ISE: Reauthentication timer

Hi,
I am doing authentication of endpoint devices. The default reauthentication timer on switchports is 3600 seconds. Why is reauthentication needed? Isn't it enough that a device is authenticated only when it connects?
When the reauthentication timer is set to server (authentication timer reauthenticate server), I guess that the server is ISE. Where in ISE do I configure the timer?
Regards,
Philip

Philip,
I'll give you one of many use-cases of reauthentication: imagine that you authenticate with certificates.
If the certificate became invalid (expired/device stolen) you cannot kick a user off the network if it authenticated prior to you noticing.
So in essence, if the device was stolen but you have not noticed it before it was plugged in, without reauthentication it could potentially be allowed on the network for quite some time.
That being said, we recommend not using re-authentication for performance reasons, or setting the timer to at least 2 hours.
On ISE you can send auth timers from the authorization policy.

Similar Messages

  • ISE CWA Time Profiles

    Hi
    Trying to make ISE CWA with WLC2500 to work according to guest time profiles.
    - When suspending guest users in ISE they can still connect, and it seems that there is no communication between the WLC and ISE (I suspect that ISE will communicate to the WLC regarding this)
    - Then creating a guest user with "OnlyFirstLogin".... the user is still connected after shutdown/restart..
    I'm aware of the WLC timeout settings, but not sure if they are in play with CWA
    Anyone who knows about these time profiles in ISE with regard to the WLC?
    Thx
    Kasper

    Please review the below links which might be helpful:
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Smart_Business_Architecture/February2012/SBA_Ent_BN_BYOD-GuestWirelessAccessDeploymentGuide-February2012.pdf
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html
    http://www.cisco.com/en/US/docs/security/ise/1.0.4/user_guide/ise10_guest_pol.pdf

  • Cisco ISE - Reauthentication of client if server becomes alive again

    Dears,
    I have this case where Cisco ISE server is used to authenticate & authorize clients on the network.
    I configured the switch port to authorize the client in case the ISE server is dead (or not reachable).
    The thing is that I want to reauthenticate the client once the ISE server becomes alive again but I am not able to.. (the "Additional Information is needed to connect to this network" bullet is not appearing, and the client PC remains authenticated and assigned to the VLAN).
    Below is the switch port configuration:
    interface FastEthernet0/5
    switchport access vlan 240
    switchport mode access
    switchport voice vlan 156
    authentication event server dead action authorize vlan 240
    authentication event server alive action reinitialize
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication priority mab
    authentication port-control auto
    mab
    dot1x pae authenticator
    spanning-tree portfast
    Anyone can help?
    Regards,

    Please check whether the switch is dropping the connection or the server.
    Symptoms or Issue
     802.1X and MAB authentication and authorization are successful, but the switch is dropping active sessions and the epm session summary command does not display any active sessions.
    Conditions
     This applies to user sessions that have logged in successfully and are then being terminated by the switch.
    Possible Causes
    • The preauthentication ACL (and the subsequent DACL enforcement from Cisco ISE) on the NAD may not be configured correctly for that session.
    • The preauthentication ACL is configured and the DACL is downloaded from Cisco ISE, but the switch brings the session down.
    • Cisco ISE may be enforcing a preposture VLAN assignment rather than the (correct) postposture VLAN, which can also bring down the session.
    Resolution
    • Ensure the Cisco IOS release on the switch is equal to or more recent than Cisco IOS Release 12.2(53)SE.
    • Check whether or not the DACL name in Cisco ISE contains a blank space (possibly around or near a hyphen "-"). There should be no space in the DACL name. Then ensure that the DACL syntax is correct and that it contains no extra spaces.
    • Ensure that the following configuration exists on the switch to interpret the DACL properly (if not enabled, the switch may terminate the session):
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server vsa send accounting
    radius-server vsa send authentication

  • ISE Endpoint losing IP after transition to Low-Impact-Mode

    I've recently moved an ISE implementation into the low-impact authentication phase, and the client's security cameras are having a rough go of it. In monitor mode, they were able to stay connected as they should but in low-impact mode they are losing their IP addresses as evidenced in the auth session output below:
    SWITCH-1#sh auth sess int g4/0/6
                Interface:  GigabitEthernet4/0/6
              MAC Address:  0040.8cc7.4822
               IP Address:  10.92.6.3
                User-Name:  00-40-8C-C7-48-22
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-domain
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
                  ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-5165e13c
          Session timeout:  3600s (local), Remaining: 338s
           Timeout action:  Reauthenticate
             Idle timeout:  N/A
        Common Session ID:  0AFF320A000661C965742D42
          Acct Session ID:  0x00067E9F
                   Handle:  0x72000982
    Runnable methods list:
           Method   State
           dot1x    Failed over
           mab      Authc Success
    SWITCH-1#sh auth sess int g4/0/6
                Interface:  GigabitEthernet4/0/6
              MAC Address:  0040.8cc7.4822
               IP Address:  169.254.45.196
                User-Name:  00-40-8C-C7-48-22
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-domain
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
                  ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-5165e13c
          Session timeout:  3600s (local), Remaining: 338s
           Timeout action:  Reauthenticate
             Idle timeout:  N/A
        Common Session ID:  0AFF320A000661C965742D42
          Acct Session ID:  0x00067E9F
                   Handle:  0x72000982
    Runnable methods list:
           Method   State
           dot1x    Failed over
           mab      Authc Success
    This is happening approx. every 10 seconds which curiously is the timer value of my dot1x tx-period. As well, the host never has its reauthentication timer restarted but I can see the following in ISE approx. every 10-15 seconds:
    Why is it going through Dynamic Authorization? Why am I losing my legitimate IP address every 10 seconds and getting an APIPA address in its place? The port configuration is as follows:
    interface GigabitEthernet4/0/6
     description Security
     switchport access vlan 292
     switchport mode access
     ip access-group ACL-DEFAULT in
     power inline auto max 15400
     authentication event fail action next-method
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     storm-control broadcast level 2.00
     storm-control action shutdown
     spanning-tree portfast
     spanning-tree bpduguard enable
    end
    And my ACL-DEFAULT is...
    Extended IP access list ACL-DEFAULT
        10 permit udp any eq bootpc any eq bootps
        20 permit udp any any eq domain
        30 permit icmp any any
        40 permit udp any any eq tftp
        50 deny ip any any log
    Upon switch log review, I'd noticed that the ACL-DEFAULT is blocking the cameras from certain igmp and tcp/554 (RTSP) communications. To see if it would help, even though I shouldn't have to, I placed ACE's into my ACL-DEFAULT to permit this traffic and would still drop my IP address every 10 seconds. I shouldn't have to do this because the "xACSACLx-IP-PERMIT_ALL_TRAFFIC-5165e13c" is a simple "permit ip any any" ACL which should allow all of the traffic to flow.
    Ideas?
    Kind Regards,
    Kevin

    As well, the dACL is properly replacing the first "any" with the endpoint's IP:
    SWITCH-1#show ip access-lists interface g4/0/6
         permit ip host 169.254.45.196 any
    SWITCH-1#show ip access-lists interface g4/0/6
         permit ip host 10.92.6.3 any
    Kind Regards,
    Kevin
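    The two captures above show the same Common Session ID with the IP Address flipping from 10.92.6.3 to a 169.254.x.x link-local address while the local 3600 s reauthentication timer keeps running. The following Python is an added example, not code from the thread or from Cisco: it parses `show authentication sessions interface` output of the shape pasted above into a dictionary, diffs two captures to show what changed (and what did not), and flags a link-local address and a dot1x fail-over to MAB. The sample text is constructed from the thread's own two captures, reflowed one field per line; the field names and the 169.254.0.0/16 range are the only things it relies on.

```python
import ipaddress
import re

# Constructed from the two captures in the thread above, one field per line.
SAMPLE_BEFORE = """\
SWITCH-1#sh auth sess int g4/0/6
            Interface:  GigabitEthernet4/0/6
          MAC Address:  0040.8cc7.4822
           IP Address:  10.92.6.3
            User-Name:  00-40-8C-C7-48-22
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-5165e13c
      Session timeout:  3600s (local), Remaining: 338s
       Timeout action:  Reauthenticate
         Idle timeout:  N/A
    Common Session ID:  0AFF320A000661C965742D42
      Acct Session ID:  0x00067E9F
               Handle:  0x72000982
Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
"""
# Second capture from the thread: identical except the endpoint now holds an APIPA address.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("10.92.6.3", "169.254.45.196")

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /-]*?):\s+(.*?)\s*$")
TIMEOUT_RE = re.compile(r"(\d+)s\s*\((\w+)\)(?:,\s*Remaining:\s*(\d+)s)?")
METHOD_RE = re.compile(r"^\s*(dot1x|mab|webauth)\s+(.+?)\s*$")
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def parse_auth_session(text):
    """Turn one 'show authentication sessions interface' block into a dict.

    Field lines become key/value pairs; 'Session timeout' is split into the
    period, its source (local/server) and the remaining seconds; the runnable
    methods table is collected under 'methods'.
    """
    session = {"methods": {}}
    in_methods = False
    for line in text.splitlines():
        if line.strip().startswith("Runnable methods list"):
            in_methods = True
            continue
        if in_methods:
            m = METHOD_RE.match(line)
            if m:
                session["methods"][m.group(1)] = m.group(2)
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue  # prompt line or anything else without "Key:  value"
        key, value = m.group(1), m.group(2)
        if key == "Session timeout":
            t = TIMEOUT_RE.search(value)
            if t:
                session["session_timeout"] = int(t.group(1))
                session["timeout_source"] = t.group(2)
                session["remaining"] = int(t.group(3)) if t.group(3) else None
            continue
        session[key] = value
    return session


def audit_session(session):
    """Return human-readable findings a troubleshooter would want to see first."""
    findings = []
    ip = session.get("IP Address")
    if ip and ipaddress.ip_address(ip) in LINK_LOCAL:
        findings.append(f"link-local (APIPA) address {ip}: endpoint lost its DHCP lease")
    if session["methods"].get("dot1x", "").startswith("Failed"):
        findings.append("dot1x failed over; session is authorized by MAB only")
    if session.get("timeout_source") == "local" and session.get("Timeout action") == "Reauthenticate":
        findings.append(f"reauth every {session['session_timeout']}s from the local port timer, "
                        f"{session.get('remaining')}s remaining")
    return findings


def diff_sessions(old, new, keys=("IP Address", "Common Session ID", "Acct Session ID", "remaining")):
    """Fields that changed between two captures of the same port."""
    return {k: (old.get(k), new.get(k)) for k in keys if old.get(k) != new.get(k)}


if __name__ == "__main__":
    before, after = parse_auth_session(SAMPLE_BEFORE), parse_auth_session(SAMPLE_AFTER)
    print("changed:", diff_sessions(before, after))
    for finding in audit_session(after):
        print("-", finding)
```

    Running it on the thread's captures reports only the IP Address as changed: the Common Session ID, accounting ID and remaining reauth seconds are identical, which is the clue that the switch never tore the session down and the endpoint itself fell back to an APIPA address.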

  • ISE, Windows 7, Machine AuthZ

    I'm running into an issue that has me dead in the water on the completion of a roll out of ISE for Wireless.  The enterprise has two SSIDs, one internal, and one open, which is essentially an internet-only conduit.  No internal resources (other than DHCP and DNS) are available.  We moved this from a legacy SSID to using ISE several months ago. Very simple, no BYOD, no device registration, just Sponsor Portal for external laptops, and AD user authentication for employees' smartphones.  Works great.
    The second task was to take a legacy internal SSID and convert it to ISE 1.2.  My thoughts on how to do this, as based upon previous experience, the SISE courseware, the "Cisco ISE BYOD and Secure Unified Access" text (which I recommend), and that of a couple of consultants, was to use 802.1X to enforce machine and user authentication.  Seems pretty straight forward.
    Of course, I need to implement this in such a way that it is completely transparent to the users.  The legacy SSID is controlled via AD Group Policy, so it seemed a simple matter of modifying GP such that the new SSID kicks in at a higher priority.  Users will see both, AD will suggest the new one, and life goes on.
    That's exactly how it is supposed to work, and as far as I can tell, for any/all cold-starting laptops, that's exactly what happens.
    See coldstart.png.
    Until some user decides to close his or her laptop and sleep/hibernation sets in.
    In an overnight situation, upon waking up, the laptop proceeds to perform a user authZ but no machine AuthZ.  Because there is no machine authZ, the machine fails to get internal access, which is a problem.  In the log I see this step:
    24423  ISE has not been able to confirm previous successful machine authentication for user in Active Directory
    In talking with TAC, they are pushing me to use NAM as the supplicant, as opposed to the Native Windows 7 supplicant.  While I have AnyConnect installed on every laptop, I don't at present have NAM configured, and that breaks my "completely transparent to users" directive.
    I'm also working with Microsoft, and while they've yet to confirm that Windows 7 is just too stupid to understand the situation the laptop is in, I suspect them to tell me this soon, as we're running out of things to try on the client.
    I am aware of the Reauthentication timer that exists under the appropriate Authorization Profile, and that number seems to max out at ~18 hours (16 bit).
    At present, I've set the Reauth timer in the policy results at 1800 seconds.  I could probably set it to be a longer time, but weekends will mess that up as a good solution.
    Regarding Authentication, my Default Network Policy in ISE, I'm allowing PEAP and EAP-FAST.  PEAP is preferred.  PACs are being utilized.  See Defaultaccess.png, Defaultaccess2.png
    So, I can't believe I'm the only person having this issue.  Telling users to not suspend their machines is not an option.  So, I have to ask...  Anybody else been able to use 802.1X, ISE, Windows 7 such that it works with sleep/hibernate?

    You are not the only one. Performing true machine and user authentication (EAP-TEAP) is currently not supported by any native supplicants out there. If you notice, the Windows 7 supplicant settings allow you to define "user, machine, or user or machine" but not "Machine and User". This is the reason Cisco was pushing you the NAM client. You can check the Cisco deployment guide for EAP-TEAP (aka EAP-Chaining) here:
    http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf
    In addition, a draft RFC for TEAP was already posted:
    http://tools.ietf.org/html/draft-ietf-emu-eap-tunnel-method-01
    Just tell your MS and Apple reps about it and demand for it to be supported in future releases and patches. :)
    I don't know enough about your environment but I am suspecting that you are using MAR (Machine Access Restriction). If you are using MAR, there is a timer that is set under the "AD" integration tab. Once that timer expires ISE removes the machine's MAC address from the database, thus preventing the machine from coming on the network until it performs another machine authentication. Unfortunately, that type of machine authentication only happens during a reboot or during a log off/log in. There are other limitations associated with MAR (see link below) and I personally don't like nor recommend it:
    http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116516-problemsolution-technology-00.html
    With all of that being said I see the following options for you:
    1. Bump the MAR timer to 168 hrs (1 week) and instruct users that they have to reboot their machines first thing on Mondays.
    2. Set the Windows supplicants to only perform PEAP machine authentications. This is different than MAR as the actual AD machine credentials are used. You won't be able to perform user auth but at least you will only be allowing corp assets on the network. 
    3. Implement the Cisco NAM client and perform EAP-TEAP
    Hope this helps!
    Thank you for rating helpful posts!

  • ISE 1.2 Guest Access for EAP(Dot1x) Authentication

    Hi.
    I want to use encryption for guest access.
    In order to use "RADIUS-NAC" in the WLC, you cannot use "Open + MAC", only "WPA + dot1x".
    (Specification of the WLC)
    With "Open + MAC", by returning the "Session-Timeout Attribute" from ISE at the time of the "Web Authentication", I was able to forcibly disconnect the radio.
    (The attribute is the same value as the time the guest user can use (ISE TimeProfile))
    If you connect the wireless terminal after the forced disconnect, the Web authentication screen is displayed but you cannot log in.
    (Because the account has been revoked)
    I want to make this environment work with dot1x as well.
    However, with dot1x it becomes the "re-authentication time", so as long as the terminal is connected to the radio, it is not cut.
    In addition, even with the setting "Attribute Termination-Action = Default", it does not return to the Web authentication.
    (Status of the WLC remains "Auth Yes")
    (Session of the ISE remains "Started")
    Using (EAP) dot1x, can I "forcibly disconnect" "to match the time of the TimeProfile" in the same way as with "Open + MAC"?
    Thank you.

    Note:
    Cisco ISE:Version1.2.0.899-8
    Cisco WLC(5508):Version 7.6.120
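    Both the answer to the opening question ("On ISE you can send auth timers from the authorization policy") and the post above turn on the same two RADIUS attributes: Session-Timeout, which sets the period, and Termination-Action, which tells the NAD whether to end the session or re-authenticate it when that period expires. The following Python is an added example, not code from the thread, from ISE or from Cisco: it encodes those attributes as RADIUS TLVs the way an Access-Accept carries them, decodes them back with length checks, and works out what a NAD configured with `authentication timer reauthenticate server` would do. The attribute numbers (27, 28, 29) and the Default/RADIUS-Request meaning come from RFC 2865; how a particular NAD treats an absent Termination-Action is vendor-specific, so the code reports that case as the NAS default rather than guessing.

```python
import struct

# RADIUS attribute type numbers from RFC 2865; the thread names the attributes, not the numbers.
SESSION_TIMEOUT = 27      # seconds until the NAS ends or re-authenticates the session
IDLE_TIMEOUT = 28         # seconds of inactivity before the NAS ends the session
TERMINATION_ACTION = 29   # 0 = Default (end the session), 1 = RADIUS-Request (re-authenticate)

TERMINATION_ACTION_NAMES = {0: "Default", 1: "RADIUS-Request"}
INTEGER_ATTRS = {SESSION_TIMEOUT, IDLE_TIMEOUT, TERMINATION_ACTION}


def encode_integer_attr(attr_type, value):
    """Encode one 32-bit integer attribute as a RADIUS TLV: type, length (always 6), value."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("RADIUS integer attributes are unsigned 32-bit")
    return struct.pack("!BBI", attr_type, 6, value)


def build_timer_attrs(session_timeout, termination_action, idle_timeout=None):
    """Attribute bytes an authorization profile with a reauthentication timer adds to the Access-Accept."""
    if termination_action not in TERMINATION_ACTION_NAMES:
        raise ValueError("Termination-Action must be 0 (Default) or 1 (RADIUS-Request)")
    data = encode_integer_attr(SESSION_TIMEOUT, session_timeout)
    data += encode_integer_attr(TERMINATION_ACTION, termination_action)
    if idle_timeout is not None:
        data += encode_integer_attr(IDLE_TIMEOUT, idle_timeout)
    return data


def decode_attrs(data):
    """Walk the TLV list into {type: value}; integer attributes are unpacked, others kept as bytes."""
    attrs = {}
    offset = 0
    while offset < len(data):
        if len(data) - offset < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[offset], data[offset + 1]
        if length < 2 or offset + length > len(data):
            raise ValueError("attribute length runs past the end of the packet")
        value = data[offset + 2:offset + length]
        if attr_type in INTEGER_ATTRS:
            if len(value) != 4:
                raise ValueError("integer attribute must carry exactly 4 bytes")
            value = struct.unpack("!I", value)[0]
        attrs[attr_type] = value
        offset += length
    return attrs


def session_plan(attrs, local_reauth_period=3600):
    """What the NAS does at expiry under RFC 2865 semantics when the port is set to take the
    timer from the server: a server Session-Timeout wins, otherwise the local period applies
    (3600 s is the switchport default quoted in the thread). An absent Termination-Action is
    handled per NAS, so it is reported as 'nas-default' instead of being assumed."""
    timeout = attrs.get(SESSION_TIMEOUT, local_reauth_period)
    source = "server" if SESSION_TIMEOUT in attrs else "local"
    if TERMINATION_ACTION not in attrs:
        action = "nas-default"
    elif attrs[TERMINATION_ACTION] == 1:
        action = "reauthenticate"
    else:
        action = "terminate"
    return {"timeout": timeout, "source": source, "action": action}


if __name__ == "__main__":
    # Two-hour reauth with RADIUS-Request, as the first answer suggests for performance reasons.
    wire = build_timer_attrs(7200, 1)
    print(wire.hex(), session_plan(decode_attrs(wire)))
    # Guest case from the post above: TimeProfile-length timeout with Termination-Action = Default.
    print(session_plan(decode_attrs(build_timer_attrs(1800, 0))))
```

    The Termination-Action value is what separates the two posts: RADIUS-Request (1) is the re-authentication timer the first answer describes, where the endpoint stays up and is simply re-checked; Default (0) is the hard disconnect the guest post wants, and if the WLC is still showing the session as authenticated after that, the attribute pair reaching the WLC is the first thing worth capturing.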

  • Error message running powershell as admin, not running ISE as admin

    I have a powershell script local on my dc. When I run the script from inside ISE (as admin) it works beautifully. When I run it just inside a powershell window (as admin) it gives me an error:
    Register-ScheduledTask : Cannot bind argument to parameter 'Action', because PSTypeNames of the argument do
    the PSTypeName required by the parameter: Microsoft.Management.Infrastructure.CimInstance#MSFT_TaskAction.
    Why would it be different running from ISE than from powershell window? I don't want to have to open ISE ever time to execute the script.
    mpleaf

    Back quotes and smart quotes from Web pasted code can create big headaches too.
    If you want to see an example of this, take a look at the code here:
    https://dthomo.wordpress.com/2011/02/10/disabling-activesync-by-default-on-exchange-2010/
    Many moons ago, I copied that, pasted it into Notepad++, saved it as xml, and put it up on my Exchange servers.
    Result = broken, very angry Exchange. The code is perfectly fine, but those quotes...
    Now, one interesting thing I just noticed. I pasted that code above into Notepad++ and saw the smart quotes as expected. I then pasted it into the ISE, and the quotes appeared as normal straight quotes. I saved the file as test.xml to see if the ISE was somehow smart enough to save me from these quotes. Opened it up in Notepad++. Smart quotes survived.
    I think this could be kind of dangerous, as you'd never know that your quotes were bad by looking at the text in the ISE... Can either of you confirm this behavior?
    EDIT: The text highlighting of the saved file in the ISE is apparently a good indicator of this though:
    Don't retire TechNet! -
    (Don't give up yet - 12,830+ strong and growing)

  • System Generator on ISE 13.1

    Hello everybody.
    I am experiencing problems trying to run System Generator within ISE v13.1. In order to isolate the problem I implemented a very simple design, which is only one In gateway, one Out gateway and one AddSub block.
    It happens that System Generator is not able to generate the core for the AddSub block (or any other block). Looking at the error log I get:
    INFO:sim - Generating implementation netlist for   'addsb_11_0_1846f6db66fd2e6e'...
    INFO:sim - Pre-processing HDL files for 'addsb_11_0_1846f6db66fd2e6e'...
    ERROR:sim - ios failure
    ERROR:sim - Could not open destination for writing.
    ERROR:sim - Failed executing Tcl generator.
    ERROR:sim - Failed to generate 'addsb_11_0_1846f6db66fd2e6e'.  Failed executing   Tcl generator.
    ERROR:sim:877 - Error found during execution of IP 'Adder Subtracter v11.0'
    It seems it cannot open a file for writing in it. If I try to implement exactly the same design in ISE 12.4, at the same PC, it works fine. I tried reinstalling ISE several times without success.
    I am using Windows XP Professional Edition Service Pack 3 and do have administrator privileges in my machine.
    Does anybody have the same problem?
    Thank you very much.
    Daniel

    Hi
    The original issue was fixed using the temp path with no special characters in it which you can cross check.
    Provide more details on the tools used and versions(ISE and MATLAB) and exact error message if the temp path is fine in your environment.

  • ISE in High Availability (HA) mode.. Factors to look upon

    We are setting up a lab where we have installed 2 ISE on VMs. We are deploying them in HA mode. While deploying them we are facing an error after registering ISE-2 with Primary ISE-1. Even after periodic refresh of the 'Sync' tab we are getting an 'out of sync' error.
    We have checked the certificate, which is bound correctly, as we could register ISE-2 under primary ISE-1.
    Time: the time on all the devices is synced up properly and they are in the UTC timezone.
    What are the factors that play a role for HA in ISE? Which things have to be looked at while resolving the error?
    ---Securview Support

    Hello,
    I went through your query and found some prerequisites which would help in solving it:
    • Ensure that you have a second ISE node configured with the Administration persona before you can promote it to become your primary Administration ISE node.
    • Before you configure the Administration ISE nodes for high availability, we recommend that you obtain a backup of the Cisco ISE configuration from the standalone node that you are going to register as a secondary Administration ISE node.
    • Every ISE administrator account is assigned one or more administrative roles. To perform the operations described in the following procedure, you must have one of the following roles assigned: Super Admin or System Admin. See Cisco ISE Admin Group Roles and Responsibilities for more information on the various administrative roles and the privileges associated with each of them.

  • Reopen last used tabs in Powershell ISE

    Hi Scripting Guys
    I use a lot of tabs in the Powershell ISE console in my work as an Administrator, and every time I close the ISE I need to reopen every tab that I used before. So my question is:
    When I open Powershell ISE, can it automatically reopen the last tabs that I used? Can Powershell ISE remember the last used tabs like IE can remember the last open browser session?
    Best regards,
    Thorkell

    Hi,
    I do this by killing the ISE process with process explorer instead of closing the window. The next time you open the ISE it will note that it didn't shut down properly and will reopen the tabs you had open previously.
    I'm not aware of a graceful way to do this though.
    Don't retire TechNet! -
    (Don't give up yet - 12,830+ strong and growing)
    kill $PID -Force
    I've done this a few times to keep my tabs when I open up ISE another time. :)
    Boe Prox
    Blog |
    Twitter
    PoshWSUS |
    PoshPAIG | PoshChat |
    PoshEventUI
    PowerShell Deep Dives Book

  • Apple sleeps and authenticates again

    We have wlc 5508, 7.6.130.0, 2600, 1600 APs on our network, we are using CWA (mac-auth + radius).
    After an Apple device goes into/out of sleep mode (energy saving), it needs to authenticate again instead of staying in RUN
    state, despite a big session and idle timeout on the controller.

    Konstantin, I was also initially using ISE to send a RADIUS override with a session timeout value. I did this with different values for different authorization policies. I think this somehow meant ISE was controlling the session, not the WLC. So when the iPad dropped WiFi during sleep, the controller lost its state, and ISE terminated the session. To resolve it, I removed the Reauthentication timer from ISE and let the controller provide the session timeout value. Now, when the iPad goes to sleep, it still drops WiFi, but the session state is maintained in the WLC, and the iPad just reauths successfully with ISE. So the user doesn't have to hit the web-auth page again upon waking the device; WiFi is just up and connected.
    On a side note, I found out that the iPad sends wireless beacons out every 10 minutes. So essentially, it reauthenticates with ISE every 10 minutes. I have not hit my idle timeout value yet, but I'm afraid that because of this 10 minute beacon, even a sleeping iPad will not be idle long enough to be disassociated.

  • Guest Re-Authentication

    I have setup a Sponsored Guest Wifi on a 2504 with ISE 1.3.  I can create Guests, they can associate, and get re-directed to a Web Auth.  It all works great.
    I have a few guest types, one of which is a 5 day guest.  With the 5 day guest with access hours between 8am - 6pm, I'd like to have the end user login to the network every morning.  As it works now, the guest can login once during, and they are good for the entire 5 days.
    I have two Auth Profiles setup.  The first one is to do the CWA to get the user to sign on to the network.  The 2nd Profile is to allow guest endpoints access to the network.  I set the Reauthentication timer in the "Access" policy to 6000 seconds, however I am not sure that is working as expected.
    Any hints on pushing Guest users back to the portal for authentication periodically?

    Not sure if this will apply to wireless but this is how I did it for wired devices.  On my system, ISE adds the guest user's MAC address to the appropriate endpoint identity group based on the Guest Type profile.  I set up a re-authentication timer on the Authorization Profile and created an Endpoint Purge rule to remove any devices in the endpoint identity group.  This was the only thing I could think of to make sure guest users were kicked off daily and had to log in again the next day.

  • Continuous Re-authentications

    We are in the process of migrating from ACS 4.x to ACS 5.5. At our smaller branch offices we have Sonicwall TZ205/215 that act as a wireless AP. The SSID uses RADIUS to authenticate users. I've noticed that wireless clients at these sites are endlessly authenticating. One example is that a user authenticated 21 times in 10 minutes. The authentication method listed was Lookup for all 21 occurrences. Is this normal behavior? I would like to think there is a client configuration issue or a timeout issue on the Sonicwall.

    Reauthentication
    Reauthentication Timer
    Select whether to use a session timeout value.
    If you select Static , you must enter a value in the Seconds field. The default value is 3600 seconds.
    If you select Dynamic , you must select the dynamic parameters.
    Maintain Connectivity during Reauthentication
    Click Yes to ensure connectivity is maintained while reauthentication is performed. By default, Yes is selected . This field is enabled only if you define the Reauthentication Timer.
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/user/guide/acsuserguide/pol_elem.html#25833

  • ACS Upgrade in live network ok?

    I am about to upgrade our CiscoSecure  ACS from 4.1 to 4.2.  If I do so on a live network, can that affect anything within my network?
    I would hate to bring down an entire network and upset about 3000 users.
    Thanks in advance!

    That will prevent that particular ACS from authenticating new users for the duration of the upgrade ...
    Existing users won't be kicked out unless you configured a very frequent reauthentication timer.
    If you have more than one ACS then the other should be there to take over the job.

  • Wireless local radius authentication

    Greetings,
    I have a AIR-AP1121G-A-K9, and I would like to authenticate users with a username and password on the AP using the local radius server.
    I used the configuration at http://www.aironet.info/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c0912.shtml
    and tried a couple of other posted configurations, but am running into the same issue regardless of which method I am using.
    show ver
    Cisco IOS Software, C1100 Software (C1100-K9W7-M), Version 12.3(8)JED1, RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2010 by Cisco Systems, Inc.
    Compiled Tue 27-Apr-10 12:52 by alnguyen
    ROM: Bootstrap program is C1100 boot loader
    BOOTLDR: C1100 Boot Loader (C1100-BOOT-M) Version 12.2(8)JA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
    ORP_ROOFDECK uptime is 21 hours, 3 minutes
    System returned to ROM by power-on
    System image file is "flash:/c1100-k9w7-mx.123-8.JED1/c1100-k9w7-mx.123-8.JED1"
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    cisco AIR-AP1121G-A-K9     (PowerPCElvis) processor (revision A0) with 15138K/1236K bytes of memory.
    Processor board ID FOC08370K83
    PowerPCElvis CPU at 197Mhz, revision number 0x0950
    Last reset from power-on
    1 FastEthernet interface
    1 802.11 Radio(s)
    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: 00:12:01:6B:86:46
    Part Number                          : 73-7886-07
    PCA Assembly Number                  : 800-21481-07
    PCA Revision Number                  : A0
    PCB Serial Number                    : XXX
    Top Assembly Part Number             : 800-22053-04
    Top Assembly Serial Number           : XXX
    Top Revision Number                  : A0
    Product/Model Number                 : AIR-AP1121G-A-K9
    Configuration register is 0xF
    show run
    Current configuration : 4240 bytes
    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname XXX
    ip subnet-zero
    ip domain name XXX!
    ip ssh version 2
    aaa new-model
    aaa group server radius rad_eap
    server 172.16.1.35 auth-port 1812 acct-port 1813
    aaa group server radius rad_acct
    server 172.16.1.35 auth-port 1812 acct-port 1813
    aaa authentication login eap_methods group rad_eap
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    dot11 syslog
    dot11 ssid YYY
       authentication open eap eap_methods
       authentication network-eap eap_methods
       guest-mode
    bridge irb
    interface Dot11Radio0
    no ip address
    ip helper-address 172.16.1.1
    no ip route-cache
    encryption key 1 size 128bit 7 66061D688B874859701297485642 transmit-key
    encryption mode wep mandatory
    broadcast-key change 300
    ssid YYY
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    channel 2437
    station-role root
    rts threshold 2312
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface FastEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface BVI1
    ip address 172.16.1.35 255.255.255.0
    ip helper-address 172.16.1.1
    no ip route-cache
    ip default-gateway 172.16.1.1
    ip http server
    ip http authentication local
    ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    radius-server local
      no authentication eapfast
      no authentication mac
      nas 172.16.1.35 key 7 VVV
      group YYY
        ssid YYY
        block count 3 time 30
        reauthentication time 300
      user zzz nthash 7 0225540F2A2429741C162F3C2636455854560E72760A6A667B315E375553010B7A group YYY
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 172.16.1.35 auth-port 1812 acct-port 1813 key 7 VVV
    radius-server vsa send accounting
    bridge 1 route ip
    line con 0
    line vty 0 4
    access-class 10 in
    line vty 5 15
    end
    Debug Output:
    331: AAA/ACCT(00000000): add node, session 4
    *Mar  1 21:37:37.331: AAA/ACCT/NET(00000004): add, count 1
    *Mar  1 21:37:37.331: dot11_auth_add_client_entry: Create new client 0023.6c85.32cd for application 0x1
    *Mar  1 21:37:37.331: dot11_auth_initialize_client: 0023.6c85.32cd is added to the client list for application 0x1
    *Mar  1 21:37:37.331: dot11_auth_add_client_entry: req->auth_type 4
    *Mar  1 21:37:37.331: dot11_auth_add_client_entry: auth_methods_inprocess: 2
    *Mar  1 21:37:37.331: dot11_auth_add_client_entry: eap list name: eap_methods
    *Mar  1 21:37:37.331: dot11_run_auth_methods: Start auth method EAP or LEAP
    *Mar  1 21:37:37.331: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
    *Mar  1 21:37:37.331: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 0023.6c85.32cd
    *Mar  1 21:37:37.332: EAPOL pak dump tx
    *Mar  1 21:37:37.332: EAPOL Version: 0x1  type: 0x0  length: 0x0036
    *Mar  1 21:37:37.332: EAP code: 0x1  id: 0x1  length: 0x0036 type: 0x1
    00ECBA00: 01000036 01010036 01006E65 74776F72  ...6...6..networ
    00ECBA10: 6B69643D 4F52505F 5075626C 69632C6E  kid=YYY,n
    00ECBA20: 61736964 3D4F5250 5F524F4F 46444543  asid=YYY
    00ECBA30: 4B2C706F 72746964 3D30               K,portid=0
    *Mar  1 21:37:37.333: dot11_auth_send_msg:  sending data to requestor status 1
    *Mar  1 21:37:37.333: dot11_auth_send_msg: Sending EAPOL to requestor
    *Mar  1 21:37:37.333: dot11_auth_dot1x_send_id_req_to_client: Client 0023.6c85.32cd timer started for 30 seconds
    *Mar  1 21:38:07.333: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 0023.6c85.32cd
    *Mar  1 21:38:07.333: dot11_auth_dot1x_send_client_fail: Authentication failed for 0023.6c85.32cd
    *Mar  1 21:38:07.333: dot11_auth_send_msg:  sending data to requestor status 0
    *Mar  1 21:38:07.333: dot11_auth_send_msg: client FAILED to authenticate 0023.6c85.32cd, node_type 64 for application 0x1
    *Mar  1 21:38:07.333: dot11_auth_delete_client_entry: 0023.6c85.32cd is deleted for application 0x1
    *Mar  1 21:38:07.334: %DOT11-7-AUTH_FAILED: Station 0023.6c85.32cd Authentication failed
    *Mar  1 21:38:07.334: AAA/ACCT/HC(00000004): Update DOT11/00A83CE0
    *Mar  1 21:38:07.335: AAA/ACCT/HC(00000004): DOT11/00A83CE0 [pre-sess] (rx/tx) base 0/0 pre 6861/188 call 6861/188
    *Mar  1 21:38:07.335: AAA/ACCT/HC(00000004): DOT11/00A83CE0 [pre-sess] (rx/tx) adjusted, pre 6861/188 call 0/0
    *Mar  1 21:38:07.335: AAA/ACCT/HC(00000004): Deregister DOT11/00A83CE0
    *Mar  1 21:38:07.335: dot11_auth_client_abort: Received abort request for client 0023.6c85.32cd
    *Mar  1 21:38:07.335: dot11_auth_client_abort: No client entry to abort: 0023.6c85.32cd for application 0x1
    *Mar  1 21:38:07.335: AAA/ACCT/EVENT/(00000004): CALL STOP
    *Mar  1 21:38:07.335: AAA/ACCT/CALL STOP(00000004): Sending stop requests
    *Mar  1 21:38:07.336: AAA/ACCT(00000004): Send all stops
    *Mar  1 21:38:07.336: AAA/ACCT/NET(00000004): STOP
    *Mar  1 21:38:07.336: AAA/ACCT/NET(00000004): Method list not found
    *Mar  1 21:38:07.336: AAA/ACCT(00000004): del node, session 4
    *Mar  1 21:38:07.336: AAA/ACCT/NET(00000004): free_rec, count 0
    *Mar  1 21:38:07.336: AAA/ACCT/NET(00000004) reccnt 0, csr TRUE, osr 0
    *Mar  1 21:38:07.337: AAA/ACCT/NET(00000004): Last rec in db, intf not enqueued
    *Mar  1 21:41:34.645: AAA/BIND(00000005): Bind i/f
    *Mar  1 21:41:34.645: AAA/ACCT/EVENT/(00000005): CALL START
    *Mar  1 21:41:34.645: Getting session id for NET(00000005) : db=C4EBC0
    *Mar  1 21:41:34.645: AAA/ACCT(00000000): add node, session 5
    *Mar  1 21:41:34.646: AAA/ACCT/NET(00000005): add, count 1
    *Mar  1 21:41:34.646: Getting session id for NONE(00000005) : db=C4EBC0
    *Mar  1 21:41:34.646: AAA/AUTHEN/LOGIN (00000005): Pick method list 'Permanent Local'
    *Mar  1 21:41:39.002: AAA/AUTHOR (0x5): Pick method list 'default'
    *Mar  1 21:41:39.002: AAA/AUTHOR/EXEC(00000005): processing AV cmd=
    *Mar  1 21:41:39.003: AAA/AUTHOR/EXEC(00000005): processing AV priv-lvl=15
    *Mar  1 21:41:39.003: AAA/AUTHOR/EXEC(00000005): Authorization successful
    Any ideas how I can get simple username/password working on an autonomous AP with local radius server?
    Thank you,

    You could get a better idea of why the auth is being failed with the output of "show radius local-server statistics".  You could also run "debug radius local-server client" and "debug radius local-server error".
