Dynamic WEP with Win2k3 Radius server
Can someone provide information as how to configure AP350 and AP1200 to use dynamic WEP with Win2k3 Radius server.
What security feature should be configured
If possible provide information for configuration of Win2k3 Radius server.
PEAP CHAPS,128-BIT or WPA
Similar Messages
-
WLC Web-auth fail with external RADIUS server
I follow step by step the link bellow to configure web-auth with external RADIUS server but I receive a error on console debug of the WLC "Returning AAA Error No Server (-7) for mobile"
My Radius Server is fine, because I can authenticate on WLC Web page with RADIUS user.
WLC 4402 version 4.1.171.0
http://www.cisco.com/en/US/products/ps6366/prod_technical_reference09186a0080706f5f.htmlHi,
I am having some issues when I try to authenticate an AD account against a NAP Radius Server on Windows 2008.
In fact, I own a WLC 2106 and I configured it to authenticate users againts a radius Server with Active Directory. I set the Web Radius Authentication to CHAP on the controller tab from the WLC 2106 and i am getting the error below
: Authentication failed for gcasanova. When I set the controller to Web Radius Authentication to PAP, everything is working fine. I am able to connect to through the controller using an AD Account. But my purpose is not use PAP which is an unsecure protocol since password are sent as plaintext on the network.
Can someone tell me what's wrong?
*radiusTransportThread: Oct 26 11:02:13.975: proxyState...................... .............00:24:D7:40:E5:00-00:00
*radiusTransportThread: Oct 26 11:02:13.975: Packet contains 0 AVPs:
*emWeb: Oct 26 11:02:13.977: Authentication failed for gcasanova
*aaaQueueReader: Oct 26 11:02:29.985: AuthenticationRequest: 0xb6564634
*aaaQueueReader: Oct 26 11:02:29.985: Callback.....................................0x8576720
*aaaQueueReader: Oct 26 11:02:29.985: protocolType.................................0x00000001
*aaaQueueReader: Oct 26 11:02:29.985: proxyState...................................00:24:D7:40:E5:00-00:00
*aaaQueueReader: Oct 26 11:02:29.986: Packet contains 11 AVPs (not shown)
*aaaQueueReader: Oct 26 11:02:29.986: apfVapRadiusInfoGet: WLAN(4) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
*aaaQueueReader: Oct 26 11:02:29.986: 00:24:d7:40:e5:00 Successful transmission of Authentication Packet (id 86) to 10.2.0.15:1812, proxy state 00:24:d7:40:e5:00-00:00
*aaaQueueReader: Oct 26 11:02:29.987: 00000000: 01 56 00 9a 8e 48 e7 20 1d ef be 29 e6 3a 61 6d .V...H.....).:am
*aaaQueueReader: Oct 26 11:02:29.987: 00000010: 2b de 07 24 01 0b 67 63 61 73 61 6e 6f 76 61 3c +..$..gcasanova<
*aaaQueueReader: Oct 26 11:02:29.987: 00000020: 12 3c ce a0 87 ac df 7a a5 35 af 7c ef 83 c7 58 .<.....z.5.|...X
*aaaQueueReader: Oct 26 11:02:29.987: 00000030: ed 03 13 28 a7 5a 0d 26 6d ab 49 ea da 7c 5a 8e ...(.Z.&m.I..|Z.
*aaaQueueReader: Oct 26 11:02:29.987: 00000040: 1d 94 70 69 06 06 00 00 00 01 04 06 0a 02 00 06 ..pi............
*aaaQueueReader: Oct 26 11:02:29.987: 00000050: 05 06 00 00 00 01 20 0a 50 41 52 2d 57 4c 43 31 ........PAR-WLC1
*aaaQueueReader: Oct 26 11:02:29.987: 00000060: 3d 06 00 00 00 13 1a 0c 00 00 37 63 01 06 00 00 =.........7c....
*aaaQueueReader: Oct 26 11:02:29.988: 00000070: 00 04 1f 0c 31 30 2e 32 2e 30 2e 31 35 36 1e 0a ....10.2.0.156..
*aaaQueueReader: Oct 26 11:02:29.988: 00000080: 31 30 2e 32 2e 30 2e 36 50 12 7f 86 5a c5 61 ad 10.2.0.6P...Z.a.
*aaaQueueReader: Oct 26 11:02:29.988: 00000090: af 54 fa fa 42 e7 f6 16 9e 10 .T..B.....
*radiusTransportThread: Oct 26 11:02:29.988: 00000000: 03 56 00 14 a9 10 07 84 83 00 87 83 b9 10 64 e1 .V............d.
*radiusTransportThread: Oct 26 11:02:29.988: 00000010: 66 b3 c5 5e f..^
*radiusTransportThread: Oct 26 11:02:29.988: ****Enter processIncomingMessages: response code=3
*radiusTransportThread: Oct 26 11:02:29.988: ****Enter processRadiusResponse: response code=3
*radiusTransportThread: Oct 26 11:02:29.988: 00:24:d7:40:e5:00 Access-Reject received from RADIUS server 10.2.0.15 for mobile 00:24:d7:40:e5:00 receiveId = 0
*radiusTransportThread: Oct 26 11:02:29.989: 00:24:d7:40:e5:00 Returning AAA Error 'Authentication Failed' (-4) for mobile 00:24:d7:40:e5:00
*radiusTransportThread: Oct 26 11:02:29.989: AuthorizationResponse: 0xb97fe774
*radiusTransportThread: Oct 26 11:02:29.989: structureSize................................32
*radiusTransportThread: Oct 26 11:02:29.989: resultCode...................................-4
*radiusTransportThread: Oct 26 11:02:29.989: protocolUsed.................................0xffffffff
*radiusTransportThread: Oct 26 11:02:29.989: proxyState...................................00:24:D7:40:E5:00-00:00
*radiusTransportThread: Oct 26 11:02:29.989: Packet contains 0 AVPs: -
Exchange Server 2013 with a RADIUS server (freeRADIUS).
Hello,
I am a student and doing an internship. I have to test Microsoft Exchange Server 2013.
I am using Windows Server 2012, I already installed Exchange Server 2013 on it and everything works as intended.
But I couldn't find out how to configure my Windows Server 2012 in order to authenticate my mailbox users from Exchange Server 2013 with a RADIUS server which is not on my Windows Server 2012. I have to use their RADIUS server (freeRADIUS), the RADIUS server
from the company where I am doing my internship.
I already created a NPS and added the RADIUS Client + Remote
RADIUS Server Groups. I created a Connection Request Policies with the condition:
User Name *
I forwarded the Connection Request to the
Remote RADIUS server that I created in Remote RADIUS Server Groups and then I registered the NPS in th AD. But it's still not working.
Maybe I did something wrong or I misunderstood something or does this even work with Exchange Server 2013? To authenticate mailbox users with a RADIUS server before they can login into their mailbox and use their mailbox?
Thanks in advance.Hi,
I suggest we refer to the following article to double confirm the Network Policy Server is registered properly.
http://technet.microsoft.com/library/cc732912.aspx
Thanks,
Simon Wu
TechNet Community Support -
Dynamic IP allocation by Radius server
Hi community,
Can Cisco Radius server allocation different IP pools for requests from difference source IP addresses but having the same username/ password information? We have multiple GGSNs using dynamic IP allocation by Radius server. In Radius server, we configure username is subscriber's MSISDN. So we face a situation that a subscriber can go through any GGSN but for different GGSN, Radius server return different IP pools, even for the same subscriber. Is it possible?
Thanks and regards,
HieuI'm not sure if the Autonomous APs have the option for AAA Override. On the WLC, I can go into the BSSID, Security, Advanced, and there's a checkbox that I would check to allow a Radius server to send back the VLAN.
I did a little research and it looks like the 1300 may give this option but instead is defined as "VLAN Override". I've found the release notes for 12.3(7)JA5 (not sure what version you're running) that give mention and a link to configuring EAP on page 4: http://www.ciscosystems.ch/en/US/docs/wireless/access_point/1300/release/notes/o37ja5rn.pdf
Hope this helps -
Authentication Policy ISE with External RADIUS Server
Hi All,
I would like to authenticate client by using External RADIUS. Once I create authentication policy using the new compound condition (wireless dot1x + Radius Username Matches "domainB\") I would like to forward the user authentication who make an authen using domainB\username to the External RADIUS Server Sequence. But when I check on the authentication dashboard, it still authenticate using the default authentication rule.
Please suggest about this scenario.
Regards,
Sent from Cisco Technical Support Android AppHi jrabinow,
Which details you would like to see ?
Here is some infos.
ISEs are deployed in 2 domains such as "acme.com" and "sub.acme.com"
Each domain does not make a trusted relationship so these 2 domains cannot communicate between them.
Each domain has owned Enterprise Root CA (Microsoft)
Client who need to access the network need to authenticate with EAP-TLS.
My environment
My ISE node joined into domain "acme.com"
User will be "[email protected]"
Once the user from "[email protected]" try to authenticate, I would like to forward the RADIUS request from ISEs (acme.com) to other ISEs (sub.acme.com)
After ISEs in "sub.acme.com" return RADIUS-ACCEPT then ISEs in "acme.com" will process an authorization policy.
Regards,
Pongsatorn -
Configuring Cisco ISE for Authorization with External Radius Server attribute
Hi,
I'm trying to integrate an external radius server with Cisco ISE.
I created an External Identity Store>Radius Token Server.
I created a Identity Store sequence with just one identity store just as creadted above.
And I was able to authenticate successfully.
But when it comes to authorization.
I observed we just have one tab named Authorization while creating Radius Token server.
And it always refers to ACS:attribute_name.
If I want to define a IETF radius attribute, (lets say class with attribute id as 25), how could I do it.
In Cisco ACS we have a direct entry option in authorization tab where we can define the radius (IETF) attribute within Radius token server creation (within radius token server>Directory attribute tab).
How ever I try to define the IETF attribute here (class,IETF:Class) I am not able to authorize with this attribute value.
I tried with just one single authorization rule where it could hit.But observed it to go the default(as none of the rules defined matches the condition).
Can anyone guide me how can we define a IETF radius attribute for authorization within Cisco ISE and what policy could we set it to work as authorization.
Thanks in advance
Senthil KThis is the step of Creating and Editing RADIUS Vendors
To create and edit a RADIUS vendor, complete the following steps:
Step 1 From the Administration mega menu, choose Resources > RADIUS Vendors.
The RADIUS Vendors page appears with a list of RADIUS vendors that ISE supports.
Step 2 Click Create to create a new RADIUS vendor or click the radio button next to the RADIUS vendor that
you want to edit and click Edit.
Step 3 Enter the following information:
• Name—(Required) Name of the RADIUS vendor.
• Description—An optional description for the vendor.
• Vendor ID—(Required) The Internet Assigned Numbers Authority (IANA)-approved ID for the
vendor.
• Vendor Attribute Type Field Length—(Required) The number of bytes taken from the attribute value
to be used to specify the attribute type. Valid values are 1, 2, and 4. The default value is 1.
• Vendor Attribute Size Field Length—(Required) The number of bytes taken from the attribute value
to be used to specify the attribute length. Valid values are 0 and 1. The default value is 1.
Step 4 Click Submit to save the RADIUS vendor. -
When WLC authenticate users with secondary RADIUS server?
Hi Sir,
I'm configuring a WLC4404-100. One of the WLANs points to two RADIUS Servers for Authentication and Accounting (please see attached).
I'd like to know, under what circumstances will the WLC authenticate users against the secondary RADIUS Server (in my case, the ACS with IP address 10.200.67.84)?
Please advise.
Thank you.
B.Rgds,
Lim TSHi,
I navigated to the following on the WLC:
MANAGEMENT -> SNMP -> Trap Logs
I noticed the following SNMP trap:
Fri Dec 8 11:23:21 2006 No Radius Servers Are Responding
I checked the 2nd ACS server, and true, at around the same time 11:23, the 2nd ACS server was authenticating users.
I checked the 1st ACS server; at around the same time 11:23, there wasn't any service suspension or database replication going on. What's the cause of this WLC authenticating with the 2nd ACS server? The network is robust and I don't expect any latency issue. The two RADIUS servers are serving only wireless users, the number is about 120.
On the WLC, I used the default of 2 seconds Retransmit Timeout for both the RADIUS Authentication Servers. Should I fine-tune it to higher value?
Retransmit Timeout - Specify the time in seconds after which the RADIUS authentication request will timeout and a retransmission will be taken up by the controller. You can specify a value between 2 to 30 seconds.
There are Passed Authentications logged on the 1st ACS server after during & after 11:23. So, I suspect the WLC is doing a kind of load-balancing across the two RADIUS servers.
Please advise.
Thank you.
B.Rgds,
Lim TS -
1100 with Local Radius Server problems Atheros Client
I have Local authentication turned on for the 1100 and am using the Atheros Client Utility configuring LEAP with username/password and it is failing, here is the debug from the 1100.Any help much appreciated.
Xcon-ap1100#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Xcon-ap1100(config)#radius
Xcon-ap1100(config)#radius-server local
Xcon-ap1100(config-radsrv)#no nas 10.201.1.5
Xcon-ap1100(config-radsrv)#nas 10.201.1.5 key thiskey
Xcon-ap1100(config-radsrv)#end
Xcon-ap1100#debug radius
Radius protocol debugging is on
Radius protocol brief debugging is off
Radius protocol verbose debugging is off
Radius packet hex dump debugging is off
Radius packet protocol debugging is on
Radius packet retransmission debugging is off
Radius server fail-over debugging is off
Xcon-ap1100#term mon
Xcon-ap1100#
*Apr 3 16:26:26.961: RADIUS: AAA Unsupported [248] 10
*Apr 3 16:26:26.961: RADIUS: 43 61 72 64 69 66 66 4E [CardiffN]
*Apr 3 16:26:26.962: RADIUS: AAA Unsupported [150] 3
*Apr 3 16:26:26.962: RADIUS: 32 [2]
*Apr 3 16:26:26.962: RADIUS(000000FC): Storing nasport 246 in rad_db
*Apr 3 16:26:26.962: RADIUS(000000FC): Config NAS IP: 10.201.1.5
*Apr 3 16:26:26.963: RADIUS/ENCODE(000000FC): acct_session_id: 251
*Apr 3 16:26:26.963: RADIUS(000000FC): Config NAS IP: 10.201.1.5
*Apr 3 16:26:26.963: RADIUS(000000FC): sending
*Apr 3 16:26:26.963: RADIUS(000000FC): Send Access-Request to 10.201.1.5:1645 id 21645/158, len 130
*Apr 3 16:26:26.963: RADIUS: authenticator 74 20 7D 86 32 7B 1A 65 - 88 DE A7 58 51 91 FA 5D
*Apr 3 16:26:26.963: RADIUS: User-Name [1] 6 "test"
*Apr 3 16:26:26.964: RADIUS: Framed-MTU [12] 6 1400
*Apr 3 16:26:26.964: RADIUS: Called-Station-Id [30] 16 "000f.f751.7970"
*Apr 3 16:26:26.964: RADIUS: Calling-Station-Id [31] 16 "0090.963d.7bf6"
*Apr 3 16:26:26.964: RADIUS: Service-Type [6] 6 Login [1]
*Apr 3 16:26:26.965: RADIUS: Message-Authenticato[80] 18 *
*Apr 3 16:26:26.965: RADIUS: EAP-Message [79] 11
*Apr 3 16:26:26.965: RADIUS: 02 02 00 09 01 74 65 73 74 [?????test]
*Apr 3 16:26:26.965: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
*Apr 3 16:26:26.965: RADIUS: NAS-Port [5] 6 246
*Apr 3 16:26:26.965: RADIUS: NAS-IP-Address [4] 6 10.201.1.5
*Apr 3 16:26:26.965: RADIUS: Nas-Identifier [32] 13 "Xcon-ap1100"
*Apr 3 16:26:31.966: RADIUS: Retransmit to (10.201.1.5:1645,1646) for id 21645/158
*Apr 3 16:26:36.966: RADIUS: Retransmit to (10.201.1.5:1645,1646) for id 21645/158
*Apr 3 16:26:41.966: RADIUS: Retransmit to (10.201.1.5:1645,1646) for id 21645/158
*Apr 3 16:26:46.965: RADIUS: No response from (10.201.1.5:1645,1646) for id 21645/158
*Apr 3 16:26:46.965: RADIUS/DECODE: parse response no app start; FAIL
*Apr 3 16:26:46.965: RADIUS/DECODE: parse response; FAIL
*Apr 3 16:26:46.966: %DOT11-7-AUTH_FAILED: Station 0090.963d.7bf6 Authentication failed
*Apr 3 16:26:50.070: RADIUS: AAA Unsupported [248] 10
*Apr 3 16:26:50.070: RADIUS: 43 61 72 64 69 66 66 4E [CardiffN]
*Apr 3 16:26:50.071: RADIUS: AAA Unsupported [150] 3
*Apr 3 16:26:50.071: RADIUS: 32 [2]
*Apr 3 16:26:50.071: RADIUS(000000FD): Storing nasport 247 in rad_db
*Apr 3 16:26:50.072: RADIUS(000000FD): Config NAS IP: 10.201.1.5
*Apr 3 16:29:29.041: %DOT11-7-AUTH_FAILED: Station 0090.963d.7bf6 Authentication failed
*Apr 3 16:29:52.253: %DOT11-7-AUTH_FAILED: Station 0090.963d.7bf6 Authentication failedI have a very similar situation here. Took me a while to figure out why existing user certificates are OK but no new users can enroll. I checked all certificates for expiry. No go. It was not the expiry ("Valid to") time, but rather the "Valid From" time that is messed up.
This is what happens: The rollover gets created and replaces the original one (which remains in memory, no flash) But the new one is valid from the expiry of the old one - in my case TOMORROW and after a power-outage the day before yesterday (the most definitive way to get a reboot!) I only have the new NOT YET VALID certificate.
OK, I can wait until tomorrow and see if it works. But the design is far from intelligent. The industry standard is that when you renew a certificate, the validity of the new one is immediate - even if it means it runs for a few days longer than the designated lifetime.
So much for the overlap period of 30 days (as you can see from your own post) if the old certificate goes away after a reboot and the new one is not yet valid! (The CA certificate expiration timer gets reset to some Unix time-zero ( 01:00:00 CEST Jan 1 1970) which I take to mean "not valid yet".)
I only have a few days of trouble - and just one to go after finally working it out, but it could have been up to 30 days if I for any reason had rebooted after the roll-over certificate got created.
Cheers
Bernhard -
Cisco AAA authentication with windows radius server
Cisco - Windows Radius problems
I need to created a limited access group through radius that I can have new network analysts log into
and not be able to commit changes or get into global config.
Here are my current radius settings
aaa new-model
aaa group server radius IAS
server name something.corp
aaa authentication login USERS local group IAS
aaa authorization exec USERS local group IAS
radius server something.corp
address ipv4 1.1.1.1 auth-port 1812 acct-port 1813
key mypassword
line vty 0 4
access-class 1 in
exec-timeout 0 0
authorization exec USERS
logging synchronous
login authentication USERS
transport input ssh
When I log in to the switch, the radius server is passing the corrrect attriubute
***Jan 21 13:59:51.897: RADIUS: Cisco AVpair [1] 18 "shell:priv-lvl=7"
The switch is accepting it and putting you in the correct priv level.
***Radius-Test#sh priv
Current privilege level is 7
I am not sure why it logs you in with the prompt for privileged EXEC mode when
you are in priv level 7. This shows that even though it looks like your in priv exec
mode, you are not.
***Radius-Test#sh run
^
% Invalid input detected at '^' marker.
Radius-Test#
Now this is where I am very lost.
I am in priv level 7, but as soon as I use the enable command It moves me up to 15, and that gives me access to
global config mode.
***Radius-Test#enable
Radius-Test#
Debug log -
Jan 21 14:06:28.689: AAA/MEMORY: free_user (0x2B46E268) user='reynni10'
ruser='NULL' port='tty390' rem_addr='10.100.158.83' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
Now it doesnt matter that I was given priv level 7 by radius because 'enable' put me into priv 15
***Radius-Test#sh priv
Current privilege level is 15
Radius-Test#
I have tried to set
***privilege exec level 15 enable
It works and I am no longer able to use 'enable' when I am at prv level 7, but I also cannot get the commands they will need to work.
Even if I try to do
***privilege exec level 7 show running-config (or other variations)
It will allow you to type sh run without errors, but it doest actually run the command.
What am I doing wrong?
I also want to get PKI working with radius.I can run a test on my radius system, will report back accordingly, as it's a different server than where I am currently located.
Troubleshooting, have you deleted the certificate/network profile on the devices and started from scratch? -
WLC not integrating with Radius Server
Hello world,
I have the following situation:
One WLC 2000 Series (software version 7.0.230.0) with multiple SSID`s, one is with 802.1x integrated with a Radius Server.
Everything worked fine until fiew days ago, when users were unable to logon via they`re certificates on Windows XP.
The infrastracture didn`t suffer modifications.
What i have checked: Radius certification isn`t expired, client certification isn`t expired, the password between controller and Radius is correct.
There are no ACL`s between the WLC and the remote Server. I can ping the devices, other SSIDs on the same controller (wpa/psk) are working correct.
The AP`s are 1242.
I have tried deleting the SSID, configure it back. The OS on Windows Server is 2003 Standard. The AP`s are configured H-Reap.
I have increased the Server Timeout from Radius Authentication Servers from 2 to 30 sec.
The message logs recived on WLC Trap Logs:
RADIUS server X.X.X.X:1812 failed to respond to request (ID 161) for client xx.xx.xx.xx.xx.xx/ user 'unknown'
The message from the debug dot1x aaa enable:
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_CALLING_STATION_ID(31) index=1
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_CALLED_STATION_ID(30) index=2
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_PORT(5) index=3
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_INT_CISCO_AUDIT_SESSION_ID(7) index=4
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_IP_ADDRESS(4) index=5
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_IDENTIFIER(32) index=6
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_VAP_ID(1) index=7
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_SERVICE_TYPE(6) index=8
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_FRAMED_MTU(12) index=9
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_PORT_TYPE(61) index=10
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_EAP_MESSAGE(79) index=11
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_RAD_STATE(24) index=12
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_MESS_AUTH(80) index=13
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df AAA EAP Packet created request = 0x1cff348c.. !!!!
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Sending EAP Attribute (code=2, length=6, id=10) for mobile xx.xx.xx.xx.xx.xx.
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00000000: 02 0a 00 06 0d 00 ......
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
*radiusTransportThread: Mar 06 09:37:07.328: 00:15:e9:33:75:df [BE-resp] AAA response 'Interim Response'
*radiusTransportThread: Mar 06 09:37:07.328: 00:15:e9:33:75:df [BE-resp] Returning AAA response
*radiusTransportThread: Mar 06 09:37:07.328: 00:15:e9:33:75:df AAA Message 'Interim Response' received for mobile xx.xx.xx.xx.xx.xx.
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.329: 00:15:e9:33:75:df Skipping AVP (0/27) for mobile xx.xx.xx.xx.xx.xx.
The messages on Windows 2003 Standard:
User Y was denied access.
Fully-Qualified-User-Name = xx.domain.com/Users_T/user
NAS-IP-Address = X.X>X.X
NAS-Identifier = Cisco_
Called-Station-Identifier = ---------------------
Calling-Station-Identifier = ---------------------
Client-Friendly-Name = ---------------------
Client-IP-Address = ---------------------
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 1
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Wireless Policy
Authentication-Type = EAP
EAP-Type = Smart Card or other certificate
Reason-Code = 262
Reason = The supplied message is incomplete. The signature was not verified.User Y was denied access.
Fully-Qualified-User-Name = xx.domain.com/Users_T/user
NAS-IP-Address = X.X>X.X
NAS-Identifier = Cisco_
Called-Station-Identifier = ---------------------
Calling-Station-Identifier = ---------------------
Client-Friendly-Name = ---------------------
Client-IP-Address = ---------------------
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 1
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Wireless Policy
Authentication-Type = EAP
EAP-Type = Smart Card or other certificate
Reason-Code = 262
Reason = The supplied message is incomplete. The signature was not verified.
Can anyone help why i cannot log the users via 802.1x ?Okay that is good..... this is what I would do next. I would create a test ssid that uses PEAP MSchapv2 and create a new policy in IAS that is basic. Allow 802.1x wireless and user group only and see if you can reconfigure one of the XP machines for PEAP. Can you also post a screen shot of your polices (connection and network) so we can review it.
-
Question about RADIUS server configuration with a MacBook Pro
Hello,
I own a modem router which is capable of WPA2 Enterprise and I want to use it with a RADIUS server for authentication and security purposes.
However, I have a few doubts about this.
MY CONFIGURATION:
The modem router would be connected to a fixed PC with Windows and to a MacBook Pro (both with Ethernet)
The RADIUS server would be running on the MacBook Pro (freeRADIUS)
The bold is the issue, that comes when I disconnect the MBP (it's a notebook, so I use it disconnected from the router sometimes).
Supposing the router would have recognized it (correct configuration), it would disconnect from it.
My questions:
Would Wi-Fi be lost in this manner? Or would the modem router automatically switch to another Wi-Fi authentication?
If I reconnected the MBP to the modem router and re-run the RADIUS server, would I need to access the control panel and re-configure the WPA2 Enterprise in order for Wi-Fi to work again?
Thanks in advance,
Tyrexionibus"Full HD 3DD camcorder..." Marketing at it's best.
This is HDV, right? HDV has the same data rate as DV...13.6GB/hour. But because of the MPEG-2 Long GOP format the HDV format employs, it can be a bit tough to edit, but mainly when rendering effects. IT will be slower than DV, and you can't monitor thru the camera like you can with DV, but a simple FW400 drive and Intel Mac will be fine. Better if you can convert to ProRes upon ingest, but then that eats up a LOT more space and requires at least FW800...
http://library.creativecow.net/articles/poisson_chris/hdv-prores.php
Shane -
Can't authenticate Mac VPN client from RADIUS server
Hello,
I'm a real noob here so please bear with me.
I have been able to configure my PIX 515E to allow VPN connections onto my network, but what I need to do is set up some sort of user authentication to control access at a user level. From what I've read here and in the Configuration Guide I should be able to do this authentication with a RADIUS server. I'm running a Corriente Networks Elektron Security server which has RADIUS server capabilities. It is running on my (inside) interface at IP 192.168.10.26.
I thought that I had everything configured properly but it never seems to authenticate. I connect, the XAUTH window pops up, I add my username and password as it's configured on my RADIUS server, but when I click OK it just cycles the progress bar at the bottom and eventually times out. The client log doesn't show me anything and the log on the RADIUS server shows me nothing. Any ideas? this seems like it should be simple because I can connect until I attempt to authenticate to the RADIUS server.
TIA for any direction you can provide me.
ChristineIf it helps, here is my config with a some of the non-related bits deleted:
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
enable password ********* encrypted
passwd ******* encrypted
hostname pixfirewall
domain-name acme.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol http 80
fixup protocol http 82
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
access-list inside_outbound_nat0_acl permit ip any 192.168.10.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host 192.168.10.26 192.168.10.192 255.255.255.224
access-list inside_outbound_nat0_acl permit ip host 192.168.10.69 192.168.10.192 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 192.168.10.0 255.255.255.0
access-list outside_cryptomap_dyn_40 permit ip any 192.168.10.192 255.255.255.224
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 207.XXX.XXX.130 255.255.255.0
ip address inside 192.168.10.1 255.255.255.0
ip address DMZ 192.168.100.1 255.255.255.0
multicast interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool CBI_VPN_Pool 192.168.10.201-192.168.10.220
pdm location 192.168.10.50 255.255.255.255 inside
pdm group CBI_Servers inside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 200 interface
global (DMZ) 200 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 200 192.168.10.0 255.255.255.0 0 0
static (inside,outside) 207.XXX.XXX.150 192.168.10.27 netmask 255.255.255.255 0 0
static (inside,outside) 207.XXX.XXX.132 192.168.10.26 dns netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 207.XXX.XXX.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server radius-authport 1812
aaa-server radius-acctport 1812
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.10.26 ************* timeout 10
aaa-server LOCAL protocol local
http server enable
http 192.168.10.3 255.255.255.255 inside
no floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
crypto map inside_map interface inside
isakmp enable outside
isakmp nat-traversal 3600
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Test_VPN address-pool CBI_VPN_Pool
vpngroup Test_VPN dns-server 142.77.2.101 142.77.2.36
vpngroup Test_VPN default-domain acme.com
vpngroup Test_VPN idle-time 1800
vpngroup Test_VPN authentication-server RADIUS
vpngroup Test_VPN user-authentication
vpngroup Test_VPN user-idle-timeout 1200
vpngroup Test_VPN password ********
ssh timeout 5
console timeout 0
dhcpd address 192.168.10.100-192.168.10.254 inside
dhcpd dns 142.77.2.101 142.77.2.36
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside -
Exchange Server 2013 and RADIUS server(freeRADIUS2)
I am a student and doing an internship. I have to test Microsoft Exchange Server 2013.
I am using Windows Server 2012, I already installed Exchange
Server 2013 on it and everything works as intended.
But I couldn't find out how to configure my Windows Server 2012 in order to authenticate my mailbox users from Exchange Server 2013 with a RADIUS
server which is not on my Windows Server 2012. I have to use their RADIUS server ( freeRADIUS2 ), the RADIUS server from
the company where I am doing my internship.
I already did the checklist that is on http://technet.microsoft.com/en-us/library/cc772591.aspx. I configured the NPS as
a RADIUS proxy, because that's what I need.
So after doing everything that is on that checklist, my question is:
Is it possible that the Exchange Server 2013 will use my NPS which is now configured as a NPS RADIUS proxy to authenticate my mailbox users that I have on my Exchange Server 2013?thanks for such a quick response.
Just a small question about the link that you put. Does member server mean other server other than domain controller?
Regards,
Yes, Also the server on which you are installing Exchange should have exchange installed.
Cheers,
Gulab Prasad
Technology Consultant
Blog:
http://www.exchangeranger.com Twitter:
LinkedIn:
Check out CodeTwo’s tools for Exchange admins
Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose. -
Web Authentication with MS IAS Server
I'm trying to configure my 2106 WLC to authenticate with an MS IAS Radius Server. I had this working, but my boss did not want to do any configuration on the client side and now wants to do all authentication through Web authentication with the Radius server. The wireless client connects and is redirected to the login page like they're supposed to, but when I enter my credentials the login fails. However, if I enter the login of a local user to the controller the authentication works.
I see in the logs the following error: AAA Authentication Failure for UserName:chevym User Type: WLAN USER. The authentication is reaching the server too, but the logs don't tell you much.
Here is what is in the server logs: 192.168.0.77,chevym,07/29/2008,05:58:16,IAS,TESTLAB1,25,311 1 192.168.0.221 07/28/2008 17:27:10 48,4127,2,4130,TESTLAB\chevym,4129,TESTLAB\chevym,4154,Use Windows authentication for all users,4155,1,4128,Wireless LAN Controller,4116,9,4108,192.168.0.77,4136,3,4142,19
I don't really understand any of that and I'm not really sure if I have the server itself configured correctly for what I want to do. Does anyone have instructions on how to do this?I had another thread going on this, but since it appears to be an IAS problem, I've been posting on the MS forum instead of here.
I'm trying to set up wireless laptop-WLC-IAS authentication using PEAP.
The machine authenticates on boot, but any login by any user results in this message in the Windows Event log on the IAS server:
Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 9/3/2008
Time: 11:00:55 PM
User: N/A
Computer: DC1
Description:
User SCOTRNCPQ003.scdl.local was denied access.
Fully-Qualified-User-Name = SCDL\SCOTRNCPQ003.scdl.local
NAS-IP-Address = 10.10.10.10
NAS-Identifier = scohc0ciswlc
Called-Station-Identifier = 00-21-55-C0-7D-70:Domain Staff
Calling-Station-Identifier = 00-90-4B-4C-92-B7
Client-Friendly-Name = WLAN Controller
Client-IP-Address = 10.10.10.10
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 29
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name =
Authentication-Type = EAP
EAP-Type =
Reason-Code = 8
Reason = The specified user account does not exist.
The policy is the default connection policy created when installing IAS.
In ADUC, I've tried setting both the machine and users Dial-In properties to Allow Access or Control through policy, with the same result.
I've gone through the policy and there isn't anything there, other than the Day-Time rule which is set to allow access for all hours of the whole day, every day.
In the last few days, I've read about the Ignore User Dial In properties, but can't find where/how you set this.
It sounded to me as if this had been resolved in this thread, so I wanted to know how this had been accomplished. -
Setting up Radius server on Autonomous1200 series AP
We have two Autonomous AP's (1220B) that we want to communicate with our RADIUS server using Open Authentication with EAP. When this is set to Open Authentication without additions, I can connect to the network, however when it is set to use EAP, and try to reconnect to the network, an error message is displayed saying "Failed to authenticate." The IP Address of the RADIUS server and the shared secret are the same. Can anybody explain why this is please?
I've got a SonicWall configured for L2TP over IPSec VPN. However, I'm not able to login to it using a Windows domain account only local SonicWall users accounts I've created. I get Error 691: (wrong password or authentication protocol not permitted) - I know the password is correct.
I setup the RADIUS Network Policies on the Windows 2012 Server. However I'm not sure what I need to change on the SonicWall. We also have Global VPN clients connecting to the VPN with IKEv2 so I don't want to prevent them from continuing to use the Global VPN client or have to make any changes on those pre-existing clients. We just want the ability for people to also login to the VPN with the native Windows VPN client too via L2TP over IPSec.
This topic first appeared in the Spiceworks Community
Maybe you are looking for
-
Entrada de Nota Fiscal de energia elétrica modelo 6 com 9 digítos
Ola, Gostaria de entender qual a medida adotada para entrar com uma nota modelo 6 que tem mais do que 6 digitos. A nota de fornecimento de energia elétrica de SP tem 7 digitos "5754899", e o campo NFNUM tem apenas 6 posições. Não falamos de uma nota
-
What is the best way to set up itunes with 2 different ipods on same desktop?
I have a new computer, was able to transfer itunes fine. now having probs figuring out how to set up 2 ipods. older ones - 2gb nano and a 30gb classic. wld like to use same library. thought about setting up 3 itunes - one main, one for each ipod.
-
Does anyone know how to change one sound (voice) opposed to an entire preset of sounds in Ultrabeat? Say you have a preset loaded but you would like to change out the kick drum for one that resides in another preset. If I click on the Import button i
-
How much ram,etc.??
Friends - I am running OS10.4.6 on 384 mb sdram. mostly all works satisfactorily. occasionally when I transfer photos or certain graphics into MSWD I get the spinning wheel and have to force quit and start over. I also get the wheel on occasion elsew
-
The contacts bar is visible when I open FaceTime. How do I remove it. There is not an option to close it.