LMS , AAA via Radius and cisco AV pair

We are trying to authenticate users on a Ciscoworks LMS server 2.6 using Radius.
Is there a radius vendor specific attribute that can be used to make the authenticated user part of the admin groups ?
Ex: a Cisco-AV-pair, "LMS":groups="Network Administrator"
I have tried a few, but none seem to work. And I haven't found documentation on this.

No, it is pure authentication that is done.
There is no way to select a role in LMS based on an AV pair.
With tacacs+ something like that is possible.
Cheers,
Michel

Similar Messages

  • Novell Radius and Cisco 1841 router

    I tried to set up NW Radius and it all seems to be set up perfectly according to this TID# http://support.novell.com/cgi-bin/se...?/10078616.htm
    But when someone tries to connect through my Cisco VPN I get this error:
    [2005-05-19 05:03:26 PM] Access request dropped
    <trusted IP>, <Cisco connect group>, Unkown radius client
    I entered the <trusted ip> as a client in Console One and chose Cisco as the vendor (also tried Generic radius).
    <cisco connect group> is the authentication group I setup in the router, and must be entered before connecting through VPN.
    Any clues would be appreciated.

    Jepe,
    It appears that in the past few days you have not received a response to your posting. That concerns us, and has triggered this automated reply.
    Has your problem been resolved? If not, you might try one of the following options:
    - Do a search of our knowledgebase at http://support.novell.com/search/kb_index.jsp
    - Check all of the other support tools and options available at http://support.novell.com in both the "free product support" and "paid product support" drop down boxes.
    - You could also try posting your message again. Make sure it is posted in the correct newsgroup. (http://support.novell.com/forums)
    If this is a reply to a duplicate posting, please ignore and accept our apologies and rest assured we will issue a stern reprimand to our posting bot.
    Good luck!
    Your Novell Product Support Forums Team
    http://support.novell.com/forums/

  • Cisco Prime Infrastructure 2.1 GUI authentication via RADIUS server (Cisco ISE 1.2 integrated with AD)

    Hi,
    I want to access Cisco PI 2.1 GUI using my AD credentials, so on PI I've enabled RADIUS AAA Mode and added RADIUS servers (two ISE nodes in our case). On ISE I added PI as RADIUS client and configured the same keys. Next, on ISE I created authorization profile PRIME_ADMIN_ACCESS with only attribute settings defined:
    My authentication and authorization rules relating that case are as on following screenshots:
    So when I open GUI of PI and enter my AD credentials to log in I have no success and I receive following message:
    Looking in ISE's Authentication section I can see following:
    Time difference between these two authentication/authorizations is just 25 msecs and clicking on each of them reveals following:
    So at first I can authenticate and authorize (authorization profile has necessary attributes defined for PI management access (NCS:role0=Root, NCS:virtual-domain0=ROOT-DOMAIN)) and after 25 msecs I am getting failure. So what could be cause of such things and how I can successfully log in to PI GUI authenticating via ISE using AD credentials?

    Hi,
    -- Please Go to Administration > Logging > set the Message level to TRACE > Click save
    -- Then try to add the ISE.
    -- Once it fails, collect the logs from Administration > Logging > 
    check the "ncs-0-0.log"  & search the file for "ERROR" & paste the results here. This will give us exact reason.
    - Ashok
    Please rate the post or mark as correct answer as it will help others looking for similar information

  • RADIUS and Cisco 2611 router

    Greetings. First, let me start by saying I am an idiot, I know I am an idiot, and I apologize for wasting everyone's time. I have actually RTFM, many RTFMs, in fact, and I still have not found a resolution.
    Second, I am trying to set up a RADIUS server in my test network. I have installed ClearBox RADIUS on a Windows 2000 system. I have the following configuration on my Cisco 2611 router:
    Using 2297 out of 29688 bytes
    ! Last configuration change at 17:20:27 PDT Tue May 20 2008
    ! NVRAM config last updated at 17:20:29 PDT Tue May 20 2008
    version 12.1
    no service single-slot-reload-enable
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    hostname Tester
    logging buffered 10000 debugging
    aaa new-model
    aaa group server radius RadiusServers
    server 172.26.0.2 auth-port 1812 acct-port 1813
    aaa authentication login default group RadiusServers local
    aaa authentication login localauth local
    aaa authentication ppp default if-needed group radius local
    aaa authorization exec default group radius local
    aaa authorization network default group radius local
    aaa accounting delay-start
    aaa accounting exec default start-stop group radius
    aaa accounting network default start-stop group radius
    aaa processes 6
    enable secret xxx
    username test password xxx
    clock timezone PST -8
    clock summer-time PDT recurring
    ip subnet-zero
    no ip domain-lookup
    no ip bootp server
    interface Loopback0
    ip address 192.168.0.1 255.255.255.0
    interface Ethernet0/0
    description To Main Network
    ip address X.X.X.X 255.255.255.128
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    full-duplex
    no cdp enable
    interface Ethernet0/1
    description To Internal Network
    ip address 172.26.0.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    load-interval 30
    full-duplex
    no cdp enable
    ip nat pool test X.X.X.X X.X.X.X netmask 255.255.255.128
    ip nat inside source list 3 pool test overload
    ip nat inside destination list 3 pool test
    ip classless
    ip route 0.0.0.0 0.0.0.0 X.X.X.X
    no ip http server
    ip radius source-interface Ethernet0/1
    access-list 3 permit 172.26.0.0 0.0.0.255
    no cdp run
    snmp-server community public RO 15
    radius-server host 172.26.0.2 auth-port 1812 acct-port 1813 key secret
    radius-server retransmit 3
    radius-server key secret
    line con 0
    password xxx
    logging synchronous
    line aux 0
    line vty 0 4
    access-class 10 in
    password 7 1234567890
    logging synchronous
    ntp clock-period 17208108
    ntp server 192.43.244.18
    end
    My RADIUS server is up and responding to requests, but my router does not appear to be forwarding authentication requests to it. In fact, when I log into the router using HyperTerm, it times out, and I end up authenticating locally.
    I really don't care whether my Cisco equipment authenticates against the RADIUS server, but I do need to get it set up to authenticate my users so I can track their time online. What have I missed in my router configuration? Why isn't it forwarding user authentication requests to the RADIUS server?
    Thank you for any assistance you may be able to provide.

    I have found that if I am in the middle of composing a response, and I open the thread in another browser window (to refer to it), when I go to submit my response, it doesn't get posted. Perhaps you are running into the same thing.
    The command I shared:
    aaa authentication enable default group radius local
    ... was erroneous. The keyword should have been "enable", as you have discovered.
    Therefore use:
    aaa authentication enable default group radius enable
    When I view a Wireshark trace I see the following:
    AVP: l=18 t=User-Password(2): Decrypted: "user-PWD\000\000\000\000\000\000\000\000"
    Like you, I see the user password appended with the group of \000 groupings.
    Note the word "Decrypted" which confirms that the password entered in Wireshark is a match with that entered on the AAA client (for what that's worth).
    I'm not sure if I suggested that this would confirm that the server and client were using the same shared secret. If I did, I misspoke. I think we would have to gauge the server's response to the attributes we see passed by the client.
    The Wireshark decryption is much more dramatic with TACACS+ because the whole payload is encrypted.
    My issue with your PPPoE is that I saw no "interface" on the router that is configured to perform such authentication. I do seem to recall a global authentication command with the PPP keyword perhaps. I have not attempted to do this, and am not sure whether the interfaces in your router will support this method. Perhaps someone else will weigh in with an opinion.
    However, there are other mainstream authentication methods that I think you should investigate as well.
    You could implement 802.1x on a switch so that a host has to authenticate before it can gain Layer 3 access to the LAN. Depending on the platform, you can download VLAN assignments and ACLs.
    I believe the router also supports 802.1x, but that may determine whether a host can get "through" the router. I have not had cause to investigate 802.1x on the router. I may do so in the future to authorize access to IPsec tunnels.
    The router is also likely to support Authentication Proxy. This feature intercepts a user's attempt to browse resources on the other side of the router. User specific ACLs can be downloaded to the router (from RADIUS) to control what resources a user can access.
    I think you should:
    1. Resolve the issue(s) with AAA logins on the router. It'll establish a baseline of functionality, and give you some short term joy.
    2. Investigate whether PPPoE support exists on your router's interfaces.
    3. Read up on 802.x and Authentication Proxy (docs on Cisco web site).
    4. Decide which method appeals to you.
    5. Dive in.
    I'd lose the self-deprecation. I don't think it will serve you well. If you're treated badly, move to a newsgroup where the participants display a higher level of emotional maturity. I don't think you will have an issue on the Cisco forums. Others would probably step in.
    I'm going to be absent for several days, so if you don't receive any response, it will be for said reason.
    Good luck.
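The User-Password hiding behind the "Decrypted: user-PWD\000..." line in the trace above, as an added example that is not code from the thread: it implements the RFC 2865 section 5.2 scheme, which pads the password with NULs to a 16-octet boundary and XORs it with an MD5 keystream derived from the shared secret and the Request Authenticator. The secret "secret" is the one from the router config posted in the thread; the fixed authenticator is a constructed value.

```python
import hashlib


def _xor_chain(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    """RFC 2865 5.2: each 16-octet block is XORed with MD5(secret + previous block),
    where 'previous block' is the Request Authenticator for the first block and the
    previous *ciphertext* block afterwards."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not data or len(data) % 16:
        raise ValueError("input must be a non-empty multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(data[i:i + 16], key))
        out += block
        prev = block if hiding else data[i:i + 16]   # ciphertext block either way
    return out


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: pad with NULs to a multiple of 16 (max 128 octets), then chain."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_chain(padded, secret, authenticator, hiding=True)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side (or Wireshark with the secret configured); NUL padding is kept."""
    return _xor_chain(hidden, secret, authenticator, hiding=False)


def strip_padding(revealed: bytes) -> bytes:
    """Drop the NUL padding; the scheme cannot carry an embedded NUL anyway."""
    return revealed.split(b"\x00", 1)[0]


def padding_consistent(revealed: bytes) -> bool:
    """True when the value is printable text followed only by NULs, the shape seen
    in the trace; decoding with a wrong secret almost never produces that shape."""
    text = strip_padding(revealed)
    return (all(32 <= c < 127 for c in text)
            and revealed[len(text):] == b"\x00" * (len(revealed) - len(text)))


# Constructed sample values: the secret from the router config in the thread and a
# fixed Request Authenticator (real requests carry 16 fresh random octets each).
SAMPLE_SECRET = b"secret"
SAMPLE_AUTHENTICATOR = bytes(range(16))

if __name__ == "__main__":
    hidden = hide_password(b"user-PWD", SAMPLE_SECRET, SAMPLE_AUTHENTICATOR)
    print(reveal_password(hidden, SAMPLE_SECRET, SAMPLE_AUTHENTICATOR))
    print(reveal_password(hidden, b"wrong", SAMPLE_AUTHENTICATOR))
```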

  • 801.x WLANs authenticated via Radius and Active Directory permit any user access any WLAN

    Hi,
    I have configured several WLANs with WPA2 and 802.1x which authenticate users through a RADIUS server (Windows Internet Authentication Service) that connects with an Active Directory. In the AD there is one user group for each WLAN, but the problem is that any user that was added to some group can get access to any WLAN. Does anybody know if I need some configuration on the WLC to restrict that?
    thanks for your help.

    Hi Scott,
    I have done some tests modifying the RADIUS policy to look at the Called-Station-ID, and also tested looking at the NAS-ID. In the first case, I changed the Call Station ID Type in the WLC RADIUS Authentication Servers configuration to AP MAC Address:SSID and AP Name:SSID, and on the RADIUS server used .*:SSID-NAME$ and SSID-NAME$, but it blocks access for any user. In the second case, I changed the NAS-ID in the WLC WLAN and interface configuration and in the RADIUS server policy to match all, but it doesn't have any impact. What other test could I try?
    thanks for your help. 

  • Re - RADIUS and Cisco 2611 router

    Cassandra:
    There is a response to your latest post that would easily be missed.
    The thread has rolled to a second page.
    The response is on the second page, and would be missed if you did not take note of the "Previous and Next" links at the bottom of page one.

  • Cisco ISE with cisco-av-pair

    Hi All
    I am deploying a Cisco ISE together with a WLC to provide guest services. After the authentication the users will be redirected to the device registration page, this is done via the radius attribute "cisco-av-pair = url-redirect=https://FQDN:8443/guestportal/gateway?sessionId=SesionIdValue&portal=..." returned by the ISE. My problem is that there is no internal DNS server in the guest network (point to public DNS servers), so the clients cannot resolve the FQDN. We can manually add the redirect URL, however the SessionIdValue in the URL is a dynamic value, is there a way to put a dynamic value in the attributes manually?
    Thanks a lot!
    Leo

    Thanks Tarik, I saw you helped a lot of people on ISE configuration, really appreciate your help.
    In ISE there is a place to set the default URL for Sponsor and My device, not sure why not for Guest portal. As the DNS server is not available at this moment, we are using the WLC to do the redirect (so not CWA), the downside is we cannot have a whitelist since all request will be redirected to the guest portal.

  • WLC Management Admin via RADIUS

    I am trying to have a management user authenticate via radius and have full admin privileges.
    For a WCS I can simply set the radius attribute of "Cisco-AVPair.attr|Wireless-WCS:role0=Admin" and that user will get full admin rights. I found this doc to grant a user lobby admin:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080871921.shtml
    but it is specific to using the Cisco ACS as a RADIUS server. What attributes do I need to set for a user to get full admin rights to a WLC when authenticating via RADIUS? Thanks.

    My problem: I have a local management user profile defined on my WLC and it works fine when the Priority Order is set to LOCAL.  When I change the Priority Order to make RADIUS first and LOCAL second, I can't get logged into the WLC using CLI, GUI, or the console.  The last time this happened I had to reset the WLC and start over.  I don't want to do that again, so I need some way to get into the WLC.
    Once I can get back into the WLC I would prefer using Active Directory to authenticate the management user, but that doesn't seem to work. My RADIUS acts as a front end for the Active Directory database and works well for many of our Cisco LAN switches and routers. Now I'm trying to set up the WLC to authenticate the management user with RADIUS. I have set the RADIUS (MS IAS) to return two attributes:
    1. Vendor-Specific -Vendor Code 14179, Value=management
    2. Service-Type - Value=Login
    When I try to login using my AD account, the RADIUS server log shows an Access Request record, then an Access-Accept record that makes it appear RADIUS has successfully authenticated the user.  But the login prompt for the GUI comes back as if it has failed.  Same with the CLI login.  Now I can't get logged into the WLC.  How can I get into the box to manage it again?
    Thanks

  • Cisco 1602i + Authenticating users via RADIUS?

    Hello,
    Our company recently purchased a Cisco 1602i standalone WAP to replace the WAP4410Ns that we were having issues with.  I am now attempting to configure the RADIUS authentication, as we have a User network and a Guest connection.  The Guest connection works fine, using WPA PSK.  However, I can't seem to get the RADIUS authentication to work.  Reading the documentation has got me a little confused, and I have tried turning on debugging (debug radius authentication, debug aaa) but those show nothing.  Also, in the RADIUS server itself (Windows 2008 R2 NPS), I see nothing in the logs when I try to connect using a device or the "test aaa" command.  Can someone guide me on what I'm doing wrong?  I followed someone's advice on another forum and removed "authentication network-eap" from the SSID (phoenix_2), and now when I attempt to connect with a device it just asks me for a password, it doesn't prompt for a username anymore.  I am very stumped.  Here's the relevant config:
    aaa new-model
    aaa group server radius rad_eap
    server 10.200.5.24
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    clock timezone EST -5 0
    ip cef
    ip domain name gst
    dot11 syslog
    dot11 vlan-name guest vlan 255
    dot11 vlan-name user vlan 140
    dot11 ssid phoenix_2
       vlan 140
       band-select
       authentication open eap eap_methods
       mbssid guest-mode
    dot11 ssid walker_2
       vlan 255
       band-select
       authentication open
       authentication key-management wpa version 2
       mbssid guest-mode
       wpa-psk ascii 7 0353035E535879191B
    interface BVI1
    ip address 10.200.5.70 255.255.255.0
    ip default-gateway 10.200.5.1
    ip forward-protocol nd
    no ip http server
    ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip route 0.0.0.0 0.0.0.0 10.200.140.1
    ip route 0.0.0.0 0.0.0.0 10.200.5.1
    ip radius source-interface BVI1
    access-list 111 permit tcp any any neq telnet
    snmp-server community G!0bal RO
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 10.200.5.24 key 7 01445E510E1C07032A495C0D0B0C011718190D3E2E767863
    radius-server vsa send accounting
    The NPS worked just fine with the WAP4410Ns, not sure why we're having so much trouble with the 1602i. 

    Thanks Rasika, your link worked. I had the authentication key before, but I removed it while I was trying different things. My main issue was not applying the list name to the SSID; the documentation did not make it clear that when the RADIUS server is specified using the "radius-server ...." command, the RADIUS group refers to that command when you configure the group. Once that clicked, it made sense that the method list name was specified by the RADIUS group, and that the authentication methods then referred to the RADIUS group. It was a big question mark in my head how the RADIUS server was applied to the SSID prior to reading your post.
    I haven't tried the "erase startup-config" command yet, I will try that next. 
    Quick question, why are both authentication open and authentication network-eap needed?  I would assume authentication network-eap would suffice, unless the authentication open command refers to the allowed devices and not just authentication via RADIUS?

  • ZBF: Assign zone to interface via Cisco AV Pair

    Hello,
    I am terminating ADSL connections via an L2TP tunnel from a service provider and have configured Cisco AV Pairs to assign incoming sessions into different VRFs based on the username of the remote router. I am also using Zone Based Firewall configuration and need to also assign the created virtual access interface into a zone in the same manner as I am assigning VRFs.
    I am assigning VRFs like so:
    Cisco-AVpair+=ip:vrf-id=<vrf-name>
    I have tried assigning a zone with the following configuration but with no luck:
    Cisco-AVpair+=ip:interface-config=zone-member security <zone-name>
    Cisco-AVpair+=lcp:interface-config=zone-member security <zone-name>
    I have looked around but am unable to find a definitive list of Cisco AV Pairs to determine if there is one suitable specifically to assign a zone or a more generic AV Pair that can assign arbitrary configuration.
    Any help appreciated.
    Thanks.

    For anyone else who has a similar issue, I raised the issue with Cisco TAC and the solution was to use a Cisco AVpair of
    lcp:interface-config=zone security <zonename>
    I also had to add:
    aaa policy interface-config allow-subinterface
    Once I did this it worked a treat.
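To show how cisco-av-pair strings like the ones in this thread (and the WLC and ISE threads above) are carried on the wire, here is an added example that is not code from any of the posts: an RFC 2865 encoder and decoder for the Vendor-Specific attribute (Cisco vendor 9, vendor-type 1) and for Service-Type, plus a check that lists what an Access-Accept is still missing before a NAS should grant the expected role. The VRF and zone names are constructed sample values.

```python
import struct

ATTR_SERVICE_TYPE = 6       # RFC 2865 section 5.6
ATTR_VENDOR_SPECIFIC = 26   # RFC 2865 section 5.26
VENDOR_CISCO = 9            # IANA enterprise number for Cisco
CISCO_AVPAIR = 1            # vendor-type of cisco-av-pair under vendor 9
SERVICE_TYPE = {"Login": 1, "Framed": 2, "Administrative": 6, "NAS-Prompt": 7}

def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type(1) Length(1) Value; Length counts the two header octets."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific: 4-octet Vendor-Id, then Vendor-Type(1) Vendor-Length(1) data."""
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)

def cisco_avpair(text: str) -> bytes:
    """cisco-av-pair strings such as 'lcp:interface-config=zone security GUEST'."""
    return encode_vsa(VENDOR_CISCO, CISCO_AVPAIR, text.encode("ascii"))

def service_type(name: str) -> bytes:
    return encode_attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE[name]))

def decode_attrs(data: bytes) -> list:
    """Walk a TLV attribute list, rejecting malformed lengths rather than looping."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs

def is_well_formed(data: bytes) -> bool:
    try:
        decode_attrs(data)
        return True
    except ValueError:
        return False

def decode_vsa(value: bytes) -> tuple:
    """Split a Vendor-Specific value into (vendor_id, [(vendor_type, data), ...])."""
    if len(value) < 4:
        raise ValueError("VSA value shorter than Vendor-Id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    return vendor_id, decode_attrs(value[4:])   # vendor part uses the same TLV walk

def cisco_avpairs(attrs: list) -> list:
    """Every cisco-av-pair string in a decoded attribute list, in wire order."""
    out = []
    for atype, value in attrs:
        if atype != ATTR_VENDOR_SPECIFIC:
            continue
        vendor_id, sub = decode_vsa(value)
        if vendor_id == VENDOR_CISCO:
            out += [v.decode("ascii", "replace") for t, v in sub if t == CISCO_AVPAIR]
    return out

def missing_authorization(attrs: list, required_pairs: list, required_service: str) -> list:
    """What an Access-Accept lacks before the NAS should grant the expected role."""
    present = cisco_avpairs(attrs)
    missing = [p for p in required_pairs if p not in present]
    services = [struct.unpack("!I", v)[0]
                for t, v in attrs if t == ATTR_SERVICE_TYPE and len(v) == 4]
    if SERVICE_TYPE[required_service] not in services:
        missing.append("Service-Type=" + required_service)
    return missing

# Constructed sample modelled on the ZBF thread: VRF and zone via cisco-av-pair.
ZBF_ACCEPT = (cisco_avpair("ip:vrf-id=CUST_A")
              + cisco_avpair("lcp:interface-config=zone security GUEST")
              + service_type("Framed"))

if __name__ == "__main__":
    attrs = decode_attrs(ZBF_ACCEPT)
    print(cisco_avpairs(attrs))
    print(missing_authorization(attrs, ["ip:vrf-id=CUST_A"], "Administrative"))
```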

  • IronPort and Cisco ACS4.2 AAA integration

    Hello,
    could someone point me to some docs explaining how to integrate an IronPort appliance with Cisco ACS server 4.2 for admin access and authentication logs (if possible).
    Appreciated.
    Thanks

    So, first off, any currently shipping version of the WSA only allows Admins to be authenticated via RADIUS.
    Role based access (aka authorization) is coming soon.
    Also, I'm not an ACS user, so I'm guessing what needs to be done there based on using SteelBelted...
    Go to ACS, create an entry for the WSA, set a shared secret.  Then go to the WSA, System/Users, click on External Authentication and set the RADIUS server, port and shared secret.
    Now in my testing with SteelBelted Radius, only users set up in the RADIUS server were authenticated, it wasn't passing the auth request on to my Active Directory, so it wasn't a big deal...  
    In the next version you'll set a class attribute for each user in RADIUS and assign that class attribute to a role in the WSA so that you can set some users to Admins, some to Operators, some to Read Only, etc...

  • Cisco 1262 AP cannot access via console and GUI

    Hi,
    I have a Cisco AIR-LAP1262N-E-9 but I cannot access it via console or GUI. Also, I noticed that after getting an IP address from the DHCP server, its IP address is released after 2 minutes. Then after a while, the access point gets another new IP address. And this happens repeatedly.
    Hoping for some help out there...
    Thanks,
    shawn

    Hi Manas,
    Thanks for your comments.
    I have a WLC 5508 controller. I just want to have a basic setup for my upcoming project implementation. On my test bed I have the WLC, 2 APs, and a PoE L3 switch. The L3 switch serves as the DHCP server for the APs. I manually set the Management Interface IP address of the WLC in the same VLAN as the DHCP scope for the APs, just for basic connectivity. Upon powering up the APs, the WLC detected them. However, after 2-3 minutes the WLC cannot detect the APs anymore. I also notice that the APs get their IP address from the DHCP server but release it after some time, maybe about 3 minutes. Then the APs get an IP address again and release it again. This happens continuously. I just wish to hard-code the IP settings on the APs via console, but I cannot access it.
    Hoping for your help and thanks in advance.
    Regards,
    Shawn

  • Re-Paired Cisco DMM and Cisco Show & Share

    Hi ...
    guys ... does anyone have experience re-pairing Cisco DMM and Cisco Show & Share? I re-paired it, but it doesn't succeed. First I pair Cisco Show and Share with Cisco DMS and it succeeds, but when I pair Cisco DMM with Cisco Show and Share it doesn't succeed (the process took so long, about 30 minutes; I pressed Ctrl-C and it says failed to install certificate from Cisco Show and Share).
    Anyone have idea ?
    BR

    Avoid Pairing Failures
    •Pairing fails when you complete these steps in the wrong order. You must use AAI on your Cisco Show and Share appliance before you use AAI on your Cisco DMM appliance. Do not reverse this order or try to use AAI simultaneously on both appliances.
    •Do not use the POP option on the pairing menu. Doing so may cause Cisco Show and Share to fail. If you accidentally choose the POP option, you will need to re-pair the Cisco Show and Share and DMM appliances.
    Pair Your Appliances
    Procedure
    Step 1 From the appliance that runs Cisco Show and Share 5.2:
    a. Log in as admin to the Appliance Administration Interface (AAI).
    b. Choose APPLIANCE_CONTROL > PAIR APPLIANCE.
    c. Choose DMM.
    Warning Do not choose any other option than DMM. 
    d. Enter the fully-qualified domain name (FQDN) for your Cisco DMM appliance.
    This is the DNS name. Do not enter an IP address.
    e. Press Enter.
    Your Cisco Show and Share appliance receives and successfully imports a digital certificate from your Cisco DMM appliance.
    Step 2 From the appliance that runs Cisco Digital Media Manager 5.2:
    a. Log in as admin to the Appliance Administration Interface (AAI).
    b. Choose APPLIANCE_CONTROL > PAIR APPLIANCE.
    c. Choose SHOW_AND_SHARE.
    Warning Do not choose any other option than SHOW_AND_SHARE. 
    d. Enter the fully-qualified domain name (FQDN) for your Cisco Show and Share appliance.
    This is the DNS name. Do not enter an IP address.
    e. Press Enter.
    Your Cisco DMM appliance receives and successfully imports a digital certificate from your Cisco Show and Share appliance.
    See Cisco Link :
    http://www.cisco.com/en/US/docs/video/digital_media_systems/5_x/5_2/dms/aai/administration/guide/pair.html

  • I have a MacBookPro 5.5 and an iPad 2 32GB 3G; both items are pretty recent. Today I tried connecting them via Bluetooth. MBP states "pairing success" whereas the iPad seems to be still searching and indicates the MBP as "not connected". That over and over

    I have a MacBookPro 5.5 and an iPad 2 32GB 3G; both items are pretty recent.
    Today I tried connecting them via Bluetooth. MBP states "pairing success" (only after NUMEROUS attempts!!!) whereas the iPad seems to be still searching and indicates the MBP as "not connected". That over and over.
    Also, the iPad does not seem to recognize ANY bluetooth device in the house (they ARE discoverable since my MBP DOES "see" them) like, for instance, my mini-Mac.
    Any help would be appreciated; (I hope the problem lies NOT in the bluetooth antenna, in other words not in hardware.)
    P.S. The MBP seems fine since it DID connect to Mac-mini.

    Hello:
    Was the iPad paired with another device?  If so, you need to "unpair" it from the previous device.  Bluetooth devices may be connected with only one thing at a time.
    Barry

  • HT1338 I bought a new Mac Mini and tried to pair my keyboard with the Mac Mini. They will not pair via Bluetooth. What is wrong?

    I have recently bought a Mac Mini and tried to pair the new apple wireless keyboard with the Mac but after trying 6 times no luck. What can I do about this?

    try this method:
    You need at least a USB mouse. If you don't get any option to pair a keyboard, click through the setup until you get to the "Create Your Computer Account" screen, right click in any of the text fields and select Substitutions --> Show Substitutions.  From there click on text preferences.  The preferences pane will popup and from there you can just click the back button (next to show all) to get to the full preferences menu.  Next click on keyboard, then select setup bluetooth keyboard and you're golden. 
