IOS 12.0(5.1) + Radius

Hi Guys,
I'm trying to configure RADIUS authentication in IOS 12.0(5.1). However, even though I can configure aaa new-model and use local usernames and passwords, I seem unable to find the necessary "radius-server" commands. Is it that a RADIUS server is not supported in this IOS? If it is supported, can someone guide me or provide the necessary documentation?
Thanks
Nik

Hi Wen,
Thanks for your response. Please find the show version below. As for "radius-server", it does not seem to exist on the device: if I type r? all I see is rmon.
Cisco Internetwork Operating System Software
IOS (tm) C2900XL Software (C2900XL-H2S-M), Version 12.0(5.1)XP, MAINTENANCE INTERIM SOFTWARE
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Fri 10-Dec-99 10:57 by cchang
Image text-base: 0x00003000, data-base: 0x002BA814
ROM: Bootstrap program is C2900XL boot loader
Switch-1 uptime is 1 week, 5 days, 10 hours, 1 minute
System returned to ROM by power-on
System restarted at 13:24:43 Canada-DST Sun Oct 17 2010
System image file is "flash:c2900XL-h2s-mz-120.5.1-XP.bin"
cisco WS-C2924M-XL (PowerPC403GA) processor (revision 0x11) with 8192K/1024K bytes of memory.
Processor board ID 0x10, with hardware revision 0x03
Last reset from power-on
Processor is running Enterprise Edition Software
Cluster member switch capable
24 FastEthernet/IEEE 802.3 interface(s)
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:30:7B:D9:56:C0
Motherboard assembly number: 73-3425-10
Power supply part number: 34-0920-01
Motherboard serial number: FAA03499D5P
Power supply serial number: NONE
Model revision number: A0
Model number: WS-C2924M-XL-EN
System serial number: FAA0402H023
Configuration register is 0xF
Hope this helps

Similar Messages

  • ISE continues to receive authentication messages after the radius host test configuration is removed on an IOS router

    I have two issues, but they are related, and I need help:
    Does anyone know how to disable or stop a radius host test message sent every second from an IOS router after the test statement is removed and all radius server information is removed from the configuration? I had this odd test running for the new ISE server. The purpose of the test was not load balancing, but to find out whether IOS supports protocols other than PAP using radius if PPP is not used. After the test, I cannot stop it. I have a case open with Cisco; the answer is that there is no way to stop it other than rebooting the router. I tried removing aaa new-model and adding it back, no help. I have put an access-list on the LAN interface denying IP any to the radius host and port, no match found.
    On the ISE (version 1.1.1), because the IOS router test cannot be stopped, the live authentication page fills up with authentication failure messages. Does anyone know how to block the host from the ISE live authentication log (the router has been removed from the device page)?
    Below is part of the messages from the IOS router (version 15.0.1M6) debug, where 10.2.2.144 is the ISE IP, which has been totally removed from the config. There is no radius or ISE IP in the config at all.
    Aug 28 10:21:15.384: AAA/SG/TEST(Req#: 1): Sending test AAA Access-Request.
    Aug 28 10:21:15.384: AAA/SG/TEST(Req#: 1): Sending test AAA Accounting-Request.
    Aug 28 10:21:15.384: AAA/SG/TEST: Verifying if further testing required to determine server state.
    Aug 28 10:21:15.384: AAA/SG/TEST: DEAD state verification already in progress for server (10.2.2.144:1645,1646).
    Aug 28 10:21:15.384: AAA/SG/TEST: Server (10.2.2.144:1645,1646) assumed DEAD. Dead time updated to 60 secs(s).
    Aug 28 10:21:33.752: AAA/SG/TEST: No Test response from server (10.2.2.144:1645,1646)
    Aug 28 10:21:33.976: AAA/SG/TEST: No Test response from server (10.2.2.144:1645,1646)
    Aug 28 10:21:33.976: AAA/SG/TEST: Necessary responses NOT received from server (10.2.2.144:1645,1646).
    Aug 28 10:21:33.976: AAA/SG/TEST: Server (10.2.2.144:1645,1646) marked DEAD. Dead time set for 60 sec(s).
    Aug 28 10:21:33.976: AAA/SG/TEST: Server (10.2.2.144:1645,1646) removed from quarantine.
    Aug 28 10:22:33.976: AAA/SG/TEST: Verifying if further testing required to determine server state.
    Aug 28 10:22:33.976: AAA/SG/TEST: Server (10.2.2.144:1645,1646) quarantined.
    Aug 28 10:22:33.976: AAA/SG/TEST: Sending 1 Access-Requests, 1 Accounting-Requests in current batch.
    Aug 28 10:22:33.976: AAA/SG/TEST(Req#: 1): Sending test AAA Access-Request.
    Aug 28 10:22:33.976: AAA/SG/TEST(Req#: 1): Sending test AAA Accounting-Request.
    Aug 28 10:22:33.976: AAA/SG/TEST: Verifying if further testing required to determine server state.
    Aug 28 10:22:33.976: AAA/SG/TEST: DEAD state verification already in progress for server (10.2.2.144:1645,1646).
    Aug 28 10:22:33.976: AAA/SG/TEST: Server (10.2.2.144:1645,1646) assumed DEAD. Dead time updated to 60 secs(s).
    Aug 28 10:22:52.760: AAA/SG/TEST: No Test response from server (10.2.2.144:1645,1646)
    Aug 28 10:22:53.176: AAA/SG/TEST: No Test response from server (10.2.2.144:1645,1646)
    Aug 28 10:22:53.176: AAA/SG/TEST: Necessary responses NOT received from server (10.2.2.144:1645,1646).
    Aug 28 10:22:53.176: AAA/SG/TEST: Server (10.2.2.144:1645,1646) marked DEAD. Dead time set for 60 sec(s).
    Aug 28 10:22:53.176: AAA/SG/TEST: Server (10.2.2.144:1645,1646) removed from quarantine.
    Thanks in advance,

    It seems reload is the only way to fix it. I don't think there is any way to stop or ignore messages for a specific host in the live authentication page of ISE. From a security point of view it is required to log all the authentication hits.
    Regards,
    ~JG
    Do rate helpful posts!

  • Ap 1220 runnig ios and radius

    I have an ap1220 running IOS configured as a local radius server. The problem I am having is that my LEAP will fail 75% of the time, with the radius server telling me that my password is invalid, but if I use LEAP manually it works fine.

    Make sure that the radius server is configured with the required username and passwords.

  • RADIUS (NGS) is not disconnecting users

    Hi,
    I have a guest network set up on a WLC with an external RADIUS server (NAC Guest Server). However, when the time profile expires (user account expires) on NGS, the active user is not disconnected.
    Now, if the user logs off the guest network (either using the logout window or via the idle/session timeout) and tries to log back in, they correctly get an error message when they try to log back in on the portal. The issue is that active users are not getting forcibly logged off the guest network.
    I'm sure I've seen this issue referenced somewhere before but I couldn't find it.
    Eoin.

    The key point is that Radius is an authentication that happens when the client connects. The Radius server cannot take actions unless it is contacted in the first place, so a radius server cannot kick users.
    This is "too bad", and yes, things are coming to change that. The new versions of IOS switches start to support "Radius Change of Authorization", which allows the radius server to kick people on demand etc ... But that's not yet there.
    The session timeout is the time for which the WLC leaves the client in peace before asking for a reauthentication.
    For a WPA SSID, the client laptop will usually automatically re-provide credentials after the timeout, so it's a smooth reauthentication. But for guest, if the authentication method is a login page, the user will have to re-enter his credentials, and if he was doing a file transfer, that gets interrupted, so it's not cool to set a very small session timeout.
    So I'm afraid you have to decide to set a session timeout of, let's say, 2 hours, a time that you find acceptable for having to reauthenticate again. This means that the clients will definitely not be able to have network access 2 hours after their account expired (maximum! Once their NGS user account expires, they will be kicked at the next reauthentication, which happens between 0 and 120 minutes later).
    Nicolas

  • Opinions on best CLI IOS authentication model

    Anyone care to mention what works well and what doesn't for alternatives to the default enable/exec password scheme in IOS? I've got RADIUS authentication working on an AP1200, and am thinking of using it elsewhere, but I'm concerned about what happens if the RADIUS server goes down. Can I fall back to enable/exec passwords? Does console access still use these?

    Ben

    There are a number of alternatives to the default of using line and enable passwords. Most of these alternatives are configured through aaa in IOS. If you have Radius working in an AP1200 then you should have a head start in understanding what to do in IOS.
    The basics of configuring aaa authentication are that you refer to method lists. Line passwords are a method list, enable passwords are a method list, radius is a method list. You can refer to multiple method lists for authentication. When you have multiple method lists for authentication, the IOS will try the first one, and if it is not available IOS will try the next one. So for example you might configure this:
    aaa authentication login default group radius line
    This will provide authentication for login (by default this includes console, vty lines, but you can change that in the configuration if you want to) and will first try the Radius server but if the Radius server is not available the IOS will use the configured line passwords.
    To authenticate privilege mode you might configure this:
    aaa authentication enable default group radius enable
    This configuration authenticates privilege mode by using the Radius server first and if it is not available IOS will fall back to using the configured enable secret (or password).
    HTH
    Rick
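    A small model of the method-list behaviour Rick describes, added here as an example (not code from the post or from Cisco). It assumes the IOS rule that the next method in the list is consulted only when a method returns an error (no RADIUS server reachable, no line password configured), never when a method answers and rejects the credentials; the server data and passwords are constructed.

```python
from enum import Enum


class Result(Enum):
    PASS = "pass"    # method answered and accepted the credentials
    FAIL = "fail"    # method answered and rejected the credentials
    ERROR = "error"  # method could not answer (no server reachable, no password configured)


def radius_method(servers, username, password):
    """'group radius': ask servers in priority order; ERROR only if none responds."""
    for srv in servers:
        if not srv["reachable"]:
            continue  # timeout: try the next server in the group
        return Result.PASS if srv["users"].get(username) == password else Result.FAIL
    return Result.ERROR


def line_method(line_password, username, password):
    """'line': compare against the line password; ERROR if none is configured."""
    if line_password is None:
        return Result.ERROR
    return Result.PASS if password == line_password else Result.FAIL


def authenticate(method_list, username, password):
    """Apply a method list the way IOS does: fall through only on ERROR, never on FAIL."""
    for method in method_list:
        result = method(username, password)
        if result is not Result.ERROR:
            return result
    return Result.ERROR  # every method was unavailable; the login is refused


def login_default(username, password, radius_up=True, line_password="cisco"):
    """Model of 'aaa authentication login default group radius line' (constructed data)."""
    servers = [{"reachable": radius_up, "users": {"admin": "s3cret"}}]  # constructed
    method_list = [
        lambda u, p: radius_method(servers, u, p),
        lambda u, p: line_method(line_password, u, p),
    ]
    return authenticate(method_list, username, password)
```

    A RADIUS reject therefore ends the attempt; the line password is only consulted when no RADIUS server answers at all.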

  • Doubts on Radius Server

    1. Suppose we have multiple Radius servers in a network. If the primary Radius server goes down, how will the secondary server come into the picture?
    2. Where can we check which Radius server is active (primary or secondary Radius server)?
    3. Is there any limit, like one server can authenticate only a certain number of clients?
    Thanks
    Sri

    Sri,
    1) It's the NAS that brings up the secondary radius server. First it will try hitting the primary radius server, and if there is no response it will then try the secondary radius.
    2) On ASA you can use this command to check the server status,
    ASA# show aaa-server protocol radius
    On IOS
    Switch#show aaa servers
    RADIUS: id 3, priority 1, host 192.168.26.119, auth-port 1645, acct-port 1646
         State: current UP, duration 151040s, previous duration 0s
         Dead: total time 0s, count 0
         Quarantined: No
         Authen: request 6, timeouts 0
                 Response: unexpected 0, server error 0, incorrect 0, time 190ms
                 Transaction: success 6, failure 0
         Author: request 0, timeouts 0
                 Response: unexpected 0, server error 0, incorrect 0, time 0ms
                 Transaction: success 0, failure 0
         Account: request 0, timeouts 0
                 Response: unexpected 0, server error 0, incorrect 0, time 0ms
                 Transaction: success 0, failure 0
         Elapsed time since counters last cleared: 1d17h33m
    RADIUS: id 4, priority 2, host 192.168.1.99, auth-port 1645, acct-port 1646
         State: current UP, duration 151040s, previous duration 0s
         Dead: total time 0s, count 0
         Quarantined: No
         Authen: request 0, timeouts 0
                 Response: unexpected 0, server error 0, incorrect 0, time 0ms
                 Transaction: success 0, failure 0
         Author: request 0, timeouts 0
                 Response: unexpected 0, server error 0, incorrect 0, time 0ms
                 Transaction: success 0, failure 0
         Account: request 0, timeouts 0
                 Response: unexpected 0, server error 0, incorrect 0, time 0ms
                 Transaction: success 0, failure 0
         Elapsed time since counters last cleared: 0m
    3) I'm not aware of any limit that can be configured on radius. But there are certain parameters you can set up (that depends on the vendor).
    Regards,
    ~JG
    Do rate helpful posts

  • CVPN3030 and FreeRADIUS - attribute "Framed-IP-Address"

    We are authenticating VPN users via a FreeRADIUS server (see www.freeradius.org). This works fine for username/password, but we don't seem to be able to pass RADIUS attributes back to the VPN, or at least not in a way that affects the user's session. I'm focussing on "Framed-IP-Address" (to assign the VPN client a specific IP); if I can get it working for this, I'm sure I can port the method to other attributes.
    Anyone out there doing this? With FreeRADIUS?
    Thanks!

    Hi!
    As far as I remember, VPN3k doesn't understand either "Framed-IP-Address" or cisco-av-pair.
    I've used the "Group Lock" feature to specify which ip-pool the concentrator should use for an authenticated user. It works like specifying "cisco-av-pair=ip:addr-pool" in Radius for a usual (IOS) NAS.
    In your Radius server you should add the "Class" attribute. When the user authenticates he moves to a new group which has an associated address pool.
    For more detail look at http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a00800946a2.shtml

  • Using Peap w/ IAS

    I have a 1200 AP w/ latest IOS trying to do PEAP for wireless clients. When pointing the 1200 to a Funk or ACS radius server it works great. When I point to an IAS server running on W2K SP3, I get an IAS error in the event viewer saying "The specified authentication type is not supported on this system".
    When I use a Symbol AP with the same IAS server, it works fine.
    I have sniffer traces comparing the 2 scenarios and the only difference I can see is the attributes for NAS Port and NAS port type.
    Bad auth (Cisco AP)
    NAS Port Type - virtual
    NAS Port - 414
    Good auth (Symbol AP)
    NAS Port Type - 0x00000013
    NAS Port - 29
    Anyone know what is going on here?

    This is a reply I received from Cisco when I asked this question..
    This is actually a software bug CSCeb36095
    Here is the release note from the bug
    IOS based APs will pass Radius attribute 61 (NAS-Port-Type) with value 5 (virtual), while VxWorks based APs use value 19 (Wireless IEEE802.11)
    Users may need to re-configure Radius server setting if this attribute is used to grant access to the user, when migrating AP from VxWorks to IOS.
    No ETA on when this should be fixed yet, but if the workaround doesn't work then please contact the TAC and open a case; have your case linked to the bug and then you can be kept updated on when the fix will be released.
    What I had to do was change IAS from 802.11 in the policy to virtual. The user then authenticated...
    However, I was also using per user VLANS and the VLAN assignment was not working and they opened another bug on it. This was with a VXworks AP that had been "upgraded" to the IOS version....Needless to say it is sitting on the shelf waiting for the next release of IOS for the 1220's.
    Hope that helps some...
    don

  • IOS SSL VPN WITH RADIUS Authorization

    Hi
    I'm trying to authenticate and authorize the users logging into SSLVPN via ACS, and although the ACS logs and the "TEST" command on the router show successful authentication, I receive the following debug:
    *Jun  6 22:39:50.157: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: SSLVPN i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at 10.0.0.100:4346
    Rack1R1(config)#                          
    *Jun  6 22:40:09.409: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: SSLVPN i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at 10.0.0.100:4357
    Rack1R1(config)#                          
    *Jun  6 22:40:21.409: WV-AAA: AAA authentication request sent for user: "SSLUSER"
    *Jun  6 22:40:21.409: RADIUS/ENCODE(00000000):Orig. component type = INVALID
    *Jun  6 22:40:21.409: RADIUS/ENCODE(00000000): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
    *Jun  6 22:40:21.409: RADIUS(00000000): Config NAS IP: 150.1.1.1
    *Jun  6 22:40:21.409: RADIUS(00000000): sending
    *Jun  6 22:40:21.409: RADIUS(00000000): Send Access-Request to 10.0.0.100:1645 id 1645/27, len 60
    *Jun  6 22:40:21.409: RADIUS:  authenticator AC 16 B3 54 46 72 37 05 - 4C 00 19 21 81 97 40 6E
    *Jun  6 22:40:21.409: RADIUS:  User-Name           [1]   16  "SSLUSER@SSLVPN"
    Rack1R1(config)#                          
    *Jun  6 22:40:21.409: RADIUS:  User-Password       [2]   18  *
    *Jun  6 22:40:21.409: RADIUS:  NAS-IP-Address      [4]   6   150.1.1.1                
    *Jun  6 22:40:21.669: RADIUS: Received from id 1645/27 10.0.0.100:1645, Access-Accept, len 282
    *Jun  6 22:40:21.669: RADIUS:  authenticator 2D 2C B0 39 89 4C 41 88 - 40 32 E2 09 0D 7F 6B 0C
    *Jun  6 22:40:21.669: RADIUS:  Framed-IP-Address   [8]   6   255.255.255.255          
    *Jun  6 22:40:21.669: RADIUS:  Vendor, Cisco       [26]  28 
    *Jun  6 22:40:21.669: RADIUS:   Cisco AVpair       [1]   22  "webvpn:svc-enabled=1"
    *Jun  6 22:40:21.669: RADIUS:  Vendor, Cisco       [26]  29 
    *Jun  6 22:40:21.669: RADIUS:   Cisco AVpair       [1]   23  "webvpn:svc-required=1"
    *Jun  6 22:40:21.669: RADIUS:  Vendor, Cisco       [26]  50 
    *Jun  6 22:40:21.669: RADIUS:   Cisco AVpair       [1]   44  "webvpn:split-include=6.6.6.0 255.255.255.0"
    *Jun  6 22:40:21.669: RADIUS:  Vendor, Cisco       [26]  35 
    *Jun  6 22:40:21.669: RADIUS:   Cisco AVpair       [1]   29  "webvpn:keep-svc-installed=1"
    *Jun  6 22:40:21.669: RADIUS:  Vendor, Cisco       [26]  31 
    *Jun  6 22:40:21.669: RADIUS:   Cisco AVpair       [1]   25  "webvpn:addr-pool=SSLVPN"
    *Jun  6 22:40:21.669: RADIUS:  Vendor, Cisco       [26]  41 
    *Jun  6 22:40:21.669: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
    *Jun  6 22:40:21.669: RADIUS:  Class               [25]  36 
    *Jun  6 22:40:21.669: RADIUS:   43 41 43 53 3A 30 2F 34 37 30 2F 39 36 30 31 30  [CACS:0/470/96010]
    *Jun  6 22:40:21.669: RADIUS:   31 30 31 2F 53 53 4C 55 53 45 52 40 53 53 4C 56  [101/SSLUSER@SSLV]
    *Jun  6 22:40:21.669: RADIUS:   50 4E                                            [PN]
    *Jun  6 22:40:21.673: RADIUS(00000000): Received from id 1645/27
    *Jun  6 22:40:21.673: RADIUS(00000000): Unique id not in use
    Rack1R1(config)#                          
    *Jun  6 22:40:21.673: RADIUS/DECODE(00000000): There is no RADIUS DB Some Radius attributes may not be stored
    *Jun  6 22:40:21.673: AAA/AUTHOR (0x0): Pick method list 'RAD'
    Rack1R1(config)#                          
    *Jun  6 22:40:23.673: WV-AAA: AAA Authentication Failed!
    Rack1R1(config)#                          
    *Jun  6 22:40:24.069: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: SSLVPN i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at 10.0.0.100:4359
    Rack1R1(config)# 
    router Configuration
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Rack1R1
    boot-start-marker
    boot-end-marker
    ! card type command needed for slot/vwic-slot 0/1
    logging message-counter syslog
    enable password cisco
    aaa new-model
    aaa authentication login RAD group radius
    aaa authorization network RAD group radius
    aaa session-id common
    dot11 syslog
    ip source-route
    ip cef
    no ip domain lookup
    ip domain name INE.com
    ip host cisco.com 136.1.121.1
    ip host www.cisco.com 136.1.121.1
    ip host www.google.com 136.1.121.1
    ip host www.ripe.net 136.1.121.1
    no ipv6 cef
    multilink bundle-name authenticated
    crypto pki trustpoint TP-self-signed-3354934498
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-3354934498
    revocation-check none
    rsakeypair TP-self-signed-3354934498
    crypto pki certificate chain TP-self-signed-3354934498
    certificate self-signed 01
            quit
    username admin privilege 15 password 0 admin
    username SSLUSER@SSLVPN password 0 cisco
    archive
    log config
      hidekeys
    crypto ipsec client ezvpn EZVPN_CLIENT
    connect auto
    mode client
    xauth userid mode interactive
    ip tcp synwait-time 5
    interface Loopback0
    ip address 150.1.1.1 255.255.255.0
    interface Loopback6
    ip address 6.6.6.6 255.255.255.0
    interface FastEthernet0/0
    no ip address
    shutdown
    duplex auto
    speed auto
    interface FastEthernet0/1
    no ip address
    duplex auto
    speed auto
    interface FastEthernet0/1.11
    encapsulation dot1Q 12
    ip address 136.1.11.1 255.255.255.0
    interface FastEthernet0/1.121
    encapsulation dot1Q 121
    ip address 136.1.121.1 255.255.255.0
    interface FastEthernet0/0/0
    interface FastEthernet0/0/1
    interface FastEthernet0/0/2
    interface FastEthernet0/0/3
    interface Virtual-Template1 type tunnel
    no ip address
    tunnel mode ipsec ipv4
    interface Vlan1
    no ip address
    router rip
    version 2
    passive-interface FastEthernet0/1.11
    network 136.1.0.0
    network 150.1.0.0
    no auto-summary
    ip local pool SSLVPN 40.0.0.1 40.0.0.254
    ip forward-protocol nd
    ip route 10.0.0.0 255.255.255.0 136.1.121.12
    ip http server
    ip http secure-server
    ip dns server
    ip access-list extended SPLIT
    permit ip 136.1.11.0 0.0.0.255 10.0.0.0 0.0.0.255
    ip radius source-interface Loopback0
    radius-server host 10.0.0.100 auth-port 1645 acct-port 1646 key CISCO
    control-plane
    line con 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    line aux 0
    exec-timeout 0 0
    privilege level 15
    line vty 0 4
    password cisco
    scheduler allocate 20000 1000
    webvpn gateway SSLVPN
    ip interface Loopback0 port 443
    http-redirect port 80
    ssl encryption rc4-md5
    ssl trustpoint TP-self-signed-3354934498
    logging enable
    inservice
    webvpn install svc flash:/webvpn/anyconnect-win-2.5.3055-k9.pkg sequence 1
    webvpn context SSLVPN
    title "**SSLVPN  **"
    ssl encryption rc4-md5
    ssl authenticate verify all
    aaa authentication list RAD
    aaa authentication domain @SSLVPN
    aaa authorization list RAD
    gateway SSLVPN
    inservice
    end
    Any Idea?

    Hi,
    As I understand, you need to know if you can assign a static IP to a user and also if there is any other way of assigning an IP other than a local pool.
    There are three ways of assigning an IP address to a VPN client: using a local pool, an AAA server, or DHCP.
    You can use the following link  for more information:-
    Assigning static ip  for user present locally on ASA:-
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a7afb2.shtml
    For user present on Active Directory:-
    http://technet.microsoft.com/en-us/library/cc786213%28WS.10%29.aspx
    The following is the link for assigning ip address using DHCP:-
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a66bc6.shtml
    I hope it helps.
    Thanks,
    Shilpa
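    Added example, not code from either post or from Cisco: a Python encoder and parser for the RADIUS attribute layout shown in the Access-Accept debug above (Type, Length, Value, with cisco-av-pairs carried inside Vendor-Specific attribute 26, vendor 9), the Response Authenticator check a NAS performs with the shared secret, and a lookup of NAS-Port-Type (attribute 61), whose value 5 vs 19 is the difference discussed in the "Using Peap w/ IAS" thread. The shared secret, request authenticator and attribute values are constructed.

```python
import hashlib
import hmac
import struct

# Attribute types that appear in the debug output on this page
ATTR_SERVICE_TYPE = 6
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_VENDOR_SPECIFIC = 26
ATTR_NAS_PORT_TYPE = 61
CISCO_VENDOR_ID = 9        # IANA enterprise number used inside attribute 26
CISCO_AVPAIR = 1           # vendor subtype for cisco-av-pair
CODE_ACCESS_REQUEST = 1
CODE_ACCESS_ACCEPT = 2
NAS_PORT_TYPE_VIRTUAL = 5          # value sent by the IOS AP (bug CSCeb36095)
NAS_PORT_TYPE_WIRELESS_80211 = 19  # value sent by the VxWorks and Symbol APs


def attr(atype, value):
    """Encode one attribute: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def cisco_avpair(text):
    """Wrap a cisco-av-pair string in Vendor-Specific (26) / vendor 9 / subtype 1."""
    data = text.encode()
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_request(ident, request_auth, attrs):
    """Access-Request: the 16-byte authenticator is a random value chosen by the NAS."""
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def build_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_auth, secret):
    """True only if the reply was produced by a holder of the shared secret and not altered."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expect = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expect)


def parse_attributes(packet):
    """Walk the attribute list; Cisco av-pairs come back as ("cisco-av-pair", text)."""
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("bad attribute length")  # never trust the length byte blindly
        value = packet[pos + 2:pos + alen]
        pos += alen
        if (atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6
                and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID
                and value[4] == CISCO_AVPAIR and value[5] == len(value) - 4):
            out.append(("cisco-av-pair", value[6:].decode()))
        else:
            out.append((atype, value))
    return out


def nas_port_type(parsed):
    """Return the NAS-Port-Type integer from a parsed Access-Request, or None."""
    for atype, value in parsed:
        if atype == ATTR_NAS_PORT_TYPE and len(value) == 4:
            return struct.unpack("!I", value)[0]
    return None


def example_accept(secret=b"CISCO", ident=27, request_auth=bytes(range(16))):
    """Constructed Access-Accept carrying the same attributes as the debug above."""
    attrs = b"".join([
        attr(ATTR_FRAMED_IP_ADDRESS, bytes([255, 255, 255, 255])),
        cisco_avpair("webvpn:svc-enabled=1"),
        cisco_avpair("webvpn:addr-pool=SSLVPN"),
        attr(ATTR_SERVICE_TYPE, struct.pack("!I", 5)),  # 5 = Outbound
    ])
    return build_response(CODE_ACCESS_ACCEPT, ident, request_auth, attrs, secret)
```

    The encoded lengths (28 for the svc-enabled av-pair, 31 for addr-pool) match the values the router printed in the debug, and a reply whose authenticator does not verify against the shared secret is discarded by the NAS rather than acted on.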

  • Is there a minimum IOS version for windows radius 2012R2

    Hello,
    We use a windows server 2008R2 and NPS for radius authentication of our 887,881 and 891 routers, ASA V8.4, and 3750 switches.
    We are thinking about migrating our radius to Windows 2012R2, which has a new version of NPS.
    Do you know if there is a minimum IOS version required for NPS on Windows 2012R2?
    Thanks

    Hi,
    Yes, NPS will work with Windows Server 2012R2; for the minimum server certificate requirement check the link below.
    http://msdn.microsoft.com/en-us/library/cc731363.aspx

  • IOS SLB RADIUS loadbalancing

    Hi Guys,
    Can anyone confirm or point out errors in this config that I wish to put on our 6509? We don't have a test environment, so I need to get as much feedback as I can on this.
    Thanks in advance,
    James
    no natpool WSB_RADIUS 10.176.57.115 10.176.57.115 netmask 255.255.255.128
    no serverfarm WSB_RADIUS
    no serverfarm WSB_RADIUS_NAT
    no policy WSB_RADIUS_NAT
    no vserver WSB_RADIUS
    no probe WSB_RADIUS_AUTH udp
    ip slb serverfarm WSB_RADIUS
    nat server
    real 10.176.57.38
    faildetect numconns 8 numclients 1
    inservice
    real 10.176.57.39
    faildetect numconns 8 numclients 1
    inservice
    real 10.176.57.40
    faildetect numconns 8 numclients 1
    inservice
    real 10.176.57.41
    faildetect numconns 8 numclients 1
    inservice
    ip slb vserver WSB_RADIUS
    virtual 10.176.57.115 udp 1813 service radius
    serverfarm WSB_RADIUS
    idle radius request 2
    inservice standby WSB
    interface Vlan130
    standby 130 name WSB

    IOS SLB provides RADIUS load-balancing capabilities for RADIUS servers. In addition, IOS SLB can load-balance devices that proxy the RADIUS Authorization and Accounting flows in both traditional and mobile wireless networks, if desired. IOS SLB does this by correlating data flows to the same proxy that processed the RADIUS for that subscriber flow.
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1833/products_feature_guide09186a00802081ce.html#wp2889077

  • AS5350 Radius with IOS 12.2(11)T - changing source port

    Hi,
    My problem is that in versions prior to 12.2(11)T, when the gateway issued a radius authentication request, the packet had the source port 1645, but in the newer IOS releases (including 12.3) the port varies (it starts by sending auth requests with the sport 21645 but after a while it sends requests with the sport 21646). I would like to know if anyone at Cisco or whoever reads this can tell me how to make my 5350 send a packet to the radius server with sport 1645 (or any sport, but not varying).
    Please don't ask me why I need this, I just do !
    Thanks

    It is set that way... the problem is that I need the packet leaving the gateway with source port 1645. Anyway, I have the answer now, thanks... and for anyone interested:
    http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCea72719&Submit=Search

  • Anyconnect IOS Radius

    Hello,
    I have a Cisco 881 router with an AnyConnect VPN. The web interface works,
    but when I enter a username I'm getting a login failure.
    Looking at the Event Viewer of the NPS I can see that it is using the wrong NETWORK and CONNECT POLICY;
    it needs to use the VPN policy.
    configuration router Radius:
    aaa group server radius VPN
    server 172.16.200.10 auth-port 1645 acct-port 1646
    configuration router AnyConnect:
    webvpn gateway ANYCONNECT
    ip interface FastEthernet4 port 8080
    ssl trustpoint TP-self-signed-4264276022
    inservice
    webvpn install svc flash:/webvpn/sslclient-win-1.1.4.176.pkg sequence 1
    webvpn context ANYCONNECT-CONTEXT
    title "welcome to office"
    ssl authenticate verify all
    policy group ANYCONNECT-POLICY
       functions svc-required
       svc address-pool "Pool"
       svc keep-client-installed
       svc dns-server primary 8.8.8.8
    default-group-policy ANYCONNECT-POLICY
    aaa authentication list VPN
    gateway ANYCONNECT
    inservice
    WHAT IS GOING WRONG?

    Looks like settings on your server.
    Have a look at:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml#configldap
    Step 2.

  • IOS ap / RADIUS / DNS

    I am trying to use DNS for a radius server. It allows me to use the name, but then resolves the IP and puts the IP in the table. Is there a way to have the DNS name in the table, so that if the IP changes it can be resolved without having to go back into the AP?

    Generally DNS table entry contains both the Name and the ip address , so that names are resolved. But there is a concept called Dynamic DNS where names are stored and IP addresses are updated dynamically.

  • Radius broke my IOS?

    While configuring a 3560G for aaa\radius my router froze and had to be manually booted.
    aaa settings are ok, didn't get any problems with this part
    but when I started typing the radius commands... oh boy!
    this is the first line: ip radius source-interface Vlan200
    then this is the second command which broke it all:
    radius-server host 192.168.200.x auth-port 1645 acct-port 1646 key 7 password
    any idea what & why this command would break and how can I configure my radius without breaking the switch?

    This example shows how to enable AAA, use RADIUS authentication and enable device tracking:
    Switch# configure terminal
    Switch(config)# aaa new-model
    Switch(config)# aaa authentication login default group radius
    Switch(config)# aaa authorization auth-proxy default group radius
    Switch(config)# radius-server host key key1
    Switch(config)# radius-server attribute 8 include-in-access-req
    Switch(config)# radius-server vsa send authentication
    Switch(config)# ip device tracking
    Switch(config)# end
