Radius and Diameter

Can anyone please tell me about Radius and Diameter....
As far as I know, Radius and Diameter are both for AAA (Authentication, Authorization, and Accounting) functions.
Is there any other purpose???

This is a UC community, you should be asking this in the security community.
HTH
java
if this helps, please rate
www.cisco.com/go/pdihelpdesk

Similar Messages

  • RADIUS and Nortel (Bay Networks)

    I have installed BMAS 3.8 and the RADIUS server works fine with NTRadPing. I am trying to use the RADIUS server to authenticate users to a Nortel (Bay Networks) 450. I have put a sniffer on the line and find the RADIUS server is sending an Access-Accept message, but the 450 shows access denied. The only thing I can figure is the 450 does not like the authenticator. I have tried just about all the options under Bay Networks in the RADIUS Profile, with no luck.
    Has anyone got Nortel switches to authenticate through a Novell RADIUS server?
    John Curran

    John,
    I am interested in knowing if you found a solution to your problem? We
    are currently planning on setting up Radius and we use Nortel devices. Any
    information or tips you could provide would be appreciated. Thanks,
    Lee Anne
    > Your Nortel box is probably expecting an attribute in the access-accept
    > packet that is not there. You probably just need to configure this attribute
    > in your RADIUS Dial Access Profile, although it's possible that you need an
    > attribute that is not yet in our dictionary.
    >
    > I suggest that you check your Nortel documentation to see what attributes it
    > expects from the RADIUS server. If you require an attribute that is not in
    > our dictionary, post the details here and I'll see that it gets added.
    >
    > >>> John Curran<[email protected]> 12/23/2004 10:59 AM >>>

  • Authenticating against RADIUS *AND* TACACS

    G'day...
    Toys:
    Cisco Secure ACS 3.2
    Cisco 1242 Access Points
    I want to authenticate spectralink phones via LEAP (Radius Aironet) and IT staff logging onto the CLI via TACACS+, all off the same ACS Server.
    The only way I have gotten this to work is to setup TWO Network Device Groups, and add the access point in TWICE (with different unique hostnames). One authenticating RADIUS, and the other profile authenticating TACACS.
    Is this the right way to go about it? Why can't I pick two authentication methods under the one AAA Client profile?
    Cheers,
    Andrew.

    Hi,
    The AAA client hostname configured in Cisco Secure ACS is not required to match the hostname configured on a network device, you can assign any name. What is important is the IP Address to allow the device and ACS to communicate via each AAA protocol.
    If your device need to use both TACACS+ and RADIUS to authenticate 2 different users, then your method is right. This is because a device with same name cannot use both AAA methods to authenticate users - different operation. You have to use 2 different names, but running on the same IP on both TACACS+ and RADIUS.
    I am using the same approach to authenticate remote access clients and network admin in my Access Server.
    Rgds,
    AK

  • Novell Radius and Cisco 1841 router

    I tried to set up NW Radius and it all seems to be set up perfectly according to this TID# http://support.novell.com/cgi-bin/se...?/10078616.htm
    But when someone tries to connect through my Cisco VPN I get this error:
    [2005-05-19 05:03:26 PM] Access request dropped
    <trusted IP>, <Cisco connect group>, Unkown radius client
    I entered the <trusted ip> as a client in Console One and chose Cisco as the vendor (also tried Generic radius).
    <cisco connect group> is the authentication group I setup in the router, and must be entered before connecting through VPN.
    Any clues would be appreciated.

    Jepe,
    It appears that in the past few days you have not received a response to your posting. That concerns us, and has triggered this automated reply.
    Has your problem been resolved? If not, you might try one of the following options:
    - Do a search of our knowledgebase at http://support.novell.com/search/kb_index.jsp
    - Check all of the other support tools and options available at http://support.novell.com in both the "free product support" and "paid product support" drop down boxes.
    - You could also try posting your message again. Make sure it is posted in the correct newsgroup. (http://support.novell.com/forums)
    If this is a reply to a duplicate posting, please ignore and accept our apologies and rest assured we will issue a stern reprimand to our posting bot.
    Good luck!
    Your Novell Product Support Forums Team
    http://support.novell.com/forums/

  • Radius and Billing

    Dear NetPros,
    I have configured the Radius & Billing Servers on my Cisco AS5350 which is terminating VoIP Traffic as given below. The First two are Mind Billing Primary and Secondary Billing Servers. The Third one is a billing server from another vendor. I want to send CDR information to all the three billing servers simultaneously. Currently the gateway is only sending the Radius and Billing information to the first available server. Is there any way for the gateway to send radius and billing information to all these three servers simultaneously???? Would appreciate any help or suggestion in this area. Thanx
    aaa group server radius mind
    server AAA.BBB.CCC.DDD auth-port 1645 acct-port 1646
    server EEE.FFF.GGG.HHH auth-port 1645 acct-port 1646
    server III.JJJ.KKK.LLL auth-port 1812 acct-port 1813
    radius-server host AAA.BBB.CCC.DDD auth-port 1645 acct-port 1646 key 7 XXXXXXXXXXXXXXXXXXXX
    radius-server host EEE.FFF.GGG.HHH auth-port 1645 acct-port 1646 key 7 YYYYYYYYYYYYYYYYYYYY
    radius-server host III.JJJ.KKK.LLL auth-port 1812 acct-port 1813 key 7 ZZZZZZZZZZZZZZZZZZZZ
    Cheers
    Rushabh
    Senior Project Researcher
    PP-Ontime Co., Ltd.
    Cellular ~ 669-2047331
    www.pp-ontime.co.th

    The AAA "Broadcast Accounting" feature allows accounting information to be sent to multiple AAA servers at the same time; that is, accounting information can be broadcast to one or more AAA servers simultaneously. This feature allows broadcasting among "groups of servers". And each server group can define its backup servers for fail over independently of other groups.
    However, the restriction is that Accounting information can be sent simultaneously to a maximum of four AAA servers.
    For the scenario mentioned, in order to send billing info to all the 3 servers simultaneously, the aaa accounting command can be configured globally, as in:
    aaa accounting network default start-stop broadcast group mind1 group mind2 group mind3
    The individual servers in the server group 'mind' may be split across different server groups.
    aaa group server radius mind1
    server AAA.BBB.CCC.DDD auth-port 1645 acct-port 1646
    aaa group server radius mind2
    server EEE.FFF.GGG.HHH auth-port 1645 acct-port 1646
    aaa group server radius mind3
    server III.JJJ.KKK.LLL auth-port 1812 acct-port 1813
    (Backup servers within each server-group may be defined)
    Accounting records are sent simultaneously to the first server in each group. If the first server is unavailable, fail over occurs using the backup servers defined within that group.

  • ASA 5505 VPN Group Policies (RADIUS) and tunnel group

    I have a single ASA firewall protecting a small private development network, and I need it in order to access remotely two distinct network spaces, both of which are VLAN tagged: 1 is LAN and 3 is management. Each net has its own IP address space and DNS server.
    I'd like to set up Anyconnect to land on lan 1, and SSL VPN in order to see the IPMI and management websites sitting on VLAN 3. In order to make things "safer" I have found a free OTP solution, OpenOTP, and I decided to implement it on a virtual machine, setting up a radius bridge to allow user authentication for VPN. I can pass whichever attribute I'd like to using this radius bridge (for example "Class" or "Group-Policy" or whatever is included in the radius dictionaries).
    Actually all I need is quite simple. I have to segregate my remote users in 2 groups, one for Anyconnect, and one for SSL based on the radius response from authentication. (I don't need authorization nor accounting) I'm no Cisco Pro, what I've learnt is based on direct "on the field" experience.
    I'm using two radius users for testing right now, one is called "kaisaron78" associated to a group policy "RemoteAC" and a second one called "manintra" associated to a group policy called "SSLPolicy". "kaisaron78" after logging in should only see the Anyconnect "deployment portal", while "manintra" should see the webvpn portal populated with the links specified in the URL list "Management_List". However, no matter what I do, I only see the default "clean" webvpn page. This is an example of "sh vpn-sessiondb webvpn" for both users..
    Session Type: WebVPN
    Username     : kaisaron78             Index        : 1
    Public IP    : 172.16.0.3
    Protocol     : Clientless
    License      : AnyConnect Premium
    Encryption   : Clientless: (1)RC4     Hashing      : Clientless: (1)SHA1
    Bytes Tx     : 518483                 Bytes Rx     : 37549
    Group Policy : RemoteAC               Tunnel Group : DefaultWEBVPNGroup
    Login Time   : 10:59:33 CEDT Mon Aug 18 2014
    Duration     : 0h:00m:23s
    Inactivity   : 0h:00m:00s
    VLAN Mapping : N/A                    VLAN         : none
    Audt Sess ID : c0a801fa0000100053f1c075
    Security Grp : none
    Asa5505# sh vpn-sessiondb webvpn
    Session Type: WebVPN
    Username     : manintra               Index        : 2
    Public IP    : 172.16.0.3
    Protocol     : Clientless
    License      : AnyConnect Premium
    Encryption   : Clientless: (1)RC4     Hashing      : Clientless: (1)SHA1
    Bytes Tx     : 238914                 Bytes Rx     : 10736
    Group Policy : SSLPolicy              Tunnel Group : DefaultWEBVPNGroup
    Login Time   : 11:01:02 CEDT Mon Aug 18 2014
    Duration     : 0h:00m:05s
    Inactivity   : 0h:00m:00s
    VLAN Mapping : N/A                    VLAN         : none
    Audt Sess ID : c0a801fa0000200053f1c0ce
    Security Grp : none
    As you can see, it seems like the policies are assigned correctly by radius attribute Group-Policy. However, for example you'll notice no vlan mapping, even if I have declared them explicit in group policies themselves. This is the webvpn section of the CLI script I used to setup remote access.
    ! ADDRESS POOLS AND NAT
    names
    ip local pool AnyConnect_Pool 192.168.10.1-192.168.10.20 mask 255.255.255.0
    object network NETWORK_OBJ_192.168.10.0_27
     subnet 192.168.10.0 255.255.255.224
    access-list Split_Tunnel_Anyconnect standard permit 192.168.1.0 255.255.255.0
    nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.10.0_27 NETWORK_OBJ_192.168.10.0_27 no-proxy-arp route-lookup
    ! RADIUS SETUP
    aaa-server OpenOTP protocol radius
    aaa-server OpenOTP (inside) host 192.168.1.8
     key ******
     authentication-port 1812
     accounting-port 1814
     radius-common-pw ******
     acl-netmask-convert auto-detect
    webvpn
     port 10443
     enable outside
     dtls port 10443
     anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 1
     anyconnect profiles AnyConnect_Profile_client_profile disk0:/AnyConnect_Profile_client_profile.xml
     anyconnect enable
    ! LOCAL POLICIES
    group-policy SSLPolicy internal
    group-policy SSLPolicy attributes
     vpn-tunnel-protocol ssl-clientless
     vlan 3
     dns-server value 10.5.1.5
     default-domain value management.local
     webvpn
      url-list value Management_List
    group-policy RemoteAC internal
    group-policy RemoteAC attributes
     vpn-tunnel-protocol ikev2 ssl-client
     vlan 1
     address-pools value AnyConnect_Pool
     dns-server value 192.168.1.4
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value Split_Tunnel_Anyconnect
     default-domain value home.local
     webvpn
      anyconnect profiles value AnyConnect_Profile_client_profile type user
    group-policy SSLLockdown internal
    group-policy SSLLockdown attributes
      vpn-simultaneous-logins 0
    ! DEFAULT TUNNEL
    tunnel-group DefaultRAGroup general-attributes
     authentication-server-group OpenOTP
    tunnel-group DefaultWEBVPNGroup general-attributes
     authentication-server-group OpenOTP
    tunnel-group VPN_Tunnel type remote-access
    tunnel-group VPN_Tunnel general-attributes
     authentication-server-group OpenOTP
     default-group-policy SSLLockdown
    !END
    I had to set up DefaultWEBVPNGroup and RAGroup that way, otherwise I couldn't authenticate using radius (login failed every time). It seems like in ASDM the VPN_Tunnel isn't assigned to the AnyConnect nor to the Clientless VPN client profiles. Do I have to disable both default tunnel groups and set VPN_Tunnel as default on both connections in ASDM? I know I'm doing something wrong but I can't see where the problem is. I'm struggling since May the 2nd on this, and I really need to finish setting this up ASAP!!!!
    Any help will be more than appreciated.
    Cesare Giuliani

    Ok, it makes sense.
    Last question then I'll try and report any success / failure. In this Cisco webpage, http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/ref_extserver.html#wp1661512 there's a list of supported radius attributes. Actually I'm using number 25 Group-Policy, in order to get the correct group policy assigned to users. I see, in that list an attribute 146 Tunnel-Group-Name. Will it work out for the purpose you explained in the previous post ? I mean, if I set up two tunnel groups instead of 1, 1 for anyconnect with its own alias and its own url, and 1 for SSL VPN again with its own alias and url, do you think that using that attribute will place my users logging in into the correct tunnel group ?
    Thank you again for your precious and kind help, and for your patience as well!
    Cesare Giuliani

  • Problem with radius and wep/wpa

    Hi
    I have a problem with wrv200 (1.0.38) + freeradius (2.0.5) + wpc54g v3.1 with WXP with the patch to use wpa/wpa2.
    I think that authentication in my radius passes correctly but there is some problem with wpa mode or wpa compatibility.
    In my wrv200 I try modes: wpa-enterprise, wpa2-enterprise, wpa2 enterprise-mix and radius. In my wireless card I try: wpa and wpa2. My
    freeradius.conf:
    andy Auth-Type := Accept, User-Password == "andy"
    and log from radius:
    rad_check_password: Auth-Type = Accept, accepting the user Login OK: [andy] (from client wrv200 port 0 cli 00-18-F8-aa-aa-aa)
    Sending Access-Accept of id 4 to 10.0.0.6 port 1026
    my wrv200 still send to syslog:
    klogd: @ = Add Host : [00:18:f8:aa:aa:aa] VID 9 LinkID 1 PortNumber 6 klogd: @ = Add Host : [00:18:f8:aa:aa:aa] VID 9 LinkID 1 PortNumber 6
    klogd: @ = Add Host : [00:18:f8:aa:aa:aa] VID 9 LinkID 1 PortNumber 6
    and I never connect to the network and I must still (every 30s) type login and password to authenticate. When I use only wep, without radius, it works.
    I have a dwl900ap+ from dlink and when I use radius + wep 64bit everything works.
    I don't have any idea.
    thanks for any help
    popo

    Hey, try disabling the security and try connecting to the network; if it works fine, if not, I mean if you want to connect using the secured network, then I would suggest you upgrade the firmware of the router and keep on holding tightly the reset button in such a way that the power light is blinking on the router, and then do a complete network power cycle, i.e., unplug the power cables from the modem and from the router, and then plug in the power cable to the modem first; once all the lights are solid green you could plug in the power cable to the router and check it out, it will definitely work!!

  • Radius and Internet sharing not compatible

    I have 2 MBPs connected to a Leopard Server via an AEBS.
    I want to connect a third ethernet device using internet sharing on one of the MBPs
    Couldn't get it to work unless I switched off RADIUS authentication and downgraded to a WPA/WPA2 personal key.
    What am I doing wrong? Does it need additional settings on the AEBS or the server?

    I have the same problem only on mobile. Keeps asking to upgrade. It's like the phone doesn't know I have this service. Or the tmo servers do not know that my account has paid for this. Funny part is, the customer services people say they can see I have this feature on my acct. Pls keep me posted if you get a fix for this

  • RADIUS and Vendor-Specific attributes

    Hi,
    I'm trying to add a vendor specific attribute (Cisco AV Pair) to BMAS
    (NMAS 3.1.2 on NetWare 6.5 SP6). I can add any generic attribute I
    want, but any of the vendor-specific attributes are not sent back in the
    radius access-accept packet. Is there some configuration change I need
    to make to support vendor specific attributes? They all show up in
    ConsoleOne, I can add them, and they are saved when I hit OK.
    Thanks for any suggestions!
    Greg

    In article <UG2Jm.1195$[email protected]>, Greg Palumbo
    wrote:
    > I read the other two recent threads on this, it does sort of sound like
    > a snapin issue, but those are usually under the 1.2\snapins directory I
    > thought. what about installing a fresh copy of C1 on the C:\ drive from
    > the BMAS CD or from NW65SP7? Also, wouldn't all the replaced sys/public
    > files be in SYS/SYSTEM:\BACKSP7? Maybe something like Beyond Compare or
    > WinMerge could flag all the changed files easily...
    >
    My latest thinking is that this is related to security. The failing
    attribute contains an encryption of the DAS client password. I'm assuming
    that ConsoleOne relies on some background process to do the encryption, and
    that between SP7 and SP8, it changed. The new attributes are longer than
    the old ones, so the snapin-related issue may simply be that it cannot read
    what was stored.
    I don't know if there is a particular security-related component that can
    be reversed to allow changes to the DAS object, then updated again to put
    things back to SP8.
    Craig Johnson
    Novell Support Connection SysOp
    *** For a current patch list, tips, handy files and books on
    BorderManager, go to http://www.craigjconsulting.com ***

  • WLC with ISE as radius and also external web server

    Hi friends,
    I am building a wireless network with a 5508 WLC and trying to use ISE as the radius server and also to redirect the web-login to it.
    I was trying to understand whether, to achieve the external web-login, I need to use the radius-nac option under advanced on the guest wireless where I am trying this out, and if not, where do I actually use it?
    So far what I have understood is that I do need to have a preauth ACL on the Layer 3 security, but the issue is there is no hit reaching the ISE.
    Any suggestions would be highly appreciated guys!
    Regards,
    Mohit

    Hi Mohit,
    Please make sure of the below steps for guest auth thru ISE:
    1) Add the WLC in your ISE as a network device.
    2) In the Guest SSID you need to choose the pre-authentication ACL. That ACL should allow the below traffic:
        a. any to ISE
        b. ISE to any
        c. any to DNS server
        d. DNS to any
    3) The external redirect URL will be
    https://ip address:8443/guestportal/Login.action
    4) The AAA server for that SSID would be your ISE IP with port number 1812.
    5) In the advanced tab please choose the AAA override. No need for radius NAC.
    6) Create an appropriate authorization profile in ISE for guest. Example is below,

  • RADIUS and Cisco 2611 router

    Greetings. First, let me start by saying I am an idiot, I know I am an idiot, and I apologize for wasting everyone's time. I have actually RTFM, many RTFMs, in fact, and I still have not found a resolution.
    Second, I am trying to set up a RADIUS server in my test network. I have installed ClearBox RADIUS on a Windows 2000 system. I have the following configuration on my Cisco 2611 router:
    Using 2297 out of 29688 bytes
    ! Last configuration change at 17:20:27 PDT Tue May 20 2008
    ! NVRAM config last updated at 17:20:29 PDT Tue May 20 2008
    version 12.1
    no service single-slot-reload-enable
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    hostname Tester
    logging buffered 10000 debugging
    aaa new-model
    aaa group server radius RadiusServers
    server 172.26.0.2 auth-port 1812 acct-port 1813
    aaa authentication login default group RadiusServers local
    aaa authentication login localauth local
    aaa authentication ppp default if-needed group radius local
    aaa authorization exec default group radius local
    aaa authorization network default group radius local
    aaa accounting delay-start
    aaa accounting exec default start-stop group radius
    aaa accounting network default start-stop group radius
    aaa processes 6
    enable secret xxx
    username test password xxx
    clock timezone PST -8
    clock summer-time PDT recurring
    ip subnet-zero
    no ip domain-lookup
    no ip bootp server
    interface Loopback0
    ip address 192.168.0.1 255.255.255.0
    interface Ethernet0/0
    description To Main Network
    ip address X.X.X.X 255.255.255.128
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    full-duplex
    no cdp enable
    interface Ethernet0/1
    description To Internal Network
    ip address 172.26.0.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    load-interval 30
    full-duplex
    no cdp enable
    ip nat pool test X.X.X.X X.X.X.X netmask 255.255.255.128
    ip nat inside source list 3 pool test overload
    ip nat inside destination list 3 pool test
    ip classless
    ip route 0.0.0.0 0.0.0.0 X.X.X.X
    no ip http server
    ip radius source-interface Ethernet0/1
    access-list 3 permit 172.26.0.0 0.0.0.255
    no cdp run
    snmp-server community public RO 15
    radius-server host 172.26.0.2 auth-port 1812 acct-port 1813 key secret
    radius-server retransmit 3
    radius-server key secret
    line con 0
    password xxx
    logging synchronous
    line aux 0
    line vty 0 4
    access-class 10 in
    password 7 1234567890
    logging synchronous
    ntp clock-period 17208108
    ntp server 192.43.244.18
    end
    My RADIUS server is up and responding to requests, but my router does not appear to be forwarding authentication requests to it. In fact, when I log into the router using HyperTerm, it times out, and I end up authenticating locally.
    I really don't care whether my Cisco equipment authenticates against the RADIUS server, but I do need to get it set up to authenticate my users so I can track their time online. What have I missed in my router configuration? Why isn't it forwarding user authentication requests to the RADIUS server?
    Thank you for any assistance you may be able to provide.

    I have found that if I am in the middle of composing a response, and I open the thread in another browser window (to refer to it), when I go to submit my response, it doesn't get posted. Perhaps you are running into the same thing.
    The command I shared:
    aaa authentication enable default group radius local
    ... was erroneous. The keyword should have been "enable", as you have discovered.
    Therefore use:
    aaa authentication enable default group radius enable
    When I view a Wireshark trace I see the following:
    AVP: l=18 t=User-Password(2): Decrypted: "user-PWD\000\000\000\000\000\000\000\000"
    Like you, I see the user password appended with the group of \000 groupings.
    Note the word "Decrypted" which confirms that the password entered in Wireshark is a match with that entered on the AAA client (for what that's worth).
    I'm not sure if I suggested that this would confirm that the server and client were using the same shared secret. If I did, I misspoke. I think we would have to gauge the server's response to the attributes we see passed by the client.
    The Wireshark decryption is much more dramatic with TACACS+ because the whole payload is encrypted.
    My issue with your PPPoE is that I saw no "interface" on the router that is configured to perform such authentication. I do seem to recall a global authentication command with the PPP keyword perhaps. I have not attempted to do this, and am not sure whether the interfaces in your router will support this method. Perhaps someone else will weigh in with an opinion.
    However, there are other mainstream authentication methods that I think you should investigate as well.
    You could implement 802.1x on a switch so that a host has to authenticate before it can gain Layer 3 access to the LAN. Depending on the platform, you can download VLAN assignments and ACLs.
    I believe the router also supports 802.1x, but that may determine whether a host can get "through" the router. I have not had cause to investigate 802.1x on the router. I may do so in the future to authorize access to IPsec tunnels.
    The router is also likely to support Authentication Proxy. This feature intercepts a user's attempt to browse resources on the other side of the router. User specific ACLs can be downloaded to the router (from RADIUS) to control what resources a user can access.
    I think you should:
    1. Resolve the issue(s) with AAA logins on the router. It'll establish a baseline of functionality, and give you some short term joy.
    2. Investigate whether PPPoE support exists on your router's interfaces.
    3. Read up on 802.1x and Authentication Proxy (docs on Cisco web site).
    4. Decide which method appeals to you.
    5. Dive in.
    I'd lose the self-deprecation. I don't think it will serve you well. If you're treated badly, move to a newsgroup where the participants display a higher level of emotional maturity. I don't think you will have an issue on the Cisco forums. Others would probably step in.
    I'm going to be absent for several days, so if you don't receive any response, it will be for said reason.
    Good luck.
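    The "Decrypted" User-Password line in the Wireshark trace above is the RFC 2865 section 5.2 scheme: the cleartext is NUL-padded to a multiple of 16 bytes and XORed with MD5(secret + Request Authenticator), then MD5(secret + previous ciphertext block) for each further block, which is where the trailing \000 bytes and the l=18 length come from. The following is an added example, not code from this thread; it reuses the shared secret `secret` and the password `user-PWD` seen in the thread, and the 16-byte Request Authenticator is a constructed value.

```python
import hashlib

# RADIUS attribute type numbers (RFC 2865) used below
USER_NAME = 1
USER_PASSWORD = 2


def _pad16(data: bytes) -> bytes:
    """Pad with NUL bytes to a multiple of 16; an empty password still gets 16."""
    if not data:
        return b"\x00" * 16
    return data + b"\x00" * (-len(data) % 16)


def encrypt_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Obfuscate a cleartext password the way a RADIUS client does (RFC 2865 5.2).

    Block 1 is XORed with MD5(secret + Request Authenticator); every later block
    is XORed with MD5(secret + previous ciphertext block).
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    padded = _pad16(password)
    if len(padded) > 128:
        raise ValueError("User-Password may not exceed 128 bytes after padding")
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def decrypt_user_password(value: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse the obfuscation; returns the padded password, NULs included.

    Only the secret of the client that built the packet matters here, so a
    readable result says nothing about what the server has configured.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    if not value or len(value) % 16:
        raise ValueError("User-Password value must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(value), 16):
        block = value[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out)


def strip_padding(padded: bytes) -> bytes:
    """Drop the trailing NUL padding (a password that itself ends in NUL is ambiguous)."""
    return padded.rstrip(b"\x00")


def build_avp(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1) Value; Length covers the header."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single AVP")
    return bytes([attr_type, 2 + len(value)]) + value


def parse_avps(data: bytes) -> dict:
    """Split a run of AVPs into {type: value}; rejects malformed lengths."""
    avps, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        avps[attr_type] = data[pos + 2:pos + length]
        pos += length
    return avps


# Constructed inputs: secret, username and password are the values visible in this
# thread; the Request Authenticator is a made-up 16-byte value (a real client picks
# a fresh random one per Access-Request and carries it in the packet header).
SECRET = b"secret"
USERNAME = b"test"
PASSWORD = b"user-PWD"
AUTHENTICATOR = bytes(range(16))


def client_side() -> bytes:
    """What the AAA client puts on the wire for User-Name and User-Password."""
    return build_avp(USER_NAME, USERNAME) + build_avp(
        USER_PASSWORD, encrypt_user_password(PASSWORD, SECRET, AUTHENTICATOR))


def wireshark_side(avps_on_wire: bytes, secret: bytes) -> tuple:
    """Decode like Wireshark does when given a secret: (AVP length byte, padded value)."""
    avps = parse_avps(avps_on_wire)
    padded = decrypt_user_password(avps[USER_PASSWORD], secret, AUTHENTICATOR)
    # length byte is 2 + 16 = 18, matching "l=18 t=User-Password(2)" in the trace
    return 2 + len(avps[USER_PASSWORD]), padded


if __name__ == "__main__":
    length, padded = wireshark_side(client_side(), SECRET)
    print(f"l={length} Decrypted: {padded!r}")
    print("wrong secret gives:", wireshark_side(client_side(), b"wrong")[1])
```

    Running it with the wrong secret still "decrypts" without error; the result is just 16 bytes of noise, which is why only the server's Access-Accept or Access-Reject tells you whether both sides hold the same secret.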

  • AAA Authorization with RADIUS and RSA SecurID Authentication Manager

    Hi there.
    I am in the process of implementing a new RSA SecurID deployment, and unfortunately the bulk of the IOS devices here do not support the native SecurID (SDI) protocol. The older RSA SecurID deployment version supported TACACS running on the system; now in 8.x it does not. RSA Support and I are having problems getting TACACS working correctly with the new RSA deployment, so the idea turned to possibly just using RADIUS.
    I have setup the RADIUS server-host, and configured the AAA authentication and authorization commands as follows:
    #aaa new-model
    #radius-server host 1.1.1.1 timeout 10 retransmit 3 key cisco123!
    #aaa authentication login default group radius enable
    #aaa authorization exec default group radius local
    I have also tried
    #aaa authorization exec default group radius if-authenticated local
    I can successfully authenticate via SSH to User Mode using my SecurID passcode -- however, when I go to enter Priv Exec mode, it won't take the SecurID passcode - I just get an "access denied".
    I've run tcpdump on the RSA Primary Instance, looking for 1645/1646 traffic, and I don't get anything.
    I've turned on RADIUS debugging on the IOS device, and I don't get anything either.
    I did see this disclaimer in a Cisco doc: "The RADIUS method does not work on a per-username basis." -- not sure if this is related to my issue?
    I'm beginning to wonder if IOS/AAA can't pass the authorization-exec process to RSA SecurID.

    I don't have a solution, but can confirm I have the same problem and am also trying to find a solution.
    I see no data sent to the RSA server when using the wireless AP. With other equipment on the same ACS, I do see the attempts going to the RSA server.
    The first reply doesn't seem to apply to me, since it's not sending a request from the ACS machine to the RSA machine.

  • 802.1x WLANs authenticated via Radius and Active Directory permit any user to access any WLAN

    Hi,
    I have configured several WLANs with WPA2 and 802.1x which authenticate users through a Radius server (Windows Internet Authentication Service) that connects with an Active Directory. In the AD there is one user group for each WLAN, but the problem is that any user that was added to some group can get access to any WLAN. Does anybody know if I need some configuration on the WLC to restrict that?
    thanks for your help.

    Hi Scott,
    I have done some tests modifying the Radius policy to look at the called station ID and tested too looking at the NAS-ID. In the first case, I changed the Call Station ID Type in the WLC RADIUS Authentication Servers configuration to AP MAC Address:SSID and AP Name:SSID and in the Radius Server used .*:SSID-NAME$ and SSID-NAME$, but it blocks access for any user. In the second case, I changed the NAS-ID in the WLC WLAN and interface configuration and in the radius server policy to match all, but it doesn't have any impact. What other test could I try?
    thanks for your help. 

  • Configuring Cisco Aironet 1140 for Radius and setting up a Radius server

    Guys, I need some help setting up my Radius to work with a Cisco Aironet 1140. I am new at this; however, I was tasked with setting up a Radius server and setting up our AP with WPA2-Enterprise so users can log into our AP using AD credentials.
    When I try to set up a new SSID on the AP I do not see the option for WPA2-Enterprise?

    Here are other links with examples:
    https://supportforums.cisco.com/thread/331581
    http://targetcisco.blogspot.com/2011/03/cisco-autonomous-access-point.html
    http://downloads.avaya.com/css/P8/documents/100041614
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • Integration between Cisco RADIUS and RSA

    Ciao. I need some help to configure the RADIUS, activating the RSA "NEXT TOKEN CODE" feature. Can you help me?

    If you have maintenance with RSA or your product is licensed, you can contact their support and they can give a step-by-step guide in PDF.
    I've done similar using RSA and RADIUS for network staff login to all Cisco network devices using a token. The step-by-step guide provided by their support is very helpful.
