LEAP Radius proxy with PEAPv0

I'm doing a lab using Cisco ACS 4.1 LEAP Proxy RADIUS External User Database, and it works fine but I don't understand why. So, I don't know if it's a stable solution.
I have the following scenario:
WinXP SP2
PEAPv0 (EAP-MSCHAPv2)
|
v
Cisco 3640
802.1x Wired Port Access Control
|
v
Cisco ACS 4.1
External User Database
LEAP Proxy RADIUS
|
v
Freeradius 2.0.1
MS-CHAPv1 user + MPPE MS Extension
I'm using the native WinXP SP2 802.1x supplicant client (EAP-MSCHAPv2) to link to a Cisco 3640 FE port protected by dot1x. The IOS is configured to authenticate with a Cisco ACS 4.1, where I created a user that uses a LEAP Proxy RADIUS as External User Database, with a Freeradius in the backend as destination.
Then, I configured the Freeradius to authenticate the user using MSCHAPv1 (+ MS-CHAP-MPPE-Keys with the use_mppe parameter option set in the config). And it works!
So, my questions are:
1) Does the Cisco ACS LEAP Proxy RADIUS feature work also with PEAPv0?
3) Does the ACS internally translate the MSCHAPv2 challenge response to a MSCHAPv1 challenge response? Are they compatible?
2) Is this a stable solution?
Regards
FP

Thanks for your reply, but I'm sure the ACS can internally translate the challenges, because my lab works. Please remember, my WinXP is configured to use MSCHAPv2, and my Freeradius is configured to use MSCHAPv1. The only restrictions they have are that the Freeradius has to send the MS-CHAP-MPPE-Keys, and the Cisco ACS has to be configured to use LEAP Proxy RADIUS as External User Database.
Another interesting test I did was to modify the MS-CHAP-MPPE-Keys in the freeradius response (changing the rlm_mschap module). Normally it's composed of 8 bytes from LM-Password (a hash of the plain password) and 16 bytes from NT-Password (another hash of the plain password). Changing the LM-Password portion to zeros, the authentication still works! But changing one byte of the NT-Password portion, the authentication fails... so, only the NT-Password is needed to proxy MSCHAPv2 to MSCHAPv1.
My problem is that my backend RADIUS only supports MSCHAPv2, and I need to put the Cisco ACS in the frontend. So, the question is, is it theoretically possible to proxy MSCHAPv1 to MSCHAPv2? If it's possible, I will probably use a Freeradius to work as a proxy between them...

Similar Messages

  • ASA cut through proxy with RADIUS challenge response?

    Have this working for IPSEC VPN on same box (tested on 8.2.1 and 8.2.3)
    Want to do cut through proxy with challenge response - same ASA and same RADIUS server but using aaa authentication match command and this is what happens...
    It looks like the ASA sends a completely different radius authentication request than with VPN authentication request. Is there any way to specify what request is sent?
    What the RADIUS Server sees with ASA VPN auth - THIS WORKS OK (included for comparison)
    Date: 15/11/2010
    Time: 3:53:57 PM
    Type: Information
    Source: Server
    Category: RADIUS
    Code: I-006001
    Description: A RADIUS Access-Request has been received.
    AMID: 0xC8500B80B3D8F49C6CB37E5D32DA6682
    Details:
    Source Location : 10.xx.21.24
    Client Location : 10.xx.21.230:1025
    Request ID : 31
    Password Protocol : PAP
    Input Details : RADIUS Code:1, RADIUS Id:31, , User-Name:xxxx, User-Password:******, NAS-IP-Address:10.xx.21.230, NAS-Port:31, NAS-Port-Type:Virtual, vendor(9):attrib(1):0x1A2000000009011A69703A736F757263652D69703D31302E32312E352E313137, Calling-Station-Id:ip:source-ip=10.21.5.117
    Action : Process
    What the RADIUS Server sees with ASA cut thru - THIS FAILS (any help V welcome)
    Date: 17/11/2010
    Time: 2:29:31 PM
    Type: Warning
    Source: Server
    Category: RADIUS
    Code: W-006001
    Description: An invalid RADIUS packet has been received.
    AMID: 0xC19D988F83365F20151C3F6339DEC74B
    Details:
    Source Location : 10.xx.21.24:1812 (Authentication)
    Client Location : 10.xx.21.230:1025
    Reason : The sub-protocol of the received RADIUS packet cannot be determined
    Request ID : 33
    Input Details : 0x01210066055A8B6881266714BDB20380B9FE5FAC01066962333504060AC815E60506000000203D06000000051A2000000009011A69703A736F757263652D69703D31302E34302E352E3131311F1A69703A736F757263652D69703D31302E34302E352E313131
    Request Type : Access-Request
    Thanks in advance
    IB

    Hi Ian,
    sorry for the late reaction - do you still need help with this?
    The difference between the working (VPN) auth and the failing (CTP) auth seems to be that VPN is using PAP (so no challenge-response!) while the CTP is using MS-Chapv2
    So my guess is that your Radius server does not support MS-Chapv2. If that is the case then you may want to try this:
    aaa-server () host
    no mschapv2-capable
    Although this command is not really meant to be used in this scenario, so I'm not sure if it will work but I'm hoping it will make the ASA revert to PAP for all auth requests to this host.
    Note that you won't be doing challenge/response, so your passwords will be transmitted over the wire (encrypted).
    hth
    Herbert
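
Added example (not part of the thread and not code from either poster): a small RADIUS decoder run over the hex dump from the failing request above, listing its attributes and checking which credential-carrying attribute is present. The dump contains none of them, which matches the server's "sub-protocol ... cannot be determined" message; the second packet is constructed here for contrast, and the function names are this example's own.

```python
import struct

# Hex copied from the "Input Details" field of the failing request in the post above.
FAILING_REQUEST_HEX = (
    "01210066055A8B6881266714BDB20380B9FE5FAC"
    "01066962333504060AC815E60506000000203D0600000005"
    "1A2000000009011A69703A736F757263652D69703D31302E34302E352E313131"
    "1F1A69703A736F757263652D69703D31302E34302E352E313131"
)

# Attribute numbers from RFC 2865 / RFC 3579 (only the ones needed here).
ATTR_NAMES = {
    1: "User-Name", 2: "User-Password", 3: "CHAP-Password",
    4: "NAS-IP-Address", 5: "NAS-Port", 26: "Vendor-Specific",
    31: "Calling-Station-Id", 61: "NAS-Port-Type", 79: "EAP-Message",
}
VENDOR_MICROSOFT = 311                            # RFC 2548 vendor id
MS_SUBTYPES = {1: "MS-CHAPv1", 25: "MS-CHAPv2"}   # MS-CHAP-Response, MS-CHAP2-Response


def parse_radius(raw: bytes) -> dict:
    """Split a RADIUS packet into header fields and (type, value) attributes."""
    if len(raw) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length > len(raw):
        raise ValueError("length field does not fit the captured data")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = raw[pos], raw[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute %d has a bad length" % a_type)
        attrs.append((a_type, raw[pos + 2:pos + a_len]))
        pos += a_len
    return {"code": code, "id": ident, "length": length,
            "authenticator": raw[4:20], "attrs": attrs}


def credential_kinds(packet: dict) -> list:
    """Name every password sub-protocol whose attribute appears in the packet."""
    kinds = []
    for a_type, value in packet["attrs"]:
        if a_type == 2:
            kinds.append("PAP")
        elif a_type == 3:
            kinds.append("CHAP")
        elif a_type == 79:
            kinds.append("EAP")
        elif a_type == 26 and len(value) >= 6:
            vendor = int.from_bytes(value[:4], "big")
            if vendor == VENDOR_MICROSOFT and value[4] in MS_SUBTYPES:
                kinds.append(MS_SUBTYPES[value[4]])
    return kinds


def describe(packet: dict) -> list:
    """One readable line per attribute; values are not printed."""
    return ["%-18s type=%-3d value_len=%d"
            % (ATTR_NAMES.get(t, "unknown"), t, len(v))
            for t, v in packet["attrs"]]


def build_pap_request() -> bytes:
    """Constructed Access-Request with a User-Password attribute (dummy bytes)."""
    attrs = bytes([1, 6]) + b"demo" + bytes([2, 18]) + bytes(16)
    return struct.pack("!BBH", 1, 31, 20 + len(attrs)) + bytes(16) + attrs


if __name__ == "__main__":
    failing = parse_radius(bytes.fromhex(FAILING_REQUEST_HEX))
    print("code=%d id=%d length=%d" % (failing["code"], failing["id"], failing["length"]))
    print("\n".join(describe(failing)))
    print("credential attributes:", credential_kinds(failing) or "none")
    print("constructed PAP packet:", credential_kinds(parse_radius(build_pap_request())))
```
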

  • ISE acting as Radius Proxy Client?

    Hi,
    I have an issue where a remote company has their internal radius server and I have my ISE radius server.
    When their users come to my site, they can authenticate with my wireless and my ISE server proxies the request to their home site to be authenticated and tells me if I should allow them access or not.
    So standard radius proxy and it all works well when my ISE server begins the exchange.
    However if my staff go to their site the reverse is not working, they are proxying the requests back OK, and I can see on the firewall and router the incoming radius packets destined to my ISE server. But there is no record on the ISE server of ever receiving them and it all times out.
    Is there something I need to do to allow ISE to act as the client in a radius proxy set up?
    Cheers.
    Oh I am running version 1.2

    Hi Aaron,
    Check the Cisco ISE dashboard (Operations > Authentications) for any indication regarding the nature of RADIUS communication loss. (Look for instances of your specified RADIUS usernames and scan the system messages that are associated with any error message entries.)
    Log into the Cisco ISE CLI and enter the following command to produce RADIUS attribute output that may aid in debugging connection issues:
    test aaa group radius new-code
    If this test command is successful, you should see the following attributes:
    Connect      port
    Connect NAD      IP address
    Connect      Policy Service node IP address
    Correct      server key
    Recognized      username or password
    Connectivity      between the NAD and Policy Service node
    You can also use this command to help narrow the focus of the potential problem with RADIUS communication by deliberately specifying incorrect parameter values in the command line and then returning to the administrator dashboard (Operations > Authentications) to view the type and frequency of error message entries that result from the incorrect command line. For example, to test whether or not user credentials may be the source of the problem, enter a username and or password that you know is incorrect, and then go look for error message entries that are pertinent to that username in the Operations > Authentications page to see what Cisco ISE is reporting.)
    Note This command does not validate whether or not the NAD is configured to use RADIUS, nor does it verify whether the NAD is configured to use the new AAA model.
    The Cisco ISE network enforcement device (switch) is missing the radius-server vsa send accounting command.
    Verify that the switch RADIUS configuration for this device is correct and features the appropriate command(s).
    For more details please go through the following link:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/troubleshooting_guide/ise_tsg.html#pgfId-192989

  • ACS 5.1 - RADIUS Proxy Accounting Logs

    Recently I'm using ACS 5.1 to support external RADIUS Servers, and read the manuals to process with the following workflow.
    Install Linux RADIUS Service (this part was tested)
    Install FreeRADIUS Service
    Add new linux user account
    Cisco ACS 5.1
    Add External RADIUS servers
    Network Resources -> External RADIUS Servers
    Add informations.
    Add RADIUS Proxy Service
    Access Policies -> Access Services
    Create with User Selected Service Type , RADIUS Proxy
    Advanced Options -> Accounting
    Remote Accounting and Local Accounting enabled
    Access Policies -> Access Services -> Service Selection Rules
    Create #1 rule , Conditions : match Radius , Results : RADIUS Service
    Add Network Resources for accepting network
    Network Device Groups -> Network Devices and AAA Clients
    Enable RADIUS Debug Messages
    System Administration > Configuration > Log Configuration  > Logging Categories > Global > Edit: "RADIUS Diagnostics"
    Configure Log Category Log Severity : DEBUG
    Add 3GPP VSA
    Send out Radius Accounting Packet to ACS
    ACS got the Packet, but didn't redirect to External Radius Server
    I got this message from ACS 5.1
    Others is 'Failed to forward request to current remote RADIUS server; an invalid response was received.' in the iv.csv file.
    There are two problems.
    RADIUS Accounting Packets didn't redirect to external server, but it works without proxy. (Auth is ok.)
    Other Attributes didn't collect all informations, and even the debug is enabled.

    Hi Steve,
    The shared secret is 100% correct.
    Finally I find out that there may be some white lists for attributes.
    If I keep NAS-Identifier , it will work.
    But it can't pass all VSA (3GPP sub-attributes) , it only shows one or three in BOTH ACS and RADIUS Server.
    The other is the RADIUS VSA User Define Options (which is in SA > C > D > P > RADIUS > RADIUS VSA > Edit ) .
    When 'Vendor Length Field Size' changes to 0 , All sub-attributes pass through ACS .
    The RADIUS Server gets the message from NSA.
    Of course, there is the Proxy-State attribute.
    In this condition, the ACS has incorrect output in the sub-attribute.
    Now I try 5.2 to see the problem exist or not.

  • WLC 7.6.120.0 Radius problems with FreeRadius server

    Hi there
    we have 3 WLC 5508 with version 7.6.120.0 and 2 FreeRadius servers. In the WLC log we see a lot of "radius auth-server unavailable" messages and some users can not authenticate against our dot1x (PEAP).
    The problems occur most of the time, when there are a lot of WLAN clients trying to connect to the SSID at the same time.
    Does anybody have the same problems or are there any known bug for this phenomena?
    Thanks in advance and best regards
    Anna

    Hi Anna
    your problem seems to be this bug here: https://tools.cisco.com/bugsearch/bug/CSCuo96366
    Symptom:
    Clients are not able to Authenticate at Peak loads when using FreeRadius.
    Conditions:
    Using FreeRadius (most susceptible), we observe at high auth rate and if Radius server is not responding to all Radius packets in seq order or if the server is slow, WLC when wraps around 0-255 Radius ID's, it does not do a check when posting new packet.
    So essentially you have 2 packets with same ID being presented to AAA server.
    Workaround:
    Recovers when load is reduced.
    Further Problem Description:
    So far, issue has not been brought to notice while using ISE/ACS/NPS.
    There are two possible solutions I see:
    1. Downgrade to an earlier WLC version <7.6 (e.g. 7.4.121.0)
    2. Try to have another radius server in between (radius proxy, e.g. Cisco ACS or Microsoft NPS)
    Best regards
    Dominic
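
Added example (not part of the thread, not Cisco or FreeRADIUS code): detection logic for the condition described in the bug text, where a new request reuses a RADIUS ID that is still outstanding after the 0-255 counter wraps. It assumes request/reply events have already been extracted from a capture; the event tuple, the sample traffic and the 192.0.2.10 client address are constructed for the example.

```python
import hashlib
from collections import namedtuple

# One observed packet: kind is "request" or "reply"; src/sport identify the
# RADIUS client socket, ident is the 8-bit RADIUS Identifier.
Event = namedtuple("Event", "t kind src sport ident authenticator")


def find_id_collisions(events):
    """Return (collisions, retransmits).

    A server matches requests by (client IP, client UDP port, Identifier).
    Same key + same Request Authenticator while unanswered = retransmission.
    Same key + different authenticator while unanswered = two distinct
    requests sharing one ID, which is the collision the bug describes.
    """
    outstanding = {}          # key -> (authenticator, time first seen)
    collisions, retransmits = [], 0
    for ev in events:
        key = (ev.src, ev.sport, ev.ident)
        if ev.kind == "reply":
            outstanding.pop(key, None)
            continue
        pending = outstanding.get(key)
        if pending is None:
            outstanding[key] = (ev.authenticator, ev.t)
        elif pending[0] == ev.authenticator:
            retransmits += 1
        else:
            collisions.append({"ident": ev.ident, "first_seen": pending[1],
                               "reused_at": ev.t, "src": ev.src, "sport": ev.sport})
            outstanding[key] = (ev.authenticator, ev.t)
    return collisions, retransmits


def build_sample(client="192.0.2.10", sport=32770):
    """Constructed traffic: 260 requests from one socket, so IDs 0-3 are reused.

    The server never answers requests 1 and 3, and request 5 is retransmitted
    once, so the wrap-around reuses IDs 1 and 3 while they are still pending.
    """
    events, t = [], 0
    for n in range(260):
        ident = n % 256
        auth = hashlib.sha256(b"req-%d" % n).digest()[:16]
        events.append(Event(t, "request", client, sport, ident, auth))
        t += 1
        if n == 5:                         # plain retransmission, same packet
            events.append(Event(t, "request", client, sport, ident, auth))
            t += 1
        if n not in (1, 3):                # slow/unresponsive server for 1 and 3
            events.append(Event(t, "reply", client, sport, ident, b""))
            t += 1
    return events


if __name__ == "__main__":
    found, resent = find_id_collisions(build_sample())
    for c in found:
        print("ID %(ident)d reused at t=%(reused_at)d while request from "
              "t=%(first_seen)d was unanswered (%(src)s:%(sport)d)" % c)
    print("retransmissions:", resent)
```
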

  • Sample config requested: IOS AP with WPAv2 with PEAPv0 aka EAP-MSCHAPv2

    Would someone be kind enough to share a sanitized config with me for the following:
    AIR-LAP1131AG-A-K9 LWAP converted to autonomous mode running IOS v12.3(8)JEA
    WPAv2 with PEAPv0 aka EAP-MSCHAPv2.
    Thanks,
    Richard

    Hello,
    Here's what I would use. The AP is actually unaware of the EAP type:
    aaa group server radius rad_eap
     server RADIUS_IP auth-port 1812 acct-port 1813
    aaa authentication login eap_methods group rad_eap
    aaa authorization exec default local
    aaa session-id common
    dot11 ssid SSID_PRIVATE
     VLAN X
     authentication open eap eap_methods
     authentication key-management wpa
     guest-mode
    username cisco password 0 cisco
    bridge irb
    interface Dot11Radio0
     no ip address
     no ip route-cache
     encryption vlan x mode ciphers aes-ccm
     broadcast-key vlan x change 360
     ssid SSID_PRIVATE
    interface Dot11Radio0.x
     encapsulation dot1Q x
    interface FastEthernet0.x
     encapsulation dot1Q x
    radius-server attribute 32 include-in-access-req format %h
    radius-server host RADIUS_IP auth-port 1812 acct-port 1813 key 0 RADIUS_KEY
    radius-server timeout 30
    radius-server vsa send accounting
    Serge

  • IIS Reverse Proxy with URL rewrite.

    Hi all, hoping to leverage the wealth of knowledge contained here.
    Any assistance would be very welcome.
    I'm having an issue getting a reverse proxy and URL rewrite working in IIS 7.0.
    I need to redirect all requests with a specific virtual directory suffix only.
    ie; https://domain.test.com/outbound/Content/query_etc
    With /Outbound/ being the trigger.
    This should be redirected to http://10.10.10.10/inbound/Content/query_etc
    While at the same time, requests without the /outbound/ suffix should be handled locally.
    I have configured the reverse proxy as described in a few articles, and have had no luck.
    Here's a snippet from my (sanitized) web.config at the site level.
    <rewrite>
    <outboundRules>
    <rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1">
    <match filterByTags="A" pattern="^http(s)?://10.10.10.10/inbound/(.*)" />
    <action type="Rewrite" value="https://domain.test.com/outbound/{R:2}" />
    </rule>
    <preConditions>
    <preCondition name="ResponseIsHtml1">
    <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
    </preCondition>
    </preConditions>
    </outboundRules>
    <rules>
    <rule name="ReverseProxyInboundRule1" stopProcessing="true">
    <match url="^outbound/(.*)" />
    <action type="Rewrite" url="http://10.10.10.10/inbound/{R:1}" appendQueryString="true" logRewrittenUrl="false" />
    </rule>
    </rules>
    </rewrite>
    To me, this looks correct, yet it doesn't work.
    With this, I get the normal 404 - Error Code 0x80070002, with the text indicating the local directory doesn't exist, so.... not being picked up by the filter for redirection.

    Hi Andrew,
    Looking at your requirements it appears you need Reverse Proxy To Another Site/Server.
    By using URL Rewrite Module together with
    Application Request Routing module you can have IIS 7 act as a
    reverse proxy.
    It seems like URL Rewrite can't re-route the request somewhere else out of the server.
    Even when you rewrite the url the actual connection remains with the server. Hence if your original server doesn't have /inbound/Content/query_etc  it will fail with 404.
    Hosting multiple domain names under a single account using URL Rewrite.
    It’s a common desire to have a single IIS website that handles multiple sites with different domain names.
    References:
    How to create a url alias using IIS URL Rewrite:
    http://blogs.technet.com/b/mspfe/archive/2013/11/27/how-to-create-a-url-alias-using-iis-url-rewrite.aspx
    Reverse Proxy with URL Rewrite v2 and Application Request Routing:
    http://www.iis.net/learn/extensions/url-rewrite-module/reverse-proxy-with-url-rewrite-v2-and-application-request-routing
    Regards,
    Satyajit

  • Trying to setup a RADIUS connection with challenge response

    I need to test a RADIUS authentication and I've read note id 272804.1 and http://download.oracle.com/docs/cd/B19306_01/network.102/b14268/asoradus.htm.
    I'm trying to connect from DEVDB machine using sqlplus as client and connect to the local database server 10gr2 which then should act as RADIUS client to finally try to reach another machine with hostname DEVRADIUS.
    I'm using freeRadius which delegate authentication and authorization phases to a OTP service. Other middleware services are able to use this kind of RADIUS authentication with no problem: so this radius configuration is perfectly working for other clients.
    I've done some tests, but I'm not able to connect to DEVRADIUS from the Oracle database.
    Executing ./adapters and ./adapters ./oracle showed me the RADIUS authentication is available.
    When I try to connect using my external user I'm receiving the following error:
    ORA-12638: Credential retrieval failed
    A firewall exists between the database server and clients, but the port 1812 used to connect my database DEVDB to radius server DEVRADIUS has been open (UDP)
    My sqlnet.ora
    # sqlnet.ora Network Configuration File: /u01/app/oracle/product/10.2.0/db_1/network/admin/sqlnet.ora
    # Generated by Oracle configuration tools.
    SQLNET.AUTHENTICATION_SERVICES= (RADIUS)
    SQLNET.RADIUS_PORT= (1812)
    SQLNET.RADIUS_AUTHENTICATION_PORT = 1812
    SQLNET.RADIUS_SECRET = (/u01/app/oracle/product/10.2.0/db_1/network/security/radius.key)
    SQLNET.RADIUS_AUTHENTICATION_TIMEOUT = 10
    SQLNET.RADIUS_AUTHENTICATION = DEVRADIUS
    SQLNET.RADIUS_CHALLENGE_RESPONSE = (ON)
    SQLNET.RADIUS_CHALLENGE_KEYWORD = (CHALLENGE)
    NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
    Into /u01/app/oracle/product/10.2.0/db_1/network/security/radius.key there's only the shared secret RADIUS key.
    Previously I've created this user:
    SQL> create user rad_user identified externally;
    SQL> grant connect, resource to rad_user;
    SQL> show parameter OS_A
    NAME TYPE VALUE
    os_authent_prefix string
    remote_os_authent boolean FALSE
    SQL> show parameter OS_RO
    NAME TYPE VALUE
    os_roles boolean FALSE
    remote_os_roles boolean FALSE
    This is the error I receive:
    sqlplus /nolog;
    SQL> connect /@DEVDB;
    ERROR:
    ORA-12638: Credential retrieval failed
    On RADIUS server started in debug mode, I don't see any attempt to connect.
    Any suggestions?

    loqs wrote:You built the package (using --asroot with makepkg is not a good idea ) but you did missed Install_the_package
    Also see Kernel_Modules so the module is loaded automatically at boot.
    Seriously? I spent that many hours searching for my several error messages, trying to solve them, not wanting to ask for help without putting too much of my own effort into it and when I finally decide to ask for help it is when I didn't get a super essential thing like makepkg doesn't install and is merely to create .pkg.tar.xz?? Oh gosh... (;
    Well, thank you! I guess I'll take my next change to use Google to find out how to use makepkg without --asroot. Yes, wl is loaded now and it's set as the kernel driver in use!
    Unfortunately, after ip link set wlp2s0 up and typing dmesg | grep wl I get:
    wl: module license 'Mixed/Proprietary' taints kernel.
    wlan0: Broadcom BCM4727 802.11 Hybrid Wireless Controller 6.30.223.248 (r487574)
    systemd-udevd[148]: renamed network interface wlan0 to wlp2s0
    wl 0000:02:00.0: no hotplug settings from platform
    wl 0000:02:00.0: no hotplug settings from platform
    wl 0000:02:00.0: no hotplug settings from platform
    wl 0000:02:00.0: no hotplug settings from platform
    And therefor: No firmware loaded. Google doesn't give much about this message but hints to PCI or PCI-Express not working as it should. I found this and tried starting with pciehp.pciehp_force=1 and ordered a modprobe acpiphp but nothing changed.

  • SOAP to Abap Proxy with attachment

    Hi Experts,
    i am facing one problem while developing one interface from SOAP to ABAP Proxy with attachment.
    the sender system is sending empty soap message but with all its content in the attachment.
    we need to parse the attachment and send the data to ECC system through proxy.
    we made some research on SDN and found out that in sender soap adapter PayloadSwapBean is not supported.
    however in receiver XI adapter the module tab is not editable.
    could you suggest any solution to handle this interface?
    thanks in advance.

    Hi Aditya,
    Can you just try to  use SOAP with Servlet(Axis) protocol, since standard SOAP sender does not allow modules to be used.
    please refer http://help.sap.com/saphelp_nw04/helpdata/en/45/a39e244b030063e10000000a11466f/frameset.htm
    The first attachment is put in the main payload; further attachments become attachments of the XI message.
    http://help.sap.com/saphelp_nw70/helpdata/EN/45/a4f8bbdfdc0d36e10000000a114a6b/frameset.htm
    Regards,
    Srinivas

  • Java client for OSB proxy with JMS Transport

    Hi,
    I am trying to call OSB proxy with JMS Transport. I am generating the client through ant task clientgen and following this article
    http://www.oracle.com/technetwork/articles/murphy-soa-jms-092653.html
    The osb proxy is req-response and is simply routing to BS which return a string value.
    When I run my client, it get stuck and does not return at all. Has any one trying java client in such scenario?
    What I may be missing?
    Below is snipped of client code:
    String url = "http://localhost:7021/sbresource?PROXY/MySample/MyJMSProxyService";
    CreditLoanApprovalServiceSoapBindingQSService service = new CreditLoanApprovalServiceSoapBindingQSService_Impl(url);
    MyPortType port = service.getCreditLoanApprovalServiceSoapBindingQSPort();
    LoanStruct in = new LoanStruct(); //populated the data structure
    String loanResult = port.processLoanApp(in); // Stuck here without any error
    System.out.println("LoanResult--> " + loanResult);
    Thx
    /Ashwani

    http://localhost:7021/sbresource?PROXY/MySample/MyJMSProxyService is the WSDL URL of the proxy.
    Transport is is picked by the client from wsdl.
    As far as the documentation of client generation is there, there is no change.
    But meanwhile I have started working on sending the message directly to queue. JMSProxy is getting called. May be I will first run the proxy this way and then try troubleshooting the java client.
    Regards
    Ashwani

  • ABAP client proxy With Receiver JDBC Adapter

    Hello Experts,
    I am working on a scenerio ABAP client proxy With Receiver JDBC Adapter.
    The client proxy program will fetch the master data related to equipment in plant maintenance module and  will update the sql database through Receiver JDBC Adapter .
    my requirement is if the equipement is created in sap then the  scheduled job has to trigger the client proxy program and send the message with status 'created'  to sql data base.
    if the equipment is modified in sap then the scheduled job has to trigger the client proxy program and send the message with status 'modify' to sql data base.
    please let me know how can i write the logic/code for this scenerio in client proxy program.
    Tables for equipment master i am using  is EQUI and fields are   ERDAT and AEDAT which is created date and modified date.
    fields for scheduling start date is tbtcp-sdldate.
    Thanks in advance.
    Ram.

    Hello Ram,
       Here you can check if updated date field is not empty then send status as created and if this field is not blank then send status as modified record.
    Monica

  • How to create Web Service Proxy with help of WSDL.

    Hi ,
    How to create Web Service Proxy with help of WSDL .
    Please help me .
    Thanks in advance for reply .

    check out this article. It has all the details
    http://www.oracle.com/technology/products/jdev/howtos/1013/wsadf/adfcomplexwstypes.html

  • ACS 5.1 RADIUS Proxy - Adding RADIUS attributes

    Is there anyway under ACS 5.1 to add RADIUS attributes to outgoing RADIUS proxy auth requests or failing this to RADIUS proxy accounting updates?
    As soon as I configure a RADIUS proxy services, there is little config I can do other than to say whether or not the prefix and suffix is to be stripped.
    I can add these attributes if using an external RADIUS box as an identity store, but I cannot do this for this particular service and instead I need to use RADIUS proxying.
    Thanks
    Paul


  • Cisco ISE - radius proxy

    Hi,
    Is the following possible:
    - let the ISE do the authentication and then proxy to another radius server which does the authorization.
    At the moment we have a freeradius server that does the following:
    1) authenticates 802.1x requests (eap-tls)
    2) during authorization the server checks an external database that determines the vlan that should be returned (in radius attribute) based on originating switch and/or mac address.
    I am checking if I can migrate to ISE but then the above would have to work.
    For MAB I can easily do authentication/authorization on freeradius so I will proxy MAB requests to there.
    regards
    Thomas

    ISE acts as a RADIUS proxy server by proxying the requests from a network access device (NAD) to a RADIUS server. The RADIUS server processes the request and returns the result to Cisco ISE. Cisco ISE then sends the response to the NAD.
    FYI
    you can use the RADIUS server sequences to proxy the requests to a RADIUS server.
    The RADIUS server sequence strips the domain name from the RADIUS-Username attribute for RADIUS authentications. This domain stripping is not applicable for EAP authentications, which use the EAP-Identity attribute. The RADIUS proxy server obtains the username from the RADIUS-Username attribute and strips it from the character that you specify when you configure the RADIUS server sequence. For EAP authentications, the RADIUS proxy server obtains the username from the EAP-Identity attribute. EAP authentications that use the RADIUS server sequence will succeed only if the EAP-Identity and RADIUS-Username values are the same.

  • ISG Debug - IP configuration missing for radius proxy session initiation

    Folks,
    We are trying to configure the ISG as a Radius-Proxy for EAP Authentication. I have configured aaa server radius proxy, clients and aaa auth radius-proxy group as per the guide. I have my interface config as follows:
    interface TenGigabitEthernet0/2/0.205
    encapsulation dot1Q 205
    ip vrf forwarding CS
    ip address 10.20.0.1 255.255.224.0
    ip helper-address global 172.X.X.X
    no ip redirects
    no ip proxy-arp
    ip tcp adjust-mss 1420
    service-policy type control DEFAULT_RULES
    ip subscriber l2-connected
      initiator dhcp
      initiator radius-proxy
      arp ignore local
    When I try to connect a wifi client to an AP, I can see that the AP is forwarding the Access-Request to the ISG but the ISG does not forward it to the AAA. In the ISG debug I see the following message:
    RADIUS: IP configuration missing for radius proxy session initiation
    Can any one help to identify what is missing here pls?
    Thank You in advance!

    Kiran,
    Did you follow this guide? It looks like the interface configuration is there but you didn't include the actual radius configuration. Does it follow the guide here -
    http://www.cisco.com/en/US/docs/ios/isg/configuration/guide/isg_radius_proxy.html#wp1055053
    Thanks,
    Tarik Admani
