don't get any message at all, WARNING, ERROR or INFO.
From the FTP server I can confirm that the file was transferred.
What I should get is an INFO message similar to:
08/30/2004 16:27:50 INFO Sync complete: 1 transaction(s) 0 parse error(s) 0 process error(s)
Any ideas as to what is wrong would be much appreciated.
Cheers,
Aylmer.
Hi, you need to import the RADIUS VSA for Packeteer from their site.
The link to the steps as shown below is (might require you to subscribe & login):
https://packeteer.custhelp.com/cgi-bin/packeteer.cfg/php/enduser/std_adp.php?p_faqid=399&p_created=1046793530&p_sid=gszcDFBh&p_lva=&p_sp=cF9zcmNoPTEmcF9zb3J0X2J5PWRmbHQmcF9ncmlkc29ydD0mcF9yb3dfY250PTImcF9wcm9kcz0wJnBfY2F0cz0wJnBfcHY9JnBfY3Y9JnBfc2VhcmNoX3R5cGU9YW5zd2Vycy5zZWFyY2hfZm5sJnBfcGFnZT0xJnBfc2VhcmNoX3RleHQ9YWNz&p_li=&p_topview=1
In any case, the same content is copied below:
Also, the steps on how to do them are listed here.
Create a User Defined Vendor
First, you need to create a User Defined Vendor.
1. Create a text file (packet.ini) and enter the following:
[User Defined Vendor]
Name=Packeteer
IETF Code=2334
VSA 1=Packeteer-AVPair
[Packeteer-AVPair]
Type=STRING
Profile=OUT
2. Name the file packet.ini.
Add the Vendor to the Database
Next, you need to add the above vendor to the database.
1. Go to the command prompt, and change the directory to the Cisco Secure utils directory (typically C:\Program Files\CiscoSecure ACS v3.0\Utils).
2. The instructions below install the vendor into User Defined slot 0. If you have other vendors, you need to change this number to a free slot. To see a list of slots and their assignments, use the csutil -listudv command. For example:
C:\Program Files\CiscoSecure ACS v3.0\Utils>csutil -listudv
CSUtil v3.0(2.5), Copyright 1997-2002, Cisco Systems Inc
UDV 0 - Unassigned
UDV 1 - Unassigned
UDV 2 - Unassigned
UDV 3 - Unassigned
UDV 4 - Unassigned
UDV 5 - Unassigned
UDV 6 - Unassigned
UDV 7 - Unassigned
UDV 8 - Unassigned
UDV 9 - Unassigned
3. Run csutil -addudv to add Packeteer to UDV (User Defined Vendor) slot 0 or the next open slot.
C:\Program Files\CiscoSecure ACS v3.0\Utils>csutil -addudv 0 c:\temp\packet.ini
CSUtil v3.0(2.5), Copyright 1997-2002, Cisco Systems Inc
Adding or removing vendors requires ACS services to be re-started.
Please make sure regedit is not running as it can prevent registry
backup/restore operations
Are you sure you want to proceed? (y/n)y
Parsing [c:\temp\packet.ini] for addition at UDV slot [0]
Stopping any running services
Creating backup of current config
Adding Vendor [Packeteer] added as [RADIUS (Packeteer)]
Adding VSA [Packeteer-AVPair]
Done
Checking new configuration...
New configuration OK
Re-starting stopped services
Verify that Packeteer was added.
C:\Program Files\CiscoSecure ACS v3.0\Utils>
C:\Program Files\CiscoSecure ACS v3.0\Utils>csutil -listudv
CSUtil v3.0(2.5), Copyright 1997-2002, Cisco Systems Inc
UDV 0 - RADIUS (Packeteer)
UDV 1 - Unassigned
UDV 2 - Unassigned
UDV 3 - Unassigned
UDV 4 - Unassigned
UDV 5 - Unassigned
UDV 6 - Unassigned
UDV 7 - Unassigned
UDV 8 - Unassigned
UDV 9 - Unassigned
4. Return to ACS Admin and select Network Configuration.
From the main screen select Network Configuration and add the PacketShaper by supplying the AAA client Hostname, IP address and Key. Scroll through the Authenticate Using choices and select RADIUS (Packeteer).
5. From the main screen select User Setup and enter a user name for a Touch or Look access user to the Packet Shaper. Supply the PAP/CHAP password. Leave other fields at defaults and scroll to the bottom
of the form. Be sure the Packeteer-AVPair box is selected and supply either
"access=touch" or "access=look" in the available entry space. -
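The Packeteer thread above hinges on two encodings of the same attribute: the RDBMS-synchronization CSV row in Aylmer's question (Action 163, VN=26, V2=2334, V3=1) and the Packeteer-AVPair that packet.ini defines in the answer. The following Python is an added example, not code from either poster, from Cisco or from Packeteer: it encodes and decodes the type-26 Vendor-Specific attribute as it travels in an Access-Accept (RFC 2865), restricts the value to the two access levels the answer names, and emits the matching accountActions CSV line. The function names are my own; the vendor ID 2334 and VSA number 1 are the values from the posts.

```python
from __future__ import annotations
import struct

# Values taken from the thread: Packeteer's IANA enterprise number and the
# single VSA (Packeteer-AVPair, vendor type 1) defined in packet.ini.
VENDOR_SPECIFIC = 26
PACKETEER_VENDOR_ID = 2334
PACKETEER_AVPAIR = 1
ADD_RADIUS_ATTR = 163   # RDBMS synchronization action code from the question


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Encode one RFC 2865 Vendor-Specific attribute:
    Type(26) Length Vendor-Id(4) | Vendor-Type(1) Vendor-Length(1) value."""
    # The outer Length byte counts 2 + 4 + 2 + value, so value <= 247.
    if not 0 < len(value) <= 247:
        raise ValueError("VSA value must be 1..247 bytes")
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), vendor_id) + sub


def decode_attributes(blob: bytes) -> list[tuple[int, bytes]]:
    """Split a RADIUS attribute list into (type, value) pairs, rejecting
    malformed lengths instead of reading past the buffer."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError(f"bad attribute length {alen} at offset {i}")
        out.append((atype, blob[i + 2:i + alen]))
        i += alen
    return out


def decode_vsa(value: bytes) -> tuple[int, list[tuple[int, bytes]]]:
    """Return (vendor_id, [(vendor_type, data), ...]) for a type-26 value.
    The vendor sub-attributes use the same TLV layout as top-level ones."""
    if len(value) < 6:
        raise ValueError("VSA shorter than Vendor-Id plus sub-attribute header")
    vendor_id = struct.unpack("!I", value[:4])[0]
    return vendor_id, decode_attributes(value[4:])


def packeteer_access(level: str) -> bytes:
    """Build the Packeteer-AVPair granting 'look' (read) or 'touch' (write)."""
    if level not in ("look", "touch"):
        raise ValueError("Packeteer access level must be 'look' or 'touch'")
    return encode_vsa(PACKETEER_VENDOR_ID, PACKETEER_AVPAIR,
                      f"access={level}".encode())


def packeteer_level(attrs: bytes) -> str | None:
    """Find the Packeteer-AVPair in an attribute list; None if absent."""
    for atype, val in decode_attributes(attrs):
        if atype != VENDOR_SPECIFIC:
            continue
        vendor_id, subs = decode_vsa(val)
        if vendor_id != PACKETEER_VENDOR_ID:
            continue
        for vtype, data in subs:
            if vtype == PACKETEER_AVPAIR and data.startswith(b"access="):
                return data[len(b"access="):].decode()
    return None


def rdbms_sync_row(seq: int, priority: int, group: str, level: str) -> str:
    """Emit the accountActions CSV line from the question:
    SequenceId,Priority,GroupName,Action,ValueName,Value1,Value2,Value3
    with Action 163 (ADD_RADIUS_ATTR), VN=26, V1=string, V2=vendor, V3=VSA id."""
    packeteer_access(level)   # reuse the level validation
    return (f"{seq},{priority},{group},{ADD_RADIUS_ATTR},{VENDOR_SPECIFIC},"
            f"access={level},{PACKETEER_VENDOR_ID},{PACKETEER_AVPAIR}")


if __name__ == "__main__":
    vsa = packeteer_access("look")
    print(vsa.hex())
    print(packeteer_level(vsa))
    print(rdbms_sync_row(1, 1, "External", "look"))
```

The decoder is deliberately strict about lengths: a RADIUS client that trusts the per-attribute Length byte without bounding it against the packet is the classic way to read past a buffer when a server (or someone on the path) sends a malformed Access-Accept.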
How to monitor Radius services on ACS 5.4
Hi All,
I want to monitor Radius services of ACS 5.4, In case of failure any radius service on ACS.
ACS should send alert to Syslogs or email notification
Is there any way to monitor Radius services ? Anyone have any idea how to monitor.
Regards.
Hi Narinder,
I don't think there is any particular way you can do that, because ACS 5.x doesn't have any particular RADIUS service.
The services which are available and can be viewed through CLI and GUI are following:
Database
Management (ACS management subsystem)
Ntpd
Runtime (ACS runtime subsystem)
View-alertmanager
View-collector
View-database
View-jobmanager
View-logprocessor
https://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-ususer/guide/acsuserguide/viewer_sys_ops.html#pgfId-1052845
Cheers
Minakshi -
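Minakshi's list above covers the ACS subsystem services, but none of them tells you whether the RADIUS listener on UDP/1812 is actually answering, which is what Narinder's monitoring question is about. The following Python is an added example, not from the thread or from Cisco: a probe that sends an RFC 5997 Status-Server request carrying a valid Message-Authenticator and accepts only a reply whose Response Authenticator and Message-Authenticator both verify under the shared secret, so a spoofed or mis-keyed reply does not count as "up". It assumes the server implements Status-Server (confirm for your ACS release; the post does not say) and uses a placeholder secret and address; make_reply constructs the answer a healthy server would send so the verification can be exercised offline.

```python
from __future__ import annotations
import hashlib
import hmac
import os
import socket
import struct

STATUS_SERVER = 12          # RFC 5997 request code
ACCESS_ACCEPT = 2           # expected reply to a Status-Server on the auth port
MESSAGE_AUTHENTICATOR = 80  # attribute type, 16-byte HMAC-MD5
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator


def build_status_server(ident: int, secret: bytes,
                        request_auth: bytes | None = None) -> bytes:
    """Status-Server: random Request Authenticator plus a Message-Authenticator
    computed as HMAC-MD5(secret, packet with that attribute zeroed)."""
    request_auth = request_auth or os.urandom(16)
    body = struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    pkt = HEADER.pack(STATUS_SERVER, ident, HEADER.size + len(body), request_auth) + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:HEADER.size + 2] + mac   # only the 16 zero bytes are replaced


def _attributes(pkt: bytes) -> list[tuple[int, int, bytes]]:
    """(type, offset, value) for every attribute after the 20-byte header."""
    out, i = [], HEADER.size
    while i < len(pkt):
        if i + 2 > len(pkt) or pkt[i + 1] < 2 or i + pkt[i + 1] > len(pkt):
            raise ValueError("malformed attribute list")
        out.append((pkt[i], i, pkt[i + 2:i + pkt[i + 1]]))
        i += pkt[i + 1]
    return out


def verify_reply(reply: bytes, request: bytes, secret: bytes) -> bool:
    """Accept the reply only if it is an Access-Accept for our Identifier whose
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    and whose single Message-Authenticator is HMAC-MD5 over the reply with the
    Request Authenticator in the authenticator field (RFC 5997 section 3)."""
    if len(reply) < HEADER.size:
        return False
    code, ident, length, resp_auth = HEADER.unpack_from(reply)
    _, req_ident, _, req_auth = HEADER.unpack_from(request)
    if code != ACCESS_ACCEPT or ident != req_ident or length != len(reply):
        return False
    attrs = reply[HEADER.size:]
    expected = hashlib.md5(reply[:4] + req_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False
    try:
        mas = [(off, val) for t, off, val in _attributes(reply)
               if t == MESSAGE_AUTHENTICATOR]
    except ValueError:
        return False
    if len(mas) != 1 or len(mas[0][1]) != 16:
        return False
    off, val = mas[0]
    zeroed = reply[:4] + req_auth + reply[HEADER.size:off + 2] + bytes(16) + reply[off + 18:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), val)


def make_reply(request: bytes, secret: bytes) -> bytes:
    """Constructed reply of a healthy server (not captured from ACS), used to
    exercise verify_reply without a network."""
    _, ident, _, req_auth = HEADER.unpack_from(request)
    body = struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    length = HEADER.size + len(body)
    unsigned = HEADER.pack(ACCESS_ACCEPT, ident, length, req_auth) + body
    body = body[:2] + hmac.new(secret, unsigned, hashlib.md5).digest()
    resp_auth = hashlib.md5(struct.pack("!BBH", ACCESS_ACCEPT, ident, length)
                            + req_auth + body + secret).digest()
    return HEADER.pack(ACCESS_ACCEPT, ident, length, resp_auth) + body


def probe(host: str, secret: bytes, port: int = 1812, timeout: float = 3.0) -> bool:
    """Send one probe and report whether an authentic reply arrived in time.
    Real network call; not exercised by the offline test. host/secret are
    placeholders you supply."""
    request = build_status_server(os.urandom(1)[0], secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, port))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return False
    return verify_reply(reply, request, secret)


if __name__ == "__main__":
    print(probe("192.0.2.10", b"placeholder-secret"))   # example address only
```

Wire probe into whatever alerts you already have (a cron job that syslogs on a False result is enough); a plain ping, as the WLC thread further down on this page shows, proves nothing about whether the RADIUS daemon is answering.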
HP Wireless Printers cannot connect to WPA2-secured WiFi networks with Cisco/Meraki WAPs
In the last two months, I've had the displeasure of working with two very different HP printers and attempting to make them work on a WPA2-secured wireless network. All attempts to authenticate fail with "invalid passphrase".
I'm not the first person to encounter this, it's a problem with many different HP wireless printers (I just happen to have physical access to the OfficeJet Pro 8610 & Deskjet 3511).
My equipment is a Cisco ASA 5505 Firewall running ASA 9.1x & Cisco Aironet 1142 running IOS 15.3.x.
What does work on the WPA2/AES SSID: Apple MacBook Air running OSX 10.10.2, Three Windows-Based laptops running Windows 8.1 Update 1, an iPhone 5s, Three Windows Phone 8.1 devices, Roku 2, PlayStation 4, PlayStation 3, Sharp Aquos TV, Amazon Streaming Stick, and an Android Tablet (Jellybean). Basically, everything.
What does not work on the WPA2 network: OfficeJet Pro 8610 & Deskjet 3511.
To test the theory there is a problem with HP's implementation of WPA2 with regard to Cisco Aironet IOS, I built out a second SSID that only works in WPA/TKIP mode. This solution works. Both HP printers will join the WPA/TKIP network.
So, I'm able to demonstrate there is a certain connectivity issue. When I look at the AAA debug on the WAP's console, I can observe the HPs attempt to authenticate ("Bind I/F") on the WPA2 SSID; however they do not achieve authentication and do not pass the AAA phase. However, on the WPA SSID, they bind and authenticate successfully.
To help illustrate this, here is my WAP running config. It's about as simple as it can get. There is no relevant MAC filtering or ACLs bound to any interface. Noting that I have an ACL on remote access to the WAP (i.e. locked down to SSH, disabling telnet). The main point being that the ASA firewall is not a factor in this problem, as the issue is at the WAP before WPA2 authentication can complete, therefore the printers never reach the network; when the printers connect to the WPA network, they operate fully & correctly.
If anyone at HP can indicate why this particular config is somehow improper or broken, that would be fantastic. There should be no reason why Cisco / Meraki WAP owners have to lower wireless encryption standards just for a printer, be forced into wired, create separate SSIDs with lower encryption specifically for a device.
Building configuration...
Current configuration : 6064 bytes
! Last configuration change at 12:46:47 UTC Fri Aug 20 1993 by admin
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname 10-10-50-1
logging buffered 1024768
logging rate-limit console 9
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
no ip source-route
no ip cef
ip domain name freedom.local
dot11 syslog
dot11 vlan-name inside vlan 50
dot11 vlan-name inside-wpa-only vlan 70
dot11 ssid inside
vlan 50
band-select
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 xxxxxx
information-element ssidl
dot11 ssid inside-wpa-only
vlan 70
band-select
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 xxxxxx
information-element ssidl
dot11 band-select parameters
cycle-count 3
cycle-threshold 200
expire-supression 20
expire-dual-band 60
client-rssi 75
dot11 wpa handshake timeout 500
dot11 network-map
username ADMIN privilege 15 secret 5 xxxxxx
ip ssh version 2
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption vlan 50 mode ciphers aes-ccm
encryption vlan 70 mode ciphers aes-ccm tkip
ssid inside
ssid inside-wpa-only
antenna gain 0
mbssid
speed basic-1.0 basic-2.0 basic-5.5 basic-11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
channel 2412
station-role root
l2-filter bridge-group-acl
interface Dot11Radio0.50
encapsulation dot1Q 50 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.70
encapsulation dot1Q 70
no ip route-cache
bridge-group 70
bridge-group 70 subscriber-loop-control
bridge-group 70 input-address-list 700
bridge-group 70 output-address-list 700
bridge-group 70 spanning-disabled
bridge-group 70 block-unknown-source
no bridge-group 70 source-learning
no bridge-group 70 unicast-flooding
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
interface GigabitEthernet0.50
encapsulation dot1Q 50 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface GigabitEthernet0.70
encapsulation dot1Q 70
no ip route-cache
bridge-group 70
bridge-group 70 spanning-disabled
no bridge-group 70 source-learning
interface BVI1
mac-address xxxx.xxxx.xxxx
ip address 10.10.50.1 255.255.255.0
no ip route-cache
ip forward-protocol nd
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip route 0.0.0.0 0.0.0.0 10.10.50.2
logging history size 100
access-list 111 permit tcp any any neq telnet
bridge 1 route ip
line con 0
access-class 111 in
line vty 0 4
access-class 111 in
length 0
transport input ssh
line vty 5 15
access-class 111 in
transport input ssh
end
I get the same behavior with a LaserJet M451nw. I need to enable TKIP to get the printer working; it doesn't support pure aes-ccm (every other device here supports pure aes-ccm, even cheap ones), although it's advertised as working.
The following snippet of config works, but I still think it should work without the tkip "hack".
dot11 ssid whatever
vlan 1
band-select
authentication open
authentication key-management wpa version 2
interface Dot11Radio0
encryption vlan 1 mode ciphers aes-ccm tkip -
Using TACACS+ auth from ACS 5.1.0.44 to ACE. Having Issues with Shell (Exec)
So I am trying to get TACACS+ auth to work for my ACE.
The command string that I have on the ACE is as follows:
tacacs-server host 172.16.101.4 key 7 XXXYYYZZZ timeout 15
aaa group server tacacs+ tacacs+
server 172.16.101.4
aaa authentication login default group tacacs+ local
aaa authentication login console local
aaa accounting default group tacacs+ local
But to finish getting this enabled I need to create some sort of shell (exec) string in the ACS that tells the ACE what permission level to allocate.
I do not know how to do this on the ACS 5.1.0.44.
Anyone know?
TAC made a good suggestion but the command path doesn't seem to line up with my version of ACS.
Thanks for your reply. About this question:
shell:<Context>*<Role> <Domain>
What I meant is that you need to check the following couple of things on
your ACS server in order to have AAA Tacacs users to login into the
ACE over the context with superuser rights.
Group setup ‑> users ‑> TACACS + Settings ‑> enable Shell(exec)
‑> enable Custom attributes ‑> right below this part you need to
use the following syntax to link the ACE context that this user
has access to.
For example:
shell:<Context>*<Role> <Domain>
shell:Admin*Admin default‑domain
Where this user will have access to the Admin context with the role
admin using the 'default‑domain'.
Wilfred,
What you will have to do on your version of ACS is modify the shell profile that your admins are hitting for other IOS devices, or you can create another shell profile under Policy Elements -> Device Administration ->
Once you get into this shell profile, select the Custom Attributes tab and put in the following fields close to the bottom of the screen: from the example you provided, type shell:Admin for the attribute field and then default-domain for the value field, and make sure you select this requirement as optional. If you select mandatory and other IOS devices use this same shell profile, you will force this AV pair to these devices also, which will impact the privilege levels that they need for authentication.
After you add this attribute, save your changes and then test. Also make sure that your Access Policy is calling this shell profile under the authorization profile for default device admin.
Thanks,
Tarik Admani -
RADIUS auth-server unavailable messages
Hello,
during troubleshooting of some other WLC (WiSM2, 7.4.121.0) issues I have noticed that there is some messages like this:
0 Thu Feb 27 15:01:11 2014 RADIUS auth-server 192.168.4.66:1812 available
1 Thu Feb 27 15:01:06 2014 RADIUS auth-server 192.168.4.66:1812 unavailable
2 Thu Feb 27 15:01:06 2014 RADIUS server 192.168.4.66:1812 failed to respond to request (ID 216) for client 9c:d2:4b:bd:82:fb / user '***'
3 Thu Feb 27 14:58:24 2014 RADIUS auth-server 192.168.4.66:1812 available
4 Thu Feb 27 14:58:22 2014 RADIUS auth-server 192.168.4.66:1812 unavailable
5 Thu Feb 27 14:58:22 2014 RADIUS server 192.168.4.66:1812 failed to respond to request (ID 128) for client 9c:d2:4b:bd:82:fb / user '***'
6 Thu Feb 27 14:57:56 2014 RADIUS auth-server 192.168.4.66:1812 available
7 Thu Feb 27 14:57:43 2014 RADIUS auth-server 192.168.4.66:1812 unavailable
8 Thu Feb 27 14:57:43 2014 RADIUS server 192.168.4.66:1812 failed to respond to request (ID 103) for client 9c:d2:4b:bd:82:fb / user '***'
9 Thu Feb 27 14:57:18 2014 RADIUS auth-server 192.168.4.66:1812 available
10 Thu Feb 27 14:57:12 2014 RADIUS auth-server 192.168.4.66:1812 unavailable
During that time I pinged the RADIUS server from the console but it looks OK:
(WiSM-slot25-1) >ping 192.168.4.66
Send count=3, Receive count=3 from 192.168.4.66
(WiSM-slot25-1) >ping 192.168.4.66
Send count=3, Receive count=3 from 192.168.4.66
(WiSM-slot25-1) >ping 192.168.4.66
Send count=3, Receive count=3 from 192.168.4.66
(WiSM-slot25-1) >ping 192.168.4.66
Send count=3, Receive count=3 from 192.168.4.66
(WiSM-slot25-1) >ping 192.168.4.66
Send count=3, Receive count=3 from 192.168.4.66
(WiSM-slot25-1) >ping 192.168.4.66
Send count=3, Receive count=3 from 192.168.4.66
(WiSM-slot25-1) >
(WiSM-slot25-1) >show time
Time............................................. Thu Feb 27 15:00:10 2014
(WiSM-slot25-1) >ping 192.168.4.66
Send count=3, Receive count=3 from 192.168.4.66
(WiSM-slot25-1) >ping 192.168.4.66
Send count=3, Receive count=3 from 192.168.4.66
(WiSM-slot25-1) >ping 192.168.4.66
Send count=3, Receive count=3 from 192.168.4.66
(WiSM-slot25-1) >ping 192.168.4.66
Send count=3, Receive count=3 from 192.168.4.66
(WiSM-slot25-1) >ping 192.168.4.66
Send count=3, Receive count=3 from 192.168.4.66
(WiSM-slot25-1) >ping 192.168.4.66
Send count=3, Receive count=3 from 192.168.4.66
(WiSM-slot25-1) >ping 192.168.4.66
Send count=3, Receive count=3 from 192.168.4.66
(WiSM-slot25-1) >ping 192.168.4.66
Send count=3, Receive count=3 from 192.168.4.66
(WiSM-slot25-1) >ping 192.168.4.66
Send count=3, Receive count=3 from 192.168.4.66
(WiSM-slot25-1) >ping 192.168.4.66
Send count=3, Receive count=3 from 192.168.4.66
(WiSM-slot25-1) >ping 192.168.4.66
Send count=3, Receive count=3 from 192.168.4.66
(WiSM-slot25-1) >ping 192.168.4.66
Send count=3, Receive count=3 from 192.168.4.66
There is only one radius configured in WLC.
(WiSM-slot25-1) >show radius auth statistics
Authentication Servers:
Server Index..................................... 1
Server Address................................... 192.168.4.66
Msg Round Trip Time.............................. 11 (msec)
First Requests................................... 31952
Retry Requests................................... 285
Accept Responses................................. 4002
Reject Responses................................. 274
Challenge Responses.............................. 27620
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. 0
Timeout Requests................................. 341
Unknowntype Msgs................................. 0
Other Drops...................................... 0
What can I do to troubleshoot this, some debug commands, timer tuning...?
Regards,
Mladen
That could also be load on the AAA server. The WLC calls a RADIUS server dead/unavailable if it doesn't respond to 3 requests for a client authentication.
You may want to also try disabling aggressive failover.
config radius aggressive-failover disable.
This changes the behavior of the WLC so that the AAA server has to not respond to three consecutive clients before it's called dead. But if you only have the one server it may not help too much.
HTH,
Steve
Please remember to rate useful posts, and mark questions as answered -
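Steve's reply above says the WLC declares a server dead after three unanswered requests for one client, and Mladen's pings show why ICMP reachability does not settle the question. The following Python is an added example, not from either poster or from Cisco: it parses the WLC message-log lines quoted in the question (the index digit missing from the first pasted line is restored as 0), pairs each "unavailable" with the next "available" for the same server to get the flap count and outage lengths, and lists the request IDs that timed out. On these lines every timeout belongs to the same client MAC, which fits the single-client-retries explanation in the reply.

```python
from __future__ import annotations
import re
from datetime import datetime

# Lines quoted from the WLC message log in the post (newest first, as the
# WLC prints them). The leading index of the first line is restored.
WLC_LOG = """\
0 Thu Feb 27 15:01:11 2014 RADIUS auth-server 192.168.4.66:1812 available
1 Thu Feb 27 15:01:06 2014 RADIUS auth-server 192.168.4.66:1812 unavailable
2 Thu Feb 27 15:01:06 2014 RADIUS server 192.168.4.66:1812 failed to respond to request (ID 216) for client 9c:d2:4b:bd:82:fb / user '***'
3 Thu Feb 27 14:58:24 2014 RADIUS auth-server 192.168.4.66:1812 available
4 Thu Feb 27 14:58:22 2014 RADIUS auth-server 192.168.4.66:1812 unavailable
5 Thu Feb 27 14:58:22 2014 RADIUS server 192.168.4.66:1812 failed to respond to request (ID 128) for client 9c:d2:4b:bd:82:fb / user '***'
6 Thu Feb 27 14:57:56 2014 RADIUS auth-server 192.168.4.66:1812 available
7 Thu Feb 27 14:57:43 2014 RADIUS auth-server 192.168.4.66:1812 unavailable
8 Thu Feb 27 14:57:43 2014 RADIUS server 192.168.4.66:1812 failed to respond to request (ID 103) for client 9c:d2:4b:bd:82:fb / user '***'
9 Thu Feb 27 14:57:18 2014 RADIUS auth-server 192.168.4.66:1812 available
10 Thu Feb 27 14:57:12 2014 RADIUS auth-server 192.168.4.66:1812 unavailable
"""

LINE_RE = re.compile(
    r"^\s*(?:\d+\s+)?(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) RADIUS "
    r"(?:auth-server (?P<server>\S+) (?P<state>available|unavailable)"
    r"|server (?P<server2>\S+) failed to respond to request \(ID (?P<rid>\d+)\)"
    r" for client (?P<client>\S+))"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"


def parse_wlc_radius_log(text: str) -> list[dict]:
    """Turn WLC RADIUS message-log lines into events, oldest first. Lines that
    are not RADIUS server-state or timeout messages are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        if m.group("state"):
            events.append({"time": ts, "server": m.group("server"),
                           "kind": m.group("state")})
        else:
            events.append({"time": ts, "server": m.group("server2"),
                           "kind": "timeout", "request_id": int(m.group("rid")),
                           "client": m.group("client")})
    # Same-second ties: the timeout is logged before the state change it caused.
    events.sort(key=lambda e: (e["time"], 0 if e["kind"] == "timeout" else 1))
    return events


def outages(events: list[dict]) -> list[dict]:
    """Pair each 'unavailable' with the next 'available' for that server.
    A server still down at the end of the log gets end=None."""
    down: dict[str, datetime] = {}
    result = []
    for e in events:
        if e["kind"] == "unavailable":
            down.setdefault(e["server"], e["time"])
        elif e["kind"] == "available" and e["server"] in down:
            start = down.pop(e["server"])
            result.append({"server": e["server"], "start": start, "end": e["time"],
                           "seconds": (e["time"] - start).total_seconds()})
    for server, start in down.items():
        result.append({"server": server, "start": start, "end": None, "seconds": None})
    return result


def timed_out_requests(events: list[dict]) -> list[tuple[int, str]]:
    """(request id, client MAC) for every 'failed to respond' line."""
    return [(e["request_id"], e["client"]) for e in events if e["kind"] == "timeout"]


def summarize(text: str) -> dict:
    ev = parse_wlc_radius_log(text)
    outs = outages(ev)
    closed = [o["seconds"] for o in outs if o["seconds"] is not None]
    return {
        "flaps": len(outs),
        "downtime_seconds": sum(closed),
        "longest_seconds": max(closed, default=0),
        "timed_out_ids": [rid for rid, _ in timed_out_requests(ev)],
        "clients": sorted({c for _, c in timed_out_requests(ev)}),
    }


if __name__ == "__main__":
    for k, v in summarize(WLC_LOG).items():
        print(f"{k}: {v}")
```

Feed it `show msglog` output instead of the embedded lines to see how often a server flaps over a day; four outages of 2 to 13 seconds in four minutes, all triggered by one client, points at that client's EAP exchange (or the server's response time to it) rather than at the network path the pings tested.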
@Allen_Falcon - Yes it was upgraded by Meraki Support Team.
Hello Team,
Intro
We are using Cisco Meraki APs MR34 for our WiFi solution for our 3 campuses serving over 3000 students every day. Users are being authenticated with their Google Apps IDs for Education.
Problem.
We were successfully using the Google Apps email ID credentials, which is powered by Google, to authenticate our WiFi users until 20th April 2015. Then Google changed their authentication method from OAuth 1.0 to OAuth 2.0. As it happens, users were forced to redirect to the Google authentication page instead of typing their user ID and password on the Meraki splash page.
But now we are facing a problem authenticating OAuth 2.0 through the Meraki access point because of one or more of the following reasons.
1. Users are already logged in with their personal Gmail
2. Some devices are not compatible with the redirecting process
3. Need to clear cache and cookies
4. Need to...
This topic first appeared in the Spiceworks Community -
Radius auth to standby ASA in Active Active Failover
Hi Everyone,
When ASA is in Active/standby failover i can ssh to standby ASA using Radius.
But when ASA is in multi context mode Active/Active failover i can not do Radius Auth to standby ASA?
Is this default behaviour?
Regards
Mahesh
I would not have thought this is the default behavior... but then again, I have never tested this. If you console into the standby context, issue the command show run | in aaa. Which authentication database is indicated?
Please remember to select a correct answer and rate helpful posts -
Set-up Radius Server to ACS 4.2 and AD server
Hi Guys,
I would like to ask help from you on how to set-up Radius server in ACS 4.2 (step-by-step guide or link), wireless client will be authenticated via Active Directory when connecting to our Wireless AP so it means that our Wireless AP is added as client to Radius server.
Thanks in advance!
regards,
Gagamboy
Hi Colin,
thanks for your answer, we had this setting correct. I was able to solve the problem yesterday; we had some faults in the AD mapping.
I didn't know that when I select more AD groups for one ACS group in one step, the user / host has to be in every one of these AD groups (AND conjunction).
Now I only added one AD group for my ACS group and it works. The error message "AD user restriction" was not very helpful for finding this fault ;-)
Regards
Dominic -
ACS 5.3.0.40 with Bluecoat Packetshaper via Radius Auth using PAP/CHAP
Hi,
We have a strange issue, maybe a known issue. We have ACS 5.3.0.40 with Bluecoat PacketShaper (Packeteer) as the RADIUS client and tried PAP as well as CHAP with the suggested VSA. But once we try to authenticate with the GUI on the PS end we get authentication failed, i.e. it says invalid password, but on the ACS end we get it as an Auth success log. We are not able to log in to the PS as well. Does anyone have any idea what the issue is? Is anything to be done with a patch upgrade, or is there any issue with the PacketShaper?
below is the logs in ACS server.
Logged At: September 4,2012 4:10:26.250 PM
RADIUS Status: Authentication succeeded
NAS Failure:
Username: knpdtf
MAC/IP Address:
Network Device: Test-PS : 10.187.115.83:
Access Service: Radius Network
Identity Store: Internal Users
Authorization Profiles: Permit Access
CTS Security Group:
Authentication Method: PAP_ASCII
By
Karthik
Hi,
Do you have any special characters in the password? I would see if you can create an internal user in ACS and use a basic password (like cisco123) and see if the authentication will succeed. I have seen with some GUI based products that some special characters can cause some headaches.
thanks,
Tarik Admani
*Please rate helpful posts* -
TACACS auth and RADIUS accounting with ACS
I am having RADIUS accounting issues with an ASA 5520 that uses TACACS for authentication. Both are hosted on the same ACS server. I can send RADIUS info to my Microsoft IAS box but get Syslog ID 113022 errors when trying to send to the ACS RADIUS. A packet capture shows the RADIUS accounting request getting to the ACS box (Windows Server 2003 R2) but syslog shows failedauth. Any ideas?
Thank you for the response. I did verify the syslog explanation you gave below and the AAA server is online as TACACS message are getting to it. My configuration for the ASA for RADIUS is as follows
Server Group - RADIUS
Protocol - RADIUS
Accounting Mode - Simultaneous
Reactivation Mode - Timed
Max Failed attempts - 3
Two servers in the Server Group
ACS - Not working
Microsoft IAS - Working
I have tried removing the IAS server and changing the accounting mode to single and still getting auth failures.
ACS is configured as follows
Network Configuration
AAA Clients - ASA authenticate using TACACS+
AAA Servers - None listed. When I tried to add the ACS machine the error said the server already existed (In another Network Device Group) -
Cisco SPA504G continues to disconnect (Radius Auth and HP Switches)
Hey Cisco Community,
We recently exchanged our old PABX with a hosted solution instead. We have 2 locations where we use these phones and while the one location is running quite smoothly the other location is a bit more flaky. We know that the port authentication is causing this, but we don't know why and there doesn't seem to be a pattern. I'll try to describe how our setup works and maybe you guys can give me some ideas on what to do.
We recieved a 2nd internet connection which our phones need to connect to. Therefore we set up a specific VLAN which forwards traffic to the new router. We have a policy in Microsoft NPS that allows the MAC ranges of the phones. This is to not be placed in our unauthenticated network segment. The VLAN's are set manually on each phone in order for them to get an IP via DHCP on our dedicated VoIP router.
The phones seem to disconnect when they need to be reauthenticated by our switches. When you first set up the phone there are no issues with authenticating, getting the right IP or usage of the phone.
We have tried changing the time between reauthentications, but that's pretty much all we can do.
I hope someone has any ideas of what could be causing this. If you need switch configurations or anything just let me know.
Here are the steps that I can see in the RADIUS Authentication Detail:
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - Switch Web Admin
Evaluating Identity Policy
15004 Matched rule
15013 Selected Identity Store - Internal Users
24210 Looking up User in Internal Users IDStore - freiberg
24212 Found User in Internal Users IDStore
22037 Authentication Passed
Evaluating Group Mapping Policy
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15004 Matched rule
15016 Selected Authorization Profile - Permit Access
11002 Returned RADIUS Access-Accept
But the HP Switches are not very impressed by this "RADIUS Access-Accept"... -
How to monitor radius service in ACS 5?
Hi to all,
I have an ACS version 5 and the radius authentication is not working, i did a port scan to the ACS and I can't see the radius port open.
I tried to verify if the radius service is running but i can't find "where to" check that in this ACS 5 version, does anyone know where is that or what should i verify to see what the problem could be??
I also checked in the monitoring section but there is nothing matching radius authentication.
Thanks in advance for your help.