Radius Attributes for WAP321 AP

Hi
Is there a list with the supported radius attributes for wlan-user-authentication? Now I have the following freeradius entry in my users file:
DEFAULT Ldap-Group == 'wlanusers', Huntgroup-Name == 'accesspoint'
        Service-Type := Login,
        Fall-Through := No
But it doesn't work. Have I forgotten some attributes?
thx for any help
Matthias

Hi,
Can you please take a screenshot of your configuration and attach it so that it can be used to root cause the issue.
Regards,
Phanikrishna

Similar Messages

  • ACS 4.2 Windows Radius Attributes for VPN-dial-in

    Hello,
    this Situation:
    A remote user establishes a VPN connection (AnyConnect) to an ASA 8.4, the ASA forwards authentication to ACS 4.2, and ACS should assign an IP address from an address pool depending on group membership (LDAP).
    the Problem:
    the User gets an IP-Config with a Default-Gateway which is always the 3.Address of the IP-Pool (IP-Pools are /28 Ranges), the Mask is ok (/32).
    On the ASA-Log I can see a Message:
    %ASA-6-110002: Failed to locate egress interface for protocol from src interface:src IP/src port to dest IP/dest port
    I've assigned the following attributes:
    IP Assignment: Assigned from AAA server pool (the accordant pool is selected)
    IETF Radius Attributes:
    006 Service Type: Framed
    007 Framed Protocol: ppp
    009 Framed-IP-Netmask: 255.255.255.255
    (not sure about) 022 Framed-Route: 0.0.0.0
    025 Class: <Group-Policy of ASA>
    Does anyone of you know what I'm doing wrong?
    On the ASA I can't find any settings.
    Thanks for any advice

    O'Brien Simon
    Did you manage to get a reply to your question about the timeout period for dynamic users in ACS 4.2 ?  As this is what I was about to ask but noticed your post.
    Many thanks
    florrieford

  • Secure-ACS: Special RADIUS-Attributes for Enterasys E7

    Hi,
    we were running a pretty old version of the Cisco Secure ACS for AAA of our network devices.
    Unfortunately the server crashed and we had to install and set it up with a new server.
    Using TACACS+ for our Cisco devices works fine.
    We have a couple of switches made by a vendor called Nexans, which only support RADIUS - this works fine too.
    Furthermore we still have some Enterasys E7 and with those RADIUS doesn't work at all.
    Sniffing the packets, everything looks good.
    With the old server it worked well.
    Does anybody know if there are special configurations (e.g. attributes) when configuring an ACS for Enterasys RADIUS-Clients?
    Thanks,
    Rolf

    We have this configuration and works fine with our network and associate in a good manner also the policy which we have configured it on Enterasys in this way
    Filter-Id===>
    Enterasys:version=1:mgmt=su:policy=Administrator
    After we made the update to ACS 5, the "ASA" considers this Filter-Id as an access list, so it treats the field after the Filter-Id as the name of the ACL and disconnects the VPN connection.
    Could someone help me to resolve that?

  • Add RADIUS attributes under "Group Setup" in ACS 4.2

    Hi Security Experts,
    I need to add RADIUS attributes for a custom vendor under "Group Setup" page in ACS 4.2. As of now, I see Cisco Aironet RADIUS Attributes,
    IETF RADIUS Attributes etc in "Group Setup" page. How can I make sure that the RADIUS attributes for a vendor also appear on that page?
    PS: I rate useful posts
    Thanks,
    Kashish

    Under "Interface" you can enable which RADIUS-Attributes you want to display. Probably there's just one checkmark missing for your vendor.
    The Options for RADIUS are described here:
    http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/A_RADAtr.html

  • How to get ACS3.2 to assign different attributes for multiples NAS's

    We are running ACS3.2 and have 3 different types of NAS for each group of users (two managed dial solutions and 1 home grown VPN concentrator solution).
    The problem is that the two dialup NAS's require different RADIUS attributes for the IP address assignment: one NAS uses a named pool, the other NAS assigns the pool based on an IP entry in attribute 8 (framed IP address). Users mapped to one ACS group must be able to use both dial services.
    Is it possible to configure ACS so that one type of attribute is used for one NAS and another type of attribute for the other for users belonging to the same group?
    Thanks,
    Matt

    Hmm, I thought you might say that:(
    I've done a bit of jiggery pokery and will be doing some testing tomorrow.
    I'll post back to this forum to let you know how it goes.
    Matt

  • Cisco 2960-X & ISE accounting- username Radius attribute missing

    Hi,
    I'm facing an issue with Cisco 2960 switch RADIUS accounting with Cisco ISE 1.2.1. Here is my scenario:
    - Username (vendor1) is configured in the ISE local database, under group (VENDOR)
    - Authentication protocol: wired MAB
    - Authentication method: webauth using the guest portal; the user is a vendor, so no dot1x is configured on his NIC.
    The problem is that the switch is not sending the username as part of the RADIUS attributes; in the authentication log, the username is shown as the MAC address of the user machine. Therefore, I cannot configure my authorization condition using internaluser:Name Equal vendor1,
    while if I configure the condition using the identity group condition IdentityGroup:Name Equal VENDOR, it works.
    The same configuration is working on a 3750 switch with no issue.
    Here is my Switch config:
    aaa authentication login default local
    aaa authentication dot1x default group radius
    aaa authorization network default group radius 
    aaa authorization auth-proxy default group radius 
    aaa accounting auth-proxy default start-stop group radius
    aaa accounting dot1x default start-stop group radius
    aaa accounting update periodic 5
    username admin password 
    username radius-test password 
    aaa server radius dynamic-author
     client 172.16.2.20 server-key 7 04490A0206345F450C00
     client 172.16.2.21 server-key 7 03165A0F0F1A32474B10
    radius server ISE-RADIUS-1
     address ipv4 172.16.2.20 auth-port 1812 acct-port 1813
     automate-tester username radius-test idle-time 15
     key 7 111B18011E0718070133
    radius server ISE-RADIUS-2
     address ipv4 172.16.2.21 auth-port 1812 acct-port 1813
     automate-tester username radius-test idle-time 15
     key 7 0214055F02131C2A4957
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server attribute 31 mac format ietf upper-case
    radius-server attribute 31 send nas-port-detail
    radius-server dead-criteria time 5 tries 3
    radius-server vsa send accounting
    radius-server vsa send authentication
    any help  !!!

    Thanks for your reply. I know what MAB is; if you read my explanation again, I mentioned that the user is authenticated in the guest portal, which means that I have web authentication, and it is working fine. The only issue is that I cannot use the vendor1 username as part of the authorization condition, and this is because the switch is not sending the RADIUS attribute type 1 to the ISE. Thus, in the ISE authentication log the MAC address of the client machine is shown as the username, not the actual username (vendor1).
    As I mentioned also, I have exactly the same setup with ISE 1.2 and a 3750 switch and I do not have this issue. I experience this with the 2960-X only.

  • Looking for a reference manual that actually describes in detail all attributes for a command

    I am using CS5. I am teaching myself Photoshop using their book, "Classroom in a book".
    Throughout the lessons, they will suggest specific settings for command attributes without describing exactly what these values mean. For example, on page 88 they give the student specific settings for the Refine Edge dialog box under the Quick Selection tool. They say, "To prepare the edge for a drop shadow, set Smooth to 24, Feather to 0.5, Contrast to 12, and Shift Edge to -21". Note: I am calling things like Smooth, Feather, Contrast, etc. command attributes.
    My question is not about this specific example, but all these attribute values for all the commands. For example, what does Shift Edge really do when negative or positive? My question is: does a reference, either a book, PDF, or a non-Adobe product (probably a book), exist that actually explains what each attribute actually does for every command? Basically I am looking for a boring detailed reference guide so when I am using a specific command, I can read about the attributes for the specific command and understand what the values really mean and not guess by trial and error.
    Thanks in Advance,
    LouF

    Lou Fuchs wrote:
    For example, I just happen to have my book open to page 113 and it is showing me (at the bottom of the page) the dialog box for Layer Style.  I was hoping for a reference manual that explains every option in the that dialog box in detail and tells you what each option means and how it effects the image.
    I hope this clarifies what I am looking for.
    Here's a little snippet from the info about Layer Styles in the Adobe manual.
    Layer style options
    Altitude: For the Bevel and Emboss effect, sets the height of the light source. A setting of 0 is equivalent to ground level, 90 is directly above the layer.
    Angle: Determines the lighting angle at which the effect is applied to the layer. You can drag in the document window to adjust the angle of a Drop Shadow, Inner Shadow, or Satin effect.
    Anti-alias: Blends the edge pixels of a contour or gloss contour. This option is most useful on small shadows with complicated contours.
    Blend Mode: Determines how the layer style blends with the underlying layers, which may or may not include the active layer. For example, an inner shadow blends with the active layer because the effect is drawn on top of that layer, but a drop shadow blends only with the layers beneath the active layer. In most cases, the default mode for each effect produces the best results. See Blending modes.
    Choke: Shrinks the boundaries of the matte of an Inner Shadow or Inner Glow prior to blurring.
    Color: Specifies the color of a shadow, glow, or highlight. You can click the color box and choose a color.
    Contour: With solid-color glows, Contour allows you to create rings of transparency. With gradient-filled glows, Contour allows you to create variations in the repetition of the gradient color and opacity. In beveling and embossing, Contour allows you to sculpt the ridges, valleys, and bumps that are shaded in the embossing process. With shadows, Contour allows you to specify the fade. For more information, see Modify layer effects with contours.
    Distance: Specifies the offset distance for a shadow or satin effect. You can drag in the document window to adjust the offset distance.
    Depth: Specifies the depth of a bevel. It also specifies the depth of a pattern.
    Use Global Light: This setting allows you to set one “master” lighting angle that is then available in all the layer effects that use shading: Drop Shadow, Inner Shadow, and Bevel and Emboss. In any of these effects, if Use Global Light is selected and you set a lighting angle, that angle becomes the global lighting angle. Any other effect that has Use Global Light selected automatically inherits the same angle setting. If Use Global Light is deselected, the lighting angle you set is “local” and applies only to that effect. You can also set the global lighting angle by choosing Layer Style > Global Light.
    Gloss Contour: Creates a glossy, metallic appearance. Gloss Contour is applied after shading a bevel or emboss.
    Gradient: Specifies the gradient of a layer effect. Click the gradient to display the Gradient Editor, or click the inverted arrow and choose a gradient from the pop-up panel. You can edit a gradient or create a new gradient using the Gradient Editor. You can edit the color or opacity in the Gradient Overlay panel the same way you edit them in the Gradient Editor. For some effects, you can specify additional gradient options. Reverse flips the orientation of the gradient, Align With Layer uses the bounding box of the layer to calculate the gradient fill, and Scale scales the application of the gradient. You can also move the center of the gradient by clicking and dragging in the image window. Style specifies the shape of the gradient.
    Highlight or Shadow Mode: Specifies the blending mode of a bevel or emboss highlight or shadow.
    Jitter: Varies the application of a gradient’s color and opacity.
    Layer Knocks Out Drop Shadow: Controls the drop shadow’s visibility in a semitransparent layer.
    Noise: Specifies the number of random elements in the opacity of a glow or shadow. Enter a value or drag the slider.
    Opacity: Sets the opacity of the layer effect. Enter a value or drag the slider.
    Pattern: Specifies the pattern of a layer effect. Click the pop-up panel and choose a pattern. Click the New Preset button to create a new preset pattern based on the current settings. Click Snap To Origin to make the origin of the pattern the same as the origin of the document (when Link With Layer is selected), or to place the origin at the upper-left corner of the layer (if Link With Layer is deselected). Select Link With Layer if you want the pattern to move along with the layer as the layer moves. Drag the Scale slider or enter a value to specify the size of the pattern. Drag a pattern to position it in the layer; reset the position by using the Snap To Origin button. The Pattern option is not available if no patterns are loaded.
    Position: Specifies the position of a stroke effect as Outside, Inside, or Center.
    Range: Controls which portion or range of the glow is targeted for the contour.
    Size: Specifies the radius and size of blur or the size of the shadow.
    Soften: Blurs the results of shading to reduce unwanted artifacts.
    Source: Specifies the source for an inner glow. Choose Center to apply a glow that emanates from the center of the layer’s content, or Edge to apply a glow that emanates from the inside edges of the layer’s content.
    Spread: Expands the boundaries of the matte prior to blurring.
    Style: Specifies the style of a bevel: Inner Bevel creates a bevel on the inside edges of the layer contents; Outer Bevel creates a bevel on the outside edges of the layer contents; Emboss simulates the effect of embossing the layer contents against the underlying layers; Pillow Emboss simulates the effect of stamping the edges of the layer contents into the underlying layers; and Stroke Emboss confines embossing to the boundaries of a stroke effect applied to the layer. (The Stroke Emboss effect is not visible if no stroke is applied to the layer.)
    Technique: Smooth, Chisel Hard, and Chisel Soft are available for bevel and emboss effects; Softer and Precise apply to Inner Glow and Outer Glow effects.
    Smooth: Blurs the edges of a matte slightly and is useful for all types of mattes, whether their edges are soft or hard. It does not preserve detailed features at larger sizes.
    Chisel Hard: Uses a distance measurement technique and is primarily useful on hard-edged mattes from anti-aliased shapes such as type. It preserves detailed features better than the Smooth technique.
    Chisel Soft: Uses a modified distance measurement technique and, although not as accurate as Chisel Hard, is more useful on a larger range of mattes. It preserves features better than the Smooth technique.
    Softer: Applies a blur and is useful on all types of mattes, whether their edges are soft or hard. At larger sizes, Softer does not preserve detailed features.
    Precise: Uses a distance measurement technique to create a glow and is primarily useful on hard-edged mattes from anti-aliased shapes such as type. It preserves features better than the Softer technique.
    Texture: Applies a texture. Use Scale to scale the size of the texture. Select Link With Layer if you want the texture to move along with the layer as the layer moves. Invert inverts the texture. Depth varies the degree and direction (up/down) to which the texturing is applied. Snap To Origin makes the origin of the pattern the same as the origin of the document (if Link With Layer is deselected) or places the origin in the upper-left corner of the layer (if Link With Layer is selected). Drag the texture to position it in the layer.

  • Radius authentication for the browser-based webtop

    Hiya all,
    With the help of the radius-authentication module for apache (http://www.freeradius.org/mod_auth_radius/) and web-authentication it is possible to use radius-authentication for the classic-webtop. Has anyone got Radius authentication working for the browser-based webtop?
    SSGD version:
    Sun Secure Global Desktop Software for Intel Solaris 10+ (4.30.915)
    Architecture code: i3so0510
    This host: SunOS sgd1.<removed> 5.10 Generic_118855-36 i86pc i386 i86pc
    I have the radius-module running for authentication of a single directory with the apache-config-lines:
    SetEnvIf Request_URI "\.(cab|jar|gif|der)$" sgd_noauth_ok
    <LocationMatch "/secure">
    Order Allow,Deny
    Allow from env=sgd_noauth_ok
    AuthName "Radius authentication for SGD"
    Authtype Basic
    AuthRadiusAuthoritative on
    AuthRadiusCookieValid 540
    AuthRadiusActive On
    Require valid-user
    Satisfy any
    </LocationMatch>
    When changing the line <LocationMatch "/secure"> to <LocationMatch "/sgd"> the browser asks for a authentication and then a 'Not Found' page is being displayed.
    When using the config-lines from http://docs.sun.com/source/819-6255/webauth_config_browser.html the login-page is being displayed normally and SSGD works.
    The main difference I can find between the location /secure and /sgd is: /secure is a simple directory and /sgd is a JkMount to Tomcat.
    Changing the JkLogLevel to debug gives the following info in the JkLogFile:
    Radius authentication:
    [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (449): Attempting to map URI '/sgd' from 5 maps
    [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/examples/*'
    [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/axis/*'
    [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/sgd/*'
    [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/axis'
    [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/sgd'
    [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (486): Found an exact match tta -> /sgd
    With the password-authentication file:
    [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (449): Attempting to map URI '/sgd/' from 5 maps
    [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/examples/*'
    [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/axis/*'
    [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/sgd/*'
    [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (475): Found a wildchar match tta -> /sgd/*
    [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_get_worker_for_name::jk_worker.c (111): found a worker tta
    [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_maintain::jk_worker.c (301): Maintaining worker axis
    [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_maintain::jk_worker.c (301): Maintaining worker tta
    [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_maintain::jk_worker.c (301): Maintaining worker examples
    It seems that the JkMount is not being evaluated correctly after using the radius-authentication.
    Any help will be useful since I have already been stuck on this problem for a couple of days :(
    Thanks,
    Remold | Everett

    I got response from the Fat Bloke on the mailing list.
    Adding the following line in the apache httpd.conf seems to help and resolved my problem:
    Alias /sgd "/opt/tarantella/webserver/tomcat/5.0.28_axis1.2final_jk1.2.8/webapps/sgd"
    Thanks The Fat Bloke !!
    - Remold
    These instructions are for a 4.2 SGD installation using SGD's third
    party web authentication with mod_auth_radius.so (www.freeradius.org).
    With 4.2 Sun didn't distribute enough of the Apache configured tree
    to enable the use of axps to build the mod_auth_radius module, 4.3 is
    better - Sun now install a modified axps and include files, I haven't
    tried this with 4.3 yet though.
    I built the mod_auth_radius module for Apache 1.3.33 (shipped with 4.2)
    So, this is how we got this working with Radius (tested with SBR
    server and freeradius.org server.)
    Install SGD in the usual way.
    Enable 3rd party authentication:
    According to:
    http://docs.sun.com/source/819-4309-10/en-us/base/standard/webauth_config_browser.html
    Configure the Tomcat component of the Secure Global Desktop Web Server to
    trust the web server authentication. On each array member, edit the
    /opt/tarantella/webserver/tomcat/version/conf/server.xml file. Add the
    following attribute to the connector element (<Connector>) for the
    Coyote/JK2 AJP 1.3 Connector:
    tomcatAuthentication="false"
    # cat /opt/tarantella/webserver/tomcat/5.0.28_axis1.2final_jk1.2.8/conf/server.xml
    <!-- Define a Coyote/JK2 AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" minProcessors="5" maxProcessors="75"
    tomcatAuthentication="false"
    enableLookups="true" redirectPort="8443"
    acceptCount="10" debug="0" connectionTimeout="0"
    useURIValidationHack="false"
    protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"/>
    "By default, for security reasons, Secure Global Desktop
    Administrators can't log in to the browser-based webtop with web server
    authentication. The standard login page always displays for these users even
    if they have been authenticated by the web server. To change this behavior,
    run the following command:"
    # tarantella config edit --tarantella-config-login-thirdparty-allowadmins 1
    Without this, after authenticating via webauth, the user will be prompted for a
    second username and password combination.
    # /opt/tarantella/bin/tarantella objectmanager &
    # /opt/tarantella/bin/tarantella arraymanager &
    In Array Manager:
    Select "Secure Global Desktop Login" on left side and click "Properties" at bottom
    Under "Secure Global Desktop Login Properties"
    cd /opt/tarantella/webserver/apache/1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/conf
    edit httpd.conf:
    ### For SGD Apache based authentication
    Include conf/httpd4radius.conf
    at the end of httpd.conf add:
    Alias /sgd "/opt/tarantella/webserver/tomcat/5.0.28_axis1.2final_jk1.2.8/webapps/sgd"
    # cat httpd4radius.conf
    LoadModule radius_auth_module libexec/mod_auth_radius.so
    AddModule mod_auth_radius.c
    # Add to the BOTTOM of httpd.conf
    # If we're using mod_auth_radius, then add its specific
    # configuration options.
    <IfModule mod_auth_radius.c>
    # AddRadiusAuth server[:port] <shared-secret> [ timeout [ : retries ]]
    # Use the host 'radiusserver' on port 1812 with secret 'testing123',
    # time out after 5 seconds, and retry 3 times.
    AddRadiusAuth radiusserver:1812 testing123 5:3
    # AuthRadiusBindAddress <hostname/ip-address>
    # Bind client (local) socket to this local IP address.
    # The server will then see RADIUS client requests will come from
    # the given IP address.
    # By default, the module does not bind to any particular address,
    # and the operating system chooses the address to use.
    # AddRadiusCookieValid <minutes-for-which-cookie-is-valid>
    # the special value of 0 (zero) means the cookie is valid forever.
    AddRadiusCookieValid 5
    </IfModule>
    <LocationMatch /radius >
    Order Allow,Deny
    AuthType Basic
    AuthName "RADIUS Authentication"
    AuthAuthoritative off
    AuthRadiusAuthoritative on
    AuthRadiusCookieValid 5
    AuthRadiusActive On
    Require valid-user
    Satisfy any
    </LocationMatch>
    SetEnvIf Request_URI "\.(cab|jar|gif|der)$" sgd_noauth_ok
    <LocationMatch /sgd >
    Order Allow,Deny
    Allow from env=sgd_noauth_ok
    AuthType Basic
    AuthName "RADIUS Authentication"
    AuthAuthoritative off
    AuthRadiusAuthoritative on
    AuthRadiusCookieValid 5
    AuthRadiusActive On
    Require valid-user
    Satisfy any
    </LocationMatch>
    Put appropriate mod_auth_radius.so into
    /opt/tarantella/webserver/apache/1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/libexec
    # mkdir /opt/tarantella/webserver/apache/1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/htdocs/radius/
    # cat /opt/tarantella/webserver/apache/1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/htdocs/htpasswd/index.html
    <HTML>
    <HEAD>
    <TITLE> Test Page for RADIUS authentication </TITLE>
    </HEAD>
    <BODY>
    <B> You have reached the test page for RADIUS authentication.
    </BODY>
    </HTML>
    I hope this helps!
    -FB

  • RADIUS Authentication for PI 2.1 with Windows Server 2008 (Windows NPS)

    Hello Community,
    can someone please provide a step-by-step guide (or at least the VSA part) for RADIUS configuration on a Windows 2008 R2 server for Prime Infrastructure 2.1 please?
    We already tried several setups with guides for PI 1.4 without success. The NPS itself authenticates and grants access, but on PI the login always fails.
    Thank you in advance,
    Benjamin

    I'm having the same issue and have a few questions/comments.
    I can get root/admin access working via NPS/radius by just telling NPS to send PI the NCS:role0=Root (or Admin) and NCS:virtual-domain0=ROOT-DOMAIN radius attributes.
    But I also have some users who I just want to give read only access. I cannot seem to get this to work. At first I configured NPS to send PI the NCS:role0=Monitor Lite and NCS:virtual-domain0=ROOT_DOMAIN attributes. A user could login, but would immediately get a "You do not have access to the page Monitoring Dashboards" error. Not to mention almost nothing shows in the menu. So I tried adding all of the individual tasks related to the "Monitor Lite" role into the radius policy:
    NCS:role0=Monitor Lite
    NCS:task0=Services Menu Access
    NCS:task1=Alarm Stat Panel Access
    NCS:task2=Automated Feedback
    NCS:task3=Monitor Menu Access
    NCS:task4=Theme Changer Access
    NCS:task5=Maps Read Only
    NCS:task6=Help Menu Access
    NCS:task7=License Check
    NCS:task8=Rogue Location
    NCS:task9=Reports Menu Access
    NCS:task10=Monitor Tags
    NCS:task11=Alarm Browser Access
    NCS:task12=Configure Menu Access
    NCS:task13=Search Access
    NCS:task14=Tools Menu Access
    NCS:task15=Administration Menu Access
    NCS:task16=Monitor Clients
    NCS:task17=Home Menu Access
    NCS:task18=Client Location
    NCS:task19=OnlineHelp
    NCS:task20=TAC Case Management Tool
    but I'm not having any luck.  The NPS radius logs always show success, but the read-only users always get the same error and almost nothing visible in the menus.
    Has anyone successfully configured radius with something other than Admin or Root privileges?
    Thanks!

  • Cisco ISE throws "11036 The Message-Authenticator RADIUS attribute is invalid "

    Hello,
    I am trying to authenticate my server (running an NMS) with a Cisco ISE with the EAP-TLS protocol.
    I am seeing "11036 The Message-Authenticator RADIUS attribute is invalid " in the ISE when the ACCESS-REQUEST is sent from the NMS server to ISE. The RADIUS shared secret key is the same in both the NMS server and the ISE server.
    Are there some Java samples for the Message-Authenticator attribute which I can refer to? I think I am missing something in the Message-Authenticator attribute.
    Any pointers or suggestions to overcome this?

    To login to Prime GUI, the authentication will be done by ISE.
    The flow goes like this, Admins will login to Prime GUI with default username/pwd and add the RADIUS/ISE details to it which will be used by prime for authentication/authorization.
    Once its done, any other user who tries to login to Prime GUI with their own credentials will be validated against the Identity details in ISE. So even to login to Prime GUI, authentication should be successful in ISE.
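
The question in this thread asks for a sample of the Message-Authenticator attribute. The following Python sketch is an added example, not code from the thread or from Cisco: it signs and verifies an Access-Request the way RFC 3579 specifies (HMAC-MD5 over the whole packet, keyed with the shared secret, with the attribute's 16 value octets set to zero during the computation). The shared secret, user name and EAP payload are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME = 1
EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
MAC_LEN = 16     # HMAC-MD5 output size


def encode_attr(attr_type, value):
    """Encode one attribute as Type, Length, Value (Length covers all three)."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, identifier, request_authenticator, attrs):
    """Return a signed Access-Request: attrs plus Message-Authenticator."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    # Append the attribute with an all-zero value first, so the HMAC covers
    # the final Length field and the zeroed placeholder.
    body += encode_attr(MESSAGE_AUTHENTICATOR, bytes(MAC_LEN))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    packet = bytearray(header + request_authenticator + body)
    packet[-MAC_LEN:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def message_authenticator_offset(packet):
    """Walk the attributes; return the offset of the 16-octet value, or None."""
    offset, pos = None, HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("attribute length out of bounds")
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != MAC_LEN + 2 or offset is not None:
                raise ValueError("malformed or repeated Message-Authenticator")
            offset = pos + 2
        pos += attr_len
    return offset


def verify_access_request(secret, packet):
    """True only if the request carries a valid Message-Authenticator."""
    if len(packet) < HEADER_LEN:
        return False
    declared = int.from_bytes(packet[2:4], "big")
    if declared < HEADER_LEN or declared > len(packet):
        return False
    packet = packet[:declared]  # octets past Length are padding, not signed
    try:
        offset = message_authenticator_offset(packet)
    except ValueError:
        return False
    if offset is None:
        return False  # requests carrying EAP-Message must be signed
    received = packet[offset:offset + MAC_LEN]
    zeroed = packet[:offset] + bytes(MAC_LEN) + packet[offset + MAC_LEN:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def demo():
    secret = b"constructed-shared-secret"  # constructed sample value
    identity = b"nms-server"               # constructed sample value
    # EAP-Response/Identity: Code=2, Identifier=1, Length, Type=1, data
    eap = struct.pack("!BBHB", 2, 1, 5 + len(identity), 1) + identity
    # Fixed authenticator keeps the sample reproducible; real clients use
    # 16 fresh random octets (os.urandom(16)) for every request.
    packet = build_access_request(secret, 7, bytes(range(16)),
                                  [(USER_NAME, identity), (EAP_MESSAGE, eap)])
    # Frequent client mistake: the HMAC is computed before the attribute is
    # appended, so neither the final Length nor the placeholder is covered.
    short = bytearray(packet[:-(MAC_LEN + 2)])
    short[2:4] = struct.pack("!H", len(short))
    wrong_mac = hmac.new(secret, bytes(short), hashlib.md5).digest()
    signed_before_append = packet[:-MAC_LEN] + wrong_mac
    tampered = packet[:22] + b"X" + packet[23:]  # first User-Name octet changed
    return {
        "valid": verify_access_request(secret, packet),
        "wrong_secret": verify_access_request(b"other-secret", packet),
        "signed_before_append": verify_access_request(secret, signed_before_append),
        "tampered_user_name": verify_access_request(secret, tampered),
    }


if __name__ == "__main__":
    print(demo())
```

For Access-Accept, Access-Reject and Access-Challenge the same HMAC is computed with the Request Authenticator of the matching request placed in the Authenticator field; this example covers the request direction only.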

  • ACS 5.1 RADIUS Proxy - Adding RADIUS attributes

    Is there anyway under ACS 5.1 to add RADIUS attributes to outgoing RADIUS proxy auth requests or failing this to RADIUS proxy accounting updates?
    As soon as I configure a RADIUS proxy services, there is little config I can do other than to say whether or not the prefix and suffix is to be stripped.
    I can add these attributes if using an external RADIUS box as an identity store, but I cannot do this for this particular service and instead I need to use RADIUS proxying.
    Thanks
    Paul

    Hi Steve,
    The shared secret is 100% correct.
    Finally I find out that there may be some white lists for attributes.
    If I keep NAS-Identifier , it will work.
    But it can't pass all VSA (3GPP sub-attributes) , it only shows one or three in BOTH ACS and RADIUS Server.
    The other is the RADIUS VSA User Define Options (which is in SA > C > D > P > RADIUS > RADIUS VSA > Edit ) .
    When 'Vendor Length Field Size' changes to 0, all sub-attributes pass through ACS.
    The RADIUS Server gets the message from NSA.
    Of course, there is the Proxy-State attribute.
    In this condition, the ACS has incorrect output in the sub-attribute.
    Now I will try 5.2 to see whether the problem exists or not.
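
The reply above turns on how sub-attributes inside a Vendor-Specific attribute are framed. As an added illustration (not code from the thread or from ACS), this Python parser decodes attribute 26 per RFC 2865 with a configurable vendor type and length field size and shows what a receiver sees when that setting does not match the sender's layout. The 3GPP sub-attribute values are constructed, and treating a length size of 0 as "the value runs to the end of the attribute" is an assumption of this example, not a statement about ACS.

```python
import struct

VENDOR_SPECIFIC = 26
VENDOR_3GPP = 10415  # IANA enterprise number for 3GPP


def encode_vsa(vendor_id, subattrs):
    """Encode attribute 26 in the layout RFC 2865 recommends: 1-octet vendor
    type, 1-octet vendor length (which counts its own 2-octet header)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in subattrs)
    value = struct.pack("!I", vendor_id) + body
    if len(value) > 253:
        raise ValueError("sub-attributes do not fit in one attribute")
    return struct.pack("!BB", VENDOR_SPECIFIC, len(value) + 2) + value


def parse_vsa(attr, type_size=1, length_size=1):
    """Return (vendor_id, [(vendor_type, value), ...]) for one attribute 26.

    type_size/length_size are the widths in octets of the vendor type and
    vendor length fields. Assumption: the vendor length counts the
    sub-attribute's own header, and length_size=0 means the value runs to
    the end of the attribute.
    """
    if type_size not in (1, 2, 4) or length_size not in (0, 1, 2):
        raise ValueError("unsupported field size")
    if len(attr) < 6 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    data, header = attr[6:], type_size + length_size
    subattrs, pos = [], 0
    while pos < len(data):
        if pos + header > len(data):
            raise ValueError("truncated sub-attribute header")
        vtype = int.from_bytes(data[pos:pos + type_size], "big")
        if length_size == 0:
            end = len(data)
        else:
            vlen = int.from_bytes(data[pos + type_size:pos + header], "big")
            if vlen < header or pos + vlen > len(data):
                raise ValueError("bad sub-attribute length")
            end = pos + vlen
        subattrs.append((vtype, data[pos + header:end]))
        pos = end
    return vendor_id, subattrs


def sample_vsa():
    """One 3GPP VSA holding three sub-attributes (constructed values)."""
    return encode_vsa(VENDOR_3GPP, [(1, b"001010123456789"),
                                    (8, b"00101"),
                                    (10, b"5")])


def compare_layouts():
    """Parse the same octets under three different field-size settings."""
    attr = sample_vsa()
    results = {"type1_len1": parse_vsa(attr, 1, 1)[1],
               "type1_len0": parse_vsa(attr, 1, 0)[1]}
    try:
        results["type1_len2"] = parse_vsa(attr, 1, 2)[1]
    except ValueError as exc:
        results["type1_len2"] = "rejected: %s" % exc
    return results


if __name__ == "__main__":
    for layout, parsed in compare_layouts().items():
        print(layout, parsed)
```

With the matching layout the three sub-attributes come out separately; with a length size of 0 the same octets decode as a single sub-attribute whose value begins with the sender's length octet and swallows the remaining sub-attributes.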

  • Cisco 5508-WLC using MS NPS as RADIUS Server for EAP-TLS

    Has anyone experienced a problem getting a Cisco WLC to work with MS NPS server? We've done it before albeit with different code versions.
    I have a Cisco 5508 WLC running 7.0.116.0 code hosting a WLAN configured for WPA2 with 802.1x for authentication.  I have two Windows NPS servers configured as the RADIUS servers for EAP-TLS authentication. Via debug info on the WLC I can see the 802.1x handshake take place with the wireless client and the WLC as well as a successful transmission of an Authentication Packet from the WLC to one of the RADIUS servers. However on the WLC I see repeated RADIUS server x.x.x.x:1812 deactivated in global list and on the NPS server I'm seeing event log errors indicating "The Network Policy Server discarded the request for a user"  along with the pertinent auth request info that I would expect the NPS server to receive from the WLC.
    Based on the WLC debug info I'm never actually getting to the EAP-TLS certificate authentication part. It seems the NPS servers don't like the format of the initial RADIUS authentication request coming from the WLC and so don't respond, which in turn causes the WLC to switch to the other NPS server, which produces the same issue.
    Any ideas of what might be the issue or misconfiguration?

    Jim,
    I wanted to know if you can set up Wireshark on both of the boxes and see if you are hitting the following bug:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCti91044
    It looks as if the WLC is retransmitting the client traffic from one radius session with primary over to the secondary in which the radius state attribute that was assigned from the primary server is probably hitting the secondary server. Therefore if the state attribute isn't assigned from the secondary server it will discard the packet.
    May need to open a TAC case to see if this issue is on the 550x controllers also.
    Thanks,
    Tarik
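One way to check a capture for the condition described in the reply above, added here as an example (not code from the thread or from Cisco): it flags any Access-Request that carries a State value the receiving server never issued in an Access-Challenge. The function names, the `(server_ip, raw_packet)` capture format and the sample packets are assumptions made for the illustration.

```python
import struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11  # RFC 2865 packet codes
USER_NAME, STATE = 1, 24                  # RFC 2865 attribute types


def build(code, ident, attrs):
    """Build a RADIUS packet with a zeroed authenticator (constructed data only)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH16s", code, ident, 20 + len(body), b"\0" * 16) + body


def attributes(packet):
    """Yield (type, value) for each attribute, rejecting malformed lengths."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def foreign_state_requests(capture):
    """capture: time-ordered (server_ip, raw_packet) pairs, both directions.
    Returns (server_ip, identifier) for each request with a State that server never issued."""
    issued, findings = {}, []  # issued: server_ip -> State values it has sent
    for server, pkt in capture:
        code, ident = pkt[0], pkt[1]
        states = [v for t, v in attributes(pkt) if t == STATE]
        if code == ACCESS_CHALLENGE:
            issued.setdefault(server, set()).update(states)
        elif code == ACCESS_REQUEST:
            if any(s not in issued.get(server, set()) for s in states):
                findings.append((server, ident))
    return findings


# Constructed capture: primary 192.0.2.10 issues a State, then the NAS fails over
# to secondary 192.0.2.11 and replays that State there.
STATE_A = b"\xaa\xbb\xcc\xdd"
CAPTURE = [
    ("192.0.2.10", build(ACCESS_REQUEST, 1, [(USER_NAME, b"client")])),
    ("192.0.2.10", build(ACCESS_CHALLENGE, 1, [(STATE, STATE_A)])),
    ("192.0.2.10", build(ACCESS_REQUEST, 2, [(USER_NAME, b"client"), (STATE, STATE_A)])),
    ("192.0.2.11", build(ACCESS_REQUEST, 3, [(USER_NAME, b"client"), (STATE, STATE_A)])),
]
```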

  • Cannot get SG300 switch to send RADIUS messages for 802.1x

    I want to eventually configure the SG300 to authenticate wired clients with 802.1x and Microsoft NPS (RADIUS). I am currently testing this setup using a single port (Port 7) on my SG300, a test machine, and an AD based Network Policy Server.
    The problem I have is that when I change the Administrative Port Control for Port 7 to Force Authorized, I see this log entry:
    Informational %SEC-I-PORTAUTHORIZED: Port gi7 is Authorized
    And then when I change the port control to Auto the port immediately changes to Unauthorized and I see this log entry:
    Warning %SEC-W-PORTUNAUTHORIZED: Port gi7 is unAuthorized
    However I never see any RADIUS messages being sent from the SG300 to my RADIUS server or from the SG300 to the test machine plugged into port 7. I am using WireShark on my RADIUS server to watch for messages from the SG300 IP Address and I'm using WireShark on a second test machine that is configured to monitor the NIC card in the test machine plugged into port 7 (I'm using Hyper-V and its facilities for this NIC monitoring setup.)
    Here is my configuration:
    Switch - 10.1.1.3
    RADIUS (Microsoft NPS)- 10.1.1.15
    Switch Usage Type - All (Login and 802.1x)
    Port 7 configuration:
    VLAN Mode is General
    Host Authentication is Single Host Authentication
    Administrative Port Control is Auto
    RADIUS VLAN Assignment is Disabled
    Guest VLAN is Enabled
    802.1x Based Authentication is Enabled
    Additional Configurations under Security - 802.1x/MAC/Web Authentication:
    Port Based Authentication is Enabled
    Authentication Method is RADIUS
    Guest VLAN is Enabled
    Guest VLAN ID is 2
    All of my VLANs are enabled for Authentication
    I've got to be missing something but I do not know what that something is.
    One last note:
    The SG300 uses the same RADIUS server for management console access and it works without problem. When I log into the switch, WireShark shows the RADIUS messages from the switch to the RADIUS server and back. So I know RADIUS is configured correctly on the switch.

    Hi,
    This is my working configuration where port gi3 has DVA configured as well. You might skip port gi3 but please compare to your config:
    interface  gi3
    dot1x host-mode multi-sessions
    exit
    vlan database
    vlan 30,100
    exit
    interface vlan 100
    dot1x guest-vlan
    exit
    dot1x system-auth-control
    interface range gi1,gi3
    dot1x reauthentication
    exit
    interface range gi1,gi3
    dot1x mac-authentication mac-only
    exit
    interface  gi3
    dot1x radius-attributes vlan
    exit
    interface range gi1,gi3
    dot1x guest-vlan enable
    exit
    interface gigabitethernet1
    dot1x port-control auto
    exit
    interface gigabitethernet3
    dot1x port-control auto
    exit
    radius-server host 192.168.1.122 priority 1
    radius-server key testing123
    aaa authentication dot1x default radius
    switch3ba5e1#
    Regards,
    Aleksandra

  • NAC guest server with RADIUS authentication for guests issue.

    Hi all,
    We have just finally successfully installed our Cisco NAC guest server. We have version 2 of the server and basically the topology consists of a wism at the core of the network and a 4402 controller at the dmz, then out the firewall, no issues with that. We do however have a few problems: how can we provide access through a proxy without using pak files obviously, and is there a way to specify different proxies for different guest traffic, based on IP or a radius attribute etc.?
    The second problem is more serious; refer to the documentation below from the configuration guide for guest nac server v2. It states that hotspots can be used and the Authentication option would allow radius authentication for guests. I’ve been told otherwise by Cisco and they say it can’t be done. Has anyone got radius authentication working for guests?
    https://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_hotspots.html
    -----START QUOTE-----
    Step 7 From the Operation mode dropdown menu, you can select one of the following methods of operation:
    •Payment Provider—This option allows your page to integrate with a payment providing billing system. You need to select a predefined Payment Provider from the dropdown. (Refer to Configuring Payment Providers for details.) Select the relevant payment provider and proceed to Step 8.
    •Self Service—This option allows guest self service. After selection proceed to Step 8.
    •Authentication—This option allows RADIUS authentication for guests. Proceed to Step 9.
    ----- END QUOTE-----
    Your help is much appreciated on this, I’ve been looking forward to this project for a long time and it’s a bit of an anti climax that I can’t authenticate guests with radius (We use ACS and I was hoping to hook radius into an ODBC database we have setup called open galaxy)
    Regards
    Kevin Woodhouse

    Well I will try to answer your 2nd question.... will it work... yes.  It is like any other radius server (high end:))  But why would you do this for guest.... there is no reason to open up a port on your FW and to add guest accounts to and worse... add them in AD.  Your guest anchor can supply a web-auth, is able to have a lobby admin account to create guest accounts and if you look at it, it leaves everything in the DMZ.
    Now if you are looking at the self service.... what does that really give you.... you won't be able to control who gets on, people will use bogus info and last but not least.... I have never gotten that to work right.  Had the BU send me codes that never worked, but again... that was like a year ago and maybe they fixed that.  That is my opinion.

  • RADIUS Authentication for Enable PW

    Hi Everyone,
    I have my RADIUS authentication working for login passwords but not for the enable password. My config is below;
    aaa new-model
    aaa authentication login default group radius local
    aaa accounting network default start-stop group radius
    When I add the command;
    aaa authentication enable default group radius enable
    I would expect it to allow me to enter my RADIUS pw for the enable one too, but it doesn't. Nor does it allow me to enter the locally configured one?
    Any help would be great,
    Thanks,
    Dan

    Thanks for your reply Rick,
    The debug output is below;
    L2-SW01>
    00:03:02: RADIUS: Authenticating using $enab15$
    00:03:02: RADIUS: ustruct sharecount=1
    00:03:02: RADIUS: Initial Transmit tty0 id 3 x.x.x.x:1812, Access-Request,
    len 72
    00:03:02: Attribute 4 6 AC14024F
    00:03:02: Attribute 5 6 00000000
    00:03:02: Attribute 61 6 00000000
    00:03:02: Attribute 1 10 24656E61
    00:03:02: Attribute 2 18 524FB069
    00:03:02: Attribute 6 6 00000006
    00:03:02: RADIUS: Received from id 3
    x.x.x.x:1812, Access-Reject, len 20
    00:03:02: RADIUS: saved authorization data for user E49424 at 93C6DC
    L2-SW01>
    L2-SW01>
    I am using IAS for RADIUS authentication and I cannot find any option to say "allow enable access".
    Any ideas?
    Cheers,
    Dan
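Decoding the attribute lines of the debug trace above, added here as an example (not part of the original posts): it shows that the enable request carries a User-Name starting with "$ena" (the `$enab15$` named in the first trace line) and Service-Type Administrative, and that the attribute lengths add up to the reported `len 72`. Attribute names and values follow RFC 2865; the function name is an assumption and the trace text is embedded as sample input.

```python
import ipaddress
import re

# Constructed input: the Access-Request lines copied from the debug trace above.
DEBUG = """\
00:03:02: RADIUS: Initial Transmit tty0 id 3 x.x.x.x:1812, Access-Request,
len 72
00:03:02: Attribute 4 6 AC14024F
00:03:02: Attribute 5 6 00000000
00:03:02: Attribute 61 6 00000000
00:03:02: Attribute 1 10 24656E61
00:03:02: Attribute 2 18 524FB069
00:03:02: Attribute 6 6 00000006
"""

# RFC 2865 names for the attribute types and enumerated values seen in the trace.
NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
         5: "NAS-Port", 6: "Service-Type", 61: "NAS-Port-Type"}
SERVICE_TYPE = {1: "Login", 2: "Framed", 6: "Administrative", 7: "NAS-Prompt"}
NAS_PORT_TYPE = {0: "Async", 5: "Virtual", 15: "Ethernet"}
ATTR_RE = re.compile(r"Attribute (\d+) (\d+) ([0-9A-Fa-f]{8})\s*$")


def decode_trace(text):
    """Return ([(name, value_length, decoded)], packet_length_from_attributes)."""
    attrs, total = [], 20  # 20 bytes: code, identifier, length, authenticator
    for line in text.splitlines():
        m = ATTR_RE.search(line)
        if not m:
            continue
        atype, alen, raw = int(m[1]), int(m[2]), bytes.fromhex(m[3])
        total += alen  # the printed length includes the 2-byte type/length header
        number = int.from_bytes(raw, "big")
        if atype == 4:
            value = str(ipaddress.IPv4Address(raw))
        elif atype == 6:
            value = SERVICE_TYPE.get(number, str(number))
        elif atype == 61:
            value = NAS_PORT_TYPE.get(number, str(number))
        elif atype == 1:
            # The trace prints 4 value bytes even though the length says 8.
            value = raw.decode("ascii", "replace") + ("..." if alen - 2 > 4 else "")
        elif atype == 2:
            value = "<hidden>"  # obfuscated password bytes, not decoded here
        else:
            value = str(number)
        attrs.append((NAMES.get(atype, str(atype)), alen - 2, value))
    return attrs, total
```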
