Radius command

I have searched for an explanation of the following command, but it is not available on the command lookup tool:
radius-server attribute 55 access-request include
Could somebody enlighten me on the meaning of this?
Thanks

Hi,
maybe this link
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_command_reference_chapter09186a0080385729.html
is what you're looking for.
HTH
Mark

Similar Messages

  • Looking for info on "test wlan dot1x radius" command

    Is there a way to perform RADIUS connectivity and optionally basic auth testing, without a client?
    I see the "test wlan dot1x radius" command in the CLI which looks promising, but I can't find any info on it. 
    The "test ..." commands aren't in the Command Reference (?!)
    Can anyone provide any info on how the above command works (if at all)
    Thanks in advance

    For testing radius, I use NTRadPing. Might be a better option for you.
    http://www.novell.com/coolsolutions/tools/14377.html

  • Cisco 4.2 radius command authorization

    Hi,
    I am trying to do command authorization in radius. I have searched but I couldn't get any luck.
    Is it possible to do this? If yes, can anyone tell me the steps? It would be great.
    Thanks,

    IOS does support command authorization, however, only with TACACS (updated by paul)
    Very nice configuration example on command authorization with TACACS
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#backinfo
    Rgds, Jatin
    Do rate helpful posts~

  • TCL and Radius, not getting a ACCESS-REQUEST /ACCEPT / REJECT

    I'm trying to set up TCL for PREPAID. I'm told by the person who's making the script that no ACCESS-REQUEST is going through to the RADIUS SERVER (FREE RADIUS).
    Anyone have any ideas?? Here's a debug output...
    Feb 25 21:36:36.798: RADIUS(0000229C): Config NAS IP: 0.0.0.0
    Feb 25 21:36:36.798: RADIUS(0000229C): sending
    Feb 25 21:36:36.802: RADIUS/ENCODE: Best Local IP-Address 66.38.123.145 for Radius-Server 66.38.193.149
    Feb 25 21:36:36.802: RADIUS(0000229C): Send Accounting-Request to 66.38.193.149:1646 id 21829/176, len 213
    Feb 25 21:36:36.802: RADIUS: authenticator B5 29 CF 05 BE 7E 9C F8 - FE 15 76 F2 9F 32 3D 55
    Feb 25 21:36:36.802: RADIUS: Acct-Session-Id [44] 139 "14714/16:36:36.794 EST Fri Feb 25 2005/Router./1E30B8A1 86AC11D9 81649A83 4E410D97/originate/VoIP/////1E30B8A1 86AC11D9 81649A83 4E410D97"
    Feb 25 21:36:36.806: RADIUS: User-Name [1] 12 "1111111111"
    Feb 25 21:36:36.806: RADIUS: Acct-Status-Type [40] 6 Start [1]
    Feb 25 21:36:36.806: RADIUS: Calling-Station-Id [31] 12 "4169237347"
    Feb 25 21:36:36.806: RADIUS: Called-Station-Id [30] 6 "1111"
    Feb 25 21:36:36.806: RADIUS: Service-Type [6] 6 Login [1]
    Feb 25 21:36:36.806: RADIUS: NAS-IP-Address [4] 6 66.38.123.145
    Feb 25 21:36:36.806: RADIUS: Acct-Delay-Time [41] 6 0
    Feb 25 21:36:36.834: RADIUS(0000229C): Config NAS IP: 0.0.0.0
    Feb 25 21:36:36.834: RADIUS(0000229C): sending
    Feb 25 21:36:36.834: RADIUS/ENCODE: Best Local IP-Address 66.38.123.145 for Radius-Server 66.38.193.149
    Feb 25 21:36:36.834: RADIUS(0000229C): Send Accounting-Request to 66.38.193.149:1646 id 21829/177, len 322
    Feb 25 21:36:36.838: RADIUS: authenticator 11 18 AA 5F 2A 1D C6 5D - FD D5 85 A7 77 D3 08 CB
    Feb 25 21:36:36.838: RADIUS: Acct-Session-Id [44] 218 "14714/16:36:36.786 EST Fri Feb 25 2005/Router./1E30B8A1 86AC11D9 81649A83 4E410D97/originate/VoIP/16:36:36.830 EST Fri Feb 25 2005/16:36:36.830 EST Fri Feb 25 2005/1C/66.38.193.148/1E30B8A1 86AC11D9 81649A83
    thanks,
    Paul

    Maybe you miss some radius commands:
    aaa authentication login h323 group radius
    aaa authorization exec h323 group radius
    best regards
    Grzegorz

  • Cisco WLC 5508 - NPS Radius

    Cisco WLC 5508
    Software Version: 7.4.100.0
    Windows Server 2008R2
    I've got everything setup on the Windows Server 2008 side of things (certificates, radius clients, etc)
    I added the radius server on the WLC, and configured a new WLAN to use it.
    Both are on the same subnet.
    When trying to connect to the WLAN it kept failing.  I installed wireshark on the server to monitor the radius traffic, and to my surprise there was no radius traffic showing up on the server.  The radius statistics on the WLC are at 0 as well, so it's like the WLC isn't even attempting Radius.
    I reverified that the server was enabled on both the security tab and the WLAN itself on the WLC.  Rebooted the controller and the server, all to no avail.  I used a radius test client, and can successfully send radius commands to the server using that utility.
    Frustrated, I just kept trying to reconnect on my wireless device, and after about the 15th try, finally I saw radius activity on wireshark.  It rejected my access, but at least I saw activity.  It also registered radius statistics on the WLC as well.
    So now if I keep trying to connect repeatedly, about every dozen or so times the WLC actually will send a radius request to the server.
    What in the world is going on here?

    I do have local management users on the controller.
    Some hours later I added the option of authenticating management users, for the NPS server. Then logged in to the management GUI using NPS radius, worked just fine.
    However, these commands have been useful to me several times, to make sure unsuccessful requests appear in the Windows Event log:
    auditpol /get /subcategory:"Network Policy Server"
    If it shows ‘No auditing’ or just "Success", you can run this command to enable it:
    auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
    So now I know that the NPS radius server works, for management access. I will go to the customer's site some other day to test it for 802.1x authentication. If not, I'll do some debugging to decide which to blame - the WLC or NPS.

  • Missing aaa accounting commands

    Hi,
    I might be being REALLY STUPID, but I am trying to config a 12.3 IOS router to send command accounting records to an ACS 3.3 server via RADIUS.
    When I input the 'aaa accounting commands 15 default group radius' command, it is accepted by the router, but show the config, and it's not there. This is the same for all command levels. This router is logging VoIP accounting records too, to the same RADIUS box, without problems.
    Have I missed something about setting up AAA?
    Grateful for any help!
    Thanks
    Pete Moore

    Even if IOS did support it, the format of any RADIUS cmd accounting will be inferior for a couple of reasons
    1) The ACS TACACS+ reports are totally geared up for this with pre-defined columns for each T+ attribute.
    2) ACS has a dedicated cmd accounting report which splits out cmds from sessions
    3) To package in RADIUS, IOS would have to create many cisco-av-pair VSA instances. In the RADIUS accounting logs these will all be compressed into a single column of the format
    "attr1=value1;attr2=value2;..."
    Depending on what you want to do with the data this format is quite restrictive.
    My advice is to enable TACACS+
    Darran

  • WLC 4400 and multiple authentication servers e.g. RADIUS, ACS

    Can the WLC 4400 be set up to use multiple RADIUS servers? The user accounts for accessing wireless would use a RADIUS server. The administrative accounts for the WLC would reside on an ACS server.

    Yes, that is correct. You can set acs to use both radius and tacacs.
    For this you need to add WLC twice in acs-->network configuration. But you need to keep host name different.
    eg 1) Host name WLC --->IP x.x.x.x -->Auth using -->radius
    2) Host name WLC1--->IP x.x.x.x --->Auth using -->Tacacs.
    You need to set up tacacs commands on WLC along with radius commands.
    Regards,
    ~JG
    Please rate helpful posts

  • Radius broke my IOS?

    while configuring a 3560G for aaa\radius my router froze and had to be manually booted.
    aaa settings are ok, didn't get any problems with this part
    but when I started typing the radius commands... oh boy!
    this is the first line: ip radius source-interface Vlan200
    then this is the second command which broke it all:
    radius-server host 192.168.200.x auth-port 1645 acct-port 1646 key 7 password
    any idea what & why this command would break and how can I configure my radius without breaking the switch?

    This example shows how to enable AAA, use RADIUS authentication and enable device tracking:
    Switch# configure terminal
    Switch(config)# aaa new-model
    Switch(config)# aaa authentication login default group radius
    Switch(config)# aaa authorization auth-proxy default group radius
    Switch(config)# radius-server host key key1
    Switch(config)# radius-server attribute 8 include-in-access-req
    Switch(config)# radius-server vsa send authentication
    Switch(config)# ip device tracking
    Switch(config)# end

  • IAS dot1x dynamic VLAN assignment not working

    I have a windows 2003 server with AD and IAS configured. IAS uses AD for authentication. I have AAA login configured and working. I have AAA dot1x configured on the 3550 switch. IAS has a Wired Ethernet policy configured for PEAP and is sending back attributes tunnel-type = VLAN, tunnel-medium-type = 802, and tunnel-pvt-group-id = 210. My XP supplicant has dot1x enabled and is authenticating through the switch and IAS.
    Using Ethereal I can see both the Radius request and accept packets. I can see that radius is sending the above attributes through ethereal as well. Using the Debug Radius command I can see that the attributes are getting to the switch. When I use the show VLAN command the switch port is still in VLAN 1. I want it to be in VLAN 210.
    I have upgraded the IOS in the 3550 switch. This fixed a previous problem of the switch not sending the NAS port type of Ethernet. It was sending a port type of Asynch.
    I also have service pack 2 on the Windows 2003 server.
    Has anyone else had this problem? If so, how do I fix it?
    Here is my debug code:
    06:56:45: RADIUS: Tunnel-Medium-Type [65] 6 00:ALL_802 [6]
    06:56:45: RADIUS: Tunnel-Private-Group[81] 5 "210"
    06:56:45: RADIUS: Tunnel-Type [64] 6 00:VLAN [13]
    Here is my switch code:
    aaa new-model
    aaa authentication login default group radius local
    aaa authentication dot1x default group radius local
    aaa session-id common
    interface FastEthernet0/1
    switchport mode access
    dot1x pae authenticator
    dot1x port-control auto
    radius-server host 10.1.1.254 auth-port 1645 acct-port 1646 key test
    radius-server deadtime 60

    You're missing this:
    aaa authorization network default group radius
    I assume "everything works" other than VLAN-Assignment itself.
    This should get you squared away,
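
A way to separate the two failure points in this thread, as an added example that is not part of the original posts: it parses the quoted `debug radius` lines for the three tunnel attributes and checks the quoted switch configuration for the `aaa authorization network` line the reply points to. The function names are hypothetical, and treating any `aaa authorization network` line as sufficient is an assumption.

```python
import re

# Inputs copied from the thread above (debug output and switch configuration).
DEBUG_LINES = '''06:56:45: RADIUS: Tunnel-Medium-Type [65] 6 00:ALL_802 [6]
06:56:45: RADIUS: Tunnel-Private-Group[81] 5 "210"
06:56:45: RADIUS: Tunnel-Type [64] 6 00:VLAN [13]
'''
SWITCH_CONFIG = '''aaa new-model
aaa authentication login default group radius local
aaa authentication dot1x default group radius local
aaa session-id common
interface FastEthernet0/1
switchport mode access
dot1x pae authenticator
dot1x port-control auto
radius-server host 10.1.1.254 auth-port 1645 acct-port 1646 key test
radius-server deadtime 60
'''

# "RADIUS: <name> [<type>] <len> <value>" as printed by 'debug radius'.
ATTR_RE = re.compile(
    r'RADIUS:\s+(?P<name>[\w-]+)\s*\[(?P<type>\d+)\]\s+(?P<len>\d+)\s+(?P<rest>.*)$')

def parse_debug(text):
    """Return {attribute_type: value} for the attribute lines in the debug text."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.search(line)
        if not m:
            continue
        rest = m.group("rest").strip()
        quoted = re.fullmatch(r'"(.*)"', rest)   # string attribute, e.g. "210"
        enum = re.search(r'\[(\d+)\]$', rest)    # enumerated, e.g. 00:VLAN [13]
        if quoted:
            value = quoted.group(1)
        elif enum:
            value = int(enum.group(1))
        else:
            value = rest
        attrs[int(m.group("type"))] = value
    return attrs

def vlan_assignment(attrs):
    """Check the three tunnel attributes; return (vlan_id or None, problems)."""
    problems = []
    if attrs.get(64) != 13:
        problems.append("Tunnel-Type [64] is not VLAN (13)")
    if attrs.get(65) != 6:
        problems.append("Tunnel-Medium-Type [65] is not 802 (6)")
    vlan = attrs.get(81)
    if not (isinstance(vlan, str) and vlan):
        problems.append("Tunnel-Private-Group-ID [81] missing")
        vlan = None
    return vlan, problems

def audit_config(config):
    """Flag dot1x authentication configured without network authorization."""
    lines = [l.strip() for l in config.splitlines()]
    has_dot1x = any(l.startswith("aaa authentication dot1x") for l in lines)
    # Assumption: any 'aaa authorization network' method list counts as present.
    has_authz = any(l.startswith("aaa authorization network") for l in lines)
    if has_dot1x and not has_authz:
        return ["missing: aaa authorization network default group radius"]
    return []

def diagnose(config, debug):
    """Say whether the RADIUS reply or the switch configuration is at fault."""
    vlan, problems = vlan_assignment(parse_debug(debug))
    if problems:
        return "radius-reply: " + "; ".join(problems)
    findings = audit_config(config)
    if findings:
        return f"switch-config: VLAN {vlan} received but not applied; {findings[0]}"
    return f"ok: VLAN {vlan} should be applied"

if __name__ == "__main__":
    print(diagnose(SWITCH_CONFIG, DEBUG_LINES))
```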

  • PPPoE circuit-id tag processing with NAS-port-ID feature in 7200VXR problem

    We faced the following problem when we configured both vendor-tag circuit-id service and radius-server attribute nas-port format d command in our 7200VXR.
    When finishing configuration we did a debug radius and received the "AAA Unsupported Attr: circuit-id-tag". Circuit-id-tag as you can see in the sniffer traces has a format of access-node-identifier atm slot/module/port/vpi/vci.
    However we never got this value as a NAS-Port-Id in our debug radius command. Instead we received in specific NAS-Port-Id the format Access-Node-Identifier eth slot/subslot/port:vlan tag (? I guess so).
    The above described situation occurs when we run 12.2(31)SB2 IOS version. However we received different (probably better) results when we run on the router 12.3(7)XI7a IOS version. In this latter case as you can see in the debug radius output log the NAS-Port-Id field is filled with the correct circuit-id-tag : 10.112.0.227 atm 1/6:8.35.
    Shall we try another configuration than the nas-port format d command for radius?
    Thanks in advance for any answer provided.
    Kind Regards
    Dimitris Elefsiniotis

    Hello,
    thank you for your prompt response.
    You can find additional information in the attached files (BRAS show tech/run, sniffer traces, debug radius commands in BRAS).
    We are talking about normal sessions and as you can easily track yourself the NAS-Port-Id is different than the circuit-id-tag inserted by access device (DSLAM) (IOS 12.2(31)SB2). However, the DHCP snooping is used in aggregation 7600 router and option 82 is set by DSLAM as well.

  • ISE MAB is not Triggered for Linux Host

    Hello,
    We have configured MAB for hosts that do not support 802.1x, and in general it is working for most of the devices. For some Linux machines, however, MAB is never triggered, i.e. "debug mab all" and "debug radius" commands do not produce any output for the port. "show authentication session interface" command shows the 802.1x fail over to MAB, and after it MAB process starts to run but stays in running state without finishing.
    If we put another MAB host as Windows 7 or XP or Printer, it works properly, passing the MAB Authentication and assigned Vlan. If we put the port as to the normal "switchport mode access" and "switchport access vlan x", the device shows up in the MAC address table of the switch, and starts to work.
    As additional steps we have configured "authentication mode open" and "dot1x control-direction in" in order to trigger or start the MAB Process allowing the packets out, but the "show interface " command the input packets counter remains 0, although output packet counters seem to increase continuously to 1000 and above.
    The IP Addresses are static, and it is a requirement, so dhcp may trigger MAB but this is not a choice currently.
    IP device tracking is enabled, but again this did not change anything
    Any recommendations or workarounds for this Problem? Although it seems an endpoint issue, that it never produces a single packet, there may be some solutions to trigger MAB or learn the switch the Mac address of the Linux host, i.e. keepalive. We are also looking at the host side,
    The port configuration is:
    switchport access vlan 98
    switchport mode access
    ip access-group ACL-ALLOW in
    authentication event fail action next-method
    authentication event server dead action reinitialize vlan 97
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication open
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    authentication violation restrict
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 10
    spanning-tree portfast
    Thanks in Advance,
    Best Regards,

    Hi Ravi,
    Since the linux is some kind of embedded linux, we could not get the tcp dump on the PC itself, but tried to see what is going on with a span of this port. What is interesting is that the machine does not produce even a single ethernet or IP packet and remains completely silent. (We thought dhcp would be solution but the configuration file only allows to statically assign IP address).
    What we think is that somehow the machine starts to send packets after receiving a packet like Wake on LAN or arp. As you see on the port configuration the machine starts in Vlan 98, so in this Vlan it is not possible to get this packet from any other hosts on the same IP subnet since the IP of the host is Vlan 6. But in order to ISE to assign this Vlan 6 to the port with MAB, Mac Address of the host needs to be authenticated, which is not occurring because of the silence problem.
    As a workaround to a similar problem, we changed the "switchport access vlan 98" to "switchport access vlan 6" and with this configuration the Mac address is learned and the host is authenticated by ISE and port is assigned to Vlan 6 dynamically which is observed on "show authentication session interface" command output. This is also not accepted because the access port configuration is required to be as standard as possible due to changing of the cabling frequently. So every MAB host should start with a PreAuthentication Vlan, and go to final Vlan after Authentication and authorization with Posture checking or profiling.
    As a second workaround these kind of machines are being worked on supporting dot1x, but this is a tedious process because often you need to escalate to the producer, and enhancement requests often prolong to be confirmed or denied.
    Since we meet this problem also with some Printers, we think this is a problem of the TCP/IP Stack of the Operating System of the host. We are searching if there can be some mechanism to be able to make the host start conversation with a packet through a keepalive or some other protocol (or a script)  that can be enabled.
    Best Regards,

  • Authentication host-mode

    Dears,
    I have a strange issue with dot1x: when I configured the port as multi-domain it is working if IP phone connected.
    If IP phone removed and PC connected directly to the switch port the PC can't work properly although it is authenticated, authorized and has the proper IP address.
    when i changed to single-host it is working properly.
    Thanks,
    Ibrahim

    Hello Ibrahim
    This is really a strange issue. However please review the few steps which are given below:
    Enable Multi-Auth host mode. Multi-Auth is essentially a superset of Multi-Domain Authentication
    (MDA). MDA only allows a single endpoint in the data domain. When multi-auth is configured, a single
    authenticated phone is allowed in the voice domain (as with MDA) but an unlimited number of data
    devices can be authenticated in the data domain.
    ! Allow voice + multiple endpoints on same physical access port
    authentication host-mode multi-auth
    • Ensure that the RADIUS probe is enabled in Cisco ISE.
    • Ensure that network access devices support an IOS sensor for collecting DHCP, CDP, and LLDP
      information.
    • Ensure that network access devices run the following CDP and LLDP commands to capture CDP
      and LLDP information from endpoints:
    cdp enable
    lldp run
    • Ensure that session accounting is enabled separately, by using the standard AAA and RADIUS
      commands.
    For example, use the following commands:
    aaa new-model
    aaa accounting dot1x default start-stop group radius
    radius-server host auth-port acct-port key
    radius-server vsa send accounting
    Thanks:
    Muhammad Munir

  • Authorization on PIX

    What's the correct way to configure authorization on PIX?
    By following the steps in:
    http://cco/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800949d6.shtml
    The PIX always hangs and has to be rebooted.

    The commands performed may be controlled locally on the PIX or remotely through TACACS+. RADIUS command authorization is not supported, this is a limitation of the RADIUS protocol. This is quoted from the same document you referred.

  • AP1242, WLSE & ACS

    I'm trying to configure a WLAN composed of AP1242's managed by a WLSE and authenticating via an ACS Appliance. At present I'm still testing so the ACS box is using its internal user database and I've generated a self signed and installed cert on it. I've exported the cert and installed on the clients but my problem is that I'm not getting authenticated and I think the weak link is the AP's.
    When I try and authenticate a client I get an authentication failed error on the AP and that's it, nothing on the ACS server at all. Using Ethereal I can't see any 1645 or 1812 UDP traffic between the AP and the ACS box (or any traffic at all for that matter) so it looks like the AP isn't even trying the ACS box. I've tried running debug aaa and radius commands on the AP but the only thing I see are AAA/BIND messages appearing every minute or so. I've even tried stopping the ACS services and trying again with the services stopped to try and raise an error.
    Any ideas would be very welcome!

    Which authentication / authorization scheme are you using?
    Are you using the Microsoft Zero Wireless Config system, or the client software (in addition to the client drivers)?
    Do you have a software firewall on the PC/Laptops? Try disabling it for diagnostics (make sure you shut down the service as well as the "front end" code).
    Have you verified that the client has associated?
    With the PC/Laptop on, try disabling and re-enabling the NIC (versus re-booting) and see if you get the auth traffic (on your Ethereal capture).
    Check it out & let us know.
    Scott

  • V10 does not PRINT at all....

    I just want to scream, really.....
    I'm in the process of creating new components in Ultiboard and need to verify that sizing and orientation. I did the usual by selecting all the mech layers, drill layer, and the top silk, when I click preview, the image looks exactly as it should.....I hit print, it send the data to my printer.....and what comes out is a nice clean white sheet of paper.......thats it.....nothing else.
    I try several times...no dice
    I try to add every single layer.....still nice virgin white sheet of paper comes out.
    I immediately run a "print test page" from windows xp....it comes out exactly as Microsoft coded it.....nothing wrong with the printer.
    Try to do a direct print from the icon ribbon....still same output.......NOTHING.
    I would classify this as a critical to severe error.
    Anyone seeing this?
    Chris
    Signature: Looking for a footprint, component, model? Might be here > http://ni.kittmaster.com

    I export as .DXF format files and open and print them from my CAD software, so I never had occasion to try a direct print.  So, as an experiment, I did an electronic print of the silkscreen layer on a small board design of mine, using Acrobat's PDF printer.  I got a result, but noticed it took a long, long time.  It was also missing the arcs I have in the outline of a selector switch.  Not cool. 
    I will speculate the lengthy generating time results from something I noticed with the .DXF format files.  That is, arcs are piece-wise approximations made up of line segments, while solids, including round pads, are clusters of filled polygons.  Normally, .DXF, as currently exported from a number of CAD programs, makes arcs and circles by employing center point location and radius commands, and will fill a defined closed circle.  That the exported board files are not done this way clutters the result with large numbers of little elements, making them large for their content and slow to render in CAD software.  It is an area where a little sophistication would go a long way toward improving the portability of the output.
    It may be that your printer is having trouble with the bulk of the clutter?  If it has a driver that doesn't play nicely with the spooler, that could also explain it?
    As to checking dimensions, I would use the tools in Ultiboard.  Set the working layer to silkscreen and use the Place|Dimensions command.  Just don't set the dimension down on the layout after you have it; cancel it instead.  Otherwise, you can place the dimension, then use Undo to get rid of it.  I have had no problems with the accuracy of the sizes being as dimensioned.  I have, however, seen printers that are a bit off when it comes to keeping X and Y well matched, so I consider them a less reliable check of dimensions.  Incidentally, to do this, you will probably want to right click in the board window with nothing selected, then pick Properties from the flyout menu.  Click on the Grid & units tab and set the visible grid and also the component, copper, and via grid steps to a small size, like 0.001" or even 0.0005" to make it easier to zoom in and pick out small dimensional differences.
    Message Edited by Unclenick on 08-08-2007 07:30 PM
