Dynamic IP allocation by Radius server

Hi community,
Can a Cisco Radius server allocate different IP pools for requests from different source IP addresses but with the same username/password information? We have multiple GGSNs using dynamic IP allocation by the Radius server. In the Radius server, we configure the username as the subscriber's MSISDN. So we face a situation where a subscriber can go through any GGSN, but for different GGSNs the Radius server returns different IP pools, even for the same subscriber. Is it possible?
Thanks and regards,
Hieu


Similar Messages

  • Dynamic WEP with Win2k3 Radius server

    Can someone provide information as to how to configure the AP350 and AP1200 to use dynamic WEP with a Win2k3 Radius server.
    What security feature should be configured?
    If possible, provide information for the configuration of the Win2k3 Radius server.

    PEAP CHAPS,128-BIT or WPA

  • Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points

    Hi Guys,
    I would like to go for "Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points 1300". I want the AP to broadcast only 1 SSID. The client finds the SSID -> puts in his user credentials -> Radius authentication -> assign him to a specific VLAN based on his group membership.
    The problem here is that I don't have an AP controller but only configurable Aironet Access Points 1300. I can connect to the radius server, but I am not sure how to configure the AP's port, radio port, VLAN and SSID.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#switch
    I go through some references:
    3.5  RADIUS-Based VLAN Access Control
    As discussed earlier, each SSID is mapped to a default VLAN-ID on the wired side. The IT administrator may wish to impose back end (such as RADIUS)-based VLAN access control using 802.1X or MAC address authentication mechanisms. For example, if the WLAN is set up such that all VLANs use 802.1X and similar encryption mechanisms for WLAN user access, then a user can "hop" from one VLAN to another by simply changing the SSID and successfully authenticating to the access point (using 802.1X). This may not be preferred if the WLAN user is confined to a particular VLAN.
    There are two different ways to implement RADIUS-based VLAN access control features:
    1. RADIUS-based SSID access control: Upon successful 802.1X or MAC address authentication, the RADIUS server passes back the allowed SSID list for the WLAN user to the access point or bridge. If the user used an SSID on the allowed SSID list, then the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the access point or bridge.
    2. RADIUS-based VLAN assignment: Upon successful 802.1X or MAC address authentication, the RADIUS server assigns the user to a predetermined VLAN-ID on the wired side. The SSID used for WLAN access doesn't matter because the user is always assigned to this predetermined VLAN-ID.
    extract from: Wireless Virtual LAN Deployment Guide
    http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00801444a1.html
    ==============================================================
    Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller Configuration Example
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#switch
    ==============================================================
    Controller: Wireless Domain Services Configuration
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml
    Any help on this issue is appreciated.
    Thanks.

    I'm not sure if the Autonomous APs have the option for AAA Override.  On the WLC, I can go into the BSSID, Security, Advanced, and there's a checkbox that I would check to allow a Radius server to send back the VLAN.
    I did a little research and it looks like the 1300 may give this option but instead is defined as "VLAN Override".  I've found the release notes for 12.3(7)JA5 (not sure what version you're running) that give mention and a link to configuring EAP on page 4: http://www.ciscosystems.ch/en/US/docs/wireless/access_point/1300/release/notes/o37ja5rn.pdf
    Hope this helps

  • WLC- dynamic Vlan assignment with Radius

    Hello, we would like to use this feature in our company and because of that I am now testing it. But I found one problem.
    I created one testing SSID and two VLANs on the WLC. On ACS I use the IETF attributes (064, 065, 081) for my account and I am changing the VLAN ID (081) during testing.
    It works with LEAP, but when I use PEAP-GTC (which we use commonly in our company) the IP address is not assigned properly (the IP which was assigned before remains).
    Could you please help me?

    There is a good document which explains how to configure Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller. It will help you. You will find the document at http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml

  • Using RSA RADIUS Server and WLC 7.4 to dynamically assign users to VLAN

    Hello,
    What we are trying to do:
    John logs on to wifi using an RSA fob for the password. RSA sends back an auth request with attributes to WLC 7.4 that magically knows how to interpret the attributes and puts John on VLAN 10. Mary logs on with her fob and gets put on VLAN 20.
    We don't have ISE. We don't have ACS. We have RSA Authentication Manager 7.0.
    We have looked high and low for documentation for this kind of setup and we find stuff that is close to a match but not quite.
    Here is what we are seeing
    1. dynamic vlan assignment is not working -- radius server is set with the attributes
    2. RSA authentication works
    3. John and Mary are always put into the VLAN where the MGMT interface is
    4. I can see that attributes are making it back to the WLC by sniffing
    We are stuck at this point. Any help would be much appreciated,
    P.

    Here is a little more background:
    We have created a dynamic interface in VLAN 157
    Wireless LAN has been assigned to MGMT interface which is on VLAN 35
    This is a VWLC ver 7.4.100
    AP is attached to VWLC (only FlexConnect mode is supported)
    RADIUS Server has been configured
    Users are getting assigned to VLAN 35
    Also I have attached some screenshots and two packet captures so you can see what the RSA is sending back with your own eyes
    I don't see any attributes in the capture when RSA sends to the VWLC.
    I see attributes in the capture when RSA sends to my local RADIUS client (my PC).
    And to answer your question, we are sending a VLAN ID (157).
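The two WLC threads above both hinge on the same three IETF attributes in the Access-Accept: Tunnel-Type (64) = VLAN, Tunnel-Medium-Type (65) = IEEE-802 and Tunnel-Private-Group-ID (81) carrying the VLAN. The following added example (not from any of the posts or from Cisco) builds such an Access-Accept with the RFC 2868 tag byte handled correctly, computes the RFC 2865 Response Authenticator, and then does what you would want to do with a capture like the one in the RSA post: verify the authenticator with the shared secret and pull the VLAN out of the attribute trio, returning None when any of the three is missing or inconsistent. The identifier, request authenticator and secret are constructed values, not taken from the page.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # RFC 3580: Tunnel-Type value for VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # RFC 2868: Tunnel-Medium-Type value for IEEE-802


def attr(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value(n); Length counts the header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_int(attr_type, number, tag=0):
    # RFC 2868 tagged integer: one tag byte, then a 3-byte big-endian value
    return attr(attr_type, bytes([tag]) + number.to_bytes(3, "big"))


def tagged_string(attr_type, text, tag=0):
    # RFC 2868 tagged string: one tag byte, then the text; tag 0 means "untagged"
    return attr(attr_type, bytes([tag]) + text.encode())


def build_access_accept(identifier, request_authenticator, secret, vlan_id):
    """Access-Accept carrying the 64/65/81 trio a WLC or switch needs for VLAN assignment."""
    attrs = (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
             + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
             + tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id)))
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # RFC 2865 section 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def attributes(packet):
    # Walk the attribute list that follows the 20-byte header, yielding (type, value)
    pos = 20
    while pos + 2 <= len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield t, packet[pos + 2:pos + length]
        pos += length


def verify_response(packet, request_authenticator, secret):
    """NAS-side check: only trust the VLAN if the Accept was really built with our secret."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def vlan_from_accept(packet):
    """Return the VLAN from 64/65/81, or None if the trio is absent or inconsistent."""
    found = {}
    for t, v in attributes(packet):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(v) == 4:
            found[t] = int.from_bytes(v[1:], "big")          # skip the tag byte
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868 section 3.6: a leading byte <= 0x1f is a tag, not part of the string
            found[t] = (v[1:] if v and v[0] <= 0x1F else v).decode()
    if (found.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
            and found.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
            and TUNNEL_PRIVATE_GROUP_ID in found):
        return found[TUNNEL_PRIVATE_GROUP_ID]
    return None


if __name__ == "__main__":
    req_auth = bytes(range(16))                 # constructed Request Authenticator
    secret = b"constructed-shared-secret"      # constructed shared secret
    pkt = build_access_accept(61, req_auth, secret, 157)
    print(pkt.hex())
    print("authenticator ok:", verify_response(pkt, req_auth, secret))
    print("vlan:", vlan_from_accept(pkt))
```

When a capture shows the Accept arriving but the client still lands in the management VLAN, running the raw UDP payload through vlan_from_accept tells you whether the server actually sent a complete and consistent trio, or whether it sent the string form of Tunnel-Type, a non-zero tag the NAS ignores, or nothing at all.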

  • 802.1x authentication with dynamic Vlan assignment by a radius server

    Hi
    At school I want to start using 802.1x authentication with dynamic Vlan assignment by a Windows Server 2012R2 Radius server.
    When a student logs in, I want it to be placed in the "Students" VLAN, when an Administrative employee logs in, I want it to be placed in the "Administrative" VLAN, and when the client is unknown I want to place it in the "Guest" VLAN.
    I have several SG200 switches and I configured everything as mentioned in the administrative guide but I cannot get it to work as desired.
    What does work:
    - If the client is permitted, the switch changes to "authorized" state. (before anyone logs on to the domain with that client)
    - When a User logs on that is part of the Administrative employees, the switch changes to "authorized" and when a student logs on, it changes to "unauthorized".
    So far so good.
    But what doesn't work:
    - it does not put the administrative employee in the Vlan "Administrative", it just enables the port on the switch but leaves it in the default vlan 1.
    - I can not find the Guest VLAN.
    Any help would be appreciated.

    Hi Wouter,
    Can you see the VLAN attribute in the Radius Accept message in the packet capture? Also please ensure you have the latest firmware and boot code:
    http://www.cisco.com/c/en/us/support/switches/sg200-26-26-port-gigabit-smart-switch/model.html#~rdtab1
    I would recommend you open a ticket with the Small Business team so they can go through the packet capture and configuration steps with you:
    http://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html
    Regards,
    Aleksandra

  • ISE 1.1.1 (Fallback to local Vlan if radius server is found to be dead) not working

    We have configured the following commands on the switch to fall back to a local VLAN if both radius servers (policy personas) are found dead. For test purposes we shut down both servers (policy personas) but the fallback didn't work. We have a 3750 switch running image 12.2(55)SE6 with the following configuration.
    We do not know whether we configured switch in proper way or do we need to modify it.
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting update periodic 5
    aaa accounting auth-proxy default start-stop group radius
    aaa accounting dot1x default start-stop group radius
    aaa accounting system default start-stop group radius
    aaa server radius dynamic-author
    client 10.10.10.10 server-key 7 12345678 (Policy Persona 1)
    client 10.10.10.11 server-key 7 12345678 (Policy Persona 2)
    server-key 7 12345678
    ip device tracking
    epm logging
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 30 tries 3
    radius-server host 10.10.10.10 auth-port 1812 acct-port 1813 key 7 12345678 (Policy Persona 1)
    radius-server host 10.10.10.11 auth-port 1812 acct-port 1813 key 7 12345678 (Policy Persona 2)
    radius-server vsa send accounting
    radius-server vsa send authentication
    Port Configuration
    interface GigabitEthernet0/1
    switchport access vlan 305
    switchport mode access
    ip access-group ACL-DEFAULT in
    authentication event fail action next-method
    authentication event server dead action reinitialize vlan 305
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication open
    authentication order mab dot1x
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 10
    spanning-tree portfast
    Please help....
    Thanks

    Tabish-
    The pre-auth ACL that you have on your port is used for what's called a "Low-Impact" mode type of setup. With Low-Impact mode you are allowing services defined in the pre-auth ACL until the user/device is authenticated. Once authenticated the pre-auth ACL gets replaced with the dACL/authorization policy that you have defined in the authorization profile. As a result, it is not possible to use a "fail-open" configuration with low-impact as there is nothing to replace that pre-auth ACL since your NAD device(s) are unavailable.
    If you want to use the "fail-open" features you will have to use the "High Security/Closed Mode." In that mode you cannot utilize the pre-auth ACL and essentially only EAPoL traffic is allowed on the port until authenticated.
    For more info you should reference the TrustSec design guide located at:
    http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
    Thank you for rating!

  • Can't authenticate Mac VPN client from RADIUS server

    Hello,
    I'm a real noob here so please bear with me.
    I have been able to configure my PIX 515E to allow VPN connections onto my network, but what I need to do is set up some sort of user authentication to control access at a user level. From what I've read here and in the Configuration Guide I should be able to do this authentication with a RADIUS server. I'm running a Corriente Networks Elektron Security server which has RADIUS server capabilities. It is running on my (inside) interface at IP 192.168.10.26.
    I thought that I had everything configured properly but it never seems to authenticate. I connect, the XAUTH window pops up, I add my username and password as it's configured on my RADIUS server, but when I click OK it just cycles the progress bar at the bottom and eventually times out. The client log doesn't show me anything and the log on the RADIUS server shows me nothing. Any ideas? This seems like it should be simple because I can connect until I attempt to authenticate to the RADIUS server.
    TIA for any direction you can provide me.
    Christine

    If it helps, here is my config with some of the non-related bits deleted:
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security50
    enable password ********* encrypted
    passwd ******* encrypted
    hostname pixfirewall
    domain-name acme.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol http 82
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    access-list inside_outbound_nat0_acl permit ip any 192.168.10.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip host 192.168.10.26 192.168.10.192 255.255.255.224
    access-list inside_outbound_nat0_acl permit ip host 192.168.10.69 192.168.10.192 255.255.255.224
    access-list outside_cryptomap_dyn_20 permit ip any 192.168.10.0 255.255.255.0
    access-list outside_cryptomap_dyn_40 permit ip any 192.168.10.192 255.255.255.224
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    ip address outside 207.XXX.XXX.130 255.255.255.0
    ip address inside 192.168.10.1 255.255.255.0
    ip address DMZ 192.168.100.1 255.255.255.0
    multicast interface inside
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool CBI_VPN_Pool 192.168.10.201-192.168.10.220
    pdm location 192.168.10.50 255.255.255.255 inside
    pdm group CBI_Servers inside
    pdm logging warnings 100
    pdm history enable
    arp timeout 14400
    global (outside) 200 interface
    global (DMZ) 200 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 200 192.168.10.0 255.255.255.0 0 0
    static (inside,outside) 207.XXX.XXX.150 192.168.10.27 netmask 255.255.255.255 0 0
    static (inside,outside) 207.XXX.XXX.132 192.168.10.26 dns netmask 255.255.255.255 0 0
    access-group 100 in interface outside
    route outside 0.0.0.0 0.0.0.0 207.XXX.XXX.129 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server radius-authport 1812
    aaa-server radius-acctport 1812
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host 192.168.10.26 ************* timeout 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.10.3 255.255.255.255 inside
    no floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
    crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map client authentication RADIUS
    crypto map outside_map interface outside
    crypto map inside_map interface inside
    isakmp enable outside
    isakmp nat-traversal 3600
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup Test_VPN address-pool CBI_VPN_Pool
    vpngroup Test_VPN dns-server 142.77.2.101 142.77.2.36
    vpngroup Test_VPN default-domain acme.com
    vpngroup Test_VPN idle-time 1800
    vpngroup Test_VPN authentication-server RADIUS
    vpngroup Test_VPN user-authentication
    vpngroup Test_VPN user-idle-timeout 1200
    vpngroup Test_VPN password ********
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.10.100-192.168.10.254 inside
    dhcpd dns 142.77.2.101 142.77.2.36
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside

  • Cisco 28xx easy vpn server & MS NPS (RADIUS server)

    Hello.
    There is a LAN (192.168.11.0/24) with a Cisco 2821 border router (192.168.11.1), on which an Easy VPN Server is configured with local authorization of remote users, who connect with Cisco VPN Client v 5.0. Everything works. The same LAN has an MS Windows Server 2012 Essentials acting as the AD DC.
    It became necessary to move remote-user authorization to a RADIUS server. As the RADIUS server we want to use MS Network Policy Server (NPS) 2012 Essentials (192.168.11.9).
    On the server the corresponding policy is set up, the NPS server is registered in AD, a RADIUS client (192.168.11.1) has been created, and a Network Policy is configured. In AD a group VPN-USERS was created, to which, besides the remote users, a service user EasyVPN with the password "cisco" was added.
    Below is an excerpt from the Cisco 2821 config:
    aaa new-model
    aaa authentication login rausrs local
    aaa authentication login VPN-XAUTH group radius
    aaa authorization network ragrps local
    aaa authorization network VPN-GROUP local
    aaa session-id common
    crypto isakmp policy 10
    encr aes 256
    authentication pre-share
    group 2
    crypto isakmp client configuration address-pool local RAPOOL
    crypto isakmp client configuration group ra1grp
    key key-for-remote-access
    domain domain.local
    pool RAPOOL
    acl split-acl
    split-dns 192.168.11.9
    crypto isakmp client configuration group EasyVPN
    key qwerty123456
    domain domain.local
    pool RAPOOL
    acl split-acl
    split-dns 192.168.11.9
    crypto isakmp profile RA-profile
       description profile for remote access VPN
       match identity group ra1grp
       client authentication list rausrs
       isakmp authorization list ragrps
       client configuration address respond
    crypto isakmp profile VPN-IKMP-PROFILE
       description profile for remote access VPN via RADIUS
       match identity group EasyVPN
       client authentication list VPN-XAUTH
       isakmp authorization list VPN-GROUP
       client configuration address respond
    crypto ipsec transform-set tset1 esp-aes esp-sha-hmac
    crypto dynamic-map dyn-cmap 100
    set transform-set tset1
    set isakmp-profile RA-profile
    reverse-route
    crypto dynamic-map dyn-cmap 101
    set transform-set tset1
    set isakmp-profile VPN-IKMP-PROFILE
    reverse-route
    crypto map stat-cmap 100 ipsec-isakmp dynamic dyn-cmap
    int Gi0/1
    description -- to WAN --
    crypto map stat-cmap
    As a result, the following error appears on the Cisco (highlighted in bold):
    RADIUS/ENCODE(000089E0):Orig. component type = VPN_IPSEC
    RADIUS:  AAA Unsupported Attr: interface         [157] 14
    RADIUS:   31 39 34 2E 38 38 2E 31 33 39 2E 31              [194.88.139.1]
    RADIUS(000089E0): Config NAS IP: 192.168.11.1
    RADIUS/ENCODE(000089E0): acct_session_id: 35296
    RADIUS(000089E0): sending
    RADIUS(000089E0): Send Access-Request to 192.168.11.9:1645 id 1645/61, len 103
    RADIUS:  authenticator 4A B1 DB 2D B7 58 B2 BF - 7F 12 6F 96 01 99 32 91
    RADIUS:  User-Name           [1]   9   "EasyVPN"
    RADIUS:  User-Password       [2]   18  *
    RADIUS:  Calling-Station-Id  [31]  16  "aaa.bbb.ccc.137"
    RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
    RADIUS:  NAS-Port            [5]   6   1
    RADIUS:  NAS-Port-Id         [87]  16  "aaa.bbb.ccc.136"
    RADIUS:  Service-Type        [6]   6   Outbound                  [5]
    RADIUS:  NAS-IP-Address      [4]   6   192.168.11.1
    RADIUS: Received from id 1645/61 192.168.11.9:1645, Access-Reject, len 20
    RADIUS:  authenticator A8 08 69 44 44 8B 13 A5 - 06 C2 95 8D B4 C4 E9 01
    RADIUS(000089E0): Received from id 1645/61
    MS NAS reports error 6273:
    Сервер сетевых политик отказал пользователю в доступе.
    За дополнительными сведениями обратитесь к администратору сервера сетевых политик.
    Пользователь:
        ИД безопасности:            domain\VladimirK
        Имя учетной записи:            VladimirK
        Домен учетной записи:           domain
        Полное имя учетной записи:   domain.local/Users/VladimirK
    Компьютер клиента:
        ИД безопасности:            NULL SID
        Имя учетной записи:            -
        Полное имя учетной записи:    -
        Версия ОС:            -
        Идентификатор вызываемой станции:        -
        Идентификатор вызывающей станции:       aaa.bbb.ccc.137
    NAS:
        Адрес IPv4 NAS:        192.168.11.1
        Адрес IPv6 NAS:        -
        Идентификатор NAS:            -
        Тип порта NAS:            Виртуальная
        Порт NAS:            0
    RADIUS-клиент:
        Понятное имя клиента:        Cisco2821
        IP-адрес клиента:            192.168.11.1
    Сведения о проверке подлинности:
        Имя политики запроса на подключение:    Использовать проверку подлинности Windows для всех пользователей
        Имя сетевой политики:        Подключения к другим серверам доступа
        Поставщик проверки подлинности:        Windows
        Сервер проверки подлинности:        DC01.domain.local
        Тип проверки подлинности:        PAP
        Тип EAP:            -
        Идентификатор сеанса учетной записи:        -
        Результаты входа в систему:            Сведения об учетных данных были записаны в локальный файл журнала.
        Код причины:            66
        Причина:                Пользователь пытался применить способ проверки подлинности, не включенный в соответствующей сетевой политике.
    Playing with Cisco AV Pairs and the other Network Policy settings on the RADIUS server gives the same result.
    Studying the "Network Policy Server Technical Reference" and "Configuring IPSec Between a Cisco IOS Router and a Cisco VPN Client 4.x for Windows Using RADIUS for User Authentication" (Document ID: 21060) gave no answer.
    If anyone has done something like this, please point me in a direction to look for a solution.

    Going through your post, I could see that radius is sending access-reject because radius access-request is sending a vpn group name in the user name field. I was in a discussion of same problem few days before and that got resolved by making 2 changes.
    replace the authorization from radius to local
    and
    changing the encryption type in transform set
    However, your configuration already has those changes.
    Here you can check the same : https://supportforums.cisco.com/thread/2226065
    Could you please tell me what exactly the radius server is complaining about? Can you please paste the error you're getting on the radius server.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • WLC "radius server overwrite interface" setting

    Hello
    I'm looking at using "radius server overwrite interface" on a WLAN as a replacement for Called-Station-ID for Radius to match on SSID.
    When I enable "radius server overwrite interface" on a WLAN and join a client to the SSID I can see (via packet capture) that the WLC is correctly sourcing the Radius packets with the WLAN's "dynamic" interface IP Address. The problem is that the Radius server doesn't respond to these requests. Radius is configured with rules to match the new IP address but I see nothing (pass or fail) in the logs.
    Interestingly, the packet captures show the correct NAS IP address (the WLAN interface IP Address) but always show the WLC hostname as NAS-ID (regardless of NAS-ID settings on the WLAN or WLAN interface).
    I've tried WLC software 7.4.110.0, 7.4.121.0 and 7.6.100.0 with the same results but Radius never responds. Radius is Cisco ACS 5.5.0.46. Any ideas as to why this is happening?
    Thanks
    Andy

    Hi Scott
    I installed ACS 5.4 0.46.6 and I still have the same problem - ACS doesn't respond to requests from the WLC when "radius server overwrite interface" is enabled on the WLAN and nothing appears in the logs. With "radius server overwrite interface" disabled on the WLAN, authentication is a success and I can see this in the logs.
    I had a look at the packet captures I took earlier and the attributes in the Access-Request look ok - the only attribute I wasn't sure about was Message-Authenticator. Found this IETF document http://www.ietf.org/rfc/rfc2869.txt which mentions "silent discards" of Radius packets with non-existent or incorrect Message-Authenticator attributes. I'm not sure if this is what I'm seeing on ACS when it receives the "radius server overwrite interface" Access-Request packets. ACS is under contract so I will contact TAC about this.
    My production ACS cluster was upgraded from the latest version of 5.3 to 5.5 with no loss of historic logs (logging after the upgrade worked fine also). The upgrade did take a while with the log-collector. When it had completed I checked the Data Upgrade Status under Monitoring configuration and it showed that the upgrade was successful.
    Thanks for your help with this.
    Cheers
    Andy

  • Web authentication with Radius server problem

    Hello,
    I'm having a problem web-authenticating users via the radius server for one WLC. Here is the output from the WLC:
    *emWeb: Mar 26 14:17:31.537: 20:7d:xx:xx:d8:f0 Username entry (aaaaaa) created for mobile, length = 7
    *emWeb: Mar 26 14:17:31.537: 20:7d:xx:xx:d8:f0 Username entry (aaaaaa) created in mscb for mobile, length = 7
    *aaaQueueReader: Mar 26 14:17:31.537: Unable to find requested user entry for aaaaaa
    *aaaQueueReader: Mar 26 14:17:31.537: ReProcessAuthentication previous proto 8, next proto 1
    *aaaQueueReader: Mar 26 14:17:31.537: AuthenticationRequest: 0x1e08eb94
    *aaaQueueReader: Mar 26 14:17:31.538:   Callback.....................................0x10908d90
    *aaaQueueReader: Mar 26 14:17:31.538:   protocolType.................................0x00000001
    *aaaQueueReader: Mar 26 14:17:31.538:   proxyState...................................20:7D:xx:xx:D8:F0-00:00
    *aaaQueueReader: Mar 26 14:17:31.538:   Packet contains 11 AVPs (not shown)
    *aaaQueueReader: Mar 26 14:17:31.538: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
    *aaaQueueReader: Mar 26 14:17:31.538: 20:7d:xx:xx:d8:f0 Successful transmission of Authentication Packet (id 67) to 10.xx.33.249:1645, proxy state 20:7d:xx:xx:d8:f0-00:01
    *aaaQueueReader: Mar 26 14:17:31.538: 00000000: 01 43 00 8c 48 7c a7 ff  df 06 53 30 c0 be e1 8e  .C..H|....S0....
    *aaaQueueReader: Mar 26 14:17:31.538: 00000010: d7 fd 8b d3 01 09 73 65  66 72 73 76 65 02 12 7b  ......aaaaaa..{
    *aaaQueueReader: Mar 26 14:17:31.538: 00000020: ae 2e f5 eb fa cf f5 cc  3b 08 65 d7 04 0e ba 06  ........;.e.....
    *aaaQueueReader: Mar 26 14:17:31.538: 00000030: 06 00 00 00 01 04 06 0a  2e 09 14 05 06 00 00 00  ................
    *aaaQueueReader: Mar 26 14:17:31.538: 00000040: 0d 20 0d 73 65 76 73 74  2d 6c 77 63 31 30 3d 06  ...xxxxx-lwc10=.
    *aaaQueueReader: Mar 26 14:17:31.538: 00000050: 00 00 00 13 1a 0c 00 00  37 63 01 06 00 00 00 01  ........7c......
    *aaaQueueReader: Mar 26 14:17:31.538: 00000060: 1f 0e 31 39 32 2e 31 36  38 2e 31 2e 36 31 1e 0c  ..192.168.1.61..
    *aaaQueueReader: Mar 26 14:17:31.538: 00000070: 31 30 2e 34 36 2e 39 2e  32 30 50 12 95 11 7c d9  10.xx.9.20P...|.
    *aaaQueueReader: Mar 26 14:17:31.538: 00000080: 75 8e 01 6e bf 62 38 f8  38 ab 68 4a              u..n.b8.8.hJ
    *radiusTransportThread: Mar 26 14:17:31.603: 00000000: 03 43 00 14 e5 8c e7 75  52 04 af e0 07 b7 fb 96  .C.....uR.......
    *radiusTransportThread: Mar 26 14:17:31.603: 00000010: c1 4a fb 40                                       .J.@
    *radiusTransportThread: Mar 26 14:17:31.603: ****Enter processIncomingMessages: response code=3
    *radiusTransportThread: Mar 26 14:17:31.603: ****Enter processRadiusResponse: response code=3
    *radiusTransportThread: Mar 26 14:17:31.603: 20:7d:xx:xx:d8:f0 Access-Reject received from RADIUS server 10.xx.33.249 for mobile 20:7d:xx:xx:d8:f0 receiveId = 0
    *radiusTransportThread: Mar 26 14:17:31.603: ReProcessAuthentication previous proto 1, next proto 2
    *radiusTransportThread: Mar 26 14:17:31.603: AuthenticationRequest: 0x1da9fa4c
    *radiusTransportThread: Mar 26 14:17:31.603:    Callback.....................................0x10908d90
    *radiusTransportThread: Mar 26 14:17:31.603:    protocolType.................................0x00000002
    *radiusTransportThread: Mar 26 14:17:31.603:    proxyState...................................20:7D:xx:xx:D8:F0-00:00
    *radiusTransportThread: Mar 26 14:17:31.603:    Packet contains 11 AVPs (not shown)
    *radiusTransportThread: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Returning AAA Error 'No Server' (-7) for mobile 20:7d:xx:xx:d8:f0
    *radiusTransportThread: Mar 26 14:17:31.605: AuthorizationResponse: 0x2dd03648
    *radiusTransportThread: Mar 26 14:17:31.605:    structureSize................................32
    *radiusTransportThread: Mar 26 14:17:31.605:    resultCode...................................-7
    *radiusTransportThread: Mar 26 14:17:31.605:    protocolUsed.................................0x00000002
    *radiusTransportThread: Mar 26 14:17:31.605:    proxyState...................................20:7D:xx:xx:D8:F0-00:00
    *radiusTransportThread: Mar 26 14:17:31.605:    Packet contains 0 AVPs:
    *emWeb: Mar 26 14:17:31.605: Authentication failed for aaaaaa
    *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Username entry deleted for mobile
    *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Plumbing web-auth redirect rule due to user logout
    *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 192.168.1.61 WEBAUTH_REQD (8) Deleting mobile policy rule 42461
    *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Adding Web RuleID 42464 for mobile 20:7d:xx:xx:d8:f0
    *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Web Authentication failure for station
    *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 192.168.1.61 WEBAUTH_REQD (8) Reached ERROR: from line 5069
    That was pretty clear for me that Radius is refusing to give user access.
    Fully-Qualified-User-Name = NMEA\aaaaaa
    NAS-IP-Address = 10.xx.9.20
    NAS-Identifier = xxxxx-lwc10
    Called-Station-Identifier = 10.xx.9.20
    Calling-Station-Identifier = 192.168.1.61
    Client-Friendly-Name = YYY10.xx
    Client-IP-Address = 10.xx.9.20
    NAS-Port-Type = Wireless - IEEE 802.11
    NAS-Port = 13
    Proxy-Policy-Name = Use Windows authentication forall users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = YYYYY Wireless Users
    Authentication-Type = PAP
    EAP-Type = <undetermined>
    Reason-Code = 66
    Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy
    That output is from WLC 5508 version 7.0.235
    What is strange is that the user was able to authenticate before the refresh from the other WLC, a 4402 ver. 4.2.207. I cannot change the WLC because of the APs, which cannot run the old version.
    This is the output from a working client connection on the old WLC:
    NAS-IP-Address = 10.xx.9.13
    NAS-Identifier = xxxxx-lwc03
    Client-Friendly-Name = YYY10.46
    Client-IP-Address = 10.xx.9.13
    Calling-Station-Identifier = 192.168.19.246
    NAS-Port-Type = <not present>
    NAS-Port = <not present>
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = YYYYY Wireless Guest Access
    Authentication-Type = PAP
    EAP-Type = <undetermined>
    I know a different Policy Name is used, but my question is why it is not using the same one as on the old WLC when the configuration is the same.
    Is there any way I can force users to use a different policy from the WLC or AP configuration, or is this solely a Radius configuration matter?
    Is it maybe a problem of version 7.0.235?
    Any thoughts would be much appreciated.

    Scott,
    You are probably right. The condition that is checked for the first policy name (we have 2) is to match
    NAS-Port-Type = Wireless - IEEE 802.11, and this is basically used to differentiate guests from other company users.
    As you can see from the logs, the one that is working correctly is not sending NAS-Port-Type. The question is why.
    As I said before:
    WLC 5508 ver. 7.0.235 is sending NAS-Port-Type;
    WLC 4402 ver. 4.2.207 is not.
    The same user was working OK on the 4402 WLC, and after the refresh and associating the APs to the 5508 it all broke, so the client did not change anything on the adapter.

  • WLC Web-auth fail with external RADIUS server

    I followed step by step the link below to configure web-auth with an external RADIUS server, but I receive an error in the console debug of the WLC: "Returning AAA Error No Server (-7) for mobile".
    My Radius Server is fine, because I can authenticate on the WLC Web page with a RADIUS user.
    WLC 4402 version 4.1.171.0
    http://www.cisco.com/en/US/products/ps6366/prod_technical_reference09186a0080706f5f.html

    Hi,
    I am having some issues when I try to authenticate an AD account against a NAP Radius Server on Windows 2008.
    In fact, I own a WLC 2106 and I configured it to authenticate users against a radius Server with Active Directory. I set the Web Radius Authentication to CHAP on the controller tab of the WLC 2106 and I am getting the error below:
    Authentication failed for gcasanova. When I set the controller's Web Radius Authentication to PAP, everything is working fine. I am able to connect through the controller using an AD account. But my purpose is not to use PAP, which is an insecure protocol since passwords are sent as plaintext on the network.
    Can someone tell me what's wrong?
    *radiusTransportThread: Oct 26 11:02:13.975:    proxyState...................................00:24:D7:40:E5:00-00:00
    *radiusTransportThread: Oct 26 11:02:13.975:    Packet contains 0 AVPs:
    *emWeb: Oct 26 11:02:13.977: Authentication failed for gcasanova
    *aaaQueueReader: Oct 26 11:02:29.985: AuthenticationRequest: 0xb6564634
    *aaaQueueReader: Oct 26 11:02:29.985:   Callback.....................................0x8576720
    *aaaQueueReader: Oct 26 11:02:29.985:   protocolType.................................0x00000001
    *aaaQueueReader: Oct 26 11:02:29.985:   proxyState...................................00:24:D7:40:E5:00-00:00
    *aaaQueueReader: Oct 26 11:02:29.986:   Packet contains 11 AVPs (not shown)
    *aaaQueueReader: Oct 26 11:02:29.986: apfVapRadiusInfoGet: WLAN(4) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
    *aaaQueueReader: Oct 26 11:02:29.986: 00:24:d7:40:e5:00 Successful transmission of Authentication Packet (id 86) to 10.2.0.15:1812, proxy state 00:24:d7:40:e5:00-00:00
    *aaaQueueReader: Oct 26 11:02:29.987: 00000000: 01 56 00 9a 8e 48 e7 20  1d ef be 29 e6 3a 61 6d  .V...H.....).:am
    *aaaQueueReader: Oct 26 11:02:29.987: 00000010: 2b de 07 24 01 0b 67 63  61 73 61 6e 6f 76 61 3c  +..$..gcasanova<
    *aaaQueueReader: Oct 26 11:02:29.987: 00000020: 12 3c ce a0 87 ac df 7a  a5 35 af 7c ef 83 c7 58  .<.....z.5.|...X
    *aaaQueueReader: Oct 26 11:02:29.987: 00000030: ed 03 13 28 a7 5a 0d 26  6d ab 49 ea da 7c 5a 8e  ...(.Z.&m.I..|Z.
    *aaaQueueReader: Oct 26 11:02:29.987: 00000040: 1d 94 70 69 06 06 00 00  00 01 04 06 0a 02 00 06  ..pi............
    *aaaQueueReader: Oct 26 11:02:29.987: 00000050: 05 06 00 00 00 01 20 0a  50 41 52 2d 57 4c 43 31  ........PAR-WLC1
    *aaaQueueReader: Oct 26 11:02:29.987: 00000060: 3d 06 00 00 00 13 1a 0c  00 00 37 63 01 06 00 00  =.........7c....
    *aaaQueueReader: Oct 26 11:02:29.988: 00000070: 00 04 1f 0c 31 30 2e 32  2e 30 2e 31 35 36 1e 0a  ....10.2.0.156..
    *aaaQueueReader: Oct 26 11:02:29.988: 00000080: 31 30 2e 32 2e 30 2e 36  50 12 7f 86 5a c5 61 ad  10.2.0.6P...Z.a.
    *aaaQueueReader: Oct 26 11:02:29.988: 00000090: af 54 fa fa 42 e7 f6 16  9e 10                    .T..B.....
    *radiusTransportThread: Oct 26 11:02:29.988: 00000000: 03 56 00 14 a9 10 07 84  83 00 87 83 b9 10 64 e1  .V............d.
    *radiusTransportThread: Oct 26 11:02:29.988: 00000010: 66 b3 c5 5e                                       f..^
    *radiusTransportThread: Oct 26 11:02:29.988: ****Enter processIncomingMessages: response code=3
    *radiusTransportThread: Oct 26 11:02:29.988: ****Enter processRadiusResponse: response code=3
    *radiusTransportThread: Oct 26 11:02:29.988: 00:24:d7:40:e5:00 Access-Reject received from RADIUS server 10.2.0.15 for mobile 00:24:d7:40:e5:00 receiveId = 0
    *radiusTransportThread: Oct 26 11:02:29.989: 00:24:d7:40:e5:00 Returning AAA Error 'Authentication Failed' (-4) for mobile 00:24:d7:40:e5:00
    *radiusTransportThread: Oct 26 11:02:29.989: AuthorizationResponse: 0xb97fe774
    *radiusTransportThread: Oct 26 11:02:29.989:    structureSize................................32
    *radiusTransportThread: Oct 26 11:02:29.989:    resultCode...................................-4
    *radiusTransportThread: Oct 26 11:02:29.989:    protocolUsed.................................0xffffffff
    *radiusTransportThread: Oct 26 11:02:29.989:    proxyState...................................00:24:D7:40:E5:00-00:00
    *radiusTransportThread: Oct 26 11:02:29.989:    Packet contains 0 AVPs:
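The two hex dumps in this post are complete RADIUS packets (the Access-Request with id 86 and the 20-byte reply with response code 3), so they can be decoded offline. The Python decoder below is an added example, not Cisco's code and not from the original poster: the only input it uses is the bytes printed in the debug above, attribute numbers come from RFC 2865 / RFC 2869, and the shared secret is a placeholder because the real one is not on the page. It also makes the NAS-Port-Type attribute visible, which is the attribute the NPS policy in the earlier 5508-versus-4402 post keys on, so the same parser shows whether a given NAS sends it.

```python
"""Decode the RADIUS Access-Request (id 86) and the Access-Reject from the WLC
debug above. Added example: the hex bytes are copied from the *aaaQueueReader
and *radiusTransportThread dump lines; everything else is not Cisco's code.
Attribute numbers are from RFC 2865 / RFC 2869."""
import hashlib
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

ATTR_NAMES = {
    1: "User-Name", 2: "User-Password", 3: "CHAP-Password",
    4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type",
    26: "Vendor-Specific", 30: "Called-Station-Id", 31: "Calling-Station-Id",
    32: "NAS-Identifier", 60: "CHAP-Challenge", 61: "NAS-Port-Type",
    80: "Message-Authenticator",
}
INTEGER_ATTRS = {5, 6, 61}      # 32-bit big-endian integers
TEXT_ATTRS = {1, 30, 31, 32}    # printable strings
AIRESPACE_VENDOR_ID = 14179     # 0x3763 in the dump; sub-attribute 1 carries the WLAN id

# Bytes from the "Successful transmission of Authentication Packet (id 86)" dump above
REQUEST = bytes.fromhex(
    "01 56 00 9a 8e 48 e7 20 1d ef be 29 e6 3a 61 6d "
    "2b de 07 24 01 0b 67 63 61 73 61 6e 6f 76 61 3c "
    "12 3c ce a0 87 ac df 7a a5 35 af 7c ef 83 c7 58 "
    "ed 03 13 28 a7 5a 0d 26 6d ab 49 ea da 7c 5a 8e "
    "1d 94 70 69 06 06 00 00 00 01 04 06 0a 02 00 06 "
    "05 06 00 00 00 01 20 0a 50 41 52 2d 57 4c 43 31 "
    "3d 06 00 00 00 13 1a 0c 00 00 37 63 01 06 00 00 "
    "00 04 1f 0c 31 30 2e 32 2e 30 2e 31 35 36 1e 0a "
    "31 30 2e 32 2e 30 2e 36 50 12 7f 86 5a c5 61 ad "
    "af 54 fa fa 42 e7 f6 16 9e 10"
)
# Bytes of the 20-byte reply dumped just before "response code=3"
RESPONSE = bytes.fromhex("03 56 00 14 a9 10 07 84 83 00 87 83 b9 10 64 e1 66 b3 c5 5e")


def decode_value(atype, value):
    """Turn raw attribute bytes into a Python value where the type is known."""
    if atype in INTEGER_ATTRS:
        return struct.unpack("!I", value)[0]
    if atype == 4:                                   # NAS-IP-Address
        return ".".join(str(b) for b in value)
    if atype in TEXT_ATTRS:
        return value.decode("ascii")
    if atype == 26:                                  # Vendor-Specific: vendor id + one sub-attribute
        vendor_id = struct.unpack("!I", value[:4])[0]
        vtype, vlen = value[4], value[5]
        vval = value[6:4 + vlen]
        if len(vval) == 4:
            vval = struct.unpack("!I", vval)[0]
        return (vendor_id, vtype, vval)
    return value                                     # CHAP-*, Message-Authenticator: opaque bytes


def parse_packet(raw):
    """Parse one RADIUS packet, checking the header length and every AVP length."""
    if len(raw) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("length field %d does not match %d bytes on the wire" % (length, len(raw)))
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or raw[pos + 1] < 2 or pos + raw[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, alen = raw[pos], raw[pos + 1]
        attrs.append((ATTR_NAMES.get(atype, "Attr-%d" % atype),
                      decode_value(atype, raw[pos + 2:pos + alen])))
        pos += alen
    return {"code": code, "id": ident, "length": length,
            "authenticator": raw[4:20], "attributes": attrs}


def attribute(packet, name):
    """First value of the named attribute, or None if the NAS did not send it."""
    for aname, value in packet["attributes"]:
        if aname == name:
            return value
    return None


def airespace_wlan_id(packet):
    """WLAN id from the Airespace Vendor-Specific attribute, if present."""
    for aname, value in packet["attributes"]:
        if aname == "Vendor-Specific" and value[0] == AIRESPACE_VENDOR_ID and value[1] == 1:
            return value[2]
    return None


def verify_response_authenticator(request_raw, response_raw, secret):
    """RFC 2865 section 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    A client that skips this check trusts any reply from a spoofed server address."""
    expected = hashlib.md5(response_raw[:4] + request_raw[4:20]
                           + response_raw[20:] + secret).digest()
    return expected == response_raw[4:20]


if __name__ == "__main__":
    req, rej = parse_packet(REQUEST), parse_packet(RESPONSE)
    for aname, value in req["attributes"]:
        print("%-22s %r" % (aname, value))
    print("reply code", rej["code"], "matches request id:", rej["id"] == req["id"])
    # The real shared secret is not on the page; a placeholder must fail the check.
    print("authenticator valid with placeholder secret:",
          verify_response_authenticator(REQUEST, RESPONSE, b"placeholder-secret"))
```

Decoding the request gives User-Name gcasanova, no User-Password at all, but a 16-byte CHAP-Challenge and a CHAP-Password (one CHAP ident byte plus a 16-byte MD5 response), NAS-IP-Address and Called-Station-Id 10.2.0.6, Calling-Station-Id 10.2.0.156, NAS-Identifier PAR-WLC1, NAS-Port-Type 19 (Wireless-802.11) and Airespace WLAN id 4, matching the WLAN(4) in the debug; the reply is code 3 (Access-Reject) with the same id 86 and no attributes. The CHAP attributes are the security-relevant detail: with CHAP the server has to recompute MD5(ident || password || challenge), which it can only do if it holds the cleartext (or reversibly encrypted) password, whereas with PAP the password itself arrives in the request. The authenticator check is what a RADIUS client must do before trusting any reply; with a placeholder secret it fails, as expected.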

  • Please Help: 3550 lab switch locked by radius server

    Hi All,
    Any idea? After cleaning up all router and switch config files, sw3 still asks for a radius username and password.
    When logging in on the console and using the 3550 password recovery procedure, it still asks for a username and password.
    When aaa new-model is configured, no username is asked for, only the password cisco is typed in. (Please see the detailed config file in the following.)
    Note: This is for CCIE R&S home lab rack.
    ==========
    // radius server locks sw3
    Access-Server#9
    [Resuming connection 9 to sw3 ... ]
    User Access Verification
    Username:
    Username: cisco
    Password:
    % Backup authentication
    00:27:36: %RADIUS-4-RADIUS_DEAD: RADIUS server 150.100.1.254:1645,1646 is not responding.
    00:27:36: %RADIUS-4-RADIUS_ALIVE: RADIUS server 150.100.1.254:1645,1646 has returned.
    Username:
    ===========
    sw3#sh run
    Building configuration...
    Current configuration : 4655 bytes
    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    hostname sw3
    aaa new-model
    aaa authentication dot1x default group radius
    aaa session-id common
    mls qos
    ip subnet-zero
    ip routing
    no ip domain-lookup
    dot1x system-auth-control
    dot1x guest-vlan supplicant
    no file verify auto
    interface FastEthernet0/11
    switchport mode access
    dot1x pae authenticator
    dot1x port-control auto
    dot1x guest-vlan 999
    dot1x auth-fail vlan 999
    interface FastEthernet0/12
    switchport mode access
    dot1x pae authenticator
    dot1x port-control auto
    dot1x guest-vlan 999
    dot1x auth-fail vlan 999
    interface FastEthernet0/13
    switchport mode access
    dot1x pae authenticator
    dot1x port-control auto
    dot1x guest-vlan 999
    dot1x auth-fail vlan 999
    interface FastEthernet0/14
    switchport mode access
    dot1x pae authenticator
    dot1x port-control auto
    dot1x guest-vlan 999
    dot1x auth-fail vlan 999
    interface FastEthernet0/15
    switchport mode access
    dot1x pae authenticator
    dot1x port-control auto
    dot1x guest-vlan 999
    dot1x auth-fail vlan 999
    interface FastEthernet0/16
    switchport mode access
    dot1x pae authenticator
    dot1x port-control auto
    dot1x guest-vlan 999
    dot1x auth-fail vlan 999
    interface FastEthernet0/17
    switchport mode access
    dot1x pae authenticator
    dot1x port-control auto
    dot1x guest-vlan 999
    dot1x auth-fail vlan 999
    interface FastEthernet0/18
    switchport mode access
    dot1x pae authenticator
    dot1x port-control auto
    dot1x guest-vlan 999
    dot1x auth-fail vlan 999
    interface FastEthernet0/19
    switchport mode dynamic desirable
    channel-group 1 mode desirable
    interface FastEthernet0/20
    switchport mode dynamic desirable
    channel-group 1 mode desirable
    interface FastEthernet0/21
    switchport mode dynamic desirable
    interface FastEthernet0/22
    switchport mode dynamic desirable
    interface FastEthernet0/23
    switchport mode dynamic desirable
    channel-group 2 mode desirable
    interface FastEthernet0/24
    switchport mode dynamic desirable
    channel-group 2 mode desirable
    interface GigabitEthernet0/1
    switchport mode dynamic desirable
    interface GigabitEthernet0/2
    switchport mode dynamic desirable
    interface Vlan1
    no ip address
    shutdown
    ip classless
    ip http server
    ip http secure-server
    radius-server host 150.100.1.254 auth-port 1645 acct-port 1646
    radius-server source-ports 1645-1646
    radius-server key cisco

    I tried to do password recovery per the Cisco doc, but the config.text file is missing from the flash dir:
    switch: dir flash:
    Directory of flash:/
    2 -rwx 5276 syslog
    3 -rwx 0 env_vars
    4 -rwx 7131928 c3550-ipservicesk9-mz.122-25.SEE.bin
    5 drwx 64 crashinfo
    24 -rwx 326 system_env_vars
    7 drwx 192 c3550-i9q3l2-mz.121-13.EA1a
    26 -rwx 24 private-config.text

  • ISE 1.2 Patch 2 External RADIUS Server Sequence Broken?

    Hi community,
    We have upgraded our proof of concept ISE 1.2 lab to Patch level 2.
    Our lab design includes the use of external RADIUS servers which we off-load certain authentication rules to.
    To ensure resiliency of the external RADIUS service, we have two of these which we add to a RADIUS Server Sequence, the idea being that if the first in the list is unavailable, ISE will try the second and all will be well.
    Now this worked for us in testing ISE 1.2, but I have noticed that after the upgrade to Patch 2 ISE is sending the majority of RADIUS traffic to the first (failed) external RADIUS server, with only the odd RADIUS Access-Request to the next in the list.
    Anybody else come across this?
    All helpful comments rated!
    Many thanks, Ash.

    I couldn't find any known issues with this feature. Could you please paste a screenshot of the external radius sequence and configuration? Also, how are we determining that the first server in the sequence is DEAD?
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • EAP-FAST on Local Radius Server : Can't Get It Working

    Hi all
    I'm using an 877w router (flash:c870-advsecurityk9-mz.124-24.T4.bin) as a local radius server and have followed various config guides on CCO. LEAP works fine but I just can't get EAP-FAST to work.
    I'm testing with a Win7 client using the AnyConnect Secure Mobility Client, and also a MacBook Pro, but without luck.
    The router sees an unknown auth type, and when I run some debugs it talks of unknown EAP type 3.
    sh radius local-server s
    Successes              : 1           Unknown usernames      : 0        
    Client blocks          : 0           Invalid passwords      : 0        
    Unknown NAS            : 0           Invalid packet from NAS: 17      
    NAS : 172.27.44.1
    Successes              : 1           Unknown usernames      : 0        
    Client blocks          : 0           Invalid passwords      : 0        
    Corrupted packet       : 0           Unknown RADIUS message : 0        
    No username attribute  : 0           Missing auth attribute : 0        
    Shared key mismatch    : 0           Invalid state attribute: 0        
    Unknown EAP message    : 0           Unknown EAP auth type  : 17       
    Auto provision success : 0           Auto provision failure : 0        
    PAC refresh            : 0           Invalid PAC received   : 0       
    Can anyone suggest what I might be doing wrong?
    Regs, Tim

    Thanks Nicolas, relevant snippets from config:
    aaa new-model
    aaa group server radius rad_eap
    server 172.27.44.1 auth-port 1812 acct-port 1813
    aaa authentication login eap_methods group rad_eap
    aaa authorization exec default local
    aaa session-id common
    dot11 ssid home
    vlan 3
    authentication open eap eap_methods
    authentication network-eap eap_methods
    authentication key-management wpa
    ip dhcp pool home
       import all
       network 192.168.1.0 255.255.255.0
       default-router 192.168.1.1
       dns-server 194.74.65.68 194.74.65.69
    ip inspect name ethernetin tcp
    ip inspect name ethernetin udp
    ip inspect name ethernetin pop3
    ip inspect name ethernetin ssh
    ip inspect name ethernetin dns
    ip inspect name ethernetin ftp
    ip inspect name ethernetin tftp
    ip inspect name ethernetin smtp
    ip inspect name ethernetin icmp
    ip inspect name ethernetin telnet
    interface Dot11Radio0
    no ip address
    encryption vlan 1 mode ciphers aes-ccm tkip
    encryption vlan 2 mode ciphers aes-ccm tkip
    encryption vlan 3 mode ciphers aes-ccm tkip
    broadcast-key vlan 1 change 30
    broadcast-key vlan 2 change 30
    broadcast-key vlan 3 change 30
    ssid home
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    interface Dot11Radio0.3
    encapsulation dot1Q 3
    no cdp enable
    bridge-group 3
    bridge-group 3 subscriber-loop-control
    bridge-group 3 spanning-disabled
    bridge-group 3 block-unknown-source
    no bridge-group 3 source-learning
    no bridge-group 3 unicast-flooding
    interface Vlan3
    no ip address
    bridge-group 3
    interface BVI3
    ip address 192.168.1.1 255.255.255.0
    ip inspect ethernetin in
    ip nat inside
    ip virtual-reassembly
    radius-server local
    no authentication mac
    nas 172.27.44.1 key 0 123456
    user test1 nthash 0 B151E8FF684B4F376C018E632A247D84
    user test2 nthash 0 F2EEAE1D895645B819C9FD217D0CA1F9
    user test3 nthash 0 0CB6948805F797BF2A82807973B89537
    radius-server host 172.27.44.1 auth-port 1812 acct-port 1813 key 123456
    radius-server vsa send accounting
