Radius-Authentication / Cisco 2600 fails MiscError -1642

Similar Messages

• Radius Authentication Cisco Switch

  Hi,
  I have a cisco 2960 switch and currently trying to setup radius authentication. My microsoft guy does the server side we have matching keys and he says there is no problem on his side, but we still canno get it to work.
  Config on switch
  aaa new-model
  aaa authentication login default group radius local
  radius-server host 10.0.0.13 auth-port 1812
  radius-server key 0 test
  line vty 0 4
  login authentication default
  switch and radius server are on the same network. I have done a debug and confused on the output. Can anyone point me in the right direction.
  I have done a debug aaa authentication and debug radius
  AccessSwitch#
  RADIUS/ENCODE(00001586):Orig. component type = Exec
  RADIUS:  AAA Unsupported Attr: interface         [221] 4   92269176
  RADIUS/ENCODE(00001586): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
  RADIUS(00001586): Config NAS IP: 0.0.0.0
  RADIUS(00001586): Config NAS IPv6: ::
  RADIUS/ENCODE(00001586): acct_session_id: 20
  RADIUS(00001586): sending
  RADIUS/ENCODE: Best Local IP-Address 10.0.0.56 for Radius-Server 10.0.0.13
  RADIUS(00001586): Sending a IPv4 Radius Packet
  RADIUS(00001586): Send Access-Request to 10.0.0.13:1812 id 1645/18,len 77
  RADIUS:  authenticator 7C B1 A0 55 62 45 7B AF - F2 E2 48 4C C3 F0 72 98
  RADIUS:  User-Name           [1]   15  "james.hoggard"
  RADIUS:  User-Password       [2]   18  *
  RADIUS:  NAS-Port            [5]   6   2
  RADIUS:  NAS-Port-Id         [87]  6   "tty2"
  RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
  RADIUS:  NAS-IP-Address      [4]   6   10.0.0.56
  RADIUS(00001586): Started 5 sec timeout
  RADIUS: Received from id 1645/18 10.0.0.13:1812, Access-Reject, len 20
  RADIUS:  authenticator 80 CE C9 C2 D6 30 65 A9 - 07 D8 12 4C 9E 80 A9 3C
  RADIUS(00001586): Received from id 1645/18
  AAA/AUTHEN/LOGIN (00001586): Pick method list 'default'
  RADIUS/ENCODE(00001586): ask "Password: "
  RADIUS/ENCODE(00001586): send packet; GET_PASSWORD
  Thanks
  James.

  yes, PAP always use plain text and that doesn't provide any kind of security.  However, administrative session with radius doesn't support chap/mschap.we can't configure firewall/IOS devices for aministration session like telnet/ssh to authenticate users on mschapv2 authentication method.
  If you need secure communication then you may implement TACACS.
  TACACS+ and RADIUS use a shared secret key to provide encryption for communication between the client and the server. RADIUS encrypts the user's password when the client made a request to the server. This encryption prevents someone from sniffing the user's password using a packet analyzer. However other information such as username and services that is being performed can be analyzed. TACACS+ encrypts not just only the entire payload when communicating, but it also encrypts the user's password between the client and the server. This makes it more difficult to decipher information about the communication between the client and the server. TACACS+ uses MD5 hash function in its encryption and decryption algorithm.
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• Local Radius Authentication - Fails

  Hello all,
  Access Point 1230AG (c1200-k9w7-mx.123-2.JA)
  Client Adapter ABG (PCI)
  I am new to Wireless Lan configuration with Aironet products (first project). I am configuring an Access Point for a small LAN and i can not get local radius authentication working. The password always fails if I try:
  test aaa group radius xxxxx port 1812 new-code
  although the password is matching..........
  another thing is that in the configuration, it always defaults to 'nthash' mode. is this normal? in other words if i type:
  radius-server local
  user dgarnett password xxxx
  when i do a 'show run' it displays as
  user xxxx
  I also get the following during a debug:
  There is no RADIUS DB Some Radius attributes may not be stored
  any help greatly appreciated
  ap#test aaa group radius dgarnett 123456789 port 1812 new-code
  Trying to authenticate with Servergroup radius
  User rejected
  ap#
  Feb 19 20:57:44.535: RADIUS(00000000): Config NAS IP: 10.14.14.14
  Feb 19 20:57:44.535: RADIUS(00000000): Config NAS IP: 10.14.14.14
  Feb 19 20:57:44.535: RADIUS(00000000): sending
  Feb 19 20:57:44.535: RADIUS(00000000): Send Access-Request to 10.14.14.14:1812 id 21645/14, len 64
  Feb 19 20:57:44.535: RADIUS: authenticator 9C C4 E8 64 80 8B 64 8A - E7 5F 0A 64 14 2F 5D B6
  Feb 19 20:57:44.536: RADIUS: User-Password [2] 18 *
  Feb 19 20:57:44.536: RADIUS: User-Name [1] 10 "dgarnett"
  Feb 19 20:57:44.536: RADIUS: Service-Type [6] 6 Login [1]
  Feb 19 20:57:44.536: RADIUS: NAS-IP-Address [4] 6 10.14.14.14
  Feb 19 20:57:44.536: RADIUS: Nas-Identifier [32] 4 "ap"
  Feb 19 20:57:44.537: RADSRV: Client dgarnett password failed
  Feb 19 20:57:44.537: RADIUS: Received from id 21645/14 10.14.14.14:1812, Access-Reject, len 88
  Feb 19 20:57:44.538: RADIUS: authenticator 3C B3 9A 7F 61 27 3A A6 - 84 39 B6 DF 22 DF 45 26
  Feb 19 20:57:44.538: RADIUS: State [24] 50
  Feb 19 20:57:44.538: RADIUS: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF [????????????????]
  Feb 19 20:57:44.539: RADIUS: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF [????????????????]
  Feb 19 20:57:44.539: RADIUS: 6B 7C 18 EA F0 20 A4 E5 B1 28 0E BD 57 61 24 9A [k|??? ???(??Wa$?]
  Feb 19 20:57:44.539: RADIUS: Message-Authenticato[80] 18 *
  Feb 19 20:57:44.539: RADIUS(00000000): Received from id 21645/14
  Feb 19 20:57:44.539: RADIUS(00000000): Unique id not in use
  Feb 19 20:57:44.540: RADIUS/DECODE(00000000): There is no RADIUS DB Some Radius attributes may not be stored

  Just as an update.......I set this up authenticating to an external (ACSNT) Radius server and it authenticates successfully. But still will not for the local dbase. My goal is to use the Corporate ACS as primary and the local as backup. I think my problem has to do with the Radius attributes 24 (State) and 80 (Message Auth). I also think that it points back to the NTHash stuff. Please advise as I am not new security practices and wireless, but I am new to Cisco Wireless networking.

• ASA , Cisco VPN client with RADIUS authentication

  Hi,
  I have configured ASA for Cisco VPN client with RADIUS authentication using Windows 2003 IAS.
  All seems to be working I get connected and authenticated. However even I use user name and password from Active Directory when connecting with Cisco VPN client I still have to provide these credentials once again when accessing domain resources.
  Should it work like this? Would it be possible to configure ASA/IAS/VPN client in such a way so I enter user name/password just once when connecting and getting access to domain resources straight away?
  Thank you.
  Kind regards,
  Alex

  Hi Alex,
  It is working as it should.
  You can enable the vpn client to start vpn before logon. That way you login to vpn and then logon to the domain. However, you are still entering credentials twice ( vpn and domain) but you have access to domain resources and profiles.
  thanks
  John

• Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance failed

  Hi,
  I've got a problem with Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance.
  ACS4.2 has been configured to use both internal and external database. It's been working fine for a couple or years.
  Recently we bought a Cisco 4710 ACE appliance. When I use ACS4.2 internal username and password to login the Cisco 4710 ACE appliance, I have no problem. I can also see the passed authentication log on ACS4.2. However, if I use AD username and password, I couldn't login in. The message is "Login incorrect". I checked the failed attempts log on the ACS4.2, there was no log regarding the failed attempt. My AD username and password works fine on all other cisco routers and switches.
  I've posted my AAA configuration of the 4710 ACE below. ACE is running on the latest version A4(1.1). Please help.
  tacacs-server key 7 "xxxxxxxxxxxxx"
  aaa group server tacacs+ tac_admin
    server xx.xx.xx.xx
  aaa authentication login default group tac_admin local
  aaa authentication login console group tac_admin local
  aaa accounting default group tac_admin

  Hi,
  Since the ACS is receiving the request.
  Could you please ensure that In ACE on every context (including Admin and other) you have  following strings:
  tacacs-server host x.x.x.x key 7 "xxx"
  aaa group server tacacs+  tac_admin
     server x.x.x.x
  aaa authentication login default group  tac_admin local
  aaa authentication login console group  tac_admin local 
  aaa accounting default group x.x.x.x
  On ACS side for group named "Network  Administrators" you should configure in TACACS settting:
  1. Shell  (exec) enable
  2. Privilege level 15
  3. Custom attributes:
             shell:Admin*Admin default-domain
      if you have additional  context add next line
            shell:mycontext*Admin  default-domain
  After  loging to ACE and issuing sh users command you should see following
  User             Context                                                                  Line     Login Time   (Location)        Role   Domain(s)   
  *adm-x        Admin                                                                    pts/0   Sep 21 12:24  (x.x.x.x)    Admin   default-domain
  Hope this helps.
  Regards,
  Anisha
  P.S.: please mark this thread as answered if you fee your query is resolved. Do rate helpful posts.

• Cisco ISE IPEP and Non Radius Authenticator

  Is it possible for a Juniper FW or Aruba Wireless or anything else that does native AD authentication can use an IPEP for policy enforcement without converting the authenticator (juniper / aruba etc…) to a Radius request to a PDP for the IPEP to build the session from?
  Does the IPEP simply "sniff" the packets and build a session from that or does it require RADIUS authentication to pass through for the IPEP to function?
  I believe RADIUS is required but the client said he was told it is not and the authenticator can pass the traffic through the IPEP even if it authenticates clients by Native AD.
  Anyone have any exmaples or traffic flows if this is possible?
  Thanks,
  Michael Wynston

  Got my answer and it is as I thought. The iPEP only works if it sees RADIUS requests to a PDP that then provides the iPEP with the policy to enforce.
  Have a client migrating from CCA which will natively check AD inline based on seen authentication requests. They were told (not by me) ISE can do that too.
  Guess not
  Sent from Cisco Technical Support iPhone App

• Cisco 3650 Converged LAN/WLAN Design: Radius Authentication configuration example needed

  Hello Cisco-Experts,
  one of our customers would like to deploy Cisco3650-switches with integrated WLC-functionality.
  The platform is new to me and I have started to configure some basic settings.
  Unfortunately I cannot find information on how to implement 802.1x Radius authentication.
  Do You know, where I can find detail information or an example how to implement this ?
  Thank You
  Wini

  Hello Rasika,
  thank You very much for link to Your 802.1x authentication configuration
  on similar 3850 platform.
  Very useful stuff.
  Is it possible to setup the Radius -Server function on the switch itself ?
  I'm asking because I would like to test the setup in our office before rollout to customer.
  Kind regards
  Wini

• Wlc 5508 radius authentication fail

  I am trying to setup a wireless lan for the first time using 5508, all is working to a point, until i try to setup client authentication using the following
  so settings are:
  Layer Wlan settings:
  Layer 2 security:WPA+WPA2
  AES
  Auth Key mgmt:802.1x
  We have the authentication server enabled:
  Ip an port are correct
  AAA overide not enabled
  Order for authentication, radius only
  Advanced: dafault settings
  Radius authentication servers:
  Call Station ID Type: IP address
  MAC Delimiter: Colon
  Network User
  Management
  Server Index
  Server Address
  Port
  IPSec
  Admin Status
  Server Index
  Server Address
  Shared Secret Format
                   ASCII                 Hex              
  Shared Secret
  Confirm Shared Secret
  Key Wrap
    (Designed for FIPS customers and requires a key wrap compliant RADIUS server)
  Port Number
  Server Status
                   Enabled                  Disabled              
  Support for RFC 3576
                   Enabled                  Disabled              
  Server Timeout
    seconds
  Network User
  Enable
  Management
  Enable
  IPSec
  Enable
  *radiusTransportThread: Dec 21 12:07:46.488: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server X.X.X.X:1812 failed to respond to request(ID 115) for STA 00:19:d2:b9:d5:e1 / user 'unknownUser'
  *radiusTransportThread: Dec 21 12:07:46.012: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server X.X.X.X:1812 failed to respond to request(ID 114) for STA 00:19:d2:b9:d5:e1 / user 'unknownUser'
  *Dot1x_NW_MsgTask_1: Dec 21 12:07:29.811: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3028 Max EAP identity request retries (3) exceeded for client 00:19:d2:b9:d5:e1
  *Dot1x_NW_MsgTask_1: Dec 21 12:07:29.811: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client 00:19:d2:b9:d5:e1
  *radiusTransportThread: Dec 21 12:07:16.412: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server X.X.X.X:1812 failed to respond to request(ID 113) for STA 00:19:d2:b9:d5:e1 / user 'unknownUser'
  *Dot1x_NW_MsgTask_1: Dec 21 12:06:59.741: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3028 Max EAP identity request retries (3) exceeded for client 00:19:d2:b9:d5:e1
  Radius server occasionally sees attempts from user "XXZZYY"

  Osvaldo,
  Your observation is correct and this should be documented on the WLC help tab if you search for keyword network user under radius auth.
  Quote:
  Network User—Network user authentication check box. If this option is enabled, this entry is considered as the network user RADIUS authenticating server entry. If you did not set the RADIUS server entry on the WLAN configuration (WLANs > Edit > Security > AAA Servers), you must enable this option for networkusers.
  Management—Management authentication check box. If this option is enabled, this entry is considered as the management RADIUS authenticating server entry. If you enable this option, authentication requests go to the RADIUS server
  AAA server defined on WLAN takes precedence over global.

• Cisco ACS 4.2 and Radius authentication?

  Hi,
  I have a Cisco ACS 4.2 installed and using it to authenticate users that log on to switches using TACACS+, when I use local password database, everything is working. But if i try to use external database authentication using a windows 2008 radius server, I have problem that I can only use PAP, not CHAP. Anyone who know if it's possible to use CHAP with external radius authentication?

  To access network devices for administrative purpose, we have only three methods available :
  [1] Telnet : Which uses PAP authentication protocol between client and the NAS device. So the communication between Client and NAS is unencrypted,  and when this information flows from NAS to IAS server gets encrypted using the shared secret key configured on device/IAS server.
  [2] SSH : Which uses  public-key cryptography for encrypting information between client and the NAS device, i.e, information sent between client 
  and NAS is fully secure. And the communication between NAS and IAS is encrypted using shared secret same as above. Good point on SSH side is that commincation channel is secure all the time.Again the authentication type would remain same that is PAP.
  [3] Console:Which is also the same it will not allow to use MSCHAP as there is no need to secure it as you laptop is connected directly to the NAS and then if you are using TACACS it will encrypt the payload .
  Summarizing, we cannot use CHAP, MS-CHAP, MS-CHAP V2 for communication between client and NAS device or administrative access.
  And the most secure way to administer a  device is to use SSH.
  Rgds, Jatin
  Do rate helpful post~

• Radius authentication with ISE - wrong IP address

  Hello,
  We are using ISE for radius authentication.  I have setup a new Cisco switch stack at one of our locations and setup the network device in ISE.  Unfortunately, when trying to authenticate, the ISE logs show a failure of "Could not locate Network Device or AAA Client" The reason for this failure is the log shows it's coming from the wrong IP address.  The IP address of the switch is 10.xxx.aaa.241, but the logs show it is 10.xxx.aaa.243.  I have removed and re-added the radius configs on both ISE and the switch, but it still comes in as .243.  There is another switch stack at that location (same model, IOS etc), that works properly.
  The radius config on the switch:
  aaa new-model
  aaa authentication login default local
  aaa authentication login Comm group radius local
  aaa authentication enable default enable
  aaa authorization exec default group radius if-authenticated
  ip radius source-interface Vlanyy
  radius server 10.xxx.yyy.zzz
   address ipv4 10.xxx.yyy.zzz auth-port 1812 acct-port 1813
   key 7 abcdefg
  The log from ISE:
  Overview
  Event  5405 RADIUS Request dropped 
  Username  
  Endpoint Id  
  Endpoint Profile  
  Authorization Profile  
  Authentication Details
  Source Timestamp  2014-07-30 08:48:51.923 
  Received Timestamp  2014-07-30 08:48:51.923 
  Policy Server  ise
  Event  5405 RADIUS Request dropped 
  Failure Reason  11007 Could not locate Network Device or AAA Client 
  Resolution  Verify whether the Network Device or AAA client is configured in: Administration > Network Resources > Network Devices 
  Root cause  Could not find the network device or the AAA Client while accessing NAS by IP during authentication. 
  Username  
  User Type  
  Endpoint Id  
  Endpoint Profile  
  IP Address  
  Identity Store  
  Identity Group  
  Audit Session Id  
  Authentication Method  
  Authentication Protocol  
  Service Type  
  Network Device  
  Device Type  
  Location  
  NAS IP Address  10.xxx.aaa.243 
  NAS Port Id  tty2 
  NAS Port Type  Virtual 
  Authorization Profile  
  Posture Status  
  Security Group  
  Response Time  
  Other Attributes
  ConfigVersionId  107 
  Device Port  1645 
  DestinationPort  1812 
  Protocol  Radius 
  NAS-Port  2 
  AcsSessionID  ise1/186896437/1172639 
  Device IP Address  10.xxx.aaa.243 
  CiscoAVPair  
     Steps
    11001  Received RADIUS Access-Request 
    11017  RADIUS created a new session 
    11007  Could not locate Network Device or AAA Client 
    5405  
  As a test, I setup a device using the .243 address.  While ISE claims it authenticates, it really doesn't.  I have to use my local account to access the device.
  Any advice on how to resolve this issue would be appreciated.  Please let me know if more information is needed.

  Well from the debug I would say there may be an issue with the addressing of the radius server on the switch.
  radius-server host 10.xxx.xxx.xxx key******** <--- Make sure this address and Key matches what you have in ISE PSN and that switch. Watch for spaces in your key at the begining or end of the string.
  What interface should your switch be sending the radius request?
  ip radius source-interface VlanXXX vrf default
  Here is what my debug looks like when it is working correctly.
  Aug  4 15:58:47 EST: RADIUS/ENCODE(00000265): ask "Password: "
  Aug  4 15:58:47 EST: RADIUS/ENCODE(00000265):Orig. component type = EXEC
  Aug  4 15:58:47 EST: RADIUS(00000265): Config NAS IP: 10.xxx.xxx.251
  Aug  4 15:58:47 EST: RADIUS/ENCODE(00000265): acct_session_id: 613
  Aug  4 15:58:47 EST: RADIUS(00000265): sending
  Aug  4 15:58:47 EST: RADIUS(00000265): Send Access-Request to 10.xxx.xxx.35:1645 id 1645/110, len 104
  Aug  4 15:58:47 EST: RADIUS:  authenticator 97 FB CF 13 2E 6F 62 5D - 5B 10 1B BD BA EB C9 E3
  Aug  4 15:58:47 EST: RADIUS:  User-Name           [1]   9   "admin"
  Aug  4 15:58:47 EST: RADIUS:  Reply-Message       [18]  12 
  Aug  4 15:58:47 EST: RADIUS:   50 61 73 73 77 6F 72 64 3A 20        [ Password: ]
  Aug  4 15:58:47 EST: RADIUS:  User-Password       [2]   18  *
  Aug  4 15:58:47 EST: RADIUS:  NAS-Port            [5]   6   3                        
  Aug  4 15:58:47 EST: RADIUS:  NAS-Port-Id         [87]  6   "tty3"
  Aug  4 15:58:47 EST: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
  Aug  4 15:58:47 EST: RADIUS:  Calling-Station-Id  [31]  15  "10.xxx.xxx.100"
  Aug  4 15:58:47 EST: RADIUS:  Service-Type        [6]   6   Login                     [1]
  Aug  4 15:58:47 EST: RADIUS:  NAS-IP-Address      [4]   6   10.xxx.xxx.251           
  Aug  4 15:58:47 EST: RADIUS(00000265): Started 5 sec timeout
  Aug  4 15:58:47 EST: RADIUS: Received from id 1645/110 10.xxx.xxx.35:1645, Access-Accept, len 127
  Aug  4 15:58:47 EST: RADIUS:  authenticator 1B 98 AB 4F B1 F4 81 41 - 3D E1 E9 DB 33 52 54 C1
  Aug  4 15:58:47 EST: RADIUS:  User-Name           [1]   9   "admin"
  Aug  4 15:58:47 EST: RADIUS:  State               [24]  40 
  Aug  4 15:58:47 EST: RADIUS:   52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 61  [ReauthSession:0a]
  Aug  4 15:58:47 EST: RADIUS:   30 63 66 65 32 33 30 30 30 31 46 37 30 37 35 33  [0cfe230001F70753]
  Aug  4 15:58:47 EST: RADIUS:   44 46 45 35 46 37            [ DFE5F7]
  Aug  4 15:58:47 EST: RADIUS:  Class               [25]  58 
  Aug  4 15:58:47 EST: RADIUS:   43 41 43 53 3A 30 61 30 63 66 65 32 33 30 30 30  [CACS:0a0cfe23000]
  Aug  4 15:58:47 EST: RADIUS:   31 46 37 30 37 35 33 44 46 45 35 46 37 3A 50 52  [1F70753DFE5F7:PR]
  Aug  4 15:58:47 EST: RADIUS:   59 49 53 45 30 30 32 2F 31 39 33 37 39 34 36 39  [YISE002/19379469]
  Aug  4 15:58:47 EST: RADIUS:   38 2F 32 30 36 33 31 36          [ 8/206316]
  Aug  4 15:58:47 EST: RADIUS(00000265): Received from id 1645/110
  ---------------------------------------------------------------------------------------------------------------This is after I added the incorrect Radius server address.
  Aug  4 16:05:19 EST: RADIUS/ENCODE(00000268): ask "Password: "
  Aug  4 16:05:19 EST: RADIUS/ENCODE(00000268):Orig. component type = EXEC
  Aug  4 16:05:19 EST: RADIUS(00000268): Config NAS IP: 10.xxx.xxx.251
  Aug  4 16:05:19 EST: RADIUS/ENCODE(00000268): acct_session_id: 616
  Aug  4 16:05:19 EST: RADIUS(00000268): sending
  Aug  4 16:05:19 EST: RADIUS(00000268): Send Access-Request to 10.xxx.xxx.55:1645 id 1645/112, len 104
  Aug  4 16:05:19 EST: RADIUS:  authenticator FC 94 BA 5D 75 1F 84 08 - E0 56 05 3A 7F BC FB BB
  Aug  4 16:05:19 EST: RADIUS:  User-Name           [1]   9   "admin"
  Aug  4 16:05:19 EST: RADIUS:  Reply-Message       [18]  12 
  Aug  4 16:05:19 EST: RADIUS:   50 61 73 73 77 6F 72 64 3A 20        [ Password: ]
  Aug  4 16:05:19 EST: RADIUS:  User-Password       [2]   18  *
  Aug  4 16:05:19 EST: RADIUS:  NAS-Port            [5]   6   7                        
  Aug  4 16:05:19 EST: RADIUS:  NAS-Port-Id         [87]  6   "tty7"
  Aug  4 16:05:19 EST: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
  Aug  4 16:05:19 EST: RADIUS:  Calling-Station-Id  [31]  15  "10.xxx.xxx.100"
  Aug  4 16:05:19 EST: RADIUS:  Service-Type        [6]   6   Login                     [1]
  Aug  4 16:05:19 EST: RADIUS:  NAS-IP-Address      [4]   6   10.xxx.xxx.251           
  Aug  4 16:05:19 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:23 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:23 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:23 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:29 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:29 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:29 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:33 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:33 EST: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.xxx.xxx.55:1645,1646 is not responding.
  Aug  4 16:05:33 EST: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.xxx.xxx.55:1645,1646 is being marked alive.
  Aug  4 16:05:33 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:33 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:38 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:38 EST: RADIUS: Fail-over to (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:38 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:43 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:43 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:43 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:48 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:48 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:48 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:53 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:53 EST: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.xxx.xxx.55:1645,1646 is not responding.
  Aug  4 16:05:53 EST: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.xxx.xxx.55:1645,1646 is being marked alive.
  Aug  4 16:05:53 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:53 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:57 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:57 EST: RADIUS: No response from (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:57 EST: RADIUS/DECODE: parse response no app start; FAIL
  Aug  4 16:05:57 EST: RADIUS/DECODE: parse response; FAIL
  This is a default template I use for all my devices routers or switches hope it helps. I have two PSN's that is why we have two radius-server host commands..
  aaa authentication login vty group radius local enable
  aaa authentication login con group radius local enable
  aaa authentication dot1x default group radius
  aaa authorization network default group radius 
  aaa accounting system default start-stop group radius
  ip radius source-interface VlanXXX vrf default
  radius-server attribute 6 on-for-login-auth
  radius-server attribute 6 support-multiple
  radius-server attribute 8 include-in-access-req
  radius-server attribute 25 access-request include
  radius-server dead-criteria time 30 tries 3
  radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646 key *********
  radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646 key *********
  radius-server vsa send accounting
  radius-server vsa send authentication
  You can use this in the switch to test radius
  test aaa group radius server 10.xxx.xxx.xxx <username> <password>

• RADIUS authentication SF300-24P

  RADIUS authentication SF300-24P
  We have just purchased 20x SF300-24P switches to be installed at our remote offices and we are unable to get RADIUS authentication to work. We already use RADIUS on all our primary network CISCO switches (e.g. 4506s¸ 3560s, 3750s, AP1231Gs,etc) and these work fine so we know the RADIUS server is working.
  We are trying to use RADIUS authentication to gain management access onto these switches. Quite simply although we can see that the RADIUS server is accepting the username and password being sent, however the switch says “authentication failed” when to receives the response. We are using Microsoft NPS RADIUS Clients for authentication purposes.
  We have upgrade the switches to the latest firmware 1.1.2.0, via the console it seems to have a very cut down IOS version so we cannot use the typical CISCO command set to configure the RADIUS as we normally would. Looking at the web GUI there seems to be a number of options missing including the Accounting port. When debugging is switch on there is no indication to say that any of the settings have been misconfigured.
  Any advice you could offer would be gratefully received.
  Mike Lewis

  Here is the documentation excerpt-
  For the RADIUS server to grant access to the web-based switch configuration
  utility, the RADIUS server must return cisco-avpair = shell:priv-lvl=15.
  User authentication occurs in the order that the authentication methods are
  selected. If the first authentication method is not available, the next selected
  method is used. For example, if the selected authentication methods are RADIUS
  and Local, and all configured RADIUS servers are queried in priority order and do
  not reply, the user is authenticated locally.
  If an authentication method fails or the user has insufficient privilege level, the user
  is denied access to the switch. In other words, if authentication fails at an
  authentication method, the switch stops the authentication attempt; it does not
  continue and does not attempt to use the next authentication method.
  Of course the point of interest here is the second paragraph. The initial wording is the behavior you want. The second portion is very open for interpretation (I do agree it is somewhat ambiguous but consistent with the switch behavior). When I read the example and it says the Radius is busy or not responding then you will authenticate locally. Which seems fair enough. But what it doesn't say, is if you can use one or the other, but instead it seems based on preference failure.
  -Tom
  Please rate helpful posts

• RADIUS Authentication

  Hi Everyone,
  I would like to implement RADIUS authentication for my companies Cisco devices. Could anybody give me some configuration examples of how to point my switches and routers at a RADIUS server, and also to attempt authentication against RADIUS. Only using a locally configured account if RADIUS fails?
  My undertsnading would be to use the following configuration;
  aaa new-model
  aaa authentication login default group radius local
  aaa accounting network default start-stop group radius
  radius-server host 1.1.1.1 auth-port 1812 acct-port 1813 key radius
  radius-server retransmit 3
  Thanks in advance,
  Dan

  Hello Dan,
  yours configuration seems to be OK..
  more info you can find here
  http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7ab.html

• Configuring a 1230 AP as a "Local Radius Authenticator"

  Configuring a 1230 AP as a "Local Radius Authenticator"
  CCO-URL: Configuring an Access Point as a Local Authenticator
  http://www.cisco.com/en/US/partner/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a0080184a9b.html
  this is the minimal config, i think:
  AP# configure terminal
  AP(config)# radius-server local
  AP(config-radsrv)# nas 1.1.1.1 key 111
  AP(config-radsrv)# group clerks
  AP(config-radsrv-group)# vlan 2
  AP(config-radsrv-group)# ssid batman
  AP(config-radsrv-group)# reauthentication time 1800
  AP(config-radsrv-group)# lockout count 2 time 600
  AP(config-radsrv-group)# exit
  AP(config-radsrv)# user jsmith password twain74 group clerks
  AP(config-radsrv)# end
  whereas 1.1.1.1 is the IP of the AP himself ?
  is there a must for additional config commands like this:
  radius-server host 1.1.1.1 auth-port 1812 acct-port 1813 key 111
  aaa group server radius rad_eap
  server 1.1.1.1 auth-port 1812 acct-port 1813
  aaa group server radius rad_admin
  server 1.1.1.1 auth-port 1812 acct-port 1813
  all attempts didn't work
  "station <MAC> authentication failed"
  is there anything else nessecary ???

  You seem to be missing the following commands;
  authentication network-eap eap_methods
  authentication key-management cckm optional
  The following commands are useful for diagnosis;
  • Show radius local statistics
  • show interface dot11Radio 0 aaa client
  • Debug dot11 aaa dot1x state
  • Debug dot11 mgmt interface
  Local authentication is designed as a fall-back service for when the primary RADIUS server fails. We not encourage the use of Local authentication as a replacement for a radius server.
  * With an ACS you get Authentication, Authorization and Accounting. With Local authentication you only get Authentication.
  * ACS scales, supports external user-databases, supports multiple authentication types, supports database backup and replication, etc, etc... Local authentication supports a maximum of 50 users, internal static configuration only, and LEAP only.
  Following is an IOS configuration, that I have tested, and works on an AP1200 (should work on an 1100 too, I just haven’t tested it);
  · This configuration enables a single AP to do local authentication. No WDS is included for fast roaming.
  · This configuration can be cut-and-pasted into an AP that has been write-erased (blank config), and it will configure all the parameters to allow a client to LEAP authenticate to it (even if no Ethernet cable is connected to it)
  · Replace usernames/passwords with your own usernames/passwords
  · Replace ip-addresseswith the APs IP address
  · I added DHCP configuration so you can connect to a stand-alone AP with your DHCP-enabled laptop (with a profile that matches the test APs SSID and LEAP settings).
  conf t
  host loc-auth-ap-name
  enable secret cisco
  no ip domain-lookup
  line vty 0 4
  password cisco
  exec-timeout 0 0
  login
  int bvi 1
  ip address 10.11.12.13 255.255.255.0
  Interface dot11 0
  no ssid tsunami
  encryption mode ciphers ckip-cmic
  ssid test-loc-auth
  authentication network-eap eap_methods
  authentication key-management cckm optional
  ip dhcp excluded-address 10.11.12.13
  ip dhcp pool temp
  network 10.11.12.0 255.255.255.0
  interface BVI1
  ip address 10.11.12.13 255.255.255.0
  no ip route-cache
  aaa new-model
  aaa group server radius rad_eap
  ! add a real AAA server (with auth-port 1645) before
  ! the following statement if you are configuring a
  ! fallback authentication service instead of a
  ! standalone service
  server 10.11.12.13 auth-port 1812 acct-port 1646
  aaa authentication login eap_methods group rad_eap
  ! add a real AAA server (with auth-port 1645) before
  ! the following statement if you are configuring a
  ! fallback authentication service instead of a
  ! standalone service
  radius-server host 10.11.12.13 auth-port 1812 acct-port 1646 key 0 l0cal-key-secret
  radius-server deadtime 10
  dot11 holdoff-time 1
  ip radius source-interface BVI1
  radius-server local
  nas 10.11.12.13 key 0 l0cal-key-secret
  user testuser password 0 testuser-key-secret
  exit
  exit
  wri

• FreeRadius and Cisco 2600 Terminal Server [IOS 12.1(3)T]

  Hi Cisco People
  I'm using FreeRadius 2 and Cisco 2600 Terminal server to coordinate access to cisco routers based on time‏ ranges.
  Basically we are an education/training environment where we have some students accessing the routers and switches for practise, terminal server are used to consolidate the console access, and these terminal servers authenticate the users through a Radius server (as shown in the following figure). Additionally, the students are categorized into few groups. We want to implement policy on the radius server so that only a certain group can access the resources in a given duration of time (the user should be dropped from the terminal when the subscribed time is reached and cannot access thereafter .) 
  +++++++++++++++                                           +++++++++++++++++                                      +++++++++++++
  +         User          +++++++++++++++++++++++   Cisco 2600          +++++++++++++++++++++   Network      +
  +                          +                                           +   Terminal Serv     +                                      +    Devices      +
  +++++++++++++++                                           +++++++++++++++++                                      +++++++++++++
                                                                                          (NAS)
                                                                                              +
                                                                                              +
                                                                                 +++++++++++++++     
                                                                                +   FreeRadius      +
                                                                                +++++++++++++++
  Right now I'm able to do the "hello-world" setup with the following users and clients.conf. On the terminal server side, aaa new-model is enabled on the cisco terminal server to communicate with this radius server.
  users
  =============
  cisco Auth-Type := System
    Service-Type = NAS-Prompt-User,
    cisco-avpair = "shell:priv-lvl=15"
  clients.conf
  ==============
  client 192.168.1.1 {
    secret = SECRET_KEY
    shortname = termserver
    nastype = cisco
  A typical transaction would be :
  Access-Request
  =======
          NAS-IP-Address = 192.168.1.1
          NAS-Port = 35
          NAS-Port-Type = Async
          User-Name = "cisco"
          Calling-Station-Id = "1.1.1.1"
          User-Password = "cisco"
  Access-Accept
  =======
          Service-Type = NAS-Prompt-User
          Cisco-AVPair = "shell:priv-lvl=15"
  This works fine but doesn't provide any timing limitations. So I have modified the FreeRadius config to be :
  users
  =============
  cisco Auth-Type := System
    Service-Type = NAS-Prompt-User,
    cisco-avpair = "shell:priv-lvl=15",
    Session-Timeout = 20
  Cisco Terminal Server
  ==============
  aaa new-model
  aaa authentication login default group radius local none
  aaa authorization exec default group radius if-authenticated 
  aaa accounting exec default start-stop group radius
  aaa accounting network default start-stop group radius
  aaa accounting connection default start-stop group radius
  After this, I am able to see that the terminal server actually receives an Access-Accept including the Session-Timeout attributes like the following :
          Service-Type = NAS-Prompt-User
          Cisco-AVPair = "shell:priv-lvl=15"
          Session-Timeout = 20
  But the problem is that it doesn't really terminate the session after the 20 seconds are reached . My questions is that :
  1. Is the terminal server really able to enforce such time limit after receiving the attribute ?
  2. Is the 2600 terminal server  with [IOS 12.1(3)T] compliant with RFC 2865?
  3. What can I do so that the terminal server forces the user to be logged out after the session time limit is reached ?
  Thanks
  Frank

  Frank,
  I think you should use the login time s well:
  Login-Time
  Login-Time is a very powerful internal check AVP. It allows flexible authorization and its value is used by the logintime (rlm_logintime) module to determine if a person is allowed to authenticate to the FreeRADIUS server or not. This value is also used to calculate the Session-Timeout reply value. Session-Timeout is subsequently used by the NAS to limit access time.
  The following line will grant Alice access only between 08:00 and 18:00 each day.
  "alice" Cleartext-Password := "passme", Login-Time := 'Al0800-1800'
  The logintime module will calculate the reply value of Session-Timeout if Alice has logged in within the permitted timeslots to inform the NAS how long she is allowed to stay connected. If Alice tries to access the network when she is not permitted, the request will be rejected.
  http://www.packtpub.com/article/getting-started-with-freeradius
  http://wiki.freeradius.org/config/Users
  yes, the terminal server is RFC 2865 compliant.
  Rate if Useful :)
  Sharing knowledge makes you Immortal.
  Regards,
  Ed

• ACS 5.3 Radius authentication with ASA and DACL

  Hi,
  I am trying to do Radius authentication on the ACS 5.3 for VPN access (cisco client) using a downloadable ACL with AD identity
  Clients are connecting to an ASA 5510 with image asa843-K8.bin
  I followed the configuration example on the Cisco site, but I am having some problems
  First : AD identity is not triggered, I put a profile  :
  Status
  Name
  Conditions
  Results
  Hit Count
  NDG:Location
  Time And   Date
  AD1:memberOf
  Authorization   Profiles
  1
  TestVPNDACL
  -ANY-
  -ANY-
  equals Network Admin
  TEST DACL
  0
  But if I am getting no hits on it, Default Access is being used (Permit Access)
  So I tried putting the DACL in the default profile, but when connecting I am immediately disconnected.
  I can see the DACL/ASA being authenticated in the ACS log but no success
  I am using my user which is member of the Network Admin Group.
  Am I missing something?
  Any help greatly appreciated!
  Wim

  Hello Stephen,
  As per the IP Pools feature, the ACS 5.x does not include such functionality. It is not on the ACS 5.x roadmap either as the recommended scenario would be to use a dedicated DHCP server.
  ACS 4.x included that functionality, however, it was not the best solution as the ACS returned the IP Address value as a RADIUS Attribute instead of acting as a real DCHP server.
  As per the IMEI and MISDN I am assuming you are referring to International Mobile Equipment Identity and Mobile Subscriber ISDN. Correct me if I am wrong.
  In that case it seems that the ACS 5.x should be able to Allow or Deny access based on Radius Attribute 30 (Called-Station-Id) and 31 (Calling-Station-Id).
  In that case you might want to use the End-Station Filters feature and use it as the condition for the Rule. The End-Station Filter feature uses CLI/DNIS where CLI is Radius Attribute 31 and DNIS is Attribute 30.
  I am assuming a Generic Username will be embedded on the devices request. In that case you will define which end-user devices will be granted access based on the above attributes.
  Here is a snapshot of the section: