Programming tacacs &radius server-keys ?

I'm having an issue programming the tacacs & radius server-keys. I'm not sure if I missed a step or my use of the syntax. I appreciate any help you can provide. It's a first time for me and I'm attempting to duplicate an existing switch which states server-key 7 <removed>.
Thanks
Roy

Roy
I can appreciate that the first time doing this can seem daunting. But it really is not so difficult when you get right down to it.
The first thing to understand is that in the existing config the key has already been encrypted for storage on the switch. So what you see in the running config is crypto text and not really the exact key.
You have two options in how to configure your new switch:
- you could cut and paste the server key from the existing config to the new switch. So you would be inputting the type 7 encrypted key directly to the new switch.
- you could manually configure the key on the new switch. In this case you would configure
server-key <key_value>
where <key_value> is the clear text key to use. If you do this, and assuming that you have configured service password-encryption, then the switch will take the clear text key and will encrypt it for storage on the new switch.
HTH
Rick

Similar Messages

ASA 5585-X TACACS+/RADIUS Server

All,
Can the ASA 5585-X's act as a AAA TACACS+ and/or RADIUS server for network infrastructure devices?
I've used Cisco Secure ACS for TACACS and RADIUS AAA..
My client has ordered a bunch of them. They don't have an AAA solution and were just told they will need to implement AAA on network infrastructure devices.
Thanks for any information.
Stephanie

Adding to Jan's correct answer.
The current Cisco RADIUS offerings are either the ACS product (RADIUS and TACACS+) or Identity Services Engine (ISE - RADIUS only). Both are offered in both appliance and VM formats.
Beside NPS on Windows server, there are also open source projects of both RADIUS and TACACS servers available.

RADIUS Server is Unreachable

Hi All
i am using Cisco 3640 router.i have a problem with radius server.
i did basic aaa configuration but i still have problem...the problem is
01:30:39: RADIUS: Initial Transmit id 6 171.68.118.115:1645,
Access-Request, Len 67
01:30:39: Attribute 4 6 0A1F0196
01:30:39: Attribute 61 6 00000000
01:30:39: Attribute 1 11 70726F78
01:30:39: Attribute 2 18 E552A3E5
01:30:39: Attribute 6 6 00000005
01:30:44: RADIUS: Retransmit id 6
01:30:49: RADIUS: Retransmit id 6
01:30:59: RADIUS: Marking server 171.68.118.115 dead
01:30:59: RADIUS: Tried all servers.
01:30:59: RADIUS: No valid server found. Trying any viable server
01:30:59: RADIUS: Tried all servers.
01:30:59: RADIUS: No response for id 6
01:30:59: RADIUS: No response from server
01:30:59: AAA/AUTHEN (1597176845): status = ERROR
Can anyone help me....
Thanks

Dear Rick,
thanks for your reply.
We have check all options you've mentioned one by one. All are ok.
- We can ping - and get reply back
- No firewalls - direct connection via ethernet
We connected the same Radius server directly to a 4000 series Cisco Router and it worked fine.
When we use the same commands and setup on the Cisco 3640 we get the above message.
- Could it be the ethernet ports?
- or maybe the IOS of the router?
The IOS is: IOS (tm) 3600 Software (C3640-IK9S-M), Version 12.2(17a),
Any help will be much appreciated,
Kind Regards
Shefik
==================
sh version:
isco Internetwork Operating System Software
IOS (tm) 3600 Software (C3640-IK9S-M), Version 12.2(17a), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Thu 19-Jun-03 11:24 by pwade
Image text-base: 0x60008930, data-base: 0x61296000
ROM: System Bootstrap, Version 11.1(20)AA2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
ISPACCESS uptime is 1 day, 2 hours, 24 minutes
System returned to ROM by power-on
System image file is "flash:c3640-ik9s-mz.122-17a.bin"
cisco 3640 (R4700) processor (revision 0x00) with 125952K/5120K bytes of memory.
Processor board ID 17632609
R4700 CPU at 100Mhz, Implementation 33, Rev 1.0
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
2 FastEthernet/IEEE 802.3 interface(s)
DRAM configuration is 64 bits wide with parity disabled.
125K bytes of non-volatile configuration memory.
32768K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
Building configuration...
Current configuration : 1136 bytes
version 12.2
service config
service timestamps debug uptime
service timestamps log uptime
service password-encryption
hostname ISPACCESS
aaa new-model
aaa group server radius test
server 202.52.62.104 auth-port 1812 acct-port 1813
aaa authentication login secure1 group test
aaa authentication ppp default group radius
aaa authorization network default group radius
enable secret 5
username xxxx password 7
username xxxxx password 7
ip subnet-zero
call rsvp-sync
interface FastEthernet0/0
ip address 192.168.1.250 255.255.255.0
duplex auto
speed auto
interface FastEthernet0/1
ip address 220.245.140.46 255.255.255.248
ip access-group 115 in
duplex auto
speed auto
ip classless
ip route 0.0.0.0 0.0.0.0 220.245.140.41
ip http server
access-list 115 permit tcp any any
radius-server host 202.52.62.104 auth-port 1812 acct-port 1813
radius-server key 7
dial-peer cor custom
privilege exec level 7 clear line
line con 0
password 7
line aux 0
line vty 0 3
password 7
line vty 4
login authentication secure1
end

EAP-TLS with Radius Server configuration (1130AG)

Hi All,
Im currently tryign to get eap-tls user certificate based wireless authentication working. The mismatch of guides im trying to follow has me ocming up trumps with success so far, so heres hoping you guys can right me wrongs and put me on the right path again.
My steps for radius:- (i think this part ive actually got ok)
http://technet.microsoft.com/en-us/library/dd283091(v=ws.10).aspx
Steps for the wirless profile on a win 7 client:- this has me confused all over the place
http://technet.microsoft.com/en-us/library/dd759246.aspx
My 1130 Config:-
[code]
Current configuration : 3805 bytes
! Last configuration change at 11:57:56 UTC Fri Jan 25 2013 by apd
! NVRAM config last updated at 14:43:51 UTC Fri Jan 25 2013 by apd
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname WAP1
aaa new-model
aaa group server radius RAD_EAP
server 10.1.1.29 auth-port 1812 acct-port 1813
aaa authentication login default local
aaa authentication login EAP_LOGIN group RAD_EAP
aaa authorization exec default local
aaa authorization network default local
aaa session-id common
ip domain name ************
dot11 syslog
dot11 ssid TEST
   authentication open eap EAP_LOGIN
   authentication network-eap EAP_LOGIN
   guest-mode
crypto pki trustpoint TP-self-signed-1829403336
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1829403336
revocation-check none
rsakeypair TP-self-signed-1829403336
quit
username ***************
ip ssh version 2
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
ssid TEST
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
ssid TEST
no dfs band block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address 10.1.2.245 255.255.255.0
ip helper-address 10.1.1.27
no ip route-cache
no ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
radius-server host 10.1.1.29 auth-port 1812 acct-port 1813 key **************
radius-server key ************
bridge 1 route ip
line con 0
logging synchronous
transport preferred ssh
line vty 0 4
logging synchronous
transport input ssh
sntp server 130.88.212.143
end
[/code]
and my current debug
[code]
Jan 25 12:00:56.703: dot11_auth_send_msg: sending data to requestor status 1
Jan 25 12:00:56.703: dot11_auth_send_msg: Sending EAPOL to requestor
Jan 25 12:00:56.703: dot1x-registry:registry:dot1x_ether_macaddr called
Jan 25 12:00:56.703: dot11_auth_dot1x_send_id_req_to_client: Client 74de.2b81.56c4 timer started for 30 seconds
WAP1#
Jan 25 12:01:26.698: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 74de.2b81.56c4
Jan 25 12:01:26.698: dot11_auth_dot1x_send_client_fail: Authentication failed for 74de.2b81.56c4
Jan 25 12:01:26.698: dot11_auth_send_msg: sending data to requestor status 0
Jan 25 12:01:26.698: dot11_auth_send_msg: client FAILED to authenticate 74de.2b81.56c4, node_type 64 for application 0x1
Jan 25 12:01:26.699: dot11_auth_delete_client_entry: 74de.2b81.56c4 is deleted for application 0x1
Jan
WAP1#25 12:01:26.699: %DOT11-7-AUTH_FAILED: Station 74de.2b81.56c4 Authentication failed
Jan 25 12:01:26.699: dot11_aaa_upd_accounting: Updating attributes for user: 74de.2b81.56c4
Jan 25 12:01:26.699: dot11_aaa_upd_accounting: Updating attributes for user: 74de.2b81.56c4
Jan 25 12:01:26.699: dot11_auth_client_abort: Received abort request for client 74de.2b81.56c4
Jan 25 12:01:26.699: dot11_auth_client_abort: No client entry to abort: 74de.2b81.56c4 for application 0x1
Jan 25 12:01:27.580: AAA/BIND(000000
WAP1#12): Bind i/f
Jan 25 12:01:27.580: dot11_auth_add_client_entry: Create new client 74de.2b81.56c4 for application 0x1
Jan 25 12:01:27.580: dot11_auth_initialize_client: 74de.2b81.56c4 is added to the client list for application 0x1
Jan 25 12:01:27.581: dot11_auth_add_client_entry: req->auth_type 0
Jan 25 12:01:27.581: dot11_auth_add_client_entry: auth_methods_inprocess: 2
Jan 25 12:01:27.581: dot11_auth_add_client_entry: eap list name: EAP_LOGIN
Jan 25 12:01:27.581: dot11_run_auth_methods: Start aut
WAP1#h method EAP or LEAP
Jan 25 12:01:27.581: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
Jan 25 12:01:27.581: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 74de.2b81.56c4
Jan 25 12:01:27.581: EAPOL pak dump tx
Jan 25 12:01:27.581: EAPOL Version: 0x1 type: 0x0 length: 0x002B
Jan 25 12:01:27.581: EAP code: 0x1 id: 0x1 length: 0x002B type: 0x1
01801670:                   0100002B 0101002B          ...+...+
01801680: 01006E65 74776F72 6B69643D 54455354 ..networkid=TEST
WAP1#
01801690: 2C6E6173 69643D41 50445741 50312C70 ,nasid=WAP1,p
018016A0: 6F727469 643D30                      ortid=0
Jan 25 12:01:27.582: dot11_auth_send_msg: sending data to requestor status 1
Jan 25 12:01:27.582: dot11_auth_send_msg: Sending EAPOL to requestor
Jan 25 12:01:27.582: dot1x-registry:registry:dot1x_ether_macaddr called
Jan 25 12:01:27.583: dot11_auth_dot1x_send_id_req_to_client: Client 74de.2b81.56c4 timer started for 30 seconds
WAP1#
[/code]
Can anyone point me in the right direction with this?
i also dont like it that you can attempt to join the network first before failing
can i have user cert based + psk? and then apply it all by GPO
Thanks for any help

ok ive ammdened the wireless profile as suggested
i already have the root ca and a user certificate installed with matching usernames
I had already added the radius device to the NPS server and matched the keys to the AP
now heres the debug im getting, when i check the NPS server, still doesnt look like its getting any requests at all :|
Jan 29 11:53:13.501: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 74de.2b81.56c4
Jan 29 11:53:13.501: dot11_auth_dot1x_send_client_fail: Authentication failed for 74de.2b81.56c4
Jan 29 11:53:13.501: dot11_auth_send_msg: sending data to requestor status 0
Jan 29 11:53:13.501: dot11_auth_send_msg: client FAILED to authenticate 74de.2b81.56c4, node_type 64 for application 0x1
Jan 29 11:53:13.501: dot11_auth_delete_client_entry: 74de.2b81.56c4 is deleted for application 0x1
Jan
WAP1#29 11:53:13.501: dot11_mgr_disp_callback: Received message from Local Authenticator
Jan 29 11:53:13.501: dot11_mgr_disp_callback: Received FAIL from Local Authenticator
Jan 29 11:53:13.501: dot11_mgr_sm_run_machine: Executing Action(BRIDGE,AUTHENTICATOR_FAIL) for 74de.2b81.56c4
Jan 29 11:53:13.502: dot11_mgr_sm_send_client_fail: Authentication failed for 74de.2b81.56c4
Jan 29 11:53:13.502: %DOT11-7-AUTH_FAILED: Station 74de.2b81.56c4 Authentication failed
Jan 29 11:53:13.502: dot11_mgr_disp_auth_abort
WAP1#: Sending abort request for client 74de.2b81.56c4 to local Authenticator
Jan 29 11:53:13.502: dot11_auth_client_abort: Received abort request for client 74de.2b81.56c4
Jan 29 11:53:13.502: dot11_auth_client_abort: No client entry to abort: 74de.2b81.56c4 for application 0x1
Jan 29 11:53:14.619: AAA/BIND(00000019): Bind i/f
Jan 29 11:53:14.619: dot11_mgr_disp_auth_request: Send auth request for client 74de.2b81.56c4 to local Authenticator
Jan 29 11:53:14.619: dot11_auth_add_client_entry: Create new c
WAP1#lient 74de.2b81.56c4 for application 0x1
Jan 29 11:53:14.620: dot11_auth_initialize_client: 74de.2b81.56c4 is added to the client list for application 0x1
Jan 29 11:53:14.620: dot11_auth_add_client_entry: req->auth_type 0
Jan 29 11:53:14.620: dot11_auth_add_client_entry: auth_methods_inprocess: 2
Jan 29 11:53:14.620: dot11_auth_add_client_entry: eap list name: EAP_LOGIN
Jan 29 11:53:14.620: dot11_run_auth_methods: Start auth method EAP or LEAP
Jan 29 11:53:14.620: dot11_auth_dot1x_start: in the dot11
WAP1#_auth_dot1x_start
Jan 29 11:53:14.620: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 74de.2b81.56c4
Jan 29 11:53:14.620: EAPOL pak dump tx
Jan 29 11:53:14.621: EAPOL Version: 0x1 type: 0x0 length: 0x002B
Jan 29 11:53:14.621: EAP code: 0x1 id: 0x1 length: 0x002B type: 0x1
01808560: 0100002B 0101002B 01006E65 74776F72 ...+...+..networ
01808570: 6B69643D 54455354 2C6E6173 69643D41 kid=TEST,nasid=A
01808580: 50445741 50312C70 6F727469 643D30    WAP1,portid=0
Jan 29 11:53
WAP1#:14.621: dot11_auth_send_msg: sending data to requestor status 1
Jan 29 11:53:14.621: dot11_auth_send_msg: Sending EAPOL to requestor
Jan 29 11:53:14.622: dot11_mgr_disp_callback: Received message from Local Authenticator
Jan 29 11:53:14.622: dot11_mgr_disp_callback: Received DOT11_AAA_EAP from Local Authenticator
Jan 29 11:53:14.622: dot11_mgr_sm_run_machine: Executing Action(BRIDGE,AUTHENTICATOR_REPLY) for 74de.2b81.56c4
Jan 29 11:53:14.622: dot11_mgr_sm_send_response_to_client: Forwarding Authenti
WAP1#cator message to client 74de.2b81.56c4
Jan 29 11:53:14.622: EAPOL pak dump tx
Jan 29 11:53:14.622: EAPOL Version: 0x1 type: 0x0 length: 0x002B
Jan 29 11:53:14.622: EAP code: 0x1 id: 0x1 length: 0x002B type: 0x1
01808690:                   0100002B 0101002B          ...+...+
018086A0: 01006E65 74776F72 6B69643D 54455354 ..networkid=TEST
018086B0: 2C6E6173 69643D41 50445741 50312C70 ,nasid=WAP1,p
018086C0: 6F727469 643D30                      ortid=0
Jan 29 11:53:14.623: dot1x-regi

Leap, tacacs+/radius fixed ip (pool)

dear,
Is there a way while using leap & mobile ip technology to make it happen when a users becomes associated to an ap (proxy mobile) he always obtains an ip adres from a predefined pool or just one personal ip-adress which we define on our tacacs+/radius server without it having configured statically on the user's computer.
Purpose is for some external consultants browsing around our wireless network, to home them in a segment behind our firewall using mobile ip, but giving the person an ip-adres based on his credentials (tacacs+/radius server) so based on that we can buld a rulebase on our firewall and allow only restricted access to intra or internet. So what we want is actually a user-to-ip mapping without need to configure it on computer or authenticate multiple times. We have something similar with dial-in routers, but I don't find any documentation if we could do something similar with our wireless infrastructure.
Any hints or info would be helpfull.
H.

No, this can't work - you can't use RADIUS to tell an AP which IP address to give to which client, because the AP is not directly involved in assigning layer 3 addresses to clients. It is (basically) only a layer 2 device.

Access denied when ssh in window server 2008 after set it as radius server

yesterday i succeed to use aaa to login and can see aaa in sh aaa session
https://murison.wordpress.com/2010/11/11/cisco-radius-configuration-with-server-2008-r2/
today i simulate again, it access denied, do not know where is wrong
win 192.168.2.12 --- switch 192.168.2.5 --- 192.168.2.1 R1
R1
conf t
hostname router1
int FastEthernet0/0
ip address 192.168.2.1 255.255.255.0
no shut
end
conf t
ip route 192.168.2.0 255.255.255.0 192.168.2.5
end
enable
configure terminal
enable secret cisco
end
conf t
aaa new-model
username radiusclient privilege 15 password 0 cisco
crypto key generate rsa
ip ssh time-out 60
ip ssh version 2
line vty 0 4
transport input ssh
exit
line vty 5 15
transport input ssh
exit
ip domain-name radius1.local
radius-server host 192.168.2.12
radius-server key cisco
aaa group server radius NPSSERVER
server 192.168.2.12
exit
aaa authentication login default group NPSSERVER local
aaa authorization exec default group NPSSERVER local
exit
R2
conf t
vlan 10
int vlan 10
ip address 192.168.2.5 255.255.255.0
end
conf t
hostname router2
int FastEthernet1/0
switchport
switchport access vlan 10
switchport mode access
shutdown
no shut
end
conf t
hostname router2
int FastEthernet1/1
switchport
switchport access vlan 10
switchport mode access
shutdown
no shut
end
conf t
hostname router2
int FastEthernet1/2
switchport
switchport access vlan 10
switchport mode access
shutdown
no shut
end
R3
conf t
hostname router3
int FastEthernet0/0
ip address 192.168.2.7 255.255.255.0
no shut
end
conf t
ip route 192.168.2.0 255.255.255.0 192.168.2.5
end

Hi,
The configuration looks fine. What do you see in radius server as the reason for authentication failure?
Regards,
Kanwal
Note: Please mark answers if they are helpful.

Primary-secondary radius server configuration

Hi all ,
I have a couple of ACS 5.2 configured as active and backup and I am doing dot 1x authentication using these servers . I have configured the switch with the bellow configuration.
radius-server host 10.0.10.15 auth-port 1645 acct-port 1646
radius-server host 10.0.10.16 auth-port 1645 acct-port 1646
radius-server key 7 aaaaaaaaaaaaaa
please help to understand what will happen in switch
1) in case of primary failure
2)in case if primary returns alive .
thanks in advance ,
Selva

Hi Selva,
You need to post all your AAA config. the above lines show you added the radius servers but it is not necessarily all server will be reached. We need to look into the AAA config to see what server groups are configured and what servers under the groups.
In general, if things are configured correctly:
- If the primary did not reply at all (down, not reachable...etc) the AAA client (switch in your case) will try the next radius server.
- If the primary server replies (with access-reject, error, ...etc) the AAA client (switch in your case) send auth failure to the host.
HTH
Amjad
Rating useful replies is more useful than saying "Thank you"

Please Help: 3550 lab switch locked by radius server

Hi All,
Any idea? After clean up all routers and switches config files, sw3 still asks for radius username and password.
When console login and using 3550 password recovery procedure, it still asks for username and password.
When config aaa new-model, no username is asked only the passowrd cisco in typed in. (please see detail config file in the following)
Note: This is for CCIE R&S home lab rack.
==========
// radius server locks sw3
Access-Server#9
[Resuming connection 9 to sw3 ... ]
User Access Verification
Username:
Username: cisco
Password:
% Backup authentication
00:27:36: %RADIUS-4-RADIUS_DEAD: RADIUS server 150.100.1.254:1645,1646 is not responding.
00:27:36: %RADIUS-4-RADIUS_ALIVE: RADIUS server 150.100.1.254:1645,1646 has returned.
Username:
===========
sw3#sh run
Building configuration...
Current configuration : 4655 bytes
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname sw3
aaa new-model
aaa authentication dot1x default group radius
aaa session-id common
mls qos
ip subnet-zero
ip routing
no ip domain-lookup
dot1x system-auth-control
dot1x guest-vlan supplicant
no file verify auto
interface FastEthernet0/11
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x guest-vlan 999
dot1x auth-fail vlan 999
interface FastEthernet0/12
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x guest-vlan 999
dot1x auth-fail vlan 999
interface FastEthernet0/13
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x guest-vlan 999
dot1x auth-fail vlan 999
interface FastEthernet0/14
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x guest-vlan 999
dot1x auth-fail vlan 999
interface FastEthernet0/15
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x guest-vlan 999
dot1x auth-fail vlan 999
interface FastEthernet0/16
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x guest-vlan 999
dot1x auth-fail vlan 999
interface FastEthernet0/17
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x guest-vlan 999
dot1x auth-fail vlan 999
interface FastEthernet0/18
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x guest-vlan 999
dot1x auth-fail vlan 999
interface FastEthernet0/19
switchport mode dynamic desirable
channel-group 1 mode desirable
interface FastEthernet0/20
switchport mode dynamic desirable
channel-group 1 mode desirable
interface FastEthernet0/21
switchport mode dynamic desirable
interface FastEthernet0/22
switchport mode dynamic desirable
interface FastEthernet0/23
switchport mode dynamic desirable
channel-group 2 mode desirable
interface FastEthernet0/24
switchport mode dynamic desirable
channel-group 2 mode desirable
interface GigabitEthernet0/1
switchport mode dynamic desirable
interface GigabitEthernet0/2
switchport mode dynamic desirable
interface Vlan1
no ip address
shutdown
ip classless
ip http server
ip http secure-server
radius-server host 150.100.1.254 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key cisco

try to do password recovery per cisco doc, but config.text file is missing from flash dir:
switch: dir flash:
Directory of flash:/
2 -rwx 5276 syslog
3 -rwx 0 env_vars
4 -rwx 7131928 c3550-ipservicesk9-mz.122-25.SEE.bin
5 drwx 64 crashinfo
24 -rwx 326 system_env_vars
7 drwx 192 c3550-i9q3l2-mz.121-13.EA1a
26 -rwx 24 private-config.text

Tacacs-server key working in some Cisco switches for AAA, but not in other switches???

Good day,
Has anyone experienced this before? I am using Cisco ACS 5.2. I have a very simple word (no, not cisco ) for my tacacs-server key. I've used the same key within the ACS and on two other Cisco switches, and AAA is working fine between the two switches; however, in setting up the key via the ACS and on a third Cisco switch and using PuTTY, I'm getting the error of "Access Denied. Using keyboard-interactive authentication."
I've re-entered the simple tacacs key multiple times within the ACS and on the switch making sure to not fat finger or misspell it.
I don't think there is a problem with the AAA setup I have within the switches as all of the AAA configs are the same on every switch we have.
Any other possible ideas anyone can suggest?
Cliffs:
-tacacs-server key is a simple key and is the same for every switch and within ACS
-AAA config is the same on every switch, so I do not believe it to be a AAA config issue
-Running config on switch that is not working is pretty much the same as the other two working switches
Any advice is greatly appreciated.
Thanks,
Y

Hi, and thank you for your reply back; however, when I got into the Authentication logs, I see nothing, like it's not even logging the failed attempts.

Radius server for 802.1x port authentication

Does anybody know if CiscoSecure for Unix version 2.3.6.2 can be used as a Radius server for 802.1x port authentication? I know the Windows version will do this and can be configured to assign a user to a specific VLAN, but can the UNIX software do the same?
Thanks

Check connectivity between the PIX and the server.
If the server is outside the PIX, verify that it is specified in the (if_name) parameter of the aaa-server command. In the example below, the (if_name) parameter represents outside.
aaa-server group_tag (if_name) host server_ip key timeout 5
If you are using TACACS+, verify that the PIX and server are communicating on the same port (Transmission Control Protocol (TCP)/49).
If you are using RADIUS, verify that the PIX and server are communicating on User Datagram Protocol (UDP) port 1645. Or, if the RADIUS server is using port 1812, verify that the PIX is using software version 6.0 or later, and then issue the aaa-server radius-authport 1812 command to specify port 1812.
Ensure that the secret key is correct.
Check the server logs for failed attempts. All servers have some kind of logging function.

WPA2-Enterprise + EAP (PEAP) and 802.1x to authenticate to RADIUS server NPS

I need to connect my iPhone and my iPad to the corporate wireless network using WPA2-Enterprise and 802.1x to authenticate against a RADIUS server with my corporate user. What is the procedure to configure the clients? Certificates is not necessary on the client. Radius server is a NPS of Microsoft and the WLC is a 5508 of Cisco.
thanks !!!

WPA and WPA2 are all actually interim protocols that are used until the standardization of IEEE 802.11i standard. Wi-fi appliance decided that ratification and standardization of 802.11i standards will take more time. So, they came up with WPA.
Now, WPA2 is advanced version of WPA. WPA2 uses AES as encryption algorithm. Whereas, WPA use TKIP as encryption mode which in turn uses RC4 encryption algorithm.
WPA and WPA2 are actually are of 2 types respectively.
WPA/WPA2-PSK - This is mainly for small offices. This uses Pre-Shared Key for authentication.
WPA/WPA2 -Enterprise - This uses a RADIUS Server for authentication. This is an extension to 802.1x authentication. But this uses stronger encryption scheme(WPA uses RC4 and WPA2 uses AES).
Any authentication mechanism that involves a separation authentication server for authentication like ACS server is called 802.1x authentication.
EAP stands for Extensible Authentication Protocol. It refers to the type or method of 802.1x Authentication by the RADIUS/Tacacs server. A RADIUS server can authenticate a wireless client with various EAP methods.
LEAP is one type of EAP. It uses username and password for authenticating wireless clients. LEAP is cisco proprietory.
There are also EAP types which uses other user credentials like Certificates, SIM etc for authentcation.
The following document might clarify your doubts.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_q_and_a_item09186a00805e8297.shtml

New command for radius-server source-ports

I am trying to find the new command fro radius-server source-ports 1645-1646 since it appears to be depricated. We use tacacs so we do not have the radius server specified but we do need to put in the ports. Can someone please tell me the new command for radius-server source-ports?
Thanks

Both of the links that Peter posted are interesting and helpful. I would like to take a slightly different approach in answering your question.
In every version of IOS there are certain commands that get inserted into running-config when a particular feature is activated. It looks like in your version the radius-server source-ports is one of those commands. I do not think it is anything that you should be concerned about.
And I do not believe that having the radius-server source-ports command would prevent TACACS from working. I believe that there is likely to be some fault in your configuration. If you would post the aaa parts of the config then maybe we could see what the problem is.
In my experience configuring aaa some of the common problems include not correctly identifying the TACACS server, not having exactly the same key configured on the Cisco device and the TACACS server, not having connectivity to the TACACS server (can the Cisco device ping the server, and can the server ping the device), or errors in the authentication or authorization prameters specified.
Post some information and we will see what we can do.
HTH
Rick

RADIUS Server High Availability?

Hi,
I have two RADIUS servers in my network (one to be the failover serv) and one of them has been having problems, the server is not getting down but the radius service is getting crashed. Don't know why the failover server doesn't respond the authentication for the users if the books said that this is something automatic.
Is there one command to allow the switch to recognize if the service is down in one of the radius servers and automatically use the other one to authenticate the users?.
tks

Hi,
In switches you need to configure two radius server with secret key along with,so as per the sequence in the IOS the request will directed to radius servers.
Below will the command to configure tacas/radius server in switches
tacacs-server host 10.1.x.x
tacacs-server host 10.2.x.x
Hope that help out your query !!
Regards
Ganesh.H

1602i standalone AP cannot ping RADIUS server

I have a new 1602i standalone AP trying to use RADIUS authentication. For some reason the 1602 cannot ping the RADIUS server, but will get a response from other devices. Both are on the same subnet, the new one at .213 and the RADIUS at .209.
AP6#ping xxx.xx.120.209
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to xxx.xx..120.209, timeout is 2 seconds:
Success rate is 0 percent (0/5)
AP6#ping xxx.xx.120.217
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to xxx.xx..120.217, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
The RADUIS server is able to ping the new AP successfully.
AP1#ping xxx.xx.120.213
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to xxx.xx.120.213, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/3 ms
Any thoughts to why that AP is unable to ping that one particular client? Other APs are successfully contacting it for RADIUS authentication.

version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname AP6
logging rate-limit console 9
enable secret 5 xxxxxxxxxxxx
aaa new-model
aaa group server radius rad_eap
server xxx.xx.120.209 auth-port 1812 acct-port 1813
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
clock timezone -0500 -5 0
clock summer-time -0400 recurring
no ip routing
no ip cef
dot11 syslog
dot11 ssid xxx.xx
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa
crypto pki token default removal timeout 0
username Cisco privilege 15 password 7 xxxxx
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers tkip
ssid MANH
antenna gain 0
stbc
beamform ofdm
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
antenna gain 0
dfs band 3 block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface BVI1
ip address dhcp client-id GigabitEthernet0
no ip route-cache
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
snmp-server view dot11view ieee802dot11 included
snmp-server community RW
snmp-server chassis-id AP6
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps entity
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server enable traps wlan-wep
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps syslog
snmp-server enable traps cpu threshold
snmp-server enable traps aaa_server
snmp-server host .0.39 public
radius-server local
user user1 nthash 7
radius-server attribute 32 include-in-access-req format %h
radius-server host xxx.xx.120.209 auth-port 1812 acct-port 1813 key 7
radius-server vsa send accounting
bridge 1 route ip
line con 0
line vty 0 4
transport input all
sntp server xxx.xx.0.11
sntp broadcast client
end

EAP-FAST on Local Radius Server : Can't Get It Working

Hi all
I'm using an 877w router (flash:c870-advsecurityk9-mz.124-24.T4.bin) as local radius server and have followed various config guides on CCO. LEAP works fine but I just can't get EAP-FAST to work.
I'm testing with win7 client using anyconnect secure mobility client, and also a mac book pro but without luck.
the router sees unknown auth type, and when I run some debugs it talks of unknown eap type 3
sh radius local-server s
Successes              : 1           Unknown usernames      : 0
Client blocks          : 0           Invalid passwords      : 0
Unknown NAS            : 0           Invalid packet from NAS: 17
NAS : 172.27.44.1
Successes              : 1           Unknown usernames      : 0
Client blocks          : 0           Invalid passwords      : 0
Corrupted packet       : 0           Unknown RADIUS message : 0
No username attribute : 0           Missing auth attribute : 0
Shared key mismatch    : 0           Invalid state attribute: 0
Unknown EAP message    : 0           Unknown EAP auth type : 17
Auto provision success : 0           Auto provision failure : 0
PAC refresh            : 0           Invalid PAC received   : 0
Can anyone suggest what I might be doing wrong?
Regs, Tim

Thanks Nicolas, relevant snippets from config:
aaa new-model
aaa group server radius rad_eap
server 172.27.44.1 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
aaa authorization exec default local
aaa session-id common
dot11 ssid home
vlan 3
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
ip dhcp pool home
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 194.74.65.68 194.74.65.69
ip inspect name ethernetin tcp
ip inspect name ethernetin udp
ip inspect name ethernetin pop3
ip inspect name ethernetin ssh
ip inspect name ethernetin dns
ip inspect name ethernetin ftp
ip inspect name ethernetin tftp
ip inspect name ethernetin smtp
ip inspect name ethernetin icmp
ip inspect name ethernetin telnet
interface Dot11Radio0
no ip address
encryption vlan 1 mode ciphers aes-ccm tkip
encryption vlan 2 mode ciphers aes-ccm tkip
encryption vlan 3 mode ciphers aes-ccm tkip
broadcast-key vlan 1 change 30
broadcast-key vlan 2 change 30
broadcast-key vlan 3 change 30
ssid home
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
interface Dot11Radio0.3
encapsulation dot1Q 3
no cdp enable
bridge-group 3
bridge-group 3 subscriber-loop-control
bridge-group 3 spanning-disabled
bridge-group 3 block-unknown-source
no bridge-group 3 source-learning
no bridge-group 3 unicast-flooding
interface Vlan3
no ip address
bridge-group 3
interface BVI3
ip address 192.168.1.1 255.255.255.0
ip inspect ethernetin in
ip nat inside
ip virtual-reassembly
radius-server local
no authentication mac
nas 172.27.44.1 key 0 123456
user test1 nthash 0 B151E8FF684B4F376C018E632A247D84
user test2 nthash 0 F2EEAE1D895645B819C9FD217D0CA1F9
user test3 nthash 0 0CB6948805F797BF2A82807973B89537
radius-server host 172.27.44.1 auth-port 1812 acct-port 1813 key 123456
radius-server vsa send accounting

Programming tacacs &radius server-keys ?

Similar Messages

Maybe you are looking for