RADIUS CoA Port Bounce query
Hello
I have a question relating to RADIUS CoA Port Bounce.
I'm planning to deploy 802.1x with ISE 1.3 to:
802.1x authenticate corporate desktop PCs (with anyconnect client installed for user and machine authentication) - on successful machine authentication, ISE will dynamically assign a VLAN
Profile Cisco IP phones
In order for an authenticated corporate desktop to pick up an IP address on its dynamically assigned VLAN I was thinking of using CoA Port Bounce. If this desktop was connecting through a successfully profiled Cisco IP phone, am I right in saying that the resulting Port Bounce will also affect the phone (phone will de-register from callmanager)?
Thanks
Andy
Hi Andy, if you are using PoE then on a port-bounce the phone would definitely drop from the network and Call Manager. The phone would basically power down and then power back up.
Now with that being said, you should keep in mind that a port-bounce would remove the existing dot1x session and a new session would be initialized. Thus, the endpoint would end up starting at the original VLAN again and then getting the new VLAN after authorization :) So I guess what I am trying to say is that port-bounce is not the solution for this. Instead, you should consider:
1. Using dACLs instead of dynamic VLANs. That way you can have everyone in the same VLAN but use different dACLs to define network access
2. Continue to use dynamic VLANs but keep in mind that some "dumb" devices won't detect the VLAN change, thus not grabbing a new IP address. The good news is that most modern devices will detect the VLAN change and should grab a new IP. For instance, you should not have any issues with Windows 7 and newer devices
My recommendation is to go with option #1 though as that has always worked for me.
I hope this helps!
Thank you for rating helpful posts!
Similar Messages
-
ISE and CoA 'port bounce' on WLC 7.2
Hi,
I'm trying to get a VLAN change done with CoA and MAB on a WLC 7.2 but it looks like it doesn't disconnect the client, hence no new DHCP request.
Everything is working except 'port bounce'. I can see the new VLAN in the controller; if I do an ifconfig /renew on the client it gets the new subnet and everything works as it should. If I remove the endpoint in ISE it swaps the VLAN again on the controller, but no port bounce...
Is it possible to do this at all?
Page 244/245 in the Configuration guide - RADIUS NAC - Guidelines and Limitations says:
VLAN select is not supported
ISE 1.1.1
WLC 7.2
Thanks
Message was edited by: Mikael Gustafsson
Hi,
So in general there is no easy solution to do a VLAN change for guest users on wireless?
What I'm trying to do is to separate the guest VLAN from the rest of the network.
Where the user first gets the VLAN with the ISE interface in, with ACL for DNS and guest portal, and DHCP proxy from WLC.
After authentication he would get the guest VLAN with only DHCP proxy and a default gw at the fw.
I did try the CoA DHCP option on the guest portal and it's not a good solution: the user needs to interact to accept an applet install, and it's (from what I understand from the UG) only working on Windows. (And I didn't get it to work.)
Thanks
Message was edited by: Mikael Gustafsson -
RADIUS COA on software version 12.4 using 3845 router
We are working to provide dynamic bandwidth control by using RADIUS COA to a 3845 router.
When we issue the COA 3845 rejects the message with invalid session id message.
We are using following instructions to craft RADIUS COA message.
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t2/htipmaaa.html
Hi Manuel,
I have a PPPoE client running directly against the 3845 and terminating PPPoE. Authentication, authorization and accounting work against FreeRADIUS.
Next step for us is to manage subscriber connections by sending COA to change service parameters.
Our system sends RADIUS COA as in below.
You can find the packet dumps, configuration and Cisco log below.
Thank you for responding and looking forward to your next response.
Igor
*** Example with Shaping ***
policy-map SHAPE-TEST
class class-default
shape average 48000
Using: cisco-avpair = "ip:sub-qos-policy-out=SHAPE-TEST"
======================== Packet capture =================================
No. Time Source Destination Protocol Info
1 2000-01-01 08:46:03.257911000 172.16.2.218 172.20.2.55 RADIUS CoA-Request(43) (id=1, l=49)
Frame 1: 91 bytes on wire (728 bits), 91 bytes captured (728 bits)
Arrival Time: Jan 1, 2000 08:46:03.257911000 Eastern Standard Time
Epoch Time: 946734363.257911000 seconds
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 91 bytes (728 bits)
Capture Length: 91 bytes (728 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ip:udp:radius]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: HewlettP_af:82:b5 (2c:27:d7:af:82:b5), Dst: IntelCor_b3:18:58 (00:1b:21:b3:18:58)
Destination: IntelCor_b3:18:58 (00:1b:21:b3:18:58)
Address: IntelCor_b3:18:58 (00:1b:21:b3:18:58)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: HewlettP_af:82:b5 (2c:27:d7:af:82:b5)
Address: HewlettP_af:82:b5 (2c:27:d7:af:82:b5)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 172.16.2.218 (172.16.2.218), Dst: 172.20.2.55 (172.20.2.55)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 77
Identification: 0x5b26 (23334)
Flags: 0x00
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: UDP (17)
Header checksum: 0x8244 [correct]
[Good: True]
[Bad: False]
Source: 172.16.2.218 (172.16.2.218)
Destination: 172.20.2.55 (172.20.2.55)
User Datagram Protocol, Src Port: 57459 (57459), Dst Port: radius-dynauth (3799)
Source port: 57459 (57459)
Destination port: radius-dynauth (3799)
Length: 57
Checksum: 0x6ec3 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Radius Protocol
Code: CoA-Request (43)
Packet identifier: 0x1 (1)
Length: 49
Authenticator: f8ce880960a402b9809f0c173c6c8530
[The response to this request is in frame 2]
Attribute Value Pairs
AVP: l=10 t=Acct-Session-Id(44): 000000C3
Acct-Session-Id: 000000C3
AVP: l=19 t=Vendor-Specific(26) v=Cisco(9)
VSA: l=13 t=Cisco-Policy-Down(38): POLICE-TEST
Cisco-Policy-Down: POLICE-TEST
0000 00 1b 21 b3 18 58 2c 27 d7 af 82 b5 08 00 45 00 ..!..X,'......E.
0010 00 4d 5b 26 00 00 80 11 82 44 ac 10 02 da ac 14 .M[&.....D......
0020 02 37 e0 73 0e d7 00 39 6e c3 2b 01 00 31 f8 ce .7.s...9n.+..1..
0030 88 09 60 a4 02 b9 80 9f 0c 17 3c 6c 85 30 2c 0a ..`.......
0040 30 30 30 30 30 30 43 33 1a 13 00 00 00 09 26 0d 000000C3......&.
0050 50 4f 4c 49 43 45 2d 54 45 53 54 POLICE-TEST
No. Time Source Destination Protocol Info
2 2000-01-01 08:46:03.259029000 172.20.2.55 172.16.2.218 RADIUS CoA-NAK(45) (id=1, l=47)
Frame 2: 89 bytes on wire (712 bits), 89 bytes captured (712 bits)
Arrival Time: Jan 1, 2000 08:46:03.259029000 Eastern Standard Time
Epoch Time: 946734363.259029000 seconds
[Time delta from previous captured frame: 0.001118000 seconds]
[Time delta from previous displayed frame: 0.001118000 seconds]
[Time since reference or first frame: 0.001118000 seconds]
Frame Number: 2
Frame Length: 89 bytes (712 bits)
Capture Length: 89 bytes (712 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ip:udp:radius]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: IntelCor_b3:18:58 (00:1b:21:b3:18:58), Dst: HewlettP_af:82:b5 (2c:27:d7:af:82:b5)
Destination: HewlettP_af:82:b5 (2c:27:d7:af:82:b5)
Address: HewlettP_af:82:b5 (2c:27:d7:af:82:b5)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: IntelCor_b3:18:58 (00:1b:21:b3:18:58)
Address: IntelCor_b3:18:58 (00:1b:21:b3:18:58)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 172.20.2.55 (172.20.2.55), Dst: 172.16.2.218 (172.16.2.218)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 75
Identification: 0xe66e (58990)
Flags: 0x00
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 254
Protocol: UDP (17)
Header checksum: 0x78fd [correct]
[Good: True]
[Bad: False]
Source: 172.20.2.55 (172.20.2.55)
Destination: 172.16.2.218 (172.16.2.218)
User Datagram Protocol, Src Port: radius-dynauth (3799), Dst Port: 57459 (57459)
Source port: radius-dynauth (3799)
Destination port: 57459 (57459)
Length: 55
Checksum: 0xa044 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Radius Protocol
Code: CoA-NAK (45)
Packet identifier: 0x1 (1)
Length: 47
Authenticator: 8edb97b90c05e6ed7c1ce06688723520
[This is a response to a request in frame 1]
[Time from request: 0.001118000 seconds]
Attribute Value Pairs
AVP: l=21 t=Reply-Message(18): No Matching Session
Reply-Message: No Matching Session
AVP: l=6 t=Error-Cause(101): Session-Context-Not-Found(503)
Error-Cause: Session-Context-Not-Found (503)
0000 2c 27 d7 af 82 b5 00 1b 21 b3 18 58 08 00 45 00 ,'......!..X..E.
0010 00 4b e6 6e 00 00 fe 11 78 fd ac 14 02 37 ac 10 .K.n....x....7..
0020 02 da 0e d7 e0 73 00 37 a0 44 2d 01 00 2f 8e db .....s.7.D-../..
0030 97 b9 0c 05 e6 ed 7c 1c e0 66 88 72 35 20 12 15 ......|..f.r5 ..
0040 4e 6f 20 4d 61 74 63 68 69 6e 67 20 53 65 73 73 No Matching Sess
0050 69 6f 6e 65 06 00 00 01 f7 ione.....
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.09.21 10:00:43 =~=~=~=~=~=~=~=~=~=~=~=
ABN-3845#
ABN-3845#sho run
Building configuration...
Current configuration : 2831 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname ABN-3845
boot-start-marker
boot-end-marker
enable password ipdradm
aaa new-model
aaa authentication ppp default local group radius
aaa authentication ppp mounir group radius local
aaa authorization network default local group radius
aaa authorization network mounir group radius
aaa accounting update periodic 1
--More--
aaa accounting exec mounir start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting network mounir start-stop group radius
aaa server radius dynamic-author
client 172.16.2.183
client 172.20.2.234
client 172.20.2.204
client 172.16.2.218
server-key ipdradm
port 3799
auth-type session-key
aaa session-id common
dot11 syslog
ip cef
ip domain name a-bb.net
ip name-server 172.16.0.25
multilink bundle-name authenticated
--More--
vpdn-group mounir
! Default L2TP VPDN group
accept-dialin
protocol pppoe
virtual-template 11
l2tp tunnel receive-window 1024
voice-card 0
no dspfarm
--More--
archive
log config
hidekeys
policy-map POLICE-TEST
class class-default
police 48000 9000 18000 conform-action transmit exceed-action drop violate-action drop
bba-group pppoe global
--More--
virtual-template 11
interface Loopback0
ip address 172.29.1.5 255.255.255.255
interface GigabitEthernet0/0
ip address 172.20.2.55 255.255.255.0
duplex auto
speed auto
media-type rj45
interface GigabitEthernet0/1
ip address 10.30.1.1 255.255.255.0
duplex auto
speed auto
media-type rj45
pppoe enable group global
interface GigabitEthernet0/1.1
encapsulation dot1Q 2
interface Virtual-Template11
--More--
ip unnumbered GigabitEthernet0/1
ppp authentication pap mounir
ppp authorization mounir
ppp accounting mounir
interface Virtual-Template15
ip unnumbered Loopback0
no peer default ip address
ppp authentication pap mounir
ppp authorization mounir
ppp accounting mounir
router ospf 1
router-id 172.29.1.5
log-adjacency-changes
redistribute connected subnets
network 172.20.2.0 0.0.0.255 area 0
network 172.29.1.5 0.0.0.0 area 0
ip forward-protocol nd
no ip http server
--More--
no ip http secure-server
logging 172.20.2.150
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 25 access-request include
radius-server attribute nas-port format d
radius-server host 172.20.2.204 auth-port 1812 acct-port 1813 key ipdradm
radius-server key ipdradm
radius-server vsa send cisco-nas-port
radius-server vsa send accounting
radius-server vsa send authentication
control-plane
--More--
line con 0
line aux 0
line vty 0 4
password ipdradm
scheduler allocate 20000 1000
end
ABN-3845#
ABN-3845#
ABN-3845#
ABN-3845#debug aaa coa
AAA CoA packet processing debugging is on
ABN-3845#debug radius
Radius protocol debugging is on
Radius protocol brief debugging is off
Radius protocol verbose debugging is off
Radius packet hex dump debugging is off
Radius packet protocol debugging is on
Radius elog debugging debugging is off
Radius packet retransmission debugging is off
Radius server fail-over debugging is off
Radius elog debugging debugging is off
ABN-3845#
ABN-3845#
ABN-3845#
ABN-3845#
ABN-3845#
ABN-3845#
ABN-3845#
*Sep 21 13:59:05.380: RADIUS/ENCODE(000000BA):Orig. component type = PPoE
*Sep 21 13:59:05.380: RADIUS/ENCODE(000000BA): Acct-session-id pre-pended with Nas Port = 0/0/1/1
*Sep 21 13:59:05.380: RADIUS(000000BA): Config NAS IP: 0.0.0.0
*Sep 21 13:59:05.380: RADIUS(000000BA): Config NAS IP: 0.0.0.0
*Sep 21 13:59:05.380: RADIUS(000000BA): sending
*Sep 21 13:59:05.380: RADIUS/ENCODE: Best Local IP-Address 172.20.2.55 for Radius-Server 172.20.2.204
*Sep 21 13:59:05.380: RADIUS(000000BA): Send Accounting-Request to 172.20.2.204:1813 id 1646/40, len 322
*Sep 21 13:59:05.380: RADIUS: authenticator 65 F4 15 61 6F AD B1 76 - 45 35 D5 42 9A 3E 2F C7
*Sep 21 13:59:05.380: RADIUS: Acct-Session-Id [44] 18 "0/0/1/1_000000C3"
*Sep 21 13:59:05.380: RADIUS: Vendor, Cisco [26] 41
*Sep 21 13:59:05.380: RADIUS: Cisco AVpair [1] 35 "client-mac-address=f8d1.11a7.167a"
*Sep 21 13:59:05.380: RADIUS: Framed-Protocol [7] 6 PPP [1]
*Sep 21 13:59:05.380: RADIUS: Framed-IP-Address [8] 6 10.30.1.2
*Sep 21 13:59:05.380: RADIUS: User-Name [1] 9 "ipdradm"
*Sep 21 13:59:05.380: RADIUS: Vendor, Cisco [26] 35
*Sep 21 13:59:05.380: RADIUS: Cisco AVpair [1] 29 "connect-progress=LAN Ses Up"
*Sep 21 13:59:05.380: RADIUS: Vendor, Cisco [26] 31
*Sep 21 13:59:05.380: RADIUS: Cisco AVpair [1] 25 "nas-tx-speed=1000000000"
*Sep 21 13:59:05.380: RADIUS: Vendor, Cisco [26] 31
*Sep 21 13:59:05.380: RADIUS: Cisco AVpair [1] 25 "nas-rx-speed=1000000000"
*Sep 21 13:59:05.380: RADIUS: Acct-Session-Time [46] 6 143522
*Sep 21 13:59:05.380: RADIUS: Acct-Input-Octets [42] 6 6382156
*Sep 21 13:59:05.380: RADIUS: Acct-Output-Octets [43] 6 2559911
*Sep 21 13:59:05.380: RADIUS: Acct-Input-Packets [47] 6 224941
*Sep 21 13:59:05.380: RADIUS: Acct-Output-Packets [48] 6 161500
*Sep 21 13:59:05.380: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
*Sep 21 13:59:05.380: RADIUS: Acct-Status-Type [40] 6 Watchdog [3]
*Sep 21 13:59:05.380: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
*Sep 21 13:59:05.380: RADIUS: Vendor, Cisco [26] 15
*Sep 21 13:59:05.380: RADIUS: cisco-nas-port [2] 9 "0/0/1/1"
*Sep 21 13:59:05.380: RADIUS: NAS-Port [5] 6 16777217
*Sep 21 13:59:05.380: RADIUS: NAS-Port-Id [87] 9 "0/0/1/1"
*Sep 21 13:59:05.380: RADIUS: Service-Type [6] 6 Framed [2]
*Sep 21 13:59:05.380: RADIUS: NAS-IP-Address [4] 6 172.20.2.55
*Sep 21 13:59:05.380: RADIUS: Unsupported [151] 10
*Sep 21 13:59:05.380: RADIUS: 44 36 34 41 36 36 31 33 [D64A6613]
*Sep 21 13:59:05.380: RADIUS: Nas-Identifier [32] 19 "ABN-3845.a-bb.net"
*Sep 21 13:59:05.380: RADIUS: Acct-Delay-Time [41] 6 0
*Sep 21 13:59:09.804: RADIUS: acct-timeout for 2DC0CAF4 now 5, acct-jitter -1, acct-delay-time (at 2DC0CC30) now 4
ABN-3845#
ABN-3845#
*Sep 21 13:59:32.708: RADIUS: COA received from id 1 172.16.2.218:50186, CoA Request, len 49
*Sep 21 13:59:32.708: COA: 172.16.2.218 request queued
*Sep 21 13:59:32.708: ++++++ CoA Attribute List ++++++
*Sep 21 13:59:32.708: 65F0A840 0 00000009 string-session-id(337) 8 000000C3
*Sep 21 13:59:32.708: 670B2A10 0 00000009 sub-policy-Out(345) 11 POLICE-TEST
*Sep 21 13:59:32.708:
*Sep 21 13:59:32.708: COA: No matching entry found
*Sep 21 13:59:32.708: COA: Added Reply Message: No Matching Session
*Sep 21 13:59:32.708: COA: Added NACK Error Cause: Session Context Not Found
*Sep 21 13:59:32.708: COA: Sending NAK from port 3799 to 172.16.2.218/50186
*Sep 21 13:59:32.708: RADIUS: 18 21 4E6F204D61746368696E672053657373696F6E
*Sep 21 13:59:32.708: RADIUS: 101 6 000001F7
ABN-3845#
ABN-3845#
ABN-3845#
ABN-3845#
ABN-3845#
ABN-3845#
ABN-3845#
ABN-3845#
-
Guys, would like to know the support for NAC to cisco IOS 12.2(50)SE1 IPBase version (3750).
We have the port bounce feature in a test environment on a 3560 switch with Advanced IP Services IOS 12.2(46)SE and it was working fine, but now we are facing a problem with the 3750.
Any clues...
Hi Tarik,
Thanks for your reply. SNMP settings are perfect since I am able to manage the switch from CAM; I can change the port settings as well, and yes, mac-notification change is added automatically, except bouncing the ports between VLANs.
I'm not sure, but I suspect this could be a problem with the IOS as it is IPBase, but in the test environment it was AdvanceIPservices and everything was perfect. -
ACS 4.1 change Radius listen port
In ACS 3.3 it was possible to specify the radius listen port with registry keys:
[HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\CiscoAAAv3.3\CSRadius]
"AuthenticationPort"=dword:0000064e
"AccountingPort"=dword:0000064f
"AuthenticationPortNew"=dword:0000064c
"AccountingPortNew"=dword:0000064d
This does not work anymore in version 4.1.
Does anyone know how to change the radius listen port in version 4.1 ?
Thanks,
Gerard van Bon
In 4.x all registry config was moved into the SQL Anywhere db.
If you can get hold of the SQL Anywhere dev kit to get the db edit app AND know your ACS database password and then can find the value in the table structure... then yes, you could change the RADIUS listen port. -
WAP 121 support for RADIUS COA
Hi,
I am looking into purchasing WAP121 AP product and understand it supports 802.1x RADIUS.
For an integration with the NAC product from Bradford, I need to know if the WAP121 supports the RADIUS COA standard or at least whether there is a way to disassociate a client through a CLI command.
Thanks in advance.
-chang
Dear Chang,
Thank you for reaching the Small Business Support Community.
None of the Small Business access points support RADIUS CoA nor have CLI access; these are all GUI-configurable devices with just the RADIUS feature.
I suggest you look for an enterprise device and inquire about this feature on the wireless support community forum;
https://supportforums.cisco.com/community/netpro/wireless-mobility
Please do not hesitate to reach me back if there is any further assistance I may help you with.
Kind regards,
Jeffrey Rodriguez S. .:|:.:|:.
Cisco Customer Support Engineer
*Please rate the Post so other will know when an answer has been found. -
I'm having trouble renewing the IP address after a VLAN change after the NAC Agent finishes its posture. The flow is as follows:
1. Wireless client access into the network, is 802.1x
2. NAC Agent successfully validates posture and CoA is issued
3. I see the new Vlan for that client on the WLC, however my captures indicate that no dhcp renewal is issued from the PC to the DHCP Server
This is no guest access so the option for renew the VLAN dhcp is not a feasible one
any comments will be gladly received.
Thanks!
Hello,
I went through your query and for the same I have found the link below which may help in solving it:-
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_client_prov.html -
WCS reports Radius server port 1813 up and down.
Hi all,
Help me on this, please. I use Radius servers 172.20.104.253 and .254 port 1812 to authenticate some wireless clients. However, the .254 keeps failing, deactivated on port 1813 (this is from the log), resulting in some clients not being able to authenticate. How do I approach this? Why does a port 1813 failure affect the authentication, which is on port 1812?
Thanks.
jedubois!
I use Cisco ACS as my radius. For laptops, instead of using a pre-shared key, I use radius to authenticate the laptop. I create a user/password on AD (username is the laptop name). On the laptop, under the Intel Proset/Wireless utility, I create a profile with this username. Upon startup, the Proset/Wireless utility authenticates this user against the radius server, which then gives the laptop wireless connectivity; no pre-shared key needed.
On the WCS event view, the radius server times out (activated and deactivated) every 2 seconds (like you said, it is default). But it is on port 1813, and I configured the radius server on WCS on port 1812.
My questions are what is ideal timeout on each radius server? and why radius server report timeout on port 1813 instead of 1812?
FYI, I ping -t both of my radius servers. And radius servers are available all the time.
Regards. -
Dear All,
I have the following scenario that I need to configure on CSM 4.2(12) (Cisco 6513).
Scenario:
Real IPs: 10.10.10.3 & 10.10.10.4
VIP: 10.10.10.1
When users will access 10.10.10.1 on port 81, 82, 83, 84 & 85. I want to forward port (redirect) this request to port 80.
Is this possible.
Can someone please post the required configuration for the above scenario.
Client and Server vlans are in the same subnet.
Thanks in advance
Regards,
Anser
This is possible.
All you need is to specify the port you want to use by the rserver and by the vserver.
for example
serverfarm MyFarm
rserver 10.10.10.3 80
inservice
rserver 10.10.10.4 80
inservice
vserver MYVIP81
virtual 10.10.10.1 tcp port 81
serverfarm MyFarm
inservice
Gilles. -
Cannot get CoA switch to bounce port
Hi, I am trying to clear up a VLAN change/IP addressing conflict and have configured the profile's associated CoA type to 'port bounce'. I also created an exception action to force CoA with an associate rule in the policy.
I can see the device hit the correct profile upon MAB, and the correct VLAN is applied to the port. However, I never see the port bounce occurring, so the device does not know to release/renew its IP address.
Is there something I'm missing to get the CoA port bounce to happen? Here is my switchport config...
interface GigabitEthernet1/5
description ISE_TEST
switchport access vlan 32
switchport mode access
switchport voice vlan 64
ip access-group ACL-ALLOW in
logging event link-status
authentication event fail action next-method
authentication event server dead action authorize vlan 2700
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer restart 600
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 5
service-policy input QoS-Input-Policy
service-policy output QoS-Host-Port-Output-Policy
end
I did, but my issue was not related to the port bounce itself. It was because arp inspection was identifying the arp based off the port's initial VLAN. Once ISE changed the VLAN, ip arp was denying the port because the address had changed. I disabled arp inspection and it cleared up the issue.
-
CoA Session Query and invalid signature (err=2)!
When the portal/radius client sends a CoA-Req (session query), the ISG responds with a CoA-ACK; however, the portal receives an error message stating “rad_verify: Received CoA-ACK packet from client 172.X.X.X port 3799 with invalid signature (err=2)! (Shared secret is incorrect.)”
The same happens when a CoA-Req (session query) is sent from the Radius Client with an invalid/non-existing portbundle number.
We were expecting an ACK in the first and a NAK in the second case!
Did any one see this before? Please provide inputs if any?
Thanks!
Thank You Admani, I have already done that but just wanted to know if anyone else noticed the same and has a solution, if any?
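The CoA-Request/CoA-NAK pair captured in the 3845 thread above and the 'invalid signature (err=2)' message in this thread both come down to the RFC 5176 packet layout and its MD5 authenticator rule. As an added example (not code from either post), this Python parses the two RADIUS payloads from that capture, looks the CoA's Acct-Session-Id up against the id the router's own accounting debug printed, and builds a constructed request/ACK pair to show the response-authenticator check passing with the right secret and failing with a wrong one; KNOWN_SESSIONS and the secret are assumptions for the demo.

```python
"""Parse RADIUS CoA packets and check their authenticators (RFC 5176).

Added example for this thread, not code from the original posts. COA_REQUEST and
COA_NAK are the UDP payloads from the Wireshark dumps in the 3845 thread (Ethernet,
IP and UDP headers stripped); KNOWN_SESSIONS is the Acct-Session-Id the router's own
accounting debug printed. The secret in coa_roundtrip() is constructed.
"""
import hashlib
import hmac
import struct

CODE_NAMES = {43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
VENDOR_CISCO = 9
ZERO_AUTH = b"\x00" * 16

COA_REQUEST = bytes.fromhex(
    "2b010031"                                    # Code 43, Identifier 1, Length 49
    "f8ce880960a402b9809f0c173c6c8530"            # Request Authenticator
    "2c0a3030303030304333"                        # Acct-Session-Id(44) = "000000C3"
    "1a1300000009260d504f4c4943452d54455354"      # Cisco VSA type 38 = "POLICE-TEST"
)
COA_NAK = bytes.fromhex(
    "2d01002f"                                    # Code 45, Identifier 1, Length 47
    "8edb97b90c05e6ed7c1ce06688723520"            # Response Authenticator
    "12154e6f204d61746368696e672053657373696f6e"  # Reply-Message(18) = "No Matching Session"
    "6506000001f7"                                # Error-Cause(101) = 503
)
# The id under which the router accounts for the PPPoE session ("pre-pended with NAS Port")
KNOWN_SESSIONS = {b"0/0/1/1_000000C3"}

def parse_attributes(data):
    """Walk the attribute TLVs; a Cisco VSA is returned as (26, vendor, vendor_type, value)."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        value = data[pos + 2:pos + alen]
        if atype == 26 and len(value) >= 6 and 2 <= value[5] <= len(value) - 4:
            vendor = struct.unpack("!I", value[:4])[0]
            attrs.append((26, vendor, value[4], value[6:4 + value[5]]))
        else:
            attrs.append((atype, None, None, value))
        pos += alen
    return attrs

def parse_packet(raw):
    """Split header and attributes; reject a packet whose Length field disagrees with the bytes."""
    if len(raw) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length > len(raw):
        raise ValueError("Length %d inconsistent with %d bytes received" % (length, len(raw)))
    return {"code": code, "name": CODE_NAMES.get(code, "code-%d" % code), "identifier": ident,
            "length": length, "authenticator": raw[4:20],
            "attributes": parse_attributes(raw[20:length])}

def authenticator(code, ident, attrs, secret, request_auth=ZERO_AUTH):
    """MD5(Code + ID + Length + Authenticator + Attributes + Secret). A CoA-Request hashes
    16 zero octets in the Authenticator slot; an ACK/NAK hashes the request's authenticator."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def verify(raw, secret, request_auth=ZERO_AUTH):
    """True when the packet's authenticator was produced with this secret. This is the check
    behind a client's 'invalid signature' error; Message-Authenticator(80) is not handled here."""
    pkt = parse_packet(raw)
    expected = authenticator(pkt["code"], pkt["identifier"], raw[20:pkt["length"]], secret, request_auth)
    return hmac.compare_digest(expected, pkt["authenticator"])

def session_lookup(pkt):
    """Exact-match the CoA's Acct-Session-Id against the NAS's table; None is the 'No Matching
    Session' case, which is what the bare "000000C3" in the capture gets against KNOWN_SESSIONS."""
    for atype, _, _, value in pkt["attributes"]:
        if atype == 44 and value in KNOWN_SESSIONS:
            return value.decode()
    return None

def encode_attr(atype, value):
    return bytes([atype, 2 + len(value)]) + value

def encode_cisco_vsa(vtype, value):
    return encode_attr(26, struct.pack("!I", VENDOR_CISCO) + bytes([vtype, 2 + len(value)]) + value)

def coa_roundtrip(secret=b"constructed-secret"):
    """Build a CoA-Request and its CoA-ACK under one constructed secret; return
    (ACK verifies with the right secret, ACK verifies with a wrong secret)."""
    attrs = encode_attr(44, b"0/0/1/1_000000C3") + encode_cisco_vsa(38, b"POLICE-TEST")
    req_auth = authenticator(43, 7, attrs, secret)
    request = struct.pack("!BBH", 43, 7, 20 + len(attrs)) + req_auth + attrs
    ack = struct.pack("!BBH", 44, 7, 20) + authenticator(44, 7, b"", secret, req_auth)
    good = verify(request, secret) and verify(ack, secret, req_auth)
    return good, verify(ack, b"wrong-secret", req_auth)
```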
-
ISE 1.2 Patch 8 - Wired CoA Bug
Hi all,
Just wondering if anyone else is having CoA issues using patch 8 on wired infrastructure? I was troubleshooting CoA this morning in a 5 node deployment (1 x Admin, 1 x Monitoring, 1 x secondary admin/monitoring and 2 x PSN) and found that CoA was not working. I did a debug aaa pod and it said that POD message was dropped due to an unconfigured client and listed off the IP address of the primary admin node that I had initiated the CoA from (in the gui).
I thought this was strange in that I have always believed the CoA comes from the PSNs. I stopped the primary admin and did the same test using the secondary admin and the same error presented this time with the ip address of the secondary admin. I then proceeded to add the admin nodes as dynamic author clients and CoA started to work properly.
So in summary I am wondering whether this is a bug, a misunderstanding on my part or a change to the way that ISE CoA now works?
CoA Not Initiating on Client Machine
Symptoms or Issue: Cisco ISE is not able to identify the specified Network Access Device (NAD).
Conditions: Click the magnifying glass icon in Authentications to display the steps in the Authentication Report. The logs display the following error message:
• 11007 Could not locate Network Device or AAA Client
Possible Causes:
• The administrator did not correctly configure the Network Access Device (NAD) type in Cisco ISE.
• Could not find the network device or the AAA Client while accessing NAS by IP during authentication.
Resolution:
• Add the NAD in Cisco ISE again, verifying the NAD type and settings.
• Verify whether the Network Device or AAA client is correctly configured in Administration > Network Resources > Network Devices
Symptoms or Issue: Users logging into the Cisco ISE network are not experiencing the required Change of Authorization (CoA).
Conditions: Cisco ISE uses port 1700 by default for communicating RADIUS CoA requests from supported network devices.
Possible Causes: Cisco ISE network enforcement points (switches) may be missing key configuration commands, may be assigning the wrong port (for example, a port other than 1700), or have an incorrect or incorrectly entered key.
Resolution: Ensure the following commands are present in the switch configuration file (required on switch to activate CoA and configure the switch):
aaa server radius dynamic-author
client <Monitoring_node_IP_address> server-key <radius_key> -
CoA issues between ISE and 3750x
We are having an issue using the cisco ise 1.1.2 and a 3750x (Version 12.2(58)SE2)
When the radius sends a reauthentication CoA message to the switch, the switch responds with a 'session context not found' reply. I have upgraded the code to the latest levels on both the ISE and switch and still have the same results.
This reauthenticate is needed after the NAC profiler determines the PC is compliant. I am receiving the compliant message from the PC and switch, but because the switch never reauthenticates the client after the CoA request, the client is never granted full access.
I am not sure if the radius server is sending the wrong session id, or if the switch is looking at it wrong.
Please Help...!!!!!
-Debug --
Log Buffer (10000 bytes):
Feb 28 19:34:21.940 UTC: RADIUS: COA received from id 38 10.122.1.82:40171, CoA Request, len 140
Feb 28 19:34:21.940 UTC: COA: 10.122.1.82 request queued
Feb 28 19:34:21.940 UTC: RADIUS: authenticator 62 6B 15 C9 C7 A5 CA 88 - 4F B2 EE 4C A0 3D 9F 50
Feb 28 19:34:21.948 UTC: RADIUS: NAS-IP-Address [4] 6 10.122.1.66
Feb 28 19:34:21.948 UTC: RADIUS: Event-Timestamp [55] 6 1362080061
Feb 28 19:34:21.948 UTC: RADIUS: Message-Authenticato[80] 18
Feb 28 19:34:21.948 UTC: RADIUS: BC B3 BA 2A 11 BD 63 0B 22 7E 82 AA C2 A5 F7 C4 [ *c"~]
Feb 28 19:34:21.948 UTC: RADIUS: Vendor, Cisco [26] 41
Feb 28 19:34:21.948 UTC: RADIUS: Cisco AVpair [1] 35 "subscriber:command=reauthenticate"
Feb 28 19:34:21.948 UTC: RADIUS: Vendor, Cisco [26] 49
Feb 28 19:34:21.948 UTC: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A7A014200000272048AF0F1"
Feb 28 19:34:21.948 UTC: COA: Message Authenticator decode passed
Feb 28 19:34:21.948 UTC: ++++++ CoA Attribute List ++++++
Feb 28 19:34:21.948 UTC: 07353140 0 00000001 nas-ip-address(585) 4 10.122.1.66
Feb 28 19:34:21.948 UTC: 0735375C 0 00000001 Event-Timestamp(430) 4 1362080061(512FB13D)
Feb 28 19:34:21.948 UTC: 0735376C 0 00000009 audit-session-id(794) 24 0A7A014200000272048AF0F1
Feb 28 19:34:21.948 UTC: 0735377C 0 00000009 ssg-command-code(475) 1 32
Feb 28 19:34:21.948 UTC:
Feb 28 19:34:21.957 UTC: AUTH-EVENT: auth_mgr_ch_search_record - Search record in IDC db failed
Feb 28 19:34:21.957 UTC: RADIUS/ENCODE(00000000):Orig. component type = Invalid
Feb 28 19:34:21.957 UTC: RADIUS(00000000): sending
Feb 28 19:34:21.957 UTC: RADIUS(00000000): Send CoA Nack Response to 10.122.1.82:40171 id 38, len 62
Feb 28 19:34:21.957 UTC: RADIUS: authenticator DF 18 2F 59 21 4F 84 E1 - 61 B8 43 B8 01 C5 58 B4
Feb 28 19:34:21.957 UTC: RADIUS: Reply-Message [18] 18
Feb 28 19:34:21.957 UTC: RADIUS: 4E 6F 20 76 61 6C 69 64 20 53 65 73 73 69 6F 6E [ No valid Session]
Feb 28 19:34:21.957 UTC: RADIUS: Dynamic-Author-Error[101] 6 Session Context Not Found [503]
Feb 28 19:34:21.957 UTC: RADIUS: Message-Authenticato[80] 18
Feb 28 19:34:21.957 UTC: RADIUS: 30 C9 AE 52 80 2E A2 54 FF F3 4B C7 28 31 A9 61 [ 0R.TK(1a]
ESWHQFL02-S#
ESWHQFL02-S#
-- Switch Config -
aaa authentication login default group tacacs+ local-case
aaa authentication login local_login local
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group radius
aaa authorization exec default group tacacs+ local
aaa authorization commands 5 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization network default group radius
aaa authorization network auth-list group DOT1X
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 5 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa server radius dynamic-author
client 10.122.1.82 server-key 7 14141B180F0B
client 10.122.1.80 server-key 7 045802150C2E
aaa session-id common
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server host 10.122.1.82 auth-port 1812 acct-port 1813 key 7 13061E010803
radius-server host 10.122.1.80 auth-port 1812 acct-port 1813 key 7 104D000A0618
radius-server deadtime 5
radius-server key 7 030752180500
radius-server vsa send accounting
radius-server vsa send authentication
As per the Cisco recommendation, IOS 12.2(52)SE is suitable for the Catalyst 3750-X and will support all the features without any issues, like MAB, 802.1X, CWA, LWA, COA, VLAN, DACL, SAG, as mentioned in the link below:
http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html.
I see you are using IOS 12.2(58)SE2, which is not recommended. So you can downgrade to IOS 12.2(52)SE, which will solve your issues. -
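The 3750-X debug quoted in this thread, the 2951 debug in the post below it and the 3845 debug earlier on the page all print the same CoA facts in different line shapes: which client sent the request, what session key it carried, and why the NAS answered with a NAK. As an added example (not code from any of the posts), this Python groups such debug output into one event per CoA and lists the NAKs with their session key and Error-Cause, which is the correlation you want before comparing that key with what the RADIUS server believes the session is; SAMPLE_DEBUG is constructed from the 3750-X lines above and RX_ACK is an assumed line shape.

```python
"""Structure Cisco IOS 'debug radius' / 'debug aaa coa' output into CoA events.

Added example for this thread, not code from the original posts. SAMPLE_DEBUG is
constructed from the 3750-X debug quoted above, trimmed to the lines the parser
reads. Every regex matches a line shape that appears on this page, except RX_ACK,
which is an assumed mirror of the 'Send CoA Nack Response' line.
"""
import re

SAMPLE_DEBUG = """\
Feb 28 19:34:21.940 UTC: RADIUS: COA received from id 38 10.122.1.82:40171, CoA Request, len 140
Feb 28 19:34:21.940 UTC: COA: 10.122.1.82 request queued
Feb 28 19:34:21.948 UTC: RADIUS: NAS-IP-Address [4] 6 10.122.1.66
Feb 28 19:34:21.948 UTC: RADIUS: Cisco AVpair [1] 35 "subscriber:command=reauthenticate"
Feb 28 19:34:21.948 UTC: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A7A014200000272048AF0F1"
Feb 28 19:34:21.948 UTC: COA: Message Authenticator decode passed
Feb 28 19:34:21.957 UTC: AUTH-EVENT: auth_mgr_ch_search_record - Search record in IDC db failed
Feb 28 19:34:21.957 UTC: RADIUS(00000000): Send CoA Nack Response to 10.122.1.82:40171 id 38, len 62
Feb 28 19:34:21.957 UTC: RADIUS: Dynamic-Author-Error[101] 6 Session Context Not Found [503]
"""

# RFC 5176 section 3.5 Error-Cause values (the subset a NAS usually returns for CoA)
ERROR_CAUSE = {"Unsupported Attribute": 401, "Missing Attribute": 402,
               "NAS Identification Mismatch": 403, "Invalid Request": 404,
               "Administratively Prohibited": 501, "Session Context Not Found": 503}
ERROR_TEXT = {v: k for k, v in ERROR_CAUSE.items()}

RX_RECEIVED = re.compile(r"COA received from id (?P<ident>\d+) (?P<client>[\d.]+):\d+, (?P<kind>[^,]+), len \d+")
RX_QUEUED = re.compile(r"COA: (?P<client>[\d.]+) request queued")
RX_AVPAIR = re.compile(r'Cisco AVpair\s+\[1\]\s+\d+\s+"(?P<kv>[^"]*)"')
RX_SESSION = re.compile(r'Acct-Session-Id\s+\[44\]\s+\d+\s+"(?P<sid>[^"]*)"')
RX_NAK = re.compile(r"Send CoA Nack Response|Sending NAK from port")
RX_ACK = re.compile(r"Send CoA Ack Response|Sending ACK from port")  # assumed; not shown on the page
# Error-Cause as printed by the 3750-X, by the 2951 (response attribute list) and by the 3845 (text, then raw hex)
RX_ERR = [re.compile(r"Dynamic-Author-Error\[101\]\s+\d+\s+(?P<text>.+?)\s+\[(?P<code>\d+)\]"),
          re.compile(r"error-cause\(272\)\s+\d+\s+(?P<text>\S.*?)\s*$"),
          re.compile(r"Added NACK Error Cause:\s+(?P<text>\S.*?)\s*$"),
          re.compile(r"RADIUS: 101 6 (?P<hex>[0-9A-Fa-f]{8})\s*$")]

def _new_event(events, client, ident, kind):
    ev = {"client": client, "identifier": ident, "kind": kind, "avpairs": {},
          "acct_session_id": None, "result": "pending", "error_text": None, "error_code": None}
    events.append(ev)
    return ev

def parse_coa_debug(text):
    """Group debug lines into one event per CoA request and record how the NAS answered."""
    events, cur = [], None
    for line in text.splitlines():
        m = RX_RECEIVED.search(line)
        if m:
            cur = _new_event(events, m.group("client"), int(m.group("ident")), m.group("kind"))
            continue
        m = RX_QUEUED.search(line)
        if m:  # platforms whose debug starts at 'request queued' (2951 post) open the event here
            if cur is None or cur["result"] != "pending":
                cur = _new_event(events, m.group("client"), None, None)
            continue
        if cur is None:
            continue  # attribute lines before any request line (e.g. accounting) belong to no CoA
        m = RX_AVPAIR.search(line)
        if m:
            key, _, val = m.group("kv").partition("=")
            cur["avpairs"][key.strip()] = val.strip()  # the 2951 output carried a trailing space
            continue
        m = RX_SESSION.search(line)
        if m:
            cur["acct_session_id"] = m.group("sid")
            continue
        for rx in RX_ERR:
            m = rx.search(line)
            if m:
                g = m.groupdict()
                cur["result"] = "NAK"
                if g.get("hex"):
                    cur["error_code"] = int(g["hex"], 16)
                    cur["error_text"] = ERROR_TEXT.get(cur["error_code"])
                else:
                    cur["error_text"] = g["text"]
                    cur["error_code"] = int(g["code"]) if g.get("code") else ERROR_CAUSE.get(g["text"])
                break
        else:
            if RX_NAK.search(line):
                cur["result"] = "NAK"
            elif RX_ACK.search(line):
                cur["result"] = "ACK"
    return events

def failed_coas(events):
    """(client, identifier, command, session key, Error-Cause) per NAK; the key is the
    audit-session-id AV pair when present, else the Acct-Session-Id attribute."""
    rows = []
    for ev in events:
        if ev["result"] == "NAK":
            key = ev["avpairs"].get("audit-session-id") or ev["acct_session_id"]
            rows.append((ev["client"], ev["identifier"], ev["avpairs"].get("subscriber:command"),
                         key, ev["error_code"]))
    return rows
```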
Hello Guys,
I am using a Cisco 2951 with 15.3(3)M1, and when doing some tests with CoA I got the following error:
*Nov 7 10:34:24.780: COA: 1.1.1.1 request queued
*Nov 7 10:34:24.780: RADIUS: authenticator 52 CF BB 58 BB D5 69 4E - 59 3B 09 75 E9 83 54 4C
*Nov 7 10:34:24.780: RADIUS: User-Name [1] 2 ""
*Nov 7 10:34:24.780: RADIUS: Acct-Session-Id [44] 10 "0000002B"
*Nov 7 10:34:24.780: RADIUS: Vendor, Cisco [26] 42
*Nov 7 10:34:24.780: RADIUS: Cisco AVpair [1] 36 "subscriber:command=reauthenticate "
*Nov 7 10:34:24.780: RADIUS: Message-Authenticato[80] 18
*Nov 7 10:34:24.780: RADIUS: B6 78 8B EA DE 3B 73 26 57 53 C0 E7 47 89 2C 6D [ x;s&WSG,m]
*Nov 7 10:34:24.780: COA: Message Authenticator decode passed
*Nov 7 10:34:24.780: ++++++ CoA Attribute List ++++++
*Nov 7 10:34:24.780: 01EEAF6C 0 00000081 username(450) 0
*Nov 7 10:34:24.780: 01EEB7EC 0 00000001 session-id(408) 4 43(2B)
*Nov 7 10:34:24.780: 01EEB820 0 00000081 ssg-command-code(490) 1 32
*Nov 7 10:34:24.780:
*Nov 7 10:34:24.780: ++++++ Received CoA response Attribute List ++++++
*Nov 7 10:34:24.780: 01EEB7EC 0 00000082 reply-message(273) 16 No valid Session
*Nov 7 10:34:24.780: 01EEB820 0 00000002 error-cause(272) 4 Session Context Not Found
This is very strange, because the session-id is correct.
Can anyone advice me on this? Thanks!
David
Hello Manuel,
Thanks for all your help. Here is the show output
LNS#show subscriber session uid 47 detailed internal
Subscriber session handle: EC00005E, state: connected, service: Local Term
Unique Session ID: 47
Identifier: [email protected]
SIP subscriber access type(s): VPDN/PPP
Root SIP Handle: 5300005D, PID: 313
Child SIP Handle: 7900002F, PID: 318
Current SIP options: Req Fwding/Req Fwded
Session Up-time: 19:52:55, Last Changed: 19:52:55
Switch handle: 211E
Interface: Virtual-Access2.2
Policy information:
Context 10EC39C0: Handle 7B00002F
AAA_id 0000003B: Flow_handle 0
Authentication status: authen
Policy internals:
Policy state : wait-for-events
Authorization type : AAA service
Active key : apply-config-only
Authorization active key : Auth-User
Last top level rule type : session-service-found
Client : SM
Last message from client : Apply Config Success
Last message to client : Apply Config Success
Current key list from client :
Identifier: Auth-Domain = "xxx.xx"
Identifier: Protocol-Type = 0 (PPP Access Protocol)
Identifier: Session-Handle = 3959423070 (EC00005E)
Identifier: Tunnel-Name = "LNS"
Identifier: Media-Type = 2 (IP)
Identifier: Input Interface = "GigabitEthernet0/1.2000"
Identifier: AAA-Acct-Enbl = 1 (YES)
Identifier: Authen-Status = 0 (Authenticated)
Identifier: Nasport = Vty Terminal: port 47 IP 69.17.193.90
Identifier: Auth-User = "[email protected]"
Network plumbing done yet : Yes
Network plumbing directive proposed : None
AIE handle : 2B00002F
AIE user ID : 47
AAA user ID : 0000003B/59
Authorization index : 0
Authorization priority : 1
Context : 7B00002F
North handle : 00000000
North callback : 00000000
South handle : EC00005E
South callback : 06B898A8
Current access-type : PPP
All access-types : [0] VPDN
: [1] PPP
No more keys available from : PPP
Session activated : Yes
Session inbound features:
Feature: QoS Policy Map
Input Policy Map: INTERNET-15Mb-IN
Session outbound features:
Feature: QoS Policy Map
Output Policy Map: INTERNET-15Mb-OUT
Configuration sources associated with this session:
Interface: Virtual-Template1, Active Time = 19:52:55
Pending status associated with this session:
Bind status: Success, Delay delete: No, Pending mask: 0
And the debug output for a reauthenticate command
*Nov 8 10:21:58.367: RADIUS: COA received from id 1 x.x.x.x:60590, CoA Request, len 108
*Nov 8 10:21:58.367: COA: x.x.x.x request queued
*Nov 8 10:21:58.367: RADIUS: authenticator 1D 92 FF 04 43 EA 0E 11 - DE 49 2F AE 81 46 42 78
*Nov 8 10:21:58.367: RADIUS: User-Name [1] 18 [email protected]
*Nov 8 10:21:58.367: RADIUS: Acct-Session-Id [44] 10 "0000003B"
*Nov 8 10:21:58.367: RADIUS: Vendor, Cisco [26] 42
*Nov 8 10:21:58.367: RADIUS: Cisco AVpair [1] 36 "subscriber:command=reauthenticate "
*Nov 8 10:21:58.367: RADIUS: Message-Authenticato[80] 18
*Nov 8 10:21:58.367: RADIUS: 7F CA 0A 96 A7 4C 5F 05 57 33 4D 36 D6 7A 37 7E [ L_W3M6z7~]
*Nov 8 10:21:58.367: COA: Message Authenticator decode passed
*Nov 8 10:21:58.367: ++++++ CoA Attribute List ++++++
*Nov 8 10:21:58.367: 01FCE77C 0 00000081 username(450) 16 [email protected]
*Nov 8 10:21:58.367: 01FCFBAC 0 00000001 session-id(408) 4 59(3B)
*Nov 8 10:21:58.367: 01FCFBE0 0 00000081 ssg-command-code(490) 1 32
*Nov 8 10:21:58.367:
*Nov 8 10:21:58.367: RADIUS/ENCODE(00000000):Orig. component type = Invalid
*Nov 8 10:21:58.367: RADIUS(00000000): sending
*Nov 8 10:21:58.367: RADIUS(00000000): Send CoA Nack Response to 69.17.193.4:60590 id 1, len 62
*Nov 8 10:21:58.367: RADIUS: authenticator A3 EC 85 01 C3 31 E2 B3 - 25 22 38 79 DA 8E 95 46
*Nov 8 10:21:58.367: RADIUS: Reply-Message [18] 18
*Nov 8 10:21:58.367: RADIUS: 4E 6F 20 76 61 6C 69 64 20 53 65 73 73 69 6F 6E [ No valid Session]
*Nov 8 10:21:58.367: RADIUS: Dynamic-Author-Error[101] 6 Session Context Not Found [503]
*Nov 8 10:21:58.367: RADIUS: Message-Authenticato[80] 18
*Nov 8 10:21:58.367: RADIUS: AC 83 2A 7C DE 7D 78 8E B7 91 C9 F0 16 8B 86 D2 [ *|}x]
Even the PoD is not working
*Nov 8 10:24:04.022: RADIUS: POD received from id 4 x.x.x.x:57061, POD Request, len 66
*Nov 8 10:24:04.022: POD: 69.17.193.4 request queued
*Nov 8 10:24:04.022: ++++++ POD Attribute List ++++++
*Nov 8 10:24:04.022: 01FCFBAC 0 00000081 username(450) 16
[email protected]
*Nov 8 10:24:04.022: 01FCE77C 0 00000001 session-id(408) 4 59(3B)
*Nov 8 10:24:04.022: 01FCE7B0 0 00000081 Message-Authenticator(274) 16 20 2C D0 32 B2 B7 70 BC CE 0F 57 30 8A 0B 52 B7
*Nov 8 10:24:04.022:
*Nov 8 10:24:04.022: RADIUS/ENCODE(00000000):Orig. component type = Invalid
*Nov 8 10:24:04.022: RADIUS(00000000): sending
*Nov 8 10:24:04.022: RADIUS(00000000): Send Disconnect Nack Response to x.x.x.x:57061 id 4, len 44
*Nov 8 10:24:04.022: RADIUS: authenticator 86 6C A4 7E EC E6 D8 DA - 30 03 38 E7 51 03 78 86
*Nov 8 10:24:04.022: RADIUS: Reply-Message [18] 18
*Nov 8 10:24:04.022: RADIUS: 4E 6F 20 76 61 6C 69 64 20 53 65 73 73 69 6F 6E [ No valid Session]
*Nov 8 10:24:04.022: RADIUS: Dynamic-Author-Error[101] 6 Session Context Not Found [503]
Thanks!!
David -
Hi *,
I have the following problem with RADIUS and EAP authentication.
Radius server sends an "Access-Accept" packet to my AP, but the station does not authenticate.
I've tried with different encryption configuration and with different authentication methods under "dot11 essid", but nothing changes...
What could it be?
Debug piece and configuration follows:
*Jan 25 14:23:34.795: RADIUS/ENCODE(00000012): acct_session_id: 17
*Jan 25 14:23:34.795: RADIUS(00000012): sending
*Jan 25 14:23:34.799: RADIUS: 4E 47 56 7A 78 65 4A 4F 55 31 47 40 77 6C 61 6E [NGVzxeJOU1G@wlan]
*Jan 25 14:23:34.799: RADIUS: 2E 6D 6E 63 30 30 31 2E 6D 63 63 30 30 31 2E 33 [.mnc001.mcc001.3]
*Jan 25 14:23:34.799: RADIUS: 67 70 70 6E 65 74 77 6F 72 6B 2E 6F 72 67 [gppnetwork.org]
*Jan 25 14:23:34.799: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
*Jan 25 14:23:34.799: RADIUS: NAS-Port [5] 6 265
*Jan 25 14:23:34.799: RADIUS: NAS-Port-Id [87] 5 "265"
*Jan 25 14:23:34.799: RADIUS: NAS-IP-Address [4] 6 192.168.173.2
*Jan 25 14:23:34.811: RADIUS/DECODE: EAP-Message fragments, 20, total 20 bytes
*Jan 25 14:23:34.831: RADIUS/ENCODE(00000012):Orig. component type = DOT11
*Jan 25 14:23:34.831: RADIUS: AAA Unsupported Attr: ssid [265] 8
*Jan 25 14:23:34.831: RADIUS: 57 69 66 69 45 41 [WifiEA]
*Jan 25 14:23:34.831: RADIUS: AAA Unsupported Attr: interface [157] 3
*Jan 25 14:23:34.831: RADIUS: 32 [2]
*Jan 25 14:23:34.831: RADIUS(00000012): Config NAS IP: 192.168.173.2
*Jan 25 14:23:34.831: RADIUS/ENCODE(00000012): acct_session_id: 17
*Jan 25 14:23:34.835: RADIUS(00000012): sending
*Jan 25 14:23:34.835: RADIUS: 10 01 00 01 07 05 00 00 D9 37 C3 D9 79 3E 33 EA [?????????7??y>3?]
*Jan 25 14:23:34.835: RADIUS: F3 7D 73 43 BF BA D0 6A [?}sC???j]
*Jan 25 14:23:34.835: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
*Jan 25 14:23:34.835: RADIUS: NAS-Port [5] 6 265
*Jan 25 14:23:34.835: RADIUS: NAS-Port-Id [87] 5 "265"
*Jan 25 14:23:34.835: RADIUS: NAS-IP-Address [4] 6 192.168.173.2
*Jan 25 14:23:35.035: RADIUS: Received from id 1645/64 192.168.177.158:1812, Access-Challenge, len 304
*Jan 25 14:23:35.039: RADIUS: 46 10 78 5F 5F B0 CB 6C 0B 05 00 00 DA C3 BF 28 [F?x__??l???????(]
*Jan 25 14:23:35.039: RADIUS: E0 18 2B 95 97 C2 0A D7 40 53 FE 62 [??+?????@S?b]
*Jan 25 14:23:35.039: RADIUS(00000012): Received from id 1645/64
*Jan 25 14:23:35.039: RADIUS/DECODE: EAP-Message fragments, 60+220, total 280 bytes
*Jan 25 14:23:35.355: RADIUS/ENCODE(00000012):Orig. component type = DOT11
*Jan 25 14:23:35.355: RADIUS: AAA Unsupported Attr: ssid [265] 8
*Jan 25 14:23:35.355: RADIUS: 57 69 66 69 45 41 [WifiEA]
*Jan 25 14:23:35.355: RADIUS: AAA Unsupported Attr: interface [157] 3
*Jan 25 14:23:35.359: RADIUS: 92 DA 5E 26 CF 40 01 22 7A 8E F5 C1 [??^&?@?"z???]
*Jan 25 14:23:35.359: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
*Jan 25 14:23:35.359: RADIUS: NAS-Port [5] 6 265
*Jan 25 14:23:35.359: RADIUS: NAS-Port-Id [87] 5 "265"
*Jan 25 14:23:35.359: RADIUS: NAS-IP-Address [4] 6 192.168.173.2
*Jan 25 14:23:35.367: RADIUS: Received from id 1645/65 192.168.177.158:1812, Access-Accept, len 30
*Jan 25 14:23:35.367: RADIUS: authenticator 8C 2C 1B 97 82 BB 6C 7F - AA D3 4A AB CA 22 8B B7
*Jan 25 14:23:35.367: RADIUS: EAP-Message [79] 10
*Jan 25 14:23:35.367: RADIUS: 03 01 00 04 00 00 00 00 [????????]
*Jan 25 14:23:35.371: RADIUS(00000012): Received from id 1645/65
*Jan 25 14:23:35.371: RADIUS/DECODE: EAP-Message fragments, 8, total 8 bytes
*Jan 25 14:23:35.671: %DOT11-7-AUTH_FAILED: Station d023.dbb8.d6a9 Authentication failed
Config:
aaa new-model
!
aaa group server radius rad_eap
 server-private 192.168.177.158 auth-port 1812 acct-port 1813 key 7 044803071D2448
!
aaa authentication login eap_methods group rad_eap
aaa authorization exec default if-authenticated
aaa authorization network default if-authenticated
!
aaa session-id common
ip name-server 192.168.177.45
!
dot11 ssid WifiEAP1
 vlan 10
 authentication open eap eap_methods
 authentication shared eap eap_methods
 authentication key-management wpa optional
 guest-mode
!
bridge irb
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 10 mode ciphers aes-ccm tkip wep128
 !
 broadcast-key vlan 10 change 300
 !
 ssid WifiEAP1
 !
 antenna gain 0
 station-role root
!
interface Dot11Radio0.10
 encapsulation dot1Q 10 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
 ip address 192.168.173.3 255.255.255.0
 no ip route-cache
!
interface GigabitEthernet0.1
 encapsulation dot1Q 10 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 192.168.173.2 255.255.255.0
 no ip route-cache
!
ip radius source-interface BVI1
bridge 1 route ip
thanks so much!
Stefano: not sure if related but there is an unsupported attribute in the debugs:
Jan 25 14:23:35.355: RADIUS: AAA Unsupported Attr:
*Jan 25 14:23:35.355: RADIUS: 57 69 66 69 45 41
*Jan 25 14:23:35.355: RADIUS: AAA Unsupported Attr: interface
Try to eliminate any configured attributes on radius except those in IETF radius. Then try again.
You may also check by removing the shared eap as suggested above. Let us know if this works.
Sent from Cisco Technical Support iPad App
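The two exchanges quoted in the threads above, David's CoA-Request that the router answers with a CoA-NAK carrying Error-Cause 503 (Session Context Not Found), and Stefano's 30-byte Access-Accept that holds nothing but a 10-byte EAP-Message, as an added Python example that is not code from the original posts or from Cisco. It parses RADIUS attributes (expanding Cisco and Microsoft vendor-specific sub-attributes), builds a CoA-Request and the matching NAK with the Message-Authenticator and authenticators computed the way RFC 5176 specifies, verifies a received Message-Authenticator, decodes the NAK's Error-Cause, and flags an Access-Accept that lacks MS-MPPE-Recv-Key, the attribute a WPA/802.1X access point needs to derive the PMK. The shared secret, user name and session id are constructed values, not the ones in the debugs.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 2865, RFC 5176) and the attribute types that appear in the debugs above.
ACCESS_ACCEPT, COA_REQUEST, COA_NAK = 2, 43, 45
USER_NAME, REPLY_MESSAGE, VENDOR_SPECIFIC, ACCT_SESSION_ID = 1, 18, 26, 44
EAP_MESSAGE, MESSAGE_AUTHENTICATOR, ERROR_CAUSE = 79, 80, 101
CISCO, CISCO_AVPAIR, MICROSOFT, MS_MPPE_RECV_KEY = 9, 1, 311, 17  # VSA vendor ids and sub-types
SESSION_CONTEXT_NOT_FOUND = 503  # Error-Cause value carried by the CoA-NAK in the debug
ZERO16 = bytes(16)
SECRET = b"constructed-shared-secret"  # constructed; not one of the key 7 strings on the page

def parse_attributes(packet):
    """[(type, value)] for a RADIUS packet; VSAs expand to ((26, vendor_id, sub_type), value)."""
    length = struct.unpack(">H", packet[2:4])[0]
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS Length field does not match the packet")
    attrs, i = [], 20
    while i < length:
        t, l = packet[i], packet[i + 1]
        if l < 2 or i + l > length:
            raise ValueError("malformed attribute at offset %d" % i)
        v = packet[i + 2:i + l]
        if t == VENDOR_SPECIFIC and len(v) >= 6:
            vendor, j = struct.unpack(">I", v[:4])[0], 4
            while j + 2 <= len(v):
                st, sl = v[j], v[j + 1]
                if sl < 2 or j + sl > len(v):
                    raise ValueError("malformed vendor sub-attribute")
                attrs.append(((VENDOR_SPECIFIC, vendor, st), v[j + 2:j + sl]))
                j += sl
        else:
            attrs.append((t, v))
        i += l
    return attrs

def vsa(vendor, sub_type, value):
    """Encode one Vendor-Specific sub-attribute (RFC 2865 section 5.26)."""
    return struct.pack(">IBB", vendor, sub_type, 2 + len(value)) + value

def assemble(code, ident, authenticator, attrs):
    """Header + authenticator + attribute TLVs, with the Length field filled in."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    return struct.pack(">BBH", code, ident, 20 + len(body)) + authenticator + body

def _message_authenticator(code, ident, header_auth, attrs, secret):
    # HMAC-MD5 over the whole packet with the Message-Authenticator value set to 16 zero octets.
    draft = assemble(code, ident, header_auth, attrs + [(MESSAGE_AUTHENTICATOR, ZERO16)])
    return hmac.new(secret, draft, hashlib.md5).digest()

def build_coa_request(ident, secret, attrs):
    """CoA-Request: MA over a zeroed header authenticator, then Request Authenticator = MD5(packet + secret)."""
    signed = attrs + [(MESSAGE_AUTHENTICATOR, _message_authenticator(COA_REQUEST, ident, ZERO16, attrs, secret))]
    req_auth = hashlib.md5(assemble(COA_REQUEST, ident, ZERO16, signed) + secret).digest()
    return assemble(COA_REQUEST, ident, req_auth, signed)

def build_coa_nak(request, secret, error_cause, reply_text):
    """CoA-NAK as the NAS sends it when no session matches; MA keyed over the request's authenticator."""
    ident, req_auth = request[1], request[4:20]
    attrs = [(REPLY_MESSAGE, reply_text.encode()), (ERROR_CAUSE, struct.pack(">I", error_cause))]
    signed = attrs + [(MESSAGE_AUTHENTICATOR, _message_authenticator(COA_NAK, ident, req_auth, attrs, secret))]
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + secret)
    resp_auth = hashlib.md5(assemble(COA_NAK, ident, req_auth, signed) + secret).digest()
    return assemble(COA_NAK, ident, resp_auth, signed)

def verify_message_authenticator(packet, secret, request_authenticator=None):
    """Requests are checked with a zeroed header authenticator, responses with the request's."""
    ma_off, i = None, 20
    while i + 2 <= len(packet) and packet[i + 1] >= 2:
        if packet[i] == MESSAGE_AUTHENTICATOR and packet[i + 1] == 18:
            ma_off = i + 2
        i += packet[i + 1]
    if ma_off is None:
        return False
    header = ZERO16 if request_authenticator is None else request_authenticator
    zeroed = packet[:4] + header + packet[20:ma_off] + ZERO16 + packet[ma_off + 16:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), packet[ma_off:ma_off + 16])

def coa_error_cause(packet):
    """(Error-Cause, Reply-Message) from a CoA-NAK, e.g. (503, 'No valid Session')."""
    attrs = dict(parse_attributes(packet))
    cause, msg = attrs.get(ERROR_CAUSE), attrs.get(REPLY_MESSAGE)
    return (struct.unpack(">I", cause)[0] if cause else None, msg.decode() if msg else None)

def accept_lacks_keying_material(packet):
    """True for an Access-Accept with an EAP-Message but no MS-MPPE-Recv-Key: no PMK for the WPA handshake."""
    types = [t for t, _ in parse_attributes(packet)]
    return packet[0] == ACCESS_ACCEPT and EAP_MESSAGE in types and (VENDOR_SPECIFIC, MICROSOFT, MS_MPPE_RECV_KEY) not in types

def demo():
    """Constructed packets shaped like the two debugs above (user name, ids and secret are made up)."""
    attrs = [(USER_NAME, b"user@example.invalid"), (ACCT_SESSION_ID, b"0000003B"),
             (VENDOR_SPECIFIC, vsa(CISCO, CISCO_AVPAIR, b"subscriber:command=reauthenticate"))]
    req = build_coa_request(1, SECRET, attrs)
    nak = build_coa_nak(req, SECRET, SESSION_CONTEXT_NOT_FOUND, "No valid Session")
    # 20-byte header + a single 10-byte EAP-Message (EAP Success) = 30 bytes, no MPPE keys.
    accept = assemble(ACCESS_ACCEPT, 65, bytes(range(16)), [(EAP_MESSAGE, bytes.fromhex("0301000400000000"))])
    return req, nak, accept
```

In Stefano's debug the Access-Accept is reported as len 30, which is exactly the 20-byte header plus the 10-byte EAP-Message and nothing else, so accept_lacks_keying_material() fires on it; with "authentication key-management wpa" on the SSID, an Accept without MS-MPPE-Recv-Key is one thing worth checking on the RADIUS server side when the server says Accept but the AP logs AUTH_FAILED. For David's case the NAK decode shows how the 503 arrives on the wire: the session lookup keys (User-Name, Acct-Session-Id) are carried as plain attributes, and the NAS answers with Reply-Message and Error-Cause after the Message-Authenticator has already passed, so the failure is in matching the session, not in the shared secret.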