Cisco Nexus to use Radius AAA authentication using Microsoft 2008 NPS

I have a Nexus 7010 running
Just wondering if you can help me with something. I'm having an issue with command authorization through our AAA config. We don't have a problem authenticating; it's command authorization that is not working. From what I have seen and read, Nexus NX-OS 6.x does not have any commands for aaa authorization unless you are configuring TACACS+. My basic config is below; if you can help it would be much appreciated.
ip radius source-interface mgmt 0
radius-server key XXXXX
radius-server host X.X.X.X key XXXXX authentication accounting
radius-server host X.X.X.X key XXXXX authentication accounting
aaa authentication login default group Radius_Group
aaa authentication login console local
aaa group server radius Radius_Group
    server X.X.X.X
    server X.X.X.X
    source-interface mgmt0
Also, does anyone know how to configure Microsoft 2008 NPS as a RADIUS server to work with Nexus? I have read a few posts that suggest setting
shell:roles="vdc-admin" in the Attribute Value field on the RADIUS server.
Does anyone know if this works?
Thanks

I have done this before with ACS but not with NPS. However, you are on the right path. Nexus uses NX-OS, which is different in some regards from regular IOS. One of those differences is the AAA setup. In NX-OS you assign users to roles. So for full access you will need to return the following attributes from your RADIUS server:
Attribute: cisco-av-pair
Requirement: Mandatory
Value: shell:roles*"network-admin vdc-admin"
For more information take a look at this link:
http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html
Hope this helps
Thank you for rating helpful posts!
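
What the RADIUS server actually has to put on the wire for the reply above is a Vendor-Specific attribute (type 26) with Cisco's vendor id 9 and sub-type 1 (cisco-av-pair) carrying the shell:roles string. The following is an added example, not code from the thread or from Cisco: it builds such an Access-Accept, verifies its Response Authenticator the way an NX-OS client would, and extracts the role list from a capture. It accepts both the `*` separator used in the reply above and the `=` separator, which Cisco also documents for NX-OS. The shared secret, packet identifier and request authenticator are constructed sample values; a real request authenticator is copied from the Access-Request being answered.

```python
"""Build and parse a RADIUS Access-Accept carrying a cisco-av-pair VSA (RFC 2865).

Added example, not from the original thread. Vendor id 9 (Cisco) and VSA
sub-type 1 (cisco-av-pair) are real assignments; the shared secret, identifier
and request authenticator below are constructed sample values.
"""
import hashlib
import struct
from typing import Iterator, List, Tuple

CISCO_VENDOR_ID = 9
CISCO_AV_PAIR = 1
ATTR_VENDOR_SPECIFIC = 26
CODE_ACCESS_ACCEPT = 2


def cisco_av_pair(value: str) -> bytes:
    """Encode one Vendor-Specific attribute (type 26) wrapping a cisco-av-pair."""
    sub = value.encode()
    # vendor id (4) + vendor type (1) + vendor length (1, includes these 2 bytes) + string
    vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AV_PAIR, len(sub) + 2) + sub
    # outer TLV: type, length (includes the 2-byte header), value
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, len(vsa) + 2) + vsa


def build_access_accept(ident: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Assemble an Access-Accept.

    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret),
    so the NAS can tell the reply belongs to its request and came from a holder of the secret."""
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response_authenticator(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Recompute the Response Authenticator and compare it with the one in the packet."""
    header, attrs = packet[:4], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return expected == packet[4:20]


def iter_attributes(attrs: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, value) pairs from the attribute area; length covers the 2-byte header."""
    i = 0
    while i + 2 <= len(attrs):
        t, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        yield t, attrs[i + 2:i + length]
        i += length


def extract_roles(packet: bytes) -> List[str]:
    """Return the NX-OS roles carried in cisco-av-pair shell:roles attributes.

    Handles shell:roles="..." and the shell:roles*"..." form used in the thread;
    unrelated AV-pairs (e.g. shell:priv-lvl) are ignored."""
    roles: List[str] = []
    for t, v in iter_attributes(packet[20:]):
        if t != ATTR_VENDOR_SPECIFIC or len(v) < 6:
            continue
        vendor, vtype, vlen = struct.unpack("!IBB", v[:6])
        if vendor != CISCO_VENDOR_ID or vtype != CISCO_AV_PAIR or vlen != len(v) - 4:
            continue
        text = v[6:].decode(errors="replace")
        for sep in ("=", "*"):
            prefix = "shell:roles" + sep
            if text.startswith(prefix):
                roles.extend(text[len(prefix):].strip('"').split())
    return roles


def demo() -> List[str]:
    """Round trip: server builds the reply, client verifies it and reads the roles."""
    secret = b"XXXXX"                 # constructed; matches the placeholder in the config above
    request_auth = bytes(range(16))   # constructed; normally taken from the Access-Request
    pkt = build_access_accept(7, request_auth, secret,
                              cisco_av_pair('shell:roles*"network-admin vdc-admin"'))
    if not verify_response_authenticator(pkt, request_auth, secret):
        raise RuntimeError("Response Authenticator mismatch")
    return extract_roles(pkt)


if __name__ == "__main__":
    print(demo())
```

Run `extract_roles` over the payload of a captured Access-Accept to confirm what NPS is really sending; a reply that verifies but yields an empty role list means the AV-pair is missing or misspelt, and NX-OS will then fall back to its default role rather than grant network-admin.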

Similar Messages

  • Microsoft 2008 NPS Radius + wireless controller.

    Hi,
    We have implemented a new Microsoft 2008 NPS RADIUS server for authentication of the wireless controller.
    I am seeing "RADIUS server x.x.x.x:1812 failed to respond to request (ID 119) for client ............." in the controller, but there are no logs hitting the NPS server, either failed or success or otherwise.
    Layer 3 communication is fine between the controller and the server.
    As per the debug logs, the controller is forwarding the request to the NPS server: "Successful transmission of Authentication Packet to ......NPS proxy".
    But there is no further key exchange or successful authentication logs. Any idea on this?
    Thanks
    Shrinivas.K

    Download NTRadPing and test to see if your RADIUS is working. You can put a sniffer on and see if you see packets coming out of the WLC and RADIUS. You can always remove the AAA from the WLC and add it back on, and also remove and add back the WLC as an AAA client on the RADIUS server.
    Thanks,
    Scott Fella
    Sent from my iPhone

  • Cisco Nexus 5K + Microsoft Radius for Admin Authentication

    Hi,
    I have Cisco 3750 switches configured to use MS RADIUS for administrator authentication. However, now I would like to add our Cisco Nexus switches to MS RADIUS as well so that administrators are authenticated against the Microsoft RADIUS for admin authentication.
    I tried it earlier but it won't accept the 3750 commands. Can you please help me with a configuration example that I can follow?
    The commands I have used on the 3750 are as follows:
    aaa new-model
    aaa authentication login vtylogin group radius local
    aaa authentication login conlogin group radius local
    aaa authentication enable default group radius enable
    aaa authorization console
    aaa authorization exec vtylogin group radius local
    aaa authorization exec conlogin group radius local
    radius-server host x.x.x.x key SECRETE
    line con 0
    exec-timeout 5 0
    authorization exec conlogin
    logging synchronous
    login authentication conlogin
    line vty 0 4
    exec-timeout 0 0
    authorization exec vtylogin
    login authentication vtylogin
    transport input ssh
    line vty 5 15
    exec-timeout 0 0
    authorization exec vtylogin
    login authentication vtylogin
    transport input ssh

    I have done this before with ACS but not with NPS. However, you are on the right path. Nexus uses NX-OS, which is different in some regards from regular IOS. One of those differences is the AAA setup. In NX-OS you assign users to roles. So for full access you will need to return the following attributes from your RADIUS server:
    Attribute: cisco-av-pair
    Requirement: Mandatory
    Value: shell:roles*"network-admin vdc-admin"
    For more information take a look at this link:
    http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html
    Hope this helps
    Thank you for rating helpful posts!

  • Authentication Failed to 2008 NPS from Cisco IOS VPN

    I'm trying to authenticate VPN connections to a Windows 2008 NPS Radius server.
    Local authentication works fine.
    Here are the Cisco configs:
    aaa new-model
    aaa authentication login default local
    aaa authentication login VPNauth group radius local
    aaa authorization network VPNgroup local
    aaa session-id common
    ip radius source-interface Loopback0
    radius-server host x.x.x.x auth-port 1645 acct-port 1646 key 7 xxxx
    crypto map VPNMAP client authentication list VPNauth
    crypto map VPNMAP isakmp authorization list VPNgroup
    crypto map VPNMAP client configuration address respond
    crypto map VPNMAP 10 ipsec-isakmp dynamic dynmap
    ... other crypto commands
    This is the section of the log from NPS:
    Authentication Details:
        Connection Request Policy Name:    VPN
        Network Policy Name:        -
        Authentication Provider:        Windows
        Authentication Server:        x.x.x.x
        Authentication Type:        PAP
        EAP Type:            -
        Account Session Identifier:        -
        Logging Results:            Accounting information was written to the local log file.
        Reason Code:            16
        Reason:                Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
    I do have PAP enabled on the Network/Connection Request Policies...
    I'm stuck
    Please help

    Can you run a "test aaa" command to see if the user can be authenticated successfully?
    I think this might be a configuration issue on NPS. You can google it. Here is one I found; refer to the "irishHam" post.
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/bfbbbae4-a280-4b3f-b214-02867b7d33e3

  • Radius AAA authentication

    I couldn't find anything relevant, but apologies if it has already been answered.
    Is there any way of encrypting the traffic between a switch and a radius server when using radius to authenticate switch logins? As far as I can tell the traffic is passed between the switch and the radius server in plain text by default.

    Hi,
    Please bear in mind that it is not the RADIUS protocol that brings security, but rather the authentication method inside it.
    For example, if you use PEAP or EAP-TLS, the authentication is all carried inside a TLS tunnel.
    You can sniff the RADIUS packets but you will not be able to get any critical information from the client.
    Think of RADIUS as a transport mechanism for EAP authentication.
    HTH,
    Tiago
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.
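
The reply above describes the EAP case. For switch logins (the case asked about) the method inside RADIUS is PAP or CHAP, not EAP, so there is no TLS tunnel; what protects a PAP password is the User-Password hiding of RFC 2865 section 5.2: the password is XORed with an MD5 keystream derived from the shared secret and the Request Authenticator. The following is an added example, not code from the thread: it implements that hiding and its inverse, and shows that anyone holding, or guessing, the shared secret recovers the login password from a capture, which is why the secret's strength (or moving to RADIUS over TLS, RFC 6614, or an IPsec tunnel) matters. The shared secret, Request Authenticator and password are constructed sample values.

```python
"""RFC 2865 section 5.2 User-Password hiding, as used for PAP logins to a switch.

Added example, not from the original thread. The shared secret, Request
Authenticator and password below are constructed sample values.
"""
import hashlib
from typing import Iterable, Optional, Tuple


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Pad to a multiple of 16 octets and XOR each 16-octet block with
    MD5(secret + previous block), where the first 'previous block' is the
    Request Authenticator sent in clear in the same packet."""
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block            # chaining uses the *hidden* block
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password: same keystream, XOR applied to the hidden blocks.
    Trailing NUL padding is removed, so a password ending in NUL is not supported."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def guess_secret(hidden: bytes, request_auth: bytes,
                 candidates: Iterable[bytes]) -> Optional[Tuple[bytes, bytes]]:
    """Dictionary attack on the shared secret using one sniffed Access-Request.

    A wrong secret yields pseudo-random bytes; a candidate whose result is entirely
    printable ASCII is almost certainly the real secret, and the password falls out
    with it. This is the only barrier the hiding scheme puts in a sniffer's way."""
    printable = set(range(0x20, 0x7F))
    for cand in candidates:
        plain = unhide_password(hidden, cand, request_auth)
        if plain and all(c in printable for c in plain):
            return cand, plain
    return None


def demo() -> Optional[Tuple[bytes, bytes]]:
    """What an on-path observer with a small wordlist gets from one captured login."""
    secret = b"cisco123"                                        # constructed weak shared secret
    request_auth = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed; real ones are random
    hidden = hide_password(b"Sw1tchAdm1n!", secret, request_auth)
    # the sniffer sees request_auth and hidden in clear; the secret is all it lacks
    return guess_secret(hidden, request_auth, [b"secret", b"radius", b"cisco123"])


if __name__ == "__main__":
    print(demo())
```

The Request Authenticator changes per packet, so identical passwords hide differently, but there is no secrecy beyond the shared secret; a long, random, per-device secret is the minimum, and CHAP only moves the exposure from the password to an offline-crackable challenge/response.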

  • Cisco ASA 8.3 ldap AAA server setup Microsoft active directory fails

    Hello,
    I'm trying to set up ldap authentication for remote ssl vpn users like the picture below:
    When I try the test button, and enter any username and password I get the message "Authentication Rejected: User was not found"
    Why??? Please help, I'm running out of options here... Many many thanks in advance.

    Use the login DN in the following format.
    admin-user-name@domain_name and let me know how it goes.
    If the above suggestion doesn't work then please run the debug ldap 255 and paste the output here.
    Rgds,  Jatin
    Do rate helpful posts-

  • Microsoft 2008 NPS Radius + WLC

    Anyone have any luck getting this to work? I am at this point just trying to get the radius set up and get the certificate pulled into the EAP section of NPS. Or know if Cisco supports this type of setup. My 2003 IAS box was a snap but now have the Windows Team forcing this god-awful OS onto me to use. Any help docs links appreciated.

    Wow, this thread is still going?
    I found a solution to the issue:
    1. Install NPS
    Start - Control Panel - Programs and Features - Turn Windows Features on or off
    Rt-click Roles - Add Roles - Next - Network Policy and Access Services - Next - Next
    Network Policy Server (tick) - Next - Install - Close
    2. Start NPS and Register in AD
    Start - Administrative Tools - Network Policy Server
    Rt-click NPS (local) - Register Server in Active Directory - OK - OK
    3. Configure Network Policy for Computers
    Expand Policies
    Rt-click Network Policies - New
    Policy Name Computer Policy (or whatever you want to call it) - Next - Add
    Select Windows Groups - Add - Add Groups
    Enter Domain Computers - OK - OK
    Select NAS Port type - Wireless - IEEE 802.11 (tick) - OK - Next - Access Granted - Next
    Microsoft Encrypted Authentication MS CHAP (untick) - Add
    Select Microsoft: Protected EAP (PEAP) - OK - Next - Next
    Select Framed-Protocol | PPP - Remove
    Select Service Type | Framed - Remove
    Select Encryption - No encryption (untick) - Next - Finish
    4. Configure Network Policy for Users
    Repeat steps in 3 above substituting User Policy as name and Domain Users as Group
    5. Setup RADIUS client
    Expand RADIUS Clients and Servers
    Rt-click RADIUS Clients - New RADIUS client
    Friendly Name: WLAN Controller Name of your choice
    Address (IP or DNS): IP address of Controller
    Vendor Name: Cisco
    Shared Secret: The Access Key you set on the Controller - Confirm Shared Secret - OK
    6. Set up Wireless GPO (if you want to automate client distribution)
    Start - Administrative Tools - Group Policy Management
    Rt-click your domain object and Create a GPO in this Domain and Link it Here
    Call it WirelessClient or whatever floats your boat
    Rt-Click the GPO - Edit
    Computer Configuration - Policies - Windows Settings - Security Settings - Wireless Network (IEEE 802.11) Policies
    Rt-click Wireless Network (IEEE 802.11) Policies - Create a new Wireless Policy
    Policy Name WIRELESS (or whatever)
    The rest of the settings need to be as per your controller setup, below are settings for WPA2 enterprise
    Description: Wireless network - yadayada
    Authentication: WPA2
    Encryption: AES
    IEEE 802.1X tab - Settings
    Trusted Root Certificate Authorities - find your server's root certificate in the list and tick - OK - OK
    Repeat for additional SSIDs if necessary
    That should do it - it worked for me!

  • Aaa authentication enable default group tacacs+ enable

    I am implementing CSACS 4.0. First, on the client, I will apply aaa authentication/authorization under vty. The issue is, if I use the following command
    aaa authentication enable default group tacacs+ enable
    what will happen if I log in via console? Will I be required to enter any username/password?
    Below is my configuration
    aaa new-model
    aaa authentication login authvty group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization commands 15 authvty group tacacs+ local
    tacacs-server host IP
    tacacs-server key key
    ip tacacs source-interface Vlan3
    aaa accounting send stop-record authentication failure
    aaa accounting delay-start
    aaa accounting exec authvty start-stop group tacacs+
    aaa accounting commands 15 authvty start-stop group tacacs+
    aaa accounting connection authvty start-stop group tacacs+
    line vty 0 15
    login authentication authvty
    authorization commands 15 authvty
    accounting connection authvty
    accounting commands 15 authvty
    accounting exec authvty
    Any suggestion will be appreciated!

    It should work because this is a message banner prompt every time you try to log in (console/vty). I have it configured on my router.
    If you have a banner motd, it will be displayed as well (see below). So I have to remove it to get only the aaa banner and prompt displayed:
    *** Username: cisco, Password: cisco (priv 15 - local) ****
    Unauthorized use is prohibited.
    Enter your name here: user1
    Enter your password now:
    Router#
    The config more or less looks like:
    aaa new-model
    aaa authentication banner ^CUnauthorized use is prohibited.^C
    aaa authentication password-prompt "Enter your password now:"
    aaa authentication username-prompt "Enter your name here:"
    aaa authentication login default group radius
    aaa authentication login CONSOLE local
    HTH
    AK

  • AAA Authentication for Traffic Passing through ASA

    I am setting up AAA authentication for traffic that will pass through my ASA. I am having difficulty enabling 'aaa authentication secure-http-client'. Without secure communications enabled, access functions as expected. When I enable it, I get prompted for a username/password. The username/password is entered. Authentication passes (show uauth). The requested page (http://www.cisco.com) switches to https://x.x.x.x (a resolved IP address for the site). Eventually (5 seconds), I am asked to accept or deny a certificate. Interestingly, the certificate is for the ASA and not the requested site (http://www.cisco.com).
    Am I missing something?
    firewall# show run aaa
    aaa authentication http console TACACS+ LOCAL
    aaa authentication telnet console TACACS+ LOCAL
    aaa authentication serial console TACACS+ LOCAL
    aaa authentication ssh console TACACS+ LOCAL
    aaa authentication enable console TACACS+ LOCAL
    aaa authentication match guestnetwork_access guestnetwork RADIUS
    aaa authentication secure-http-client
    firewall# show access-li guestnetwork_access
    access-list guestnetwork_access; 2 elements
    access-list guestnetwork_access line 1 extended deny udp 10.255.255.0 255.255.255.0 any eq domain (hitcnt=33)
    access-list guestnetwork_access line 2 extended permit ip 10.255.255.0 255.255.255.0 any (hitcnt=412)
    firewall# show run aaa-s
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host 192.168.250.14
    key xxxxx
    firewall# show run http
    http server enable

    your definition for the aaa-server is different to the aaa authentication server-group
    try
    aaa authentication http console RADIUS LOCAL
    aaa authentication telnet console RADIUS LOCAL

  • Cisco nexus 7710 power

    Hi,
    I have a Cisco Nexus 7710 using the 3KW AC power supplies. Based on http://www.cisco.com/c/en/us/products/collateral/switches/nexus-7000-series-switches/data_sheet_c78-729141.html?cachemode=refresh , it seems that the maximum input current is 20A while the power cord indicated on the link is  rated 16A; I was wondering if a 20A power cord may be required instead since the maximum input current is 20A?
    For the circuit, not too sure if it can be connected to a 16A circuit?
    Any suggestion is appreciated.

    It says...
    "With Cisco NX-OS Release 6.2(6), you cannot interoperate the F3 Series plus the F2 and/or F2e Series plus the M2 Series modules in the same VDC."
    If I've understood correctly, it is not possible to do a LACP EtherChannel across two different modules, right?

  • Cisco Nexus 5010 FCOE Interconnection

    Hi, I would really appreciate your help on this doubt.
    Is it possible to create a link between two Cisco Nexus 5010
    using CNA interfaces?
    I've already configured the Ethernet interfaces (where the CNA is plugged in),
    I've bound E1/2, mapped the VSAN, created the specific traffic VLAN, and so on ...
    I have tried everything that's written in the manual but the vfc interface won't come up; it keeps telling me "vfc is down".
    What am I doing wrong? Or is this connection impossible ...
    Thanks in advance.

    5020A.1# show vlan fcoe
    Original VLAN ID        Translated VSAN ID      Association State
          100                       100              Operational
    5020A.1# sho feature | grep np
    npiv                  1         disabled
    npv                   1         enabled
    5020A.1# sho interface brief | grep -i fc
    fc2/3      100    NP     off     up               swl    NP      4    --
    fc2/4      100    NP     off     up               swl    NP      4    --
    vfc15      100    F      on      trunking         --     TF      auto --
    !!!here's vfc15 and it's associated interface
    5020A.1# sho run int vf15
    !Command: show running-config interface vfc15
    !Time: Thu Feb 17 12:45:29 2011
    version 5.0(2)N2(1)
    interface vfc15
      bind interface Ethernet1/15
      no shutdown
    5020A.1# show inter e1/15 status
    Port          Name               Status    Vlan      Duplex  Speed   Type
    Eth1/15       FCoE ports  connected trunk     full    10G     1/10g     
    5020A.1# sho run int e1/15
    !Command: show running-config interface Ethernet1/15
    !Time: Thu Feb 17 12:45:33 2011
    version 5.0(2)N2(1)
    interface Ethernet1/15
      description FCoE ports
      switchport mode trunk
      switchport trunk allowed vlan 1,10,30,100
      spanning-tree port type edge trunk
      load-interval counter 2 30
      load-interval counter 3 30
    5020A.1#
    I'd use this to get a look at FIP
    ethanalyzer local sniff-interface inbound-hi detailed-dissection display-filter vlan.etype==0x8914 limit-captured 200 write bootflash:fipcap1.pcap
    This is assuming that your eth1/2 is working and up.
    reply w/your associated show commands
    show fcoe vlan
    show feature | grep np
    show interface brief | grep -i fc
    show vsan
    sho run inter vfc x
    show run inter eth x/y
    show inter eth x/y status
    other questions
    1. what OS?
    2. what vendor of CNA card?
    Joe

  • AAA authentication for networking devices using ACS 4.1 SE

    Hi!!!
    I want to perform AAA authentication for networking devices using ACS 4.1 SE.
    I do have Cisco 4500, 6500,2960, 3750, 3560, ASA, CSMARS, routers (2821) etc in my network. I want to have radius based authentication for the same.
    I want telnet, SSH and console attempts to be verified by the RADIUS server, and if ACS goes down then it will be via the local enable password.
    For all users I need to have different privilege levels based upon which access will be granted.
    Could you please send me the config that is required to be done on the active devices as well as ACS?

    Pradeep,
    Are you planning MAC authentication for some users while using EAP for others?
    For MAC authentication, just use the following in your AP.
    aaa authentication login mac_methods group radius
    In your AP, select the radius server for mac authentication. You must have already defined your ACS as a radius server.
    In your SSID configuration, under client authentication settings,
    check "open authentication" and also select "MAC Authentication" from the drop-down list.
    If you want both MAC or EAP, then select "MAC Authentication or EAP" from the dropdown.
    Define the mac address as the username and password in ACS. Make sure the format of the mac is without any spaces.
    You will not need to change anything in XP.
    NOTE: XP normally does not require user authentication if machine has already authenticated but it might behave differently. If it does, I can let you know the registry settings to force the behaviour change.
    HTH

  • Cisco AAA authentication with windows radius server

    Cisco - Windows Radius problems
    I need to create a limited access group through RADIUS that I can have new network analysts log into
    and not be able to commit changes or get into global config.
    Here are my current radius settings
    aaa new-model
    aaa group server radius IAS
     server name something.corp
    aaa authentication login USERS local group IAS
    aaa authorization exec USERS local group IAS
    radius server something.corp
     address ipv4 1.1.1.1 auth-port 1812 acct-port 1813
     key mypassword
    line vty 0 4
     access-class 1 in
     exec-timeout 0 0
     authorization exec USERS
     logging synchronous
     login authentication USERS
     transport input ssh
    When I log in to the switch, the RADIUS server is passing the correct attribute
    ***Jan 21 13:59:51.897: RADIUS:   Cisco AVpair       [1]   18  "shell:priv-lvl=7"
    The switch is accepting it and putting you in the correct priv level.
    ***Radius-Test#sh priv
       Current privilege level is 7
    I am not sure why it logs you in with the prompt for privileged EXEC mode when
    you are in priv level 7. This shows that even though it looks like you're in priv exec
    mode, you are not.
    ***Radius-Test#sh run
                    ^
       % Invalid input detected at '^' marker.
       Radius-Test#
    Now this is where I am very lost.
    I am in priv level 7, but as soon as I use the enable command it moves me up to 15, and that gives me access to
    global config mode.
    ***Radius-Test#enable
       Radius-Test#
    Debug log -
    Jan 21 14:06:28.689: AAA/MEMORY: free_user (0x2B46E268) user='reynni10'
    ruser='NULL' port='tty390' rem_addr='10.100.158.83' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
    Now it doesn't matter that I was given priv level 7 by RADIUS because 'enable' put me into priv 15
    ***Radius-Test#sh priv
       Current privilege level is 15
       Radius-Test#
    I have tried to set
    ***privilege exec level 15 enable
    It works and I am no longer able to use 'enable' when I am at priv level 7, but I also cannot get the commands they will need to work.
    Even if I try to do
    ***privilege exec level 7 show running-config (or other variations)
    It will allow you to type sh run without errors, but it doesn't actually run the command.
    What am I doing wrong?
    I also want to get PKI working with radius.

    I can run a test on my radius system, will report back accordingly, as it's a different server than where I am currently located.
    Troubleshooting, have you deleted the certificate/network profile on the devices and started from scratch?

  • Cisco Nexus AAA authentication and console access

    We have a Nexus 7K with AAA authentication working. Now I have an issue: I can't log in using the console port because my logins are rejected. Is there any way we can log in to the console with local login details, or do we have to use ACS server (AAA) logins when connected to the console (while the ACS server is still reachable)?
    My main question is: I want to log in using the console port while the ACS server is still reachable. Is it possible?

    Perhaps I am not understanding some parts of the original post and if so I would appreciate clarification of what I missed. But it seems to me that the main question in the original post is whether the original poster would be able to login on the console. And it seems to me that the high level answer is that yes login to the console should be possible. The details of how that would work are dependent on details of how the N7K is configured. If the original poster would provide some details of the configuration (especially all of the aaa authentication commands and the configuration of line con 0) we would be in a much better position to provide helpful answers.
    HTH
    Rick

  • Cisco Nexus 3K Layer 3 Connectivity Issue while using Optical SFP

    Dear All,
    I am facing an L3 reachability issue between N3K switches, even in the same subnet. I also checked that the VLAN is allowed on the trunk port.
    I can see the switch details as a CDP neighbour.
    We are using SVIs, and found all the SVI and interface protocol statuses are up/up. So to test, I connected a host directly to the N3K with an optical SFP in an access port and found reachability failed, but when replacing the optical SFP module with an SFP Ethernet module, reachability is okay.
    Please help me to resolve this issue.
    Thanks,
    Kannan,

    Hello Amit,
    Pls find the following details..
    We use SFP-10G-LR Modules on both end, we also replaced and checked with SFP-10G-SR modules as well..
    Software
      BIOS:      version 1.9.0
      loader:    version N/A
      kickstart: version 6.0(2)A1(1b)
      system:    version 6.0(2)A1(1b)
      Power Sequencer Firmware:
                 Module 1: version v3.1
      BIOS compile time:       10/13/2012
      kickstart image file is: bootflash:///n3500-uk9-kickstart.6.0.2.A1.1b.bin
      kickstart compile time:  9/5/2013 14:00:00 [09/05/2013 22:37:16]
      system image file is:    bootflash:///n3500-uk9.6.0.2.A1.1b.bin
      system compile time:     9/5/2013 14:00:00 [09/06/2013 02:25:01]
    Hardware
      cisco Nexus 3548 Chassis ("48x10GE Supervisor")
    Thanks for the reply, and sorry for my delayed response..
