[ ISSUE ] NCS / PI authentication using Microsoft NPS as a RADIUS server
So here is my goal:
Authenticate employees who use NCS or PI with their Active Directory credentials against Microsoft NPS.
Background:
I have successfully configured our switches to use the NPS server and our AD credentials to log into and receive plvl=15 access.
I've also used NPS to authenticate wireless clients in a lab setting.
Problem:
I cannot figure out what is going on with NCS/PI authentication against NPS.
Here are a couple/few steps I've taken:
- I've added the RADIUS client to the list.
- I've created a network policy to grant access to a specific group of users (AD group). It accepts either CHAP or PAP authentication
- I've also taken out the default RADIUS attributes and inserted these:
  - Vendor-Specific, Cisco-AV-Pair
    - I've used both the ASCII format of the task list and/or variations of the HEX value
  - Vendor-Specific, RADIUS Standard
    - I've used both the ASCII format of the task list and/or variations of the HEX value
On the NPS server I can see the request coming in on the NPS logs. Access has been granted and it matches the Network Policy I created.
The usual message I receive is this:
No authorization information found for Remote Authenticated User. Please check the correctness of the associated task(s) and Virtual Domain(s) in the remote server
Attached is a picture from a packet capture. The RADIUS "Access-Accept" message has something under the Attribute Value Pairs section:
- "[Not enough room in packet for AVP]"
This capture was taken when I was only using the RADIUS role value and not all the RADIUS Tasks.
Has anyone gotten this to work using Cisco NCS/PI and Microsoft NPS?
Here are some of the guides I used:
http://mihai.radoveanu.ro/2010/11/configuring-the-radius-authentication-with-cisco-wireless-control-system-6-0-196-0/
https://supportforums.cisco.com/thread/339057
http://www.cisco.com/en/US/products/ps6305/products_tech_note09186a00809038e6.shtml
Hi Kyujin,
I wish I had finished my guide. Didn't realize it would take this long.
But what I meant is that when adding the attributes to my NPS (Microsoft's Network Policy Server) I only had to add the role and virtual domain if using Prime Infrastructure.
If you use NCS, you have to add the role, all the tasks, and the virtual domain.
See the screenshots and see if that helps explain it. Not sure how TACACS will work as I'm not familiar with it.
Microsoft NPS - Attributes for NCS
Microsoft NPS - Attributes for PI
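To make the reply above concrete, here is an added example in Python (mine, not code from the thread or from Cisco) that encodes the Cisco-AV-Pair Vendor-Specific attributes for an NCS Access-Accept one AV-pair per attribute, and parses an attribute list the way a capture tool does, flagging an AVP whose Length byte runs past the end of the packet, which is the shape of attribute a capture reports as "[Not enough room in packet for AVP]". The NCS:role0=, NCS:task<n>= and NCS:virtual-domain0= key names and the task names are assumptions; take the exact strings from your own NCS/PI AAA settings.

```python
"""
Added example, not from the forum thread: Cisco-AV-Pair VSAs for an NCS/PI
Access-Accept, plus a defensive attribute-list parser.  Key names such as
NCS:role0= are assumed; copy the real ones from the NCS/PI AAA page.
"""
import struct

ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AV_PAIR = 1              # vendor type 1 inside the Cisco VSA
MAX_ATTR_LEN = 255             # RFC 2865: the attribute Length field is one byte
# outer Type/Length (2) + Vendor-Id (4) + vendor Type/Length (2) = 8 bytes of headers
MAX_AVPAIR_VALUE = MAX_ATTR_LEN - 8


def encode_cisco_avpair(value: str) -> bytes:
    """One Cisco-AV-Pair VSA. Refuses a value that cannot fit a one-byte Length."""
    data = value.encode("ascii")
    if len(data) > MAX_AVPAIR_VALUE:
        raise ValueError(f"AV-pair of {len(data)} bytes exceeds {MAX_AVPAIR_VALUE}; split it")
    vendor_part = struct.pack("!BB", CISCO_AV_PAIR, len(data) + 2) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + vendor_part
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, len(body) + 2) + body


def ncs_avpairs(role: str, tasks, virtual_domain: str) -> list:
    """Role, every task and the virtual domain, each as its own AV-pair (NCS needs all three kinds;
    the reply above says PI needs only role and virtual domain). Key names are assumed."""
    pairs = [f"NCS:role0={role}"]
    pairs += [f"NCS:task{i}={task}" for i, task in enumerate(tasks)]
    pairs.append(f"NCS:virtual-domain0={virtual_domain}")
    return pairs


def build_attribute_list(avpairs) -> bytes:
    """Concatenate one VSA per AV-pair, never one oversized attribute."""
    return b"".join(encode_cisco_avpair(p) for p in avpairs)


def parse_attributes(blob: bytes) -> list:
    """Walk Type/Length/Value triples; raise when a Length claims more bytes than remain."""
    attrs, off = [], 0
    while off < len(blob):
        if len(blob) - off < 2:
            raise ValueError(f"truncated attribute header at offset {off}")
        atype, alen = blob[off], blob[off + 1]
        if alen < 2 or off + alen > len(blob):
            raise ValueError(
                f"type {atype} at offset {off}: Length {alen} but only "
                f"{len(blob) - off} bytes remain (not enough room in packet for AVP)")
        attrs.append((atype, blob[off + 2:off + alen]))
        off += alen
    return attrs


def decode_cisco_avpairs(attrs) -> list:
    """Pull the ASCII AV-pair strings back out of well-formed Cisco VSAs."""
    out = []
    for atype, val in attrs:
        if atype != ATTR_VENDOR_SPECIFIC or len(val) < 6:
            continue
        if struct.unpack("!I", val[:4])[0] != CISCO_VENDOR_ID:
            continue
        vtype, vlen = val[4], val[5]
        if vtype == CISCO_AV_PAIR and vlen == len(val) - 4:
            out.append(val[6:].decode("ascii", "replace"))
    return out


def check_accept_attributes(blob: bytes):
    """Returns (avpairs, None) for a clean list or ([], error text) for a malformed one."""
    try:
        return decode_cisco_avpairs(parse_attributes(blob)), None
    except ValueError as exc:
        return [], str(exc)


if __name__ == "__main__":
    # Constructed sample: a correct NCS attribute list (task names are made up).
    good = build_attribute_list(
        ncs_avpairs("Admin", ["Monitor Menu Access", "Configure Menu Access"], "ROOT-DOMAIN"))
    print(check_accept_attributes(good))
    # Constructed malformed sample: the Length byte says 60 but only 15 bytes follow.
    bad = bytes([ATTR_VENDOR_SPECIFIC, 60]) + struct.pack("!I", CISCO_VENDOR_ID) + b"\x01\x0aNCS:role0"
    print(check_accept_attributes(bad))
```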
Similar Messages
Cisco Nexus to use Radius AAA authentication using Microsoft 2008 NPS
I have a Nexus 7010 running
Just wondering if you can help me with something. I'm having an issue with command authorization thru our aaa config. We don't have a problem authenticating its command authorization that is not working. From what I have seen and read Nexus NX-OS 6.x does not have any commands for aaa authorization unless you are configuring TACACS+. My basic config is below if you can help it would be much appreciated.
>>ip radius source-interface mgmt 0
>>radius-server key XXXXX
>>radius-server host X.X.X.X key XXXXX authentication accounting
>>radius-server host X.X.X.X key XXXXX authentication accounting
>>aaa authentication login default group Radius_Group
>>aaa authentication login console local
>>aaa group server radius Radius_Group
>>  server X.X.X.X
>>  server X.X.X.X
>>  source-interface mgmt0
Also, does anyone know how to configure Microsoft 2008 NPS as a RADIUS server to work with Nexus? I have read a few posts that suggest changing the
shell:roles="vdc-admin" in the Attribute Value field in the RADIUS server
Does anyone know if this works????
Thanks
I have never done this before with ACS but not with NPS. However, you are on the right path. Nexus uses NX-OS which is different in some regards to regular IOS. One of those differences is the AAA setup. In NX-OS you assign users to roles. So for full access you will need to return the following attributes from your RADIUS server:
Attribute: cisco-av-pair
Requirement: Mandatory
Value: shell:roles*"network-admin vdc-admin"
For more information take a look at this link:
http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html
Hope this helps
Thank you for rating helpful posts! -
WLC 2504 - Issue with using Microsoft NPS for Radius Management Login
Hello,
In our environment we like to have our network admins and engineers use their Active Directory credentials when logging into devices so we can log who logged into which devices and if any changes were made. To do this we use a Server 2008 R2 NPS server with all our routers, switches and ASA's. We recently purchased a WLC to begin adding wireless to our environment. (See WLC_Radius_Config.png and NPS_Radius_Config.png)
On the WLC, I am able to authenticate in using my AD credentials but when I go to apply any config changes I get a message saying "Authorization Failed. No sufficient privileges." (See error.png) I have a feeling I am missing something small but this is very important to us.
I checked the Radius server and there are no login errors or NPS errors pointing to the WLC logins. Has anyone else run into this issue or know what I can do to solve it?
Thanks,
Windows Authentication using Microsoft SQL Server 2005 JDBC Driver
Hi,
I am using Microsoft SQL Server 2005 JDBC Driver to connect to SQL Server 2000 database, can anyone tell me the connection URL for windows authentication. SQL authentication is working fine.
DataDirect has drivers for windows authentication but I am not using it.
Regards
Arup
You can't do it with the Microsoft driver. There's a free driver called jTDS that may be able to (I don't know).
(edit) Looking at their FAQ it looks like it does:
http://jtds.sourceforge.net/faq.html -
Web Service Authentication using Microsoft Active Directory
Hi
Is there a way to create Oracle Java Web Services that requires authentication using Active Directory?
Regards,
Néstor Boscán
If you use the SOA Suite, the Oracle Web Service Manager is included in there. Using this you can add steps that will authenticate against an AD.
cu
Andreas -
Trying to implement EAP/TLS using java (as part of RADIUS server)
Hi
This is a cross post since I didn't know which forum to post in!
I'm trying to implement a RADIUS server (EAP/TLS) as part of my master thesis. I'm not used to Java SSL libraries and can't get it to work. The server will respond to an access point that uses 802.1x. I have created certificates using openssl and imported the "cert-clt.pl2" and "root.pem" to a laptop trying to connect to the access point. On the server side I imported the "cacert.pem" and "cert-srv.der" using keytool to a keystore. In my code I read the keystore and create the SSLEngine with the following code:
KeyStore ksKeys = KeyStore.getInstance("JKS");
ksKeys.load(new FileInputStream("certs/FeebeeCommunity.keystore"), passphrase);
// The key manager needs a private-key entry for the server certificate; a keystore
// that only holds certificates imported with keytool offers no RSA cipher suites.
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(ksKeys, passphrase);
KeyStore ksTrust = KeyStore.getInstance("JKS");
ksTrust.load(new FileInputStream("FeebeeCommunity.keystore"), passphrase);
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
tmf.init(ksTrust); // was tmf.init(ksKeys); the trust manager is built from the trust store
sslContext = SSLContext.getInstance("TLS");
sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
sslEngine = sslContext.createSSLEngine();
sslEngine.setUseClientMode(false);
// setNeedClientAuth and setWantClientAuth override each other; EAP-TLS requires
// the client certificate, so only the "need" form is kept.
sslEngine.setNeedClientAuth(true);
sslEngine.setEnableSessionCreation(true);
appBuffer = ByteBuffer.allocate(sslEngine.getSession().getApplicationBufferSize());
appBuffer.clear();
netBuffer = ByteBuffer.allocate(sslEngine.getSession().getPacketBufferSize());
netBuffer.clear();
All I want to do with TLS is a handshake.
I'm not talking SSL over sockets; instead I receive and send all TLS data encapsulated in EAP packets that are encapsulated in RADIUS packets. I start off by sending TLS-Start, upon which I receive TLS data. I handle it with the following code:
SSLEngineResult result = null;
SSLEngineResult.HandshakeStatus hsStatus = null;
if( internalState != EAPTLSState.Handshaking ) {
    if( internalState == EAPTLSState.None ) {
        TLSPacket tlsPacket = new TLSPacket( packet.getData() );
        peerIdentity = tlsPacket.getData();
        internalState = EAPTLSState.Starting;
        try {
            sslEngine.beginHandshake();
        } catch (SSLException e) {
            e.printStackTrace();
            return;
        }
    } else if( internalState == EAPTLSState.Starting ) {
        internalState = EAPTLSState.Handshaking;
        try {
            sslEngine.beginHandshake();
        } catch (SSLException e) {
            e.printStackTrace();
            return;
        }
    }
}
TLSPacket tlsPacket = new TLSPacket( packet.getData() );
netBuffer.put( tlsPacket.getData() );
netBuffer.flip();
while(true) {
    hsStatus = sslEngine.getHandshakeStatus();
    if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_TASK) {
        Runnable task;
        while((task=sslEngine.getDelegatedTask()) != null) {
            // Run the task synchronously: a detached thread races the next
            // getHandshakeStatus() call and the engine's fatal-alert handling.
            task.run();
        }
    } else if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_UNWRAP) {
        try {
            result = sslEngine.unwrap( netBuffer, appBuffer );
        } catch (SSLException e) {
            e.printStackTrace();
            return;
        }
        if( result.getStatus() == SSLEngineResult.Status.BUFFER_UNDERFLOW ) {
            return; // the TLS record is split across EAP fragments; wait for the next one
        }
    } else {
        return;
    }
}
When I try to send data I use the following code:
SSLEngineResult.HandshakeStatus hsStatus = null;
SSLEngineResult result = null;
// netBuffer = ByteBuffer.allocate(EAPTLSMethod.BUFFER_SIZE);
netBuffer.clear();
while(true) {
    hsStatus = sslEngine.getHandshakeStatus();
    if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_TASK) {
        Runnable task;
        while((task=sslEngine.getDelegatedTask()) != null) {
            task.run(); // synchronous; see the receive loop above
        }
    } else if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_WRAP) {
        try {
            result = sslEngine.wrap( dummyBuffer, netBuffer );
        } catch (SSLException e) {
            e.printStackTrace();
            return null;
        }
    } else {
        if( result != null && result.getStatus() == SSLEngineResult.Status.OK ) {
            // Several wrap() calls may have written into netBuffer (ServerHello, Certificate,
            // ServerHelloDone), so size the fragment from the buffer, not from the last result.
            netBuffer.flip();
            int total = netBuffer.remaining();
            int size = Math.min(total, this.MTU);
            byte [] tlsData = new byte[size];
            netBuffer.get(tlsData,0,size);
            TLSPacket tlsPacket = new TLSPacket((byte)0,tlsData);
            if( size < total ) {
                // the bytes left in netBuffer belong to later fragments; send them before clear()
                tlsPacket.setFlag(TLSFlag.MoreFragments);
            }
            return new EAPTLSRequestPacket( ID,
                (short)(tlsPacket.getData().length + 6),
                stateMachine.getCurrentMethod(), tlsPacket );
        } else {
            return null;
        }
    }
}
After I sent TLS-Start I receive data and manage to process it, but when I then try to produce TLS data I get the following error:
javax.net.ssl.SSLHandshakeException: no cipher suites in common
at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:992)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:459)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1054)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1026)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:411)
at RadiusServerSimulator.EAPModule.EAPTLSMethod.buildReq(EAPTLSMethod.java:125)
at RadiusServerSimulator.EAPModule.EAPStateMachine.methodRequest(EAPStateMachine.java:358)
at RadiusServerSimulator.EAPModule.EAPStateMachine.run(EAPStateMachine.java:262)
at java.lang.Thread.run(Thread.java:595)
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1352)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:164)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:638)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:450)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:178)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:437)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.java:930)
Any help would be most gratefully received; if there are any questions or anything is unclear please let me know.
To add some additional information, here is a debug output.
Before this I have sent a TLS-Start packet, and this is when I receive new information and then try to create the answer:
[Raw read]: length = 5
0000: 16 03 01 00 41 ....A
[Raw read]: length = 65
0000: 01 00 00 3D 03 01 41 A4 FC 16 A8 14 89 F0 59 81 ...=..A.......Y.
0010: C8 C9 29 C2 09 D1 0A 70 18 58 DC 2E B0 C8 14 90 ..)....p.X......
0020: D4 FD A4 C6 32 C9 00 00 16 00 04 00 05 00 0A 00 ....2...........
0030: 09 00 64 00 62 00 03 00 06 00 13 00 12 00 63 01 ..d.b.........c.
0040: 00 .
Thread-2, READ: TLSv1 Handshake, length = 65
*** ClientHello, TLSv1
RandomCookie: GMT: 1084488726 bytes = { 168, 20, 137, 240, 89, 129, 200, 201, 41, 194, 9, 209, 10, 112, 24, 88, 220, 46, 176, 200, 20, 144, 212, 253, 164, 198, 50, 201 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA]
Compression Methods: { 0 }
[read] MD5 and SHA1 hashes: len = 65
0000: 01 00 00 3D 03 01 41 A4 FC 16 A8 14 89 F0 59 81 ...=..A.......Y.
0010: C8 C9 29 C2 09 D1 0A 70 18 58 DC 2E B0 C8 14 90 ..)....p.X......
0020: D4 FD A4 C6 32 C9 00 00 16 00 04 00 05 00 0A 00 ....2...........
0030: 09 00 64 00 62 00 03 00 06 00 13 00 12 00 63 01 ..d.b.........c.
0040: 00 .
Thread-5, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
Thread-5, SEND TLSv1 ALERT: fatal, description = handshake_failure
Thread-5, WRITE: TLSv1 Alert, length = 2
Thread-2, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:992)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:459)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1054)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1026)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:411)
at RadiusServerSimulator.EAPModule.EAPTLSMethod.buildReq(EAPTLSMethod.java:153)
at RadiusServerSimulator.EAPModule.EAPStateMachine.methodRequest(EAPStateMachine.java:358)
at RadiusServerSimulator.EAPModule.EAPStateMachine.run(EAPStateMachine.java:262)
at java.lang.Thread.run(Thread.java:595)
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1352)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:164)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:638)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:450)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:178)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:437)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.java:930)
... 1 more
I am developing a simple client/server SSL app using SDK 1.4 (no SSLEngine) and am faced with the same problem. Could anybody track down the problem further?
-
Issues with client authentication using certificates
We have upgraded from sun-one directory server 5.1 sp4 to odsee 11g. We were using client certificates for authenticating connections to the directory server and it is no longer working. We had a certmap.conf that worked fine on 5.1 but it no longer seems to work on 11g. We are getting the following errors in the access log:
[04/Apr/2011:16:41:17 -0400] conn=1692 op=-1 msgId=-1 - SSL failed to map client certificate to LDAP DN (User's LDAP entry doesn't have any certificates to compare)
[04/Apr/2011:16:41:17 -0400] conn=1692 op=0 msgId=1 - BIND dn="" method=sasl version=3 mech=EXTERNAL
[04/Apr/2011:16:41:17 -0400] conn=1692 op=0 msgId=1 - RESULT err=49 tag=97 nentries=0 etime=0.099660, client certificate mapping failed
I checked and there is a usercertificate;binary entry which contains the certificate.
Also, it does seem to find the entry for the cn, as shown by these two lines:
[04/Apr/2011:16:41:17 -0400] conn=-1 op=-1 msgId=-1 - ENTRY dn="cn=XXXXXXXX, ou=certs, ou=yyyy,dc=zzzzzzz,dc=net"
[04/Apr/2011:16:41:17 -0400] conn=-1 op=-1 msgId=-1 - RESULT err=0 tag=101 nentries=1 etime=0.001150
All we did was to install the upgraded server software and migrate the data. Is there something more required for this version in order to implement client certificate authentication? I thought I saw something about a directory server proxy, which we aren't running. Is that necessary for this to work?
Any help you can provide would be greatly appreciated.
Thanks.
dean
I am using verifycert set to on. We want to verify the certificate.
I am not using CmapLdapAttr. I saw a reference in one other post regarding using that attribute. I am hesitant to go there because while it seems to be a fix, I was unsure whether it was something which happened to work but was not part of the standard implementation of using client certificates, or whether it was a requirement in order for it to work and it was just serendipitous that it wasn't needed in 5.1. I wouldn't want to start using it, apply a patch, and have it stop working again because that was a workaround.
Thanks. -
Issue with SAP Authentication in a Windows 2003 64 Bits Server
Hi Experts
I have an issue on a Windows 2003 64-bit server: in CMC, when I'm in the authentication section and I choose SAP, the Role Import works fine and I can see the user groups from SAP BW, but the users don't appear.
I try the same thing on a Windows 2003 32-bit server with the same parameters and it works fine; I can see the user groups and the users from the same BW server.
I think it could be a problem with the 64-bit server; the issue is that the users from SAP BW are not imported.
Regards, Marvin Soto.
Hi Ingo,
we have a similar issue. Can you please help us out?
We imported users and in options we selected concurrent, and everything worked fine for up to 1 month; then automatically our license key says you have only 2 named users. We have a license key for 100 named users now. Do we need to delete all the concurrent users from SAP now and re-import them by selecting named in the options tab of SAP? What is the workaround for this? I tested by changing one of the SAP user profiles to named instead of concurrent; then I am able to log in to InfoView using SAP credentials, but when I open a report it says you don't have enough license to perform this operation. Can I know why this is happening?
Environment:
BOBJ XI 3.1, SUN SOLARIS, SAP INTEGRATION KIT.
Thanks,
SK.
Edited by: Siva Vallabhaneni on May 27, 2009 3:28 PM -
How to use Microsoft Excel dll in SQL Server Reporting Services
Hi,
Can you please explain to me the steps to use an Excel .dll in SSRS?
Hi PrakashThandra,
Based on my understanding, you have created a chart in Excel, then you want to use this chart in Reporting Services, right?
In Reporting Services, using a chart created in Excel directly is not supported. But we can use Excel as a data source to create a report; please refer to this article:
Create SSRS report using Excel Data Source Step by Step. In your scenario, since you want to use the Excel chart in Reporting Services, you could create the same report in Reporting Services; refer to this article:
Charts (Report Builder and SSRS)
If you have any question, please feel free to ask.
Best regards,
Qiuyun Yu
TechNet Community Support -
Using a BM 3.8 RADIUS Server to Assign Users to VLANs
I'm trying to use Bordermanager 3.8 RADIUS to assign VLANs to users. The
users are accessing the network via Cisco 1100 Aironet Wireless Access
Points. We have defined two VLANs on the network. One goes directly to
the internet for GUEST, VLAN1, and the other goes to our private network
MEMBERS, VLAN2. The problem I'm having is getting the RADIUS to assign
attributes to the user accounts. I need attribute: IETF 64 (Tunnel Type)
set to VLAN, IETF 54 (Tunnel Medium Type) set to 802, and IETF (Tunnel
Private Group ID) set the VLAN-ID which is 1 or 2. These attribute are
not available in the RADIUS.ATR file. Is there some way of editing the
ATR file to add these attributes? Is there another solution to assign
VLANs with Bordermanager?
> I need attributes: IETF 64 (Tunnel Type) set to VLAN, IETF 65 (Tunnel
> Medium Type) set to 802, and IETF 81 (Tunnel Private Group ID) set the
> VLAN-ID which is 1 or 2. These attributes are not available in the
> RADIUS.ATR file. Is there some way of editing the ATR file to add these
> attributes? Is there another solution to assign VLANs with Bordermanager? -
ACS for 802.1x Authentication using RSA Tokens and Microsoft PEAP
Has anyone been able to configure 802.1x authentication on Windows XP machines using RSA tokens using Cisco ACS as the RADIUS server?
I have come up with bunch of incompatibilities between the offered support e.g.
1. Microsoft PEAP does not support anything but smartcard/certificate or MSCHAP2.
2. Cisco support PEAP and inside it MSCHAP2 or EAP-GTC
We tried using RSA provided EAP client both the EAP security and EAP-OTP options within Microsoft PEAP but ACS rejects that as "EAP type not configured"
I know it works with third party EAP software like the Juniper Odyssey client and the Cisco Aegis Client, but we need to make it work with the native Windows XP EAP client.
Hi,
We have tried to do the exact same setup as you and we also failed.
When we tried to authenticate the user with PEAP-MSCHAPv2 (WinXP native) ACS gives "external DB password invalid", and does not even try (!) to send the login to the RSA server. No traffic is seen between RSA and ACS.
MS-PEAP relies on hashing the password with MS-CHAPv2 encoding. This is not reversible. RSA, on the other hand, does not require hashing of the password due to the one time nature of it. So they (RSA) don't.
When we authenticate using e.g. a 3rd party Dell-client, we can successfully authenticate using either PEAP-GTC (Cisco peap), EAP-FAST and EAP-FAST-GTC.
A list of EAP protocols supported by the RSA is attached.
Also below is the link which says the MS-PEAP is NOT supported with the RSA, please check the
table "EAP Authentication Protocol and User Database Compatibility "
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/o.htm#wp792699
What we are trying to do now in the project is leaving the AP authentication open and try to authenticate it using RADIUS through a firewall or Cisco router authentication proxy. -
802.1x MAB with Microsoft NPS ieee802Device object group
Hi,
according to http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-663759.pdf (MAC Authentication Bypass Deployment Guide as of May 2011), when you use Microsoft NPS, you cannot simply add MAC addresses as Active Directory user objects if your domain has strict password enforcement policies (because passwords are not allowed to match usernames under those circumstances). The guide mentions the use of the 'ieee802Device' class that is built into Windows Server 2003 R2 and above. I have tried to get this working (with no success...); unfortunately I did not find any guidelines on the web on how to accomplish this. What I did so far was:
- Created a new structural class "myieee802Device", based on the abstract class "ieee802Device"
- Created a new OU "ethers" in AD
- Created a simple object by means of an ldifde.exe import
dn: CN=001b21******,OU=ethers,DC=dot1x,DC=com
changetype: add
objectClass: myieee802Device
cn: 001b21******
macAddress: 00:1b:21:**:**:**
When I trigger 802.1x authentication at a supplicant, NPS does not find the device (MAC-Address) in AD.
Has anybody got this running so far?
Stefan
Stefan,
Many thanks for your reply. in my test environment, what I have encountered is:
1. I created the user account and used the mac address as account and password, which can access into the AD.
2. I enabled the MD5-Challenge function in the Windows 2008 R2 NPS server. Please refer to the link:
http://social.technet.microsoft.com/Forums/en/winserverNAP/thread/e801bdac-9347-4efb-9d7c-bcf4d64aa927
3. Created the network policy, which use the MD5 as the EAP type, and select PAP as the authentication method.
4. Enable the 802.1x and MAB function in the port of cisco 3750.
In testing, 802.1x works fine, but when I try to let it authenticate with MAB, I get the below error in the NPS event log:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: QBBB\002622c997ff
Account Name: 002622c997ff
Account Domain: QBBB
Fully Qualified Account Name: qbbb.net/Sales/002622c997ff
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 3C-DF-1E-C6-48-13
Calling Station Identifier: 00-26-22-C9-97-FF
NAS:
NAS IPv4 Address: 10.197.40.2
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Ethernet
NAS Port: 50219
RADIUS Client:
Client Friendly Name: Wired
Client IP Address: 10.197.40.2
Authentication Details:
Connection Request Policy Name: Secure Wired (Ethernet) Connections
Network Policy Name: Connections to other access servers
Authentication Provider: Windows
Authentication Server: QINGXXX1.QBBB.net
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 65
Reason: The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.
Just for you reference and hope can get you help, thanks a lot!
--Scott -
Wireless AP1140 Radius authentication with Microsoft IAS
Hi,
I have a Cisco C1140 AP. I have configured the device. Initially for testing I used WPA and authenticated locally. I have now set up a RADIUS server and added my AP in as a client etc. I have changed my SSIDs to authenticate with the RADIUS server and I am having issues authenticating.
I can connect via a PC and an iPhone. They say that I am connected but I get no IP address and the debugs state that the authentication fails:
000466: Sep 5 14:33:07.074 AEST: %DOT11-7-AUTH_FAILED: Station 40a6.d967.8b13 Authentication failed
000467: Sep 5 14:33:28.368 AEST: %DOT11-7-AUTH_FAILED: Station bc77.3771.b15f Authentication failed
000468: Sep 5 14:33:39.837 AEST: %DOT11-7-AUTH_FAILED: Station 40a6.d967.8b13 Authentication failed
I can see the Radius server as connected
imc-syd-ap1#show aaa servers
RADIUS: id 4, priority 1, host 10.10.0.2, auth-port 1645, acct-port 1646
State: current UP, duration 4337s, previous duration 0s
Dead: total time 0s, count 0
Authen: request 0, timeouts 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Author: request 0, timeouts 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Account: request 0, timeouts 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Elapsed time since counters last cleared: 1h12m
The debugs show:
000474: Sep 5 14:36:00.969 AEST: %DOT11-7-AUTH_FAILED: Station bc77.3771.b15f Authentication failed
000475: Sep 5 14:36:01.485 AEST: AAA/BIND(00000109
show dot11 associations:
imc-syd-ap1#show dot11 associations
802.11 Client Stations on Dot11Radio0:
SSID [IMC-Wireless-Data] :
MAC Address IP address Device Name Parent State
bc77.3771.b15f 0.0.0.0 ccx-client DAVID self AAA_Auth
Any ideas or recommendations would be greatly appreciated
Thanks
Below is a copy of my wireless config:
version 12.4
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname xxxxxxxxxxxxxx
logging buffered 40960 debugging
enable secret 5 xxxxxxxxxxxxx
aaa new-model
aaa group server tacacs+ IMC
server 172.16.100.3
aaa group server radius AUTHVPN
server 10.10.0.2 auth-port 1645 acct-port 1646
server 10.11.0.24 auth-port 1645 acct-port 1646
aaa authentication login default group IMC local enable
aaa authorization exec default group IMC local if-authenticated
aaa session-id common
clock timezone AEST 10
clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
no ip domain lookup
ip domain name imc.net.au
dot11 syslog
dot11 ssid IMC-Wireless-Data
vlan 10
authentication open eap AUTHVPN
authentication network-eap AUTHVPN
guest-mode
mbssid guest-mode
infrastructure-ssid optional
information-element ssidl
dot11 ssid IMC-Wireless-Voice
vlan 14
authentication open eap AUTHVPN
authentication network-eap AUTHVPN
mbssid guest-mode
information-element ssidl
dot11 aaa authentication attributes service login-only
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode wep mandatory
ssid IMC-Wireless-Data
ssid IMC-Wireless-Voice
antenna gain 0
mbssid
station-role root
interface Dot11Radio0.10
encapsulation dot1Q 10 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio0.14
encapsulation dot1Q 14
no ip route-cache
bridge-group 14
bridge-group 14 subscriber-loop-control
bridge-group 14 block-unknown-source
no bridge-group 14 source-learning
no bridge-group 14 unicast-flooding
bridge-group 14 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
encryption mode wep mandatory
ssid IMC-Wireless-Data
ssid IMC-Wireless-Voice
antenna gain 0
no dfs band block
mbssid
channel dfs
station-role root
interface Dot11Radio1.10
encapsulation dot1Q 10 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio1.14
encapsulation dot1Q 14
no ip route-cache
bridge-group 14
bridge-group 14 subscriber-loop-control
bridge-group 14 block-unknown-source
no bridge-group 14 source-learning
no bridge-group 14 unicast-flooding
bridge-group 14 spanning-disabled
interface GigabitEthernet0
description IMC-Wireless-Data
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
interface GigabitEthernet0.10
description IMC-Wireless-Data
encapsulation dot1Q 10 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface GigabitEthernet0.14
description IMC-Wireless-Voice
encapsulation dot1Q 14
no ip route-cache
bridge-group 14
no bridge-group 14 source-learning
bridge-group 14 spanning-disabled
interface BVI1
description IMC-Wireless-Data
ip address 10.10.0.245 255.255.255.0
no ip route-cache
ip default-gateway 10.10.0.254
ip http server
ip http authentication local
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
access-list 111 permit tcp any any eq telnet
access-list 111 permit tcp any any eq www
access-list 111 permit tcp any any eq 22
snmp-server community public RO
snmp-server enable traps tty
tacacs-server host 172.16.100.3 key 7 xxxxxxxxxxxxxxxxxxx
tacacs-server directed-request
radius-server host 10.10.0.2 auth-port 1645 acct-port 1646 key 7 xxxxxxxxxxxxxxxxxxx
bridge 1 route ip
wlccp wds aaa authentication attributes service login-only
line con 0
line vty 0 4
access-class 111 in
exec-timeout 5 0
line vty 5 15
access-class 111 in
exec-timeout 5 0
sntp server 10.10.0.254
end
Inside the ssid, when you put "authentication open" it's an eap_method that follows. You put your AUTHVPN aaa server group name; that's wrong.
aaa authentication login group AUTHVPN
and adjust your "authentication open eap " to match with that method name.
Also your group authvpn contains a 2nd server that is undefined in your global config ...
Nicolas -
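The wiring Nicolas describes, written out as an added example (this is editor-added illustration, not configuration from the original post or from Cisco). It assumes a method-list name, EAP_METHODS, which does not appear in the posted config; the server group AUTHVPN, the SSID IMC-Wireless-Voice and the RADIUS server 10.10.0.2 with ports 1645/1646 are taken from the configuration posted above, and the shared secret is a placeholder.

```cisco
! Added example, not the poster's config. Assumed name: EAP_METHODS (method list).
!
! As posted (wrong): the SSID names the server group directly.
!   dot11 ssid IMC-Wireless-Voice
!    authentication open eap AUTHVPN
!    authentication network-eap AUTHVPN
!
! Corrected: "authentication open eap <name>" takes the name of an
! "aaa authentication login" method list, and that list is what points
! at the server group.
aaa new-model
!
! Every "server" entry inside the group must match a global radius-server host
! line; a group member with no global definition is never contacted.
radius-server host 10.10.0.2 auth-port 1645 acct-port 1646 key <shared-secret>
!
aaa group server radius AUTHVPN
 server 10.10.0.2 auth-port 1645 acct-port 1646
!
! EAP_METHODS is the method-list name; AUTHVPN is the server group it uses.
aaa authentication login EAP_METHODS group AUTHVPN
!
dot11 ssid IMC-Wireless-Voice
 vlan 14
 authentication open eap EAP_METHODS
 authentication network-eap EAP_METHODS
 mbssid guest-mode
!
! Check that the list resolves to a reachable server before testing clients:
!   show aaa servers
!   debug radius authentication
```

Two things visible in the posted configuration are worth fixing at the same time, independent of the method-list issue: both radios run `encryption mode wep mandatory` (WEP, which offers no real confidentiality), SNMP is exposed with the `public` read-only community, and management is allowed over telnet and plain HTTP (ACL 111 permits both, and `no ip http secure-server` leaves HTTPS off). The RADIUS and TACACS+ keys are stored as type 7, which is reversible, so treat the pasted config as containing those secrets.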
Can I use Microsoft Office with Lion?
I am working with someone who has a PC computer using the windows VISTA operating system.
My computer is the original flat panel iMac with Mac OS X 10.4.11.
I would like to purchase another Mac but most importantly I need to be able to run Microsoft Office.
Knowledgeable guidance and advice is requested.
Be aware of one issue: if you are using Microsoft Exchange and the version is 2007R1 sp3 or earlier you must use Office 2008, as 2011 only supports R1 sp4 or later.
-
Receive Original Email Whenever I Reply to an Email Using Microsoft Outlook Exchange Server
This is a problem I've seen other people post about, but I haven't found a solution. Whenever I reply to an email using Microsoft Outlook 2007 with Exchange Server on my computer, I receive a copy of the original email (not the reply, but the original email that I replied to) on my Curve. My BB email is set up with BIS and my carrier is Verizon, but I've seen people post about this with other carriers.
Apparently there is some kind of incompatibility between Microsoft Exchange Server and BIS that is causing this problem.
This is a huge pain, because every time I reply to an email, I have to delete a copy of the original email on my BlackBerry.
Does anyone know the solution to this?
Under "Tools", "Options", "Applications" on my computer there isn't a "mailto", so these instructions don't work. Any other ideas?