ISE RADIUS Authentication Details

I have installed ISE on vSphere 5 working fine but when I look for the detail Authentication logs, I dont see any details, page is blank, snapshot is attached.

Yep. Running the report page in compatibility mode in IE9 resolved the problem even though it had been working without an issue. I didn't think about the brower/flash since the rest of the ISE management pages rendered without an issue. I also tried uninstalling and reinstalling flash activex control just in case there was a corrupt flash component and that did not resolve the issue in IE, only the compatibility mode change resolved it. I did also try it in firefox and the page displayed without issue.
Thanks for the pointer in the right direction.

Similar Messages

WLC, ISE certificate authentication issue

Hi Folks,
This is the setup:
Redundant pair of WLC 5508 (version 7.5.102.0)
Redundant Pair of ISE (Version 1.2.0.899)
     The ISE servers are connected to the corporate Active Directory (the AD servers are configured as external identity sources)
     There is a rule based authentication profile which queries the AD identity source when it receives wireless 802.1x authentication requests.
A corporate WLAN is configured on the WLC:
L2 security WPA+WPA2 (AES Encryption), ISE server 1 and 2 configured as the AAA Authentication servers.
This is all working correctly - I associate to the Corp WLAN (Authentication WPA2 enterprise, encryption AES CCMP, 802.1x auth MS-CHAPv2 using AD credentials) ... I can see the authentication request being processed correctly by the ISE, and I get access to the network.
The client I am working for wants to restrict access to the WLAN to users who have been allocated a certificate from the corporate CA, and this is where I am having issues.
I took a test laptop, and requested a new certificate (mmc, add snapin, certificates, current user, personal, request new cert).
The cert that was issued was signed only by a Corporate AD server with CA services (there is nothing in the certification path above the cert I was issued, apart from the issuing server itself).   I changed the security settings of my connection to the corp wlan (using TLS instead of mschapv2, and pointing to the certificate I requested)
Initally authentication failed because the ISE did not trust the CA that provided my certificate (the ISE radius authentication troubleshooting tool had this entry: '12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain').
I exported the issuing CA's root certificate (followed this process http://support.microsoft.com/kb/555252), and imported the cert into ISE (administration, system, certificates, certificate store, import) - status of the cert is enabled, and it is trusted for client auth.
After I did this, I could no longer associate to the Corp WLAN.
My laptop's wireless management software logs were filled with messages saying that the authentication server did not respond.
The ISE troubleshooting tool reported no new failed or successful authentication attempts.
Strangely though, the WLC log had a lot of entries like this: 'AAA Authentication Failure for UserName:host/laptop_asset_tag.corp.com User Type: WLAN USER'.
It looks like the WLC is trying to locally authenticate my session when I use TLS, rather than hand off the authentication request to the ISE.    Other users who authenticate using their AD credentials only (as I described above) can still authenticate ok.
Anyone able to shed some light on where I have gone wrong or what additional troubleshooting I can do?
Thanks in advance,
Darragh

Hi,
I had the same issue with microsoft CA and running ISE 1.1.4. The CA file was "corrupted", but you didn't see it at first glance. You can verify if the client CA matches the root CA via openssl.
Try to export the root CA and the issuing CA in a different format (Base64), import both root and issuing into ise and check if that works. Also check if "Trust for client authentication or Secure Syslog services" in the Certificate Store -> CA -> Edit, is set.
If this does not work, try to import the CA into another system and export it, then import into ISE.
Regards,

Radius authentication with ISE - wrong IP address

Hello,
We are using ISE for radius authentication. I have setup a new Cisco switch stack at one of our locations and setup the network device in ISE. Unfortunately, when trying to authenticate, the ISE logs show a failure of "Could not locate Network Device or AAA Client" The reason for this failure is the log shows it's coming from the wrong IP address. The IP address of the switch is 10.xxx.aaa.241, but the logs show it is 10.xxx.aaa.243. I have removed and re-added the radius configs on both ISE and the switch, but it still comes in as .243. There is another switch stack at that location (same model, IOS etc), that works properly.
The radius config on the switch:
aaa new-model
aaa authentication login default local
aaa authentication login Comm group radius local
aaa authentication enable default enable
aaa authorization exec default group radius if-authenticated
ip radius source-interface Vlanyy
radius server 10.xxx.yyy.zzz
address ipv4 10.xxx.yyy.zzz auth-port 1812 acct-port 1813
key 7 abcdefg
The log from ISE:
Overview
Event 5405 RADIUS Request dropped
Username
Endpoint Id
Endpoint Profile
Authorization Profile
Authentication Details
Source Timestamp 2014-07-30 08:48:51.923
Received Timestamp 2014-07-30 08:48:51.923
Policy Server ise
Event 5405 RADIUS Request dropped
Failure Reason 11007 Could not locate Network Device or AAA Client
Resolution Verify whether the Network Device or AAA client is configured in: Administration > Network Resources > Network Devices
Root cause Could not find the network device or the AAA Client while accessing NAS by IP during authentication.
Username
User Type
Endpoint Id
Endpoint Profile
IP Address
Identity Store
Identity Group
Audit Session Id
Authentication Method
Authentication Protocol
Service Type
Network Device
Device Type
Location
NAS IP Address 10.xxx.aaa.243
NAS Port Id tty2
NAS Port Type Virtual
Authorization Profile
Posture Status
Security Group
Response Time
Other Attributes
ConfigVersionId 107
Device Port 1645
DestinationPort 1812
Protocol Radius
NAS-Port 2
AcsSessionID ise1/186896437/1172639
Device IP Address 10.xxx.aaa.243
CiscoAVPair
   Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11007 Could not locate Network Device or AAA Client
5405
As a test, I setup a device using the .243 address. While ISE claims it authenticates, it really doesn't. I have to use my local account to access the device.
Any advice on how to resolve this issue would be appreciated. Please let me know if more information is needed.

Well from the debug I would say there may be an issue with the addressing of the radius server on the switch.
radius-server host 10.xxx.xxx.xxx key******** <--- Make sure this address and Key matches what you have in ISE PSN and that switch. Watch for spaces in your key at the begining or end of the string.
What interface should your switch be sending the radius request?
ip radius source-interface VlanXXX vrf default
Here is what my debug looks like when it is working correctly.
Aug 4 15:58:47 EST: RADIUS/ENCODE(00000265): ask "Password: "
Aug 4 15:58:47 EST: RADIUS/ENCODE(00000265):Orig. component type = EXEC
Aug 4 15:58:47 EST: RADIUS(00000265): Config NAS IP: 10.xxx.xxx.251
Aug 4 15:58:47 EST: RADIUS/ENCODE(00000265): acct_session_id: 613
Aug 4 15:58:47 EST: RADIUS(00000265): sending
Aug 4 15:58:47 EST: RADIUS(00000265): Send Access-Request to 10.xxx.xxx.35:1645 id 1645/110, len 104
Aug 4 15:58:47 EST: RADIUS: authenticator 97 FB CF 13 2E 6F 62 5D - 5B 10 1B BD BA EB C9 E3
Aug 4 15:58:47 EST: RADIUS: User-Name           [1]   9   "admin"
Aug 4 15:58:47 EST: RADIUS: Reply-Message       [18] 12
Aug 4 15:58:47 EST: RADIUS:   50 61 73 73 77 6F 72 64 3A 20        [ Password: ]
Aug 4 15:58:47 EST: RADIUS: User-Password       [2]   18 *
Aug 4 15:58:47 EST: RADIUS: NAS-Port            [5]   6   3
Aug 4 15:58:47 EST: RADIUS: NAS-Port-Id         [87] 6   "tty3"
Aug 4 15:58:47 EST: RADIUS: NAS-Port-Type       [61] 6   Virtual                   [5]
Aug 4 15:58:47 EST: RADIUS: Calling-Station-Id [31] 15 "10.xxx.xxx.100"
Aug 4 15:58:47 EST: RADIUS: Service-Type        [6]   6   Login                     [1]
Aug 4 15:58:47 EST: RADIUS: NAS-IP-Address      [4]   6   10.xxx.xxx.251
Aug 4 15:58:47 EST: RADIUS(00000265): Started 5 sec timeout
Aug 4 15:58:47 EST: RADIUS: Received from id 1645/110 10.xxx.xxx.35:1645, Access-Accept, len 127
Aug 4 15:58:47 EST: RADIUS: authenticator 1B 98 AB 4F B1 F4 81 41 - 3D E1 E9 DB 33 52 54 C1
Aug 4 15:58:47 EST: RADIUS: User-Name           [1]   9   "admin"
Aug 4 15:58:47 EST: RADIUS: State               [24] 40
Aug 4 15:58:47 EST: RADIUS:   52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 61 [ReauthSession:0a]
Aug 4 15:58:47 EST: RADIUS:   30 63 66 65 32 33 30 30 30 31 46 37 30 37 35 33 [0cfe230001F70753]
Aug 4 15:58:47 EST: RADIUS:   44 46 45 35 46 37            [ DFE5F7]
Aug 4 15:58:47 EST: RADIUS: Class               [25] 58
Aug 4 15:58:47 EST: RADIUS:   43 41 43 53 3A 30 61 30 63 66 65 32 33 30 30 30 [CACS:0a0cfe23000]
Aug 4 15:58:47 EST: RADIUS:   31 46 37 30 37 35 33 44 46 45 35 46 37 3A 50 52 [1F70753DFE5F7:PR]
Aug 4 15:58:47 EST: RADIUS:   59 49 53 45 30 30 32 2F 31 39 33 37 39 34 36 39 [YISE002/19379469]
Aug 4 15:58:47 EST: RADIUS:   38 2F 32 30 36 33 31 36          [ 8/206316]
Aug 4 15:58:47 EST: RADIUS(00000265): Received from id 1645/110
---------------------------------------------------------------------------------------------------------------This is after I added the incorrect Radius server address.
Aug 4 16:05:19 EST: RADIUS/ENCODE(00000268): ask "Password: "
Aug 4 16:05:19 EST: RADIUS/ENCODE(00000268):Orig. component type = EXEC
Aug 4 16:05:19 EST: RADIUS(00000268): Config NAS IP: 10.xxx.xxx.251
Aug 4 16:05:19 EST: RADIUS/ENCODE(00000268): acct_session_id: 616
Aug 4 16:05:19 EST: RADIUS(00000268): sending
Aug 4 16:05:19 EST: RADIUS(00000268): Send Access-Request to 10.xxx.xxx.55:1645 id 1645/112, len 104
Aug 4 16:05:19 EST: RADIUS: authenticator FC 94 BA 5D 75 1F 84 08 - E0 56 05 3A 7F BC FB BB
Aug 4 16:05:19 EST: RADIUS: User-Name           [1]   9   "admin"
Aug 4 16:05:19 EST: RADIUS: Reply-Message       [18] 12
Aug 4 16:05:19 EST: RADIUS:   50 61 73 73 77 6F 72 64 3A 20        [ Password: ]
Aug 4 16:05:19 EST: RADIUS: User-Password       [2]   18 *
Aug 4 16:05:19 EST: RADIUS: NAS-Port            [5]   6   7
Aug 4 16:05:19 EST: RADIUS: NAS-Port-Id         [87] 6   "tty7"
Aug 4 16:05:19 EST: RADIUS: NAS-Port-Type       [61] 6   Virtual                   [5]
Aug 4 16:05:19 EST: RADIUS: Calling-Station-Id [31] 15 "10.xxx.xxx.100"
Aug 4 16:05:19 EST: RADIUS: Service-Type        [6]   6   Login                     [1]
Aug 4 16:05:19 EST: RADIUS: NAS-IP-Address      [4]   6   10.xxx.xxx.251
Aug 4 16:05:19 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:23 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:23 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:23 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:29 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:29 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:29 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:33 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:33 EST: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.xxx.xxx.55:1645,1646 is not responding.
Aug 4 16:05:33 EST: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.xxx.xxx.55:1645,1646 is being marked alive.
Aug 4 16:05:33 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:33 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:38 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:38 EST: RADIUS: Fail-over to (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:38 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:43 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:43 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:43 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:48 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:48 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:48 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:53 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:53 EST: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.xxx.xxx.55:1645,1646 is not responding.
Aug 4 16:05:53 EST: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.xxx.xxx.55:1645,1646 is being marked alive.
Aug 4 16:05:53 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:53 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:57 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:57 EST: RADIUS: No response from (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:57 EST: RADIUS/DECODE: parse response no app start; FAIL
Aug 4 16:05:57 EST: RADIUS/DECODE: parse response; FAIL
This is a default template I use for all my devices routers or switches hope it helps. I have two PSN's that is why we have two radius-server host commands..
aaa authentication login vty group radius local enable
aaa authentication login con group radius local enable
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting system default start-stop group radius
ip radius source-interface VlanXXX vrf default
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646 key *********
radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646 key *********
radius-server vsa send accounting
radius-server vsa send authentication
You can use this in the switch to test radius
test aaa group radius server 10.xxx.xxx.xxx <username> <password>

Cisco ISE IPEP and Non Radius Authenticator

Is it possible for a Juniper FW or Aruba Wireless or anything else that does native AD authentication can use an IPEP for policy enforcement without converting the authenticator (juniper / aruba etc…) to a Radius request to a PDP for the IPEP to build the session from?
Does the IPEP simply "sniff" the packets and build a session from that or does it require RADIUS authentication to pass through for the IPEP to function?
I believe RADIUS is required but the client said he was told it is not and the authenticator can pass the traffic through the IPEP even if it authenticates clients by Native AD.
Anyone have any exmaples or traffic flows if this is possible?
Thanks,
Michael Wynston

Got my answer and it is as I thought. The iPEP only works if it sees RADIUS requests to a PDP that then provides the iPEP with the policy to enforce.
Have a client migrating from CCA which will natively check AD inline based on seen authentication requests. They were told (not by me) ISE can do that too.
Guess not
Sent from Cisco Technical Support iPhone App

IP address in ISE live authentication after vlan change

Hi all,
on ISE live authentication dashboard we can see IP address of the client (known from FRAMED-IP-ADDRESS).
But what about vlan change and the situation when client gets new IP address after relocation to different vlan.
Live logs shows only the first IP address - client mapping (from the guest vlan), after authorization new vlan and dACL is assigned but logs don't include new IP address.
session ID is the same all the time.
so maybe ip helper or other trick?
regards

thx for reply.
I added "aaa accounting update newinfo" and I'll see tommorow how it works with anyconnect and 802.1x.
Meanwhile I think I must clarify what I meant
Not all logs have IP address present in live authentication (this is MAB for test only)
the situation with 802.1x and anyconnect is a bit better cause there are IP addresses but only from the first dhcp address assignment (authentication open with default ACL). Then if the policy changes vlan and the client gets new IP address from different scope we have wrong information in this log.
but getting back to our MAB...
details of this entry looks like:
so this is probably the reason that no IP address is visible it was too soon for MAB to get this info and send it as framed IP address (according to this config command "radius-server attribute 8 include-in-access-req")
nevertheless clicking the accounting details (from the 2nd screenshot)
we see that this information is present
so my first question is on which stage this column is fulfilled? only when "FRAMED-IP-ADDRESS" is send in radius-request? or from accounting?
maybe ISE should dynamically modify this record after each accounting newinfo message?
regards

ISE Radius - Access-accept is returned with no autorization policy

Hello,
With ISE Radius service / PAP, the authentication passes OK, but the Network Element which send the autorization request, returns message "not enough user priviledges to execute command" and the HTTP page is blank.
The reason for that is, the Network Element is sending in the Access-Request with Service-Type value = 8, which means Authenticate-Only (and this can be seen at ISE . This causes the Radius server to authenticate, but not to send the authorization parameters back to the NE in the Access-Accept, causing the login to fail. A bit inside of the RFC:
5.6. Service-Type
    Description
       This Attribute indicates the type of service the user has
      requested, or the type of service to be provided. It MAY be used
      in both Access-Request and Access-Accept packets. A NAS is not
      required to implement all of these service types, and MUST treat
      unknown or unsupported Service-Types as though an Access-Reject
      had been received instead.
   Type
       6 for Service-Type.
      The Value field is four octets.
       1      Login
       2      Framed
       3      Callback Login
       4      Callback Framed
       5      Outbound
       6      Administrative
       7      NAS Prompt
       8      Authenticate Only
       9      Callback NAS Prompt
      10      Call Check
      11      Callback Administrative
There is no way to modify the value on the network element in the Access-Request packet.
Question: Is there a way to for the Cisco ISE to ignore the service type value (Authenticate Only), and return the autorization parametes back with the Access-Accept packet?
Thanks,
Lucho

Lucho,
I Checked the rfc and the answer is no, rfc states that no authorzation information needs to returned for this request.
http://www.ietf.org/rfc/rfc2865.txt
Thanks,
Tarik

WPA2-Enterprise Radius Authentication Windows Server 2008 R2

Hello,
I have tried a few online tutorials for providing secure wireless access. I currently have a server running Server 2008 R2 that has RRAS, NAP, and AD CS installed on it. My goal is to create a wireless SSID that utilizes WPA2-Entperise for users
to connect. Their AD credentials would need to belong to my "Wireless Users" group. I have seen tutorials that involved certificates, and some tutorials that simply added the RADIUS clients along with the network/connection policies,
and then added the settings to the router. When I've tried both ways, the wireless network never connects to the network. If I un-check the "Use Windows login credentials" a username/password field pops up. I enter the credentials
(tried both username and domain\username) of an account that is part of "Wireless Users". When I hit OK it sits for a few moments, and then pops back up again. When I do check "Use Windows login credentials" it says it can't
connect.
I have tried different firmware on the router, and I know the router is not the issue. This server is joined to my domain controller. It feels like the NAP server is not reaching the domain to authenticate credentials. Am I doing anything
wrong that I should be made aware of? In NAP if I right click the server, the "register in active directory" is greyed out, which I assume is because it's already joined to the domain.
I appreciate any help you can provide.
-Ken

I've searched in "Event Viewer" on the NPS server, and came across an interesting error. I have Google'd the error, and there are only a select few articles about it. If I try to connect, often times I will get two information events:
Event ID 4400 "A LDAP connection with domain controller DC-VPN-IIS-01.dc.cooper.org for domain COOPER is established."
And now...the issue
Event ID 6273
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: COOPER\LAPTOP3-W7$
Account Name: host/laptop3-w7.dc.cooper.org
Account Domain: COOPER
Fully Qualified Account Name: COOPER\LAPTOP3-W7$
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: c0c1c074bfb6
Calling Station Identifier: 00216a902b70
NAS:
NAS IPv4 Address: 172.16.4.2
NAS IPv6 Address: -
NAS Identifier: c0c1c074bfb6
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 11
RADIUS Client:
Client Friendly Name: CiscoAP
Client IP Address: 172.16.4.2
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: Connections to other access servers
Authentication Provider: Windows
Authentication Server: dc-vpn-iis-01.dc.cooper.org
Authentication Type: EAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 65
Reason: The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.
Clearly, when I try to connect, it's completely bypassing the network policy I created, but going to the "Connections to other access servers", which by default denys access. I've tried everything....removed and re-added the security policy...added
2 network policies for wireless. Does anyone know why the network policy I create for wireless is not being recognized?

RADIUS Authentication Problems with NPS Server Eventid 6274

Hi,
We have struggled for a while with RADIUS auth for some clients against an NPS Server when the user or computer tries to connect to the wireless network the following error can be seen on the NPS server:
Network Policy Server discarded the request for a user
Contact the Network Policy Server administrator for more information.
User:
   Security ID:           NULL SID
   Account Name:           host/hostname.domainname.com
   Account Domain:           -
   Fully Qualified Account Name:   -
Client Machine:
   Security ID:           NULL SID
   Account Name:           -
   Fully Qualified Account Name:   -
   OS-Version:           -
   Called Station Identifier:       40-20-B1-F4-BB-15:Wireless-SSID
   Calling Station Identifier:       C1-18-85-08-10-E1
NAS:
   NAS IPv4 Address:       192.168.10.10
   NAS IPv6 Address:       -
   NAS Identifier:            AP name
   NAS Port-Type:           Wireless - IEEE 802.11
   NAS Port:           0
RADIUS Client:
   Client Friendly Name:        name
   Client IP Address:            192.168.10.10
Authentication Details:
   Connection Request Policy Name:   Secure Wireless Connections
   Network Policy Name:       -
   Authentication Provider:       Windows
   Authentication Server:        NPS servername
   Authentication Type:       -
   EAP Type:           -
   Account Session Identifier:       -
   Reason Code:           3
   Reason:               The RADIUS Request message that Network Policy Server received from the network access server was malformed.
Network Policy Server discarded the request for a user.
Contact the Network Policy Server administrator for more information.
User:
   Security ID:           NULL SID
   Account Name:            domainname\username
   Account Domain:           -
   Fully Qualified Account Name:   -
Client Machine:
   Security ID:           NULL SID
   Account Name:           -
   Fully Qualified Account Name:   -
   OS-Version:           -
   Called Station Identifier:        20-18-B1-F4-BB-15:Wireless-SSID
   Calling Station Identifier:       09-3E-8E-3E-5A-C9
NAS:
   NAS IPv4 Address:        192.168.10.10
   NAS IPv6 Address:       -
   NAS Identifier:            AP name
   NAS Port-Type:           Wireless - IEEE 802.11
   NAS Port:           0
RADIUS Client:
   Client Friendly Name:        name
   Client IP Address:            192.168.10.10
Authentication Details:
   Connection Request Policy Name:   Secure Wireless Connections
   Network Policy Name:       -
   Authentication Provider:       Windows
   Authentication Server:        NPS server name
   Authentication Type:       -
   EAP Type:           -
   Account Session Identifier:       -
   Reason Code:           3
   Reason:               The RADIUS Request message that Network Policy Server received from the network access server was malformed.
Message seen from the AP's logs:
(317)IEEE802.1X auth is starting (at if=wifi0.2)
(318)Send message to RADIUS Server(192.168.60.166): code=1 (Access-Request) identifier=157 length=162, User-Name=domain\username NAS-IP-Address=192.168.10.10 Called-Station-Id=40-18-B1-F4-BB-15:Wireless-SSID Calling-Station-Id=C0-18-85-08-10-E1
(319)Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=157 length=90
(320)Send message to RADIUS Server(192.168.60.166): code=1 (Access-Request) identifier=158 length=286, User-Name=domain\username NAS-IP-Address=192.168.10.10 Called-Station-Id=40-18-B1-F4-BB-15:Wireless-SSID Calling-Station-Id=C0-18-85-08-10-E1
(321)Send message to RADIUS Server(192.168.60.166): code=1 (Access-Request) identifier=161 length=162, User-Name=domain\username NAS-IP-Address=192.168.10.10 Called-Station-Id=40-18-B1-F4-BB-15:Wireless-SSID Calling-Station-Id=C0-18-85-08-10-E1
(322)Receive message from RADIUSServer: code=11 (Access-Challenge) identifier=161 length=90 BASIC
Output omitted
(330)Sta(at if=wifi0.2) is de-authenticated because of notification of driver
We have other NPS Servers with corresponding policy settings which are working so I am having trouble to understand why this errors occurs.
Initally the problem seemed to be related to the Cert on the NPS server cause it used the cert generated from the Somputer template. Now it uses the template for Domain controller just as the other NPS servers so this should not be the issue(Not sure if
this matters?)
Please guide me on how to take this further
Thank you :)
//Cris

Hi,
NPS Event ID: 6274.
This condition occurs when the NPS discards accounting requests because the structure of the accounting request message that was sent by a RADIUS client does not comply with the RADIUS protocol. You should reconfigure, upgrade, or replace the RADIUS client.
Detailed information reference：
Event ID 6274 — NPS Accounting Request Message Processing
https://technet.microsoft.com/en-us/library/cc735339(v=WS.10).aspx
Best Regards,
Eve Wang
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

RADIUS Authentication for Guest users

Hi,
I currently use a 4402 WLC located in our DMZ to authenticate Guest users - local authentication is in place. I would not like to setup RADIUS authentication via a Cisco NAC server. In order not to affect current guest users, I created a new WLAN and configured with RADIUS server details under WLANs->Edit->Security. I can associate to new WLAN and obtain a DHCP address no problem, but when I browse to an external website, I do not get prompted for authentication from the RADIUS server. I don't see any auth requests hitting our firewal, so am assuming the problem is with the WLC config.
Can anyone provide any details of what config is required?
Security Policy - Web-Auth
Security-> L2 - None
Security-> L3 - Authentication
Security-> AAA Servers - Auth and Acc server set
Many thanks
Liam

your setup sounds pretty okay. have you got local user accounts set up on the WLC for the test WLAN? if you do, check to see that the priority order for web authentication for the test WLAN prefers the AAA account. you will have to do it directly on your controller as i do not think you have that option in WCS.
hope that helps

Cisco ISE - radius proxy

Hi,
Is the following possible:
- let the ISE do the authentication and then proxy to another radius server which does the authorization.
At the moment we have a freeradius server that does the following:
1) authenticates 802.1x requests (eap-tls)
2) during authorization the server checks an external database that determines the vlan that should be returned (in radius attribute) based on originating switch and/or mac address.
I am checking if I can migrate to ISE but then the above would have to work.
For MAB I can easily do authentication/authorization on freeradius so I will proxy MAB requests to there.
regards
Thomas

ISE acts as a RADIUS proxy server by proxying the requests from a network access device (NAD) to a RADIUS server. The RADIUS server processes the request and returns the result to Cisco ISE. Cisco ISE then sends the response to the NAD
FYI
you can use the RADIUS server sequences to proxy the requests to a RADIUS server.
The RADIUS server sequence strips the domain name from the RADIUS-Username attribute for RADIUS authentications. This domain stripping is not applicable for EAP authentications, which use the EAP-Identity attribute. The RADIUS proxy server obtains the username from the RADIUS-Username attribute and strips it from the character that you specify when you configure the RADIUS server sequence. For EAP authentications, the RADIUS proxy server obtains the username from the EAP-Identity attribute. EAP authentications that use the RADIUS server sequence will succeed only if the EAP-Identity and RADIUS-Username values are the same.

802.1x not saving authentication details

Hey all,
We're having a small issue with this.
We have an 802.1x implimentation working successfully, devices can connect and have correct network access etc.
The issue we have is that from IOS 4.3 upwards, the authentication details aren't being saved for the wireless connection.
Users are able to connect to the SSID, accept the certificate and login with domain credentials - but when the phone autolocks and the network disconnects it drops the authentication details, so users have to reconnect to the SSID manually and input username / password again.
So I'm wondering if this is by design in 4.3 upwards?
IOS 4.2.1 saves the credentials and automatically reconnects when the device is unlocked (which is how i expected 4.3 to behave)?
Appreciate any information anybody has on this.

Your RADIUS server needs to send the VSA Cisco-AV-Pair "device-traffic-class=voice" so that the switch puts the switch port into the voice domain to activate the Voice VLAN from the phones. Having your phones fall to the data domain is a classic problem of the missing VSA. Additionally, you want to have the switch port fail open for voice devices to "save the phones" in a server-dead scenario as well as provide users with an option to get to the critical VLAN:
authentication event server dead action authorize vlan 205
authentication event server dead action authorize voice
If a RADIUS server fails to respond, the switch will authorize the static voice VLAN.
Don't do "authentication periodic" for with IP phones. This can cause disruptions in an existing phone conversation as during authentication, the phone will lose network access until authentication succeeds (or a server dead event).
You will also want to provide a way to get users out of the auth-fail VLAN, guest VLAN, or critical VLAN (for you and I these are the same usually, your VLAN 205) if your dead server returns, and have the switch rerun dot1x:
authentication even server alive action reinit
Good luck!

RADIUS Authentication Error Across the Subnet

Hi Guyz
I have configured Microsoft Server 2012 R2 as a RADIUS for Cisco IOS Devices
Server IP Address : 10.95.6.12
Router IP Address Fa 0/0.192 ---->>> 192.193.194.195
Router IP Address Fa 0/0.6 --->>> 10.95.6.1
Switch IP Address VLAN 192    ---->>> 192.193.194.2010.95.6.11
Switch IP Address VLAN 6 ---->>> 10.95.6.11
When i access the Cisco Devices RADIUS CLIENT with 10.95.6.x Subnet, It works fine
When i access the Cisco Devices through RADIUS CLIENT 192.193.194.x Subnet, It does not pass through the RADIUS Authentication.
Attached in the Picture i can not access the 192.193.194.20 Device but I can access 10.95.6.1 Device. As soon as I change the IP Address 10.95.6.11 I can access the Device.
Ping is successful across the Routers / Switches and Server as well. Below is unsuccessful debug details as well:
===
Home_Switch#
01:52:30: RADIUS/ENCODE(00000008): ask "Password: "
Home_Switch#
01:52:41: RADIUS/ENCODE(00000008):Orig. component type = EXEC
01:52:41: RADIUS: AAA Unsupported Attr: interface [171] 4
01:52:41: RADIUS: 74 74 [ tt]
01:52:41: RADIUS/ENCODE(00000008): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
01:52:41: RADIUS(00000008): Config NAS IP: 0.0.0.0
01:52:41: RADIUS/ENCODE(00000008): acct_session_id: 8
01:52:41: RADIUS(00000008): sending
01:52:41: RADIUS/ENCODE: Best Local IP-Address 10.95.6.11 for Radius-Server 10.95.6.12
01:52:41: RADIUS(00000008): Send Access-Request to 10.95.6.12:1812 id 1645/6, len 85
Home_Switch#
01:52:41: RADIUS: authenticator 95 FB 3F FE 79 BB AA D6 - C9 26 F4 EC 95 32 80 06
01:52:41: RADIUS: User-Name [1] 7 "cisco"
01:52:41: RADIUS: User-Password [2] 18 *
01:52:41: RADIUS: NAS-Port [5] 6 2
01:52:41: RADIUS: NAS-Port-Id [87] 6 "tty2"
01:52:41: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
01:52:41: RADIUS: Calling-Station-Id [31] 16 "192.193.194.50"
01:52:41: RADIUS: NAS-IP-Address [4] 6 10.95.6.11
01:52:41: RADIUS(00000008): Started 5 sec timeout
Home_Switch#
01:52:46: RADIUS(00000008): Request timed out
01:52:46: RADIUS: Retransmit to (10.95.6.12:1812,1813) for id 1645/6
01:52:46: RADIUS(00000008): Started 5 sec timeout
Home_Switch#
===
Any help will really appreciate.

Duplicate posts.
Go here: http://supportforums.cisco.com/discussion/12154866/radius-authentication-error-across-subnet

NAC guest server with RADIUS authentication for guests issue.

Hi all,
We have just finally successfully installed our Cisco NAC guest server. We have version 2 of the server and basically the topology consists of a wism at the core of the network and a 4402 controller at the dmz, then out the firewall, no issues with that. We do however have a few problems, how can we provide access through a proxy without using pak files obviously, and is there a way to specify different proxies for different guest traffic, based on IP or a radius attribute etc.
The second problem is more serious; refer to the documentation below from the configuration guide for guest nac server v2. It states that hotspots can be used and the Authentication option would allow radius authentication for guests, I’ve been told otherwise by Cisco and they say it can’t be done, has anyone got radius authentication working for guests.
https://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_hotspots.html
-----START QUOTE-----
Step 7 From the Operation mode dropdown menu, you can select one of the following methods of operation:
•Payment Provider—This option allows your page to integrate with a payment providing billing system. You need to select a predefined Payment Provider from the dropdown. (Refer to Configuring Payment Providers for details.) Select the relevant payment provider and proceed to Step 8.
•Self Service—This option allows guest self service. After selection proceed to Step 8.
•Authentication—This option allows RADIUS authentication for guests. Proceed to Step 9.
----- END QUOTE-----
Your help is much appreciated on this, I’ve been looking forward to this project for a long time and it’s a bit of an anti climax that I can’t authenticate guests with radius (We use ACS and I was hoping to hook radius into an ODBC database we have setup called open galaxy)
Regards
Kevin Woodhouse

Well I will try to answer your 2nd questions.... will it work... yes. It is like any other radius server (high end:)) But why would you do this for guest.... there is no reason to open up a port on your FW and to add guest accounts to and worse... add them in AD. Your guest anchor can supply a web-auth, is able to have a lobby admin account to create guest acounts and if you look at it, it leaves everything in the DMZ.
Now if you are looking at the self service.... what does that really give you.... you won't be able to controll who gets on, people will use bogus info and last but not least.... I have never gotten that to work right. Had the BU send me codes that never worked, but again... that was like a year ago and maybe they fixed that. That is my opinion.

Radius authentication for privileged access

Hello,
          I have configured Cisco 6513 for radius authentication with following commands.
aaa new-model
aaa authentication login authradius group radius line
aaa accounting exec acctradius start-stop group radius
radius-server host <radius-ip> auth-port 1812 acct-port 1646 key 6912911
line vty 0 4
accounting exec acctradius
login authentication authradius
     This is working pretty fine. I want to configure radius authentication for priviledged access / for enable access.
     I am using TeKRadius as Radius server.
     Please help.
Thanks and Regards,
Pratik

Hi Pratik
Sorry I mostly use only TACACS+ for AAA as it provides better granularity of access controls.
You'll need to make some specific changes to your RADIUS config so that nominated users ( the ones you want to be able to go to enable mode ) get put straight into enable mode upon login.
There's a guide here http://www.blindhog.net/cisco-aaa-login-authentication-with-radius-ms-ias/ which details the steps if you're using the Microsoft IAS radius server - you should be able to figure out that changes you need to make to your own server from there.
Nick
Message was edited by: NickNac79 - Spelt the OP's name wrong, sorry.

RADIUS authentication on IAS server

I have a 1200 AP configured for RADIUS authentication on Microsoft IAS server but I am experiencing a problem getting clients authenticated. (Association is working fine.)
The 1200 is connected to the IAS Server via an 837 router (no switch involved) and I am wondering if any RADIUS settings have to be configured on the 837 for AAA communication to pass through to the IAS server or will the requests pass through automatically?

ScottMac is correct, if you're using IAS you need to use PEAP which requires a security cert. Microsoft provide a very nice toolkit of scripts and documents to simplify the installation and configuration of IAS, Cert Services, etc, etc, you can get it from here:
http://www.microsoft.com/downloads/details.aspx?FamilyId=CDB639B3-010B-47E7-B234-A27CDA291DAD&displaylang=en

ISE RADIUS Authentication Details

Similar Messages

Maybe you are looking for