Radius 802.1x LAB TEST

Hi guys, I'm planning to do a RADIUS 802.1x lab test. I've got a 2950c switch; what applications do I need? Is any freeware or shareware recommended for doing RADIUS authentication?
Can someone share a configuration guide or any reference for this test? Thanks a lot.

Hi
In the course of eduroam (just some universities worldwide using dot1x - http://www.eduroam.org/) we like http://www.securew2.com/uk/index.htm for Windows PCs.
As open source we like: http://hostap.epitest.fi/wpa_supplicant/

Similar Messages

  • How to re-initialize a Unity Connection 8.5 DataBase for Lab testing

    I have built an Active/Active Unity Connection 8.5 Cluster on UCS for lab testing and I am wondering how to re-initialize the database (Clean out the database like a new install) without having to reinstall the application. I forgot to take a DRS of the newly installed server to revert back to.
    I have tried using Bulk Administration but subscribers and Callhandlers with Dependencies will not be touched by the Bulk Administration job. I need a quick way of getting the database back to fresh install status.

    Hi,
    Unlike Unity, there isn't a way to do this with UC without re-installing the entire application.
    Brad

  • Remote Access VPN Design Sizing Values with Radius or PKI Stress Test

    Hello,
    We would like to guess about the maximum number of  Remote Access VPN Clients (IPSEC or SSL VPN). The Endpoint may be ISRG2 or ASA FW series.  In the attached documents, the maximum numbers are given as a general guideline, but we think this number may decrease if the Radius Authentication is used instead of Local User Authentication, or PKI is used. We don't want to underestimate or overestimate and design with a 20% Margin. Is there a testing done for these effects, wrt CPU, Memory or similar Router or Firewall Resources,  or  method we can test this?   If there is a tool or method that we may simulate a number of Remote Access VPN Clients simultaneously (i.e 500) for different Authentication scenarios? We have found that IXVPN from Ixia or Load Runner from HP may be helpful, but complex to configure and use.
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80402e39.html
    Devices include a license for two Premium VPN users for evaluation and remote management purposes. The total concurrent IPsec and SSL (clientless and tunnel-based) VPN sessions may not exceed the maximum concurrent IPsec session count shown in the chart. The SSL/IPsec IKEv2 VPN session number (clientless or AnyConnect client) may also not exceed the number of licensed sessions on the device. The ASA 5580 supports greater simultaneous users than the ASA 5550 at comparable overall SSL VPN throughput to the ASA 5550. VPN throughput and sessions count depend on the ASA device configuration and VPN traffic patterns. These elements should be taken in to consideration as part of your capacity planning.
    Thanks in Advance,
    Best Regards,

  • Radius 802.1x authentication with computer AND users.

    Hi!
    I don't know if what I'm trying to do is possible, so please excuse me if this sounds silly :)
    I have a Cisco Wireless LAN manager where I've configured 2 different SSIDs: COMPANY and COMPANY_mobiles.
    What I want is to create a policy to restrict access to the COMPANY SSID to only my company laptops with authenticated users (both groups exist in the AD).
    Therefore I created a new policy with the following conditions:
    - NAS Port Type : Wireless
    - Client IPv4 Address : <my cisco ip>
    - Called Station ID : ^AA:BB:CC:DD:EE:FF:COMPANY$
    - Users Groups : EUROPE\MY_USER_GROUP
    - Machine Groups : EUROPE\Domain Computers
    When trying to connect a notebook on Windows 7 to that COMPANY SSID, I'm being rejected with the following error:
    User:
        Security ID:            EUROPE\HOSTNAME$
        Account Name:            host/HOSTNAME.my.server.com
        Account Domain:            EUROPE
        Fully Qualified Account Name:    EUROPE\HOSTNAME$
    Authentication Details:
        Connection Request Policy Name:    Secure Wireless Connections
        Network Policy Name:        Connections to other access servers
        Authentication Provider:        Windows
        Authentication Server:       My.radius.server.com
        Authentication Type:        EAP
        EAP Type:            -
        Account Session Identifier:        -
        Logging Results:            Accounting information was written to the local log file.
        Reason Code:            65
        Reason:                The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.
    It therefore seems that it doesn't match my network policy and falls back to the default one.
    If I remove the user rule and leave the computer rule: Connection OK
    If I remove the computer rule and leave the user rule: Connection OK
    But if I put both, I can't connect :s
    Can someone help me with this issue?
    Thanks a lot !
    Geoffrey

    Hi Geoffrey,
    I would like to know if EAP-TLS wireless authentication has been used, since it uses user and computer certificates to authenticate wireless access clients.
    Please try to use the NPS wizard to configure the 802.1x wireless connection, and you will find that it creates a new connection request policy and network policy. The network policy NAS Port Type will be "Wireless - Other OR Wireless - IEEE 802.11". If you need to filter by user and computer account, the log should show both the authenticated user and machine account name.
    EAP-TLS-based Authenticated Wireless Access Design
    http://technet.microsoft.com/en-us/library/dd348478(WS.10).aspx
    Regards, Rick Tan

  • AD Radius 802.1x Login Window Connection Problems

    Mac Mini/10.10.1
    I'm using two profile manager profiles for testing:
    1. AD Certificate
        Installs certificate for AD Certificate Authority.
         Requests Machine Certificate from CA
    2. Network Settings
         Network Payload:
              Interface WIFI
              SSID our 802.1x SSID
              Auto Join - Checked
              Security Type - WPA / WPA2 Enterprise
              Use as Login Window Config - Checked
              EAP Types: PEAP
              Use Directory Auth - Checked
    Issue:
         Certificate services work fine, login window works fine. User is able to log in and authenticate to wireless. However, users are experiencing problems with computer sleep, roaming on the network, etc. I can simulate their problems by turning off AirPort and back on while logged in. What I'm seeing happen is that when AirPort is turned back on, it begins to connect to the 802.1x wireless network but does not authenticate and does not receive an IP address, eventually resulting in a self-assigned address. If I press the connect button it will then authenticate and work as expected.
    Why is it necessary to press the connect button, why does it not automatically connect? Am I doing something incorrect or is this normal behavior?
    Going into network preferences, choosing wifi adapter and clicking connect is too much to expect from my users. And it would be annoying even for me if this happened every time I went offline.
    Thank you for suggestions.
    Joe

  • Free RADIUS/802.1X Service for WPA/WPA2-Enterprise

    Hi, just wanted to let everyone know that I recently started offering a Free Edition of our AuthenticateMyWiFi service, a hosted RADIUS/AAA service offering 802.1X authentication for use with WPA/WPA2-Enterprise encryption.
    The Free Edition features 1 user account, supports 1 AP, and includes: PEAP authentication for wireless and wired connections, web-based control panel, and activity logging.
    This is great for IT professionals wanting to experiment with 802.1X or to get enterprise Wi-Fi security in homes and small offices.
    For more info visit our site:
    http://www.nowiressecurity.com/service.htm
    - Eric Geier

    I recommend contacting Linksys support on the phone and ask them which model router has Radius or Enterprise WPA features. Some home class routers may not have this. Ask and see what is available. 

  • Lab test scenario

    Hi guys,
    we want to set up a test scenario in our lab to get familiar with PI 7.0. We want to send messages between 2 SAP systems separated by two PI servers to simulate a WAN connection with firewalls etc. I'm sure somebody has done this before, but I'm not able to find any info about this topic. Can you guys help out? Thanks a lot!
    Regards,
    Michael

    Michael,
    Yes lots of questions...so had to paste ur q`s here...
    yes if properly configured PI server is secure enough.
    1) what firewalls are you using..i used a combo of linux with ipchains and Aix with secureway firewall to do the dmz..yes i had to publish the servers in the secureway firewall. The linux one we used one box on each end as a protocol/port firewall.
    This is what i did as the documentation for this is quite limited...lots of general links..no specifics..!!!
    The setup I had done was a combination of SAP R/3 talking through XI to IBM WebSphere; users could input data into WebSphere after passing through LDAP, WebSphere Security and Tivoli WebSeal. The certificate key was generated using Tivoli PKI, and this then we had in one scenario for each adapter, and had a set of tests where at different times different machines would be in the DMZ. Finally we settled with the WebSphere server being in the extranet and the rest in the intranet. Why do you need to set up 2 PI servers to talk to each other using IDocs? It's preferable to go with SOAP for that. We did tunnel the HTTP traffic into the LAN (P.S.: Check the ports for HTTP, it's not 8080 or 8000 as expected ;).
    Hope this helps..let me know if you need more info....
    Regards
    Ravi Raman
    I'm looking for information how to set up the two PI servers that they communicate via HTTP/S and internally via IDOCs. Especially the part when we have to publish the PI servers in the DMZ is interesting. How is this done generally? Do I have to set up the servers in the DMZ or is it ok when the servers are behind the Firewall and I would just tunnel the HTTP traffic into the LAN. Have you any experience with the security topics when we are not in the DMZ? IS a PI server secure enough to be out there? You see, a lot of questions...
    Regards,
    Michael

  • TACACS=admin RADIUS=802.1x same ACS?

    I have an ACS appliance set up for TACACS auth for administrative users. I need to configure 802.1x with RADIUS as I'm sending the VLAN ID back down when the user authenticates. Is this possible? Doesn't seem to be working for me. Also, I am doing this on both CatOS and IOS so IOS only solutions won't help.
    Thanks!

    Yes, it's possible. You need to set the following standard RADIUS attributes on a per-group or per-user basis:
    [64] Tunnel-Type - "VLAN"
    [65] Tunnel-Medium-Type - "802"
    [81] Tunnel-Private-Group-ID - ""
    Hope this helps.
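An added example, not part of the original reply: the three attributes listed above as they appear on the wire, with a check that a reply actually carries a usable VLAN assignment. The byte layout (one tag byte, then the value) and the enum values 13 and 6 follow RFC 2868 and RFC 3580; the function names and the VLAN "120" are made up for illustration.

```python
import struct

# Attribute numbers as listed in the reply; enum values per RFC 2868 / RFC 3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN = 13        # Tunnel-Type "VLAN"
MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type "802"


def encode_vlan_attrs(group, tag=0):
    """Encode the three reply attributes for VLAN `group` (ID or name)."""
    text = str(group).encode("ascii")
    if not text or len(text) > 252:
        raise ValueError("Tunnel-Private-Group-ID must be 1..252 bytes")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    out = b""
    for attr, value in ((TUNNEL_TYPE, TYPE_VLAN),
                        (TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802)):
        # Type, length 6, one tag byte, 3-byte big-endian value.
        out += struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")
    # The tag byte is optional on the string attribute; omit it when unused.
    body = (bytes([tag]) if tag else b"") + text
    return out + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(body)) + body


def parse_attrs(data):
    """Yield (type, value) for each attribute; reject malformed lengths."""
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        yield attr, data[i + 2:i + length]
        i += length


def check_vlan_reply(data):
    """Return (vlan, problems) for the reply attributes in `data`."""
    seen = {}
    for attr, val in parse_attrs(data):
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(val) != 4:
                raise ValueError("attribute %d must be tag + 3-byte value" % attr)
            seen[attr] = int.from_bytes(val[1:], "big")
        elif attr == TUNNEL_PRIVATE_GROUP_ID and val:
            # A first byte of 0x00..0x1F is a tag, anything higher is text.
            text = val[1:] if val[0] <= 0x1F else val
            seen[attr] = text.decode("ascii", "replace")
    problems = []
    if seen.get(TUNNEL_TYPE) != TYPE_VLAN:
        problems.append("Tunnel-Type is not VLAN (13)")
    if seen.get(TUNNEL_MEDIUM_TYPE) != MEDIUM_IEEE_802:
        problems.append("Tunnel-Medium-Type is not 802 (6)")
    if not seen.get(TUNNEL_PRIVATE_GROUP_ID):
        problems.append("Tunnel-Private-Group-ID is missing or empty")
    vlan = seen.get(TUNNEL_PRIVATE_GROUP_ID) if not problems else None
    return vlan, problems


if __name__ == "__main__":
    reply = encode_vlan_attrs("120")          # constructed sample, VLAN 120
    print(reply.hex(), check_vlan_reply(reply))
    empty = reply[:12] + b"\x51\x02"          # group ID present but empty
    print(check_vlan_reply(empty))
```

All three attributes have to be present and agree; a reply whose Tunnel-Private-Group-ID is empty does not name a VLAN.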

  • Question in ACS radius ports and how test connectivity between router

    Hi all,
    I'm asking here about the default ports used in Cisco ACS for the RADIUS protocol.
    Is it 1812 and 1813?
    Or are there other ports?
    Q2-
    How do I test connectivity between the ACS "server aaa" and the router "client aaa"?
    Q3-
    Can anyone give me a simple config on the router for connecting to ACS over the RADIUS protocol?
    Regards

    The default authentication port is 1812 and the default accounting port is 1813.
    Here's an example config-
    aaa new-model
    aaa group server radius ACME-RADIUS
    server-private 192.168.1.5 auth-port 1812 acct-port 1813 key SeCrEtPaSsWoRd
    aaa authentication login default local
    aaa authentication login ACME-AAA group ACME-RADIUS local
    aaa accounting send stop-record authentication failure
    aaa accounting exec default start-stop group ACME-RADIUS
    line vty 0 4
    login authentication ACME-AAA
    You can test with-
    test aaa group radius server 192.168.1.5 mmessier St@nleyCup
    where mmessier is your username and the password is St@nleyCup

  • Radius server for lab work

    I am studying Routing & Switching, but I also need to have a general understanding of the security features: AAA authentication, dot1x etc. It is probably the weakest link in my chain of knowledge because I have never used those features.
    I really need to play with the protocols in the lab to get a basic understanding of them. Is there some cut-down Radius server, preferably freeware running on a PC, that can be used for basic lab work? Can someone guide me through obtaining and installing it?
    Kevin Dorrell
    Luxembourg

    Hi Kevin
    You should be able to get an eval license for Cisco's Secure ACS that you could use in the lab. It is free for download on the Cisco site.
    It does run out after 3 months so it depends on how long you need it for.
    The other option is to use the Microsoft Radius server (IAS) which comes with the W2K Advanced server. I haven't used it so i can't really comment other than that.
    HTH
    Jon

  • Running test on Lab: Test run cannot be found

    Every so often I'll get an automated test running on a lab environment fail because the test run cannot be found. This happens during the middle of the test, so the test run was there at one point. What is happening here?

    Hi Brandon,
    According to your description, it seems that you are using LabTemplate to run the test.
    Could you run the test successfully through MTM directly?
    Could you find that test run in MTM?
    What’s the version of your TFS?
    Best Regards
    Starain

  • Question Re IAS/RADIUS 802.1x Authentiction on SG300 Switches

    Good Morning All,
    We have just acquired one of these new SG300 series switches which gives us the ability to play around with 802.1x authentication.
    We have everything configured correctly for any clients which have 802.1x (e.g. PCs, IP phones).
    Our problem comes with non-802.1x-compliant devices, in this case a printer. The documentation says the switch should detect there is no 802.1x client, and pass the authentication as itself, with the username. It does this, but we get a weird error on our ISA server... It's weird, I am puzzled. We have some other vendor switches which perform this without causing the below issue, so am I missing something easy?
    Help greatly appreciated.
    ===
    User 0014389c24f0 was denied access.
    Fully-Qualified-User-Name = nuffieldhospitals.org.uk/Test OU - IT Infrastructure/MAC Address Testing/0014389c24f0
    NAS-IP-Address = 10.101.180.250
    NAS-Identifier = <not present>
    Called-Station-Identifier = <not present>
    Calling-Station-Identifier = 00-14-38-9C-24-F0
    Client-Friendly-Name = FWCORPAMEXHouse
    Client-IP-Address = 10.101.180.250
    NAS-Port-Type = Ethernet
    NAS-Port = 55
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = CISCO_FWCORP_PCMACS
    Authentication-Type = EAP
    EAP-Type = <undetermined>
    Reason-Code = 22
    Reason = The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    ===
    Any help greatly appreciated.
    Thanks
    AJ

    Hi,
    Can you do the following:
    Go to IAS > Remote Access Policies > Double click on the policy CISCO_FWCORP_PCMACS .
    Click Edit Profile.
    On the Authentication tab, click EAP Methods.
    In Select EAP providers, click Add.  Select the authentication methods that you want to use, and then click OK.
    In Select EAP providers, click the EAP type that you  want to configure, and then click Edit. Depending on  the EAP type selected, one of the following dialog boxes is displayed:
    If Protected EAP (PEAP) is selected, the Protected  EAP Properties dialog box opens. In Certificate Issued,  select the certificate that the server uses to identify itself to  client computers. To enable PEAP fast reconnect for 802.11 wireless  client computers, click Enable Fast Reconnect.  Secure  password user authentication with EAP-MSCHAPv2 is the default in EAP  Types. To configure EAP-MSCHAPv2 properties, click Edit.  To configure certificate or smart card user authentication click Add.  In Authentication methods, click Smart Card or  other certificate, and then click OK.
    If Smart Card or other Certificate Properties is  selected, the Smart Card or other Certificate Properties dialog box opens. In Certificate issued to, select the  certificate that the server uses to authenticate to client computers.
    In Select EAP providers, click Move Up or Move Down to specify the negotiation order of EAP  methods. The server starts negotiation with the client according to the  order specified in EAP types.
    Hope this helps.
    Regards,
    Anisha
    P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

  • Device controller - Is it necessary for a lab test?

    Hi all,
    Newbie here, nice to finally see an RFID with some actual SAP content and real life experiments
    Anyway, we are about to start testing the AII with R/3 and we have purchased all the hardware (fixed and mobile readers). I was wondering whether it was possible to bypass the device controller and "plug" our readers directly into AII? I know that it wouldn't be realistic in a real life environment, but right now we are more interested in just making the thing work without spending too much $$$
    Thanks,
    Steve

    Hello Steve!
    > Our current goal is more to test the R/3 -
    > AII integration than to do technical tests on the
    > RFID side.
    You can't integrate AII with R/3 without using a XI between. Except you are going to do some programming in AII.
    > A couple of extra questions:
    > - Johannes, you mention that SAP offers a JAVA device
    > controller as a reference.  Any idea where I may find
    > that?
    You wrote, that you are using Intermec devices. Ask the Intermec support for the device controller for SAP AII. They have one.
    > - What is the ball park price for a device
    > controller?
    A device controller is hardware specific. So, your hardware vendor should provide you with the necessary software. If not, you have to use some generic solution, which is normally much more expensive.
    If you consider programming something by our own, take a look at the HTTP and XML capabilities of Microsoft's .NET Compact Framework. It runs on Pocket PC 2002 and higher.
    Communicating with AII is the easy part. You just need to be able to send XML messages, formatted using the PML specification publicly available from EPCglobal, and a HTTP library to transport the messages to AII.
    Communicating with the RFID devices is the much more difficult part of it. You need to know how the data is organized on your RFID tag (EPC data tag formatting is standardized by EPCglobal), you need a OS specific driver for your reader interface (Intermec IP3 on WinCE/PocketPC) and you need a LAN/WLAN connection to AII.
    Once you are able to read your tags, you will face a lot of trouble with reading errors, multiple readings and so on. Your DC software has to handle that.
    You will find more on the DC stuff here: http://www.radioactivehq.org/ and here: http://www.i-konect.com/singularity/
    Greetings,
    Johannes

  • MPLS lab test

    Hi guys, I've got three 2500 routers with MPLS support, and a 2621 with Telco feature IOS. One 3620.....
    Can 4 routers play MPLS & BGP / VPN?

    Hi,
    yes, this is possible. For example: CE1(3620) - PE1(2500MPLS) - PE2(2500MPLS) - CE2
    In case you have Serial interfaces use Frame Relay with different, separate PVCs and you can also setup "redundancy" and the like.
    If your 3620 and 2621 IOS supports tag-switching you could use them as PE routers. There is no need for a "P" router to test MPLS VPN.
    Hope this helps! Please rate all posts.
    Regards, Martin

  • VPLS lab test ?

    Hi guys, I plan to test VPLS ... what devices do I need? I've got 2950c, 2600, 2500, 3600.

    Hello,
    Officially you will need a Cisco 7600 or 12000 to set up VPLS. VPLS is not supported on the equipment you mentioned. You can only use it as CE devices.
    Regards, Martin
