Radius Authentication for FWSM

Hello, this is my first posting so I apologize if I accidentally disobeyed any posting rules.
Thank you to any and all that respond.
My problem is setting up Authentication to my FWSM through my Radius server.
My Radius server is set up by the ASDM, and I can run its test successfully. However, when I tell my FWSM to use Radius as its primary Authentication, my username and password no longer work. I have to remove the FWSM entry in my Radius database so the FWSM reverts back to its local database in order for me to regain access to it.
I do not think this is a problem with ACLs or the FWSM itself; once again, my FWSM does pass an initial test of my Radius configuration before I apply it.
Is there something I am missing here?
FWSM Firewall Version 4.1(5)
Device Manager Version 6.2(2)F
Radius server - Windows Server 2003 (IAS - Radius standard)

Hi,
What do you want your radius server to be used as for authentication?
could you please paste the output of:
sh run | in aaa
sh run aaa-server
Regards,
Anisha

Similar Messages

  • Radius authentication for the browser-based webtop

    Hiya all,
    With help of the radius-authentication module for apache (http://www.freeradius.org/mod_auth_radius/) and web-authentication it is possible to use radius-authentication for the classic-webtop. Has anyone got Radius authentication working for the browser-based webtop?
    SSGD version:
    Sun Secure Global Desktop Software for Intel Solaris 10+ (4.30.915)
    Architecture code: i3so0510
    This host: SunOS sgd1.<removed> 5.10 Generic_118855-36 i86pc i386 i86pc
    I have the radius-module running for authentication of a single directory with the apache-config-lines:
    SetEnvIf Request_URI "\.(cab|jar|gif|der)$" sgd_noauth_ok
    <LocationMatch "/secure">
    Order Allow,Deny
    Allow from env=sgd_noauth_ok
    AuthName "Radius authentication for SGD"
    Authtype Basic
    AuthRadiusAuthoritative on
    AuthRadiusCookieValid 540
    AuthRadiusActive On
    Require valid-user
    Satisfy any
    </LocationMatch>
    When changing the line <LocationMatch "/secure"> to <LocationMatch "/sgd"> the browser asks for authentication and then a 'Not Found' page is being displayed.
    When using the config-lines from http://docs.sun.com/source/819-6255/webauth_config_browser.html the login-page is being displayed normally and SSGD works.
    The main difference I can find between the location /secure and /sgd is: /secure is a simple directory and /sgd is a JkMount to Tomcat.
    Changing the JkLogLevel to debug gives the following info in the JkLogFile:
    Radius authentication:
    [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (449): Attempting to map URI '/sgd' from 5 maps
    [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/examples/*'
    [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/axis/*'
    [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/sgd/*'
    [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/axis'
    [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/sgd'
    [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (486): Found an exact match tta -> /sgd
    With the password-authentication file:
    [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (449): Attempting to map URI '/sgd/' from 5 maps
    [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/examples/*'
    [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/axis/*'
    [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/sgd/*'
    [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (475): Found a wildchar match tta -> /sgd/*
    [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_get_worker_for_name::jk_worker.c (111): found a worker tta
    [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_maintain::jk_worker.c (301): Maintaining worker axis
    [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_maintain::jk_worker.c (301): Maintaining worker tta
    [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_maintain::jk_worker.c (301): Maintaining worker examples
    It seems that the JkMount is not being evaluated correctly after using the radius-authentication.
    Any help will be useful since I am already stuck on this problem for a couple of days :(
    Thanks,
    Remold | Everett

    I got response from the Fat Bloke on the mailing list.
    Adding the following line in the apache httpd.conf seems to help and resolved my problem:
    Alias /sgd "/opt/tarantella/webserver/tomcat/5.0.28_axis1.2final_jk1.2.8/webapps/sgd"
    Thanks The Fat Bloke !!
    - Remold
    These instructions are for a 4.2 SGD installation using SGD's third party web authentication with mod_auth_radius.so (www.freeradius.org).
    With 4.2 Sun didn't distribute enough of the Apache configured tree to enable the use of axps to build the mod_auth_radius module, 4.3 is better - Sun now install a modified axps and include files, I haven't tried this with 4.3 yet though.
    I built the mod_auth_radius module for Apache 1.3.33 (shipped with 4.2)
    So, this is how we got this working with Radius (tested with SBR server and freeradius.org server.)
    Install SGD in the usual way.
    Enable 3rd party authentication:
    According to:
    http://docs.sun.com/source/819-4309-10/en-us/base/standard/webauth_config_browser.html
    Configure the Tomcat component of the Secure Global Desktop Web Server to trust the web server authentication. On each array member, edit the /opt/tarantella/webserver/tomcat/version/conf/server.xml file. Add the following attribute to the connector element (<Connector>) for the Coyote/JK2 AJP 1.3 Connector:
    tomcatAuthentication="false"
    # cat /opt/tarantella/webserver/tomcat/5.0.28_axis1.2final_jk1.2.8/conf/server.xml
    <!-- Define a Coyote/JK2 AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" minProcessors="5" maxProcessors="75"
    tomcatAuthentication="false"
    enableLookups="true" redirectPort="8443"
    acceptCount="10" debug="0" connectionTimeout="0"
    useURIValidationHack="false"
    protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"/>
    "By default, for security reasons, Secure Global Desktop Administrators can't log in to the browser-based webtop with web server authentication. The standard login page always displays for these users even if they have been authenticated by the web server. To change this behavior, run the following command:"
    # tarantella config edit --tarantella-config-login-thirdparty-allowadmins 1
    Without this, after authenticating via webauth, the user will be prompted for a second username and password combination.
    # /opt/tarantella/bin/tarantella objectmanager &
    # /opt/tarantella/bin/tarantella arraymanager &
    In Array Manager:
    Select "Secure Global Desktop Login" on left side and click "Properties" at bottom
    Under "Secure Global Desktop Login Properties"
    cd /opt/tarantella/webserver/apache/1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/conf
    edit httpd.conf:
    ### For SGD Apache based authentication
    Include conf/httpd4radius.conf
    at the end of httpd.conf add:
    Alias /sgd "/opt/tarantella/webserver/tomcat/5.0.28_axis1.2final_jk1.2.8/webapps/sgd"
    # cat httpd4radius.conf
    LoadModule radius_auth_module libexec/mod_auth_radius.so
    AddModule mod_auth_radius.c
    # Add to the BOTTOM of httpd.conf
    # If we're using mod_auth_radius, then add its specific
    # configuration options.
    <IfModule mod_auth_radius.c>
    # AddRadiusAuth server[:port] <shared-secret> [ timeout [ : retries ]]
    # Use localhost, the old RADIUS port, secret 'testing123',
    # time out after 5 seconds, and retry 3 times.
    AddRadiusAuth radiusserver:1812 testing123 5:3
    # AuthRadiusBindAddress <hostname/ip-address>
    # Bind client (local) socket to this local IP address.
    # The server will then see RADIUS client requests will come from
    # the given IP address.
    # By default, the module does not bind to any particular address,
    # and the operating system chooses the address to use.
    # AddRadiusCookieValid <minutes-for-which-cookie-is-valid>
    # the special value of 0 (zero) means the cookie is valid forever.
    AddRadiusCookieValid 5
    </IfModule>
    <LocationMatch /radius >
    Order Allow,Deny
    AuthType Basic
    AuthName "RADIUS Authentication"
    AuthAuthoritative off
    AuthRadiusAuthoritative on
    AuthRadiusCookieValid 5
    AuthRadiusActive On
    Require valid-user
    Satisfy any
    </LocationMatch>
    SetEnvIf Request_URI "\.(cab|jar|gif|der)$" sgd_noauth_ok
    <LocationMatch /sgd >
    Order Allow,Deny
    Allow from env=sgd_noauth_ok
    AuthType Basic
    AuthName "RADIUS Authentication"
    AuthAuthoritative off
    AuthRadiusAuthoritative on
    AuthRadiusCookieValid 5
    AuthRadiusActive On
    Require valid-user
    Satisfy any
    </LocationMatch>
    Put appropriate mod_auth_radius.so into /opt/tarantella/webserver/apache/1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/libexec
    # mkdir /opt/tarantella/webserver/apache/1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/htdocs/radius/
    # cat /opt/tarantella/webserver/apache/1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/htdocs/htpasswd/index.html
    <HTML>
    <HEAD>
    <TITLE> Test Page for RADIUS authentication </TITLE>
    </HEAD>
    <BODY>
    <B> You have reached the test page for RADIUS authentication. </B>
    </BODY>
    </HTML>
    I hope this helps!
    -FB

  • NAC guest server with RADIUS authentication for guests issue.

    Hi all,
    We have just finally successfully installed our Cisco NAC guest server. We have version 2 of the server and basically the topology consists of a wism at the core of the network and a 4402 controller at the dmz, then out the firewall, no issues with that. We do however have a few problems, how can we provide access through a proxy without using pak files obviously, and is there a way to specify different proxies for different guest traffic, based on IP or a radius attribute etc.
    The second problem is more serious; refer to the documentation below from the configuration guide for guest nac server v2. It states that hotspots can be used and the Authentication option would allow radius authentication for guests. I’ve been told otherwise by Cisco and they say it can’t be done; has anyone got radius authentication working for guests?
    https://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_hotspots.html
    -----START QUOTE-----
    Step 7 From the Operation mode dropdown menu, you can select one of the following methods of operation:
    •Payment Provider—This option allows your page to integrate with a payment providing billing system. You need to select a predefined Payment Provider from the dropdown. (Refer to Configuring Payment Providers for details.) Select the relevant payment provider and proceed to Step 8.
    •Self Service—This option allows guest self service. After selection proceed to Step 8.
    •Authentication—This option allows RADIUS authentication for guests. Proceed to Step 9.
    ----- END QUOTE-----
    Your help is much appreciated on this, I’ve been looking forward to this project for a long time and it’s a bit of an anticlimax that I can’t authenticate guests with radius (We use ACS and I was hoping to hook radius into an ODBC database we have set up called open galaxy)
    Regards
    Kevin Woodhouse

    Well I will try to answer your 2nd question.... will it work... yes.  It is like any other radius server (high end:))  But why would you do this for guests.... there is no reason to open up a port on your FW and to add guest accounts to and worse... add them in AD.  Your guest anchor can supply a web-auth, is able to have a lobby admin account to create guest accounts and if you look at it, it leaves everything in the DMZ.
    Now if you are looking at the self service.... what does that really give you.... you won't be able to control who gets on, people will use bogus info and last but not least.... I have never gotten that to work right.  Had the BU send me codes that never worked, but again... that was like a year ago and maybe they fixed that.  That is my opinion.

  • Radius authentication for privileged access

    Hello,
              I have configured Cisco 6513 for radius authentication with following commands.
    aaa new-model
    aaa authentication login authradius group radius line
    aaa accounting exec acctradius start-stop group radius
    radius-server host <radius-ip> auth-port 1812 acct-port 1646 key 6912911
    line vty 0 4
    accounting exec acctradius
    login authentication authradius
         This is working pretty fine. I want to configure radius authentication for privileged access / for enable access.
         I am using TeKRadius as Radius server.
         Please help.
    Thanks and Regards,
    Pratik

    Hi Pratik
    Sorry I mostly use only TACACS+ for AAA as it provides better granularity of access controls.
    You'll need to make some specific changes to your RADIUS config so that nominated users ( the ones you want to be able to go to enable mode ) get put straight into enable mode upon login.
    There's a guide here http://www.blindhog.net/cisco-aaa-login-authentication-with-radius-ms-ias/ which details the steps if you're using the Microsoft IAS radius server - you should be able to figure out the changes you need to make to your own server from there.
    Nick
    Message was edited by: NickNac79 - Spelt the OP's name wrong, sorry.

  • RADIUS Authentication for Guest users

    Hi,
    I currently use a 4402 WLC located in our DMZ to authenticate Guest users - local authentication is in place.  I would not like to set up RADIUS authentication via a Cisco NAC server.  In order not to affect current guest users, I created a new WLAN and configured with RADIUS server details under WLANs->Edit->Security.  I can associate to new WLAN and obtain a DHCP address no problem, but when I browse to an external website, I do not get prompted for authentication from the RADIUS server.  I don't see any auth requests hitting our firewall, so am assuming the problem is with the WLC config.
    Can anyone provide any details of what config is required?
    Security Policy - Web-Auth
    Security-> L2 - None
    Security-> L3 - Authentication
    Security-> AAA Servers - Auth and Acc server set
    Many thanks
    Liam

    your setup sounds pretty okay. have you got local user accounts set up on the WLC for the test WLAN? if you do, check to see that the priority order for web authentication for the test WLAN prefers the AAA account. you will have to do it directly on your controller as i do not think you have that option in WCS.
    hope that helps

  • Mac OS X Server 10.5 Radius authentication for non airport devices

    We have an Astaro Security Gateway 220 that we are planning to use for VPN and other services; we would like to use our Xserve to do authentication for our VPN like we already do for our other services on the device. To do so requires that we use Radius as the communication protocol between the server and the gateway. It works just fine to test authenticate as long as I don't set a Nas-Identifier for the test, but as soon as I do it fails. The Nas-Identifiers are used to determine which services the account has access to and are named logically for that; things like http, pptp, etc. are used. I can't figure out how to get the gateway to be able to authenticate users. I don't need to be able to limit based on user which services they can access; any service that has a restricted set of users other than just valid users will be handled separately outside this system. If anyone can give me any good ideas on how to solve this it would be appreciated. We currently are only looking at radius for this; while we use airports for our wireless we don't link them into the server currently, though there is a slight chance it will happen in the future.
    Thanks,
    Glenn McGurrin

    I found the problem. When turning off ClamAv virus scanning and Spam filtering everything runs fine again. So now we only have to repair those functions...

  • RADIUS authentication for IDS admin

    Hi,
    We've decided to centralize our accounts and are using ACS to authenticate admin access to switches, firewalls and to the CS-MARS by RADIUS. I'd like to extend that authentication also to the IDSMs running on our switches and to our CSS1100 boxes. Can this be done? how about network sensor appliances (i.e. 4200)? I've looked into the documentation but haven't found what I'm looking for. Any help is appreciated.
    Thanks, Joe

    The current released versions of IPS do not support RADIUS authentication. However the support is being introduced in later versions like 7.1.x
    Madhu

  • RADIUS Authentication for Enable PW

    Hi Everyone,
    I have my RADIUS authentication working for login passwords but not for the enable password. My config is below;
    aaa new-model
    aaa authentication login default group radius local
    aaa accounting network default start-stop group radius
    When I add the command;
    aaa authentication enable default group radius enable
    I would expect it to allow me to enter my RADIUS pw for the enable one too, but it doesn't. Nor does it allow me to enter the locally configured one?
    Any help would be great,
    Thanks,
    Dan

    Thanks for your reply Rick,
    The debug output is below;
    L2-SW01>
    00:03:02: RADIUS: Authenticating using $enab15$
    00:03:02: RADIUS: ustruct sharecount=1
    00:03:02: RADIUS: Initial Transmit tty0 id 3 x.x.x.x:1812, Access-Request,
    len 72
    00:03:02: Attribute 4 6 AC14024F
    00:03:02: Attribute 5 6 00000000
    00:03:02: Attribute 61 6 00000000
    00:03:02: Attribute 1 10 24656E61
    00:03:02: Attribute 2 18 524FB069
    00:03:02: Attribute 6 6 00000006
    00:03:02: RADIUS: Received from id 3
    x.x.x.x:1812, Access-Reject, len 20
    00:03:02: RADIUS: saved authorization data for user E49424 at 93C6DC
    L2-SW01>
    L2-SW01>
    I am using IAS for RADIUS authentication and I cannot find any option to say "allow enable access".
    Any ideas?
    Cheers,
    Dan

  • Radius authentication for wifi users

    Hi all,
    I have an Aironet 1250 access point and I have a Windows 2003 radius server configured to authenticate users.
    I need to configure the access point for radius authentication .
    Can anyone please help me to configure the access point .
    thanks in advance ,
    Selva

    See here for configuration examples, look for the autonomous examples:
    http://www.cisco.com/en/US/products/ps6087/prod_configuration_examples_list.html
    Thanks
    Chris

  • RADIUS authentication for SGE2010 switch

    I am trying to configure a SGE2010 switch to use RADIUS authentication. At the moment, the NPS (Windows Server 2008r2 RADIUS) server is receiving the access request and is returning an access accept.
    The switch does not let us log in.
    Cisco-sw1(config)# 09-Nov-2009 21:10:35 %AAA-W-REJECT: New telnet connection for
    user P@ssw0rd, source 192.168.10.213 destination   REJECTED
    Note: It is printing the user's password instead of the username.
    I suspect it is something to do with the cisco-AV-pair attribute. I have tried the following values but nothing works:
    Shell:priv-lvl=15
    Shell = 15
    Level = 15
    Relevant lines from switch configuration:
    radius-server host 192.168.1.23 key P@llssw0rd88
    aaa authentication enable default none
    aaa authentication login default radius
    Any help would be more than greatly appreciated.

    The problem isn't that it is rejecting me. Using network monitor I can see it is accepting the request but for some reason just won't log me in.
    A link was sent to me to another website where it shows that you have to go into the settings tab of the policy and change the radius attribute
    to Service-Type Administrative.
    After doing that, I was able to log into the switch with any of the windows domain users I had specified.
    This is the link that gave me the answer
    http://wiki.freeradius.org/Linksys

  • AAA Radius Authentication for Calling Card Platform

    Hi,
    I am using AS5350 and I am using it for calling card application using Clear Box as my RADIUS Server for AAA. My question now, how would I know if cisco is sending the dtmf for "enter card number.au" on the RADIUS server? Is the card number included in the VSA? Below are my configurations and the debug info. The problem here is that the card number that I entered isn't able to match against the configuration on my Clear Box/SQL Database. I want to know what should I expect from Cisco AS5350 to send as a VSA for enter_card_number?
    aaa new-model
    aaa group server radius ClearBox
    server 192.168.1.1 auth-port 1812 acct-port 1813
    aaa authentication login default local
    aaa authentication login h323 group ClearBox
    aaa authorization exec h323 group ClearBox
    aaa accounting exec default start-stop group ClearBox
    aaa accounting network default start-stop group ClearBox
    aaa accounting connection h323 start-stop group ClearBox
    aaa session-id unique
    radius-server host 192.168.1.1 auth-port 1812 acct-port 1813
    radius-server key 7 0355481F031F761D
    radius-server vsa send accounting
    radius-server vsa send authentication
    call application voice prepaid tftp://192.168.1.2/debitcard-multi-lang-Cisco.1.1.0.2.tcl
    call application voice prepaid pin-len 10
    call application voice prepaid warning-time 300
    call application voice prepaid redirect-number 8662195822
    call application voice prepaid language 1 en
    call application voice prepaid language 2 sp
    call application voice prepaid language 3 ch
    call application voice prepaid set-location en 0 tftp://192.168.1.2/prompts/
    call application voice prepaid set-location sp 0 tftp://192.168.1.2/prompts/
    call application voice prepaid set-location ch 0 tftp://192.168.1.2/prompts/
    gw-accounting aaa
    ==================================================
    Getting session id for NET(00003600) : db=6418E654
    AA/ACCT/NET(00003600): add, count 1
    Getting session id for NET(00003601) : db=6410D098
    AAA/ACCT/NET(00003601): add, count 1
    AAA/ACCT/CONN(00003601): Pick method list 'h323'
    AAA/ACCT/SETMLIST(00003601): Handle 94000002, mlist 62D3B124, Name h323
    Getting session id for CONN(00003601) : db=6410D098
    AAA/ACCT/CONN(00003601): Queueing record is START
    AAA/ACCT(00003601): Accouting method=ClearBox (RADIUS)
    AAA/ACCT/EVENT/(00003601): ATTR ADD
    AAA/ACCT/CONN(00003601): START protocol reply PASS
    AAA/ACCT/EVENT/(00003601): VOICE DOWN
    AAA/ACCT/HC(00003601): Update VOICE/000020D3
    AAA/ACCT/HC(00003601): VOICE/000020D3 [sess] (rx/tx) base 0/0 pre 0/0 call 0/0
    AAA/ACCT/HC(00003601): VOICE/000020D3 [sess] (rx/tx) adjusted, pre 0/0 call 0/0
    AAA/ACCT/CONN(00003601): Queueing record is STOP osr 1
    AAA/ACCT(00003601): del node, session 174133
    AAA/ACCT/CONN(00003601): free_rec, count 1
    AAA/ACCT/CONN(00003601): Setting session id 174144 : db=6410D098
    AAA/ACCT/HC(00003601): Update VOICE/000020D3
    AAA/ACCT/HC(00003601): Deregister VOICE/000020D3
    AAA/ACCT/EVENT/(00003601): CALL STOP
    AAA/ACCT/CALL STOP(00003601): Sending stop requests
    AAA/ACCT(00003601): Send all stops
    AAA/ACCT/NET(00003601): STOP
    AAA/ACCT/NET(00003601): Method list not found
    AAA/ACCT/CONN(00003601): STOP protocol reply PASS
    AAA/ACCT/CONN(00003601) Record not present

    VSAs are collected by the RADIUS server during the accounting process when AAA is configured with the Debit Card feature. Data items are collected for each call leg created on the gateway. A call leg is the internal representation of a connection on the gateway. Each call made through the gateway consists of two call legs: incoming and outgoing. The call leg information emitted by the gateways can be correlated by the connection ID, which is the same for all call legs of a connection.
    Use the H.323 VSA method of accounting when configuring the AAA application.
    There are two modes:
    •Overloaded Session-ID
    Use the gw-accounting h323 syslog command to configure this mode.
    •VSA
    Use the gw-accounting h323 vsa command to configure this mode.

  • ISE - AAA radius authentication for NAD access

    Hi ,
    I have configured the switches to use the ISE as the Radius server to authenticate with, on the ISE I've configured an authentication policy
    for the "NADs" using the "Wired Devices" group which points to the AD identity source to authenticate against.
    While testing the login access to the switches we've come up with 2 results:
    1. A domain user can indeed login to the switch as intended.
    2. Every domain user which exists in the AD identity source can login, this is an undesired result.
    So I am trying to search for a way to restrict access to the NADs to only a particular group belonging to the AD, for example the group/ou
    of the IT_department only.
    I haven't been successful, would appreciate any ideas on how to accomplish this.
    Switch configurations :
    =================
    aaa new-model
    aaa authentication login default group radius local
    ISE Authentication policy
    ==================
    Policy Name : NADs Authentication
    Condition:  "DEVICE:Device Type Equals :All Device Types#Wired"
    Allowed Protocol : Default Network Access
    use identity source : AD1

    Thank you for the quick replies, and now ok, I've configured the following authorization policy:
    Rule Name : Nad Auth
    Conditions
    if: Any
    AND : AD1:ExternalGroups EQUALS IT_Departments
    Permissions , then PermitAccess
    What I don't understand is that it needs to match an "identity group" which can be either "Endpoint Identity group" or "Users Identity group", I am limited with the if statement and cannot choose the same device group I chose before.
    How can I do that, I am thinking ahead and asking myself if in other cases a user might match this policy rule and can interfere?

  • Radius authentication for the enable password

    Dear Sir
    I have an ACS and I have many switches in the network. I used to secure the telnet and enable access to these switches with the tacacs+ authentication protocol, so the username and password is taken from the ACS internal database. Also the enable password is taken from the ACS. Today we changed the tacacs+ to Radius because we use the 802.1x framework on the wired network. Dot1x authentication worked fine and when you try to telnet to the switch the username and password is taken but the enable password is not taken from the ACS. When I check the configuration on the ACS under the user page I found a checkmark to use the enable password as the PAP password of the user but this is only under tacacs+ settings. How can I make this for Radius? This is my question. Please answer me asap. It is urgent.
    Thanks,

    Dear iqambhir
    Thank you very much for your help.
    I already did that but this makes the enable password shared with all users and we don't want that.
    I want the enable password to be taken as the PAP password of the user who tries to login but I didn't find that with radius. This option is there with tacacs+.
    I want to know why the router or the switch sends that user " $enab15$ ". Is this a bug on the system?
    Please, if there is any other way to authenticate the enable password with the radius submit it.
    Thanks a lot,
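    The two enable-password threads above ("RADIUS Authentication for Enable PW" and this one) both turn on the same packet: for enable authentication over RADIUS, IOS sends an Access-Request whose User-Name is the literal `$enab15$` (enable level 15), and whether the login succeeds depends on what the server returns for that request. The following Python is an added example written for this page; it is not code from any poster, from Cisco, or from IAS/NPS. It builds that Access-Request with the RFC 2865 User-Password hiding, prints the attributes in the same `Attribute <type> <length> <first 4 bytes>` shape as Dan's `debug radius` output, and shows how a NAS should verify the server's reply and check it for `Service-Type = Administrative-User` (the value the SGE2010 thread needed NPS to return). The NAS address 172.20.2.79 is just the `AC14024F` from Dan's debug decoded as an IPv4 address; the shared secret and the password are constructed values.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

# RFC 2865 packet codes and the attribute types seen in the IOS debug output
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE, NAS_PORT_TYPE = 1, 2, 4, 5, 6, 61
SERVICE_TYPE_ADMINISTRATIVE = 6  # "Administrative-User", the value the NPS policy had to send back


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    blocks = max(1, (len(password) + 15) // 16)
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server applies it (trailing NULs are padding)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """One type-length-value attribute; the length byte counts its own 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, secret, username, password, nas_ip, authenticator=None):
    """Access-Request with attributes in the order IOS emitted them: 4, 5, 61, 1, 2, 6."""
    authenticator = authenticator or os.urandom(16)
    attrs = (
        attribute(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
        + attribute(NAS_PORT, struct.pack("!I", 0))
        + attribute(NAS_PORT_TYPE, struct.pack("!I", 0))  # 0 = Async, a terminal line
        + attribute(USER_NAME, username.encode())
        + attribute(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
        + attribute(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE))
    )
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet: bytes):
    """Walk the attribute section, refusing bad lengths instead of reading past them."""
    length = struct.unpack("!H", packet[2:4])[0]
    attrs, pos = [], 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def summarize(packet: bytes):
    """(type, length, first four value bytes as hex): the shape of 'Attribute 1 10 24656E61'."""
    return [(t, len(v) + 2, v[:4].hex().upper()) for t, v in parse_attributes(packet)]


def build_response(code, request, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response, request, secret) -> bool:
    """NAS side: drop any reply whose identifier or Response Authenticator does not check out."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(expected, response[4:20])


def grants_admin_login(response) -> bool:
    """True only for an Access-Accept carrying Service-Type = Administrative-User (6)."""
    if response[0] != ACCESS_ACCEPT:
        return False
    return any(t == SERVICE_TYPE and struct.unpack("!I", v)[0] == SERVICE_TYPE_ADMINISTRATIVE
               for t, v in parse_attributes(response))


if __name__ == "__main__":
    secret = b"testing123"     # constructed shared secret for the example, not a real one
    auth = bytes(range(16))    # fixed Request Authenticator so the run is repeatable
    req = build_access_request(3, secret, "$enab15$", "enable-pw", "172.20.2.79", auth)
    for line in summarize(req):
        print("Attribute %d %d %s" % line)
    print("Access-Request len", len(req))
    accept = build_response(ACCESS_ACCEPT, req, secret,
                            attribute(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE)))
    print("accept verifies:", verify_response(accept, req, secret), "admin:", grants_admin_login(accept))
```

    Run as-is, the request comes out at 72 bytes with the attribute list `4 6 AC14024F`, `5 6 00000000`, `61 6 00000000`, `1 10 24656E61`, `2 18 ...`, `6 6 00000006`, matching the debug lines in Dan's post; the `24656E61` is simply the ASCII for `$ena`, the start of `$enab15$`. The server therefore has to recognise a user literally named `$enab15$` (or be told to treat it as the enable credential), which is what the IAS-side guide Nick linked configures, and a 20-byte reply with no attributes is the Access-Reject Dan saw. The `verify_response` step is the part a NAS must never skip: an Access-Accept that fails the Response Authenticator check is not from the configured server, and `grants_admin_login` shows why an Accept without the right Service-Type still leaves a switch such as the SGE2010 refusing the login.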

  • AAA Radius Authentication for Remote VPN With ACS Server Across L2L VPN

    Hi,
    I have an ASA running fine on the network which provide L2L tunnel to remote site and provide Remote VPN for remote access users.
    Currently, there is a need for the users to authenticate against an ACS server that located across the L2L VPN tunnel.
    The topology is just simple with 2 interfaces on the ASA, inside and outside, and a default route pointing to the ISP IP Address.
    I can ping the IP address of the ACS Server (which located at the remote site, IP addr: 10.10.10.56) from the ASA:
    ping inside 10.10.10.56
    However when I configure the ASA for the AAA group with commands:
    aaa-server ACSAuth protocol radius
    aaa-server ACSAuth host (inside) 10.10.10.56 key AcsSecret123
    Then when I do the show run, here is the result:
    aaa-server ACSAuth protocol radius
    aaa-server host 10.10.10.56
    key AcsSecret123
    From what I thought is, with this running config, traffic is not directed to the L2L VPN tunnel
    (seems to be directed to the default gateway due to the default route information) which cause failure to do the AAA authentication.
    Does anybody ever implement such this thing and whether is it possible? And if yes, how should be the config?
    Your help will be really appreciated!
    Thanks.
    Best Regards,
    Jo

    AAA is designed to enable you to dynamically configure the type of authentication and authorization you want on a per-line (per-user) or per-service (for example, IP, IPX, or VPDN) basis. You define the type of authentication and authorization you want by creating method lists, then applying those method lists to specific services or interfaces.
    http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/schaaa.html

  • RADIUS Authentication for PI 2.1 with Windows Server 2008 (Windows NPS)

    Hello Community,
    can someone please provide a step-by-step guide (or at least the VSA part) for RADIUS configuration on a Windows 2008 R2 server for Prime Infrastructure 2.1 please?
    We already tried several setups with guides for PI 1.4 without success. The NPS itself authenticates and grants access, but on PI the login always fails.
    Thank you in advance,
    Benjamin

    I'm having the same issue and have a few questions/comments.
    I can get root/admin access working via NPS/radius by just telling NPS to send PI the  NCS:role0=Root (or Admin) and NCS:virtual-domain0=ROOT-DOMAIN radius attributes.
    But I also have some users who I just want to give read only access.  I cannot seem to get this to work.  At first I configured NPS to send PI the NCS:role0=Monitor Lite and NCS:virtual-domain0=ROOT_DOMAIN attributes.  A user could login, but would immediately get a "You do not have access to the page Monitoring Dashboards" error.  Not to mention almost nothing shows in the menu.  So I tried adding all of the individual tasks related to the "Monitor Lite" role into the radius policy:
    NCS:role0=Monitor Lite
    NCS:task0=Services Menu Access
    NCS:task1=Alarm Stat Panel Access
    NCS:task2=Automated Feedback
    NCS:task3=Monitor Menu Access
    NCS:task4=Theme Changer Access
    NCS:task5=Maps Read Only
    NCS:task6=Help Menu Access
    NCS:task7=License Check
    NCS:task8=Rogue Location
    NCS:task9=Reports Menu Access
    NCS:task10=Monitor Tags
    NCS:task11=Alarm Browser Access
    NCS:task12=Configure Menu Access
    NCS:task13=Search Access
    NCS:task14=Tools Menu Access
    NCS:task15=Administration Menu Access
    NCS:task16=Monitor Clients
    NCS:task17=Home Menu Access
    NCS:task18=Client Location
    NCS:task19=OnlineHelp
    NCS:task20=TAC Case Management Tool
    but I'm not having any luck.  The NPS radius logs always show success, but the read-only users always get the same error and almost nothing visible in the menus.
    Has anyone successfully configured radius with something other than Admin or Root privileges?
    Thanks!
