IOS 12.0(5.1) + Radius
Hi Guys,
I'm trying to configure RADIUS authentication in IOS 12.0(5.1). However, even though I can configure aaa new-model and use local usernames and passwords, I seem unable to find the necessary "radius-server" commands. Is it that a RADIUS server is not supported in this IOS? If it is supported, can someone guide me or provide the necessary documentation?
Thanks
Nik
Hi Wen,
Thanks for your response. Please find the show version below. As for "radius-server", it does not seem to exist on the device: if I type r? all I see is rmon.
Cisco Internetwork Operating System Software
IOS (tm) C2900XL Software (C2900XL-H2S-M), Version 12.0(5.1)XP, MAINTENANCE INTERIM SOFTWARE
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Fri 10-Dec-99 10:57 by cchang
Image text-base: 0x00003000, data-base: 0x002BA814
ROM: Bootstrap program is C2900XL boot loader
Switch-1 uptime is 1 week, 5 days, 10 hours, 1 minute
System returned to ROM by power-on
System restarted at 13:24:43 Canada-DST Sun Oct 17 2010
System image file is "flash:c2900XL-h2s-mz-120.5.1-XP.bin"
cisco WS-C2924M-XL (PowerPC403GA) processor (revision 0x11) with 8192K/1024K bytes of memory.
Processor board ID 0x10, with hardware revision 0x03
Last reset from power-on
Processor is running Enterprise Edition Software
Cluster member switch capable
24 FastEthernet/IEEE 802.3 interface(s)
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:30:7B:D9:56:C0
Motherboard assembly number: 73-3425-10
Power supply part number: 34-0920-01
Motherboard serial number: FAA03499D5P
Power supply serial number: NONE
Model revision number: A0
Model number: WS-C2924M-XL-EN
System serial number: FAA0402H023
Configuration register is 0xF
Hope this helps
Similar Messages
-
I have two issues, but they are related, and I need help:
Anyone know how to disable or stop a RADIUS host test message sent periodically from an IOS router after the test statement was removed and all RADIUS server information was removed from the configuration? I have this odd testing for the new ISE server. The purpose of the testing is not load balancing, but to find out if IOS supports a RADIUS protocol other than PAP when PPP is not used. After the test, I cannot stop it. I have a case open with Cisco; the answer is there is no way to stop it other than rebooting the router. I tried removing aaa new-model and adding it back, no help. I have put an access-list on the LAN interface denying IP from any to the RADIUS host and port; no match found.
On the ISE (version 1.1.1), because the IOS router test cannot be stopped, the live authentication page fills up with authentication failure messages. Anyone know how to block the host from the ISE live authentication log (the router has been removed from the device page)?
Below is part of the messages from the IOS router (version 15.0.1M6) debug, where 10.2.2.144 is the ISE IP, which has been totally removed from the config. There is no RADIUS or ISE IP in the config at all.
Aug 28 10:21:15.384: AAA/SG/TEST(Req#: 1): Sending test AAA Access-Request.
Aug 28 10:21:15.384: AAA/SG/TEST(Req#: 1): Sending test AAA Accounting-Request.
Aug 28 10:21:15.384: AAA/SG/TEST: Verifying if further testing required to determine server state.
Aug 28 10:21:15.384: AAA/SG/TEST: DEAD state verification already in progress for server (10.2.2.144:1645,1646).
Aug 28 10:21:15.384: AAA/SG/TEST: Server (10.2.2.144:1645,1646) assumed DEAD. Dead time updated to 60 secs(s).
Aug 28 10:21:33.752: AAA/SG/TEST: No Test response from server (10.2.2.144:1645,1646)
Aug 28 10:21:33.976: AAA/SG/TEST: No Test response from server (10.2.2.144:1645,1646)
Aug 28 10:21:33.976: AAA/SG/TEST: Necessary responses NOT received from server (10.2.2.144:1645,1646).
Aug 28 10:21:33.976: AAA/SG/TEST: Server (10.2.2.144:1645,1646) marked DEAD. Dead time set for 60 sec(s).
Aug 28 10:21:33.976: AAA/SG/TEST: Server (10.2.2.144:1645,1646) removed from quarantine.
Aug 28 10:22:33.976: AAA/SG/TEST: Verifying if further testing required to determine server state.
Aug 28 10:22:33.976: AAA/SG/TEST: Server (10.2.2.144:1645,1646) quarantined.
Aug 28 10:22:33.976: AAA/SG/TEST: Sending 1 Access-Requests, 1 Accounting-Requests in current batch.
Aug 28 10:22:33.976: AAA/SG/TEST(Req#: 1): Sending test AAA Access-Request.
Aug 28 10:22:33.976: AAA/SG/TEST(Req#: 1): Sending test AAA Accounting-Request.
Aug 28 10:22:33.976: AAA/SG/TEST: Verifying if further testing required to determine server state.
Aug 28 10:22:33.976: AAA/SG/TEST: DEAD state verification already in progress for server (10.2.2.144:1645,1646).
Aug 28 10:22:33.976: AAA/SG/TEST: Server (10.2.2.144:1645,1646) assumed DEAD. Dead time updated to 60 secs(s).
Aug 28 10:22:52.760: AAA/SG/TEST: No Test response from server (10.2.2.144:1645,1646)
Aug 28 10:22:53.176: AAA/SG/TEST: No Test response from server (10.2.2.144:1645,1646)
Aug 28 10:22:53.176: AAA/SG/TEST: Necessary responses NOT received from server (10.2.2.144:1645,1646).
Aug 28 10:22:53.176: AAA/SG/TEST: Server (10.2.2.144:1645,1646) marked DEAD. Dead time set for 60 sec(s).
Aug 28 10:22:53.176: AAA/SG/TEST: Server (10.2.2.144:1645,1646) removed from quarantine.
Thanks in advance,
It seems reload is the only way to fix it. I don't think there is any way to stop or ignore messages for a specific host in the live authentication page of ISE. From a security point of view it is required to log all the authentication hits.
Regards,
~JG
Do rate helpful posts! -
I have an AP1220 running IOS configured as a local RADIUS server. The problem I am having is that my LEAP will fail 75% of the time, with the RADIUS server telling me that my password is invalid, but if I use LEAP manual it works fine.
Make sure that the radius server is configured with the required username and passwords.
-
RADIUS (NGS) is not disconnecting users
Hi,
I have a guest network set up on a WLC with an external RADIUS server (NAC Guest Server). However, when the time profile expires (user account expires) on NGS, the active user is not disconnected.
Now if the user logs off the guest network (either using the logout window or via the idle/session timeout) and tries to log back in, they correctly get an error message when they try to log back in on the portal. The issue is that active users are not getting forcibly logged off the guest network.
I'm sure I've seen this issue referenced somewhere before but I couldn't find it.
Eoin.
The key point is that RADIUS is an authentication that happens when the client connects. The RADIUS server cannot take actions unless it is contacted in the first place, so a RADIUS server cannot kick users.
This is "too bad" and yes things are coming to change that. The new versions of IOS switches start to support "Radius Change of Authorization" that allows the radius server to kick people on demand etc ... But that's not yet there.
The session timeout is the time for which the WLC leaves the client in peace before asking for a reauthentication.
For a WPA SSID, the client laptop will automatically reprovide credentials after timeout usually so it's a smooth reauthentication. But for guest, if the authentication method is a login page, the user will have to re-enter his credentials and if he was doing a file transfer, that got interrupted so that's not cool to set a very small session timeout.
So you have to decide I'm afraid to set a session timeout of 2 hours let's say, time that you find acceptable to have to reauthenticate again. This means that the clients will definitely not be able to have network access 2 hours (maximum ! once their NGS user account expires, they will be kicked at the next reauthentication which happens between 0 and 120 minutes later) after their account expired.
Nicolas -
Opinions on best CLI IOS authentication model
Anyone care to mention what works well and what doesn't for alternatives to the default enable/exec password scheme in IOS? I've got RADIUS authentication working on an AP1200, and am thinking of using it elsewhere, but I'm concerned about what happens if the RADIUS server goes down. Can I fall back to enable/exec passwords? Does console access still use these?
Ben
There are a number of alternatives to the default of using line and enable passwords. Most of these alternatives are configured through aaa in IOS. If you have Radius working in an AP1200 then you should have a head start in understanding what to do in IOS.
The basics of configuring aaa authentication is that you refer to method lists. Line passwords are a method list, enable passwords are a method list, radius is a method list. You can refer to multiple method lists for authentication. When you have multiple method lists for authentication the IOS will try the first one and if it is not available IOS will try the next one. So for example you might configure this:
aaa authentication login default group radius line
This will provide authentication for login (by default this includes console, vty lines, but you can change that in the configuration if you want to) and will first try the Radius server but if the Radius server is not available the IOS will use the configured line passwords.
To authenticate privilege mode you might configure this:
aaa authentication enable default group radius enable
This configuration authenticates privilege mode by using the Radius server first and if it is not available IOS will fall back to using the configured enable secret (or password).
HTH
Rick -
1. Suppose we have multiple RADIUS servers in a network. If the primary RADIUS server goes down, how will the secondary server come into the picture?
2. Where can we check which RADIUS server is active (primary or secondary RADIUS server)?
3. Is there any limit on the number of clients one server can authenticate?
Thanks
Sri
Sri,
1) It's the NAS that brings up the secondary RADIUS server. First it will try hitting the primary RADIUS server and if there is no response it will then try the secondary RADIUS server.
2) On ASA you can use this command to check the server status,
ASA# show aaa-server protocol radius
On IOS
Switch#show aaa servers
RADIUS: id 3, priority 1, host 192.168.26.119, auth-port 1645, acct-port 1646
State: current UP, duration 151040s, previous duration 0s
Dead: total time 0s, count 0
Quarantined: No
Authen: request 6, timeouts 0
Response: unexpected 0, server error 0, incorrect 0, time 190ms
Transaction: success 6, failure 0
Author: request 0, timeouts 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Account: request 0, timeouts 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Elapsed time since counters last cleared: 1d17h33m
RADIUS: id 4, priority 2, host 192.168.1.99, auth-port 1645, acct-port 1646
State: current UP, duration 151040s, previous duration 0s
Dead: total time 0s, count 0
Quarantined: No
Authen: request 0, timeouts 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Author: request 0, timeouts 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Account: request 0, timeouts 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Elapsed time since counters last cleared: 0m
3) I'm not aware of any limit that can be configured on RADIUS. But there are certain parameters you can set up (that depends on the vendor).
Regards,
~JG
Do rate helpful posts -
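The "which server is active" check in JG's answer can be automated. The following is an added example, not code from the thread: a Python parser for show aaa servers output that reports which server the NAS will try first and flags entries that are DEAD or quarantined, as the AAA/SG/TEST debug earlier on this page shows. The sample text is constructed from the quoted output, with a second server hand-edited into a DEAD state.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the "show aaa servers" output quoted above (Author
# and Account counters omitted for brevity). The second server is hand-edited to look
# DEAD and quarantined, as in the AAA/SG/TEST debug from the earlier post.
SAMPLE = """\
RADIUS: id 3, priority 1, host 192.168.26.119, auth-port 1645, acct-port 1646
State: current UP, duration 151040s, previous duration 0s
Dead: total time 0s, count 0
Quarantined: No
Authen: request 6, timeouts 0
Response: unexpected 0, server error 0, incorrect 0, time 190ms
Transaction: success 6, failure 0
Elapsed time since counters last cleared: 1d17h33m
RADIUS: id 4, priority 2, host 192.168.1.99, auth-port 1645, acct-port 1646
State: current DEAD, duration 60s, previous duration 151040s
Dead: total time 120s, count 2
Quarantined: Yes
Authen: request 12, timeouts 12
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 12
Elapsed time since counters last cleared: 0m
"""

HEADER = re.compile(r"RADIUS: id (?P<id>\d+), priority (?P<prio>\d+), "
                    r"host (?P<host>[\d.]+), auth-port (?P<auth>\d+), acct-port (?P<acct>\d+)")


@dataclass
class RadiusServer:
    id: int
    priority: int
    host: str
    state: str = "UNKNOWN"
    dead_count: int = 0
    quarantined: bool = False
    authen_requests: int = 0
    authen_timeouts: int = 0
    authen_success: int = 0
    authen_failure: int = 0


def parse_show_aaa_servers(text):
    """One RadiusServer per 'RADIUS: id ...' block; Author/Account counters are skipped."""
    servers, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            servers.append(RadiusServer(int(m["id"]), int(m["prio"]), m["host"]))
            section = None
            continue
        if not servers:
            continue  # anything printed before the first server block
        cur = servers[-1]
        nums = [int(n) for n in re.findall(r"\d+", line)]
        if line.startswith("State: current "):
            cur.state = line.split()[2].rstrip(",")
        elif line.startswith("Dead:"):
            cur.dead_count = nums[-1]
        elif line.startswith("Quarantined:"):
            cur.quarantined = line.split()[1] == "Yes"
        elif line.startswith(("Authen:", "Author:", "Account:")):
            section = line.split(":")[0]   # Transaction lines belong to the last section
            if section == "Authen":
                cur.authen_requests, cur.authen_timeouts = nums[0], nums[1]
        elif line.startswith("Transaction:") and section == "Authen":
            cur.authen_success, cur.authen_failure = nums[0], nums[1]
    return servers


def active_server(servers):
    """Host the NAS will try first: the lowest-priority entry that is currently UP."""
    up = [s for s in servers if s.state == "UP"]
    return min(up, key=lambda s: s.priority).host if up else None


def health_warnings(servers):
    """Map host -> reasons worth alerting on: not UP, quarantined, or authen timeouts."""
    warnings = {}
    for s in servers:
        reasons = []
        if s.state != "UP":
            reasons.append("state %s, marked dead %d time(s)" % (s.state, s.dead_count))
        if s.quarantined:
            reasons.append("quarantined")
        if s.authen_timeouts:
            reasons.append("%d of %d authen requests timed out"
                           % (s.authen_timeouts, s.authen_requests))
        if reasons:
            warnings[s.host] = reasons
    return warnings
```

Feed it the output of show aaa servers collected over SSH and alert on any host returned by health_warnings; a server that flaps between DEAD and UP shows up as a rising dead count.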
CVPN3030 and FreeRADIUS - attribute "Framed-IP-Address"
We are authenticating VPN users via a FreeRADIUS server (see www.freeradius.org). This works fine for username/password, but we don't seem to be able to pass RADIUS attributes back to the VPN, or at least not in a way that affects the user's session. I'm focussing on "Framed-IP-Address" (to assign the VPN client a specific IP); if I can get it working for this, I'm sure I can port the method to other attributes.
Anyone out there doing this? With FreeRADIUS?
Thanks!
Hi!
As far as I remember, the VPN3k understands neither "Framed-IP-Address" nor cisco-av-pair.
I've used the "Group Lock" feature to specify which IP pool the concentrator should use for an authenticated user. It works like specifying "cisco-av-pair=ip:addr-pool" in RADIUS for a usual (IOS) NAS.
In your RADIUS server you should add the "Class" attribute. When the user authenticates, he moves to a new group which has an associated address pool.
For more detail look at http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a00800946a2.shtml -
I have a 1200 AP with the latest IOS trying to do PEAP for wireless clients. When pointing the 1200 to a Funk or ACS RADIUS server it works great. When I point to an IAS server running on W2K SP3, I get an IAS error in the event viewer saying "The specified authentication type is not supported on this system".
When I use a Symbol AP with the same IAS server, it works fine.
I have sniffer traces comparing the 2 scenarios and the only difference I can see is the attributes for
NAS Port and NAS port type.
Bad auth (Cisco AP)
NAS Port Type - virtual
NAS Port - 414
Good auth (Symbol AP)
NAS Port Type - 0x00000013
NAS Port - 29
Anyone know what is going on here?
This is a reply I received from Cisco when I asked this question:
This is actually a software bug CSCeb36095
Here is the release note from the bug
IOS based APs will pass Radius attribute 61 (NAS-Port-Type) with value 5 (virtual), while VxWorks based APs use value 19 (Wireless IEEE802.11)
Users may need to re-configure Radius server setting if this attribute is used to grant access to the user, when migrating AP from VxWorks to IOS.
No ETA on when this should be fixed yet, but if the workaround doesn't work then please contact the TAC and open a case; have your case linked to the bug and you can be kept updated on when the fix will be released.
What I had to do was change IAS from 802.11 in the policy to virtual. The user then authenticated...
However, I was also using per-user VLANs and the VLAN assignment was not working, and they opened another bug on it. This was with a VxWorks AP that had been "upgraded" to the IOS version... Needless to say, it is sitting on the shelf waiting for the next release of IOS for the 1220s.
Hope that helps some...
don -
IOS SSL VPN WITH RADIUS Authorization
Hi
I'm trying to authenticate and authorize the users logging into SSLVPN via ACS, and although the ACS logs and the "TEST" command on the router show successful authentication, I receive the following debug:
*Jun 6 22:39:50.157: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: SSLVPN i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at 10.0.0.100:4346
Rack1R1(config)#
*Jun 6 22:40:09.409: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: SSLVPN i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at 10.0.0.100:4357
Rack1R1(config)#
*Jun 6 22:40:21.409: WV-AAA: AAA authentication request sent for user: "SSLUSER"
*Jun 6 22:40:21.409: RADIUS/ENCODE(00000000):Orig. component type = INVALID
*Jun 6 22:40:21.409: RADIUS/ENCODE(00000000): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Jun 6 22:40:21.409: RADIUS(00000000): Config NAS IP: 150.1.1.1
*Jun 6 22:40:21.409: RADIUS(00000000): sending
*Jun 6 22:40:21.409: RADIUS(00000000): Send Access-Request to 10.0.0.100:1645 id 1645/27, len 60
*Jun 6 22:40:21.409: RADIUS: authenticator AC 16 B3 54 46 72 37 05 - 4C 00 19 21 81 97 40 6E
*Jun 6 22:40:21.409: RADIUS: User-Name [1] 16 "SSLUSER@SSLVPN"
Rack1R1(config)#
*Jun 6 22:40:21.409: RADIUS: User-Password [2] 18 *
*Jun 6 22:40:21.409: RADIUS: NAS-IP-Address [4] 6 150.1.1.1
*Jun 6 22:40:21.669: RADIUS: Received from id 1645/27 10.0.0.100:1645, Access-Accept, len 282
*Jun 6 22:40:21.669: RADIUS: authenticator 2D 2C B0 39 89 4C 41 88 - 40 32 E2 09 0D 7F 6B 0C
*Jun 6 22:40:21.669: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
*Jun 6 22:40:21.669: RADIUS: Vendor, Cisco [26] 28
*Jun 6 22:40:21.669: RADIUS: Cisco AVpair [1] 22 "webvpn:svc-enabled=1"
*Jun 6 22:40:21.669: RADIUS: Vendor, Cisco [26] 29
*Jun 6 22:40:21.669: RADIUS: Cisco AVpair [1] 23 "webvpn:svc-required=1"
*Jun 6 22:40:21.669: RADIUS: Vendor, Cisco [26] 50
*Jun 6 22:40:21.669: RADIUS: Cisco AVpair [1] 44 "webvpn:split-include=6.6.6.0 255.255.255.0"
*Jun 6 22:40:21.669: RADIUS: Vendor, Cisco [26] 35
*Jun 6 22:40:21.669: RADIUS: Cisco AVpair [1] 29 "webvpn:keep-svc-installed=1"
*Jun 6 22:40:21.669: RADIUS: Vendor, Cisco [26] 31
*Jun 6 22:40:21.669: RADIUS: Cisco AVpair [1] 25 "webvpn:addr-pool=SSLVPN"
*Jun 6 22:40:21.669: RADIUS: Vendor, Cisco [26] 41
*Jun 6 22:40:21.669: RADIUS: Service-Type [6] 6 Outbound [5]
*Jun 6 22:40:21.669: RADIUS: Class [25] 36
*Jun 6 22:40:21.669: RADIUS: 43 41 43 53 3A 30 2F 34 37 30 2F 39 36 30 31 30 [CACS:0/470/96010]
*Jun 6 22:40:21.669: RADIUS: 31 30 31 2F 53 53 4C 55 53 45 52 40 53 53 4C 56 [101/SSLUSER@SSLV]
*Jun 6 22:40:21.669: RADIUS: 50 4E [PN]
*Jun 6 22:40:21.673: RADIUS(00000000): Received from id 1645/27
*Jun 6 22:40:21.673: RADIUS(00000000): Unique id not in use
Rack1R1(config)#
*Jun 6 22:40:21.673: RADIUS/DECODE(00000000): There is no RADIUS DB Some Radius attributes may not be stored
*Jun 6 22:40:21.673: AAA/AUTHOR (0x0): Pick method list 'RAD'
Rack1R1(config)#
*Jun 6 22:40:23.673: WV-AAA: AAA Authentication Failed!
Rack1R1(config)#
*Jun 6 22:40:24.069: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: SSLVPN i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at 10.0.0.100:4359
Rack1R1(config)#
router Configuration
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Rack1R1
boot-start-marker
boot-end-marker
! card type command needed for slot/vwic-slot 0/1
logging message-counter syslog
enable password cisco
aaa new-model
aaa authentication login RAD group radius
aaa authorization network RAD group radius
aaa session-id common
dot11 syslog
ip source-route
ip cef
no ip domain lookup
ip domain name INE.com
ip host cisco.com 136.1.121.1
ip host www.cisco.com 136.1.121.1
ip host www.google.com 136.1.121.1
ip host www.ripe.net 136.1.121.1
no ipv6 cef
multilink bundle-name authenticated
crypto pki trustpoint TP-self-signed-3354934498
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3354934498
revocation-check none
rsakeypair TP-self-signed-3354934498
crypto pki certificate chain TP-self-signed-3354934498
certificate self-signed 01
quit
username admin privilege 15 password 0 admin
username SSLUSER@SSLVPN password 0 cisco
archive
log config
hidekeys
crypto ipsec client ezvpn EZVPN_CLIENT
connect auto
mode client
xauth userid mode interactive
ip tcp synwait-time 5
interface Loopback0
ip address 150.1.1.1 255.255.255.0
interface Loopback6
ip address 6.6.6.6 255.255.255.0
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
interface FastEthernet0/1
no ip address
duplex auto
speed auto
interface FastEthernet0/1.11
encapsulation dot1Q 12
ip address 136.1.11.1 255.255.255.0
interface FastEthernet0/1.121
encapsulation dot1Q 121
ip address 136.1.121.1 255.255.255.0
interface FastEthernet0/0/0
interface FastEthernet0/0/1
interface FastEthernet0/0/2
interface FastEthernet0/0/3
interface Virtual-Template1 type tunnel
no ip address
tunnel mode ipsec ipv4
interface Vlan1
no ip address
router rip
version 2
passive-interface FastEthernet0/1.11
network 136.1.0.0
network 150.1.0.0
no auto-summary
ip local pool SSLVPN 40.0.0.1 40.0.0.254
ip forward-protocol nd
ip route 10.0.0.0 255.255.255.0 136.1.121.12
ip http server
ip http secure-server
ip dns server
ip access-list extended SPLIT
permit ip 136.1.11.0 0.0.0.255 10.0.0.0 0.0.0.255
ip radius source-interface Loopback0
radius-server host 10.0.0.100 auth-port 1645 acct-port 1646 key CISCO
control-plane
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
line vty 0 4
password cisco
scheduler allocate 20000 1000
webvpn gateway SSLVPN
ip interface Loopback0 port 443
http-redirect port 80
ssl encryption rc4-md5
ssl trustpoint TP-self-signed-3354934498
logging enable
inservice
webvpn install svc flash:/webvpn/anyconnect-win-2.5.3055-k9.pkg sequence 1
webvpn context SSLVPN
title "**SSLVPN **"
ssl encryption rc4-md5
ssl authenticate verify all
aaa authentication list RAD
aaa authentication domain @SSLVPN
aaa authorization list RAD
gateway SSLVPN
inservice
end
Any idea?
Hi,
As I understand it, you need to know if you can assign a static IP to a user, and also whether there is any way of assigning an IP other than a local pool.
There are three ways of assigning an IP address to a VPN client: using a local pool, an AAA server, or DHCP.
You can use the following link for more information:-
Assigning static ip for user present locally on ASA:-
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a7afb2.shtml
For user present on Active Directory:-
http://technet.microsoft.com/en-us/library/cc786213%28WS.10%29.aspx
The following is the link for assigning ip address using DHCP:-
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a66bc6.shtml
I hope it helps.
Thanks,
Shilpa -
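To see exactly what the two APs in the PEAP thread put on the wire, and to read the "Vendor, Cisco [26]" / "Cisco AVpair [1]" lines in the SSL VPN debug above, here is an added example (not code from either thread): a small RFC 2865 encoder/decoder in Python that builds the two Access-Requests the sniffer comparison describes (NAS-Port-Type 5 versus 19) and an Access-Accept carrying webvpn av-pairs, then extracts the fields a RADIUS policy matches on. The packet contents, usernames, NAS address and the all-zero authenticator are constructed.

```python
import struct
import ipaddress

# RFC 2865 packet codes and attribute types used here.
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, FRAMED_IP_ADDRESS = 1, 4, 5, 8
VENDOR_SPECIFIC, NAS_PORT_TYPE = 26, 61
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1   # Cisco enterprise number; "key=value" sub-attribute

# RFC 2865 NAS-Port-Type values; 5 and 19 are the two the sniffer comparison shows.
NAS_PORT_TYPE_NAMES = {0: "Async", 5: "Virtual", 15: "Ethernet", 19: "Wireless-IEEE 802.11"}

# Constructed authenticator. A real one is random in a request and an MD5 over the
# reply; this decoder only walks the attribute list and does not validate it.
AUTHENTICATOR = bytes(16)


def _attr(atype, value):
    """Type, length (value + 2), value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def cisco_avpair(text):
    """Vendor-Specific (26) carrying vendor-id 9 and one cisco-av-pair (1) string."""
    return _attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + _attr(CISCO_AVPAIR, text.encode()))

def build_packet(code, identifier, attrs):
    """code, id, total length, 16-byte authenticator, then the attribute list."""
    body = b"".join(attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + AUTHENTICATOR + body

def decode_packet(data):
    """Return (code, identifier, attrs); VSAs are expanded to ('VSA', vendor, sub_type, value)."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("length field %d does not match %d bytes on the wire" % (length, len(data)))
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length at offset %d" % pos)
        value = data[pos + 2:pos + alen]
        # Single sub-attribute VSA: vendor-id(4) sub-type(1) sub-len(1) sub-value
        if atype == VENDOR_SPECIFIC and len(value) >= 6 and value[5] == len(value) - 4:
            attrs.append(("VSA", struct.unpack("!I", value[:4])[0], value[4], value[6:]))
        else:
            attrs.append((atype, value))
        pos += alen
    return code, identifier, attrs

def is_well_formed(data):
    try:
        decode_packet(data)
        return True
    except ValueError:
        return False

def summarize(attrs):
    """The fields a RADIUS policy typically matches on, plus any Cisco av-pairs."""
    s = {"user": None, "nas_ip": None, "nas_port": None, "nas_port_type": None,
         "framed_ip": None, "avpairs": []}
    for a in attrs:
        if a[0] == "VSA":
            if a[1] == CISCO_VENDOR_ID and a[2] == CISCO_AVPAIR:
                s["avpairs"].append(a[3].decode())
        elif a[0] == USER_NAME:
            s["user"] = a[1].decode()
        elif a[0] in (NAS_IP_ADDRESS, FRAMED_IP_ADDRESS):
            key = "nas_ip" if a[0] == NAS_IP_ADDRESS else "framed_ip"
            s[key] = str(ipaddress.IPv4Address(a[1]))
        elif a[0] in (NAS_PORT, NAS_PORT_TYPE):
            key = "nas_port" if a[0] == NAS_PORT else "nas_port_type"
            s[key] = struct.unpack("!I", a[1])[0]
    s["nas_port_type_name"] = NAS_PORT_TYPE_NAMES.get(s["nas_port_type"], "unknown")
    return s


# Constructed packets reproducing the values in the post: the IOS AP sends NAS-Port-Type 5
# with NAS-Port 414, the Symbol (VxWorks) AP sends 19 with NAS-Port 29. Usernames are made up.
IOS_AP_REQUEST = build_packet(ACCESS_REQUEST, 27, [
    _attr(USER_NAME, b"wlan-user"), _attr(NAS_IP_ADDRESS, ipaddress.IPv4Address("192.0.2.10").packed),
    _attr(NAS_PORT, struct.pack("!I", 414)), _attr(NAS_PORT_TYPE, struct.pack("!I", 5))])
SYMBOL_AP_REQUEST = build_packet(ACCESS_REQUEST, 28, [
    _attr(USER_NAME, b"wlan-user"), _attr(NAS_PORT, struct.pack("!I", 29)),
    _attr(NAS_PORT_TYPE, struct.pack("!I", 19))])
# Modelled on the Access-Accept in the SSL VPN debug: Framed-IP-Address plus webvpn av-pairs.
ACS_ACCEPT = build_packet(ACCESS_ACCEPT, 27, [
    _attr(FRAMED_IP_ADDRESS, ipaddress.IPv4Address("255.255.255.255").packed),
    cisco_avpair("webvpn:svc-enabled=1"), cisco_avpair("webvpn:addr-pool=SSLVPN")])
```

The encoded av-pair lengths (28 and 31 bytes for the two VSAs) match the "[26] 28" and "[26] 31" shown in the debug, which is a quick way to confirm a capture is being read at the right offset.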
Is there a minimum IOS version for windows radius 2012R2
Hello,
We use a windows server 2008R2 and NPS for radius authentication of our 887,881 and 891 routers, ASA V8.4, and 3750 switches.
We are thinking about migrating our RADIUS to Windows 2012R2, which has a new version of NPS.
Do you know if there is a minimum IOS version required for NPS on Windows 2012R2?
Thanks
Hi,
Yes, NPS will work with Windows Server 2012R2; for the minimum server certificate requirement check the link below.
http://msdn.microsoft.com/en-us/library/cc731363.aspx -
Hi Guys,
can anyone confirm or point out errors in this config that I wish to pop on our 6509. We don't have a test environment, so I need to get as much feedback as I can on this.
Thanks in advance,
James
no natpool WSB_RADIUS 10.176.57.115 10.176.57.115 netmask 255.255.255.128
no serverfarm WSB_RADIUS
no serverfarm WSB_RADIUS_NAT
no policy WSB_RADIUS_NAT
no vserver WSB_RADIUS
no probe WSB_RADIUS_AUTH udp
ip slb serverfarm WSB_RADIUS
nat server
real 10.176.57.38
faildetect numconns 8 numclients 1
inservice
real 10.176.57.39
faildetect numconns 8 numclients 1
inservice
real 10.176.57.40
faildetect numconns 8 numclients 1
inservice
real 10.176.57.41
faildetect numconns 8 numclients 1
inservice
ip slb vserver WSB_RADIUS
virtual 10.176.57.115 udp 1813 service radius
serverfarm WSB_RADIUS
idle radius request 2
inservice standby WSB
interface Vlan130
standby 130 name WSB
IOS SLB provides RADIUS load-balancing capabilities for RADIUS servers. In addition, IOS SLB can load-balance devices that proxy the RADIUS authorization and accounting flows in both traditional and mobile wireless networks, if desired. IOS SLB does this by correlating data flows to the same proxy that processed the RADIUS for that subscriber flow.
http://www.cisco.com/en/US/products/sw/iosswrel/ps1833/products_feature_guide09186a00802081ce.html#wp2889077 -
AS5350 Radius with IOS 12.2(11)T - changing source port
Hi,
My problem is that in versions prior to 12.2(11)T, when the gateway issued a RADIUS authentication request, the packet had source port 1645, but in the newer IOS releases (including 12.3) the port varies (it starts by sending auth requests with source port 21645 but after a while it sends requests with source port 21646). I would like to know if anyone at Cisco or whoever reads this can tell me how to make my 5350 send packets to the RADIUS server with source port 1645 (or any source port, as long as it does not vary).
Please don't ask me why I need this, I just do !
Thanks
It is set that way... the problem is that I need the packet leaving the gateway with source port 1645. Anyway, I have the answer now, thanks... and for anyone interested:
http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCea72719&Submit=Search -
Hello,
I have a Cisco 881 router with an AnyConnect VPN. The web interface works,
but when I enter a username I get a login failure.
Looking at the event viewer of the NPS I can see that it is using the wrong network and connection policy;
it needs to use the VPN policy.
configuration router Radius:
aaa group server radius VPN
server 172.16.200.10 auth-port 1645 acct-port 1646
configuration router AnyConnect:
webvpn gateway ANYCONNECT
ip interface FastEthernet4 port 8080
ssl trustpoint TP-self-signed-4264276022
inservice
webvpn install svc flash:/webvpn/sslclient-win-1.1.4.176.pkg sequence 1
webvpn context ANYCONNECT-CONTEXT
title "welcome to office"
ssl authenticate verify all
policy group ANYCONNECT-POLICY
functions svc-required
svc address-pool "Pool"
svc keep-client-installed
svc dns-server primary 8.8.8.8
default-group-policy ANYCONNECT-POLICY
aaa authentication list VPN
gateway ANYCONNECT
inservice
WHAT IS GOING WRONG?
Looks like settings on your server.
Have a look at:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml#configldap
Step 2. -
I am trying to use DNS for a RADIUS server. It allows me to use the name, but then resolves the IP and puts the IP in the table. Is there a way to have the DNS name in the table so that if the IP changes it can be resolved without having to go back into the AP?
Generally a DNS table entry contains both the name and the IP address, so that names are resolved. But there is a concept called Dynamic DNS where names are stored and IP addresses are updated dynamically.
-
While configuring a 3560G for aaa\radius my router froze and had to be manually booted.
The aaa settings are OK; I didn't get any problems with this part,
but when I started typing the radius commands... oh boy!
This is the first line: ip radius source-interface Vlan200
Then this is the second command which broke it all:
radius-server host 192.168.200.x auth-port 1645 acct-port 1646 key 7 password
Any idea what and why this command would break, and how can I configure my RADIUS without breaking the switch?
This example shows how to enable AAA, use RADIUS authentication and enable device tracking:
Switch# configure terminal
Switch(config)# aaa new-model
Switch(config)# aaa authentication login default group radius
Switch(config)# aaa authorization auth-proxy default group radius
Switch(config)# radius-server host key key1
Switch(config)# radius-server attribute 8 include-in-access-req
Switch(config)# radius-server vsa send authentication
Switch(config)# ip device tracking
Switch(config)# end