Cisco Meraki Radius auth to ACS 5.6

I have several Meraki APs deployed that I would like to use 2-factor authentication with, as well as AD group membership lookup.  The 2-factor service we are looking at is cloud-based RADIUS and only supports a few auth protocols.  The Meraki APs also only support a few auth types, and the two don't seem to line up.
It seems that when a user RADIUS-authenticates on an AP, this is only proxied by ACS to the RADIUS server??  So if the cloud RADIUS server and Meraki don't support the same type, it just fails with an error that the RADIUS server does not support the authentication method.

Hi Anthony,
I don't think it will support non-standard ports, as the options are only Disk, FTP, SFTP, TFTP and NFS.
Regards,
Chris

Similar Messages

  • Best Wireless Auth. methods ACS 3.2(3) and AD

    I am new to ACS and wireless authentication. I have just deployed my ACS 3.2 for Windows, and am trying to select the best methods of authentication for my environment. I have determined my risk level to be low to medium. I would consider MAC-based auth. to be sufficient for users that don't support LEAP or a similar protocol. I have a mixed OS base from Win98, 2000 and XP and MacOS 9.2 to MacOSX. I have AD set up as the external database, and it is working with ACS to allow RADIUS auth. on my AP1100G Access Points. My questions are these.
    1- What is the best practice for setting up the MAC address auth.? Do I create a text list, ACS records, SQL database, or can it be done in AD in some way?
    2- Is LEAP the best auth. protocol considering my needs? Is there one that would be less difficult to set up but offer the low to medium security I need?
    3- I am a little confused by the config that needs to exist on the Aironet 1100 series AP. What would be a good document/s for the configuration of these devices?
    Eric Bodily
    Idaho Falls School District 91
    Network Administrator

    I have no issues running Cisco ACS version 3.2 on Windows
    Server 2003 with SP2:
    1) create user test1 in MS Active Directory and put test1
    in users group with dial-in access granted,
    2) Create a group called "LDAP". Actually I renamed
    group name "group 1" to "LDAP".
    3) in ACS external user database configuration, I specified
    domain "CCIE" for this. Unknown user policy is to use
    Windows Database configuration,
    4) Configure the database configuration in ACS to point
    to "CCIE" windows domain,
    5) setup the ACS to authenticate one of your Cisco devices
    and log in using the MS windows account,
    By the way, mgurwara, you are wrong. I run Cisco
    ACS 3.2 on windows 2003 Enterprise Edition with Service
    Pack 2. I am running it on a Dell Optiplex Gx240
    (1.7 GHz with 512MB of RAM) and it is running fine.
    I use it to manage about 20 cisco devices and
    about 200 Wireless LEAP user(s). Furthermore, I am also
    running ACS 4.1 on another identical hardware. It has
    nothing to do with the hardware. I don't know where
    you get that information from.

  • Issue with Cisco Meraki APs

    Are there any known issues with Cisco Meraki APs with client devices which publish PMF support in probe requests?  We are seeing connectivity issues with Cisco Meraki MR12, MR16 and MX80 models.  Please update if there are any known issues with these APs.

    Thanks for your thoughts, Nathan. We do actually have the "Enable Fast Reconnect" option selected on our wireless profile. Good idea, though.
    We did also (originally) have 2 RADIUS servers defined within our wireless network. What we discovered was that each Meraki AP will try each one in order, top-to-bottom, and then primarily use the server that responded to it first. So, if for any reason you have a short-lived issue with your local RADIUS server responding to requests, and the AP is able to talk to a remote RADIUS server (in our case, one on the other side of the world) instead, the AP will elect to use the remote RADIUS server instead. In our case, the latency is high enough between these APs and this remote RADIUS server that while a client is roaming between APs, and having to re-authenticate, the entire process breaks down because (1) the client is moving between APs faster than the remote RADIUS server can authenticate the client, and (2) the entire exchange and communication ends up timing out -- thus forcing a manual re-connect. This is not a common occurrence by any means, but I just wanted to share what made us later choose to define only 1 RADIUS server, in the network settings. Surely our circumstance here is rather unique, but I thought it might be worth mentioning. Having only 1 RADIUS server defined forces ALL of our APs to use the same RADIUS server, regardless of anything else. It has resulted in a much smoother re-auth process for our clients.
    I appreciate the link you sent, however. If I come across anything else that is helpful, I'll certainly post it back here. I appreciate your input once again!

  • Adding RADIUS VSAs on ACS 3.2 SE

    I have tried to add a VSA to enable a Packeteer to authenticate using RADIUS on the ACS.
    Using RDBMS synchronization to import the csv file below.
    SequenceId,Priority,GroupName,Action,ValueName ,Value1,Value2,Value3
    1,1,External,163,26,access=look,2334,1
    The group name is 'External', Action is 163 which corresponds to ADD_RADIUS_ATTR.
    From RDBMS Sychronization Import Definitions (http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs32/user/ag.htm#wp35130)
    To add a vendor-specific attribute (VSA), set VN = "26" and use V2 and V3 as follows:
    •V2 = IETF vendor ID (which in this case is 2334)
    •V3 = VSA attribute ID (1)
    •V1 = In this case 'access=look'
    After a couple of attempts I got the format correct but when I try and import the file I don't get an "INFO" message in the "Reports" section of the ACS indicating that the process was successful. I don't get any message at all, WARNING, ERROR or INFO.
    From the FTP server I can confirm that the file was transferred.
    What I should get is an INFO message similar to:
    08/30/2004 16:27:50 INFO Sync complete: 1 transaction(s) 0 parse error(s) 0 process error(s)
    Any ideas as to what is wrong would be much appreciated.
    Cheers,
    Aylmer.

    Hi, you need to import the RADIUS VSA for Packeteer from their site.
    The link to the steps shown below is (might require you to subscribe & login):
    https://packeteer.custhelp.com/cgi-bin/packeteer.cfg/php/enduser/std_adp.php?p_faqid=399&p_created=1046793530&p_sid=gszcDFBh&p_lva=&p_sp=cF9zcmNoPTEmcF9zb3J0X2J5PWRmbHQmcF9ncmlkc29ydD0mcF9yb3dfY250PTImcF9wcm9kcz0wJnBfY2F0cz0wJnBfcHY9JnBfY3Y9JnBfc2VhcmNoX3R5cGU9YW5zd2Vycy5zZWFyY2hfZm5sJnBfcGFnZT0xJnBfc2VhcmNoX3RleHQ9YWNz&p_li=&p_topview=1
    In any case the same content is copied below:
    The steps on how to do them are also listed here.
    Create a User Defined Vendor
    First, you need to create a User Defined Vendor.
    1. Create a text file (packet.ini) and enter the following:
    [User Defined Vendor]
    Name=Packeteer
    IETF Code=2334
    VSA 1=Packeteer-AVPair
    [Packeteer-AVPair]
    Type=STRING
    Profile=OUT
    2. Name the file packet.ini.
    Add the Vendor to the Database
    Next, you need to add the above vendor to the database.
    1. Go to the command prompt, and change the directory to the Cisco Secure utils directory (typically C:\Program Files\CiscoSecure ACS v3.0\Utils).
    2. The instructions below install the vendor into User Defined slot 0. If you have other vendors, you need to change this number to a free slot. To see a list of slots and their assignments, use the csutil -listudv command. For example:
    C:\Program Files\CiscoSecure ACS v3.0\Utils>csutil -listudv
    CSUtil v3.0(2.5), Copyright 1997-2002, Cisco Systems Inc
    UDV 0 - Unassigned
    UDV 1 - Unassigned
    UDV 2 - Unassigned
    UDV 3 - Unassigned
    UDV 4 - Unassigned
    UDV 5 - Unassigned
    UDV 6 - Unassigned
    UDV 7 - Unassigned
    UDV 8 - Unassigned
    UDV 9 - Unassigned
    3. Run csutil -addudv to and add Packeteer to UDV (User Defined Vendor) slot 0 or the next
    open slot.
    C:\Program Files\CiscoSecure ACS v3.0\Utils>csutil -addudv 0 c:\temp\packet.ini
    CSUtil v3.0(2.5), Copyright 1997-2002, Cisco Systems Inc
    Adding or removing vendors requires ACS services to be re-started.
    Please make sure regedit is not running as it can prevent registry
    backup/restore operations
    Are you sure you want to proceed? (y/n)y
    Parsing [c:\temp\packet.ini] for addition at UDV slot [0]
    Stopping any running services
    Creating backup of current config
    Adding Vendor [Packeteer] added as [RADIUS (Packeteer)]
    Adding VSA [Packeteer-AVPair]
    Done
    Checking new configuration...
    New configuration OK
    Re-starting stopped services
    Verify that Packeteer was added.
    C:\Program Files\CiscoSecure ACS v3.0\Utils>
    C:\Program Files\CiscoSecure ACS v3.0\Utils>csutil -listudv
    CSUtil v3.0(2.5), Copyright 1997-2002, Cisco Systems Inc
    UDV 0 - RADIUS (Packeteer)
    UDV 1 - Unassigned
    UDV 2 - Unassigned
    UDV 3 - Unassigned
    UDV 4 - Unassigned
    UDV 5 - Unassigned
    UDV 6 - Unassigned
    UDV 7 - Unassigned
    UDV 8 - Unassigned
    UDV 9 - Unassigned
    4. Return to ACS Admin and select Network Configuration.
    From the main screen select Network Configuration and add the PacketShaper by supplying the AAA client Hostname, IP address and Key. Scroll through the Authenticate Using choices and select RADIUS (Packeteer).
    5. From the main screen select User Setup and enter a user name for a Touch or Look access user to the Packet Shaper. Supply the PAP/CHAP password. Leave other fields at defaults and scroll to the bottom
    of the form. Be sure the Packeteer-AVPair box is selected and supply either
    "access=touch" or "access=look" in the available entry space.

  • How to monitor Radius services on ACS 5.4

    Hi All,
    I want to monitor  Radius services of ACS 5.4,  In case of failure any radius service on ACS.
    ACS should send alert to Syslogs  or email notification
    Is there any way to monitor Radius services ? Anyone have any idea how to monitor.
    Regards.

    Hi Narinder,
       I don't think there is any particular way you can do that, because ACS 5.x doesn't have any particular RADIUS service.
    The services which are available and can be viewed through CLI and GUI are following:
    Database
    Management (ACS management subsystem)
    Ntpd
    Runtime (ACS runtime subsystem)
    View-alertmanager
    View-collector
    View-database
    View-jobmanager
    View-logprocessor
    https://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-ususer/guide/acsuserguide/viewer_sys_ops.html#pgfId-1052845
    Cheers 
    Minakshi

  • HP Wireless Printers cannot connect to WPA2-secured WiFi networks with Cisco/Meraki WAPs

    In the last two months, I've had the displeasure of working with two very different HP printers and attempting to make them work on a WPA2-secured wireless network.  All attempts to authenticate fail with "invalid passphrase".
    I'm not the first person to encounter this, it's a problem with many different HP wireless printers (I just happen to have physical access to the OfficeJet Pro 8610 & Deskjet 3511). 
    My equipment is a Cisco ASA 5505 Firewall running ASA 9.1x & Cisco Aironet 1142 running IOS 15.3.x. 
    What does work on the WPA2/AES SSID:  Apple MacBook Air running OSX 10.10.2, Three Windows-Based laptops running Windows 8.1 Update 1, an iPhone 5s, Three Windows Phone 8.1 devices, Roku 2, PlayStation 4, PlayStation 3, Sharp Aquos TV, Amazon Streaming Stick, and an Android Tablet (Jellybean).  Basically, everything. 
    What does not work on the WPA2 network:  OfficeJet Pro 8610 & Deskjet 3511.
    To test the theory there is a problem with HP's implementation of WPA2 with regard to Cisco Aironet IOS, I built out a second SSID that only works in WPA/TKIP mode.  This solution works.  Both HP printers will join the WPA/TKIP network.
    So, I'm able to demonstrate there is a certain connectivity issue.  When I look at AAA Debug on the WAP's console, I can observe the HPs attempt to authenticate "Bind I/F" on the WPA2 SSID; however they do not achieve authentication and do not pass the AAA phase.  However, on the WPA SSID, they bind and authenticate successfully.
    To help illustrate this, here is my WAP running config.  It's about as simple as it can get.  There is no relevant MAC filtering or ACLs bound to any interface.  Note that I have an ACL on remote access to the WAP (i.e. locked down to SSH, disabling telnet).  The main point being that the ASA firewall is not a factor in this problem, as the issue is at the WAP before WPA2 authentication can complete, therefore the printers never reach the network / when the printers connect to the WPA network, they operate fully & correctly.
    If anyone at HP can indicate why this particular config is somehow improper or broken, that would be fantastic.  There should be no reason why Cisco / Meraki WAP owners have to lower wireless encryption standards just for a printer, be forced into wired, create separate SSIDs with lower encryption specifically for a device. 
    Building configuration...
    Current configuration : 6064 bytes
    ! Last configuration change at 12:46:47 UTC Fri Aug 20 1993 by admin
    version 15.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname 10-10-50-1
    logging buffered 1024768
    logging rate-limit console 9
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa session-id common
    no ip source-route
    no ip cef
    ip domain name freedom.local
    dot11 syslog
    dot11 vlan-name inside vlan 50
    dot11 vlan-name inside-wpa-only vlan 70
    dot11 ssid inside
       vlan 50
       band-select
       authentication open
       authentication key-management wpa version 2
       mbssid guest-mode
       wpa-psk ascii 7 xxxxxx
       information-element ssidl
    dot11 ssid inside-wpa-only
       vlan 70
       band-select
       authentication open
       authentication key-management wpa
       mbssid guest-mode
       wpa-psk ascii 7 xxxxxx
       information-element ssidl
    dot11 band-select parameters
       cycle-count 3
       cycle-threshold 200
       expire-supression 20
       expire-dual-band 60
       client-rssi 75
    dot11 wpa handshake timeout 500
    dot11 network-map
    username ADMIN privilege 15 secret 5 xxxxxx
    ip ssh version 2
    bridge irb
    interface Dot11Radio0
     no ip address
     no ip route-cache
     encryption vlan 50 mode ciphers aes-ccm
     encryption vlan 70 mode ciphers aes-ccm tkip
     ssid inside
     ssid inside-wpa-only
     antenna gain 0
     mbssid
     speed  basic-1.0 basic-2.0 basic-5.5 basic-11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
     channel 2412
     station-role root
     l2-filter bridge-group-acl
    interface Dot11Radio0.50
     encapsulation dot1Q 50 native
     no ip route-cache
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface Dot11Radio0.70
     encapsulation dot1Q 70
     no ip route-cache
     bridge-group 70
     bridge-group 70 subscriber-loop-control
     bridge-group 70 input-address-list 700
     bridge-group 70 output-address-list 700
     bridge-group 70 spanning-disabled
     bridge-group 70 block-unknown-source
     no bridge-group 70 source-learning
     no bridge-group 70 unicast-flooding
    interface GigabitEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
    interface GigabitEthernet0.50
     encapsulation dot1Q 50 native
     no ip route-cache
     bridge-group 1
     bridge-group 1 spanning-disabled
     no bridge-group 1 source-learning
    interface GigabitEthernet0.70
     encapsulation dot1Q 70
     no ip route-cache
     bridge-group 70
     bridge-group 70 spanning-disabled
     no bridge-group 70 source-learning
    interface BVI1
     mac-address xxxx.xxxx.xxxx
     ip address 10.10.50.1 255.255.255.0
     no ip route-cache
    ip forward-protocol nd
    ip http server
    ip http authentication aaa
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip route 0.0.0.0 0.0.0.0 10.10.50.2
    logging history size 100
    access-list 111 permit tcp any any neq telnet
    bridge 1 route ip
    line con 0
     access-class 111 in
    line vty 0 4
     access-class 111 in
     length 0
     transport input ssh
    line vty 5 15
     access-class 111 in
     transport input ssh
    end

    I get the same behavior with a laserjet m451nw. I need to enable tkip to get the printer working, it doesn't support pure aes-ccm (every other device here supports pure aes-ccm, even cheap ones), although it's advertised as working.
    The following snippet of config works, but I still think it should work without the tkip "hack".
    dot11 ssid whatever
    vlan 1
    band-select
    authentication open
    authentication key-management wpa version 2
    interface Dot11Radio0
    encryption vlan 1 mode ciphers aes-ccm tkip

  • Using TACACS+ auth from ACS 5.1.0.44 to ACE. Having Issues with Shell (Exec)

    Using TACACS+ auth from ACS 5.1.0.44 to ACE. Having Issues with Shell (Exec)
    So I am trying to get TACACS+ auth to work for my ACE.
    The command string that I have on the ACE is as follows:
    tacacs-server host 172.16.101.4 key 7 XXXYYYZZZ timeout 15
    aaa group server tacacs+ tacacs+
      server 172.16.101.4
    aaa authentication login default group tacacs+ local
    aaa authentication login console local
    aaa accounting default group tacacs+ local
    But to finish getting this enabled I need to create some sort of shell (exec) string in the ACS that tells the ACE what permission level to allocate.
    I do not know how to do this on the ACS 5.1.0.44.
    Anyone know?
    TAC made a good suggestion but the command path doesn't seem to line up with my version of ACS.
    Thanks for your reply. About this question:
    shell:<Context>*<Role> <Domain>
    What I meant is that you need to check the following couple of things on
    your ACS server in order to have AAA TACACS users log in to the
    ACE over the context with superuser rights.
    Group setup -> users -> TACACS+ Settings -> enable Shell(exec)
    -> enable Custom attributes -> right below this part you need to
    use the following syntax to link the ACE context that this user
    has access to.
    For example:
    shell:<Context>*<Role> <Domain>
    shell:Admin*Admin default-domain
    Where this user will have access to the Admin context with the role
    admin using the 'default-domain'

    Wilfred,
    What you will have to do on your version of ACS is modify the shell profile that your admins are hitting for other IOS devices or you can create another shell profile under Policy Elements -> Device Administration ->
    Once you get into this shell profile, select the Custom Attributes tab and fill in the fields near the bottom of the screen: from the example you provided, type shell:Admin for the attribute field and default-domain for the value field, and make sure you set this requirement as optional; if you select mandatory and other IOS devices use this same shell profile, you will force this AV pair to those devices too, which will impact the privilege levels they need for authentication.
    After you add this attribute, save your changes and then test; also make sure that your Access Policy is calling this shell profile under the authorization profile for default device admin.
    Thanks,
    Tarik Admani

  • RADIUS auth-server unavailable messages

    Hello,
    during troubleshooting of some other WLC (WiSM2, 7.4.121.0) issues I have noticed that there is some messages like this:
    Thu Feb 27 15:01:11 2014    RADIUS auth-server 192.168.4.66:1812 available
    1    Thu Feb 27 15:01:06 2014    RADIUS auth-server 192.168.4.66:1812 unavailable
    2    Thu Feb 27 15:01:06 2014    RADIUS server 192.168.4.66:1812 failed to respond to request (ID 216) for client 9c:d2:4b:bd:82:fb / user '***'
    3    Thu Feb 27 14:58:24 2014    RADIUS auth-server 192.168.4.66:1812 available
    4    Thu Feb 27 14:58:22 2014    RADIUS auth-server 192.168.4.66:1812 unavailable
    5    Thu Feb 27 14:58:22 2014    RADIUS server 192.168.4.66:1812 failed to respond to request (ID 128) for client 9c:d2:4b:bd:82:fb / user '***'
    6    Thu Feb 27 14:57:56 2014    RADIUS auth-server 192.168.4.66:1812 available
    7    Thu Feb 27 14:57:43 2014    RADIUS auth-server 192.168.4.66:1812 unavailable
    8    Thu Feb 27 14:57:43 2014    RADIUS server 192.168.4.66:1812 failed to respond to request (ID 103) for client 9c:d2:4b:bd:82:fb / user '***'
    9    Thu Feb 27 14:57:18 2014    RADIUS auth-server 192.168.4.66:1812 available
    10    Thu Feb 27 14:57:12 2014    RADIUS auth-server 192.168.4.66:1812 unavailable
    During that time I have ping radius server from console but it looks OK:
    (WiSM-slot25-1) >ping 192.168.4.66
    Send count=3, Receive count=3 from 192.168.4.66
    (WiSM-slot25-1) >ping 192.168.4.66
    Send count=3, Receive count=3 from 192.168.4.66
    (WiSM-slot25-1) >ping 192.168.4.66
    Send count=3, Receive count=3 from 192.168.4.66
    (WiSM-slot25-1) >ping 192.168.4.66
    Send count=3, Receive count=3 from 192.168.4.66
    (WiSM-slot25-1) >ping 192.168.4.66
    Send count=3, Receive count=3 from 192.168.4.66
    (WiSM-slot25-1) >ping 192.168.4.66
    Send count=3, Receive count=3 from 192.168.4.66
    (WiSM-slot25-1) >
    (WiSM-slot25-1) >show time
    Time............................................. Thu Feb 27 15:00:10 2014
    (WiSM-slot25-1) >ping 192.168.4.66
    Send count=3, Receive count=3 from 192.168.4.66
    (WiSM-slot25-1) >ping 192.168.4.66
    Send count=3, Receive count=3 from 192.168.4.66
    (WiSM-slot25-1) >ping 192.168.4.66
    Send count=3, Receive count=3 from 192.168.4.66
    (WiSM-slot25-1) >ping 192.168.4.66
    Send count=3, Receive count=3 from 192.168.4.66
    (WiSM-slot25-1) >ping 192.168.4.66
    Send count=3, Receive count=3 from 192.168.4.66
    (WiSM-slot25-1) >ping 192.168.4.66
    Send count=3, Receive count=3 from 192.168.4.66
    (WiSM-slot25-1) >ping 192.168.4.66
    Send count=3, Receive count=3 from 192.168.4.66
    (WiSM-slot25-1) >ping 192.168.4.66
    Send count=3, Receive count=3 from 192.168.4.66
    (WiSM-slot25-1) >ping 192.168.4.66
    Send count=3, Receive count=3 from 192.168.4.66
    (WiSM-slot25-1) >ping 192.168.4.66
    Send count=3, Receive count=3 from 192.168.4.66
    (WiSM-slot25-1) >ping 192.168.4.66
    Send count=3, Receive count=3 from 192.168.4.66
    (WiSM-slot25-1) >ping 192.168.4.66
    Send count=3, Receive count=3 from 192.168.4.66
    There is only one radius configured in WLC.
    (WiSM-slot25-1) >show radius auth statistics
    Authentication Servers:
    Server Index..................................... 1
    Server Address................................... 192.168.4.66
    Msg Round Trip Time.............................. 11 (msec)
    First Requests................................... 31952
    Retry Requests................................... 285
    Accept Responses................................. 4002
    Reject Responses................................. 274
    Challenge Responses.............................. 27620
    Malformed Msgs................................... 0
    Bad Authenticator Msgs........................... 0
    Pending Requests................................. 0
    Timeout Requests................................. 341
    Unknowntype Msgs................................. 0
    Other Drops...................................... 0
    What can I do to troubleshoot this: some debug commands, timer tuning...?
    Regards,
    Mladen

    That could also be load on the AAA server.  The WLC calls a RADIUS server dead/unavailable if it doesn't respond to 3 requests for a client authentication.
    You may want to also try disabling aggressive failover:
    config radius aggressive-failover disable
    This changes the behavior of the WLC so that the AAA server has to not respond to three consecutive clients before it's called dead.  But if you only have the one server it may not help too much.
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered
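    The log excerpt in the question, read together with Steve's point that the WLC marks a server dead after unanswered requests, can be checked mechanically instead of by eye. The following is an added example and not code from this thread or from Cisco: it parses the WLC message log lines as pasted (the index 0 on the first line is assumed, since it was cut off in the post), pairs each unavailable/available transition into an outage, counts the unanswered requests, and flags flapping inside a time window; the window and threshold values are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the WLC message log pasted in the thread (newest first);
# the index "0" on the first line is assumed, since it was cut off in the post.
SAMPLE_LOG = """\
0    Thu Feb 27 15:01:11 2014    RADIUS auth-server 192.168.4.66:1812 available
1    Thu Feb 27 15:01:06 2014    RADIUS auth-server 192.168.4.66:1812 unavailable
2    Thu Feb 27 15:01:06 2014    RADIUS server 192.168.4.66:1812 failed to respond to request (ID 216) for client 9c:d2:4b:bd:82:fb / user '***'
3    Thu Feb 27 14:58:24 2014    RADIUS auth-server 192.168.4.66:1812 available
4    Thu Feb 27 14:58:22 2014    RADIUS auth-server 192.168.4.66:1812 unavailable
5    Thu Feb 27 14:58:22 2014    RADIUS server 192.168.4.66:1812 failed to respond to request (ID 128) for client 9c:d2:4b:bd:82:fb / user '***'
6    Thu Feb 27 14:57:56 2014    RADIUS auth-server 192.168.4.66:1812 available
7    Thu Feb 27 14:57:43 2014    RADIUS auth-server 192.168.4.66:1812 unavailable
8    Thu Feb 27 14:57:43 2014    RADIUS server 192.168.4.66:1812 failed to respond to request (ID 103) for client 9c:d2:4b:bd:82:fb / user '***'
9    Thu Feb 27 14:57:18 2014    RADIUS auth-server 192.168.4.66:1812 available
10    Thu Feb 27 14:57:12 2014    RADIUS auth-server 192.168.4.66:1812 unavailable
"""

# One regex for the two message shapes that matter here: server state changes
# and the individual requests the server did not answer.
LINE_RE = re.compile(
    r"^\s*(?:\d+\s+)?(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s+RADIUS "
    r"(?:auth-server (?P<srv>\S+) (?P<state>available|unavailable)"
    r"|server (?P<srv2>\S+) failed to respond to request \(ID (?P<rid>\d+)\) "
    r"for client (?P<client>\S+))"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"


def parse_wlc_log(text):
    """Return matching events oldest-first. The WLC lists newest first, so the
    input order is reversed before a stable sort; same-second events keep the
    order in which the WLC logged them."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated message types are ignored
        ts = datetime.strptime(" ".join(m.group("ts").split()), TS_FMT)
        if m.group("state"):
            events.append({"time": ts, "server": m.group("srv"),
                           "kind": m.group("state")})
        else:
            events.append({"time": ts, "server": m.group("srv2"),
                           "kind": "failed", "rid": int(m.group("rid")),
                           "client": m.group("client")})
    events.reverse()
    events.sort(key=lambda e: e["time"])
    return events


def summarize(events):
    """Per server: how often it was marked dead, how many requests went
    unanswered, and the outage windows as (start, end, seconds). An outage
    still open at the end of the log has end None and is not totalled."""
    out = {}
    for e in events:
        s = out.setdefault(e["server"], {"flaps": 0, "failed_requests": 0,
                                         "outages": [], "_down_since": None})
        if e["kind"] == "failed":
            s["failed_requests"] += 1
        elif e["kind"] == "unavailable":
            s["flaps"] += 1
            if s["_down_since"] is None:
                s["_down_since"] = e["time"]
        elif s["_down_since"] is not None:  # "available" closes an open outage
            secs = int((e["time"] - s["_down_since"]).total_seconds())
            s["outages"].append((s["_down_since"], e["time"], secs))
            s["_down_since"] = None
    for s in out.values():
        if s["_down_since"] is not None:
            s["outages"].append((s["_down_since"], None, None))
        closed = [o[2] for o in s["outages"] if o[2] is not None]
        s["total_unavailable_s"] = sum(closed)
        s["max_unavailable_s"] = max(closed) if closed else 0
        del s["_down_since"]
    return out


def flap_alert(events, server, window_s=300, threshold=3):
    """True if the server was marked unavailable at least `threshold` times
    inside any `window_s`-second window (both values are assumptions)."""
    downs = [e["time"] for e in events
             if e["server"] == server and e["kind"] == "unavailable"]
    lo = 0
    for hi in range(len(downs)):
        while (downs[hi] - downs[lo]).total_seconds() > window_s:
            lo += 1
        if hi - lo + 1 >= threshold:
            return True
    return False


if __name__ == "__main__":
    evs = parse_wlc_log(SAMPLE_LOG)
    for server, s in summarize(evs).items():
        print(server, s["flaps"], "dead-marks,", s["failed_requests"],
              "unanswered requests,", s["total_unavailable_s"], "s down")
        print("flapping:", flap_alert(evs, server))
```

    On the pasted log this reports four dead-marks, three unanswered requests and 26 seconds of accumulated unavailability, which is the pattern of a server that answers pings but occasionally misses RADIUS requests rather than one that is actually down.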

  • Cisco Meraki & Google Apps

    @Allen_Falcon - Yes it was upgraded by Meraki Support Team.

    Hello Team,
    Intro: We are using Cisco Meraki APs MR34 for our WiFi solution for our 3 campuses serving over 3000 students every day. Users are being authenticated with their Google Apps IDs for Education.
    Problem: We were successfully using the Google Apps email ID credentials, which is powered by Google, to authenticate our WiFi users until 20th April 2015. Then Google changed their authentication method from OAuth 1.0 to OAuth 2.0. As it happens, users were forced to redirect to the Google authentication page instead of typing their user ID and password on the Meraki splash page. But now we are facing a problem authenticating OAuth 2.0 through the Meraki access point because of one or more of the following reasons: 1. Users are already logged in with their personal Gmail 2. Some devices are not compatible with the redirecting process 3. Need to clear cache and cookies 4. Need to...
    This topic first appeared in the Spiceworks Community

  • Radius auth to standby ASA in Active Active Failover

    Hi Everyone,
    When the ASA is in Active/Standby failover I can SSH to the standby ASA using RADIUS.
    But when the ASA is in multi-context mode Active/Active failover I cannot do RADIUS auth to the standby ASA?
    Is this the default behaviour?
    Regards
    Mahesh

    I would not have thought this is the default behavior... but then again, I have never tested this.  If you console into the standby context, issue the command show run | in aaa.  Which authentication database is indicated?
    Please remember to select a correct answer and rate helpful posts

  • Set-up Radius Server to ACS 4.2 and AD server

    Hi Guys,
    I would like to ask for your help on how to set up a RADIUS server in ACS 4.2 (step-by-step guide or link). Wireless clients will be authenticated via Active Directory when connecting to our wireless AP, so it means that our wireless AP is added as a client to the RADIUS server.
    Thanks in advance!
    regards,
    Gagamboy

    Hi Colin
    thanks for your answer, we had this setting correct. I was able to solve the problem yesterday; we had some faults in the AD mapping.
    I didn't know that when I select more AD groups for one ACS group in one step, the user / host has to be in every one of these AD groups (AND conjunction).
    Now I only added one AD group for my ACS group and it works. The error message "AD user restriction" was not very helpful for finding this fault ;-)
    Regards
    Dominic

  • ACS 5.3.0.40 with Bluecoat Packetshaper via Radius Auth using PAP/CHAP

    Hi,
    We have a strange issue; it may be a known issue. We have the ACS 5.3.0.40 with Bluecoat Packetshaper (Packeteer) as the RADIUS client and tried with PAP as well as CHAP with the suggested VSA. But once we try to authenticate with the GUI on the PS end we get authentication failed, i.e. it says invalid password, but on the ACS end we get it as the Auth success log. We are not able to log in to the PS as well. Anyone have any idea what the issue is? Is anything to be done with the patch upgrade, or is there any issue with the Packetshaper?
    Below are the logs on the ACS server.
    Logged At:        September 4,2012 4:10:26.250 PM
    RADIUS Status: Authentication        succeeded
    NAS Failure:
    Username: knpdtf
    MAC/IP Address:
    Network        Device: Test-PS : 10.187.115.83:
    Access Service: Radius Network
    Identity        Store: Internal Users
    Authorization Profiles: Permit Access
    CTS        Security Group:
    Authentication Method: PAP_ASCII
    By
    Karthik

    Hi,
    Do you have any special characters in the password? I would see if you can create an internal user in ACS and use a basic password (like cisco123) and see if the authentication will succeed. I have seen with some GUI based products that some special characters can cause some headaches.
    thanks,
    Tarik Admani
    *Please rate helpful posts*

  • TACACS auth and RADIUS accounting with ACS

    I am having RADIUS accounting issues with an ASA 5520 that uses TACACS for authentication. Both are hosted on the same ACS server. I can send RADIUS info to my Microsoft IAS box but get Syslog ID 113022 errors when trying to send to the ACS RADIUS. A packet capture shows the RADIUS accounting request getting to the ACS box (Windows Server 2003 R2) but syslog shows failedauth. Any ideas?

    Thank you for the response. I did verify the syslog explanation you gave below, and the AAA server is online as TACACS messages are getting to it. My configuration on the ASA for RADIUS is as follows:
    Server Group - RADIUS
    Protocol - RADIUS
    Accounting Mode - Simultaneous
    Reactivation Mode - Timed
    Max Failed attempts - 3
    Two servers in the Server Group
    ACS - Not working
    Microsoft IAS - Working
    I have tried removing the IAS server and changing the accounting mode to single and still getting auth failures.
    ACS is configured as follows
    Network Configuration
    AAA Clients - ASA authenticate using TACACS+
    AAA Servers - None listed. When I tried to add the ACS machine the error said the server already existed (In another Network Device Group)

  • Cisco SPA504G continues to disconnect (Radius Auth and HP Switches)

    Hey Cisco Community,
    We recently exchanged our old PABX with a hosted solution instead. We have 2 locations where we use these phones and while the one location is running quite smoothly the other location is a bit more flaky. We know that the port authentication is causing this, but we don't know why and there doesn't seem to be a pattern. I'll try to describe how our setup works and maybe you guys can give me some ideas on what to do.
    We received a 2nd internet connection which our phones need to connect to. Therefore we set up a specific VLAN which forwards traffic to the new router. We have a policy in Microsoft NPS that allows the MAC ranges of the phones. This is so they are not placed in our unauthenticated network segment. The VLANs are set manually on each phone in order for them to get an IP via DHCP on our dedicated VoIP router.
    The phones seem to disconnect when they need to be reauthenticated by our switches. When you first set up the phone there are no issues with authenticating, getting the right IP or usage of the phone.
    We have tried changing the time between reauthentications, but that's pretty much all we can do.
    I hope someone has any ideas of what could be causing this. If you need switch configurations or anything just let me know.

    Here are the steps that I can see in the RADIUS Authentication Detail:
    Steps
    11001  Received RADIUS  Access-Request
    11017  RADIUS created a new session
    Evaluating Service Selection Policy
    15004  Matched rule
    15012  Selected Access Service - Switch Web  Admin
    Evaluating Identity Policy
    15004  Matched rule
    15013  Selected Identity Store - Internal  Users
    24210  Looking up User in Internal Users IDStore -  freiberg
    24212  Found User in Internal Users  IDStore
    22037  Authentication Passed
    Evaluating Group Mapping Policy
    Evaluating Exception Authorization  Policy
    15042  No rule was matched
    Evaluating Authorization Policy
    15004  Matched rule
    15016  Selected Authorization Profile - Permit  Access
    11002  Returned RADIUS Access-Accept
    But the HP Switches are not very impressed by this "RADIUS Access-Accept"...

  • How to monitor radius service in ACS 5?

    Hi to all,
    I have an ACS version 5 and the RADIUS authentication is not working. I did a port scan of the ACS and I can't see the RADIUS port open.
    I tried to verify if the RADIUS service is running but I can't find where to check that in this ACS 5 version. Does anyone know where that is, or what I should verify to see what the problem could be?
    I also checked in the monitoring section but there is nothing matching RADIUS authentication.
    Thanks in advance for your help.
