PIX 501 and AAA Radius Server

Similar Messages

• Cisco ISE with both internal and External RADIUS Server

  Hi
  I have ISE 1.2 , I configured it as management monitor and PSN and it work fine
  I would like to know if I can integrate an external radius server and work with both internal and External RADIUS Server simultanously
  So some computer (groupe_A in active directory ) will continu to made radius authentication on the ISE internal radius and other computer (groupe_B in active directory) will made radius authentication on an external radius server
  I will like to know if it is possible to configure it and how I can do it ?
  Thanks in advance for your help
  Regards
  Blaise

  Cisco ISE can function both as a RADIUS server and as a RADIUS proxy server. When it acts as a proxy server, Cisco ISE receives authentication and accounting requests from the network access server (NAS) and forwards them to the external RADIUS server. Cisco ISE accepts the results of the requests and returns them to the NAS.
  Cisco ISE can simultaneously act as a proxy server to multiple external RADIUS servers. You can use the external RADIUS servers that you configure here in RADIUS server sequences. The External RADIUS Server page lists all the external RADIUS servers that you have defined in Cisco ISE. You can use the filter option to search for specific RADIUS servers based on the name or description, or both. In both simple and rule-based authentication policies, you can use the RADIUS server sequences to proxy the requests to a RADIUS server.
  The RADIUS server sequence strips the domain name from the RADIUS-Username attribute for RADIUS authentications. This domain stripping is not applicable for EAP authentications, which use the EAP-Identity attribute. The RADIUS proxy server obtains the username from the RADIUS-Username attribute and strips it from the character that you specify when you configure the RADIUS server sequence. For EAP authentications, the RADIUS proxy server obtains the username from the EAP-Identity attribute. EAP authentications that use the RADIUS server sequence will succeed only if the EAP-Identity and RADIUS-Username values are the same.

• AnyConnect SSL-client Certificate AND AAA RADIUS

  Hi All,
  I'm trying to setup Anyconnect VPN Phone feature. I have the license, and I have been able to get the phone to authenticate / register etc with a username / password.
  I want to use the cert on the phone, use the CN as the username and just verify that against my ACS server via RADIUS.... Easier said than done. The ASA is grabbing the Username, but for the life of me, i can't get it to send the username over to the RADIUS server. I have enabled all sorts of aaa and radius debugging and just get no output at all...
  Here are some relevant log messages I'm getting:
  Starting SSL handshake with client outside:72.91.xx.xx/42501 for TLSv1 session
  Certificate was successfully validated. serial number: 5C7DB8EB000000xxxxxx, subject name:  cn=CP-7942G-SEP002155551BD7,ou=EVVBU,o=Cisco Systems Inc..
  Certificate chain was successfully validated with warning, revocation status was not checked.
  Tunnel group search using certificate maps failed for peer certificate:  serial number: 5C7DB8EB000000xxxxxx, subject name:  cn=CP-7942G-SEP002155551BD7,ou=EVVBU,o=Cisco Systems Inc., issuer_name:  cn=Cisco Manufacturing CA,o=Cisco Systems.
  Device completed SSL handshake with client outside:72.91.xx.xx/42501
  Group SSLClientProfile: Authenticating ssl-client connection from  72.91.14.42 with username, CP-7942G-SEP002155551BD7, from client  certificate
  Teardown TCP connection 35754 for outside:72.91.xx.xx/42501 to  identity:173.227.xxx.xxx/443 duration 0:00:05 bytes 5473 TCP Reset by  appliance
  Relevant Config:
  tunnel-group SSLClientProfile type remote-access
  tunnel-group SSLClientProfile general-attributes
  authentication-server-group RADIUS
  default-group-policy GroupPolicy1
  tunnel-group SSLClientProfile webvpn-attributes
  authentication aaa certificate
  radius-reject-message
  pre-fill-username ssl-client
  group-alias SSLClientProfile enable
  group-url https://URL enable
  group-policy GroupPolicy1 internal
  group-policy GroupPolicy1 attributes
  wins-server none
  dns-server value <ip1> <ip2>
  vpn-tunnel-protocol ssl-client
  default-domain value xxxxxxxx
  address-pools value VPNPOOL
  aaa-server RADIUS protocol radius
  aaa-server RADIUS (inside) host 192.168.102.242
  key *****
  aaa-server RADIUS (inside) host 192.168.240.242
  key *****
  ASA version 8.4
  What am I doing wrong? It will not send the request to the AAA server, very much frustating me...

  PRogress....
  I changed the authentication to Certificate ONLY and set authorization to be RADIUS... now it's sending the request to my ACS server. Next question: What's the password that's being sent? Is it blank? I've tried the phone's whole username, tried the MAC and tried just the SEP part. No Dice. Thoughts?

• Aaa radius server control privilege level

  I've got radius authentication working on my switch, but I'm trying to allow two types of users login using Windows Active Directory. NetworkUsers who can view configuration and NetworkAdmins who can do anything. I would like for NetworkAdmins to when they login go directly into privilege level 15 but cant get that part to work. Here is my setup:
  Windows 2008 R2 Domain controller with NPS installed.
  Radius client: I have the IP of the switch along with the key. I have cisco selected under the vendor name in the advance tab
  Network Policies:
  NetworkAdmins which has the networkadmin group under conditions and under settings i have nothing listed under Standard and for Vendor Specific i have :
  Cisco-AV-Pair    Cisco    shell:priv-lvl=15
  My switch config:
  aaa new-model
  aaa group server radius MTFAAA
   server name dc-01
   server name dc-02
  aaa authentication login NetworkAdmins group MTFAAA local
  aaa authorization exec NetworkAdmins group MTFAAA local
  radius server dc-01
   address ipv4 10.0.1.10 auth-port 1645 acct-port 1646
   key 7 ******
  radius server dc-02
   address ipv4 10.0.1.11 auth-port 1645 acct-port 1646
   key 7 ******
  No matter what i do it doesnt default to privilege level 15 when i login. Any thoughts

  Have you specified the authorization exec group under line vty? I think it is authorization exec command. Something like that.

• WLC2106 and External Radius Server

  I have a linux freeradius running fine.
  I have a WLC2106 configured and running fine.
  I have created a Wlan and I am trying to have authentication done by linux freeradius server, but controller even try to reach radius server.
  Any sugestion?
  Tks
  Rosa
  First of all radius configuration:
  Wlan configuration

  Thanks Jatin.
  Yes, I have defined linux server.
  I guess info can not go through and reach linux server because of a combination of some
  config like Radius Server Overwrite interface and Allow AAA Override

• Persistent VPN between PIX 501 and ASA 5505

  I am a networking newbie with 2 small retail stores. I would like to create a persistent VPN between the stores. I already have a PIX 501 firewall, and I am looking at getting an ASA 5505. Would I have any problems creating a persistent VPN between these two firewalls?

  No problems whatsoever :-)
  There are loads of examples for the config on the Cisco website, and basically these boxes can run exactly the same software, so the config on each is virtually the same. Main difference is the ASA defines the interfaces in a different way. Even if you have different versions of software, say 6.3 on the PIX and 7.2 on the ASA they will still work fine for the VPN, just the configs will be a lot more different. Hope this helps to remove any worries you had?

• Problems with re authentications in a wireless with WLC working with web authentication and a radius server

  Hi everyone, im having problems in a wireless network, the SSID has security layer 2 WPA, layer 3 web authentication (internal default page), and external RADIUS.
  When a client makes a roaming from one AP to another one or when he has a idle time, he needs to re authenticate in the web login page. Somebody knows a solution to avoid this behavior?. Or somebody has a troubleshooting way to determine why the clients have this problems??

  A few things I can share that might help .. Your actually feet on the ground will be importnat to see this issue for yourself.
  I know when a client or if the AP sends a DEAUTH frame the client will need to reestablish its connection and it will 100% of the time require a new web auth. If a client loses connection while roaming and a DEAUTH is sent on either side you will get the page. If youre client isnt romaing cleanly this can be a problem.
  Another problem is your using EAP. Are you using CCK or a device that supports OKC. What does your radius server say when a client roams ?
  You could also simply your config and then reapply your security and see where it breaks. By this I mean. For testing, create a SSID turn off security and leave layer 3 web auth on. Roam and see what happens. If it works, then start to apply the security and see where it breaks.
  "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
  ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

• WLC 5508 and Microsoft Radius Server 2008

  Hi, I am trying to setup WLC 5508 for a customer who want to use MS NPS for Radius authentication, however there aren't many good documents showing how to configure the MS NPS.
  I have couple of questions:
  1, Does WLC 5508 support MS NPS on Server 2008 R2?
  2, Are there any good document showing how to configure this?
  Thanks

  Hadisharifi,
  There is no single document that we can pick for configuring WLC and NPS. However, you may visit the below listed document for NPS  and WLC side configuration:
  Configure the WLC for RADIUS Authentication through an External RADIUS Server
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml#c2
  Fo the NPS side configuration, you may consider the attached document.
  Regds,
  JK
  Do rate helpful posts-

• Pix 501 and H323

  Thank you in advanced.
  Is video teleconference supported on the PIX 501?
  I am trying to configure a static router from the inside to the outside using static routers and I can not do it.
  Please can some one send me config examples if Pix 501 supports VIdeo COnferencing using H323.
  Cristian

  Have a look here:
  http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278b.html#wp1079378
  If connectivity still fails, a look at the pix log might help ('sh log').

• PIX 501 and UPnP

  Does the PIX 501 support UPnP? According to an older post, "PIX is currently not UPnP aware." The eight-year old answer lead to a "Request for UPnP support in PIX": https://tools.cisco.com/bugsearch/bug/CSCdy26037. If it has been made "aware" where would I find a resource on enabling it? Thanks.

  Agree with Steven, most if not all of our recommendations to clients is to use the newer asa firewall products in a migration path, beside, not will the asa5505 provide you with up to 20 virtual interfaces with Sec plus license, but other numerous features pix code 6.3(5) does not come close to providing.
  Ultimatelly the pix 506 cannot go beyond code 6.3(5) and probably give you up to 2 vlans maximun, and from clients experience out there they end up in a dead lock when needing new features, you want to have a product in your network whether is small that would be able to move forward with 7.x/8.x codes.
  If the above is not of a concern at all, then what Andrew sugested would work.
  Rgds
  -Jorge

• PIX 501 and Java

  Hello,
  Trying to move some servers today and lo and behold this.... not good news...
  Does anyone have an easy workaround for the Java issue for a Cisco Pix 501? Is there an easy way to revert to older versions of Java without affecting everything else? Does QuickTime use Java? This is very frustrating.
  http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/productsfieldnotice09186a008046c805.shtml
  "Customers running these versions of PDM or IDM should either uninstall the newer Java Plug-Ins and re-install previous versions of the Java Plug-In, or upgrade their PDM and IDM images to the versions indicated in the following table."
  Thanks,
  Rich

  Rich,
  Welcome to the forums.
  This notice doesn't apply to using Java programs or applets.
  It specifically applies to computers that will need to access the PDM or IDM to make changes.
  "Impacted PDM and IDM versions will not load when launched from a browser"
  As long as you don't need to access the PDM or IDM from the browser, you don't need to worry about this advisory.
  If you do, my advice would be to upgrade the PIX, as that seems the most logical thing to do (especially as it's a fix that Cisco has already released).

• PIX 501 and Linksys VPN Router (WRV200)

  I have inherited a job where we have a Cisco PIX 501 firewall at one site, and Linksys WRV200 VPN Router on two other
  sites. I have been asked to connect these Linksys routers to the PIX firewall via VPN.
  I believe the Linksys vpn routers can only connect via IPSec VPN, so i am looking for help on configuring the PIX 501 to allow the linksys to connect with the following parameters, if possible.
  Key Exchange Method: Auto (IKE)
  Encryption: Auto, 3DES, AES128, AES192, AES256
  Authentication: MD5
  Pre-Shared Key: xxx
  PFS: Enabled/Disabled
  ISAKMP Key Lifetime: 28800
  IPSec Key Lifetime: 3600
  On the PIX i have the PDM installed and i have tried using the VPN Wizard to no avail.
  I chose the following settings when doing the VPN Wizard:
  Type of VPN: Remote Access VPN
  Interface: Outside
  Type of VPN Client Device used: Cisco VPN Client
  (can choose Cisco VPN 3000 Client, MS Windows Client using PPTP, MS Windows client using L2TP)
  VPN Client Group
  Group Name: RabyEstates
  Pre Shared Key: rabytest
  Extended Client Authentication: Disabled
  Address Pool
  Pool Name: VPN-LAN
  Range Start: 192.168.2.200
  Range End: 192.168.2.250
  DNS/WINS/Default Domain: None
  IKE Policy
  Encryption: 3DES
  Authentication: MD5
  DH Group: Group 2 (1024-bit)
  Transform Set
  Encryption: 3DES
  Authentication: MD5
  I have attached the VPN log from the Linksys VPN Router.
  This is the first time i've ever worked with PIX so i'm still trying to figure the thing out, but i'm confident with CCNA level networking.
  Thanks for your help!

  Hi again,
  I believe the pix has a 3des license because of the following parts of the "show version"
  Licensed Features:
  Failover: Disabled
  VPN-DES: Enabled
  VPN-3DES-AES: Enabled
  This PIX has a Restricted (R) license.
  I've tried reconnecting the VPN tunnel with debugging on the PIX and get the output as shown in the attached file "vpndebug.txt"
  As for the other show commands they give:
  pixfirewall# show crypto isakmp sa
  Total : 0
  Embryonic : 0
  dst src state pending created
  pixfirewall# show crypto ipsec sa
  interface: outside
  Crypto map tag: transam, local addr. 10.0.0.1
  local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
  current_peer: 10.0.0.2:0
  PERMIT, flags={origin_is_acl,}
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
  #send errors 0, #recv errors 0
  local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
  path mtu 1500, ipsec overhead 0, media mtu 1500
  current outbound spi: 0
  inbound esp sas:
  inbound ah sas:
  inbound pcp sas:
  outbound esp sas:
  outbound ah sas:
  outbound pcp sas:
  pixfirewall#
  Thanks again Daniel, i really appreciate your help on this matter.

• Pix 501 and Client VPN's

  Hi, I've had this 501 for several months now and really stuggled to get the client VPN side working.
  I can get site to site working with no problems using the wizard but the Client VPN never works.
  Latest i've set it up for pptp which I can get the client to connect with no problems but fails to get any traffic from the pix - I can however ping the remote PC from a PC behind the PIX.
  I'm setting these up by the PDM buy i've attached a copy of the config anyway.
  Best,
  Chris

  Hi Kamal.
  It didnt like the command
  nat (inside) 0 access0list nonat
  I can attach via Cisco VPN Client but the same occurs - I can ping the remote from the network - but not the other way round.
  Config attached. - Best, Chris
  : Written by enable_15 at 02:14:05.990 UTC Mon Feb 12 2007
  PIX Version 6.3(5)
  interface ethernet0 auto
  interface ethernet1 100full
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  enable password xxx
  passwd xxx
  hostname pixfirewall
  domain-name ciscopix.com
  fixup protocol dns maximum-length 512
  fixup protocol ftp 21
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol http 80
  fixup protocol rsh 514
  fixup protocol rtsp 554
  fixup protocol sip 5060
  fixup protocol sip udp 5060
  fixup protocol skinny 2000
  fixup protocol smtp 25
  fixup protocol sqlnet 1521
  fixup protocol tftp 69
  names
  access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
  access-list outside_cryptomap_dyn_20 permit ip any 10.10.10.0 255.255.255.240
  access-list split permit ip 192.168.1.0 255.255.255.0 any
  pager lines 24
  mtu outside 1500
  mtu inside 1500
  ip address outside 213.x.146.72 255.255.x.0
  ip address inside 192.168.1.1 255.255.255.0
  ip audit info action alarm
  ip audit attack action alarm
  ip local pool vpnpool 10.10.10.1-10.10.10.10
  pdm logging informational 100
  pdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 1 0.0.0.0 0.0.0.0 0 0
  route outside 0.0.0.0 0.0.0.x.249.x.65 1
  timeout xlate 0:05:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
  timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout sip-disconnect 0:02:00 sip-invite 0:03:00
  timeout uauth 0:05:00 absolute
  aaa-server TACACS+ protocol tacacs+
  aaa-server TACACS+ max-failed-attempts 3
  aaa-server TACACS+ deadtime 10
  aaa-server RADIUS protocol radius
  aaa-server RADIUS max-failed-attempts 3
  aaa-server RADIUS deadtime 10
  aaa-server LOCAL protocol local
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server community public
  no snmp-server enable traps
  floodguard enable
  sysopt connection permit-ipsec
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set myset esp-des esp-md5-hmac
  crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
  crypto dynamic-map cisco 1 set transform-set myset
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map client authentication LOCAL
  crypto map dyn-map 20 ipsec-isakmp dynamic cisco
  crypto map dyn-map interface outside
  isakmp enable outside
  isakmp nat-traversal 20
  isakmp policy 10 authentication pre-share
  isakmp policy 10 encryption 3des
  isakmp policy 10 hash md5
  isakmp policy 10 group 1
  isakmp policy 10 lifetime 86400
  isakmp policy 20 authentication pre-share
  isakmp policy 20 encryption 3des
  isakmp policy 20 hash md5
  isakmp policy 20 group 2
  isakmp policy 20 lifetime 86400
  vpngroup vpn address-pool vpnpool
  vpngroup vpn dns-server 192.168.1.1
  vpngroup vpn idle-time 1800
  vpngroup vpn password 634083
  vpngroup VPNclient split-tunnel split
  vpngroup VPNclient idle-time 1800
  vpngroup VPNclient password ******
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd address 192.168.1.2-192.168.1.33 inside
  dhcpd dns 89.238.129.211
  dhcpd lease 3600
  dhcpd ping_timeout 750
  dhcpd auto_config outside
  dhcpd enable inside
  username chris password 9DgK/T8KJkq.BhX6 encrypted privilege 15
  terminal width 80
  Cryptochecksum:xxx
  : end

• Integrating AAA Radius-server with Micro-soft IAS for SSH

  Hi,
  I am configuring aaa-server on ASA-5505(Radius) and i am Using microsoft IAS for authentication for SSH connections on ASA, so during " test aaa-server authentication " i getting this message
  ERROR: Authentication Server not responding: AAA decode failure.. server secret mismatch
  All users are there on active  directory  And below are the debug radius and debug aaa authentication.
  ASA# test aaa-server authentication SSH-TULIP-ASA host 172.16.1.10 usern$
  INFO: Attempting Authentication test to IP address <172.16.1.10> (timeout: 12 seconds)
  radius mkreq: 0xd4
  alloc_rip 0xd83bb99c
      new request 0xd4 --> 124 (0xd83bb99c)
  got user 'praveeny'
  got password
  add_req 0xd83bb99c session 0xd4 id 124
  RADIUS_REQUEST
  radius.c: rad_mkpkt
  RADIUS packet decode (authentication request)
  Raw packet data (length = 66).....
  01 7c 00 42 37 a4 0d c2 d3 10 09 0e 2f 3c c5 1a    |  .|.B7......./<..
  4b 28 41 e6 01 0a 70 72 61 76 65 65 6e 79 02 12    |  K(A...praveeny..
  a1 8f e1 ae 58 dd c2 52 d6 37 f7 32 13 3a 1c 71    |  ....X..R.7.2.:.q
  04 06 ac 1e 1e 06 05 06 00 00 00 0e 3d 06 00 00    |  ............=...
  00 05                                              |  ..
  Parsed packet data.....
  Radius: Code = 1 (0x01)
  Radius: Identifier = 124 (0x7C)
  Radius: Length = 66 (0x0042)
  Radius: Vector: 37A40DC2D310090E2F3CC51A4B2841E6
  Radius: Type = 1 (0x01) User-Name
  Radius: Length = 10 (0x0A)
  Radius: Value (String) =
  70 72 61 76 65 65 6e 79                            |  praveeny
  Radius: Type = 2 (0x02) User-Password
  Radius: Length = 18 (0x12)
  Radius: Value (String) =
  a1 8f ERROR: Authentication Server not responding: AAA decode failure.. server secret mismatch
  Tulip-ASA# e1 ae 58 dd c2 52 d6 37 f7 32 13 3a 1c 71    |  ....X..R.7.2.:.q
  Radius: Type = 4 (0x04) NAS-IP-Address
  Radius: Length = 6 (0x06)
  Radius: Value (IP Address) = 172.30.30.6 (0xAC1E1E06)
  Radius: Type = 5 (0x05) NAS-Port
  Radius: Length = 6 (0x06)
  Radius: Value (Hex) = 0xE
  Radius: Type = 61 (0x3D) NAS-Port-Type
  Radius: Length = 6 (0x06)
  Radius: Value (Hex) = 0x5
  send pkt 172.16.1.10/1645
  rip 0xd83bb99c state 7 id 124
  rad_vrfy() : bad req auth
  rad_procpkt: radvrfy fail
  RADIUS_DELETE
  remove_req 0xd83bb99c session 0xd4 id 124
  free_rip 0xd83bb99c
  radius: send queue empty
  Thanks in advance all comments and suggestion are welcome
  Regards,
  Praveen

  Hi,
  RADIUS as a protocol does not support command accounting, ie., logging of commands that a users enters once authenticated to a router/switch. You will need to use TACACS+ for this purpose. The aaa command accounting commands that you used has been removed from IOS since 12.2T. Please take a look at this for details: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCdp57020.
  Thanks,
  Wen

• WCS reports Radius server port 1813 up and down.

  Hi all,
  Help me on this, please. I use Radius server 172.20.104.253 and .254 port 1812 to authenticate some wireless clients. However, the .254 keep failling, deactivate on port 1813 (this is from the log); resulting some clients can't authenticate. How do I approach this? Why port 1813 fail effect the authentication which is on port 1812 ?
  Thanks.

  jedubois!
  I use Cisco ACS as my radius. For laptops, instead using pre-shared key, I use radius to authenticated the laptop. I create user/password on AD (username is laptop name). On laptop under Intel Proset/Wireless utility, I create a profile with this username. Upon startup, the Proset/Wireless utility authenticates this user this radius server; then gives the laptop wireless connectivity; no pre-shared key needed.
  On the WCS event view; radius server is timeout (activated and deactivated) every 2 seconds (like you said; it is default). But is on port 1813 and I config radius server on WCS on port 1812.
  My questions are what is ideal timeout on each radius server? and why radius server report timeout on port 1813 instead of 1812?
  FYI, I ping -t both of my radius servers. And radius servers are available all the time.
  Regards.