Local radius question?
Hi,
I was just taking a look at the local radius functionality on a router. I've found a strange problem which doesn't make sense to me and I was wondering if someone could explain what I'm seeing. As a basic lab to learn the ropes with local radius I created a local radius server on my router and got the local vty lines to use it for authentication.
This is my config:
interface Loopback0
ip address 192.168.0.1 255.255.255.255
ip radius source-interface Loopback0
aaa group server radius LOCAL-RADIUS
server 192.168.0.1 auth-port 1812 acct-port 1813
aaa authentication login default group LOCAL-RADIUS
radius-server local
nas 192.168.0.1 key 0 <removed>
user mwhittle nthash 0 <removed>
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.0.1 auth-port 1812 acct-port 1813 key <removed>
radius-server vsa send accounting
Now he's the strange thing... If I configure the radius user to "mwhittle" with the password "mwhittle" it works and I get an Access-Accept. If I configure anything another than the username for the password it doesn't work and I get an Access-Reject. I have tried many combinations but as long as the username and password are the same it works and if they aren't it doesn't. This can't be normal behavior unless I'm missing something.
Any ideas?
Kind regards,
Mike
Hi,
What kind of RADIUS client application are you using with the IOS local RADIUS server? Please note that this server supports *only* wireless clients,
and only for the LEAP and EAP-FAST EAP types, and also MAC authentication. It does not provide support for other kinds of RADIUS clients.
The fact that username=password happens to seem to work is, I believe, an accidental artifact of the MAC authentication support, where username
is always equal to password.
If we are not using the MAC auth, then please feel free to open up a TAC case and we will help you..
lemme know if this answered your question..
Regards
Surendra
====
Please dont forget to rate the posts which answered your question and mark it as answered or was helpfull
Similar Messages
-
EAP-FAST on Local Radius Server : Can't Get It Working
Hi all
I'm using an 877w router (flash:c870-advsecurityk9-mz.124-24.T4.bin) as local radius server and have followed various config guides on CCO. LEAP works fine but I just can't get EAP-FAST to work.
I'm testing with win7 client using anyconnect secure mobility client, and also a mac book pro but without luck.
the router sees unknown auth type, and when I run some debugs it talks of unknown eap type 3
sh radius local-server s
Successes : 1 Unknown usernames : 0
Client blocks : 0 Invalid passwords : 0
Unknown NAS : 0 Invalid packet from NAS: 17
NAS : 172.27.44.1
Successes : 1 Unknown usernames : 0
Client blocks : 0 Invalid passwords : 0
Corrupted packet : 0 Unknown RADIUS message : 0
No username attribute : 0 Missing auth attribute : 0
Shared key mismatch : 0 Invalid state attribute: 0
Unknown EAP message : 0 Unknown EAP auth type : 17
Auto provision success : 0 Auto provision failure : 0
PAC refresh : 0 Invalid PAC received : 0
Can anyone suggest what I might be doing wrong?
Regs, TimThanks Nicolas, relevant snippets from config:
aaa new-model
aaa group server radius rad_eap
server 172.27.44.1 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
aaa authorization exec default local
aaa session-id common
dot11 ssid home
vlan 3
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
ip dhcp pool home
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 194.74.65.68 194.74.65.69
ip inspect name ethernetin tcp
ip inspect name ethernetin udp
ip inspect name ethernetin pop3
ip inspect name ethernetin ssh
ip inspect name ethernetin dns
ip inspect name ethernetin ftp
ip inspect name ethernetin tftp
ip inspect name ethernetin smtp
ip inspect name ethernetin icmp
ip inspect name ethernetin telnet
interface Dot11Radio0
no ip address
encryption vlan 1 mode ciphers aes-ccm tkip
encryption vlan 2 mode ciphers aes-ccm tkip
encryption vlan 3 mode ciphers aes-ccm tkip
broadcast-key vlan 1 change 30
broadcast-key vlan 2 change 30
broadcast-key vlan 3 change 30
ssid home
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
interface Dot11Radio0.3
encapsulation dot1Q 3
no cdp enable
bridge-group 3
bridge-group 3 subscriber-loop-control
bridge-group 3 spanning-disabled
bridge-group 3 block-unknown-source
no bridge-group 3 source-learning
no bridge-group 3 unicast-flooding
interface Vlan3
no ip address
bridge-group 3
interface BVI3
ip address 192.168.1.1 255.255.255.0
ip inspect ethernetin in
ip nat inside
ip virtual-reassembly
radius-server local
no authentication mac
nas 172.27.44.1 key 0 123456
user test1 nthash 0 B151E8FF684B4F376C018E632A247D84
user test2 nthash 0 F2EEAE1D895645B819C9FD217D0CA1F9
user test3 nthash 0 0CB6948805F797BF2A82807973B89537
radius-server host 172.27.44.1 auth-port 1812 acct-port 1813 key 123456
radius-server vsa send accounting -
Local Radius Authentication - Fails
Hello all,
Access Point 1230AG (c1200-k9w7-mx.123-2.JA)
Client Adapter ABG (PCI)
I am new to Wireless Lan configuration with Aironet products (first project). I am configuring an Access Point for a small LAN and i can not get local radius authentication working. The password always fails if I try:
test aaa group radius xxxxx port 1812 new-code
although the password is matching..........
another thing is that in the configuration, it always defaults to 'nthash' mode. is this normal? in other words if i type:
radius-server local
user dgarnett password xxxx
when i do a 'show run' it displays as
user xxxx
I also get the following during a debug:
There is no RADIUS DB Some Radius attributes may not be stored
any help greatly appreciated
ap#test aaa group radius dgarnett 123456789 port 1812 new-code
Trying to authenticate with Servergroup radius
User rejected
ap#
Feb 19 20:57:44.535: RADIUS(00000000): Config NAS IP: 10.14.14.14
Feb 19 20:57:44.535: RADIUS(00000000): Config NAS IP: 10.14.14.14
Feb 19 20:57:44.535: RADIUS(00000000): sending
Feb 19 20:57:44.535: RADIUS(00000000): Send Access-Request to 10.14.14.14:1812 id 21645/14, len 64
Feb 19 20:57:44.535: RADIUS: authenticator 9C C4 E8 64 80 8B 64 8A - E7 5F 0A 64 14 2F 5D B6
Feb 19 20:57:44.536: RADIUS: User-Password [2] 18 *
Feb 19 20:57:44.536: RADIUS: User-Name [1] 10 "dgarnett"
Feb 19 20:57:44.536: RADIUS: Service-Type [6] 6 Login [1]
Feb 19 20:57:44.536: RADIUS: NAS-IP-Address [4] 6 10.14.14.14
Feb 19 20:57:44.536: RADIUS: Nas-Identifier [32] 4 "ap"
Feb 19 20:57:44.537: RADSRV: Client dgarnett password failed
Feb 19 20:57:44.537: RADIUS: Received from id 21645/14 10.14.14.14:1812, Access-Reject, len 88
Feb 19 20:57:44.538: RADIUS: authenticator 3C B3 9A 7F 61 27 3A A6 - 84 39 B6 DF 22 DF 45 26
Feb 19 20:57:44.538: RADIUS: State [24] 50
Feb 19 20:57:44.538: RADIUS: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF [????????????????]
Feb 19 20:57:44.539: RADIUS: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF [????????????????]
Feb 19 20:57:44.539: RADIUS: 6B 7C 18 EA F0 20 A4 E5 B1 28 0E BD 57 61 24 9A [k|??? ???(??Wa$?]
Feb 19 20:57:44.539: RADIUS: Message-Authenticato[80] 18 *
Feb 19 20:57:44.539: RADIUS(00000000): Received from id 21645/14
Feb 19 20:57:44.539: RADIUS(00000000): Unique id not in use
Feb 19 20:57:44.540: RADIUS/DECODE(00000000): There is no RADIUS DB Some Radius attributes may not be storedJust as an update.......I set this up authenticating to an external (ACSNT) Radius server and it authenticates successfully. But still will not for the local dbase. My goal is to use the Corporate ACS as primary and the local as backup. I think my problem has to do with the Radius attributes 24 (State) and 80 (Message Auth). I also think that it points back to the NTHash stuff. Please advise as I am not new security practices and wireless, but I am new to Cisco Wireless networking.
-
EAP-FAST with local radius on 1242AG
I'm trying to get EAP-FAST working using the local radius server on a 1242AG autonomous AP using the latest firmware from Cisco. The cypher I'm using is CCMP. LEAP works fine with all my clients, however if I move to EAP-FAST in the radius config my clients fail to authenticate
I know I need to set PAC to automatic somewhere, but the EAP-FAST configuration in the 1242AG GUI doesn't make this clear what to do.
Any help or a basic example you be great.
thanks,
SimonI think this is what you're looking for;
Local EAP Authentication on the Wireless LAN Controller with EAP-FAST and LDAP Server Configuration Example
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml
HTH
Regards,
Jatin
Do rate helpful posts~ -
Autonomous AP, 12.3.8JE3. EAP-FAST on local radius failure
Hi all,
I've been trying to configure EAPFAST on Autonomous AP 1242 with the above firmware using local radius. Here are the config:
aaa new
aaa group server radius rad_eap
server x.x.x.x auth 1812 acct 1813
aaa authentication login eap_methods group rad_eap
dot11 ssid EAPFAST
vlan 10
authentication open eap eap_methods
authentication key wpa
int d0
encryption vlan 10 mode cipher aes
ssid EAPFAST
no shut
int d0.10
en do 10
bridge 10
int f0.10
en do 10
bridge 10
int f0.100
en do 100 na
bridge 1
int bvi
ip add x.x.x.x 255.255.255.0
radius-server local
eapfast authority info XYZ
eapfast server-key primary auto
nas x.x.x.x key ####
group FAST
eapfast pac expiry 2 grace 2
username eapfast password eapfast group FAST
radius-server host x.x.x.x auth 1812 acct 1813 key ####
For all my tests, I can get the 7921 phone to work. But using CSSC or even win7 supplicant, I can never get the authentication to go through. I think the eap authentication is stuck at pac provisioning. If i am to manual provision the pac using tftp, it will work. Any clue?
AlvinHi,
I was thinking it might be a firmware issue because during some debugs with pac provisoning, there are some errors reporting of some missing cipher suites. I shall try with a new firmware.
Alvin -
How to set local radius with AP 1240AG series
Hi,
I have been trying to set up a AP with AIR-AP1242AG-Ak9 as a local authenticator radius but with no success. I have followed the steps from a lot of posts but no go, even with the most simple and understanable post like this one:
https://supportforums.cisco.com/document/101121/configuring-autonomous-ap-local-radius-authentication
The guy at the end of the post says:
Configuring AP
1. Go to Security>Encryption Manager
2. Specify Encryption (can be WEP or WPA)
3. Specify that WEP is Mandatory
4. Specify the key accordingly
5. Click Apply
6. Go to Security>SSID Manage
7. Select the desired SSID
But when I go via GUI fist of all:
I dont understand why it says it can be WEP o WPA because if I select WEP and follow the rest of the steps, I got an error message: WPA mandatory is supported only with Cipher TKIP or AES CCMP or AES CCMP +TKIP <see encryption managerpage>
Besides WEP, as far as I kknow it only works with a password only and I want the PC clients to aunthenticate with the AP itself as a Radius local server so it should ask for a username and password defined in the AP.
Second of all, the steps from the guy states on item 4, specfy the key acordinly? what this means? I only see keys filed in hexa.
third of all, if I do the steps in the error above, it allows me to set WPA with key management Mandatory but only by selecting the Cipher drop down menu, so which item should I pick ?there are a lot like AES CCMP, AES CCMP+TKIP, etc
But whenever another PC tries to login, it asks for the username and password, but it never get passed just saying error on the network.
I include the debug for the local radius below
I also included the config of the AP
All I want is the AP ask for a username and password, login successfully and thats it.
anybody else or someone that has a function config to share with me? I would appreciate it, cause I have been more than 12 hours in a row trying to set it up but no goHere is a one of my post related to this topic,see if that helps,
http://mrncciew.com/2013/03/03/autonomous-ap-as-local-radius-server/
If supported use WPA2 with AES as that is most secure. Do not use WEP. If WPA2/AES is not supported then try to use WAP with TKIP.
Here is other useful configuration example on the same topic
https://rscciew.wordpress.com/2014/07/24/autonomous-ap-with-local-radius-server-eap-fast/
HTH
Rasika
**** Pls rate all useful responses *** -
Local radius server : one username for several devices ?
I've just installed a AP 1231g as a local radius server and I've got two devices that are authenticated by the AP with the same username/password .
is not there a problem?Hi,
Problem ?? no there is no issues. You are using a single user name to access network devices.
Regards,
~JG
Please rate if helps -
Locale Formatting question
In the preceding code the number 50 represent currency.
The output of NumberFormat is 50 with the local symbol
The output of DecimalFormat is 50.00 without the local symbol
The question is how to show 50.00 with the local symbol ???
import java.text.*;
import java.math.BigDecimal;
public class LocalFormating {
public static void main(String[] args) {
NumberFormat nf = NumberFormat.getCurrencyInstance();
DecimalFormat decfs = new DecimalFormat("#,##0.00");
BigDecimal anumb = new BigDecimal(50);
String temp = nf.format(anumb);
System.out.println("local anumb = " +temp);
String temp2 = decfs.format(anumb);
System.out.println("Decimal format anumb = " +temp2);Locale Formatting question
In the preceding code the number 50 represent currency.
The output of NumberFormat is 50 with the local symbol
The output of DecimalFormat is 50.00 without the local symbol
The question is how to show 50.00 with the local symbol ???
import java.text.*;
import java.math.BigDecimal;
public class LocalFormating {
public static void main(String[] args) {
NumberFormat nf = NumberFormat.getCurrencyInstance();
DecimalFormat decfs = new DecimalFormat("#,##0.00");
BigDecimal anumb = new BigDecimal(50);
String temp = nf.format(anumb);
System.out.println("local anumb = " +temp);
String temp2 = decfs.format(anumb);
System.out.println("Decimal format anumb = " +temp2); -
Wireless local radius authentication
Greetings,
I have a AIR-AP1121G-A-K9, and I would like to authenticate users with a username and password on the AP using the local radius server.
I used the configuration at http://www.aironet.info/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c0912.shtml
and tried a couple other posted configuration, but are running into the same issue regardless of which method I am using.
show ver
Cisco IOS Software, C1100 Software (C1100-K9W7-M), Version 12.3(8)JED1, RELEASE
SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Tue 27-Apr-10 12:52 by alnguyen
ROM: Bootstrap program is C1100 boot loader
BOOTLDR: C1100 Boot Loader (C1100-BOOT-M) Version 12.2(8)JA, EARLY DEPLOYMENT RE
LEASE SOFTWARE (fc1)
ORP_ROOFDECK uptime is 21 hours, 3 minutes
System returned to ROM by power-on
System image file is "flash:/c1100-k9w7-mx.123-8.JED1/c1100-k9w7-mx.123-8.JED1"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
cisco AIR-AP1121G-A-K9 (PowerPCElvis) processor (revision A0) with 15138K/12
36K bytes of memory.
Processor board ID FOC08370K83
PowerPCElvis CPU at 197Mhz, revision number 0x0950
Last reset from power-on
1 FastEthernet interface
1 802.11 Radio(s)
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:12:01:6B:86:46
Part Number : 73-7886-07
PCA Assembly Number : 800-21481-07
PCA Revision Number : A0
PCB Serial Number : XXX
Top Assembly Part Number : 800-22053-04
Top Assembly Serial Number : XXX
Top Revision Number : A0
Product/Model Number : AIR-AP1121G-A-K9
Configuration register is 0xF
show run
Current configuration : 4240 bytes
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname XXX
ip subnet-zero
ip domain name XXX!
ip ssh version 2
aaa new-model
aaa group server radius rad_eap
server 172.16.1.35 auth-port 1812 acct-port 1813
aaa group server radius rad_acct
server 172.16.1.35 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 syslog
dot11 ssid YYY
authentication open eap eap_methods
authentication network-eap eap_methods
guest-mode
bridge irb
interface Dot11Radio0
no ip address
ip helper-address 172.16.1.1
no ip route-cache
encryption key 1 size 128bit 7 66061D688B874859701297485642 transmit-key
encryption mode wep mandatory
broadcast-key change 300
ssid YYY
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
54.0
channel 2437
station-role root
rts threshold 2312
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address 172.16.1.35 255.255.255.0
ip helper-address 172.16.1.1
no ip route-cache
ip default-gateway 172.16.1.1
ip http server
ip http authentication local
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server local
no authentication eapfast
no authentication mac
nas 172.16.1.35 key 7 VVV
group YYY
ssid YYY
block count 3 time 30
reauthentication time 300
user zzz nthash 7 0225540F2A2429741C162F3C2636455854560E72760A6A667B315E37
5553010B7A group YYY
radius-server attribute 32 include-in-access-req format %h
radius-server host 172.16.1.35 auth-port 1812 acct-port 1813 key 7 VVV
radius-server vsa send accounting
bridge 1 route ip
line con 0
line vty 0 4
access-class 10 in
line vty 5 15
end
Debug Output:
331: AAA/ACCT(00000000): add node, session 4
*Mar 1 21:37:37.331: AAA/ACCT/NET(00000004): add, count 1
*Mar 1 21:37:37.331: dot11_auth_add_client_entry: Create new client 0023.6c85.3
2cd for application 0x1
*Mar 1 21:37:37.331: dot11_auth_initialize_client: 0023.6c85.32cd is added to t
he client list for application 0x1
*Mar 1 21:37:37.331: dot11_auth_add_client_entry: req->auth_type 4
*Mar 1 21:37:37.331: dot11_auth_add_client_entry: auth_methods_inprocess: 2
*Mar 1 21:37:37.331: dot11_auth_add_client_entry: eap list name: eap_methods
*Mar 1 21:37:37.331: dot11_run_auth_methods: Start auth method EAP or LEAP
*Mar 1 21:37:37.331: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
*Mar 1 21:37:37.331: dot11_auth_dot1x_send_id_req_to_client: Sending identity r
equest to 0023.6c85.32cd
*Mar 1 21:37:37.332: EAPOL pak dump tx
*Mar 1 21:37:37.332: EAPOL Version: 0x1 type: 0x0 length: 0x0036
*Mar 1 21:37:37.332: EAP code: 0x1 id: 0x1 length: 0x0036 type: 0x1
00ECBA00: 01000036 01010036 01006E65 74776F72 ...6...6..networ
00ECBA10: 6B69643D 4F52505F 5075626C 69632C6E kid=YYY,n
00ECBA20: 61736964 3D4F5250 5F524F4F 46444543 asid=YYY
00ECBA30: 4B2C706F 72746964 3D30 K,portid=0
*Mar 1 21:37:37.333: dot11_auth_send_msg: sending data to requestor status 1
*Mar 1 21:37:37.333: dot11_auth_send_msg: Sending EAPOL to requestor
*Mar 1 21:37:37.333: dot11_auth_dot1x_send_id_req_to_client: Client 0023.6c85.3
2cd timer started for 30 seconds
*Mar 1 21:38:07.333: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TI
MEOUT) for 0023.6c85.32cd
*Mar 1 21:38:07.333: dot11_auth_dot1x_send_client_fail: Authentication failed f
or 0023.6c85.32cd
*Mar 1 21:38:07.333: dot11_auth_send_msg: sending data to requestor status 0
*Mar 1 21:38:07.333: dot11_auth_send_msg: client FAILED to authenticate 0023.6c
85.32cd, node_type 64 for application 0x1
*Mar 1 21:38:07.333: dot11_auth_delete_client_entry: 0023.6c85.32cd is deleted
for application 0x1
*Mar 1 21:38:07.334: %DOT11-7-AUTH_FAILED: Station 0023.6c85.32cd Authenticatio
n failed
*Mar 1 21:38:07.334: AAA/ACCT/HC(00000004): Update DOT11/00A83CE0
*Mar 1 21:38:07.335: AAA/ACCT/HC(00000004): DOT11/00A83CE0 [pre-sess] (rx/tx) b
ase 0/0 pre 6861/188 call 6861/188
*Mar 1 21:38:07.335: AAA/ACCT/HC(00000004): DOT11/00A83CE0 [pre-sess] (rx/tx) a
djusted, pre 6861/188 call 0/0
*Mar 1 21:38:07.335: AAA/ACCT/HC(00000004): Deregister DOT11/00A83CE0
*Mar 1 21:38:07.335: dot11_auth_client_abort: Received abort request for client
0023.6c85.32cd
*Mar 1 21:38:07.335: dot11_auth_client_abort: No client entry to abort: 0023.6c
85.32cd for application 0x1
*Mar 1 21:38:07.335: AAA/ACCT/EVENT/(00000004): CALL STOP
*Mar 1 21:38:07.335: AAA/ACCT/CALL STOP(00000004): Sending stop requests
*Mar 1 21:38:07.336: AAA/ACCT(00000004): Send all stops
*Mar 1 21:38:07.336: AAA/ACCT/NET(00000004): STOP
*Mar 1 21:38:07.336: AAA/ACCT/NET(00000004): Method list not found
*Mar 1 21:38:07.336: AAA/ACCT(00000004): del node, session 4
*Mar 1 21:38:07.336: AAA/ACCT/NET(00000004): free_rec, count 0
*Mar 1 21:38:07.336: AAA/ACCT/NET(00000004) reccnt 0, csr TRUE, osr 0
*Mar 1 21:38:07.337: AAA/ACCT/NET(00000004): Last rec in db, intf not enqueued
*Mar 1 21:41:34.645: AAA/BIND(00000005): Bind i/f
*Mar 1 21:41:34.645: AAA/ACCT/EVENT/(00000005): CALL START
*Mar 1 21:41:34.645: Getting session id for NET(00000005) : db=C4EBC0
*Mar 1 21:41:34.645: AAA/ACCT(00000000): add node, session 5
*Mar 1 21:41:34.646: AAA/ACCT/NET(00000005): add, count 1
*Mar 1 21:41:34.646: Getting session id for NONE(00000005) : db=C4EBC0
*Mar 1 21:41:34.646: AAA/AUTHEN/LOGIN (00000005): Pick method list 'Permanent L
ocal'
*Mar 1 21:41:39.002: AAA/AUTHOR (0x5): Pick method list 'default'
*Mar 1 21:41:39.002: AAA/AUTHOR/EXEC(00000005): processing AV cmd=
*Mar 1 21:41:39.003: AAA/AUTHOR/EXEC(00000005): processing AV priv-lvl=15
*Mar 1 21:41:39.003: AAA/AUTHOR/EXEC(00000005): Authorization successful
Any ideas how I can get simple username/password working on an autonomous AP with local radius server?
Thank you,You could get a better idea of why the auth is being failed with the output of "show radius local-server statistics". You could also run "debug radius local-server client" and "debug radius local-server error".
-
Configuring a 1230 AP as a "Local Radius Authenticator"
Configuring a 1230 AP as a "Local Radius Authenticator"
CCO-URL: Configuring an Access Point as a Local Authenticator
http://www.cisco.com/en/US/partner/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a0080184a9b.html
this is the minimal config, i think:
AP# configure terminal
AP(config)# radius-server local
AP(config-radsrv)# nas 1.1.1.1 key 111
AP(config-radsrv)# group clerks
AP(config-radsrv-group)# vlan 2
AP(config-radsrv-group)# ssid batman
AP(config-radsrv-group)# reauthentication time 1800
AP(config-radsrv-group)# lockout count 2 time 600
AP(config-radsrv-group)# exit
AP(config-radsrv)# user jsmith password twain74 group clerks
AP(config-radsrv)# end
whereas 1.1.1.1 is the IP of the AP himself ?
is there a must for additional config commands like this:
radius-server host 1.1.1.1 auth-port 1812 acct-port 1813 key 111
aaa group server radius rad_eap
server 1.1.1.1 auth-port 1812 acct-port 1813
aaa group server radius rad_admin
server 1.1.1.1 auth-port 1812 acct-port 1813
all attempts didn't work
"station <MAC> authentication failed"
is there anything else nessecary ???You seem to be missing the following commands;
authentication network-eap eap_methods
authentication key-management cckm optional
The following commands are useful for diagnosis;
Show radius local statistics
show interface dot11Radio 0 aaa client
Debug dot11 aaa dot1x state
Debug dot11 mgmt interface
Local authentication is designed as a fall-back service for when the primary RADIUS server fails. We not encourage the use of Local authentication as a replacement for a radius server.
* With an ACS you get Authentication, Authorization and Accounting. With Local authentication you only get Authentication.
* ACS scales, supports external user-databases, supports multiple authentication types, supports database backup and replication, etc, etc... Local authentication supports a maximum of 50 users, internal static configuration only, and LEAP only.
Following is an IOS configuration, that I have tested, and works on an AP1200 (should work on an 1100 too, I just havent tested it);
· This configuration enables a single AP to do local authentication. No WDS is included for fast roaming.
· This configuration can be cut-and-pasted into an AP that has been write-erased (blank config), and it will configure all the parameters to allow a client to LEAP authenticate to it (even if no Ethernet cable is connected to it)
· Replace usernames/passwords with your own usernames/passwords
· Replace ip-addresseswith the APs IP address
· I added DHCP configuration so you can connect to a stand-alone AP with your DHCP-enabled laptop (with a profile that matches the test APs SSID and LEAP settings).
conf t
host loc-auth-ap-name
enable secret cisco
no ip domain-lookup
line vty 0 4
password cisco
exec-timeout 0 0
login
int bvi 1
ip address 10.11.12.13 255.255.255.0
Interface dot11 0
no ssid tsunami
encryption mode ciphers ckip-cmic
ssid test-loc-auth
authentication network-eap eap_methods
authentication key-management cckm optional
ip dhcp excluded-address 10.11.12.13
ip dhcp pool temp
network 10.11.12.0 255.255.255.0
interface BVI1
ip address 10.11.12.13 255.255.255.0
no ip route-cache
aaa new-model
aaa group server radius rad_eap
! add a real AAA server (with auth-port 1645) before
! the following statement if you are configuring a
! fallback authentication service instead of a
! standalone service
server 10.11.12.13 auth-port 1812 acct-port 1646
aaa authentication login eap_methods group rad_eap
! add a real AAA server (with auth-port 1645) before
! the following statement if you are configuring a
! fallback authentication service instead of a
! standalone service
radius-server host 10.11.12.13 auth-port 1812 acct-port 1646 key 0 l0cal-key-secret
radius-server deadtime 10
dot11 holdoff-time 1
ip radius source-interface BVI1
radius-server local
nas 10.11.12.13 key 0 l0cal-key-secret
user testuser password 0 testuser-key-secret
exit
exit
wri -
Problems w/config AP1200 - WPA Enterprise/Local RADIUS Server
I have been attempting to reconfigure a AP1200 in our lab environment from using static WEP keys to WPA/TKIP. I can make the solution work with WPA-PSK, but not enterprise. I believe I have everything configured correctly but cannot "validate identity" on the client. Below are the details to my configuration.
SSID: labssid (Open authentication with EAP)
Cipher: TKIP
Key management: Mandatory (WPA)
I have a Cisco ACS server but am attempting to get this running intially using the local RADIUS server on the Access Point. I have a user defined locally called "test" with a password of "test".
I am using an IBM ThinkPad T43 with the built-in wireless (Intel PRO/Wireless 2915ABG NIC) for testing. I have the "Use Windows to configure my wireless network settings" checked so I am using the inherant Windows configuration screens. However, I have also attempted to use the IBM NIC configuration utility and receive the same failures. I have the client device configured as follows:
1. Network authentication: WPA
2. Data encryption: TKIP
3. Authentication: Protected EAP (PEAP) (only option other than smartcard, cert.)
3a. (PROPERTIES) - AuthMethod: Secured Password (EAP-MSCHAP v2)
4. Authenticate as computer whe computer information is avail (UNCHECKED)
5. Authenticate as guest when user or computer is unavailable (UNCHECKED)
When I attempt to provide my test/test credientials the Access Point logs the following:
Station 0016.6f77.9ccd Authentication failed
When I look at the Local RADIUS server stats, for each authentication failure the following stat is recorded:
"Unknown EAP Type"
If I try to authenticate 5 times, there will be 5 Unknown EAP Type stats logged.
What am I missing?I didn't realize the local RADIUS couldn't do PEAP. That makes sense now, as in testing I decided to point the AP at my ACS server and was able to authenticate. I'm having an issue authenticating at times because it seems the AP looses it's connection TO the ACS server. The Access Point logs the following:
1. Station 0016.6f77.9ccd Authentication failed
2. RADIUS server 192.168.102.82:1645,1646 has returned.
3. RADIUS server 192.168.102.82:1645,1646 is not responding.
The "not responding" and "returned" logs are recorded at the exact same time period. In my most recent case, it was "Aug 31 18:19:36.981". Both have that time stamp. It's as if the AP looses some heartbeat to the RADIUS server and doesn't check to see if it's alive until a certain interval. When I'm not able to authenticate, if I log into the ACS and manually "restart" the services through the GUI, I authenticate right away. I'm thinking this is an ACS issue not an AP issue, but am wondering if anyone else has ever noticed this behavior. -
1240AG as WDS & Local Radius Server
Have 5 1240AG's and want to use one as WDS and Local Radius Server.
Am using the following as a guide:
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml#hw
The above example uses a Cisco Secure ACS and designates both an AP and a WSLM as the WDS. I just want to use the AP as the WDS.
Isn't it possible to do the whole thing just using a 1240AG as both the WDS and Local Radius Server and not use a Cisco Secure ACS or WSLM?
Is there an online guide for such a thing? (looked, didn't find it)
Appreciate the guidance
CheersThanks, that's what I thought.
I had found the WDS setup link but wasn't sure if I was missing something.
The link you provided for the Local Radius Server setup is for "partners" only I believe? Can't access it.
But I think I should be able to find some guides/examples somewhere else in the archives. I'm starting w/ these 2 links;
https://www.cisco.com/en/US/products/ps6521/prod_configuration_examples_list.html
and
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c0912.shtml
Appreciated the heads up about port 1812. -
Cisco 2504 Local radius configuration, is their any ways for backing up the user db? In case the WLC dies
Please find the guide to keep the backup:-
http://www.cisco.com/en/US/partner/docs/wireless/controller/7.0/configuration/guide/c70mfw.html#wp1063850 -
With a Cisco 1120, does the local radius server only support LEAP? Any way to get support for PEAP?
Thanks,The "Local Authentication Server" is currently LEAP only.
-
Local RADIUS trusting external database
Is there any way for the IOS local RADIUS to authenticate against a NT or AD domain account list? I understand I can use ACS, IAS or similar to do this, just looking for a cleaner solution for a small site. I'd be willing to use LEAP for client authentication if it were possible. My dilema is we use ACS to authenticate our larger locations. It is hard to justify a separate ACS install for this "island" site. They have a local AD domain which could be used. I'm considering IAS, but I'd also love to incorporate this AP into our WLSE environment. Any suggestions?
Thanks for your input. Maintaining a duplicate local user database just doesn't seem viable long term. I'd have to work with users every time their password expires, or not have them expire which is not acceptable. The site is only a couple dozen users, but at that volume I'd be dealing with a password change every few days.
My plan in the interum is to remotely authenticate them against my main site ACS which will authenticate them against their local domain. Certainly the long way to go, but I can extend the password cache for a longer than normal period to cut down on delay. I'll see how this operates for awhile and then adjust from there.
It seems that it would not be diffecult to have the AP directed toward a AD server. Cisco's VPN hardware does this nicely already. I'll put a feature request into our SE and see where it goes.
Thanks for the reply.
Maybe you are looking for
-
Remote Panel and Internet Explorer
Hello. I have a problem with a Remote Panel and Internet Explorer. I create a measurement system in LabVIEW. It�s composed of a main front panel and a few subVIs with independent front panels opened from main Front Panel when I press appropriate butt
-
How to connect Iphone4s and Ipad2 through bluetooth
How to connect Iphone 4s and Ipad2 through bluetooth normally as we do for some general phone
-
How to create BMP without "renderasimage" ?
Hi... I wrote a drawing program, using "pencilplay" example project. But I used "renderasimage" to return forte iamge object for saving a image file instead of using forte objects. It is very simple, but the image oject returned was dependent on my W
-
JDeveloper/MySql: 'access denied'
I'm trying to develop a web application using JDeveloper/MySql... My 'try-out' servlet ends here: conn = DriverManager.getConnection("jdbc:mysql://localhost/eyes?user=me&password=pwd"); saying "Access denied for user 'me'@'localhost.localdomain' (usi
-
Firefox 29 crashes on Solaris 10
I recently downloaded both the "pkg" and "tar" packages for Firefox 29 for Solaris 10 from "http://download-origin.cdn.mozilla.net/pub/mozilla.org/firefox/releases/29.0/contrib/". On two different Solaris 10 servers after either install, I find that