Radius authentication with MSCHAP

Hi,
I have a few 2960 and 3650 switches in my network. I have the aaa authentication login configured for RADIUS but it is only using PAP which is unencrypted.
The 2960 switches are running version 15.2 and the 3650 are on 3.02. The RADIUS server I am using is Microsoft NPS which can do other methods of encryption.
Is it possible to do mschap or any other type of encryption with the switches to authenticate management access?
Regards,
Waqas

This sample configuration shows how to set up a remote access VPN connection between a Cisco VPN Client (4.x for Windows) and the PIX 500 Series Security Appliance 7.x using a Cisco Secure Access Control Server (ACS version 3.2) for extended authentication (Xauth).
http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008080f2d1.shtml

Similar Messages

ACS 5.3 Radius authentication with ASA and DACL

Hi,
I am trying to do Radius authentication on the ACS 5.3 for VPN access (cisco client) using a downloadable ACL with AD identity
Clients are connecting to an ASA 5510 with image asa843-K8.bin
I followed the configuration example on the Cisco site, but I am having some problems
First : AD identity is not triggered, I put a profile :
Status
Name
Conditions
Results
Hit Count
NDG:Location
Time And Date
AD1:memberOf
Authorization Profiles
1
TestVPNDACL
-ANY-
-ANY-
equals Network Admin
TEST DACL
0
But if I am getting no hits on it, Default Access is being used (Permit Access)
So I tried putting the DACL in the default profile, but when connecting I am immediately disconnected.
I can see the DACL/ASA being authenticated in the ACS log but no success
I am using my user which is member of the Network Admin Group.
Am I missing something?
Any help greatly appreciated!
Wim

Hello Stephen,
As per the IP Pools feature, the ACS 5.x does not include such functionality. It is not on the ACS 5.x roadmap either as the recommended scenario would be to use a dedicated DHCP server.
ACS 4.x included that functionality, however, it was not the best solution as the ACS returned the IP Address value as a RADIUS Attribute instead of acting as a real DCHP server.
As per the IMEI and MISDN I am assuming you are referring to International Mobile Equipment Identity and Mobile Subscriber ISDN. Correct me if I am wrong.
In that case it seems that the ACS 5.x should be able to Allow or Deny access based on Radius Attribute 30 (Called-Station-Id) and 31 (Calling-Station-Id).
In that case you might want to use the End-Station Filters feature and use it as the condition for the Rule. The End-Station Filter feature uses CLI/DNIS where CLI is Radius Attribute 31 and DNIS is Attribute 30.
I am assuming a Generic Username will be embedded on the devices request. In that case you will define which end-user devices will be granted access based on the above attributes.
Here is a snapshot of the section:

Radius authentication with ISE - wrong IP address

Hello,
We are using ISE for radius authentication. I have setup a new Cisco switch stack at one of our locations and setup the network device in ISE. Unfortunately, when trying to authenticate, the ISE logs show a failure of "Could not locate Network Device or AAA Client" The reason for this failure is the log shows it's coming from the wrong IP address. The IP address of the switch is 10.xxx.aaa.241, but the logs show it is 10.xxx.aaa.243. I have removed and re-added the radius configs on both ISE and the switch, but it still comes in as .243. There is another switch stack at that location (same model, IOS etc), that works properly.
The radius config on the switch:
aaa new-model
aaa authentication login default local
aaa authentication login Comm group radius local
aaa authentication enable default enable
aaa authorization exec default group radius if-authenticated
ip radius source-interface Vlanyy
radius server 10.xxx.yyy.zzz
address ipv4 10.xxx.yyy.zzz auth-port 1812 acct-port 1813
key 7 abcdefg
The log from ISE:
Overview
Event 5405 RADIUS Request dropped
Username
Endpoint Id
Endpoint Profile
Authorization Profile
Authentication Details
Source Timestamp 2014-07-30 08:48:51.923
Received Timestamp 2014-07-30 08:48:51.923
Policy Server ise
Event 5405 RADIUS Request dropped
Failure Reason 11007 Could not locate Network Device or AAA Client
Resolution Verify whether the Network Device or AAA client is configured in: Administration > Network Resources > Network Devices
Root cause Could not find the network device or the AAA Client while accessing NAS by IP during authentication.
Username
User Type
Endpoint Id
Endpoint Profile
IP Address
Identity Store
Identity Group
Audit Session Id
Authentication Method
Authentication Protocol
Service Type
Network Device
Device Type
Location
NAS IP Address 10.xxx.aaa.243
NAS Port Id tty2
NAS Port Type Virtual
Authorization Profile
Posture Status
Security Group
Response Time
Other Attributes
ConfigVersionId 107
Device Port 1645
DestinationPort 1812
Protocol Radius
NAS-Port 2
AcsSessionID ise1/186896437/1172639
Device IP Address 10.xxx.aaa.243
CiscoAVPair
   Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11007 Could not locate Network Device or AAA Client
5405
As a test, I setup a device using the .243 address. While ISE claims it authenticates, it really doesn't. I have to use my local account to access the device.
Any advice on how to resolve this issue would be appreciated. Please let me know if more information is needed.

Well from the debug I would say there may be an issue with the addressing of the radius server on the switch.
radius-server host 10.xxx.xxx.xxx key******** <--- Make sure this address and Key matches what you have in ISE PSN and that switch. Watch for spaces in your key at the begining or end of the string.
What interface should your switch be sending the radius request?
ip radius source-interface VlanXXX vrf default
Here is what my debug looks like when it is working correctly.
Aug 4 15:58:47 EST: RADIUS/ENCODE(00000265): ask "Password: "
Aug 4 15:58:47 EST: RADIUS/ENCODE(00000265):Orig. component type = EXEC
Aug 4 15:58:47 EST: RADIUS(00000265): Config NAS IP: 10.xxx.xxx.251
Aug 4 15:58:47 EST: RADIUS/ENCODE(00000265): acct_session_id: 613
Aug 4 15:58:47 EST: RADIUS(00000265): sending
Aug 4 15:58:47 EST: RADIUS(00000265): Send Access-Request to 10.xxx.xxx.35:1645 id 1645/110, len 104
Aug 4 15:58:47 EST: RADIUS: authenticator 97 FB CF 13 2E 6F 62 5D - 5B 10 1B BD BA EB C9 E3
Aug 4 15:58:47 EST: RADIUS: User-Name           [1]   9   "admin"
Aug 4 15:58:47 EST: RADIUS: Reply-Message       [18] 12
Aug 4 15:58:47 EST: RADIUS:   50 61 73 73 77 6F 72 64 3A 20        [ Password: ]
Aug 4 15:58:47 EST: RADIUS: User-Password       [2]   18 *
Aug 4 15:58:47 EST: RADIUS: NAS-Port            [5]   6   3
Aug 4 15:58:47 EST: RADIUS: NAS-Port-Id         [87] 6   "tty3"
Aug 4 15:58:47 EST: RADIUS: NAS-Port-Type       [61] 6   Virtual                   [5]
Aug 4 15:58:47 EST: RADIUS: Calling-Station-Id [31] 15 "10.xxx.xxx.100"
Aug 4 15:58:47 EST: RADIUS: Service-Type        [6]   6   Login                     [1]
Aug 4 15:58:47 EST: RADIUS: NAS-IP-Address      [4]   6   10.xxx.xxx.251
Aug 4 15:58:47 EST: RADIUS(00000265): Started 5 sec timeout
Aug 4 15:58:47 EST: RADIUS: Received from id 1645/110 10.xxx.xxx.35:1645, Access-Accept, len 127
Aug 4 15:58:47 EST: RADIUS: authenticator 1B 98 AB 4F B1 F4 81 41 - 3D E1 E9 DB 33 52 54 C1
Aug 4 15:58:47 EST: RADIUS: User-Name           [1]   9   "admin"
Aug 4 15:58:47 EST: RADIUS: State               [24] 40
Aug 4 15:58:47 EST: RADIUS:   52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 61 [ReauthSession:0a]
Aug 4 15:58:47 EST: RADIUS:   30 63 66 65 32 33 30 30 30 31 46 37 30 37 35 33 [0cfe230001F70753]
Aug 4 15:58:47 EST: RADIUS:   44 46 45 35 46 37            [ DFE5F7]
Aug 4 15:58:47 EST: RADIUS: Class               [25] 58
Aug 4 15:58:47 EST: RADIUS:   43 41 43 53 3A 30 61 30 63 66 65 32 33 30 30 30 [CACS:0a0cfe23000]
Aug 4 15:58:47 EST: RADIUS:   31 46 37 30 37 35 33 44 46 45 35 46 37 3A 50 52 [1F70753DFE5F7:PR]
Aug 4 15:58:47 EST: RADIUS:   59 49 53 45 30 30 32 2F 31 39 33 37 39 34 36 39 [YISE002/19379469]
Aug 4 15:58:47 EST: RADIUS:   38 2F 32 30 36 33 31 36          [ 8/206316]
Aug 4 15:58:47 EST: RADIUS(00000265): Received from id 1645/110
---------------------------------------------------------------------------------------------------------------This is after I added the incorrect Radius server address.
Aug 4 16:05:19 EST: RADIUS/ENCODE(00000268): ask "Password: "
Aug 4 16:05:19 EST: RADIUS/ENCODE(00000268):Orig. component type = EXEC
Aug 4 16:05:19 EST: RADIUS(00000268): Config NAS IP: 10.xxx.xxx.251
Aug 4 16:05:19 EST: RADIUS/ENCODE(00000268): acct_session_id: 616
Aug 4 16:05:19 EST: RADIUS(00000268): sending
Aug 4 16:05:19 EST: RADIUS(00000268): Send Access-Request to 10.xxx.xxx.55:1645 id 1645/112, len 104
Aug 4 16:05:19 EST: RADIUS: authenticator FC 94 BA 5D 75 1F 84 08 - E0 56 05 3A 7F BC FB BB
Aug 4 16:05:19 EST: RADIUS: User-Name           [1]   9   "admin"
Aug 4 16:05:19 EST: RADIUS: Reply-Message       [18] 12
Aug 4 16:05:19 EST: RADIUS:   50 61 73 73 77 6F 72 64 3A 20        [ Password: ]
Aug 4 16:05:19 EST: RADIUS: User-Password       [2]   18 *
Aug 4 16:05:19 EST: RADIUS: NAS-Port            [5]   6   7
Aug 4 16:05:19 EST: RADIUS: NAS-Port-Id         [87] 6   "tty7"
Aug 4 16:05:19 EST: RADIUS: NAS-Port-Type       [61] 6   Virtual                   [5]
Aug 4 16:05:19 EST: RADIUS: Calling-Station-Id [31] 15 "10.xxx.xxx.100"
Aug 4 16:05:19 EST: RADIUS: Service-Type        [6]   6   Login                     [1]
Aug 4 16:05:19 EST: RADIUS: NAS-IP-Address      [4]   6   10.xxx.xxx.251
Aug 4 16:05:19 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:23 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:23 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:23 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:29 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:29 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:29 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:33 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:33 EST: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.xxx.xxx.55:1645,1646 is not responding.
Aug 4 16:05:33 EST: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.xxx.xxx.55:1645,1646 is being marked alive.
Aug 4 16:05:33 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:33 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:38 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:38 EST: RADIUS: Fail-over to (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:38 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:43 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:43 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:43 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:48 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:48 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:48 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:53 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:53 EST: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.xxx.xxx.55:1645,1646 is not responding.
Aug 4 16:05:53 EST: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.xxx.xxx.55:1645,1646 is being marked alive.
Aug 4 16:05:53 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:53 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:57 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:57 EST: RADIUS: No response from (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:57 EST: RADIUS/DECODE: parse response no app start; FAIL
Aug 4 16:05:57 EST: RADIUS/DECODE: parse response; FAIL
This is a default template I use for all my devices routers or switches hope it helps. I have two PSN's that is why we have two radius-server host commands..
aaa authentication login vty group radius local enable
aaa authentication login con group radius local enable
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting system default start-stop group radius
ip radius source-interface VlanXXX vrf default
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646 key *********
radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646 key *********
radius-server vsa send accounting
radius-server vsa send authentication
You can use this in the switch to test radius
test aaa group radius server 10.xxx.xxx.xxx <username> <password>

WLC 4402 RADIUS Authentication with IAS

Hello
I configured a WLAN with PEAP (CHAP v2)and Radius authentication to a Win 2003 IAS Radius Server.
On the controller 4402 the layer 2 security is set to WPA1+WPA2 with 802.1x authentication.
The IAS server don't use the configured policy when a authentication reguest arrive.
I there an issue with special RADIUS attributes or configuration items on the IAS Server?
The following event appear in the windows logs:
User STANS\kaesmr was denied access.
Fully-Qualified-User-Name = STANS\kaesmr
NAS-IP-Address = 172.17.25.6
NAS-Identifier = keynet-01
Called-Station-Identifier = 00-18-74-FB-CA-20:keynet
Calling-Station-Identifier = 00-16-CE-52-C8-EB
Client-Friendly-Name = Wireless-Controller
Client-IP-Address = 172.17.25.6
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 1
Proxy-Policy-Name = Windows-Authentifizierung f?r alle Benutzer verwenden
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = Extension
EAP-Type = <undetermined>
Reason-Code = 21
Reason = The request was rejected by a third-party extension DLL file.

What I understand from your post is that the authentication is not handled by your IAS server. IF I am correct, the problem might be with the "Allow AA override" option disabled in your WLAN. If it is enabled, then the AAA server or your IAS server will override the security parameters set locally on the controller.
So, first ensure whether "Allow AAA override" is enabled under Controller--->WLAN field.
Also, chek out the logs of the IAS server for obtaining more info on this.

APC (UPS) RADIUS authentication with ACS 5.X

I am trying to do RADIUS authentication for APC (UPS) using ACS 5.2 Appliance. It is working fine with ACS 4.2, but unfortunately not with ACS 5.2. I tried creating RADIUS VSA (Vendor Specific Attributes) for APC in ACS 5.2.
According to the APC dictionary file
VENDOR APC 318
# Attributes
ATTRIBUTE APC-Service-Type 1 integer APC
ATTRIBUTE APC-Outlets 2 string APC
VALUE APC-Service-Type Admin 1
VALUE APC-Service-Type Device 2
VALUE APC-Service-Type ReadOnly 3
# For devices with outlet users only
VALUE APC-Service-Type Outlet 4
I have added the attributes in blue(attached), how do I add the VALUE's (shown red) in ACS 5.2? What else should I do to get this working?
The hit count on the ACS shows that it is getting authentication request from the APC appliance.
Thanks in advance.

Hi,
I am working on the same issue and i manage to login (using Ldap A/D backend authentication). When using the standard Radius attribute Service-Type (1 for read-only and 6 for admin) i manage to get this working. I am however trying to use the APC VSAs (as above) without any success. The objective is to have outlet management for specific users, admin or read-only others. Did u manage to get this working and how?
./G

Integrating RADIUS authentication with JAAS ???

Hi,
I have username/password JAAS authentication in my application.
Now I have to support RADIUS authentication on top of the existing username/password authenticaiton.
I am in the process of defining a login module for RADIUS.
Is there any opensource login module existing for RADIUS ??
After defining the RADIUS login module where to configure the multiple authentication policies ??
Thanks,
Dyanesh.

This sample configuration shows how to set up a remote access VPN connection between a Cisco VPN Client (4.x for Windows) and the PIX 500 Series Security Appliance 7.x using a Cisco Secure Access Control Server (ACS version 3.2) for extended authentication (Xauth).
http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008080f2d1.shtml

Wirelss AP1140 Radius authentication with Microsoft IAS

Hi,
I have a Cisco C1140 Ap. I have cnfigured the device. Initially for testing i used WPA and authenticated locally. I have now setup a radius server and added my AP in as a client etc. I have changed my SSID's to authenticate with the radius server and i am having issues authenticating.
I can connect via a PC and an iphone. They say that i am connected but i get no ip address and the debugs state that the authentication fails:
000466: Sep 5 14:33:07.074 AEST: %DOT11-7-AUTH_FAILED: Station 40a6.d967.8b13 Authentication failed
000467: Sep 5 14:33:28.368 AEST: %DOT11-7-AUTH_FAILED: Station bc77.3771.b15f Authentication failed
000468: Sep 5 14:33:39.837 AEST: %DOT11-7-AUTH_FAILED: Station 40a6.d967.8b13 Authentication failed
I can see the Radius server as connected
imc-syd-ap1#show aaa servers
RADIUS: id 4, priority 1, host 10.10.0.2, auth-port 1645, acct-port 1646
State: current UP, duration 4337s, previous duration 0s
Dead: total time 0s, count 0
Authen: request 0, timeouts 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Author: request 0, timeouts 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Account: request 0, timeouts 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Elapsed time since counters last cleared: 1h12m
The debugs show:
000474: Sep 5 14:36:00.969 AEST: %DOT11-7-AUTH_FAILED: Station bc77.3771.b15f Authentication failed
000475: Sep 5 14:36:01.485 AEST: AAA/BIND(00000109
show dot11 associations:
imc-syd-ap1#show dot11 associations
802.11 Client Stations on Dot11Radio0:
SSID [IMC-Wireless-Data] :
MAC Address IP address Device Name Parent State
bc77.3771.b15f 0.0.0.0 ccx-client DAVID self AAA_Auth
Any ideas or recomendations would be greatly appreciated
Thanks
Below is a copy of my wireless config:
version 12.4
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname xxxxxxxxxxxxxx
logging buffered 40960 debugging
enable secret 5 xxxxxxxxxxxxx
aaa new-model
aaa group server tacacs+ IMC
server 172.16.100.3
aaa group server radius AUTHVPN
server 10.10.0.2 auth-port 1645 acct-port 1646
server 10.11.0.24 auth-port 1645 acct-port 1646
aaa authentication login default group IMC local enable
aaa authorization exec default group IMC local if-authenticated
aaa session-id common
clock timezone AEST 10
clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
no ip domain lookup
ip domain name imc.net.au
dot11 syslog
dot11 ssid IMC-Wireless-Data
vlan 10
authentication open eap AUTHVPN
authentication network-eap AUTHVPN
guest-mode
mbssid guest-mode
infrastructure-ssid optional
information-element ssidl
dot11 ssid IMC-Wireless-Voice
vlan 14
authentication open eap AUTHVPN
authentication network-eap AUTHVPN
mbssid guest-mode
information-element ssidl
dot11 aaa authentication attributes service login-only
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode wep mandatory
ssid IMC-Wireless-Data
ssid IMC-Wireless-Voice
antenna gain 0
mbssid
station-role root
interface Dot11Radio0.10
encapsulation dot1Q 10 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio0.14
encapsulation dot1Q 14
no ip route-cache
bridge-group 14
bridge-group 14 subscriber-loop-control
bridge-group 14 block-unknown-source
no bridge-group 14 source-learning
no bridge-group 14 unicast-flooding
bridge-group 14 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
encryption mode wep mandatory
ssid IMC-Wireless-Data
ssid IMC-Wireless-Voice
antenna gain 0
no dfs band block
mbssid
channel dfs
station-role root
interface Dot11Radio1.10
encapsulation dot1Q 10 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio1.14
encapsulation dot1Q 14
no ip route-cache
bridge-group 14
bridge-group 14 subscriber-loop-control
bridge-group 14 block-unknown-source
no bridge-group 14 source-learning
no bridge-group 14 unicast-flooding
bridge-group 14 spanning-disabled
interface GigabitEthernet0
description IMC-Wireless-Data
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
interface GigabitEthernet0.10
description IMC-Wireless-Data
encapsulation dot1Q 10 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface GigabitEthernet0.14
description IMC-Wireless-Voice
encapsulation dot1Q 14
no ip route-cache
bridge-group 14
no bridge-group 14 source-learning
bridge-group 14 spanning-disabled
interface BVI1
description IMC-Wireless-Data
ip address 10.10.0.245 255.255.255.0
no ip route-cache
ip default-gateway 10.10.0.254
ip http server
ip http authentication local
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
access-list 111 permit tcp any any eq telnet
access-list 111 permit tcp any any eq www
access-list 111 permit tcp any any eq 22
snmp-server community public RO
snmp-server enable traps tty
tacacs-server host 172.16.100.3 key 7 xxxxxxxxxxxxxxxxxxx
tacacs-server directed-request
radius-server host 10.10.0.2 auth-port 1645 acct-port 1646 key 7 xxxxxxxxxxxxxxxxxxx
bridge 1 route ip
wlccp wds aaa authentication attributes service login-only
line con 0
line vty 0 4
access-class 111 in
exec-timeout 5 0
line vty 5 15
access-class 111 in
exec-timeout 5 0
sntp server 10.10.0.254
end

Inside the ssid, when you put "authentication open" it's an eap_method that follows. You put your AUTHVPN aaa server group name. that's wrong.
aaa authentication login group AUTHVPN
and adjust your "authentication open eap " to match with that method name.
Also your group authvpn contains a 2nd server that is undefined in yoru global config ...
Nicolas

WAP200 and .1x/radius authentication with multiple SSIDs

Apparently it's not possible to define more than a single radius server when using multiple SSIDs with WAP200. Unfortunately WAP200 doesn't add the name of the SSID as a radius attribute, so it's not possible to make distinction whether the user is trying to log in to SSID A or B. Does anyone have any ideas or workarounds for this limitation? Of course the best solution would be if Cisco/Linksys fixed the firmware so that the SSID of the logging in user would be sent to the radius server as an extra attribute or appended to the client mac address.

Security option for an SSID can be unique and can be configured when you configure a SSID or under VLAN . Note that each vlan is uniquely mapped to induvidual SSID.

SMB 300 switch - RADIUS authentication

Did anybody have any luck configuring radius authentication with SMB 300 managed switches? I just deployed one and struggling with radius authentication with AD. Radius server works because there are 10 other Catalyst switches and routers working fine.
Any pointers on how to setup radius authentication for administrative connection? I need it for http, telnet and ssh management session to the switch.
Thanks in advance,
Sam

yes, PAP always use plain text and that doesn't provide any kind of security. However, administrative session with radius doesn't support chap/mschap.we can't configure firewall/IOS devices for aministration session like telnet/ssh to authenticate users on mschapv2 authentication method.
If you need secure communication then you may implement TACACS.
TACACS+ and RADIUS use a shared secret key to provide encryption for communication between the client and the server. RADIUS encrypts the user's password when the client made a request to the server. This encryption prevents someone from sniffing the user's password using a packet analyzer. However other information such as username and services that is being performed can be analyzed. TACACS+ encrypts not just only the entire payload when communicating, but it also encrypts the user's password between the client and the server. This makes it more difficult to decipher information about the communication between the client and the server. TACACS+ uses MD5 hash function in its encryption and decryption algorithm.
~BR
Jatin Katyal
**Do rate helpful posts**

VPN 3000 and Radius authentication/authorization

hello.
I have to configure RADIUS authentication
with a VPN 3000 concentrator.
I'm completely new with this product
(the concentrator).
It seems that, if I want to perform authentication
of username and password with Radius, then I also have to download the entire VPN configuration from the same Radius, using the attibute set loaded with the appropriate dictionary.
am I rigth with this supposition?
I mean: should be possible to authenticate only an username and password externally on RADIUS, while continuing to mantain the user (or group) VPN configuration locally in the concentrator?
thank you.
Davide

No, downloading the entire VPN configuration from the RADIUS server is not necessary. If you are new to configuring VPN's on concentrators or the Concentrator iself, having a look at the support page will be agood idea. It is accessible at http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Hardware:Cisco_VPN_3000_Concentrator

Trying to setup a RADIUS connection with challenge response

I need to test a RADIUS authentication and I've read note id 272804.1 and http://download.oracle.com/docs/cd/B19306_01/network.102/b14268/asoradus.htm.
I'm trying to connect from DEVDB machine using sqlplus as client and connect to the local database server 10gr2 which then should act as RADIUS client to finally try to reach another machine with hostname DEVRADIUS.
I'm using freeRadius which delegate authentication and authorization phases to a OTP service. Other middleware services are able to use this kind of RADIUS authentication with no problem: so this radius configuration is perfectly working for other clients.
I've done some tests, but I'm not able to connect to DEVRADIUS from the Oracle database.
Executing ./adapters and ./adapters ./oracle showed me the RADIUS authentication is available.
When I try to connect using my external user I'm receiving the following error:
ORA-12638: Credential retrieval failed
A firewall exists between the database server and clients, but the port 1812 used to connect my database DEVDB to radius server DEVRADIUS has been open (UDP)
My sqlnet.ora
# sqlnet.ora Network Configuration File: /u01/app/oracle/product/10.2.0/db_1/network/admin/sqlnet.ora
# Generated by Oracle configuration tools.
SQLNET.AUTHENTICATION_SERVICES= (RADIUS)
SQLNET.RADIUS_PORT= (1812)
SQLNET.RADIUS_AUTHENTICATION_PORT = 1812
SQLNET.RADIUS_SECRET = (/u01/app/oracle/product/10.2.0/db_1/network/security/radius.key)
SQLNET.RADIUS_AUTHENTICATION_TIMEOUT = 10
SQLNET.RADIUS_AUTHENTICATION = DEVRADIUS
SQLNET.RADIUS_CHALLENGE_RESPONSE = (ON)
SQLNET.RADIUS_CHALLENGE_KEYWORD = (CHALLENGE)
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)Into /u01/app/oracle/product/10.2.0/db_1/network/security/radius.key there's only the shared secret RADIUS key.
Previously I've created this user:
SQL> create user rad_user identified externally;
SQL> grant connect, resource to rad_user;
SQL> show parameter OS_A
NAME TYPE VALUE
os_authent_prefix string
remote_os_authent boolean FALSE
SQL> show parameter OS_RO
NAME TYPE VALUE
os_roles boolean FALSE
remote_os_roles boolean FALSEThis is the error I receive:
sqlplus /nolog;
SQL> connect /@DEVDB;
ERROR:
ORA-12638: Credential retrieval failedOn RADIUS server started in debug mode, I don't see any attempt to connect.
Any suggestions?

loqs wrote:You built the package (using --asroot with makepkg is not a good idea ) but you did missed Install_the_package
Also see Kernel_Modules so the module is loaded automatically at boot.
Seriously? I spent that many hours searching for my several error messages, trying to solve them, not wanting to ask for help without putting too much of my own effort into it and when I finally decide to ask for help it is when I didn't get a super essential thing like makepkg doesn't install and is merely to create .pkg.tar.xz?? Oh gosh... (;
Well, thank you! I guess I'll take my next change to use Google to find out how to use makepkg without --asroot. Yes, wl is loaded now and it's set as the kernel driver in use!
Unfortunately, after ip link set wlp2s0 up and typing dmesg | grep wl I get:
wl: module license 'Mixed/Proprietary' taints kernel.
wlan0: Broadcom BCM4727 802.11 Hybrid Wireless Controller 6.30.223.248 (r487574)
systemd-udevd[148]: renamed network interface wlan0 to wlp2s0
wl 0000:02:00.0: no hotplug settings from platform
wl 0000:02:00.0: no hotplug settings from platform
wl 0000:02:00.0: no hotplug settings from platform
wl 0000:02:00.0: no hotplug settings from platform
And therefor: No firmware loaded. Google doesn't give much about this message but hints to PCI or PCI-Express not working as it should. I found this and tried starting with pciehp.pciehp_force=1 and ordered a modprobe acpiphp but nothing changed.

Authentication with MS-IAS / AD

I'm trying to control the access of my LAN by authenticate user with EAP / MSIAS + AD.
The IAS denied the access with error 112: The remote RADIUS server did not process the authentication request.
I setup the IAS policy to answer with vendor specific 64:"VLAN", 65:802, 81:10
Is somebody already acheive to use MS-IAS Radius authentication with a Cisco switch 2960
Mon Jun 28 12:22:49 2010: <191>4105: Jun 28 12:22:49.122 UTC+1: RADIUS(00000098): Send Access-Request to 10.221.136.14:1645 id 1645/56, len 211
Mon Jun 28 12:22:49 2010: <191>4106: Jun 28 12:22:49.122 UTC+1: RADIUS: authenticator 91 EC 87 87 89 0E AF 79 - 76 CE 5A 61 ED 1A D7 AC
Mon Jun 28 12:22:49 2010: <191>4107: Jun 28 12:22:49.122 UTC+1: RADIUS: User-Name           [1]   17 "EUROPE\ParisAdm"
Mon Jun 28 12:22:49 2010: <191>4108: Jun 28 12:22:49.122 UTC+1: RADIUS: Service-Type        [6]   6   Framed                    [2]
Mon Jun 28 12:22:49 2010: <191>4109: Jun 28 12:22:49.122 UTC+1: RADIUS: Framed-MTU          [12] 6   1500
Mon Jun 28 12:22:49 2010: <191>4110: Jun 28 12:22:49.122 UTC+1: RADIUS: Called-Station-Id   [30] 19 "00-24-51-55-47-84"
Mon Jun 28 12:22:49 2010: <191>4111: Jun 28 12:22:49.122 UTC+1: RADIUS: Calling-Station-Id [31] 19 "00-14-22-BF-46-40"
Mon Jun 28 12:22:49 2010: <191>4112: Jun 28 12:22:49.122 UTC+1: RADIUS: EAP-Message         [79] 22
Mon Jun 28 12:22:49 2010: <191>4113: Jun 28 12:22:49.122 UTC+1: RADIUS:   02 02 00 14 01 45 55 52 4F 50 45 5C 50 61 72 69 73 41 64 6D   [ EUROPE\ParisAdm]
Mon Jun 28 12:22:49 2010: <191>4114: Jun 28 12:22:49.122 UTC+1: RADIUS: Message-Authenticato[80] 18
Mon Jun 28 12:22:49 2010: <191>4115: Jun 28 12:22:49.122 UTC+1: RADIUS:   27 E9 35 4C C3 69 99 B0 1B D9 3A 08 84 C0 71 E4            [ '5Li:q]
Mon Jun 28 12:22:49 2010: <191>4116: Jun 28 12:22:49.122 UTC+1: RADIUS: Vendor, Cisco       [26] 49
Mon Jun 28 12:22:49 2010: <191>4117: Jun 28 12:22:49.122 UTC+1: RADIUS:   Cisco AVpair       [1]   43 "audit-session-id=C0A8FE030000006B13A4833C"
Mon Jun 28 12:22:49 2010: <191>4118: Jun 28 12:22:49.122 UTC+1: RADIUS: NAS-Port-Type       [61] 6   Ethernet                  [15]
Mon Jun 28 12:22:49 2010: <191>4119: Jun 28 12:22:49.122 UTC+1: RADIUS: NAS-Port            [5]   6   50004
Mon Jun 28 12:22:49 2010: <191>4120: Jun 28 12:22:49.122 UTC+1: RADIUS: NAS-Port-Id         [87] 17 "FastEthernet0/4"
Mon Jun 28 12:22:49 2010: <191>4121: Jun 28 12:22:49.122 UTC+1: RADIUS: NAS-IP-Address      [4]   6   192.168.254.3
Mon Jun 28 12:22:50 2010: <191>4122: Jun 28 12:22:49.206 UTC+1: RADIUS: Received from id 1645/56 10.221.136.14:1645, Access-Reject, len 20
Mon Jun 28 12:22:50 2010: <191>4123: Jun 28 12:22:49.206 UTC+1: RADIUS: authenticator CC 28 1A 22 28 32 F2 27 - 79 1F 2B 01 32 C5 AD BC
Mon Jun 28 12:22:50 2010: <191>4124: Jun 28 12:22:49.206 UTC+1: RADIUS(00000098): Received from id 1645/56
Mon Jun 28 12:22:52 2010: <187>4125: Jun 28 12:22:50.842 UTC+1: %LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to up
Thx for your help
Pascal

You need to have 3 policies create in IAS. Each will define the ssid and the AD group the user belongs to. So on the wlc, do you have 3 ssids and each has it own vlan?
Sent from Cisco Technical Support iPad App

Radius authentication for privileged access

Hello,
          I have configured Cisco 6513 for radius authentication with following commands.
aaa new-model
aaa authentication login authradius group radius line
aaa accounting exec acctradius start-stop group radius
radius-server host <radius-ip> auth-port 1812 acct-port 1646 key 6912911
line vty 0 4
accounting exec acctradius
login authentication authradius
     This is working pretty fine. I want to configure radius authentication for priviledged access / for enable access.
     I am using TeKRadius as Radius server.
     Please help.
Thanks and Regards,
Pratik

Hi Pratik
Sorry I mostly use only TACACS+ for AAA as it provides better granularity of access controls.
You'll need to make some specific changes to your RADIUS config so that nominated users ( the ones you want to be able to go to enable mode ) get put straight into enable mode upon login.
There's a guide here http://www.blindhog.net/cisco-aaa-login-authentication-with-radius-ms-ias/ which details the steps if you're using the Microsoft IAS radius server - you should be able to figure out that changes you need to make to your own server from there.
Nick
Message was edited by: NickNac79 - Spelt the OP's name wrong, sorry.

PPTP VPN works with local but not RADIUS authentication

iPhone OS v3.1
My VPN server is a Draytek 3300v. The iPhone connects OK when an account is set up locally on the server, but as soon as I switch it to use a RADIUS server (no other settings changed), authentication fails. I have tried 2 different RADIUS servers, with the same result. Immediately after successful authentication comes back from RADIUS, the VPN server log shows:
pppd: peer 'john.smith' authenticate succeed, protocol:49699
MSCHAP-v2 peer authentication succeeded for john.smith
rcvd [LCP TermReq id=0x2]
LCP terminated by peer
pptpd: EOF or bad error reading ctrl packet length
pptpd: cannot read packet header, exit
pptpd: read pptp packet failed
Clients using various versions of Windows all connect OK, but the iPhone fails authentication both over the carrier network and wireless.
Any ideas anyone?

Have you checked the Enterprise Deployment Guide for 3.1? It's at http://www.apple.com/support/iphone/enterprise

ASA , Cisco VPN client with RADIUS authentication

Hi,
I have configured ASA for Cisco VPN client with RADIUS authentication using Windows 2003 IAS.
All seems to be working I get connected and authenticated. However even I use user name and password from Active Directory when connecting with Cisco VPN client I still have to provide these credentials once again when accessing domain resources.
Should it work like this? Would it be possible to configure ASA/IAS/VPN client in such a way so I enter user name/password just once when connecting and getting access to domain resources straight away?
Thank you.
Kind regards,
Alex

Hi Alex,
It is working as it should.
You can enable the vpn client to start vpn before logon. That way you login to vpn and then logon to the domain. However, you are still entering credentials twice ( vpn and domain) but you have access to domain resources and profiles.
thanks
John

Radius authentication with MSCHAP

Similar Messages

Maybe you are looking for