RADIUS-4-RADIUS_DEAD problem

I'm having a weird issue with two devices when I'm trying to use Radius for login authentication.
I get the following log messages.
%RADIUS-4-RADIUS_DEAD: RADIUS server 10.1.1.20:1645,1646 is not responding.
Jun 17 09:01:34.256: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.1.1.20:1645,1646 has returned.
Jun 17 09:01:53.810: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.1.1.23:1645,1646 is not responding.
There will occasionally be these entries in the log. I can also "force" these messages to be generated by trying to log in with Radius.
I know the Radius server is available. It runs on our primary domain controller via IAS and is used for all of our RAS and Wireless authentication. In this particular case, the IAS server is 1 switch hop away. I've checked the uplink ports on the switch and they're clean of errors, same duplex / speed on both sides. The IAS logs show a successful authentication, but the switch says it timed out.
I've done some forum-digging and people have referred to this same problem and said that an IOS upgrade has fixed the problem. Is this an IOS bug, or what's the deal?
I have two devices in particular this is occurring on:
2960: c2960-lanlitek9-mz.122-37.EY.bin
Located in my datacenter, 1 switch hop from server
2801: c2801-spservicesk9-mz.124-9.T7.bin
Located across the WAN. WAN links are clean and free of errors. Same scenario.
Any thoughts as to why this is happening? Will an IOS upgrade really fix my problems?
Thanks.

Error Message: %RADIUS-4-RADIUS_ALIVE: RADIUS server [IP_address]:[int],[int] has returned.
Explanation: A RADIUS server that previously was not responding has responded to a new request.
Recommended Action: No action is required.
Error Message: %RADIUS-4-RADIUS_DEAD: RADIUS server [IP_address]:[int],[int] is not responding.
Explanation: A RADIUS server has not responded to repeated requests.
Recommended Action: Check to see if the RADIUS server is still active.

Similar Messages

  • Radius configuration(dot1x) problem with ios version 15

    Hello all,
    I upgraded one 3750x from version 12.2 55 to 15.0(2)SE7 and I see that some configuration must be changed:
     Warning: The CLI will be deprecated soon
     'radius-server host xxxxxxxx auth-port 1645 acct-port 1646 test username name key 7 sharedsecret
     Please move to 'radius server <name>' CLI.
    I tried to adapt the configuration but the 802.1x fails:
    radius server RADIUS-SRV
     address ipv4 xxxxxxxxxx auth-port 1645 acct-port 1646
     timeout 15
     retransmit 3
     automate-tester username name (username created in global configuration mode)
     key 7 sharedsecret
    aaa group server radius RADIUS-SRV
     server-private xxxxxxxxxx key 7 sharedsecret
     ip radius source-interface VlanX
    aaa authentication dot1x default group RADIUS-SRV
    aaa authorization network default group RADIUS-SRV 
    Here's the configuration for the interface with an IP phone connected :
     authentication event fail action authorize vlan 1
     authentication event server dead action authorize vlan 1
     authentication event no-response action authorize vlan 1
     authentication event server alive action reinitialize 
     authentication host-mode multi-domain
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation protect
     no snmp trap link-status
     dot1x pae authenticator
     dot1x timeout tx-period 5
    In the logs, I have the server-dead result (not the message that the switch can't reach the radius server):
    Apr 28 12:33:45.075: %AUTHMGR-5-START: Starting 'dot1x' for client (MAC) on Interface Gi1/0/1 AuditSessionID 0A175140000004640014346D
    Apr 28 12:34:05.191: %DOT1X-5-FAIL: Authentication failed for client (MAC) on Interface Gi1/0/1 AuditSessionID 0A175140000004640014346D
    Apr 28 12:34:05.191: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'dot1x' for client (MAC) on Interface Gi1/0/1 AuditSessionID 0A175140000004640014346D
    When I put the old-fashioned config back, the IP phone is authenticated without problems; see the capture from the ACS server (attached file 802.1x-OK).
    With the new configuration, see attached file 802.1x-NOK; I don't have the same field in the ACS (username field) and I have the message 11036 The Message-Authenticator RADIUS attribute is invalid
    Why doesn't the authentication "come" to the ACS like before with this new configuration? What am I missing?
    Thank you

    Hello all,
    I modified the configuration and now it's working:
    aaa group server radius RADIUS-SRV
     server-private xxxxxxxxxxxx timeout 15 retransmit 3 test username xxxxxxxxx key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
     ip radius source-interface xxxxx
    radius server RADIUS-SRV
     address ipv4 xxxxxx auth-port 1645 acct-port 1646
     key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxx
    aaa authentication dot1x default group RADIUS-SRV
    aaa authorization network default group RADIUS-SRV
    Regards
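    The ACS error in this thread, 11036 "The Message-Authenticator RADIUS attribute is invalid", is the server-side failure of the check shown below. The Message-Authenticator value is an HMAC-MD5 keyed with the shared secret (RFC 2869 section 5.14), so a secret that differs between the `radius server` and `server-private` definitions, or between NAS and server, produces exactly this error even though the packet is otherwise well formed. The code is an added example written for this page; it is not the poster's, Cisco's or ACS's code, and the secrets, Request Authenticator, attribute values and the `demo()` helper are constructed for illustration.

```python
import hashlib
import hmac
import struct

# RADIUS code and attribute types used here (RFC 2865 and RFC 2869)
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80


def attr(atype, value):
    """Encode one attribute: type, length (header included), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def iter_attrs(packet):
    """Yield (type, offset, value) for each attribute after the 20-byte header."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield atype, pos, packet[pos + 2 : pos + alen]
        pos += alen


def build_access_request(secret, ident, request_authenticator, attrs):
    """Assemble an Access-Request with a valid Message-Authenticator (RFC 2869 5.14).

    The value is HMAC-MD5, keyed with the shared secret, over the whole packet
    with the Message-Authenticator value set to 16 zero octets.
    """
    body = attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_authenticator
    zeroed = header + body
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return zeroed[:-16] + mac  # the zero placeholder is the final 16 octets


def verify_message_authenticator(packet, secret):
    """Server-side check: recompute the HMAC with the attribute zeroed and compare."""
    for atype, pos, value in iter_attrs(packet):
        if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[: pos + 2] + bytes(16) + packet[pos + 18 :]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(value, expected)
    return False  # attribute absent: treated as invalid for EAP traffic


def demo():
    """Constructed scenario: NAS and server agree on the secret, then disagree."""
    nas_secret = b"constructed-shared-secret"
    other_secret = b"mistyped-shared-secret"
    request_authenticator = bytes(range(16))  # fixed for reproducibility; a real NAS uses random octets
    attrs = attr(ATTR_USER_NAME, b"phone01") + attr(ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))
    packet = build_access_request(nas_secret, 7, request_authenticator, attrs)
    tampered = packet[:22] + b"X" + packet[23:]  # alter the first octet of User-Name
    return {
        "same_secret": verify_message_authenticator(packet, nas_secret),
        "different_secret": verify_message_authenticator(packet, other_secret),
        "tampered": verify_message_authenticator(tampered, nas_secret),
        "length": len(packet),
    }


if __name__ == "__main__":
    print(demo())
```

    Only `same_secret` comes back true; the mismatched secret and the altered User-Name both fail the comparison, which is why the server cannot tell a wrong key from a modified packet and reports a single "invalid" code for both.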

  • SG300: MAC authentication with Radius VLAN assignment problems

    Hi,
    I just can't get the dynamic VLANs working. I've tried everything: switch in L3 mode, switch in L2, several port configs, several tunnel configs in the Radius server (freeradius 2.1.1).
    Here's the final switch config:
    config-file-header
    switchf460dc
    v1.3.7.18 / R750_NIK_1_35_647_358
    CLI v1.0
    set system mode switch
    file SSD indicator encrypted
    ssd-control-start
    ssd config
    ssd file passphrase control unrestricted
    no ssd file integrity control
    ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
    no spanning-tree
    vlan database
    vlan 12,100,110,666
    exit
    voice vlan oui-table add 0001e3 Siemens_AG_phone________
    voice vlan oui-table add 00036b Cisco_phone_____________
    voice vlan oui-table add 00096e Avaya___________________
    voice vlan oui-table add 000fe2 H3C_Aolynk______________
    voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
    voice vlan oui-table add 00d01e Pingtel_phone___________
    voice vlan oui-table add 00e075 Polycom/Veritel_phone___
    voice vlan oui-table add 00e0bb 3Com_phone______________
    dot1x system-auth-control
    no bonjour enable
    hostname switchf460dc
    line ssh
    exec-timeout 0
    exit
    encrypted radius-server host 192.168.99.93 key xXx priority 1 usage dot1.x
    logging host 1.2.3.4 severity debugging
    passwords aging 0
    ip ssh server
    snmp-server server
    snmp-server community public ro 192.168.99.93 view Default
    clock timezone " " +1
    clock summer-time web recurring eu
    clock source sntp
    sntp unicast client enable
    sntp server 172.16.1.1
    interface vlan 12
     ip address 192.168.99.170 255.255.255.0
     no ip address dhcp
    interface gigabitethernet5
     dot1x host-mode multi-sessions
     dot1x reauthentication
     dot1x authentication mac
     dot1x radius-attributes vlan static
     dot1x port-control auto
     switchport mode general
     switchport general allowed vlan add 100,110,666 untagged
     no macro auto smartport
    interface gigabitethernet6
     switchport mode access
     switchport access vlan 110
    interface gigabitethernet9
     switchport mode access
     switchport access vlan 12
    interface gigabitethernet10
     switchport trunk allowed vlan add 12,100,110
    exit
    ip default-gateway 192.168.99.1
    On the switch side I would expect VLAN 666 to be set but it's not there:
    switchf460dc#show dot1x users
                              MAC               Auth   Auth   Session        VLAN
    Port     Username         Address           Method Server Time
    gi5      0090dca15880     00:90:dc:a1:58:80 MAC    Remote 01:09:25
    This is the radius users file. It's a simple file for test.
    DEFAULT Auth-Type := Accept
            Tunnel-Type = VLAN,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = 666
    I am attaching a screenshot of the Radius reply sent by the server.
    I also tried setting "copy_request_to_tunnel = yes" and "use_tunneled_reply = yes" as found in another post, no success.
    It may be that the tag is missing in the Radius reply? If yes, how do I add it?
    Any ideas?
    Thanks.
    Update Dec 11: I tried with FW 1.4.0, and using the same config the switch doesn't perform any Radius requests at all anymore.

    I was wrong when I said that 1.4.0 wouldn't work at all. I simply had a device connected which didn't produce much traffic. My bad.
    So 1.4.0 works as far as the auth is concerned, but no improvement as far as dynamic VLAN is concerned. So there is no improvement over 1.3.7, or there is a config issue.
    I have opened SR 633001533 although the last appointment for WebEx went by without anyone getting back to me. I'll try again on Monday.
    Feel free to get back to me if you need anything to make experiments. I'll keep this thread updated too.
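    The poster asks whether the tag is missing from the reply. The following is an added example for this page, not code from the thread, the SG300 firmware or FreeRADIUS: it encodes the three VLAN-assignment attributes as RFC 2868 defines them (one tag octet in front of each value) and decodes a reply the way a NAS must, grouping Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id by tag before any of them can be applied. The VLAN numbers and the mismatched-tag case are constructed for illustration.

```python
import struct

# Tunnel attributes and the values that carry a VLAN assignment (RFC 2868, RFC 3580)
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def attr(atype, value):
    """Encode one attribute: type, length (header included), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def tagged_integer(atype, tag, number):
    """Tagged integer: one tag octet followed by a 3-octet value."""
    return attr(atype, bytes([tag]) + number.to_bytes(3, "big"))


def tagged_string(atype, tag, text):
    """Tagged string: one tag octet followed by the string."""
    return attr(atype, bytes([tag]) + text.encode())


def vlan_reply(vlan_id, tag=0):
    """The three attributes a server sends to assign a VLAN; tag 0 means 'untagged'."""
    return (tagged_integer(ATTR_TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_integer(ATTR_TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + tagged_string(ATTR_TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def iter_attrs(blob):
    """Yield (type, value) for each attribute in an attribute list."""
    pos = 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield atype, blob[pos + 2 : pos + alen]
        pos += alen


def decode_tunnel_attrs(blob):
    """Group tunnel attributes by tag, the way a NAS has to before applying them.

    Returns {tag: {"type": int, "medium": int, "group": str}} with whichever
    fields were present for that tag.
    """
    groups = {}
    for atype, value in iter_attrs(blob):
        if atype in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tunnel integer attribute must be 4 octets")
            field = "type" if atype == ATTR_TUNNEL_TYPE else "medium"
            groups.setdefault(value[0], {})[field] = int.from_bytes(value[1:], "big")
        elif atype == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            if not value:
                raise ValueError("empty Tunnel-Private-Group-Id")
            if value[0] > 0x1F:
                # RFC 2868: a first octet above 0x1F is not a tag but the start of the
                # string, so the attribute is untagged and the whole value is the group id
                tag, text = 0, value.decode()
            else:
                tag, text = value[0], value[1:].decode()
            groups.setdefault(tag, {})["group"] = text
    return groups


def vlan_assignment(blob):
    """Return (tag, vlan) for the first tag whose Type, Medium and Group-Id all agree, else None."""
    for tag, group in sorted(decode_tunnel_attrs(blob).items()):
        if (group.get("type") == TUNNEL_TYPE_VLAN
                and group.get("medium") == TUNNEL_MEDIUM_IEEE_802
                and "group" in group):
            return tag, group["group"]
    return None
```

    A reply built with tag 0, a reply built with tag 1, and a reply whose Tunnel-Private-Group-Id carries no tag octet at all are all accepted as VLAN 666, since each keeps the three attributes in one group; a reply whose Group-Id sits under a different tag from its Type and Medium decodes to no assignment, which is the kind of capture worth checking for when a switch ignores the VLAN.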

  • Config RADIUS on WLC 5508 - Problems communicating with NPS Server

    Hi,
    I'm facing some problems when configuring RADIUS auth with an NPS Windows Server.
    My WLAN interface is in a different VLAN than the management interface; is that a problem?
    I want this WLAN to be on a different VLAN from the management. When I use the WLAN interface in the same VLAN the RADIUS works without problems, but in different VLANs it is not working.
    The NPS server has 2 NICs, 1 for the wireless VLAN and another for the management VLAN.
    The logs from the WLC show this, but I have difficulties interpreting all this data:
    *apfMsConnTask_0: Dec 29 12:49:14.636: Association request from the P2P Client Process P2P Ie and Upadte CB
    *apfMsConnTask_5: Dec 29 12:49:36.607: 3c:c2:43:94:3e:bc Adding mobile on LWAPP AP d4:d7:48:45:fb:20(0)
    *apfMsConnTask_5: Dec 29 12:49:36.607: 3c:c2:43:94:3e:bc Association received from mobile on AP d4:d7:48:45:fb:20
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1709)
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1876)
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Applying site-specific Local Bridging override for station 3c:c2:43:94:3e:bc - vapId 9, site 'XXX', interface 'wlan'
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Applying Local Bridging Interface Policy for station 3c:c2:43:94:3e:bc - vlan 900, interface id 16, interface 'wlan'
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Applying site-specific override for station 3c:c2:43:94:3e:bc - vapId 9, site 'XXX', interface 'wlan'
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1709)
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1876)
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc processSsidIE  statusCode is 0 and status is 0
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc processSsidIE  ssid_done_flag is 0 finish_flag is 0
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc STA - rates (8): 130 132 139 12 18 150 24 36 0 0 0 0 0 0 0 0
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc suppRates  statusCode is 0 and gotSuppRatesElement is 1
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc STA - rates (12): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc extSuppRates  statusCode is 0 and gotExtSuppRatesElement is 1
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Processing RSN IE type 48, length 20 for mobile 3c:c2:43:94:3e:bc
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Received RSN IE with 0 PMKIDs from mobile 3c:c2:43:94:3e:bc
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Setting active key cache index 8 ---> 8
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc unsetting PmkIdValidatedByAp
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Initializing policy
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) DHCP required on AP d4:d7:48:45:fb:20 vapId 9 apVapId 8for this client
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Not Using WMM Compliance code qosCap 00
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP d4:d7:48:45:fb:20 vapId 9 apVapId 8 flex-acl-name:
    *apfMsConnTask_5: Dec 29 12:49:36.609: 3c:c2:43:94:3e:bc apfMsAssoStateInc
    *apfMsConnTask_5: Dec 29 12:49:36.609: 3c:c2:43:94:3e:bc apfPemAddUser2 (apf_policy.c:270) Changing state for mobile 3c:c2:43:94:3e:bc on AP d4:d7:48:45:fb:20 from Idle to Associated
    *apfMsConnTask_5: Dec 29 12:49:36.609: 3c:c2:43:94:3e:bc Stopping deletion of Mobile Station: (callerId: 48)
    *apfMsConnTask_5: Dec 29 12:49:36.609: 3c:c2:43:94:3e:bc Sending Assoc Response to station on BSSID d4:d7:48:45:fb:20 (status 0) ApVapId 8 Slot 0
    *apfMsConnTask_5: Dec 29 12:49:36.609: 3c:c2:43:94:3e:bc apfProcessAssocReq (apf_80211.c:6309) Changing state for mobile 3c:c2:43:94:3e:bc on AP d4:d7:48:45:fb:20 from Associated to Associated
    *dot1xMsgTask: Dec 29 12:49:36.611: 3c:c2:43:94:3e:bc Station 3c:c2:43:94:3e:bc setting dot1x reauth timeout = 0
    *dot1xMsgTask: Dec 29 12:49:36.611: 3c:c2:43:94:3e:bc Stopping reauth timeout for 3c:c2:43:94:3e:bc
    *dot1xMsgTask: Dec 29 12:49:36.611: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Connecting state
    *dot1xMsgTask: Dec 29 12:49:36.611: 3c:c2:43:94:3e:bc Sending EAP-Request/Identity to mobile 3c:c2:43:94:3e:bc (EAP Id 1)
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:36.684: 3c:c2:43:94:3e:bc Received EAPOL START from mobile 3c:c2:43:94:3e:bc
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:36.684: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Connecting state
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:36.684: 3c:c2:43:94:3e:bc Sending EAP-Request/Identity to mobile 3c:c2:43:94:3e:bc (EAP Id 2)
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc Received EAPOL EAPPKT from mobile 3c:c2:43:94:3e:bc
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc Received Identity Response (count=2) from mobile 3c:c2:43:94:3e:bc
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc EAP State update from Connecting to Authenticating for mobile 3c:c2:43:94:3e:bc
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Authenticating state
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc Entering Backend Auth Response state for mobile 3c:c2:43:94:3e:bc
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:54.794: 3c:c2:43:94:3e:bc Received EAPOL START from mobile 3c:c2:43:94:3e:bc
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:54.794: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Aborting state
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Connecting state
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc Sending EAP-Request/Identity to mobile 3c:c2:43:94:3e:bc (EAP Id 4)
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc Reached Max EAP-Identity Request retries (3) for STA 3c:c2:43:94:3e:bc
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc Sent Deauthenticate to mobile on BSSID d4:d7:48:45:fb:20 slot 0(caller 1x_auth_pae.c:3165)
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc Scheduling deletion of Mobile Station:  (callerId: 6) in 10 seconds
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Disconnected state
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc Not sending EAP-Failure for STA 3c:c2:43:94:3e:bc
    *apfMsConnTask_5: Dec 29 12:49:55.518: 3c:c2:43:94:3e:bc Association received from mobile on AP d4:d7:48:45:fb:20
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1709)
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1876)
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Applying site-specific Local Bridging override for station 3c:c2:43:94:3e:bc - vapId 9, site 'XXX', interface 'wlan'
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Applying Local Bridging Interface Policy for station 3c:c2:43:94:3e:bc - vlan 900, interface id 16, interface 'wlan'
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Applying site-specific override for station 3c:c2:43:94:3e:bc - vapId 9, site 'XXX', interface 'wlan'
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1709)
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1876)
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc processSsidIE  statusCode is 0 and status is 0
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc processSsidIE  ssid_done_flag is 0 finish_flag is 0
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc STA - rates (8): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc suppRates  statusCode is 0 and gotSuppRatesElement is 1
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc STA - rates (12): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc extSuppRates  statusCode is 0 and gotExtSuppRatesElement is 1
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Processing RSN IE type 48, length 20 for mobile 3c:c2:43:94:3e:bc
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Received RSN IE with 0 PMKIDs from mobile 3c:c2:43:94:3e:bc
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Setting active key cache index 8 ---> 8
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc unsetting PmkIdValidatedByAp
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Initializing policy
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Change state to AUTHCHECK (2) last state 8021X_REQD (3)
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) DHCP required on AP d4:d7:48:45:fb:20 vapId 9 apVapId 8for this client
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Not Using WMM Compliance code qosCap 00
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP d4:d7:48:45:fb:20 vapId 9 apVapId 8 flex-acl-name:
    *apfMsConnTask_5: Dec 29 12:49:55.520: 3c:c2:43:94:3e:bc apfPemAddUser2 (apf_policy.c:270) Changing state for mobile 3c:c2:43:94:3e:bc on AP d4:d7:48:45:fb:20 from Associated to Associated
    *apfMsConnTask_5: Dec 29 12:49:55.520: 3c:c2:43:94:3e:bc Stopping deletion of Mobile Station: (callerId: 48)
    *apfMsConnTask_5: Dec 29 12:49:55.520: 3c:c2:43:94:3e:bc Sending Assoc Response to station on BSSID d4:d7:48:45:fb:20 (status 0) ApVapId 8 Slot 0
    *apfMsConnTask_5: Dec 29 12:49:55.520: 3c:c2:43:94:3e:bc apfProcessAssocReq (apf_80211.c:6309) Changing state for mobile 3c:c2:43:94:3e:bc on AP d4:d7:48:45:fb:20 from Associated to Associated
    *dot1xMsgTask: Dec 29 12:49:55.521: 3c:c2:43:94:3e:bc Station 3c:c2:43:94:3e:bc setting dot1x reauth timeout = 0
    *dot1xMsgTask: Dec 29 12:49:55.521: 3c:c2:43:94:3e:bc Stopping reauth timeout for 3c:c2:43:94:3e:bc
    *dot1xMsgTask: Dec 29 12:49:55.521: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Connecting state
    *dot1xMsgTask: Dec 29 12:49:55.521: 3c:c2:43:94:3e:bc Sending EAP-Request/Identity to mobile 3c:c2:43:94:3e:bc (EAP Id 1)
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:55.592: 3c:c2:43:94:3e:bc Received EAPOL START from mobile 3c:c2:43:94:3e:bc
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:55.592: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Connecting state
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:55.592: 3c:c2:43:94:3e:bc Sending EAP-Request/Identity to mobile 3c:c2:43:94:3e:bc (EAP Id 2)

    Yes, I thought of that. But if I use simple password authentication on the wireless, I can reach the server with the same-subnet interface. But I don't want to allow this subnet to access the management subnet of the wireless controller.
    One question I have is: which subnet does the WLC use for RADIUS? Does it use the subnet of the wireless interface, or always the management interface?
    Could you help me understand how the RADIUS auth works with this wireless controller? Did you see anything strange in the logs that I posted above? It seems to run OK until:
    dot1x - moving mobile 3c:c2:43:94:3e:bc into Authenticating state
    Entering Backend Auth Response state for mobile 3c:c2:43:94:3e:bc
    Received EAPOL START from mobile 3c:c2:43:94:3e:bc
    dot1x - moving mobile 3c:c2:43:94:3e:bc into Aborting state
    I also note this: "Applying Local Bridging Interface Policy for station "
    What does this mean?

  • Radius problems/ichain

    we have Nw6.5 SP2 with radius files from ichain 2.3 CD(overwrite all)
    with the nmas patch
    nmas V2.6.8
    radius v4.15
    Problems:
    1. We're getting "radius client unknown" (radius nlm does load but won't unload, just hangs).
    2. I can only get nwadmin to save the client details in the DAS object. C1 just won't save it; I've tried V136c, 136, 135 and the server version, which errors with "waiting for reading vendor list from attribute file"; however the radius.atr file does exist.
    3. Not sure if this is relevant here, but vasco token won't assign to a user; errors with "unable to write configuration data".
    thanks for help

    Well, for no reason at all it started working with C1 locally 2 days later!
    Weird.
    Also, if I assign a DAS object to a container and all users underneath are told to inherit the DAS from the container settings, then I won't have to configure each user object? This doesn't seem to inherit for some reason.
    Is the Radius.nlm from the ichain 2.3 auth CD good enough for a NW6.5 SP2 server, or is there an update?
    Thanks
    "Scott Kiester" <[email protected]> wrote in message
    news:bYq%[email protected]...
    > Your first and third items could be due to an inconsistent or missing tree
    > key. You can use SDIDIAG to troubleshoot and correct tree key issues.
    > SDIDIAG is available as a free download from the support site.
    >
    > Your second issue is due to a bug in the RADIUS ConsoleOne snapin. The
    > problem should go away if you run ConsoleOne from your local workstation,
    > instead of running it from a drive mapped to the server. The snapin uses a
    > very inefficient method of parsing the radius.atr file, which requires it to
    > do several seeks for each record that is processed. When ConsoleOne has to
    > go over the network to access the file, it can take a very long time to
    > parse (10-15 minutes in my experience).
    >
    > Also, don't administer NMAS RADIUS with NWAdmin. NWAdmin is for BMAS 3.7 and
    > older BMAS servers only. (BMAS 3.8 is NMAS RADIUS, and therefore uses
    > ConsoleOne.)
    >
    > >>> <[email protected]> 09/07/04 7:12 AM >>>
    > we have Nw6.5 SP2 with radius files from ichain 2.3 CD(overwrite all)
    > with the nmas patch
    > nmas V2.6.8
    > radius v4.15
    >
    > problems:
    > 1.were getting radius client unknown (radius nlm does load but wont
    > unload, just hangs)
    > 2. i can only get nwadmin to save the client details in the DAS object
    > C1 just wont save it- ive tried V136c,136,135 and the server version
    > which errors with
    > "waiting for reading vendor list from attribute file" however the
    > radius.atr file does exist
    > 3. not sure if this is relevant here but vasco token wont assign to a user
    > errors with "unable to write configuration data"
    >
    > thanks for help
    >
    >

  • Single local Radius in a Wireless environment

    Hi
    I have 3 AccessPoints 1242AG running on the same subnet. To keep it simple I configured only one AccessPoint acting as a Radius server, and on the other 2 AccessPoints I point to the correct AccessPoint (the one with the Radius configured). But when I try to connect with the client to one of the 2 AccessPoints I receive these messages:
    *Mar 1 03:18:43.310: %DOT11-7-AUTH_FAILED: Station 0040.96a2.d736 Authentication failed
    *Mar 1 03:20:38.271: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.50.1.207:1812,1813 is not responding.
    *Mar 1 03:20:38.271: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.50.1.207:1812,1813 has returned.
    *Mar 1 03:20:48.735: %DOT11-7-AUTH_FAILED: Station 0013.cec6.fa80 Authentication failed
    I already checked the shared secret of the Radius. Is it a timeout or what's the problem?
    Regards
    Peter

    What version of IOS are you running on the three APs?
    Also keep in mind that the AP processor's priority is moving traffic; if the AP is busy handling a traffic load, it may not have time to handle RADIUS requests (like "not responding" followed by "Returned").
    Try shutting down the radio on the RADIUS-serving AP and see if you get these messages. If the AP is also acting as a WDS Master, try moving the RADIUS to another AP ... distribute the processing load as much as possible.
    What flavor of authentication are you using the RADIUS for (PEAP, LEAP, MAC ...)?
    Let us know
    Scott

  • Radius dead-time

    Hi,
    At one of our sites we regularly have problems that the access points can't connect to the radius server in the central site. My colleague configured the aaa dead-time but this made no difference.
    This is the error message :
    10:02:14 bstonw53 RADIUS-4-RADIUS_DEAD: RADIUS server 10.161.5.22:1812,1813 is not responding.
    10:02:14 bstonw53 RADIUS-4-RADIUS_ALIVE: RADIUS server 10.161.5.22:1812,1813 has returned.
    Within a second it claims that the radius server is dead and alive again.
    We are pretty sure that the line is under heavy load but tried to resolve it with the aaa dead-time configuration.
    aaa group server radius rad_eap
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    ip radius source-interface BVI1
    radius-server attribute 32 include-in-access-req format %h
    radius-server dead-criteria tries 5
    radius-server host 10.161.5.22 auth-port 1812 acct-port 1813 key xxx
    radius-server host 10.161.5.21 auth-port 1812 acct-port 1813 key xxx
    radius-server retransmit 20
    radius-server timeout 20
    radius-server vsa send accounting
    Can somebody help me with the radius configuration ?
    gr
    wim

    Have you looked over this doc:
    http://cisco.com/en/US/partner/products/hw/wireless/ps4570/products_configuration_example09186a00801bd035.shtml
    I have seen this before... take a look at the radius server log. That shows a lot more. Also do a debug on the AP and post what that shows.
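    Both the opening question and this thread show the same pattern: `%RADIUS-4-RADIUS_DEAD` followed by `%RADIUS-4-RADIUS_ALIVE` for the same server, sometimes within the same second. Before changing timers it helps to know, per server, how many of these transitions are sub-second flaps and how many are sustained outages. The script below is an added example for this page, not from any of the posts or from Cisco; it parses the three timestamp styles that appear in the threads above and pairs each DEAD with the next ALIVE for the same server. The sample log lines are constructed (the addresses are copied from the posts, the times are invented) and the two-second flap threshold is the example's own choice.

```python
import re

# The message body is the same across IOS platforms; only the timestamp prefix differs.
MSG_RE = re.compile(r"RADIUS-4-RADIUS_(DEAD|ALIVE): RADIUS server (\S+?):(\d+),(\d+)")
TIME_RE = re.compile(r"(\d{2}):(\d{2}):(\d{2})(?:\.(\d{1,3}))?")

# Constructed sample: three timestamp styles from the threads above, invented times.
SAMPLE_LOG = """\
Jun 17 09:01:10.100: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.1.1.20:1645,1646 is not responding.
Jun 17 09:01:34.256: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.1.1.20:1645,1646 has returned.
Jun 17 09:01:53.810: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.1.1.23:1645,1646 is not responding.
Jun 17 09:05:00.000: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.1.1.23:1645,1646 has returned.
*Mar 1 03:20:38.271: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.50.1.207:1812,1813 is not responding.
*Mar 1 03:20:38.271: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.50.1.207:1812,1813 has returned.
10:02:14 bstonw53 RADIUS-4-RADIUS_DEAD: RADIUS server 10.161.5.22:1812,1813 is not responding.
10:02:14 bstonw53 RADIUS-4-RADIUS_ALIVE: RADIUS server 10.161.5.22:1812,1813 has returned.
10:02:30 bstonw53 RADIUS-4-RADIUS_DEAD: RADIUS server 10.161.5.22:1812,1813 is not responding.
"""


def parse_line(line):
    """Return (seconds_of_day, server, state) or None for lines that are not dead/alive events."""
    m = MSG_RE.search(line)
    if not m:
        return None
    t = TIME_RE.search(line[: m.start()])
    if not t:
        return None
    hh, mm, ss, frac = t.groups()
    seconds = int(hh) * 3600 + int(mm) * 60 + int(ss)
    if frac:
        seconds += int(frac.ljust(3, "0")) / 1000
    return seconds, m.group(2), m.group(1)


def summarize(text, flap_threshold=2.0):
    """Pair each DEAD with the next ALIVE for the same server and classify the gap.

    Gaps shorter than flap_threshold seconds count as flaps (the dead-and-alive-
    within-a-second pattern); longer ones count as sustained outages.
    """
    open_dead = {}
    results = {}
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, server, state = parsed
        rec = results.setdefault(server, {"server": server, "outages": [], "flaps": 0,
                                          "sustained": 0, "unmatched_alive": 0, "still_dead": False})
        if state == "DEAD":
            open_dead.setdefault(server, ts)  # keep the first DEAD if it repeats
        elif server in open_dead:
            gap = ts - open_dead.pop(server)
            if gap < 0:
                gap += 86400  # the pair straddled midnight
            gap = round(gap, 3)
            rec["outages"].append(gap)
            if gap < flap_threshold:
                rec["flaps"] += 1
            else:
                rec["sustained"] += 1
        else:
            rec["unmatched_alive"] += 1
    for server in open_dead:
        results[server]["still_dead"] = True
    return list(results.values())


if __name__ == "__main__":
    for rec in summarize(SAMPLE_LOG):
        print(rec)
```

    Run against a real syslog export, a server whose record is all flaps and no sustained outages is one whose individual requests time out while the server itself keeps answering, which points at the path or the timers rather than the server being down; a `still_dead` entry at the end of the file is the one to check first.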

  • Radius authentication with ISE - wrong IP address

    Hello,
    We are using ISE for radius authentication.  I have set up a new Cisco switch stack at one of our locations and set up the network device in ISE.  Unfortunately, when trying to authenticate, the ISE logs show a failure of "Could not locate Network Device or AAA Client". The reason for this failure is the log shows it's coming from the wrong IP address.  The IP address of the switch is 10.xxx.aaa.241, but the logs show it is 10.xxx.aaa.243.  I have removed and re-added the radius configs on both ISE and the switch, but it still comes in as .243.  There is another switch stack at that location (same model, IOS etc.) that works properly.
    The radius config on the switch:
    aaa new-model
    aaa authentication login default local
    aaa authentication login Comm group radius local
    aaa authentication enable default enable
    aaa authorization exec default group radius if-authenticated
    ip radius source-interface Vlanyy
    radius server 10.xxx.yyy.zzz
     address ipv4 10.xxx.yyy.zzz auth-port 1812 acct-port 1813
     key 7 abcdefg
    The log from ISE:
    Overview
    Event  5405 RADIUS Request dropped 
    Username  
    Endpoint Id  
    Endpoint Profile  
    Authorization Profile  
    Authentication Details
    Source Timestamp  2014-07-30 08:48:51.923 
    Received Timestamp  2014-07-30 08:48:51.923 
    Policy Server  ise
    Event  5405 RADIUS Request dropped 
    Failure Reason  11007 Could not locate Network Device or AAA Client 
    Resolution  Verify whether the Network Device or AAA client is configured in: Administration > Network Resources > Network Devices 
    Root cause  Could not find the network device or the AAA Client while accessing NAS by IP during authentication. 
    Username  
    User Type  
    Endpoint Id  
    Endpoint Profile  
    IP Address  
    Identity Store  
    Identity Group  
    Audit Session Id  
    Authentication Method  
    Authentication Protocol  
    Service Type  
    Network Device  
    Device Type  
    Location  
    NAS IP Address  10.xxx.aaa.243 
    NAS Port Id  tty2 
    NAS Port Type  Virtual 
    Authorization Profile  
    Posture Status  
    Security Group  
    Response Time  
    Other Attributes
    ConfigVersionId  107 
    Device Port  1645 
    DestinationPort  1812 
    Protocol  Radius 
    NAS-Port  2 
    AcsSessionID  ise1/186896437/1172639 
    Device IP Address  10.xxx.aaa.243 
    CiscoAVPair  
       Steps
      11001  Received RADIUS Access-Request 
      11017  RADIUS created a new session 
      11007  Could not locate Network Device or AAA Client 
      5405  
    As a test, I set up a device using the .243 address.  While ISE claims it authenticates, it really doesn't.  I have to use my local account to access the device.
    Any advice on how to resolve this issue would be appreciated.  Please let me know if more information is needed.

    Well from the debug I would say there may be an issue with the addressing of the radius server on the switch.
    radius-server host 10.xxx.xxx.xxx key******** <--- Make sure this address and key match what you have in the ISE PSN and that switch. Watch for spaces in your key at the beginning or end of the string.
    From which interface should your switch be sending the radius request?
    ip radius source-interface VlanXXX vrf default
    Here is what my debug looks like when it is working correctly.
    Aug  4 15:58:47 EST: RADIUS/ENCODE(00000265): ask "Password: "
    Aug  4 15:58:47 EST: RADIUS/ENCODE(00000265):Orig. component type = EXEC
    Aug  4 15:58:47 EST: RADIUS(00000265): Config NAS IP: 10.xxx.xxx.251
    Aug  4 15:58:47 EST: RADIUS/ENCODE(00000265): acct_session_id: 613
    Aug  4 15:58:47 EST: RADIUS(00000265): sending
    Aug  4 15:58:47 EST: RADIUS(00000265): Send Access-Request to 10.xxx.xxx.35:1645 id 1645/110, len 104
    Aug  4 15:58:47 EST: RADIUS:  authenticator 97 FB CF 13 2E 6F 62 5D - 5B 10 1B BD BA EB C9 E3
    Aug  4 15:58:47 EST: RADIUS:  User-Name           [1]   9   "admin"
    Aug  4 15:58:47 EST: RADIUS:  Reply-Message       [18]  12 
    Aug  4 15:58:47 EST: RADIUS:   50 61 73 73 77 6F 72 64 3A 20        [ Password: ]
    Aug  4 15:58:47 EST: RADIUS:  User-Password       [2]   18  *
    Aug  4 15:58:47 EST: RADIUS:  NAS-Port            [5]   6   3                        
    Aug  4 15:58:47 EST: RADIUS:  NAS-Port-Id         [87]  6   "tty3"
    Aug  4 15:58:47 EST: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
    Aug  4 15:58:47 EST: RADIUS:  Calling-Station-Id  [31]  15  "10.xxx.xxx.100"
    Aug  4 15:58:47 EST: RADIUS:  Service-Type        [6]   6   Login                     [1]
    Aug  4 15:58:47 EST: RADIUS:  NAS-IP-Address      [4]   6   10.xxx.xxx.251           
    Aug  4 15:58:47 EST: RADIUS(00000265): Started 5 sec timeout
    Aug  4 15:58:47 EST: RADIUS: Received from id 1645/110 10.xxx.xxx.35:1645, Access-Accept, len 127
    Aug  4 15:58:47 EST: RADIUS:  authenticator 1B 98 AB 4F B1 F4 81 41 - 3D E1 E9 DB 33 52 54 C1
    Aug  4 15:58:47 EST: RADIUS:  User-Name           [1]   9   "admin"
    Aug  4 15:58:47 EST: RADIUS:  State               [24]  40 
    Aug  4 15:58:47 EST: RADIUS:   52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 61  [ReauthSession:0a]
    Aug  4 15:58:47 EST: RADIUS:   30 63 66 65 32 33 30 30 30 31 46 37 30 37 35 33  [0cfe230001F70753]
    Aug  4 15:58:47 EST: RADIUS:   44 46 45 35 46 37            [ DFE5F7]
    Aug  4 15:58:47 EST: RADIUS:  Class               [25]  58 
    Aug  4 15:58:47 EST: RADIUS:   43 41 43 53 3A 30 61 30 63 66 65 32 33 30 30 30  [CACS:0a0cfe23000]
    Aug  4 15:58:47 EST: RADIUS:   31 46 37 30 37 35 33 44 46 45 35 46 37 3A 50 52  [1F70753DFE5F7:PR]
    Aug  4 15:58:47 EST: RADIUS:   59 49 53 45 30 30 32 2F 31 39 33 37 39 34 36 39  [YISE002/19379469]
    Aug  4 15:58:47 EST: RADIUS:   38 2F 32 30 36 33 31 36          [ 8/206316]
    Aug  4 15:58:47 EST: RADIUS(00000265): Received from id 1645/110
    ---------------------------------------------------------------------------------------------------------------
    This is after I added the incorrect RADIUS server address.
    Aug  4 16:05:19 EST: RADIUS/ENCODE(00000268): ask "Password: "
    Aug  4 16:05:19 EST: RADIUS/ENCODE(00000268):Orig. component type = EXEC
    Aug  4 16:05:19 EST: RADIUS(00000268): Config NAS IP: 10.xxx.xxx.251
    Aug  4 16:05:19 EST: RADIUS/ENCODE(00000268): acct_session_id: 616
    Aug  4 16:05:19 EST: RADIUS(00000268): sending
    Aug  4 16:05:19 EST: RADIUS(00000268): Send Access-Request to 10.xxx.xxx.55:1645 id 1645/112, len 104
    Aug  4 16:05:19 EST: RADIUS:  authenticator FC 94 BA 5D 75 1F 84 08 - E0 56 05 3A 7F BC FB BB
    Aug  4 16:05:19 EST: RADIUS:  User-Name           [1]   9   "admin"
    Aug  4 16:05:19 EST: RADIUS:  Reply-Message       [18]  12 
    Aug  4 16:05:19 EST: RADIUS:   50 61 73 73 77 6F 72 64 3A 20        [ Password: ]
    Aug  4 16:05:19 EST: RADIUS:  User-Password       [2]   18  *
    Aug  4 16:05:19 EST: RADIUS:  NAS-Port            [5]   6   7                        
    Aug  4 16:05:19 EST: RADIUS:  NAS-Port-Id         [87]  6   "tty7"
    Aug  4 16:05:19 EST: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
    Aug  4 16:05:19 EST: RADIUS:  Calling-Station-Id  [31]  15  "10.xxx.xxx.100"
    Aug  4 16:05:19 EST: RADIUS:  Service-Type        [6]   6   Login                     [1]
    Aug  4 16:05:19 EST: RADIUS:  NAS-IP-Address      [4]   6   10.xxx.xxx.251           
    Aug  4 16:05:19 EST: RADIUS(00000268): Started 5 sec timeout
    Aug  4 16:05:23 EST: RADIUS(00000268): Request timed out
    Aug  4 16:05:23 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
    Aug  4 16:05:23 EST: RADIUS(00000268): Started 5 sec timeout
    Aug  4 16:05:29 EST: RADIUS(00000268): Request timed out
    Aug  4 16:05:29 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
    Aug  4 16:05:29 EST: RADIUS(00000268): Started 5 sec timeout
    Aug  4 16:05:33 EST: RADIUS(00000268): Request timed out
    Aug  4 16:05:33 EST: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.xxx.xxx.55:1645,1646 is not responding.
    Aug  4 16:05:33 EST: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.xxx.xxx.55:1645,1646 is being marked alive.
    Aug  4 16:05:33 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
    Aug  4 16:05:33 EST: RADIUS(00000268): Started 5 sec timeout
    Aug  4 16:05:38 EST: RADIUS(00000268): Request timed out
    Aug  4 16:05:38 EST: RADIUS: Fail-over to (10.xxx.xxx.55:1645,1646) for id 1645/112
    Aug  4 16:05:38 EST: RADIUS(00000268): Started 5 sec timeout
    Aug  4 16:05:43 EST: RADIUS(00000268): Request timed out
    Aug  4 16:05:43 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
    Aug  4 16:05:43 EST: RADIUS(00000268): Started 5 sec timeout
    Aug  4 16:05:48 EST: RADIUS(00000268): Request timed out
    Aug  4 16:05:48 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
    Aug  4 16:05:48 EST: RADIUS(00000268): Started 5 sec timeout
    Aug  4 16:05:53 EST: RADIUS(00000268): Request timed out
    Aug  4 16:05:53 EST: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.xxx.xxx.55:1645,1646 is not responding.
    Aug  4 16:05:53 EST: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.xxx.xxx.55:1645,1646 is being marked alive.
    Aug  4 16:05:53 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
    Aug  4 16:05:53 EST: RADIUS(00000268): Started 5 sec timeout
    Aug  4 16:05:57 EST: RADIUS(00000268): Request timed out
    Aug  4 16:05:57 EST: RADIUS: No response from (10.xxx.xxx.55:1645,1646) for id 1645/112
    Aug  4 16:05:57 EST: RADIUS/DECODE: parse response no app start; FAIL
    Aug  4 16:05:57 EST: RADIUS/DECODE: parse response; FAIL
    This is a default template I use for all my devices, routers or switches; hope it helps. I have two PSNs, which is why there are two radius-server host commands.
    aaa authentication login vty group radius local enable
    aaa authentication login con group radius local enable
    aaa authentication dot1x default group radius
    aaa authorization network default group radius 
    aaa accounting system default start-stop group radius
    ip radius source-interface VlanXXX vrf default
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 30 tries 3
    radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646 key *********
    radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646 key *********
    radius-server vsa send accounting
    radius-server vsa send authentication
    You can use this in the switch to test radius
    test aaa group radius server 10.xxx.xxx.xxx <username> <password>
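The two failure modes discussed in this reply and in the ISE log above (device IP not registered as a network device, step 11007, and a shared key that does not match) look identical from the switch: the Access-Request goes out and nothing usable ever comes back, so the request times out and the server gets marked dead. The following is an added example, written for this page in Python and not code from either post or from Cisco; it builds an RFC 2865 Access-Request the way the switch does, runs it against a hypothetical toy server that drops requests from unregistered NAS addresses, and validates the Response Authenticator with the client's copy of the secret. The addresses, secrets and user are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and the attribute types used below (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6


def _attr(attr_type, value):
    """One attribute TLV: type, total length (header included), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _parse_attrs(data):
    attrs = {}
    while len(data) >= 2:
        attr_type, length = data[0], data[1]
        if length < 2:
            break
        attrs[attr_type] = data[2:length]
        data = data[length:]
    return attrs


def encrypt_password(password, secret, request_authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous cipher block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def decrypt_password(cipher, secret, request_authenticator):
    out, prev = b"", request_authenticator
    for i in range(0, len(cipher), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], keystream))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, nas_ip, secret, request_authenticator):
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, encrypt_password(password.encode(), secret, request_authenticator))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(SERVICE_TYPE, struct.pack("!I", 1)))  # Service-Type = Login, as in the debug
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_authenticator + attrs


def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(response, request_authenticator, secret):
    header, response_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)


class ToyRadiusServer:
    """Hypothetical server with the behaviour seen in the ISE log: a request from an IP
    that is not a registered network device (step 11007) is dropped without any reply."""

    def __init__(self, network_devices, users):
        self.network_devices = network_devices  # {nas_ip: shared secret}
        self.users = users                      # {username: password}

    def handle(self, src_ip, packet):
        secret = self.network_devices.get(src_ip)
        if secret is None:
            return None  # unknown NAD: silent discard, the NAS only ever sees a timeout
        code, identifier, length = struct.unpack("!BBH", packet[:4])
        request_auth, attrs = packet[4:20], _parse_attrs(packet[20:length])
        username = attrs[USER_NAME].decode(errors="replace")
        password = decrypt_password(attrs[USER_PASSWORD], secret, request_auth)
        expected = self.users.get(username)
        ok = expected is not None and hmac.compare_digest(expected.encode(), password)
        return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, identifier, request_auth, secret)


def probe_login(server, nas_ip, secret, username, password, identifier=0x70):
    """Host-side counterpart of 'test aaa group radius': returns 'accept', 'reject',
    'bad-authenticator' (secret mismatch; IOS discards such a reply) or 'timeout' (no reply)."""
    request_auth = os.urandom(16)
    request = build_access_request(identifier, username, password, nas_ip, secret, request_auth)
    response = server.handle(nas_ip, request)
    if response is None:
        return "timeout"
    if not verify_response(response, request_auth, secret):
        return "bad-authenticator"
    return "accept" if response[0] == ACCESS_ACCEPT else "reject"


if __name__ == "__main__":
    # Constructed data: one registered NAS and one that is not (like the .243 device above).
    server = ToyRadiusServer({"10.0.0.251": b"s3cret"}, {"admin": "pw"})
    for nas, key, pw in [("10.0.0.251", b"s3cret", "pw"), ("10.0.0.251", b"s3cret", "nope"),
                         ("10.0.0.243", b"s3cret", "pw"), ("10.0.0.251", b"s3cret ", "pw")]:
        print(nas, key, pw, "->", probe_login(server, nas, key, "admin", pw))
```

The last case, a trailing space in the key, is the one the reply warns about: the server answers, but the Response Authenticator does not verify with the switch's copy of the secret, so the switch treats the reply as if it never arrived and the result is the same retransmit/timeout cycle as an unregistered device. Only a real Access-Reject proves that the device is registered and the key matches.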

  • VPN Tunnel w/ 802.1X port authentication against remote RADIUS server

    I have a Cisco 892 set up as a VPN client connecting to an ASA 5515-X.  The tunnel works fine and comes up if there's the correct traffic.  I have two RADIUS servers I want to use certificate-based authentication against, which are located behind the ASA 5515-X.
    If I connect a computer that has the correct certificates to ports FA0 through 3, authentication won't work.  I'll see the following.  This happens even if the VPN tunnel is already established by doing something such as connecting a VoIP phone.  No entries appear in the RADIUS logs, and I also cannot ping the RADIUS servers from VLAN10.
    *Jan 30 19:46:01.435: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.1.100:1812,1813 is not responding.
    *Jan 30 19:46:01.435: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.1.100:1812,1813 is being marked alive.
    *Jan 30 19:46:21.659: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.26.10:1812,1813 is not responding.
    *Jan 30 19:46:21.659: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.26.10:1812,1813 is being marked alive.
    If I connect a second PC to an interface with 802.1X disabled, such as FA6, the VPN tunnel will establish itself correctly.  In this situation, I can ping the RADIUS servers from VLAN10.  If I go ahead and connect another PC with correct certificates to a port with 802.1X enabled, such as port FA0 through 3, then 802.1X will succeed.
    Current configuration : 6199 bytes
    ! Last configuration change at 15:40:11 EST Mon Feb 3 2014 by
    version 15.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname router1
    boot-start-marker
    boot-end-marker
    aaa new-model
    aaa local authentication default authorization default
    aaa authentication login default local
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa session-id common
    clock timezone EST -5 0
    clock summer-time EDT recurring
    ip cef
    ip dhcp pool pool
    import all
    network 192.168.28.0 255.255.255.248
    bootfile PXEboot.com
    default-router 192.168.28.1
    dns-server 192.168.26.10 192.168.1.100 8.8.8.8 4.2.2.2
    domain-name domain.local
    option 66 ip 192.168.23.10
    option 67 ascii PXEboot.com
    option 150 ip 192.168.23.10
    lease 0 2
    ip dhcp pool phonepool
    network 192.168.28.128 255.255.255.248
    default-router 192.168.28.129
    dns-server 192.168.26.10 192.168.1.100
    option 150 ip 192.168.1.132
    domain-name domain.local
    lease 0 2
    ip dhcp pool guestpool
    network 10.254.0.0 255.255.255.0
    dns-server 8.8.8.8 4.2.2.2
    domain-name local
    default-router 10.254.0.1
    lease 0 2
    no ip domain lookup
    ip domain name remote.domain.local
    no ipv6 cef
    multilink bundle-name authenticated
    license udi pid CISCO892-K9
    dot1x system-auth-control
    username somebody privilege 15 password 0 password
    redundancy
    crypto isakmp policy 1
    encr aes 256
    authentication pre-share
    group 5
    crypto isakmp key secretpassword address 123.123.123.123
    crypto ipsec transform-set pix-set esp-aes 256 esp-sha-hmac
    mode tunnel
    crypto map pix 10 ipsec-isakmp
    set peer 123.123.123.123
    set transform-set pix-set
    match address 110
    interface BRI0
    no ip address
    encapsulation hdlc
    shutdown
    isdn termination multidrop
    interface FastEthernet0
    switchport access vlan 10
    switchport voice vlan 11
    no ip address
    authentication port-control auto
    dot1x pae authenticator
    spanning-tree portfast
    interface FastEthernet1
    switchport access vlan 10
    switchport voice vlan 11
    no ip address
    authentication port-control auto
    dot1x pae authenticator
    spanning-tree portfast
    interface FastEthernet2
    switchport access vlan 10
    switchport voice vlan 11
    no ip address
    authentication port-control auto
    dot1x pae authenticator
    spanning-tree portfast
    interface FastEthernet3
    switchport access vlan 10
    switchport voice vlan 11
    no ip address
    authentication port-control auto
    dot1x pae authenticator
    spanning-tree portfast
    interface FastEthernet4
    switchport access vlan 10
    switchport voice vlan 11
    no ip address
    spanning-tree portfast
    interface FastEthernet5
    switchport access vlan 12
    switchport voice vlan 11
    no ip address
    spanning-tree portfast
    interface FastEthernet6
    switchport access vlan 10
    switchport voice vlan 11
    no ip address
    spanning-tree portfast
    interface FastEthernet7
    switchport access vlan 10
    switchport voice vlan 11
    no ip address
    authentication port-control auto
    dot1x pae authenticator
    spanning-tree portfast
    interface FastEthernet8
    no ip address
    shutdown
    duplex auto
    speed auto
    interface GigabitEthernet0
    ip address dhcp
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map pix
    interface Vlan1
    no ip address
    interface Vlan10
    ip address 192.168.28.1 255.255.255.248
    ip nat inside
    ip virtual-reassembly in
    interface Vlan11
    ip address 192.168.28.129 255.255.255.248
    interface Vlan12
    ip address 10.254.0.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    ip nat inside source list 101 interface GigabitEthernet0 overload
    ip route 0.0.0.0 0.0.0.0 dhcp
    ip radius source-interface Vlan10
    ip sla auto discovery
    access-list 101 deny   ip 192.168.28.0 0.0.0.255 192.168.0.0 0.0.255.255
    access-list 101 permit ip 192.168.28.0 0.0.0.255 any
    access-list 101 permit ip 10.254.0.0 0.0.0.255 any
    access-list 110 permit ip 192.168.28.0 0.0.0.255 192.168.0.0 0.0.255.255
    access-list 110 permit ip 192.168.29.0 0.0.0.255 192.168.0.0 0.0.255.255
    radius-server host 192.168.1.100 auth-port 1812 acct-port 1813 key secretkey
    radius-server host 192.168.26.10 auth-port 1812 acct-port 1813 key secretkey
    control-plane
    mgcp profile default
    line con 0
    line aux 0
    line vty 0 4
    transport input all
    ntp source FastEthernet0
    ntp server 192.168.26.10
    ntp server 192.168.1.100
    end

    I have 802.1X certificate authentication enabled on the computers.  As described in my post above, authentication will work if there's another device on the same VLAN that is connected to a port that bypasses authentication.  It seems like I have a chicken-and-egg scenario: a device needs to be successfully connected to VLAN10 before the router will use its VLAN10 interface to communicate with my remote RADIUS server.

  • RADIUS AAA Config - can't console or exec

    Greetings,
    Been trying to get RADIUS working on our network. All Cisco devices running 12.1(13)EA1a or 12.2(20)EW.
    Config -
    aaa new-model
    aaa authentication login default local group radius
    aaa authorization network default group radius
    The server is all set up and I can log in with RADIUS authentication, no problem. I cannot get it to enable without using the default enable password. I also cannot get into the switches using the console port with the RADIUS server down. Not good.
    I tried the following commands for a back door, to no avail:
    aaa authentication login console line
    aaa authentication login locale enable
    aaa authentication login default local line - this just uses all defaults
    aaa authentication login local line none - wide open
    I am using Funk Software Steel Belted Radius on Solaris, Version 4.52.497.

    Thanks for the posts.
    I have searched CISCO for so much, I don't know how I missed these documents. Did you search by IOS? Basically, is there a trick to searching the CISCO site?
    I will read them and update tomorrow. I will also try that command. I think I tried it before but can't remember what happened. I don't think it worked, but I will let you all know.
    Thanks so much for the replies.
    JT

  • Star tool is dragging from the inner radius

    I wonder if anyone else has this problem. I'm using Illustrator CC, but while using the star tool, instead of being drawn while being dragged by the tip or the outer radius, my star is getting dragged from the inner radius. The problem does not occur when dragging while holding the Alt key.

    That's just the way they built the star tool. The polygon and flare tools work the same way: from center outward. It might have to do with a geometric efficiency where the shape can more easily be defined from the center (not sure about that).
    On Mac, holding down option (Mac's alt) doesn't change this. Does alt really make a star draw from the outside inward on PC?
    For rectangle and ellipse, option/alt allows shapes to be built from the center, but their default is outside-in.

  • Roaming problem

    I've configured a new site with 4 radio bases AIR-AP1231G-E-K9 c1200-k9w7-tar.123-8.JA2.
    No VLAN, WPA, TKIP (the same config as many other sites). Authenticating to a central RADIUS.
    My problem is that I can't move around without losing the connection. I have a very good signal from the bases.
    The only thing that is different from the other sites is that here I'm using a Cisco Express 500-TT and the other sites have 2900 and 3500 switches.
    I'm getting an error message from the switch, "Access denied to one or more connecting devices on this port.", when I'm moving around.
    Or is the signal too strong? (Don't think so.)
    When I'm roaming over to a new base I lose connection to the network. But if I do a repair on my laptop the new base gets to be the active one......
    Grateful for help
    Killroy

    Yes, it looks that way.
    When I get roamed over to a new AP I get authenticated and have a connection; after a few seconds I lose my connection to the network but still have a connection to the AP and I'm authenticated. And I lose my IP address.
    If I do a repair on my laptop I get back my IP address and the Cisco Express 500 TT has a critical error on the interface for the new AP.
    "Access denied to one or more connecting devices on this port."
    Seems like a rule problem, but there aren't very many configuration options on the 500!

  • How to configure ACS to authenticate Modem with radius

    Hi,
    How do I configure ACS to authenticate and authorize modem users with RADIUS? My problem is with authorization (authentication is OK in the debug). Do I need to configure specific AV pairs (006 and 007 in IETF)?

    Hi Dominic,
    Do we have a Microsoft RADIUS server or ACS?
    Yes, these attributes should be configured.
    006-service-type: login
    007-framed-protocol: PPP
    HTH
    JK

  • Detect up/down radius server

    Hello,
    I was wondering how a switch proceeds to detect when one or several RADIUS servers are down.
    If I leave only one RADIUS server in a C3560-24PS (running the latest software version) and shut down all services associated with my ACS 4.2 through the web interface, I receive the following error logs:
    13:55:31:%RADIUS-4-RADIUS_DEAD: RADIUS server x.x.x.x:1645,1646 is not  responding.
    13:55:31:%RADIUS-4-RADIUS_ALIVE: RADIUS server x.x.x.x:1645,1646 is being marked  alive.
    Can anyone explain to me why such an output?
    Thank you for your help!
    David

    Hi David,
    Following are the comments for the above messages
    %RADIUS-4-RADIUS_DEAD -- A RADIUS server has not responded to repeated requests
    For checking purpose check to see if the RADIUS server is still active.
    %RADIUS-4-RADIUS_ALIVE -- A RADIUS server that previously was not responding has responded
    to a new request
    Hope to Help !!
    Remember to rate the helpful post
    Ganesh.H
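The reply quotes the message documentation, but what actually decides when the switch flips a server to dead is the retransmit/timeout cycle visible in the `debug radius` output earlier in this thread, tuned by `radius-server dead-criteria time T tries N` from the configuration template above. The following is an added example (Python, written for this page; not code from any of the posts or from Cisco): a small correlator for `debug radius` lines that pairs each Access-Request with its reply or its timeouts and applies a dead-criteria model. The model, that a server is considered dead once a request has gone unanswered for at least T seconds and at least N attempts have timed out, is my reading of that command and is an assumption, as are the sample lines, which are constructed after the post's format with made-up addresses.

```python
import re
from collections import OrderedDict

# Line shapes taken from the 'debug radius' output in the thread (timestamps are "HH:MM:SS").
TS = r"(?P<ts>\d\d:\d\d:\d\d)"
SEND = re.compile(TS + r".*RADIUS\((?P<ctx>\w+)\): Send (?P<kind>\S+) to (?P<server>[\d.]+):\d+ id (?P<id>\d+/\d+)")
RECV = re.compile(TS + r".*RADIUS: Received from id (?P<id>\d+/\d+) (?P<server>[\d.]+):\d+, (?P<code>[\w-]+)")
TIMEOUT = re.compile(TS + r".*RADIUS\((?P<ctx>\w+)\): Request timed out")
NORESP = re.compile(TS + r".*RADIUS: No response from \((?P<server>[\d.]+):[\d,]+\) for id (?P<id>\d+/\d+)")
DEAD = re.compile(TS + r".*%RADIUS-4-RADIUS_DEAD: RADIUS server (?P<server>[\d.]+):")


def _secs(ts):
    h, m, s = (int(x) for x in ts.split(":"))
    return h * 3600 + m * 60 + s


def analyze(lines, dead_time=10, dead_tries=3):
    """Correlate each request with its reply or timeouts and apply a dead-criteria model:
    a server counts as dead once a request has gone unanswered for >= dead_time seconds
    AND >= dead_tries attempts have timed out (assumed reading of
    'radius-server dead-criteria time T tries N', not stated in the thread)."""
    requests = OrderedDict()   # RADIUS id -> record
    ctx_to_id = {}             # the "RADIUS(00000268)" context id -> RADIUS id
    modelled_dead, logged_dead = [], []
    for line in lines:
        if m := SEND.search(line):
            ctx_to_id[m["ctx"]] = m["id"]
            requests[m["id"]] = {"server": m["server"], "kind": m["kind"], "sent": _secs(m["ts"]),
                                 "timeouts": 0, "outcome": "pending", "rtt": None}
        elif m := RECV.search(line):
            if (r := requests.get(m["id"])) is not None:
                r["outcome"], r["rtt"] = m["code"], _secs(m["ts"]) - r["sent"]
        elif m := TIMEOUT.search(line):
            r = requests.get(ctx_to_id.get(m["ctx"]))
            if r is not None and r["outcome"] == "pending":
                r["timeouts"] += 1
                elapsed = _secs(m["ts"]) - r["sent"]
                if r["timeouts"] >= dead_tries and elapsed >= dead_time and not r.get("dead"):
                    r["dead"] = True
                    modelled_dead.append((m["ts"], r["server"]))
        elif m := NORESP.search(line):
            if (r := requests.get(m["id"])) is not None:
                r["outcome"] = "no-response"
        elif m := DEAD.search(line):
            logged_dead.append((m["ts"], m["server"]))
    return requests, modelled_dead, logged_dead


def per_server(requests):
    """Answered vs. unanswered requests per server. A server that is reachable but never
    answers this NAS (unregistered device, wrong key) shows only unanswered requests;
    a flapping path shows a mix."""
    stats = {}
    for r in requests.values():
        s = stats.setdefault(r["server"], {"answered": 0, "unanswered": 0})
        s["answered" if r["outcome"] not in ("pending", "no-response") else "unanswered"] += 1
    return stats


# Constructed sample following the post's format: one good exchange, one that is never answered.
SAMPLE = """\
Aug  4 15:58:47 EST: RADIUS(00000265): Send Access-Request to 10.1.1.35:1645 id 1645/110, len 104
Aug  4 15:58:47 EST: RADIUS(00000265): Started 5 sec timeout
Aug  4 15:58:47 EST: RADIUS: Received from id 1645/110 10.1.1.35:1645, Access-Accept, len 127
Aug  4 16:05:19 EST: RADIUS(00000268): Send Access-Request to 10.1.1.55:1645 id 1645/112, len 104
Aug  4 16:05:19 EST: RADIUS(00000268): Started 5 sec timeout
Aug  4 16:05:23 EST: RADIUS(00000268): Request timed out
Aug  4 16:05:23 EST: RADIUS: Retransmit to (10.1.1.55:1645,1646) for id 1645/112
Aug  4 16:05:29 EST: RADIUS(00000268): Request timed out
Aug  4 16:05:29 EST: RADIUS: Retransmit to (10.1.1.55:1645,1646) for id 1645/112
Aug  4 16:05:33 EST: RADIUS(00000268): Request timed out
Aug  4 16:05:33 EST: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.1.1.55:1645,1646 is not responding.
Aug  4 16:05:33 EST: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.1.1.55:1645,1646 is being marked alive.
Aug  4 16:05:33 EST: RADIUS: No response from (10.1.1.55:1645,1646) for id 1645/112
""".splitlines()


if __name__ == "__main__":
    reqs, modelled, logged = analyze(SAMPLE)
    for rid, r in reqs.items():
        print(rid, r["server"], r["outcome"], "timeouts:", r["timeouts"], "rtt:", r["rtt"])
    print("modelled dead:", modelled, "logged dead:", logged)
    print(per_server(reqs))
```

Run against a real capture, the signal worth looking for is a server with no answered requests at all while the network to it is clean: that is a server that is deliberately not replying to this NAS (unregistered network device, as with the .243 device in the ISE case above, or a key mismatch), not a dead server. The RADIUS_DEAD line followed in the same second by "is being marked alive" in the posts is what you see when no `radius-server deadtime` is configured, so the server is immediately eligible for the next attempt; `show aaa servers` and `show radius statistics` show the per-server counters and dead/alive state the switch keeps.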

  • Please Help: 3550 lab switch locked by radius server

    Hi All,
    Any idea? After cleaning up all the routers' and switches' config files, sw3 still asks for a RADIUS username and password.
    When logging in on the console and using the 3550 password recovery procedure, it still asks for username and password.
    When configuring aaa new-model, no username is asked for; only the password cisco is typed in. (Please see the detailed config file in the following.)
    Note: This is for CCIE R&S home lab rack.
    ==========
    // radius server locks sw3
    Access-Server#9
    [Resuming connection 9 to sw3 ... ]
    User Access Verification
    Username:
    Username: cisco
    Password:
    % Backup authentication
    00:27:36: %RADIUS-4-RADIUS_DEAD: RADIUS server 150.100.1.254:1645,1646 is not responding.
    00:27:36: %RADIUS-4-RADIUS_ALIVE: RADIUS server 150.100.1.254:1645,1646 has returned.
    Username:
    ===========
    sw3#sh run
    Building configuration...
    Current configuration : 4655 bytes
    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    hostname sw3
    aaa new-model
    aaa authentication dot1x default group radius
    aaa session-id common
    mls qos
    ip subnet-zero
    ip routing
    no ip domain-lookup
    dot1x system-auth-control
    dot1x guest-vlan supplicant
    no file verify auto
    interface FastEthernet0/11
    switchport mode access
    dot1x pae authenticator
    dot1x port-control auto
    dot1x guest-vlan 999
    dot1x auth-fail vlan 999
    interface FastEthernet0/12
    switchport mode access
    dot1x pae authenticator
    dot1x port-control auto
    dot1x guest-vlan 999
    dot1x auth-fail vlan 999
    interface FastEthernet0/13
    switchport mode access
    dot1x pae authenticator
    dot1x port-control auto
    dot1x guest-vlan 999
    dot1x auth-fail vlan 999
    interface FastEthernet0/14
    switchport mode access
    dot1x pae authenticator
    dot1x port-control auto
    dot1x guest-vlan 999
    dot1x auth-fail vlan 999
    interface FastEthernet0/15
    switchport mode access
    dot1x pae authenticator
    dot1x port-control auto
    dot1x guest-vlan 999
    dot1x auth-fail vlan 999
    interface FastEthernet0/16
    switchport mode access
    dot1x pae authenticator
    dot1x port-control auto
    dot1x guest-vlan 999
    dot1x auth-fail vlan 999
    interface FastEthernet0/17
    switchport mode access
    dot1x pae authenticator
    dot1x port-control auto
    dot1x guest-vlan 999
    dot1x auth-fail vlan 999
    interface FastEthernet0/18
    switchport mode access
    dot1x pae authenticator
    dot1x port-control auto
    dot1x guest-vlan 999
    dot1x auth-fail vlan 999
    interface FastEthernet0/19
    switchport mode dynamic desirable
    channel-group 1 mode desirable
    interface FastEthernet0/20
    switchport mode dynamic desirable
    channel-group 1 mode desirable
    interface FastEthernet0/21
    switchport mode dynamic desirable
    interface FastEthernet0/22
    switchport mode dynamic desirable
    interface FastEthernet0/23
    switchport mode dynamic desirable
    channel-group 2 mode desirable
    interface FastEthernet0/24
    switchport mode dynamic desirable
    channel-group 2 mode desirable
    interface GigabitEthernet0/1
    switchport mode dynamic desirable
    interface GigabitEthernet0/2
    switchport mode dynamic desirable
    interface Vlan1
    no ip address
    shutdown
    ip classless
    ip http server
    ip http secure-server
    radius-server host 150.100.1.254 auth-port 1645 acct-port 1646
    radius-server source-ports 1645-1646
    radius-server key cisco

    I tried to do password recovery per the Cisco doc, but the config.text file is missing from the flash dir:
    switch: dir flash:
    Directory of flash:/
    2 -rwx 5276 syslog
    3 -rwx 0 env_vars
    4 -rwx 7131928 c3550-ipservicesk9-mz.122-25.SEE.bin
    5 drwx 64 crashinfo
    24 -rwx 326 system_env_vars
    7 drwx 192 c3550-i9q3l2-mz.121-13.EA1a
    26 -rwx 24 private-config.text
