Radius Authentication Cisco Switch
Hi,
I have a Cisco 2960 switch and am currently trying to set up RADIUS authentication. My Microsoft guy does the server side; we have matching keys and he says there is no problem on his side, but we still cannot get it to work.
Config on switch
aaa new-model
aaa authentication login default group radius local
radius-server host 10.0.0.13 auth-port 1812
radius-server key 0 test
line vty 0 4
login authentication default
The switch and RADIUS server are on the same network. I have done a debug and am confused by the output. Can anyone point me in the right direction?
I have done a debug aaa authentication and debug radius:
AccessSwitch#
RADIUS/ENCODE(00001586):Orig. component type = Exec
RADIUS: AAA Unsupported Attr: interface [221] 4 92269176
RADIUS/ENCODE(00001586): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
RADIUS(00001586): Config NAS IP: 0.0.0.0
RADIUS(00001586): Config NAS IPv6: ::
RADIUS/ENCODE(00001586): acct_session_id: 20
RADIUS(00001586): sending
RADIUS/ENCODE: Best Local IP-Address 10.0.0.56 for Radius-Server 10.0.0.13
RADIUS(00001586): Sending a IPv4 Radius Packet
RADIUS(00001586): Send Access-Request to 10.0.0.13:1812 id 1645/18,len 77
RADIUS: authenticator 7C B1 A0 55 62 45 7B AF - F2 E2 48 4C C3 F0 72 98
RADIUS: User-Name [1] 15 "james.hoggard"
RADIUS: User-Password [2] 18 *
RADIUS: NAS-Port [5] 6 2
RADIUS: NAS-Port-Id [87] 6 "tty2"
RADIUS: NAS-Port-Type [61] 6 Virtual [5]
RADIUS: NAS-IP-Address [4] 6 10.0.0.56
RADIUS(00001586): Started 5 sec timeout
RADIUS: Received from id 1645/18 10.0.0.13:1812, Access-Reject, len 20
RADIUS: authenticator 80 CE C9 C2 D6 30 65 A9 - 07 D8 12 4C 9E 80 A9 3C
RADIUS(00001586): Received from id 1645/18
AAA/AUTHEN/LOGIN (00001586): Pick method list 'default'
RADIUS/ENCODE(00001586): ask "Password: "
RADIUS/ENCODE(00001586): send packet; GET_PASSWORD
Thanks
James.
Yes, PAP always uses plain text and that doesn't provide any kind of security. However, administrative sessions with RADIUS don't support CHAP/MSCHAP; we can't configure firewall/IOS devices for administration sessions like telnet/ssh to authenticate users with the MSCHAPv2 authentication method.
If you need secure communication then you may implement TACACS.
TACACS+ and RADIUS use a shared secret key to provide encryption for communication between the client and the server. RADIUS encrypts the user's password when the client makes a request to the server. This encryption prevents someone from sniffing the user's password using a packet analyzer. However, other information such as the username and the services being performed can be analyzed. TACACS+ not only encrypts the entire payload when communicating, but it also encrypts the user's password between the client and the server. This makes it more difficult to decipher information about the communication between the client and the server. TACACS+ uses the MD5 hash function in its encryption and decryption algorithm.
~BR
Jatin Katyal
**Do rate helpful posts**
Similar Messages
-
Radius-Authentication / Cisco 2600 fails MiscError -1642
Hi,
I'm trying to configure BM 3.8 SP3ir3, Radius (NMAS 2.3) to
authenticate a Cisco 2600 against my BM. Under BM 3.7 this
setup is working fine, but now with 3.8 I get the following
error:
Access rejected, Miscellaneous error (-1642)
I've configured the LPO with the following sequences:
NDS acceptable, simple acceptable
A test with NTRADPING:
with CHAP disabled, it works fine (LPO sequence is NDS)
with CHAP enabled, I've got the error above
I tried the simple login sequence also (like a posting
in this newsgroup), but no change.
Hope you can help me, I need CHAP authentication...
From Radius-Debug:
This one works (without CHAP):
[2005-07-28 05:52:43 PM] (->)Cacher:
NWDSReadObjectInfo(das01.radius.bmanager.informati k.kli_pa),
succeeded, time:7
[2005-07-28 05:52:43 PM] 31) [(ip) 172.24.4.2:2642], Received 46 Bytes
(Access-Request (1))
[2005-07-28 05:52:43 PM] [(total=31) (p=30) (d=0) (r=0) (acc=0)
(rej=0)]
[2005-07-28 05:52:43 PM] <2> Done GetNextMessage [(ip)
172.24.4.2:2642]: time:2611012
[2005-07-28 05:52:43 PM] -------- START : (Access-Request (1)) [(ip)
172.24.4.2:2642]: time:640356694---
[2005-07-28 05:52:43 PM] CACHE:
CacheDomainListExist(das01.radius.bmanager.informa tik.kli_pa), using cache
[2005-07-28 05:52:43 PM] AuthRequestHandler(), Calling
NewRequestHandler.
[2005-07-28 05:52:43 PM] CACHE:
CacheGetEnableCNLogin(das01.radius.bmanager.inform atik.kli_pa), using
cache
[2005-07-28 05:52:43 PM]
(->)CacheGetDNForName:NWDSReadObjectInfo(NAS2-1), succeeded, time:72
[2005-07-28 05:52:43 PM] CacheFindContext - GetParentDN(userDN)
(RADIUS.BMANAGER.INFORMATIK.KLI_PA)
[2005-07-28 05:52:43 PM] CacheFindContext - tmpContext
(RADIUS.BMANAGER.INFORMATIK.KLI_PA),
contextName(RADIUS.BMANAGER.INFORMATIK.KLI_PA)
[2005-07-28 05:52:43 PM] Handling local authentication request.
[2005-07-28 05:52:43 PM] CACHE:
CacheReadSecretForNASAddress(das01.radius.bmanager .informatik.kli_pa),
using cache
[2005-07-28 05:52:43 PM]
(->)NDSVerifyAttr:NWDSRead(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA,RADIUS:Dial
Access Group) succeeded, time:47
[2005-07-28 05:52:43 PM]
(->)NWDSCompare:(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA) succeeded,
time:42
[2005-07-28 05:52:43 PM]
(->)NWDSRead(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA,RADIUS Enable
Attr) succeeded, time:45
[2005-07-28 05:52:43 PM] User Name: NAS2-1, User DN:
NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA, Domain: , Service Tag:
[2005-07-28 05:52:43 PM] (->)NADMAuthRequest()
[2005-07-28 05:52:43 PM]
(->)NADMAuthRequest(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA)
succeeded, time:961
[2005-07-28 05:52:43 PM] (->)Authenticate (0 policy, NDS pswd) (for
NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA), succeeded
[2005-07-28 05:52:43 PM]
(->)NDSReadData:NWDSRead(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA,RADIUS:Concurr ent
Limit) failed, no such attribute (-603), time:50
[2005-07-28 05:52:43 PM] CACHE:
CacheGetConcurrentLimit(das01.radius.bmanager.info rmatik.kli_pa),
using cache
[2005-07-28 05:52:43 PM]
User:NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA, Current Login:0, Login
Limit:-1, succeeded
[2005-07-28 05:52:43 PM] (->)Authentication SUCCEEDED
[2005-07-28 05:52:43 PM] Tag "DIALIN" uses profile
"DIALIN.RADIUS.BMANAGER.INFORMATIK.KLI_PA"
[2005-07-28 05:52:43 PM] FDN:
CN=NAS2-1.OU=RADIUS.OU=BMANAGER.OU=INFORMATIK.O=KLI_PA
[2005-07-28 05:52:43 PM] PutAttributesInBuffer, calling FilterAttribute
[2005-07-28 05:52:43 PM] Filter attribute, vendorID: 0, attribute: 6
[2005-07-28 05:52:43 PM] PutAttributesInBuffer, calling FilterAttribute
[2005-07-28 05:52:43 PM] Filter attribute, vendorID: 0, attribute: 7
[2005-07-28 05:52:43 PM] ->Sending Access-Accept (2) [(ip)
172.24.4.2(2642)] count=32
[2005-07-28 05:52:43 PM] ->Inserting into RespQ , code(2) id(7).
[2005-07-28 05:52:43 PM] -------- END : (Access-Request (1)) [(ip)
172.24.4.2:2642]: time:640358122---
This one doesn't work (CHAP enabled):
[2005-07-28 05:52:55 PM] 32) [(ip) 172.24.4.2:2647], Received 47 Bytes
(Access-Request (1))
[2005-07-28 05:52:55 PM] [(total=32) (p=31) (d=0) (r=0) (acc=0)
(rej=0)]
[2005-07-28 05:52:55 PM] <4> Done GetNextMessage [(ip)
172.24.4.2:2647]: time:2426593
[2005-07-28 05:52:55 PM] -------- START : (Access-Request (1)) [(ip)
172.24.4.2:2647]: time:640481075---
[2005-07-28 05:52:55 PM] CACHE:
CacheDomainListExist(das01.radius.bmanager.informa tik.kli_pa), using cache
[2005-07-28 05:52:55 PM] AuthRequestHandler(), Calling
NewRequestHandler.
[2005-07-28 05:52:55 PM] CACHE:
CacheGetEnableCNLogin(das01.radius.bmanager.inform atik.kli_pa), using
cache
[2005-07-28 05:52:55 PM]
(->)CacheGetDNForName:NWDSReadObjectInfo(NAS2-1), succeeded, time:72
[2005-07-28 05:52:55 PM] CacheFindContext - GetParentDN(userDN)
(RADIUS.BMANAGER.INFORMATIK.KLI_PA)
[2005-07-28 05:52:55 PM] CacheFindContext - tmpContext
(RADIUS.BMANAGER.INFORMATIK.KLI_PA),
contextName(RADIUS.BMANAGER.INFORMATIK.KLI_PA)
[2005-07-28 05:52:55 PM] Handling local authentication request.
[2005-07-28 05:52:55 PM] HandleCHAPRequest(NAS2-1)
[2005-07-28 05:52:55 PM] CACHE:
CacheReadSecretForNASAddress(das01.radius.bmanager .informatik.kli_pa),
using cache
[2005-07-28 05:52:55 PM] CHAP chapCSize: 16
[2005-07-28 05:52:55 PM] [CHAP]User Name: NAS2-1, User DN:
NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA, Domain: , Service Tag:
[2005-07-28 05:52:55 PM]
(->)NDSVerifyAttr:NWDSRead(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA,RADIUS:Dial
Access Group) succeeded, time:53
[2005-07-28 05:52:55 PM]
(->)NWDSCompare:(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA) succeeded,
time:42
[2005-07-28 05:52:55 PM]
(->)NWDSRead(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA,RADIUS Enable
Attr) succeeded, time:44
[2005-07-28 05:52:55 PM] (->)NADMAuthRequest()
[2005-07-28 05:52:59 PM] ->Sending Access-Reject (3) [(ip)
172.24.4.2(2647)] count=20
[2005-07-28 05:52:59 PM] ->Inserting into RespQ , code(3) id(8).
[2005-07-28 05:52:59 PM] -------- END : (Access-Request (1)) [(ip)
172.24.4.2:2647]: time:640512029---
I can't see an error with CHAP enabled.
Regards
Guenther
I'm having the same problem. radping works with CHAP and simple passwords
but gives the -1642 error when I'm authenticating from my Cisco VPN router.
BTW, I had everything working for YEARS with nds passwords and earlier
versions of bordermanager. BM 3.8 broke it.
Thanks
David
> Hi Jake,
>
> Yes, it's a Cisco issue. For downloading dynamic routes with
> RADIUS you need the Cisco default password called "cisco". Strange
> and a big security leak....
>
> The authentication with ppp-user and chap / simple password
> works fine now.
>
> Regards
> Guenther
>
> Jake Speed wrote:
> > Hi,
> > yes, it's working fine!
> > Working with a 3640, and 8 BRI/40 Async Interfaces. With CHAP enabled,
> > and simple password used.
> > Seems to be a problem on the Cisco side, so if radping works NW Radius
> > and the objects are ok.
> >
> > Bye
> > Jake
> >
> > Guenther Rasch wrote:
> >
> >> Hi Craig,
> >>
> >> I don't know why, but now CHAP works with ntradping.exe
> >> - Cisco router still doesn't work. I've configured
> >> "simple password" in the lp-object...
> >>
> >> Does anyone have a working configuration nmas radius /
> >> cisco nas-router?
> >>
> >> Regards
> >> Guenther
> >>
> >> Craig Johnson wrote:
> >>
> >>> In article <Yg0He.13962$[email protected]>,
> >>> Guenther Rasch wrote:
> >>>
> >>>> Is it possible in BM 3.8? Which password / login sequence do I need to
> >>>> get CHAP working?
> >>>>
> >>>
> >>> As far as I know, you cannot make CHAP work against an NDS password,
> >>> in any version of Novell RADIUS.
> >>> I don't really know about getting the dial access system password
> >>> working in 3.8 (NMAS) RADIUS. I would assume there would be a login
> >>> policy object rule for it.
> >>>
> >>> Craig Johnson
> >>> Novell Support Connection SysOp
> >>> *** For a current patch list, tips, handy files and books on
> >>> BorderManager, go to http://www.craigjconsulting.com ***
> >>>
-
NPS Discarding RADIUS request from Cisco switch (802.1x)
For the last few weeks I've been busy trying to get the following to work:
- Cisco 2960 switch as the supplicant
- Another Cisco 2960 as the authenticator switch
- The supplicant is only able to send MS-EAP MS-ChapV2 requests
- The NPS server is Windows 2008 R2 (and also tested on 2012 R2)
This is called "NEAT" by Cisco; which does seem to work with Cisco ISE (http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116681-config-neat-cise-00.html)
but I'd like to get it to work with Windows NPS.
Within NPS I've set up the following Connection Request policy:
- NAS Port Type: Ethernet
I'm using the following Network Policy:
- User Group: DOMAIN\Switches (the useraccount used by the switch is part of this group)
- NAS Port Type: Ethernet
- Authentication Type: EAP
Now the request sent by the switch is discarded. The actual error is the following (excluded irrelevant information):
User:
Account Name: Rotterdam-Switch-8-1
Account Domain: DOMAIN
Authentication Details:
Connection Request Policy Name: Secure Wired Connections
Network Policy Name: Switches Allowed
Authentication Provider: Windows
Authentication Server: SERVER.DOMAIN.local
Authentication Type: EAP
EAP Type: -
Account Session Identifier: -
Reason Code: 1
Reason: An internal error occurred. Check the system event log for additional information.
Wireshark on the NPS server shows:
1. The RADIUS Access-Request (1) being received by the NPS Server
2. The NPS Server sending out a RADIUS Access-Challenge (11) to the authenticator switch
3. Another RADIUS Access-Request (1) is being received by the NPS Server
Packet 2 has a t=EAP-Message(79) with type MS-EAP-Authentication [Palekar](26) and MS-CHAPv2-ID set to 2 and OpCode 1 (Challenge)
Packet 3 has a t=EAP-Message(79) with type MS-EAP-Authentication [Palekar](26) and MS-CHAPv2-ID set to 2 and OpCode 2 (Response)
I've also tried the following:
- I've also tested with an invalid username/password. The request is correctly denied
- I've also tested by adding ALL EAP Types as a condition to the Network Policy. The request isn't picked up by this policy anymore.
Any help would be greatly appreciated of course.
Kind regards,
Peter
It only took like.. uhm.. forever.. but there's an answer which is "OK-ish..".
Cisco 2960 switches support EAP-MSCHAP; but it seems that NPS only supports EAP-MSCHAP for VPN connections and not for Wired/Wireless authentication. Something to do with inner and outer methods and NPS requiring PEAP as an outer method for Wired/Wireless authentication.
End result is that both the Cisco switches and NPS do support EAP-MD5. Though it's definitely not as secure (at all), it's definitely a step in the right direction and it's something that we'll be implementing.
Now, while it seems that NPS doesn't support EAP-MD5 (which is supposedly deprecated), it's possible to re-enable it using the following articles.
http://support.microsoft.com/kb/922574/en-us
Microsoft mentioned to me that "Though this article says it applies to Windows Vista only, it does apply to Server 2008 R2 as well. Also I would suggest you the following link:
http://support.microsoft.com/kb/981190"
Please note that you'll have to enable 'Store password using reversible encryption' on the accounts that will be used for NEAT authentication.
Although I would have hoped EAP-MSCHAPv2 would work, I feel I do need to clarify that I understand Microsoft's point of view on this as well. They feel EAP methods without PEAP are simply not safe; which is understandable, especially for EAP-MD5 which could be sniffed using a hub/repeater/etc.
Kind regards,
Peter
-
RADIUS authentication for SGE2010 switch
I am trying to configure an SGE2010 switch to use RADIUS authentication. At the moment, the NPS (Windows Server 2008 R2 RADIUS) server is receiving the access request and is returning an access accept.
The switch does not let us log in.
Cisco-sw1(config)# 09-Nov-2009 21:10:35 %AAA-W-REJECT: New telnet connection for
user P@ssw0rd, source 192.168.10.213 destination REJECTED
Note: It is printing the user's password instead of the username.
I suspect it is something to do with the cisco-AV-pair attribute. I have tried the following values but nothing works:
Shell:priv-lvl=15
Shell = 15
Level = 15
Relevant lines from switch configuration:
radius-server host 192.168.1.23 key P@llssw0rd88
aaa authentication enable default none
aaa authentication login default radius
Any help would be more than greatly appreciated.
The problem isn't that it is rejecting me. Using Network Monitor I can see it is accepting the request but for some reason just won't log me in.
A link was sent to me to another website where it shows that you have to go into the settings tab of the policy and change the RADIUS attribute to Service-Type Administrative.
After doing that, I was able to log into the switch with any of the Windows domain users I had specified.
This is the link that gave me the answer:
http://wiki.freeradius.org/Linksys
-
Cisco 3650 Converged LAN/WLAN Design: Radius Authentication configuration example needed
Hello Cisco-Experts,
One of our customers would like to deploy Cisco 3650 switches with integrated WLC functionality.
The platform is new to me and I have started to configure some basic settings.
Unfortunately I cannot find information on how to implement 802.1x RADIUS authentication.
Do you know where I can find detailed information or an example of how to implement this?
Thank You
Wini
Hello Rasika,
thank you very much for the link to your 802.1x authentication configuration on the similar 3850 platform.
Very useful stuff.
Is it possible to set up the RADIUS server function on the switch itself?
I'm asking because I would like to test the setup in our office before rollout to the customer.
Kind regards
Wini
-
Cisco switch/router authentication
Hi! Is there any way that I can authenticate user logins through Microsoft AD/IAS to the Cisco switch/router without using Cisco ACS or any paid solution? Thanks
Hello,
IOS configuration:
Switch(config)#radius-server host 192.168.250.20 key cisco123
Switch(config)#aaa authentication login default group radius local
Switch(config)#aaa authorization exec default group radius local
IAS configuration:
1) Define the RADIUS client entry:
2) Define the IAS Policies:
-
Cisco ACS 4.2 and Radius authentication?
Hi,
I have a Cisco ACS 4.2 installed and am using it to authenticate users that log on to switches using TACACS+. When I use the local password database, everything is working. But if I try to use external database authentication using a Windows 2008 RADIUS server, I have the problem that I can only use PAP, not CHAP. Does anyone know if it's possible to use CHAP with external RADIUS authentication?
To access network devices for administrative purposes, we have only three methods available:
[1] Telnet: Which uses the PAP authentication protocol between the client and the NAS device. So the communication between client and NAS is unencrypted, and when this information flows from the NAS to the IAS server it gets encrypted using the shared secret key configured on the device/IAS server.
[2] SSH: Which uses public-key cryptography for encrypting information between the client and the NAS device, i.e. information sent between client and NAS is fully secure. And the communication between NAS and IAS is encrypted using the shared secret, same as above. The good point on the SSH side is that the communication channel is secure all the time. Again, the authentication type would remain the same, that is PAP.
[3] Console: Which is also the same; it will not allow the use of MSCHAP as there is no need to secure it, as your laptop is connected directly to the NAS, and then if you are using TACACS it will encrypt the payload.
Summarizing, we cannot use CHAP, MS-CHAP or MS-CHAPv2 for communication between the client and the NAS device for administrative access.
And the most secure way to administer a device is to use SSH.
Rgds, Jatin
Do rate helpful posts~
-
ASA , Cisco VPN client with RADIUS authentication
Hi,
I have configured ASA for Cisco VPN client with RADIUS authentication using Windows 2003 IAS.
All seems to be working: I get connected and authenticated. However, even though I use a user name and password from Active Directory when connecting with the Cisco VPN client, I still have to provide these credentials once again when accessing domain resources.
Should it work like this? Would it be possible to configure ASA/IAS/VPN client in such a way that I enter the user name/password just once when connecting and get access to domain resources straight away?
Thank you.
Kind regards,
Alex
Hi Alex,
It is working as it should.
You can enable the VPN client to start VPN before logon. That way you log in to VPN and then log on to the domain. However, you are still entering credentials twice (VPN and domain), but you have access to domain resources and profiles.
thanks
John
-
Cisco ISE IPEP and Non Radius Authenticator
Is it possible for a Juniper FW or Aruba Wireless or anything else that does native AD authentication to use an IPEP for policy enforcement without converting the authenticator (Juniper / Aruba etc.) to a RADIUS request to a PDP for the IPEP to build the session from?
Does the IPEP simply "sniff" the packets and build a session from that or does it require RADIUS authentication to pass through for the IPEP to function?
I believe RADIUS is required but the client said he was told it is not and the authenticator can pass the traffic through the IPEP even if it authenticates clients by Native AD.
Anyone have any examples or traffic flows if this is possible?
Thanks,
Michael Wynston
Got my answer and it is as I thought. The iPEP only works if it sees RADIUS requests to a PDP that then provides the iPEP with the policy to enforce.
Have a client migrating from CCA which will natively check AD inline based on seen authentication requests. They were told (not by me) ISE can do that too.
Guess not
Sent from Cisco Technical Support iPhone App
-
SMB 300 switch - RADIUS authentication
Did anybody have any luck configuring RADIUS authentication with SMB 300 managed switches? I just deployed one and am struggling with RADIUS authentication against AD. The RADIUS server works because there are 10 other Catalyst switches and routers working fine.
Any pointers on how to set up RADIUS authentication for administrative connections? I need it for HTTP, telnet and SSH management sessions to the switch.
Thanks in advance,
Sam
Yes, PAP always uses plain text and that doesn't provide any kind of security. However, administrative sessions with RADIUS don't support CHAP/MSCHAP; we can't configure firewall/IOS devices for administration sessions like telnet/ssh to authenticate users with the MSCHAPv2 authentication method.
If you need secure communication then you may implement TACACS.
TACACS+ and RADIUS use a shared secret key to provide encryption for communication between the client and the server. RADIUS encrypts the user's password when the client makes a request to the server. This encryption prevents someone from sniffing the user's password using a packet analyzer. However, other information such as the username and the services being performed can be analyzed. TACACS+ not only encrypts the entire payload when communicating, but it also encrypts the user's password between the client and the server. This makes it more difficult to decipher information about the communication between the client and the server. TACACS+ uses the MD5 hash function in its encryption and decryption algorithm.
~BR
Jatin Katyal
**Do rate helpful posts**
-
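Jatin's point (made in the first thread and again above, and behind the PAP-only answer in the ACS 4.2 thread) is that RADIUS protects only the User-Password attribute, with a keystream derived from the shared secret and the per-request authenticator, while the username and everything else cross the wire in clear. The following is an added example, not code from any of the posts or from Cisco or Microsoft: it builds a PAP Access-Request the way a switch would (RFC 2865 section 5.2 password hiding), lets a "server" recover the password and answer with a Response Authenticator, and lets the "NAS" verify that reply. The usernames, passwords, NAS address and the `exchange` helper are constructed for the demonstration. The Accept also carries Service-Type Administrative(6), the attribute the SGE2010 thread above needed for privileged login.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types from RFC 2865; the bracketed numbers in the
# page's IOS debug output (User-Name [1], User-Password [2], ...) are the same.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE = 1, 2, 4, 5, 6
SERVICE_TYPE_LOGIN, SERVICE_TYPE_ADMINISTRATIVE = 1, 6

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16 bytes, XOR each block with
    MD5(secret + previous ciphertext block); the first block chains from the
    Request Authenticator. This is the only attribute RADIUS protects."""
    padded = password + b"\x00" * ((-len(password)) % 16) or b"\x00" * 16
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out

def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side of hide_password; with a different secret it yields garbage."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs) -> bytes:
    """Type/Length/Value; Length includes the two header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def build_access_request(ident, secret, username, password, nas_ip, nas_port):
    """What the NAS (the switch) emits. NAS-IP-Address is whatever address the
    NAS chooses to advertise, which is why 'ip radius source-interface' matters."""
    req_auth = os.urandom(16)  # fresh, unpredictable Request Authenticator
    attrs = [
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, req_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        (NAS_PORT, struct.pack("!I", nas_port)),
        (SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN)),
    ]
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + req_auth + body, req_auth

def build_response(code, request, secret, attrs=()):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    ident, req_auth, body = request[1], request[4:20], encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body

def verify_response(response, req_auth, secret) -> bool:
    """NAS-side check. RFC 2865 says a reply that fails it is silently
    discarded, so a secret mismatch on this path shows up as a timeout."""
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + req_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def exchange(nas_secret, server_secret, username="james.hoggard", password="s3cret"):
    """One PAP login round trip with constructed values (hypothetical helper).
    Returns what a passive observer, the server and the NAS each end up with."""
    request, req_auth = build_access_request(18, nas_secret, username, password, "10.0.0.56", 2)
    seen = dict(decode_attrs(request[20:]))  # what a sniffer on the path decodes
    recovered = reveal_password(seen[USER_PASSWORD], server_secret, req_auth)
    code = ACCESS_ACCEPT if recovered == password.encode() else ACCESS_REJECT
    # Service-Type Administrative(6) in the Accept is what the SGE2010 thread
    # needed before the switch would grant a privileged CLI session.
    reply_attrs = [(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE))] if code == ACCESS_ACCEPT else []
    response = build_response(code, request, server_secret, reply_attrs)
    reply = dict(decode_attrs(response[20:]))
    return {
        "username_visible_on_wire": seen[USER_NAME].decode(),
        "password_visible_on_wire": password.encode() in request,
        "server_decision": code,
        "reply_service_type": struct.unpack("!I", reply[SERVICE_TYPE])[0] if SERVICE_TYPE in reply else None,
        "reply_accepted_by_nas": verify_response(response, req_auth, nas_secret),
    }
```

Calling `exchange(b"test", b"test")` gives an Accept the NAS validates, with the username readable on the wire and the password not; `exchange(b"test", b"not-test")` shows both things a mismatched key breaks: the server recovers a wrong password and rejects, and the NAS cannot validate the reply it gets back. Note that the request itself carries no integrity check unless Message-Authenticator is added, so a server with the wrong key cannot tell a mismatch from a wrong password.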
Radius authentication with ISE - wrong IP address
Hello,
We are using ISE for RADIUS authentication. I have set up a new Cisco switch stack at one of our locations and set up the network device in ISE. Unfortunately, when trying to authenticate, the ISE logs show a failure of "Could not locate Network Device or AAA Client". The reason for this failure is that the log shows it's coming from the wrong IP address. The IP address of the switch is 10.xxx.aaa.241, but the logs show it is 10.xxx.aaa.243. I have removed and re-added the RADIUS configs on both ISE and the switch, but it still comes in as .243. There is another switch stack at that location (same model, IOS etc.) that works properly.
The RADIUS config on the switch:
aaa new-model
aaa authentication login default local
aaa authentication login Comm group radius local
aaa authentication enable default enable
aaa authorization exec default group radius if-authenticated
ip radius source-interface Vlanyy
radius server 10.xxx.yyy.zzz
 address ipv4 10.xxx.yyy.zzz auth-port 1812 acct-port 1813
 key 7 abcdefg
The log from ISE:
Overview
Event 5405 RADIUS Request dropped
Username
Endpoint Id
Endpoint Profile
Authorization Profile
Authentication Details
Source Timestamp 2014-07-30 08:48:51.923
Received Timestamp 2014-07-30 08:48:51.923
Policy Server ise
Event 5405 RADIUS Request dropped
Failure Reason 11007 Could not locate Network Device or AAA Client
Resolution Verify whether the Network Device or AAA client is configured in: Administration > Network Resources > Network Devices
Root cause Could not find the network device or the AAA Client while accessing NAS by IP during authentication.
Username
User Type
Endpoint Id
Endpoint Profile
IP Address
Identity Store
Identity Group
Audit Session Id
Authentication Method
Authentication Protocol
Service Type
Network Device
Device Type
Location
NAS IP Address 10.xxx.aaa.243
NAS Port Id tty2
NAS Port Type Virtual
Authorization Profile
Posture Status
Security Group
Response Time
Other Attributes
ConfigVersionId 107
Device Port 1645
DestinationPort 1812
Protocol Radius
NAS-Port 2
AcsSessionID ise1/186896437/1172639
Device IP Address 10.xxx.aaa.243
CiscoAVPair
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11007 Could not locate Network Device or AAA Client
5405
As a test, I set up a device using the .243 address. While ISE claims it authenticates, it really doesn't. I have to use my local account to access the device.
Any advice on how to resolve this issue would be appreciated. Please let me know if more information is needed.
Well, from the debug I would say there may be an issue with the addressing of the RADIUS server on the switch.
radius-server host 10.xxx.xxx.xxx key ******** <--- Make sure this address and key match what you have in the ISE PSN and that switch. Watch for spaces in your key at the beginning or end of the string.
What interface should your switch be sending the RADIUS request from?
ip radius source-interface VlanXXX vrf default
Here is what my debug looks like when it is working correctly.
Aug 4 15:58:47 EST: RADIUS/ENCODE(00000265): ask "Password: "
Aug 4 15:58:47 EST: RADIUS/ENCODE(00000265):Orig. component type = EXEC
Aug 4 15:58:47 EST: RADIUS(00000265): Config NAS IP: 10.xxx.xxx.251
Aug 4 15:58:47 EST: RADIUS/ENCODE(00000265): acct_session_id: 613
Aug 4 15:58:47 EST: RADIUS(00000265): sending
Aug 4 15:58:47 EST: RADIUS(00000265): Send Access-Request to 10.xxx.xxx.35:1645 id 1645/110, len 104
Aug 4 15:58:47 EST: RADIUS: authenticator 97 FB CF 13 2E 6F 62 5D - 5B 10 1B BD BA EB C9 E3
Aug 4 15:58:47 EST: RADIUS: User-Name [1] 9 "admin"
Aug 4 15:58:47 EST: RADIUS: Reply-Message [18] 12
Aug 4 15:58:47 EST: RADIUS: 50 61 73 73 77 6F 72 64 3A 20 [ Password: ]
Aug 4 15:58:47 EST: RADIUS: User-Password [2] 18 *
Aug 4 15:58:47 EST: RADIUS: NAS-Port [5] 6 3
Aug 4 15:58:47 EST: RADIUS: NAS-Port-Id [87] 6 "tty3"
Aug 4 15:58:47 EST: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Aug 4 15:58:47 EST: RADIUS: Calling-Station-Id [31] 15 "10.xxx.xxx.100"
Aug 4 15:58:47 EST: RADIUS: Service-Type [6] 6 Login [1]
Aug 4 15:58:47 EST: RADIUS: NAS-IP-Address [4] 6 10.xxx.xxx.251
Aug 4 15:58:47 EST: RADIUS(00000265): Started 5 sec timeout
Aug 4 15:58:47 EST: RADIUS: Received from id 1645/110 10.xxx.xxx.35:1645, Access-Accept, len 127
Aug 4 15:58:47 EST: RADIUS: authenticator 1B 98 AB 4F B1 F4 81 41 - 3D E1 E9 DB 33 52 54 C1
Aug 4 15:58:47 EST: RADIUS: User-Name [1] 9 "admin"
Aug 4 15:58:47 EST: RADIUS: State [24] 40
Aug 4 15:58:47 EST: RADIUS: 52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 61 [ReauthSession:0a]
Aug 4 15:58:47 EST: RADIUS: 30 63 66 65 32 33 30 30 30 31 46 37 30 37 35 33 [0cfe230001F70753]
Aug 4 15:58:47 EST: RADIUS: 44 46 45 35 46 37 [ DFE5F7]
Aug 4 15:58:47 EST: RADIUS: Class [25] 58
Aug 4 15:58:47 EST: RADIUS: 43 41 43 53 3A 30 61 30 63 66 65 32 33 30 30 30 [CACS:0a0cfe23000]
Aug 4 15:58:47 EST: RADIUS: 31 46 37 30 37 35 33 44 46 45 35 46 37 3A 50 52 [1F70753DFE5F7:PR]
Aug 4 15:58:47 EST: RADIUS: 59 49 53 45 30 30 32 2F 31 39 33 37 39 34 36 39 [YISE002/19379469]
Aug 4 15:58:47 EST: RADIUS: 38 2F 32 30 36 33 31 36 [ 8/206316]
Aug 4 15:58:47 EST: RADIUS(00000265): Received from id 1645/110
---------------------------------------------------------------------------------------------------------------
This is after I added the incorrect RADIUS server address.
Aug 4 16:05:19 EST: RADIUS/ENCODE(00000268): ask "Password: "
Aug 4 16:05:19 EST: RADIUS/ENCODE(00000268):Orig. component type = EXEC
Aug 4 16:05:19 EST: RADIUS(00000268): Config NAS IP: 10.xxx.xxx.251
Aug 4 16:05:19 EST: RADIUS/ENCODE(00000268): acct_session_id: 616
Aug 4 16:05:19 EST: RADIUS(00000268): sending
Aug 4 16:05:19 EST: RADIUS(00000268): Send Access-Request to 10.xxx.xxx.55:1645 id 1645/112, len 104
Aug 4 16:05:19 EST: RADIUS: authenticator FC 94 BA 5D 75 1F 84 08 - E0 56 05 3A 7F BC FB BB
Aug 4 16:05:19 EST: RADIUS: User-Name [1] 9 "admin"
Aug 4 16:05:19 EST: RADIUS: Reply-Message [18] 12
Aug 4 16:05:19 EST: RADIUS: 50 61 73 73 77 6F 72 64 3A 20 [ Password: ]
Aug 4 16:05:19 EST: RADIUS: User-Password [2] 18 *
Aug 4 16:05:19 EST: RADIUS: NAS-Port [5] 6 7
Aug 4 16:05:19 EST: RADIUS: NAS-Port-Id [87] 6 "tty7"
Aug 4 16:05:19 EST: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Aug 4 16:05:19 EST: RADIUS: Calling-Station-Id [31] 15 "10.xxx.xxx.100"
Aug 4 16:05:19 EST: RADIUS: Service-Type [6] 6 Login [1]
Aug 4 16:05:19 EST: RADIUS: NAS-IP-Address [4] 6 10.xxx.xxx.251
Aug 4 16:05:19 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:23 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:23 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:23 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:29 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:29 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:29 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:33 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:33 EST: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.xxx.xxx.55:1645,1646 is not responding.
Aug 4 16:05:33 EST: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.xxx.xxx.55:1645,1646 is being marked alive.
Aug 4 16:05:33 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:33 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:38 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:38 EST: RADIUS: Fail-over to (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:38 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:43 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:43 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:43 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:48 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:48 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:48 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:53 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:53 EST: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.xxx.xxx.55:1645,1646 is not responding.
Aug 4 16:05:53 EST: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.xxx.xxx.55:1645,1646 is being marked alive.
Aug 4 16:05:53 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:53 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:57 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:57 EST: RADIUS: No response from (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:57 EST: RADIUS/DECODE: parse response no app start; FAIL
Aug 4 16:05:57 EST: RADIUS/DECODE: parse response; FAIL
This is a default template I use for all my devices, routers or switches; hope it helps. I have two PSNs, that is why we have two radius-server host commands.
aaa authentication login vty group radius local enable
aaa authentication login con group radius local enable
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting system default start-stop group radius
ip radius source-interface VlanXXX vrf default
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646 key *********
radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646 key *********
radius-server vsa send accounting
radius-server vsa send authentication
You can use this in the switch to test RADIUS:
test aaa group radius server 10.xxx.xxx.xxx <username> <password>
-
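The three `debug radius` traces on this page (the Access-Reject in the first thread, and the working and the timed-out traces above) differ in a handful of lines that decide where to look next: which server the request went to, what `Config NAS IP` was, whether Service-Type was sent, and whether the exchange ended in Accept, Reject or retransmits. Below is an added triage script, not something from the thread or from Cisco, that pulls those facts out of a trace and attaches the checks this thread suggests. The sample traces are constructed excerpts modelled on the page's logs; where the page masks addresses as `10.xxx.xxx.xxx`, made-up `10.1.1.x` values are substituted.

```python
import re

# Constructed excerpts modelled on the `debug radius` traces quoted on this page.
REJECTED = [
    'RADIUS/ENCODE(00001586): dropping service type, "radius-server attribute 6 on-for-login-auth" is off',
    "RADIUS(00001586): Config NAS IP: 0.0.0.0",
    "RADIUS(00001586): Send Access-Request to 10.0.0.13:1812 id 1645/18,len 77",
    'RADIUS: User-Name [1] 15 "james.hoggard"',
    "RADIUS: NAS-IP-Address [4] 6 10.0.0.56",
    "RADIUS: Received from id 1645/18 10.0.0.13:1812, Access-Reject, len 20",
]
ACCEPTED = [
    "Aug 4 15:58:47 EST: RADIUS(00000265): Config NAS IP: 10.1.1.251",
    "Aug 4 15:58:47 EST: RADIUS(00000265): Send Access-Request to 10.1.1.35:1645 id 1645/110, len 104",
    "Aug 4 15:58:47 EST: RADIUS: Service-Type [6] 6 Login [1]",
    "Aug 4 15:58:47 EST: RADIUS: NAS-IP-Address [4] 6 10.1.1.251",
    "Aug 4 15:58:47 EST: RADIUS: Received from id 1645/110 10.1.1.35:1645, Access-Accept, len 127",
]
TIMED_OUT = [
    "Aug 4 16:05:19 EST: RADIUS(00000268): Config NAS IP: 10.1.1.251",
    "Aug 4 16:05:19 EST: RADIUS(00000268): Send Access-Request to 10.1.1.55:1645 id 1645/112, len 104",
    "Aug 4 16:05:19 EST: RADIUS: Service-Type [6] 6 Login [1]",
    "Aug 4 16:05:19 EST: RADIUS: NAS-IP-Address [4] 6 10.1.1.251",
    "Aug 4 16:05:23 EST: RADIUS(00000268): Request timed out",
    "Aug 4 16:05:23 EST: RADIUS: Retransmit to (10.1.1.55:1645,1646) for id 1645/112",
    "Aug 4 16:05:29 EST: RADIUS: Retransmit to (10.1.1.55:1645,1646) for id 1645/112",
    "Aug 4 16:05:33 EST: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.1.1.55:1645,1646 is not responding.",
    "Aug 4 16:05:57 EST: RADIUS: No response from (10.1.1.55:1645,1646) for id 1645/112",
]

SERVER_RE = re.compile(r"Send Access-Request to (\S+?):(\d+)")
CONFIG_NAS_RE = re.compile(r"Config NAS IP: (\S+)")
NAS_ATTR_RE = re.compile(r"NAS-IP-Address\s+\[4\]\s+\d+\s+(\S+)")
SERVICE_TYPE_RE = re.compile(r"Service-Type\s+\[6\]")

def triage_radius_debug(lines):
    """Reduce one trace to the facts worth checking first (hypothetical helper):
    target server, advertised NAS address, whether Service-Type was sent, and
    how the exchange ended. The hints follow the advice given in this thread."""
    s = {"server": None, "config_nas_ip": None, "nas_ip_attr": None,
         "service_type_sent": False, "outcome": "unknown", "retransmits": 0, "hints": []}
    for line in lines:
        m = SERVER_RE.search(line)
        if m:
            s["server"] = "%s:%s" % m.groups()
            continue
        m = CONFIG_NAS_RE.search(line)
        if m:
            s["config_nas_ip"] = m.group(1)
            continue
        m = NAS_ATTR_RE.search(line)
        if m:
            s["nas_ip_attr"] = m.group(1)
        elif SERVICE_TYPE_RE.search(line):
            s["service_type_sent"] = True
        elif "Retransmit to" in line:
            s["retransmits"] += 1
        elif "Access-Accept" in line:
            s["outcome"] = "accept"
        elif "Access-Reject" in line:
            s["outcome"] = "reject"
        elif "No response from" in line or "RADIUS_DEAD" in line:
            s["outcome"] = "timeout"
    if s["config_nas_ip"] in (None, "0.0.0.0"):
        s["hints"].append("no 'ip radius source-interface': the switch advertises the egress "
                          "interface address, which may not be the one registered on the server")
    if not s["service_type_sent"]:
        s["hints"].append("Service-Type not sent: 'radius-server attribute 6 on-for-login-auth' "
                          "is off, so a server policy that matches on it will not fire")
    if s["outcome"] == "timeout":
        s["hints"].append("no reply after %d retransmits: check server address/port reachability; "
                          "a shared-secret mismatch also ends here, because replies whose Response "
                          "Authenticator fails are silently discarded" % s["retransmits"])
    elif s["outcome"] == "reject":
        s["hints"].append("server answered Access-Reject: the request reached the server; either "
                          "its policy denied the user or the password did not decode (a wrong "
                          "shared secret looks like a wrong password to the server), so check the "
                          "server's event log and that PAP is allowed for CLI logins")
    return s
```

Run it over the output of `debug radius` pasted into a list of lines; the `hints` list is the checklist, and `server` plus `nas_ip_attr` are the two addresses to compare against the server's client entry and the switch's `radius-server host` line.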
CSS - Radius authentication problem
Hi,
for a customer we need to configure Radius authentication working like this:
- CSS administrator login to device at user level
- then switch to "enable" mode using a superuser level account.
First login to CSS with a Radius account at user level works fine, but (after the enable command) the login at superuser level doesn't work, neither with a Radius account nor with the local superuser account.
Ver.: 08.10.4.01
This is the configuration:
radius-server primary 10.113.212.17 secret XXX auth-port 1645
radius-server source-interface 10.113.212.32
sntp primary-server 10.113.205.1 version 3
date european-date
radius-server secondary 10.113.197.24 secret XXX auth-port 1645
radius-server dead-time 15
radius-server retransmit 15
radius-server timeout 15
virtual authentication primary radius
virtual authentication secondary local
username ZZZ des-password ZZZ superuser
Any idea?
Thanks in advance.
Is your server correctly configured as described at:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.10/configuration/security/guide/Radius.html#wp1108380
"From the Group Settings section of the Cisco Secure ACS HTML interface, click the IETF RADIUS Attributes, [006] Service-Type checkbox. Then select Administrative. Administrative is required to enable RADIUS authentication for privileged user (SuperUser) connection with the CSS. "
Gilles.
RADIUS authentication SF300-24P
We have just purchased 20x SF300-24P switches to be installed at our remote offices and we are unable to get RADIUS authentication to work. We already use RADIUS on all our primary network CISCO switches (e.g. 4506s, 3560s, 3750s, AP1231Gs, etc.) and these work fine, so we know the RADIUS server is working.
We are trying to use RADIUS authentication to gain management access onto these switches. Quite simply, although we can see that the RADIUS server is accepting the username and password being sent, the switch says "authentication failed" when it receives the response. We are using Microsoft NPS RADIUS Clients for authentication purposes.
We have upgraded the switches to the latest firmware 1.1.2.0; via the console it seems to have a very cut down IOS version, so we cannot use the typical CISCO command set to configure the RADIUS as we normally would. Looking at the web GUI there seem to be a number of options missing, including the Accounting port. When debugging is switched on there is no indication to say that any of the settings have been misconfigured.
Any advice you could offer would be gratefully received.
Mike Lewis
Here is the documentation excerpt:
For the RADIUS server to grant access to the web-based switch configuration
utility, the RADIUS server must return cisco-avpair = shell:priv-lvl=15.
User authentication occurs in the order that the authentication methods are
selected. If the first authentication method is not available, the next selected
method is used. For example, if the selected authentication methods are RADIUS
and Local, and all configured RADIUS servers are queried in priority order and do
not reply, the user is authenticated locally.
If an authentication method fails or the user has insufficient privilege level, the user
is denied access to the switch. In other words, if authentication fails at an
authentication method, the switch stops the authentication attempt; it does not
continue and does not attempt to use the next authentication method.
Of course the point of interest here is the second paragraph. The initial wording is the behavior you want. The second portion is very open to interpretation (I do agree it is somewhat ambiguous, but consistent with the switch behavior). When I read the example, it says that if the Radius is busy or not responding then you will authenticate locally, which seems fair enough. But what it doesn't say is whether you can use one or the other; instead it seems to be based on preference failure.
-Tom
Please rate helpful posts
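The two documentation paragraphs quoted in the post above describe two different events in a method list: a method that does not answer (move on to the next one) and a method that answers with a rejection or with insufficient privilege (stop, and never consult the next one). The following Python is an added example, not code from the thread or from Cisco, that models that walk with constructed user tables; the `priv_lvl` field stands in for the `shell:priv-lvl=15` attribute the excerpt says the RADIUS server must return. It shows why local credentials only work while the RADIUS server is unreachable, and why an account the server accepts without that attribute is still denied.

```python
from dataclasses import dataclass

ACCEPT, REJECT, UNAVAILABLE = "accept", "reject", "unavailable"


@dataclass
class Result:
    status: str
    priv_lvl: int = 0   # privilege level granted by the method (0 = none)


def radius_method(server_up, users):
    """Constructed RADIUS method: unavailable when no server answers; otherwise
    accept or reject from a toy user table that may carry shell:priv-lvl=15."""
    def authenticate(username, password):
        if not server_up:
            return Result(UNAVAILABLE)        # timeouts / dead server: try next method
        entry = users.get(username)
        if entry is None or entry["password"] != password:
            return Result(REJECT)             # Access-Reject: attempt ends here
        return Result(ACCEPT, entry.get("priv_lvl", 1))
    return authenticate


def local_method(users):
    """Constructed local user database; it is always available."""
    def authenticate(username, password):
        entry = users.get(username)
        if entry is None or entry["password"] != password:
            return Result(REJECT)
        return Result(ACCEPT, entry.get("priv_lvl", 1))
    return authenticate


def login(methods, username, password, required_priv=15):
    """Walk the method list as the SF300 documentation describes: fall through
    only on UNAVAILABLE; a reject, or an accept with insufficient privilege,
    ends the attempt without consulting later methods."""
    for name, method in methods:
        result = method(username, password)
        if result.status == UNAVAILABLE:
            continue
        if result.status == ACCEPT and result.priv_lvl >= required_priv:
            return ("granted", name, result.priv_lvl)
        if result.status == ACCEPT:
            return ("denied-insufficient-privilege", name, result.priv_lvl)
        return ("denied", name, result.priv_lvl)
    return ("denied-no-method-available", None, 0)


def scenarios():
    """Four constructed logins covering the cases the documentation distinguishes."""
    local_db = {"admin": {"password": "local-pw", "priv_lvl": 15}}
    radius_db = {
        "alice": {"password": "alice-pw", "priv_lvl": 15},   # server returns shell:priv-lvl=15
        "bob": {"password": "bob-pw"},                       # accepted, but no priv-lvl attribute
    }
    radius_up = [("radius", radius_method(True, radius_db)), ("local", local_method(local_db))]
    radius_down = [("radius", radius_method(False, radius_db)), ("local", local_method(local_db))]
    return {
        "radius_down_local_admin": login(radius_down, "admin", "local-pw"),
        "radius_up_local_admin": login(radius_up, "admin", "local-pw"),
        "radius_accept_priv15": login(radius_up, "alice", "alice-pw"),
        "radius_accept_no_priv": login(radius_up, "bob", "bob-pw"),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:28s} -> {outcome}")
```

The second scenario is the one Mike's switch is exhibiting: the server is reachable, so a reject (or an accept without the privilege attribute) is final and the local account is never tried. The practical consequence for operations is that local fallback protects only against server outage, not against a server-side policy mistake, so the privilege attribute on the server is the thing to verify.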
DACL does not get downloaded to Cisco Switch from ISE
Hello,
I have a cisco switch with ios: c3550-ipbasek9-mz.122-44.SE6.bin
I am trying to push a dACL from my ISE device to the switch, but it is not getting applied to the switch. Dynamic VLAN assignment works fine, but the dACL does not apply.
Any instruction plz?
Hi Jatin,
ISE is properly configured for dACL; I think there is some compatibility issue on the Cisco switch IOS.
Following is the debug output:
06:36:43: dot1x-packet:Received an EAP packet on interface FastEthernet0/11
06:36:43: EAPOL pak dump rx
06:36:43: EAPOL Version: 0x1 type: 0x0 length: 0x0006
06:36:43: dot1x-packet:Received an EAP packet on the FastEthernet0/11 from mac 0019.b981.e812
06:36:43: dot1x-sm:Posting EAPOL_EAP on Client=1D68028
06:36:43: dot1x_auth_bend Fa0/11: during state auth_bend_request, got event 6(eapolEap)
06:36:43: @@@ dot1x_auth_bend Fa0/11: auth_bend_request -> auth_bend_response
06:36:43: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_response_enter called
06:36:43: dot1x-ev:dot1x_sendRespToServer: Response sent to the server from 0019.b981.e812
06:36:43: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_request_response_action called
06:36:43: RADIUS/ENCODE(00000049):Orig. component type = DOT1X
06:36:43: RADIUS(00000049): Config NAS IP: 192.168.2.250
06:36:43: RADIUS/ENCODE(00000049): acct_session_id: 73
06:36:43: RADIUS(00000049): sending
06:36:43: RADIUS(00000049): Send Access-Request to 192.168.2.231:1812 id 1645/99, len 267
06:36:43: RADIUS: authenticator 5B 61 1D 64 D3 D5 9F AD - 23 E0 11 11 B3 C3 5C 81
06:36:43: RADIUS: User-Name [1] 6 "test"
06:36:43: RADIUS: Service-Type [6] 6 Framed [2]
06:36:43: RADIUS: Framed-MTU [12] 6 1500
06:36:43: RADIUS: Called-Station-Id [30] 19 "00-11-5C-6E-5E-0B"
06:36:43: RADIUS: Calling-Station-Id [31] 19 "00-19-B9-81-E8-12"
06:36:43: RADIUS: EAP-Message [79] 8
06:36:43: RADIUS: 02 7A 00 06 0D 00 [ z]
06:36:43: RADIUS: Message-Authenticato[80] 18
06:36:43: RADIUS: A6 AB 5A CA ED B8 B4 1E 36 00 9D AB 1A F6 B9 E0 [ Z6]
06:36:43: RADIUS: Vendor, Cisco [26] 49
06:36:43: RADIUS: Cisco AVpair [1] 43 "audit-session-id=C0A802FA0000006F016B36D8"
06:36:43: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
06:36:43: RADIUS: NAS-Port [5] 6 50011
06:36:43: RADIUS: NAS-Port-Id [87] 18 "FastEthernet0/11"
06:36:43: RADIUS: State [24] 80
06:36:43: RADIUS: 33 37 43 50 4D 53 65 73 73 69 6F 6E 49 44 3D 43 [37CPMSessionID=C]
06:36:43: RADIUS: 30 41 38 30 32 46 41 30 30 30 30 30 30 36 46 30 [0A802FA0000006F0]
06:36:43: RADIUS: 31 36 42 33 36 44 38 3B 33 35 53 65 73 73 69 6F [16B36D8;35Sessio]
06:36:43: RADIUS: 6E 49 44 3D 69 73 65 2D 73 65 72 76 65 72 2D 31 [nID=ise-server-1]
06:36:43: RADIUS: 2F 31 37 31 30 32 35 39 38 38 2F 32 34 3B [ /171025988/24;]
06:36:43: RADIUS: NAS-IP-Address [4] 6 192.168.2.250
06:36:43: %LINK-3-UPDOWN: Interface FastEthernet0/11, changed state to up
06:36:43: RADIUS: Received from id 1645/99 192.168.2.231:1812, Access-Challenge, len 1134
06:36:43: RADIUS: authenticator 78 36 A3 38 30 1C F0 7A - 19 83 93 81 B4 6B FF 9E
06:36:43: RADIUS: State [24] 80
06:36:43: RADIUS: 33 37 43 50 4D 53 65 73 73 69 6F 6E 49 44 3D 43 [37CPMSessionID=C]
06:36:43: RADIUS: 30 41 38 30 32 46 41 30 30 30 30 30 30 36 46 30 [0A802FA0000006F0]
06:36:43: RADIUS: 31 36 42 33 36 44 38 3B 33 35 53 65 73 73 69 6F [16B36D8;35Sessio]
06:36:43: RADIUS: 6E 49 44 3D 69 73 65 2D 73 65 72 76 65 72 2D 31 [nID=ise-server-1]
06:36:43: RADIUS: 2F 31 37 31 30 32 35 39 38 38 2F 32 34 3B [ /171025988/24;]
06:36:43: RADIUS: EAP-Message [79] 255
06:36:43: RADIUS: 4D 5D 13 47 FC 46 16 EE 62 76 40 09 77 48 31 B6 01 6B 5E 52 33 56 A2 1E 34 [M]GFbv@wH1k^R3V4]
06:36:43: RADIUS: 02 32 39 FA 4D CA 79 18 4A 42 A2 4E 5C BD AE 29 D2 3D D1 5A FC C2 ED 3E E5 FB C6 B8 D8 DE A8 75 EB 3A A5 7D 02 03 01 00 01 A3 81 CD 30 [29MyJBN\)=Z>u:}0]
06:36:43: RADIUS: 81 CA 30 0B 06 03 55 1D 0F 04 04 03 02 01 86 30 0F 06 03 55 1D 13 01 01 FF 04 05 30 03 01 01 FF 30 1D 06 03 55 1D 0E 04 16 04 14 C4 56 80 A7 C9 18 50 92 EE CC 91 D4 E1 EC DB AD E7 1E 70 A8 30 79 06 03 55 1D 1F 04 72 30 70 [0U0U00UVPp0yUr0p]
06:36:43: RADIUS: 30 6E A0 6C A0 6A 86 32 68 74 74 70 3A 2F 2F 73 79 73 6C [0nlj2http://sysl]
06:36:43: RADIUS: 6F 67 2D 73 65 72 76 65 72 2F 43 65 72 74 45 6E [og-server/CertEn]
06:36:43: RADIUS: 72 6F 6C 6C 2F 46 4D 46 42 5F 54 72 75 73 74 65 [roll/FMFB_Truste]
06:36:43: RADIUS: 64 43 41 2E 63 72 6C 86 34 66 69 6C 65 3A 2F 2F 5C [dCA.crl4file://\]
06:36:43: RADIUS: 5C 73 79 73 6C 6F 67 2D 73 65 72 76 65 72 5C 43 [\syslog-server\C]
06:36:43: RADIUS: 65 72 74 45 6E 72 6F 6C 6C 5C 46 4D 46 42 5F 54 [ertEnroll\FMFB_T]
06:36:43: RADIUS: 72 75 73 74 65 64 43 41 2E [ rustedCA.]
06:36:43: RADIUS: EAP-Message [79] 251
06:36:43: RADIUS: 63 72 6C 30 10 06 09 2B 06 01 04 01 82 37 15 01 04 03 02 01 00 30 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 00 03 82 01 01 00 63 BA F8 CE D5 8B 0E 94 77 AE 86 6C 37 AB 2F 36 9A B2 85 D5 4A [crl0+70*Hcwl7/6J]
06:36:43: RADIUS: 74 8C 33 F5 93 06 A6 57 8D 39 56 8F 02 08 97 CB C6 08 70 8C 22 1E 5D 1F A8 26 6D 60 1F 05 62 D1 24 AB 03 8C 41 F8 1C F1 F8 C2 87 8B 97 02 71 FC 6A [t3W9Vp"]&m`b$Aqj]
06:36:43: RADIUS: EB 12 FC DD 8C 5C 9C 2D AF D2 C4 1C 18 1B 40 BE 78 B0 54 55 59 89 03 1B B7 FB 91 85 EE CA C0 18 1C 78 5D 4D BA FA 9E 44 D3 45 53 A3 BE 46 8A FB 81 BD F1 4C B3 3B [\-@xTUYx]MDESFL;]
06:36:43: RADIUS: D6 66 7E 5B 79 9F 83 53 5E 49 92 B5 7F E5 1A E2 86 8C 83 96 7D 75 A5 1D 08 4E 32 C3 5E EC BF 28 53 EC 53 8A C3 E0 36 [f~[yS^I}uN2^(SS6]
06:36:43: RADIUS: 82 EE AA 0D 38 3E BA 9C 1D D9 24 BD 48 A6 EE 44 BD 95 68 85 CA 8C 44 F8 E8 A2 FB 94 BC 6F 7C F2 06 91 6C A0 A6 BB 7B 7F 56 BD 15 32 A4 [ 8>$HDhDo|l{V2]
06:36:43: RADIUS: Message-Authenticato[80] 18
06:36:43: RADIUS: DD 82 F7 10 3F C7 B5 62 9B 2A BB 24 16 A7 59 33 [ ?b*$Y3]
06:36:44: RADIUS(00000049): Received from id 1645/99
06:36:44: RADIUS/DECODE: EAP-Message fragments, 253+253+253+249, total 1008 bytes
06:36:44: dot1x-packet:Received an EAP request packet from EAP for mac 0019.b981.e812
06:36:44: dot1x-sm:Posting EAP_REQ on Client=1D68028
06:36:44: dot1x_auth_bend Fa0/11: during state auth_bend_response, got event 7(eapReq)
06:36:44: @@@ dot1x_auth_bend Fa0/11: auth_bend_response -> auth_bend_request
06:36:44: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_response_exit called
06:36:44: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_request_enter called
06:36:44: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1 id: 0x7B length: 0x03F0 type: 0xD data: @Cfui[ab2,Jt1){ 2]g&GZ1pIbu;+Ga;iF"jy#
oohuV.aFZ4_|
P0`At )B
06:36:44: dot1x-ev:FastEthernet0/11:Sending EAPOL packet to group PAE address
06:36:44: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/11.
06:36:44: RADIUS: Message-Authenticato[80] 18
06:36:44: RADIUS: F5 B0 56 D3 C6 87 BD 10 6E C7 4A 72 5B 5C 60 C5 [ VnJr[\`]
06:36:44: RADIUS: Vendor, Cisco [26] 49
06:36:44: RADIUS: Cisco AVpair [1] 43 "audit-session-id=C0A802FA0000006F016B36D8"
06:36:44: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
06:36:44: RADIUS: NAS-Port [5] 6 50011
06:36:44: RADIUS: NAS-Port-Id [87] 18 "FastEthernet0/11"
06:36:44: RADIUS: State [24] 80
06:36:44: RADIUS: 33 37 43 50 4D 53 65 73 73 69 6F 6E 49 44 3D 43 [37CPMSessionID=C]
06:36:44: RADIUS: 30 41 38 30 32 46 41 30 30 30 30 30 30 36 46 30 [0A802FA0000006F0]
06:36:45: dot1x-ev:FastEthernet0/11:Sending EAPOL packet to group PAE address
06:36:45: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/11.
06:36:45: dot1x-registry:registry:dot1x_ether_macaddr called
06:36:45: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/11
06:36:45: EAPOL pak dump Tx
06:36:45: EAPOL Version: 0x2 type: 0x0 length: 0x0039
06:36:45: EAP code: 0x1 id: 0x7E length: 0x0039 type: 0xD
06:36:45: dot1x-packet:dot1x_txReq: EAPOL packet sent to client (0019.b981.e812)
06:36:45: dot1x-sm:Fa0/11:0019.b981.e812:auth_bend_response_request_action called
06:36:46: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/11.
06:36:46: dot1x-packet:dot1x_mgr_process_eapol_pak: queuing an EAPOL pkt on Authenticator Q
06:36:46: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
06:36:46: EAPOL pak dump rx
06:36:46: EAPOL Version: 0x1 type: 0x0 length: 0x0006
06:36:46: dot1x-ev:
dot1x_auth_queue_event: Int Fa0/11 CODE= 2,TYPE= 13,LEN= 6
06:36:46: dot1x-packet:Received an EAPOL frame on interface FastEthernet0/11
06:36:46: dot1x-ev:Received pkt saddr =0019.b981.e812 , daddr = 0180.c200.0003,
pae-ether-type = 888e.0100.0006
06:36:46: dot1x-ev:dot1x_auth_process_eapol: EAPOL flag status of the port Fa0/11 is TRUE
SG 300-10 802.1x radius authentication slowness
We have 802.1x authentication via radius and vlan-id tagging with guest vlan fallback working successfully, but we've noticed that no matter what settings we try for the port, it seems that the switch takes about 20 seconds after the port comes up before it sends the authentication request to the radius server.
We tried enabling portfast under stp and when the port is connected, it does immediately come up, and the user is pushed to the guest vlan, and then after about 20 seconds the prompt comes up and credentials can be entered and then it will send the request to the radius server. If the credentials are saved, it still takes the same amount of time before it sends those saved credentials.
I'm curious if this is intended behavior, a limitation of the hardware, or a setting on the port I'm missing. We tried lowering the various quiet-period, silence-period, etc. timeouts, and are still seeing the same results. All tested OSes (OSX, Windows 7+8, Ubuntu + Arch nix) experienced the same results.
Any advice would be appreciated, thank you!
See below for our conf:
net055#show running-config
config-file-header
net055
v1.3.7.18 / R750_NIK_1_35_647_358
CLI v1.0
set system mode switch
file SSD indicator encrypted
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
dot1x guest-vlan timeout 30
vlan database
default-vlan vlan 3333
exit
vlan database
vlan 1,100,102,104,111
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
dot1x system-auth-control
hostname net055
line console
exec-timeout 30
exit
line ssh
exec-timeout 0
exit
encrypted radius-server host 172.16.200.57 key REMOVED= usage dot1.x
radius-server host source-interface vlan 100
management access-list mlist2
permit ip-source 172.16.202.0 mask 255.255.255.0
permit ip-source 172.16.200.0 mask 255.255.255.0
exit
management access-class mlist2
aaa authentication enable default enable none
aaa accounting dot1x start-stop group radius
enable password level 15 encrypted REMOVED
no service password-recovery
no passwords complexity enable
passwords aging 0
username REMOVED privilege 15
username REMOVED privilege 15
ip ssh server
ip ssh password-auth
ip http timeout-policy 1800 https-only
no ip http server
tacacs-server timeout 10
clock timezone EST -5
clock source sntp
sntp unicast client enable
sntp server 172.16.100.95
ip name-server 8.8.4.4
interface vlan 100
ip address 172.16.200.21 255.255.255.0
no ip address dhcp
interface vlan 102
name dev-0-Gnv-202.0
interface vlan 104
name gen-0-Gnv-204.0
interface vlan 111
name guest-0-Gnv-10-66-61.0
dot1x guest-vlan
interface gigabitethernet1
switchport trunk allowed vlan add 100,102,104,111
interface gigabitethernet2
dot1x guest-vlan enable
dot1x reauthentication
dot1x timeout supp-timeout 5
dot1x radius-attributes vlan static
dot1x port-control auto
spanning-tree portfast
interface gigabitethernet3
dot1x guest-vlan enable
dot1x reauthentication
dot1x radius-attributes vlan static
dot1x port-control auto
interface gigabitethernet4
dot1x guest-vlan enable
dot1x reauthentication
dot1x radius-attributes vlan static
dot1x port-control auto
interface gigabitethernet5
dot1x guest-vlan enable
dot1x reauthentication
dot1x radius-attributes vlan static
dot1x port-control auto
spanning-tree portfast
interface gigabitethernet6
dot1x guest-vlan enable
dot1x reauthentication
dot1x radius-attributes vlan static
dot1x port-control auto
spanning-tree portfast
interface gigabitethernet7
dot1x guest-vlan enable
dot1x max-req 10
dot1x reauthentication
dot1x timeout quiet-period 5
dot1x radius-attributes vlan static
dot1x port-control auto
interface gigabitethernet8
dot1x guest-vlan enable
dot1x reauthentication
dot1x radius-attributes vlan static
dot1x port-control auto
interface gigabitethernet9
dot1x guest-vlan enable
dot1x reauthentication
dot1x radius-attributes vlan static
dot1x port-control auto
spanning-tree portfast
interface gigabitethernet10
dot1x guest-vlan enable
dot1x reauthentication
dot1x radius-attributes vlan static
dot1x port-control auto
exit
ip default-gateway 172.16.200.1
Forgot to follow up here.
This is a known deficiency of how the SG300 line implements 802.1x vs how all other Cisco switches implement it (and how other vendors implement it). The support tech said Cisco was unwilling to fix this deficiency (he would never provide a reason why).
If you have OSX and 802.1x and don't want it to take >30 seconds for users to get auth'd, I would suggest going to another vendor, since Cisco has said they will not fix this issue.