Configure IP pool from radius server
Hi, all
My ADSL system's using a ERX-700 (juniper) as a BRAS and 7206 for backup.
Everything is alright except assigning name of pool to BRAS.
ERX-700 use frame-pool attr to provide pool name instead of addr-pool attr as 7206.
IOS can unsupport this attr but I can't configure both attr on radius.
Can you help to overcome this problem
Thanks a lot.
This is a radius issue. It does depends on the AAA server you're using how to configure both NASes independently.
For instance, if you would be using NavisRadius product as AAA server to configure which attributes to send back per NAS is really piece of cake:
1) First, you have you to define how to identify separately both NASes, either by IP, technology, by checking the calling-station-id, or whatever.
Supposing you do use IP, which maybe is easier, you do have to define a clients file, for instance:
10.0.0.1 secret_key ERX700
10.0.0.2 secret_key2 Cisco7200
10.0.0.3 secret_key3 AS5800
2) Depending on who's sending the request define what to do next and what attributes send back. With NavisRadius you make this thru a Policy Flow, which is like a set of instructions to configure it, either manually or thru a GUI. Thru this set you could do for instance:
checkClientClass Method-Type="Branch"
Branch-Case = "Cisco7200\tsetIPAdressPoolA"
Branch-Case = "ERX700\tsetIPforERX"
Branch-Case = "AS5800\tsetIpsecService"
Branch-Case = "*\tUnknownClient"
Branch-SelectMode = "KEY"
Branch-SearchKey = "${client.Client-Class}"
3) And finally depending on the tag used go to another method which sends the needed attributes back to the NAS or do whatever you want to do depending on the case.
This is a very brief example, since the product is really flexible and allows many other possibilities, like getting the IP pools from another server, etc.
Good luck!
Similar Messages
-
Waiting ACK from Radius Server before sending traffic
Hello,
After receiving the access accept from the Radus, the AS give the IP address to the client/user and send a Accounting Start to the Radus Server.
I just want to know if is possible for the AS to wait the Ack of the Accounting Start from the Radius Server, before forwarding the client traffic to the destination.
I see some documentation in the web and I find:
aaa dnis map xxx accounting network wait-start group YYY..
Is this the right thing to do? If I use ? after network this option doesn't appear.
The IOS is: 5300-j-mz.122-11.T2.bin
Thanks a lot
Ira
IraYes, I think its possible to start the accounting after receiving ack from radius server.For this, the command will be,
router(config)#aaa accounting "what-to-track info" wait-start "where-to-send info".
This wait-start cmd says that wait for receiving the ack from server before staring the accounting process. -
Can't authenticate Mac VPN client from RADIUS server
Hello,
I'm a real noob here so please bear with me.
I have been able to configure my PIX 515E to allow VPN connections onto my network, but what I need to do is set up some sort of user authentication to control access at a user level. From what I've read here and in the Configuration Guide I should be able to do this authentication with a RADIUS server. I'm running a Corriente Networks Elektron Security server which has RADIUS server capabilities. It is running on my (inside) interface at IP 192.168.10.26.
I thought that I had everything configured properly but it never seems to authenticate. I connect, the XAUTH window pops up, I add my username and password as it's configured on my RADIUS server, but when I click OK it just cycles the progress bar at the bottom and eventually times out. The client log doesn't show me anything and the log on the RADIUS server shows me nothing. Any ideas? this seems like it should be simple because I can connect until I attempt to authenticate to the RADIUS server.
TIA for any direction you can provide me.
ChristineIf it helps, here is my config with a some of the non-related bits deleted:
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
enable password ********* encrypted
passwd ******* encrypted
hostname pixfirewall
domain-name acme.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol http 80
fixup protocol http 82
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
access-list inside_outbound_nat0_acl permit ip any 192.168.10.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host 192.168.10.26 192.168.10.192 255.255.255.224
access-list inside_outbound_nat0_acl permit ip host 192.168.10.69 192.168.10.192 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 192.168.10.0 255.255.255.0
access-list outside_cryptomap_dyn_40 permit ip any 192.168.10.192 255.255.255.224
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 207.XXX.XXX.130 255.255.255.0
ip address inside 192.168.10.1 255.255.255.0
ip address DMZ 192.168.100.1 255.255.255.0
multicast interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool CBI_VPN_Pool 192.168.10.201-192.168.10.220
pdm location 192.168.10.50 255.255.255.255 inside
pdm group CBI_Servers inside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 200 interface
global (DMZ) 200 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 200 192.168.10.0 255.255.255.0 0 0
static (inside,outside) 207.XXX.XXX.150 192.168.10.27 netmask 255.255.255.255 0 0
static (inside,outside) 207.XXX.XXX.132 192.168.10.26 dns netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 207.XXX.XXX.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server radius-authport 1812
aaa-server radius-acctport 1812
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.10.26 ************* timeout 10
aaa-server LOCAL protocol local
http server enable
http 192.168.10.3 255.255.255.255 inside
no floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
crypto map inside_map interface inside
isakmp enable outside
isakmp nat-traversal 3600
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Test_VPN address-pool CBI_VPN_Pool
vpngroup Test_VPN dns-server 142.77.2.101 142.77.2.36
vpngroup Test_VPN default-domain acme.com
vpngroup Test_VPN idle-time 1800
vpngroup Test_VPN authentication-server RADIUS
vpngroup Test_VPN user-authentication
vpngroup Test_VPN user-idle-timeout 1200
vpngroup Test_VPN password ********
ssh timeout 5
console timeout 0
dhcpd address 192.168.10.100-192.168.10.254 inside
dhcpd dns 142.77.2.101 142.77.2.36
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside -
How to add VM guest in VM pool from OV Server .
In case of non availability of OVM-Manager I have created virtual server using virt-install command.
Now the problem is how do i add the guest in a particular virtual pool. Is there any specific command for adding a vm in virtual pool using ovm server and not ovm manager?user10373165 wrote:
Now the problem is how do i add the guest in a particular virtual pool. Is there any specific command for adding a vm in virtual pool using ovm server and not ovm manager?You can't do anything with the pool unless Oracle VM Manager is running. Even the OVMCLI utility requires the Manager to be online. So, while the Manager is offline, your existing guests will continue, including supporting any HA configuration for those guests, but you will not be able to add new guests to the pool or modify any pool configuration until the Manager comes back online.
To ensure that your Oracle VM Manager is always available, I recommend checking out the "[Using Oracle Clusterware to Protect Oracle VM Manager|http://www.oracle.com/technologies/virtualization/docs/ovm-clusterware-whitepaper.pdf]" whitepaper. -
Cisco NAC: How to configure the NGS as Radius Server & NAC Manager as Raidus Clients !!!
Hi,
Kindly let me know that how to configure the NGS (Version 2.0.3) as a Radius Server while NAC Manager (Version 4.8.2) as a Radius Client...
Moreover,
1) I want to Create the two User Roles (Guest1 & Guest2) on NGS.
2) When sponsor will create the users, user will belong to either of roles.
3) NAC Manager will have an authentication provider (Radius) with the default Role "Deny Role" but users belongs to "User Role = or Group = Guest1" will fall into "Guest1" Role while User Role = or Group = Guest2" will fall into "Guest2" Role.
I need an assistance to configure this scenario....
Please advise me.
BR,
Mubasher SultanHi,
Any idea or suggestion...
BR,
Mubasher Sultan -
Difference in use of connection pools from one server to another
Hi all
we are running wl5.1 with sp9 against SQLServer 2000
On our performance test server (2 CPU) which has weblogic & sqlserver runnig
on it we run out out of connection pools when running a specific method,
having looked at it we noticed that it contained nested sql, so that each
client would actually hang onto multiple connections until finished. The
total number of connections used seemed approximately the same as the number
of SQL statements.
However we then ran the weblogic server on a different machine against the
same database, so it was now running over a network and everything worked ok
and the total number of client connections was just 1.
Can anyone shed any light onto this, I have a few ideas but nothing to back
them up as follows:
Multi CPU versus single CPU
Local connection rather than network connection between WLServer and
DBServer
WL Configuration
DBServer configuration
Is nested SQL valid ?
Any help much appreciated Paul Taylor
(An example of what I mean by nested sql is shown below, method1() creates
instances of class2 and calls c2.method which contains sql before releasing
its connection.)
class c1
public void method1()
try
rs=executesql(sqlString)
while rs.next()
new c2();
c2.method2()
finally
closeConnection()
class c2
public void method2()
try
rs=executesql(sqlString)
finally
closeConnection()because when you are dealing with a remote server, your calls will be
serialized over one socket. and the connection is assigned to that socket
probably...or something like that...or not...shouldn't be important :)
Filip
~
Namaste - I bow to the divine in you
~
Filip Hanik
Software Architect
[email protected]
www.filip.net
"Paul taylor" <[email protected]> wrote in message
news:[email protected]...
The code has now been changed, but the real point was why are two server
dealing with the same code in a different way
"Filip Hanik" <[email protected]> wrote in message
news:[email protected]...
Any help much appreciated Paul Taylor
(An example of what I mean by nested sql is shown below, method1()creates
instances of class2 and calls c2.method which contains sql beforereleasing
its connection.)well this is obviously not a good way of doing it. you know that you are
obtaining multiple connections so why not code your software in a
smarter
way.
pass the connection object into c1 and c2 that way they both use thesame
connection. Or release in between.
Filip
~
Namaste - I bow to the divine in you
~
Filip Hanik
Software Architect
[email protected]
www.filip.net
<l> wrote in message news:[email protected]...
Hi all
we are running wl5.1 with sp9 against SQLServer 2000
On our performance test server (2 CPU) which has weblogic & sqlserverrunnig
on it we run out out of connection pools when running a specific
method,
having looked at it we noticed that it contained nested sql, so thateach
client would actually hang onto multiple connections until finished.
The
total number of connections used seemed approximately the same as thenumber
of SQL statements.
However we then ran the weblogic server on a different machine against
the
same database, so it was now running over a network and everythingworked
ok
and the total number of client connections was just 1.
Can anyone shed any light onto this, I have a few ideas but nothing
to
back
them up as follows:
Multi CPU versus single CPU
Local connection rather than network connection between WLServer and
DBServer
WL Configuration
DBServer configuration
Is nested SQL valid ?
Any help much appreciated Paul Taylor
(An example of what I mean by nested sql is shown below, method1()
creates
instances of class2 and calls c2.method which contains sql beforereleasing
its connection.)
class c1
public void method1()
try
rs=executesql(sqlString)
while rs.next()
new c2();
c2.method2()
finally
closeConnection()
class c2
public void method2()
try
rs=executesql(sqlString)
finally
closeConnection() -
WLC WLAN Authentication from External RADIUS Server
Dears,
How to make WLC Receive PoD (Packet of Disconnect) from the RADIUS server to terminate the session and disconnect authenticating clients.
Thanks,Hi Ahmed,
Its not documented well, but here is it:
CSCso52532 No Documentation for sending RADIUS Disconnect-Request (RFC 3576)
. If a user has to be logged out then, following attributes are expected
- SSH_RADIUS_AVP_SERVICE_TYPE(6) attribte with following value.
SSH_RADIUS_SERVICE_TYPE_LOGIN(1)
- SSH_RADIUS_AVP_CALLING_STATION_ID(31) - this is needed, if
we want to delete particular user session via particular device
(like PDA, Phone or PC)
- SSH_RADIUS_AVP_USER_NAME(1)
. If a management user has to be logged out then, following attributes
are expected
- SSH_RADIUS_AVP_SERVICE_TYPE(6) attribte with following value
- SSH_RADIUS_SERVICE_TYPE_ADMINISTRATIVE
OR
- SSH_RADIUS_SERVICE_TYPE_NAS_PROMPT
- SSH_RADIUS_AVP_USER_NAME(1)
- SSH_RADIUS_AVP_FRAMED_IP_ADDRESS(8)
Eg:
*Dec 17 12:59:08.926: Packet contains 14 AVPs:
*Dec 17 12:59:08.926: AVP[01] User-Name................................user@domain (17 bytes)
*Dec 17 12:59:08.926: AVP[02] Nas-Port.................................0x0000000d (13) (4 bytes)
*Dec 17 12:59:08.926: AVP[03] Nas-Ip-Address...........................0x0a0047fb (167790587) (4 bytes)
*Dec 17 12:59:08.926: AVP[04] Framed-IP-Address........................0x0a003f1b (167788315) (4 bytes)
*Dec 17 12:59:08.926: AVP[05] NAS-Identifier...........................wlcRM_1 (7 bytes)
*Dec 17 12:59:08.926: AVP[06] Airespace / WLAN-Identifier..............0x00000004 (4) (4 bytes)
*Dec 17 12:59:08.926: AVP[07] Acct-Session-Id..........................4b2a1d0c/00:1c:26:cb:27:71/4 (28 bytes)
*Dec 17 12:59:08.926: AVP[08] Acct-Authentic...........................0x00000001 (1) (4 bytes)
*Dec 17 12:59:08.926: AVP[09] Tunnel-Type..............................0x0000000d (13) (4 bytes)
*Dec 17 12:59:08.926: AVP[10] Tunnel-Medium-Type.......................0x00000006 (6) (4 bytes)
*Dec 17 12:59:08.926: AVP[11] Tunnel-Group-Id..........................0x3633 (13875) (2 bytes)
*Dec 17 12:59:08.926: AVP[12] Acct-Status-Type.........................0x00000001 (1) (4 bytes)
*Dec 17 12:59:08.926: AVP[13] Calling-Station-Id.......................10.0.63.27 (10 bytes)
*Dec 17 12:59:08.926: AVP[14] Called-Station-Id........................10.0.71.251 (11 bytes)
*Dec 17 12:59:10.943: 00:1c:26:cb:27:71 Accounting-Response received from RADIUS server 10.0.71.249 for mobile 00:1c:26:cb:27:71 receiveId = 0
*Dec 17 12:59:34.044: Received a 'RFC-3576 Disconnect-Request' from 10.0.71.249
*Dec 17 12:59:34.044: Packet contains 6 AVPs:
*Dec 17 12:59:34.044: AVP[01] Nas-Ip-Address...........................0x0a0047fb (167790587) (4 bytes)
*Dec 17 12:59:34.044: AVP[02] User-Name................................user@domain (17 bytes)
*Dec 17 12:59:34.044: AVP[03] Acct-Session-Id..........................4b2a1d0c/00:1c:26:cb:27:71/4 (28 bytes)
*Dec 17 12:59:34.044: AVP[04] Calling-Station-Id.......................10.0.63.27 (10 bytes)
*Dec 17 12:59:34.044: AVP[05] Called-Station-Id........................10.0.71.251 (11 bytes)
*Dec 17 12:59:34.044: AVP[06] Service-Type.............................0x00000001 (1) (4 bytes)
*Dec 17 12:59:34.044: Error cause 503 generated for 'RFC-3576 Disconnect-Request' from 10.0.71.249 (Session Identification attributes not valid)
*Dec 17 12:59:34.045: Sent a 'RFC-3576 Disconnect-Nak' to 10.0.71.249:3799
*Dec 17 12:59:36.561: ****Enter processIncomingMessages: response code=5
**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**
Please Rate if helpful.
Regards
Ed -
Cisco 871w, radius server local, and leap or eap-fast will not authenticate
Hello, i trying to setup eap-fast or leap on my 871w. i belive i have it confiured correctly but i can not get any device to authenticate to router. Below is the confiureation that i being used. any help would be welcome!
! Last configuration change at 15:51:30 AZT Wed Jan 4 2012 by testtest
! NVRAM config last updated at 15:59:37 AZT Wed Jan 4 2012 by testtest
version 12.4
configuration mode exclusive auto
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service linenumber
service pt-vty-logging
service sequence-numbers
hostname router871
boot-start-marker
boot-end-marker
logging count
logging message-counter syslog
logging buffered 4096
logging rate-limit 512 except critical
logging console critical
enable secret 5 <omitted>
aaa new-model
aaa group server radius rad-test3
server 192.168.16.49 auth-port 1812 acct-port 1813
aaa authentication login default local
aaa authentication login eap-methods group rad-test3
aaa authorization exec default local
aaa session-id common
clock timezone AZT -7
clock save interval 8
dot11 syslog
dot11 ssid test2
vlan 2
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 <omitted>
dot11 ssid test1
vlan 1
authentication open
authentication key-management wpa
wpa-psk ascii 7 <omitted>
dot11 ssid test3
vlan 3
authentication open eap eap-methods
authentication network-eap eap-methods
no ip source-route
no ip gratuitous-arps
ip options drop
ip dhcp bootp ignore
ip dhcp excluded-address 192.162.16.49 192.162.16.51
ip dhcp excluded-address 192.168.16.33
ip dhcp excluded-address 192.168.16.1 192.168.16.4
ip dhcp pool vlan1pool
import all
network 192.168.16.0 255.255.255.224
default-router 192.168.16.1
domain-name test1.local.home
lease 4
ip dhcp pool vlan2pool
import all
network 192.168.16.32 255.255.255.240
default-router 192.168.16.33
domain-name test2.local.home
lease 0 6
ip dhcp pool vlan3pool
import all
network 192.168.16.48 255.255.255.240
default-router 192.168.16.49
domain-name test3.local.home
lease 2
ip cef
ip inspect alert-off
ip inspect max-incomplete low 25
ip inspect max-incomplete high 50
ip inspect one-minute low 25
ip inspect one-minute high 50
ip inspect udp idle-time 15
ip inspect tcp idle-time 1800
ip inspect tcp finwait-time 30
ip inspect tcp synwait-time 60
ip inspect tcp block-non-session
ip inspect tcp max-incomplete host 25 block-time 2
ip inspect name firewall tcp router-traffic
ip inspect name firewall ntp
ip inspect name firewall ftp
ip inspect name firewall udp router-traffic
ip inspect name firewall pop3
ip inspect name firewall pop3s
ip inspect name firewall imap
ip inspect name firewall imap3
ip inspect name firewall imaps
ip inspect name firewall smtp
ip inspect name firewall ssh
ip inspect name firewall icmp router-traffic timeout 10
ip inspect name firewall dns
ip inspect name firewall h323
ip inspect name firewall hsrp
ip inspect name firewall telnet
ip inspect name firewall tftp
no ip bootp server
no ip domain lookup
ip domain name local.home
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip accounting-threshold 100
ip accounting-list 192.168.16.0 0.0.0.31
ip accounting-list 192.168.16.32 0.0.0.15
ip accounting-list 192.168.16.48 0.0.0.15
ip accounting-transits 25
login block-for 120 attempts 5 within 60
login delay 5
login on-failure log
memory free low-watermark processor 65536
memory free low-watermark IO 16384
username testtest password 7 <omitted>
archive
log config
logging enable
logging size 255
notify syslog contenttype plaintext
hidekeys
path tftp://<omitted>/archive-config
write-memory
ip tcp synwait-time 10
ip ssh time-out 20
ip ssh authentication-retries 2
ip ssh logging events
ip ssh version 2
bridge irb
interface Loopback0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
interface Null0
no ip unreachables
interface FastEthernet0
switchport mode trunk
shutdown
interface FastEthernet1
switchport mode trunk
shutdown
interface FastEthernet2
shutdown
spanning-tree portfast
interface FastEthernet3
spanning-tree portfast
interface FastEthernet4
description Cox Internet Connection
ip address dhcp
ip access-group ingress-filter in
ip access-group egress-filter out
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip flow ingress
ip flow egress
ip inspect firewall out
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1460
load-interval 30
duplex auto
speed auto
no cdp enable
interface Dot11Radio0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encryption vlan 1 mode ciphers aes-ccm
encryption vlan 2 mode ciphers aes-ccm
encryption key 1 size 128bit 7 <omitted> transmit-key
encryption mode wep mandatory
broadcast-key vlan 1 change <omitted> membership-termination
broadcast-key vlan 3 change <omitted> membership-termination
broadcast-key vlan 2 change <omitted> membership-termination
ssid test2
ssid test1
ssid test3
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
rts threshold 2312
no cdp enable
interface Dot11Radio0.1
description <omitted>
encapsulation dot1Q 1 native
no ip redirects
no ip unreachables
no ip proxy-arp
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.2
description <omitted>
encapsulation dot1Q 2
no ip redirects
no ip unreachables
no ip proxy-arp
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
interface Dot11Radio0.3
description <omitted>
encapsulation dot1Q 3
no ip redirects
no ip unreachables
no ip proxy-arp
bridge-group 3
bridge-group 3 subscriber-loop-control
bridge-group 3 spanning-disabled
bridge-group 3 block-unknown-source
no bridge-group 3 source-learning
no bridge-group 3 unicast-flooding
interface Vlan1
description <omitted>
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled
interface Vlan2
description <omitted>
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
bridge-group 2
bridge-group 2 spanning-disabled
interface Vlan3
description <omitted>
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
bridge-group 3
bridge-group 3 spanning-disabled
interface BVI1
description <omitted>
ip address 192.168.16.1 255.255.255.224
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
interface BVI2
description <omitted>
ip address 192.168.16.33 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
interface BVI3
description <omitted>
ip address 192.168.16.49 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip forward-protocol nd
no ip http server
no ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha rc4-128-sha
ip http timeout-policy idle 5 life 43200 requests 5
ip flow-top-talkers
top 10
sort-by bytes
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.16.50 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.16.50 53 interface FastEthernet4 53
ip nat inside source static tcp 192.168.16.50 3074 interface FastEthernet4 3074
ip nat inside source static udp 192.168.16.50 3074 interface FastEthernet4 3074
ip nat inside source static udp 192.168.16.50 88 interface FastEthernet4 88
ip nat inside source static udp 192.168.16.50 53 interface FastEthernet4 53
ip access-list extended egress-filter
deny ip any host <omitted>
deny ip any host <omitted>
deny ip host <omitted> any
deny ip host <omitted> any
remark ----- Bogons Filter -----
deny ip 0.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.10.9.255 any
deny ip 10.0.0.0 0.10.13.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.0.0.0 0.0.0.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 192.168.0.0 0.0.15.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 198.18.0.0 0.1.255.255 any
deny ip 198.51.100.0 0.0.0.255 any
deny ip 203.0.113.0 0.0.0.255 any
deny ip 224.0.0.0 31.255.255.255 any
remark ----- Internal networks -----
permit ip <omitted> 0.0.0.3 any
deny ip any any log
ip access-list extended ingress-filter
remark ----- To get IP form COX -----
permit udp any eq bootps any eq bootpc
deny icmp any any log
deny udp any any eq echo
deny udp any eq echo any
deny tcp any any fragments
deny udp any any fragments
deny ip any any fragments
deny ip any any option any-options
deny ip any any ttl lt 4
deny ip any host <omitted>
deny ip any host <omitted>
deny udp any any range 33400 34400
remark ----- Bogons Filter -----
deny ip 0.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.0.0.0 0.0.0.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 198.18.0.0 0.1.255.255 any
deny ip 198.51.100.0 0.0.0.255 any
deny ip 203.0.113.0 0.0.0.255 any
deny ip 224.0.0.0 31.255.255.255 any
remark ----- Internal networks -----
deny ip 10.10.10.0 0.0.0.255 any
deny ip 10.10.11.0 0.0.0.255 any
deny ip 10.10.12.0 0.0.0.255 any
deny ip any any log
access-list 1 permit 192.168.16.0 0.0.0.63
access-list 20 permit 127.127.1.1
access-list 20 permit 204.235.61.9
access-list 20 permit 173.201.38.85
access-list 20 permit 216.229.4.69
access-list 20 permit 152.2.21.1
access-list 20 permit 130.126.24.24
access-list 21 permit 192.168.16.0 0.0.0.63
radius-server local
no authentication mac
eapfast authority id <omitted>
eapfast authority info <omitted>
eapfast server-key primary 7 <omitted>
nas 192.168.16.49 key 7 <omitted>
group rad-test3
vlan 3
ssid test3
user test nthash 7 <omitted> group rad-test3
user testtest nthash 7 <omitted> group rad-test3
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.16.49 auth-port 1812 acct-port 1813 key 7 <omitted>
radius-server vsa send accounting
control-plane host
control-plane transit
control-plane cef-exception
control-plane
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
bridge 3 protocol ieee
bridge 3 route ip
line con 0
password 7 <omitted>
logging synchronous
no modem enable
transport output telnet
line aux 0
password 7 <omitted>
logging synchronous
transport output telnet
line vty 0 4
password 7 <omitted>
logging synchronous
transport preferred ssh
transport input ssh
transport output ssh
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
process cpu threshold type total rising 80 interval 10 falling 40 interval 10
ntp authentication-key 1 md5 <omitted> 7
ntp authenticate
ntp trusted-key 1
ntp source FastEthernet4
ntp access-group peer 20
ntp access-group serve-only 21
ntp master 1
ntp server 152.2.21.1 maxpoll 4
ntp server 204.235.61.9 maxpoll 4
ntp server 130.126.24.24 maxpoll 4
ntp server 216.229.4.69 maxpoll 4
ntp server 173.201.38.85 maxpoll 4
endso this what i am getting now for debug? any thoughs?
010724: Jan 5 16:26:04.527 AZT: RADIUS: Retransmit to (162.168.16.49:1812,1813) for id 1645/2
010725: Jan 5 16:26:08.976 AZT: RADIUS: No response from (162.168.16.49:1812,1813) for id 1645/2
010726: Jan 5 16:26:08.976 AZT: RADIUS/DECODE: No response from radius-server; parse response; FAIL
010727: Jan 5 16:26:08.976 AZT: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
010728: Jan 5 16:26:08.976 AZT: dot11_auth_dot1x_parse_aaa_resp: Received server response: FAIL
010729: Jan 5 16:26:08.976 AZT: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
010730: Jan 5 16:26:08.976 AZT: Client d8b3.7759.0488 failed: EAP reason 1
010731: Jan 5 16:26:08.976 AZT: dot11_auth_dot1x_parse_aaa_resp: Failed client d8b3.7759.0488 with aaa_req_status_detail 1
010732: Jan 5 16:26:08.976 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_FAIL) for d8b3.7759.0488
010733: Jan 5 16:26:08.976 AZT: dot11_auth_dot1x_send_response_to_client: Forwarding server message to client d8b3.7759.0488
010734: Jan 5 16:26:08.976 AZT: EAPOL pak dump tx
010735: Jan 5 16:26:08.976 AZT: EAPOL Version: 0x1 type: 0x0 length: 0x0004
010736: Jan 5 16:26:08.976 AZT: EAP code: 0x4 id: 0x1 length: 0x0004
0AD05650: 01000004 04010004 ........
0AD05660:
010737: Jan 5 16:26:08.980 AZT: dot11_auth_send_msg: sending data to requestor status 1
010738: Jan 5 16:26:08.980 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
010739: Jan 5 16:26:08.980 AZT: dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds
010740: Jan 5 16:26:08.980 AZT: dot11_auth_dot1x_send_client_fail: Authentication failed for d8b3.7759.0488
010741: Jan 5 16:26:08.980 AZT: dot11_auth_send_msg: sending data to requestor status 0
010742: Jan 5 16:26:08.980 AZT: dot11_auth_send_msg: client FAILED to authenticate d8b3.7759.0488, node_type 64 for application 0x1
010743: Jan 5 16:26:08.980 AZT: dot11_auth_delete_client_entry: d8b3.7759.0488 is deleted for application 0x1
010744: Jan 5 16:26:08.984 AZT: %DOT11-7-AUTH_FAILED: Station d8b3.7759.0488 Authentication failed
010745: Jan 5 16:26:09.624 AZT: dot11_auth_add_client_entry: Create new client d8b3.7759.0488 for application 0x1
010746: Jan 5 16:26:09.624 AZT: dot11_auth_initialize_client: d8b3.7759.0488 is added to the client list for application 0x1
010747: Jan 5 16:26:09.624 AZT: dot11_auth_add_client_entry: req->auth_type 0
010748: Jan 5 16:26:09.624 AZT: dot11_auth_add_client_entry: auth_methods_inprocess: 2
010749: Jan 5 16:26:09.624 AZT: dot11_auth_add_client_entry: eap list name: eap-methods
010750: Jan 5 16:26:09.624 AZT: dot11_run_auth_methods: Start auth method EAP or LEAP
010751: Jan 5 16:26:09.624 AZT: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
010752: Jan 5 16:26:09.624 AZT: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to d8b3.7759.0488
010753: Jan 5 16:26:09.624 AZT: EAPOL pak dump tx
010754: Jan 5 16:26:09.624 AZT: EAPOL Version: 0x1 type: 0x0 length: 0x0031
010755: Jan 5 16:26:09.624 AZT: EAP code: 0x1 id: 0x1 length: 0x0031 type: 0x1
0AD05B50: 01000031 01010031 ...1...1
0AD05B60: 01006E65 74776F72 6B69643D 746F7973 ..networkid=toys
0AD05B70: 6F6E7067 2C6E6173 69643D72 6F757465 onpg,nasid=route
0AD05B80: 72383731 2C706F72 7469643D 30 r871,portid=0
010756: Jan 5 16:26:09.644 AZT: dot11_auth_send_msg: sending data to requestor status 1
010757: Jan 5 16:26:09.648 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
010758: Jan 5 16:26:09.648 AZT: dot11_auth_dot1x_send_id_req_to_client: Client d8b3.7759.0488 timer started for 30 seconds
010759: Jan 5 16:26:09.656 AZT: dot11_auth_parse_client_pak: Received EAPOL packet from d8b3.7759.0488
010760: Jan 5 16:26:09.656 AZT: EAPOL pak dump rx
010761: Jan 5 16:26:09.656 AZT: EAPOL Version: 0x1 type: 0x0 length: 0x0009
010762: Jan 5 16:26:09.656 AZT: EAP code: 0x2 id: 0x1 length: 0x0009 type: 0x1
0B060D50: 01000009 02010009 ........
0B060D60: 01746573 74 .test
010763: Jan 5 16:26:09.660 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY) for d8b3.7759.0488
010764: Jan 5 16:26:09.660 AZT: dot11_auth_dot1x_send_response_to_server: Sending client d8b3.7759.0488 data to server
010765: Jan 5 16:26:09.660 AZT: dot11_auth_dot1x_send_response_to_server: Started timer server_timeout 60 seconds
010766: Jan 5 16:26:09.664 AZT: RADIUS/ENCODE(00000198):Orig. component type = DOT11
010767: Jan 5 16:26:09.664 AZT: RADIUS: AAA Unsupported Attr: ssid [282] 8
010768: Jan 5 16:26:09.664 AZT: RADIUS: 74 6F 79 73 6F 6E [toyson]
010769: Jan 5 16:26:09.664 AZT: RADIUS: AAA Unsupported Attr: interface [175] 3
010770: Jan 5 16:26:09.664 AZT: RADIUS: 36 [6]
010771: Jan 5 16:26:09.664 AZT: RADIUS(00000198): Config NAS IP: 192.168.16.49
010772: Jan 5 16:26:09.664 AZT: RADIUS/ENCODE(00000198): acct_session_id: 408
010773: Jan 5 16:26:09.664 AZT: RADIUS(00000198): Config NAS IP: 192.168.16.49
010774: Jan 5 16:26:09.664 AZT: RADIUS(00000198): sending
010775: Jan 5 16:26:09.664 AZT: RADIUS(00000198): Send Access-Request to 162.168.16.49:1645 id 1645/3, len 133
010776: Jan 5 16:26:09.664 AZT: RADIUS: authenticator BF 69 DD DF 89 1F C6 FB - EF EC 12 EB C5 3F 3A CD
010777: Jan 5 16:26:09.664 AZT: RADIUS: User-Name [1] 6 "test"
010778: Jan 5 16:26:09.664 AZT: RADIUS: Framed-MTU [12] 6 1400
010779: Jan 5 16:26:09.664 AZT: RADIUS: Called-Station-Id [30] 16 "0019.3075.e660"
010780: Jan 5 16:26:09.664 AZT: RADIUS: Calling-Station-Id [31] 16 "d8b3.7759.0488"
010781: Jan 5 16:26:09.668 AZT: RADIUS: Service-Type [6] 6 Login [1]
010782: Jan 5 16:26:09.668 AZT: RADIUS: Message-Authenticato[80] 18
010783: Jan 5 16:26:09.668 AZT: RADIUS: 5B FA 47 07 0E E3 4B 71 7F 60 6E 4E 91 37 84 A6 [[?G???Kq?`nN?7??]
010784: Jan 5 16:26:09.668 AZT: RADIUS: EAP-Message [79] 11
010785: Jan 5 16:26:09.668 AZT: RADIUS: 02 01 00 09 01 74 65 73 74 [?????test]
010786: Jan 5 16:26:09.668 AZT: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
010787: Jan 5 16:26:09.668 AZT: RADIUS: NAS-Port [5] 6 661
010788: Jan 5 16:26:09.668 AZT: RADIUS: NAS-Port-Id [87] 5 "661"
010789: Jan 5 16:26:09.668 AZT: RADIUS: NAS-IP-Address [4] 6 192.168.16.49
010790: Jan 5 16:26:09.668 AZT: RADIUS: Nas-Identifier [32] 11 "router871"
010791: Jan 5 16:26:14.501 AZT: RADIUS: Retransmit to (162.168.16.49:1645,1646) for id 1645/3
router871#
010792: Jan 5 16:26:19.018 AZT: RADIUS: Retransmit to (162.168.16.49:1645,1646) for id 1645/3
router871#
010793: Jan 5 16:26:23.739 AZT: RADIUS: Retransmit to (162.168.16.49:1645,1646) for id 1645/3
router871#
010794: Jan 5 16:26:28.700 AZT: RADIUS: Fail-over to (162.168.16.49:1812,1813) for id 1645/3
router871#
010795: Jan 5 16:26:33.629 AZT: RADIUS: Retransmit to (162.168.16.49:1812,1813) for id 1645/3
router871#
010796: Jan 5 16:26:38.494 AZT: RADIUS: Retransmit to (162.168.16.49:1812,1813) for id 1645/3
router871#
010797: Jan 5 16:26:39.794 AZT: dot11_auth_parse_client_pak: Received EAPOL packet from d8b3.7759.0488
010798: Jan 5 16:26:39.794 AZT: EAPOL pak dump rx
010799: Jan 5 16:26:39.794 AZT: EAPOL Version: 0x1 type: 0x1 length: 0x0000
0AD053D0: 01010000 ....
010800: Jan 5 16:26:39.798 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,EAP_START) for d8b3.7759.0488
010801: Jan 5 16:26:39.798 AZT: dot11_auth_dot1x_ignore_event: Ignore event: do nothing
router871#
010802: Jan 5 16:26:43.007 AZT: RADIUS: Retransmit to (162.168.16.49:1812,1813) for id 1645/3
router871#
010803: Jan 5 16:26:47.336 AZT: RADIUS: No response from (162.168.16.49:1812,1813) for id 1645/3
010804: Jan 5 16:26:47.336 AZT: RADIUS/DECODE: No response from radius-server; parse response; FAIL
010805: Jan 5 16:26:47.336 AZT: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
010806: Jan 5 16:26:47.336 AZT: dot11_auth_dot1x_parse_aaa_resp: Received server response: FAIL
010807: Jan 5 16:26:47.336 AZT: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
010808: Jan 5 16:26:47.336 AZT: Client d8b3.7759.0488 failed: EAP reason 1
010809: Jan 5 16:26:47.336 AZT: dot11_auth_dot1x_parse_aaa_resp: Failed client d8b3.7759.0488 with aaa_req_status_detail 1
010810: Jan 5 16:26:47.336 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_FAIL) for d8b3.7759.0488
010811: Jan 5 16:26:47.336 AZT: dot11_auth_dot1x_send_response_to_client: Forwarding server message to client d8b3.7759.0488
010812: Jan 5 16:26:47.336 AZT: EAPOL pak dump tx
010813: Jan 5 16:26:47.336 AZT: EAPOL Version: 0x1 type: 0x0 length: 0x0004
010814: Jan 5 16:26:47.336 AZT: EAP code: 0x4 id: 0x1 length: 0x0004
0B060710: 01000004 04010004 ........
0B060720:
010815: Jan 5 16:26:47.340 AZT: dot11_auth_send_msg: sending data to requestor status 1
010816: Jan 5 16:26:47.340 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
010817: Jan 5 16:26:47.340 AZT: dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds
010818: Jan 5 16:26:47.340 AZT: dot11_auth_dot1x_send_client_fail: Authentication failed for d8b3.7759.0488
010819: Jan 5 16:26:47.340 AZT: dot11_auth_send_msg: sending data to requestor status 0
010820: Jan 5 16:26:47.340 AZT: dot11_auth_send_msg: client FAILED to authenticate d8b3.7759.0488, node_type 64 for application 0x1
router871#
010821: Jan 5 16:26:47.340 AZT: dot11_auth_delete_client_entry: d8b3.7759.0488 is deleted for application 0x1
010822: Jan 5 16:26:47.344 AZT: %DOT11-7-AUTH_FAILED: Station d8b3.7759.0488 Authentication failed
010823: Jan 5 16:26:47.972 AZT: dot11_auth_add_client_entry: Create new client d8b3.7759.0488 for application 0x1
010824: Jan 5 16:26:47.972 AZT: dot11_auth_initialize_client: d8b3.7759.0488 is added to the client list for application 0x1
010825: Jan 5 16:26:47.972 AZT: dot11_auth_add_client_entry: req->auth_type 0
010826: Jan 5 16:26:47.972 AZT: dot11_auth_add_client_entry: auth_methods_inprocess: 2
010827: Jan 5 16:26:47.972 AZT: dot11_auth_add_client_entry: eap list name: eap-methods
010828: Jan 5 16:26:47.976 AZT: dot11_run_auth_methods: Start auth method EAP or LEAP
010829: Jan 5 16:26:47.976 AZT: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
010830: Jan 5 16:26:47.976 AZT: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to d8b3.7759.0488
010831: Jan 5 16:26:47.976 AZT: EAPOL pak dump tx
010832: Jan 5 16:26:47.976 AZT: EAPOL Version: 0x1 type: 0x0 length: 0x0031
010833: Jan 5 16:26:47.976 AZT: EAP code: 0x1 id: 0x1 length: 0x0031 type: 0x1
0AD05B50: 01000031 01010031 ...1...1
0AD05B60: 01006E65 74776F72 6B69643D 746F7973 ..networkid=toys
0AD05B70: 6F6E7067 2C6E6173 69643D72 6F757465 onpg,nasid=route
0AD05B80: 72383731 2C706F72 7469643D 30 r871,portid=0
010834: Jan 5 16:26:47.996 AZT: dot11_auth_send_msg: sending data to requestor status 1
010835: Jan 5 16:26:47.996 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
010836: Jan 5 16:26:47.996 AZT: dot11_auth_dot1x_send_id_req_to_client: Client d8b3.7759.0488 timer started for 30 seconds
010837: Jan 5 16:26:47.996 AZT: dot11_auth_client_abort: Received abort request for client d8b3.7759.0488
010838: Jan 5 16:26:47.996 AZT: dot11_auth_client_abort: Aborting client d8b3.7759.0488 for application 0x1
router871#
010839: Jan 5 16:26:47.996 AZT: dot11_auth_delete_client_entry: d8b3.7759.0488 is deleted for application 0x1
router871#
010840: Jan 5 16:26:58.634 AZT: dot11_auth_add_client_entry: Create new client d8b3.7759.0488 for application 0x1
010841: Jan 5 16:26:58.634 AZT: dot11_auth_initialize_client: d8b3.7759.0488 is added to the client list for application 0x1
010842: Jan 5 16:26:58.638 AZT: dot11_auth_add_client_entry: req->auth_type 0
010843: Jan 5 16:26:58.638 AZT: dot11_auth_add_client_entry: auth_methods_inprocess: 2
010844: Jan 5 16:26:58.638 AZT: dot11_auth_add_client_entry: eap list name: eap-methods
010845: Jan 5 16:26:58.638 AZT: dot11_run_auth_methods: Start auth method EAP or LEAP
010846: Jan 5 16:26:58.638 AZT: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
010847: Jan 5 16:26:58.638 AZT: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to d8b3.7759.0488
010848: Jan 5 16:26:58.638 AZT: EAPOL pak dump tx
010849: Jan 5 16:26:58.638 AZT: EAPOL Version: 0x1 type: 0x0 length: 0x0031
010850: Jan 5 16:26:58.638 AZT: EAP code: 0x1 id: 0x1 length: 0x0031 type: 0x1
0B060710: 01000031 01010031 ...1...1
0B060720: 01006E65 74776F72 6B69643D 746F7973 ..networkid=toys
0B060730: 6F6E7067 2C6E6173 69643D72 6F757465 onpg,nasid=route
0B060740: 72383731 2C706F72 7469643D 30 r871,portid=0
010851: Jan 5 16:26:58.658 AZT: dot11_auth_send_msg: sending data to requestor status 1
010852: Jan 5 16:26:58.658 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
010853: Jan 5 16:26:58.658 AZT: dot11_auth_dot1x_send_id_req_to_client: Client d8b3.7759.0488 timer started for 30 seconds
010854: Jan 5 16:27:01.603 AZT: dot11_auth_client_abort: Received abort request for client d8b3.7759.0488
010855: Jan 5 16:27:01.603 AZT: dot11_auth_client_abort: Aborting client d8b3.7759.0488 for application 0x1
010856: Jan 5 16:27:01.603 AZT: dot11_auth_delete_client_entry: d8b3.7759.0488 is deleted for application 0x1
010857: Jan 5 16:27:02.179 AZT: %SEC-6-IPACCESSLOGP: list ingress-filter denied tcp 32.42.41.254(57443) -> 72.201.117.84(59652), 1 packet
010858: Jan 5 16:27:02.179 AZT: %SEC-6-IPACCESSLOGP: list egress-filter denied tcp 22.3.184.118(0) -> 74.125.53.188(0), 4 packets
010859: Jan 5 16:27:12.261 AZT: dot11_auth_add_client_entry: Create new client d8b3.7759.0488 for application 0x1
010860: Jan 5 16:27:12.261 AZT: dot11_auth_initialize_client: d8b3.7759.0488 is added to the client list for application 0x1
010861: Jan 5 16:27:12.261 AZT: dot11_auth_add_client_entry: req->auth_type 0
010862: Jan 5 16:27:12.261 AZT: dot11_auth_add_client_entry: auth_methods_inprocess: 2
010863: Jan 5 16:27:12.261 AZT: dot11_auth_add_client_entry: eap list name: eap-methods
010864: Jan 5 16:27:12.261 AZT: dot11_run_auth_methods: Start auth method EAP or LEAP
010865: Jan 5 16:27:12.261 AZT: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
010866: Jan 5 16:27:12.261 AZT: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to d8b3.7759.0488
010867: Jan 5 16:27:12.261 AZT: EAPOL pak dump tx
010868: Jan 5 16:27:12.261 AZT: EAPOL Version: 0x1 type: 0x0 length: 0x0031
010869: Jan 5 16:27:12.261 AZT: EAP code: 0x1 id: 0x1 length: 0x0031 type: 0x1
0B060FD0: 01000031 01010031 ...1...1
0B060FE0: 01006E65 74776F72 6B69643D 746F7973 ..networkid=toys
0B060FF0: 6F6E7067 2C6E6173 69643D72 6F757465 onpg,nasid=route
0B061000: 72383731 2C706F72 7469643D 30 r871,portid=0
010870: Jan 5 16:27:12.285 AZT: dot11_auth_send_msg: sending data to requestor status 1
010871: Jan 5 16:27:12.285 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
010872: Jan 5 16:27:12.285 AZT: dot11_auth_dot1x_send_id_req_to_client: Client d8b3.7759.0488 timer started for 30 seconds
010873: Jan 5 16:27:12.293 AZT: dot11_auth_parse_client_pak: Received EAPOL packet from d8b3.7759.0488
010874: Jan 5 16:27:12.293 AZT: EAPOL pak dump rx
010875: Jan 5 16:27:12.293 AZT: EAPOL Version: 0x1 type: 0x0 length: 0x0009
010876: Jan 5 16:27:12.293 AZT: EAP code: 0x2 id: 0x1 length: 0x0009 type: 0x1
0AD05290: 01000009 02010009 ........
0AD052A0: 01746573 74 .test
010877: Jan 5 16:27:12.301 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY) for d8b3.7759.0488
010878: Jan 5 16:27:12.301 AZT: dot11_auth_dot1x_send_response_to_server: Sending client d8b3.7759.0488 data to server
010879: Jan 5 16:27:12.301 AZT: dot11_auth_dot1x_send_response_to_server: Started timer server_timeout 60 seconds
010880: Jan 5 16:27:12.301 AZT: RADIUS/ENCODE(0000019B):Orig. component type = DOT11
010881: Jan 5 16:27:12.305 AZT: RADIUS: AAA Unsupported Attr: ssid [282] 8
010882: Jan 5 16:27:12.305 AZT: RADIUS: 74 6F 79 73 6F 6E [toyson]
010883: Jan 5 16:27:12.305 AZT: RADIUS: AAA Unsupported Attr: interface [175] 3
010884: Jan 5 16:27:12.305 AZT: RADIUS: 36 [6]
010885: Jan 5 16:27:12.305 AZT: RADIUS(0000019B): Config NAS IP: 192.168.16.49
010886: Jan 5 16:27:12.305 AZT: RADIUS/ENCODE(0000019B): acct_session_id: 411
010887: Jan 5 16:27:12.305 AZT: RADIUS(0000019B): Config NAS IP: 192.168.16.49
010888: Jan 5 16:27:12.305 AZT: RADIUS(0000019B): sending
010889: Jan 5 16:27:12.305 AZT: RADIUS(0000019B): Send Access-Request to 162.168.16.49:1645 id 1645/4, len 133
010890: Jan 5 16:27:12.305 AZT: RADIUS: authenticator 6F 6C 63 31 88 DE 30 A2 - C2 06 12 EB 50 A3 53 36
010891: Jan 5 16:27:12.305 AZT: RADIUS: User-Name [1] 6 "test"
010892: Jan 5 16:27:12.305 AZT: RADIUS: Framed-MTU [12] 6 1400
010893: Jan 5 16:27:12.305 AZT: RADIUS: Called-Station-Id [30] 16 "0019.3075.e660"
010894: Jan 5 16:27:12.305 AZT: RADIUS: Calling-Station-Id [31] 16 "d8b3.7759.0488"
010895: Jan 5 16:27:12.305 AZT: RADIUS: Service-Type [6] 6 Login [1]
010896: Jan 5 16:27:12.305 AZT: RADIUS: Message-Authenticato[80] 18
010897: Jan 5 16:27:12.305 AZT: RADIUS: 9D D5 62 1A 38 13 94 30 3A 43 D7 A4 AE A4 43 64 [??b?8??0:C????Cd]
010898: Jan 5 16:27:12.305 AZT: RADIUS: EAP-Message [79] 11
010899: Jan 5 16:27:12.305 AZT: RADIUS: 02 01 00 09 01 74 65 73 74 [?????test]
010900: Jan 5 16:27:12.305 AZT: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
010901: Jan 5 16:27:12.305 AZT: RADIUS: NAS-Port [5] 6 664
010902: Jan 5 16:27:12.309 AZT: RADIUS: NAS-Port-Id [87] 5 "664"
010903: Jan 5 16:27:12.309 AZT: RADIUS: NAS-IP-Address [4] 6 192.168.16.49
010904: Jan 5 16:27:12.309 AZT: RADIUS: Nas-Identifier [32] 11 "router871"
010905: Jan 5 16:27:16.642 AZT: RADIUS: Retransmit to (162.168.16.49:1645,1646) for id 1645/4 -
Hello all,
I have configured a radius server on my sbs2008 server. I am able to test it from the ASA successfully, however when I try to login with the Anyconnect client I get a login failed. When I check the logs I see that the VPN is trying to authenitcate against the Local database and not my RADIUS server evern though I have authentication-server-group set. I have also restarted the asa thinking that was the issue.
Here is my config:
webvpn
port 444
enable outside
svc image disk0:/anyconnect-win-3.1.03103-k9.pkg 1
svc enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy OAC internal
group-policy OAC attributes
wins-server value 192.168.2.2
dns-server value 192.168.2.2
vpn-tunnel-protocol svc webvpn
group-lock value OAC
split-tunnel-policy tunnelspecified
split-tunnel-network-list value OAC
default-domain value OAC.LOCAL
tunnel-group OAC type remote-access
tunnel-group OAC general-attributes
address-pool vpnpool
authentication-server-group OAC
default-group-policy OAC
Thank you for any help,
LeonLeon,
Looks like your connection is falling on DefaultWebvpn tunnel group. You need to define group list so as to choose
OAC as tunnel group for connection. Here is what needs to be configured:
webvpn
tunnel-group-list enable
tunnel-group OAC webvpn-attributes
group-alias OAC enable
Users will connect to correct OAC tunnel group to get authentocated from radius server.
Regards,
Varinder
P.S. Please mark this post as 'Answered' if you find the above information helpful so that it brings goodness to other community users -
Stop dynamic updating of ldap from radius
We use iPlanet v.4.12 ldap server with radius extensions. At some point in time we have started dynamic updating of the ldap server with session information from the radius server and now I can't find out how to turn off this dynamic updating. I have removed the check mark beside Dynamic accounting in the console configuration page for the radius server, but am still getting the following error messages by the thousand
[18/Dec/2002:17:39:13 +0100] - add value for type dynamicipaddress failed: duplicate value
[18/Dec/2002:17:39:13 +0100] - add value for type dynamicsessionid failed: duplicate value
Can anyone give me a detailed method of turning off this feature please.
TIA
JamesSolved this.
When you turn off dynamic accounting in the console, the schema is changed from Dynamic=yes to Dynamic=false. I went in and manually adjusted the schema to Dynamic=no and dynamic accounting was finally turned off.
Just in case anyone else has the same problem.
mvh/regards
James -
Web authentication with Radius server problem
Hello,
I'm having problem to web authenticate users via radius server for one WLC. Here is the outpu from WLC:
*emWeb: Mar 26 14:17:31.537: 20:7d:xx:xx:d8:f0 Username entry (aaaaaa) created for mobile, length = 7
*emWeb: Mar 26 14:17:31.537: 20:7d:xx:xx:d8:f0 Username entry (aaaaaa) created in mscb for mobile, length = 7
*aaaQueueReader: Mar 26 14:17:31.537: Unable to find requested user entry for aaaaaa
*aaaQueueReader: Mar 26 14:17:31.537: ReProcessAuthentication previous proto 8, next proto 1
*aaaQueueReader: Mar 26 14:17:31.537: AuthenticationRequest: 0x1e08eb94
*aaaQueueReader: Mar 26 14:17:31.538: Callback.....................................0x10908d90
*aaaQueueReader: Mar 26 14:17:31.538: protocolType.................................0x00000001
*aaaQueueReader: Mar 26 14:17:31.538: proxyState...................................20:7D:xx:xx:D8:F0-00:00
*aaaQueueReader: Mar 26 14:17:31.538: Packet contains 11 AVPs (not shown)
*aaaQueueReader: Mar 26 14:17:31.538: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
*aaaQueueReader: Mar 26 14:17:31.538: 20:7d:xx:xx:d8:f0 Successful transmission of Authentication Packet (id 67) to 10.xx.33.249:1645, proxy state 20:7d:xx:xx:d8:f0-00:01
*aaaQueueReader: Mar 26 14:17:31.538: 00000000: 01 43 00 8c 48 7c a7 ff df 06 53 30 c0 be e1 8e .C..H|....S0....
*aaaQueueReader: Mar 26 14:17:31.538: 00000010: d7 fd 8b d3 01 09 73 65 66 72 73 76 65 02 12 7b ......aaaaaa..{
*aaaQueueReader: Mar 26 14:17:31.538: 00000020: ae 2e f5 eb fa cf f5 cc 3b 08 65 d7 04 0e ba 06 ........;.e.....
*aaaQueueReader: Mar 26 14:17:31.538: 00000030: 06 00 00 00 01 04 06 0a 2e 09 14 05 06 00 00 00 ................
*aaaQueueReader: Mar 26 14:17:31.538: 00000040: 0d 20 0d 73 65 76 73 74 2d 6c 77 63 31 30 3d 06 ...xxxxx-lwc10=.
*aaaQueueReader: Mar 26 14:17:31.538: 00000050: 00 00 00 13 1a 0c 00 00 37 63 01 06 00 00 00 01 ........7c......
*aaaQueueReader: Mar 26 14:17:31.538: 00000060: 1f 0e 31 39 32 2e 31 36 38 2e 31 2e 36 31 1e 0c ..192.168.1.61..
*aaaQueueReader: Mar 26 14:17:31.538: 00000070: 31 30 2e 34 36 2e 39 2e 32 30 50 12 95 11 7c d9 10.xx.9.20P...|.
*aaaQueueReader: Mar 26 14:17:31.538: 00000080: 75 8e 01 6e bf 62 38 f8 38 ab 68 4a u..n.b8.8.hJ
*radiusTransportThread: Mar 26 14:17:31.603: 00000000: 03 43 00 14 e5 8c e7 75 52 04 af e0 07 b7 fb 96 .C.....uR.......
*radiusTransportThread: Mar 26 14:17:31.603: 00000010: c1 4a fb 40 .J.@
*radiusTransportThread: Mar 26 14:17:31.603: ****Enter processIncomingMessages: response code=3
*radiusTransportThread: Mar 26 14:17:31.603: ****Enter processRadiusResponse: response code=3
*radiusTransportThread: Mar 26 14:17:31.603: 20:7d:xx:xx:d8:f0 Access-Reject received from RADIUS server 10.xx.33.249 for mobile 20:7d:xx:xx:d8:f0 receiveId = 0
*radiusTransportThread: Mar 26 14:17:31.603: ReProcessAuthentication previous proto 1, next proto 2
*radiusTransportThread: Mar 26 14:17:31.603: AuthenticationRequest: 0x1da9fa4c
*radiusTransportThread: Mar 26 14:17:31.603: Callback.....................................0x10908d90
*radiusTransportThread: Mar 26 14:17:31.603: protocolType.................................0x00000002
*radiusTransportThread: Mar 26 14:17:31.603: proxyState...................................20:7D:xx:xx:D8:F0-00:00
*radiusTransportThread: Mar 26 14:17:31.603: Packet contains 11 AVPs (not shown)
*radiusTransportThread: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Returning AAA Error 'No Server' (-7) for mobile 20:7d:xx:xx:d8:f0
*radiusTransportThread: Mar 26 14:17:31.605: AuthorizationResponse: 0x2dd03648
*radiusTransportThread: Mar 26 14:17:31.605: structureSize................................32
*radiusTransportThread: Mar 26 14:17:31.605: resultCode...................................-7
*radiusTransportThread: Mar 26 14:17:31.605: protocolUsed.................................0x00000002
*radiusTransportThread: Mar 26 14:17:31.605: proxyState...................................20:7D:xx:xx:D8:F0-00:00
*radiusTransportThread: Mar 26 14:17:31.605: Packet contains 0 AVPs:
*emWeb: Mar 26 14:17:31.605: Authentication failed for aaaaaa
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Username entry deleted for mobile
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Plumbing web-auth redirect rule due to user logout
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 192.168.1.61 WEBAUTH_REQD (8) Deleting mobile policy rule 42461
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Adding Web RuleID 42464 for mobile 20:7d:xx:xx:d8:f0
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Web Authentication failure for station
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 192.168.1.61 WEBAUTH_REQD (8) Reached ERROR: from line 5069
That was pretty clear for me that Radius is refusing to give user access.
Fully-Qualified-User-Name = NMEA\aaaaaa
NAS-IP-Address = 10.xx.9.20
NAS-Identifier = xxxxx-lwc10
Called-Station-Identifier = 10.xx.9.20
Calling-Station-Identifier = 192.168.1.61
Client-Friendly-Name = YYY10.xx
Client-IP-Address = 10.xx.9.20
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 13
Proxy-Policy-Name = Use Windows authentication forall users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = YYYYY Wireless Users
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 66
Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy
That output is from WLC 5508 version 7.0.235
What is strange, that user was able to authenticate from other before refresh WLC 4402 ver 4.2.207. I cannot change WLC because of AP which cannot run old version.
this is output from working client connection from old WLC
NAS-IP-Address = 10.xx.9.13
NAS-Identifier = xxxxx-lwc03
Client-Friendly-Name = YYY10.46
Client-IP-Address = 10.xx.9.13
Calling-Station-Identifier = 192.168.19.246
NAS-Port-Type = <not present>
NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = YYYYY Wireless Guest Access
Authentication-Type = PAP
EAP-Type = <undetermined>
I know there is different Policy Name used, but my question is why it is not using the same as on old WLC when configuration is same.
Is there any way I can force users to use different policy from WLC or AP configuration or is this solely configuration of Radius?
Is it maybe problem of version 7.0.235?
Any toughts would be much appriciated.Scott,
You are probably right. The condition that is checked for the first policy name (we have 2) is to match
NAS-Port-Type = Wireless - IEEE 802.11, and this is basically used to differentiate guests from other company users.
as you can see from the logs the one that is working correctly is not sending NAS-Port-Type. The question is why.
As I said before.
WLC 5508 ver. 7.0.235 is sending NAS-Port-Type
WLC 4402 ver. 4.2.207 is not.
The same user was working OK on 4402 WLC and after refresh and associating APs to 5508 it all broke, so client did not changed anything on adapter. -
WLC Web-auth fail with external RADIUS server
I follow step by step the link bellow to configure web-auth with external RADIUS server but I receive a error on console debug of the WLC "Returning AAA Error No Server (-7) for mobile"
My Radius Server is fine, because I can authenticate on WLC Web page with RADIUS user.
WLC 4402 version 4.1.171.0
http://www.cisco.com/en/US/products/ps6366/prod_technical_reference09186a0080706f5f.htmlHi,
I am having some issues when I try to authenticate an AD account against a NAP Radius Server on Windows 2008.
In fact, I own a WLC 2106 and I configured it to authenticate users againts a radius Server with Active Directory. I set the Web Radius Authentication to CHAP on the controller tab from the WLC 2106 and i am getting the error below
: Authentication failed for gcasanova. When I set the controller to Web Radius Authentication to PAP, everything is working fine. I am able to connect to through the controller using an AD Account. But my purpose is not use PAP which is an unsecure protocol since password are sent as plaintext on the network.
Can someone tell me what's wrong?
*radiusTransportThread: Oct 26 11:02:13.975: proxyState...................... .............00:24:D7:40:E5:00-00:00
*radiusTransportThread: Oct 26 11:02:13.975: Packet contains 0 AVPs:
*emWeb: Oct 26 11:02:13.977: Authentication failed for gcasanova
*aaaQueueReader: Oct 26 11:02:29.985: AuthenticationRequest: 0xb6564634
*aaaQueueReader: Oct 26 11:02:29.985: Callback.....................................0x8576720
*aaaQueueReader: Oct 26 11:02:29.985: protocolType.................................0x00000001
*aaaQueueReader: Oct 26 11:02:29.985: proxyState...................................00:24:D7:40:E5:00-00:00
*aaaQueueReader: Oct 26 11:02:29.986: Packet contains 11 AVPs (not shown)
*aaaQueueReader: Oct 26 11:02:29.986: apfVapRadiusInfoGet: WLAN(4) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
*aaaQueueReader: Oct 26 11:02:29.986: 00:24:d7:40:e5:00 Successful transmission of Authentication Packet (id 86) to 10.2.0.15:1812, proxy state 00:24:d7:40:e5:00-00:00
*aaaQueueReader: Oct 26 11:02:29.987: 00000000: 01 56 00 9a 8e 48 e7 20 1d ef be 29 e6 3a 61 6d .V...H.....).:am
*aaaQueueReader: Oct 26 11:02:29.987: 00000010: 2b de 07 24 01 0b 67 63 61 73 61 6e 6f 76 61 3c +..$..gcasanova<
*aaaQueueReader: Oct 26 11:02:29.987: 00000020: 12 3c ce a0 87 ac df 7a a5 35 af 7c ef 83 c7 58 .<.....z.5.|...X
*aaaQueueReader: Oct 26 11:02:29.987: 00000030: ed 03 13 28 a7 5a 0d 26 6d ab 49 ea da 7c 5a 8e ...(.Z.&m.I..|Z.
*aaaQueueReader: Oct 26 11:02:29.987: 00000040: 1d 94 70 69 06 06 00 00 00 01 04 06 0a 02 00 06 ..pi............
*aaaQueueReader: Oct 26 11:02:29.987: 00000050: 05 06 00 00 00 01 20 0a 50 41 52 2d 57 4c 43 31 ........PAR-WLC1
*aaaQueueReader: Oct 26 11:02:29.987: 00000060: 3d 06 00 00 00 13 1a 0c 00 00 37 63 01 06 00 00 =.........7c....
*aaaQueueReader: Oct 26 11:02:29.988: 00000070: 00 04 1f 0c 31 30 2e 32 2e 30 2e 31 35 36 1e 0a ....10.2.0.156..
*aaaQueueReader: Oct 26 11:02:29.988: 00000080: 31 30 2e 32 2e 30 2e 36 50 12 7f 86 5a c5 61 ad 10.2.0.6P...Z.a.
*aaaQueueReader: Oct 26 11:02:29.988: 00000090: af 54 fa fa 42 e7 f6 16 9e 10 .T..B.....
*radiusTransportThread: Oct 26 11:02:29.988: 00000000: 03 56 00 14 a9 10 07 84 83 00 87 83 b9 10 64 e1 .V............d.
*radiusTransportThread: Oct 26 11:02:29.988: 00000010: 66 b3 c5 5e f..^
*radiusTransportThread: Oct 26 11:02:29.988: ****Enter processIncomingMessages: response code=3
*radiusTransportThread: Oct 26 11:02:29.988: ****Enter processRadiusResponse: response code=3
*radiusTransportThread: Oct 26 11:02:29.988: 00:24:d7:40:e5:00 Access-Reject received from RADIUS server 10.2.0.15 for mobile 00:24:d7:40:e5:00 receiveId = 0
*radiusTransportThread: Oct 26 11:02:29.989: 00:24:d7:40:e5:00 Returning AAA Error 'Authentication Failed' (-4) for mobile 00:24:d7:40:e5:00
*radiusTransportThread: Oct 26 11:02:29.989: AuthorizationResponse: 0xb97fe774
*radiusTransportThread: Oct 26 11:02:29.989: structureSize................................32
*radiusTransportThread: Oct 26 11:02:29.989: resultCode...................................-4
*radiusTransportThread: Oct 26 11:02:29.989: protocolUsed.................................0xffffffff
*radiusTransportThread: Oct 26 11:02:29.989: proxyState...................................00:24:D7:40:E5:00-00:00
*radiusTransportThread: Oct 26 11:02:29.989: Packet contains 0 AVPs: -
Hi,
I'm trying to assign different ip addresses to each vpn client depending the group the belong to. To do so, I create three different pools locally to the router and configure the radius server to send the Cisco-AVPair=”ip:addr-pool=poolname” attribute. The radius server is sending this attribute correctly but the router isn't using it. If I try with the Framed-IP-Address it works fine, but not for the pool.
Here is the related router config:
aaa new-model
aaa authentication login RemoteUsers group radius
aaa authorization network UsersGroup group radius
aaa session-id common
crypto isakmp policy 100
encr aes 256
authentication pre-share
group 2
crypto isakmp client configuration group Users
key xxxx
pool pool1
acl UsersSplit
crypto isakmp profile UsersProfile
match identity group Users
client authentication list RemoteUsers
isakmp authorization list UsersGroup
client configuration address respond
virtual-template 1
crypto ipsec transform-set Transf-Users esp-aes esp-sha-hmac
mode transport
crypto ipsec profile Prof-Users
set transform-set Transf-Users
set isakmp-profile UsersProfile
ip local pool pool1 192.168.110.10 192.168.110.20
ip local pool pool2 192.168.120.10 192.168.120.20
ip local pool pool3 192.168.130.10 192.168.130.20
Freeradius config:
testuser Auth-Type := Local, User-Password == "testpass"
Service-Type = Framed-User,
Framed-Protocol = PPP,
cisco-avpair = "ip:addr-pool=pool1",
Without enabling authorization, testuser connects succesfully, but after I enable authorization to instruct the router to accept pool configuration, it automatically authenticate using the isakmp Users user, without asking for the real vpn testuser client and the connection fails.
Is authorization essential? Using authentication I can assign ip addresses from Radius.
I also used the Framed-IP-Pool value without success.
What I'm missing?
Thanks in advance.Hi Jatin,
Thanks for your quick reply. Here is the new configuration and the debugs. I'm using IOS c890-universalk9-mz.152-1.T.bin and Cisco VPN client 5.0.07.0290 version.
IOS Configuration with authorization and accounting enabled:
aaa new-model
aaa authentication login RemoteUsers group radius
aaa authorization network UsersGroup group radius
aaa accounting network default
aaa session-id common
IOS Debugs:
Jun 4 21:20:46.133: AAA/BIND(00000010): Bind i/f
Jun 4 21:20:46.149: AAA/AUTHOR (0x10): Pick method list 'UsersGroup'
Jun 4 21:20:46.153: RADIUS/ENCODE(00000010):Orig. component type = VPN IPSEC
Jun 4 21:20:46.153: RADIUS: AAA Unsupported Attr: interface [222] 11
Jun 4 21:20:46.153: RADIUS: 31 30 2E 31 34 2E 31 34 2E [ 10.14.14.]
Jun 4 21:20:46.153: RADIUS(00000010): Config NAS IP: 0.0.0.0
Jun 4 21:20:46.153: RADIUS(00000010): Config NAS IPv6: ::
Jun 4 21:20:46.153: RADIUS/ENCODE(00000010): acct_session_id: 6
Jun 4 21:20:46.153: RADIUS(00000010): sending
Jun 4 21:20:46.153: RADIUS/ENCODE: Best Local IP-Address 10.14.14.30 for Radius-Server 10.14.14.17
Jun 4 21:20:46.153: RADIUS(00000010): Send Access-Request to 10.14.14.17:1812 id 1645/4, len 98
Jun 4 21:20:46.153: RADIUS: authenticator 01 A1 34 BE 06 3D C2 C5 - 4F EE 98 D7 47 4D BF AB
Jun 4 21:20:46.153: RADIUS: User-Name [1] 10 "Users"
Jun 4 21:20:46.153: RADIUS: User-Password [2] 18 *
Jun 4 21:20:46.153: RADIUS: Calling-Station-Id [31] 13 "10.14.14.17"
Jun 4 21:20:46.153: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Jun 4 21:20:46.153: RADIUS: NAS-Port [5] 6 0
ruc#
Jun 4 21:20:46.153: RADIUS: NAS-Port-Id [87] 13 "10.14.14.30"
Jun 4 21:20:46.153: RADIUS: Service-Type [6] 6 Outbound [5]
Jun 4 21:20:46.153: RADIUS: NAS-IP-Address [4] 6 10.14.14.30
Jun 4 21:20:46.153: RADIUS(00000010): Sending a IPv4 Radius Packet
Jun 4 21:20:46.153: RADIUS(00000010): Started 5 sec timeout
ruc#
Jun 4 21:20:48.205: RADIUS: Received from id 1645/4 10.14.14.17:1812, Access-Reject, len 20
Jun 4 21:20:48.205: RADIUS: authenticator 2A B6 91 42 DF 70 2B 89 - AF D5 59 82 31 3B EA 53
Jun 4 21:20:48.205: RADIUS(00000010): Received from id 1645/4
As you can see, the router authenticates automatically using the Users user configured under at the isakmp client configuration group. The VPN client software does not prompt for the real user account and fails. Why the router is not asking for the user? I was expecting the router performs authentication first and authorization later. Take a look at the FreeRadius debug:
FreeRadius debug:
Ready to process requests.
rad_recv: Access-Request packet from host 10.14.14.30:1645, id=4, length=98
User-Name = "Users"
User-Password = "cisco" <--Where does this password comes from?!
Calling-Station-Id = "10.14.14.17"
NAS-Port-Type = Virtual
NAS-Port = 0
NAS-Port-Id = "10.14.14.30"
Service-Type = Dialout-Framed-User
NAS-IP-Address = 10.14.14.30
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '../var/log/radius/radacct/10.14.14.30/auth-detail-20130604.log'
rlm_detail: ../var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d.lo
g expands to ../var/log/radius/radacct/10.14.14.30/auth-detail-20130604.log
modcall[authorize]: module "auth_log" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "Users", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 188
modcall[authorize]: module "files" returns ok for request 0
rlm_pap: WARNING! No "known good" password found for the user. Authentication m
ay fail because of this.
modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type System
auth: type "System"
ERROR: Unknown value specified for Auth-Type. Cannot perform requested action
auth: Failed to validate the user.
Login incorrect: [Users/cisco] (from client vpnServer port 0 cli 10.14.14.17)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 4 to 10.14.14.30 port 1645
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 4 with timestamp 51ae5a41
Nothing to do. Sleeping until we see a request.
Any idea Jatin? -
WPA2 and Radius server configuration
On the page: http://cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008054339e.shtml
is described how to setup a WPA2 and Radius server.
If I follow this, the Radius server does not work. In the document they descibe that I need to use 10.0.0.1 as the IP, but my AP has a 192.168.1.251 address. Even if I enter that adres, or the 10.0.0.1, it does not work.
Normal WPA2 personal, without Radius does work.
I use a 1100 series AP, (AIR-AP1120B-E-K9) with a AIR-MP21G and the firmware of the radio module is 5.90.11.
The IOS version is 12.3(8)JA2.
Does anyone know what to do?
HaikHello,
I understand that. I have given the AP a fixed address, 192.168.1.251. This is outside the DHCP pool, from the router.
Even if I use this address in th Radius configuration, it still does not work. My client (laptop with Intel Pro Wireless 2200 card), detects that there is a Radius server, and asks for a username / password.
But even if I fill it in correctly (copy / paste) it does not work.
So what can be wrong with this configuration?
Haik -
EAP-TLS with Radius Server configuration (1130AG)
Hi All,
Im currently tryign to get eap-tls user certificate based wireless authentication working. The mismatch of guides im trying to follow has me ocming up trumps with success so far, so heres hoping you guys can right me wrongs and put me on the right path again.
My steps for radius:- (i think this part ive actually got ok)
http://technet.microsoft.com/en-us/library/dd283091(v=ws.10).aspx
Steps for the wirless profile on a win 7 client:- this has me confused all over the place
http://technet.microsoft.com/en-us/library/dd759246.aspx
My 1130 Config:-
[code]
Current configuration : 3805 bytes
! Last configuration change at 11:57:56 UTC Fri Jan 25 2013 by apd
! NVRAM config last updated at 14:43:51 UTC Fri Jan 25 2013 by apd
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname WAP1
aaa new-model
aaa group server radius RAD_EAP
server 10.1.1.29 auth-port 1812 acct-port 1813
aaa authentication login default local
aaa authentication login EAP_LOGIN group RAD_EAP
aaa authorization exec default local
aaa authorization network default local
aaa session-id common
ip domain name ************
dot11 syslog
dot11 ssid TEST
authentication open eap EAP_LOGIN
authentication network-eap EAP_LOGIN
guest-mode
crypto pki trustpoint TP-self-signed-1829403336
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1829403336
revocation-check none
rsakeypair TP-self-signed-1829403336
quit
username ***************
ip ssh version 2
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
ssid TEST
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
ssid TEST
no dfs band block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address 10.1.2.245 255.255.255.0
ip helper-address 10.1.1.27
no ip route-cache
no ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
radius-server host 10.1.1.29 auth-port 1812 acct-port 1813 key **************
radius-server key ************
bridge 1 route ip
line con 0
logging synchronous
transport preferred ssh
line vty 0 4
logging synchronous
transport input ssh
sntp server 130.88.212.143
end
[/code]
and my current debug
[code]
Jan 25 12:00:56.703: dot11_auth_send_msg: sending data to requestor status 1
Jan 25 12:00:56.703: dot11_auth_send_msg: Sending EAPOL to requestor
Jan 25 12:00:56.703: dot1x-registry:registry:dot1x_ether_macaddr called
Jan 25 12:00:56.703: dot11_auth_dot1x_send_id_req_to_client: Client 74de.2b81.56c4 timer started for 30 seconds
WAP1#
Jan 25 12:01:26.698: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 74de.2b81.56c4
Jan 25 12:01:26.698: dot11_auth_dot1x_send_client_fail: Authentication failed for 74de.2b81.56c4
Jan 25 12:01:26.698: dot11_auth_send_msg: sending data to requestor status 0
Jan 25 12:01:26.698: dot11_auth_send_msg: client FAILED to authenticate 74de.2b81.56c4, node_type 64 for application 0x1
Jan 25 12:01:26.699: dot11_auth_delete_client_entry: 74de.2b81.56c4 is deleted for application 0x1
Jan
WAP1#25 12:01:26.699: %DOT11-7-AUTH_FAILED: Station 74de.2b81.56c4 Authentication failed
Jan 25 12:01:26.699: dot11_aaa_upd_accounting: Updating attributes for user: 74de.2b81.56c4
Jan 25 12:01:26.699: dot11_aaa_upd_accounting: Updating attributes for user: 74de.2b81.56c4
Jan 25 12:01:26.699: dot11_auth_client_abort: Received abort request for client 74de.2b81.56c4
Jan 25 12:01:26.699: dot11_auth_client_abort: No client entry to abort: 74de.2b81.56c4 for application 0x1
Jan 25 12:01:27.580: AAA/BIND(000000
WAP1#12): Bind i/f
Jan 25 12:01:27.580: dot11_auth_add_client_entry: Create new client 74de.2b81.56c4 for application 0x1
Jan 25 12:01:27.580: dot11_auth_initialize_client: 74de.2b81.56c4 is added to the client list for application 0x1
Jan 25 12:01:27.581: dot11_auth_add_client_entry: req->auth_type 0
Jan 25 12:01:27.581: dot11_auth_add_client_entry: auth_methods_inprocess: 2
Jan 25 12:01:27.581: dot11_auth_add_client_entry: eap list name: EAP_LOGIN
Jan 25 12:01:27.581: dot11_run_auth_methods: Start aut
WAP1#h method EAP or LEAP
Jan 25 12:01:27.581: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
Jan 25 12:01:27.581: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 74de.2b81.56c4
Jan 25 12:01:27.581: EAPOL pak dump tx
Jan 25 12:01:27.581: EAPOL Version: 0x1 type: 0x0 length: 0x002B
Jan 25 12:01:27.581: EAP code: 0x1 id: 0x1 length: 0x002B type: 0x1
01801670: 0100002B 0101002B ...+...+
01801680: 01006E65 74776F72 6B69643D 54455354 ..networkid=TEST
WAP1#
01801690: 2C6E6173 69643D41 50445741 50312C70 ,nasid=WAP1,p
018016A0: 6F727469 643D30 ortid=0
Jan 25 12:01:27.582: dot11_auth_send_msg: sending data to requestor status 1
Jan 25 12:01:27.582: dot11_auth_send_msg: Sending EAPOL to requestor
Jan 25 12:01:27.582: dot1x-registry:registry:dot1x_ether_macaddr called
Jan 25 12:01:27.583: dot11_auth_dot1x_send_id_req_to_client: Client 74de.2b81.56c4 timer started for 30 seconds
WAP1#
[/code]
Can anyone point me in the right direction with this?
i also dont like it that you can attempt to join the network first before failing
can i have user cert based + psk? and then apply it all by GPO
Thanks for any helpok ive ammdened the wireless profile as suggested
i already have the root ca and a user certificate installed with matching usernames
I had already added the radius device to the NPS server and matched the keys to the AP
now heres the debug im getting, when i check the NPS server, still doesnt look like its getting any requests at all :|
Jan 29 11:53:13.501: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 74de.2b81.56c4
Jan 29 11:53:13.501: dot11_auth_dot1x_send_client_fail: Authentication failed for 74de.2b81.56c4
Jan 29 11:53:13.501: dot11_auth_send_msg: sending data to requestor status 0
Jan 29 11:53:13.501: dot11_auth_send_msg: client FAILED to authenticate 74de.2b81.56c4, node_type 64 for application 0x1
Jan 29 11:53:13.501: dot11_auth_delete_client_entry: 74de.2b81.56c4 is deleted for application 0x1
Jan
WAP1#29 11:53:13.501: dot11_mgr_disp_callback: Received message from Local Authenticator
Jan 29 11:53:13.501: dot11_mgr_disp_callback: Received FAIL from Local Authenticator
Jan 29 11:53:13.501: dot11_mgr_sm_run_machine: Executing Action(BRIDGE,AUTHENTICATOR_FAIL) for 74de.2b81.56c4
Jan 29 11:53:13.502: dot11_mgr_sm_send_client_fail: Authentication failed for 74de.2b81.56c4
Jan 29 11:53:13.502: %DOT11-7-AUTH_FAILED: Station 74de.2b81.56c4 Authentication failed
Jan 29 11:53:13.502: dot11_mgr_disp_auth_abort
WAP1#: Sending abort request for client 74de.2b81.56c4 to local Authenticator
Jan 29 11:53:13.502: dot11_auth_client_abort: Received abort request for client 74de.2b81.56c4
Jan 29 11:53:13.502: dot11_auth_client_abort: No client entry to abort: 74de.2b81.56c4 for application 0x1
Jan 29 11:53:14.619: AAA/BIND(00000019): Bind i/f
Jan 29 11:53:14.619: dot11_mgr_disp_auth_request: Send auth request for client 74de.2b81.56c4 to local Authenticator
Jan 29 11:53:14.619: dot11_auth_add_client_entry: Create new c
WAP1#lient 74de.2b81.56c4 for application 0x1
Jan 29 11:53:14.620: dot11_auth_initialize_client: 74de.2b81.56c4 is added to the client list for application 0x1
Jan 29 11:53:14.620: dot11_auth_add_client_entry: req->auth_type 0
Jan 29 11:53:14.620: dot11_auth_add_client_entry: auth_methods_inprocess: 2
Jan 29 11:53:14.620: dot11_auth_add_client_entry: eap list name: EAP_LOGIN
Jan 29 11:53:14.620: dot11_run_auth_methods: Start auth method EAP or LEAP
Jan 29 11:53:14.620: dot11_auth_dot1x_start: in the dot11
WAP1#_auth_dot1x_start
Jan 29 11:53:14.620: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 74de.2b81.56c4
Jan 29 11:53:14.620: EAPOL pak dump tx
Jan 29 11:53:14.621: EAPOL Version: 0x1 type: 0x0 length: 0x002B
Jan 29 11:53:14.621: EAP code: 0x1 id: 0x1 length: 0x002B type: 0x1
01808560: 0100002B 0101002B 01006E65 74776F72 ...+...+..networ
01808570: 6B69643D 54455354 2C6E6173 69643D41 kid=TEST,nasid=A
01808580: 50445741 50312C70 6F727469 643D30 WAP1,portid=0
Jan 29 11:53
WAP1#:14.621: dot11_auth_send_msg: sending data to requestor status 1
Jan 29 11:53:14.621: dot11_auth_send_msg: Sending EAPOL to requestor
Jan 29 11:53:14.622: dot11_mgr_disp_callback: Received message from Local Authenticator
Jan 29 11:53:14.622: dot11_mgr_disp_callback: Received DOT11_AAA_EAP from Local Authenticator
Jan 29 11:53:14.622: dot11_mgr_sm_run_machine: Executing Action(BRIDGE,AUTHENTICATOR_REPLY) for 74de.2b81.56c4
Jan 29 11:53:14.622: dot11_mgr_sm_send_response_to_client: Forwarding Authenti
WAP1#cator message to client 74de.2b81.56c4
Jan 29 11:53:14.622: EAPOL pak dump tx
Jan 29 11:53:14.622: EAPOL Version: 0x1 type: 0x0 length: 0x002B
Jan 29 11:53:14.622: EAP code: 0x1 id: 0x1 length: 0x002B type: 0x1
01808690: 0100002B 0101002B ...+...+
018086A0: 01006E65 74776F72 6B69643D 54455354 ..networkid=TEST
018086B0: 2C6E6173 69643D41 50445741 50312C70 ,nasid=WAP1,p
018086C0: 6F727469 643D30 ortid=0
Jan 29 11:53:14.623: dot1x-regi
Maybe you are looking for
-
www.movie01.ca I've just used iWeb to post my video work and I'm looking for some feedback. The site takes a while to load, so please be patient. Although most of my work is done in FCP, some is done using After Effects as well.
-
Hi Friends, In the planning area , variables tab, if there is a variable defined for a characteristic, but it is not used in the planning level and the planning level shows 'selection in package' is not flagged, and there is no values set in the leve
-
Missing the music tab on purchased beta
i am using the mac i use to update the ipad periodically....it has the new iTunes version 10.3... the purchased beta feature on the store page has no tab for music...it does have the tabs for apps and books purchased...i have purchased music in the p
-
What exactly does AppleCare cover for an iPhone4S?
I purchased AppleCare when I bought my iPhone 4s Last December (2011). I am wondering, what does this plan actually cover, when is it possible to get a new phone (for free? or less price)?
-
Query between two date columns ?
Oracle 11g R2 I'm trying too create a query between two date columns. I have a view that consists of many columns. There are two columns in question called valid_to and valid_from Part Number Valid_from valid_to 100 01/0