Radius communication
Hi all,
I have two 3750s, one is connected to the radius server (ACS), and the other is connected to clients. There's a trunk connection between the two switches.
By the way, radius works fine. However, my problem is that the switch that is connected to clients must relay the 802.3 encapsulated EAPOL frames to the switch at the end of the trunk, and that switch must forward those frames encapsulated in radius format.
When a client initiates authentication by sending EAPOL frames with a multicast L2 address, the trunk does not appear to be forwarding the frames over the trunk link.
To summarize: how am I supposed to implement wired 802.1x authentication with a radius server connected multiple switches away?
Thanks in advance.
If the switch to which the hosts are connected is configured as the AAA Client (Authenticator), this switch communicates with the RADIUS server via RADIUS packets, not EAPOL.
EAPOL is used between the host and the Authenticator.
Configure the switch that the hosts are connected to as the AAA Client (Authenticator).
Similar Messages
-
ISE 1.2 rejects RADIUS messages from vWLC
Hello,
I have an ISE appliance with the Wireless license. The Cisco vWLC is configured to send Radius traffic to the device, but is getting the error message:
11054 Request from a non-wireless device was dropped due to installed Wireless license
The vWLC is showing up under endpoints as a VMWARE workstation, and not a WLC, and so under the licensing requirements will not allow RADIUS to be received from anything other than a WLC. I tried hard-coding the policy to match a Cisco WLC with a condition of matching its MAC address, and even disabled the VMWARE profile policy, but the endpoint then only matches the "Unknown" policy. Any ideas?
Check the Cisco ISE dashboard (Operations > Authentications) for any indication regarding the nature of RADIUS communication loss. (Look for instances of your specified RADIUS usernames and scan the system messages that are associated with any error message entries.)
Log into the Cisco ISE CLI and enter the following command to produce RADIUS attribute output that may aid in debugging connection issues:
test aaa group radius new-code
If this test command is successful, you should see the following attributes:
Connect port
Connect NAD IP address
Connect Policy Service ISE node IP address
Correct server key
Recognized username or password
Connectivity between the NAD and Policy Service ISE node
You can also use this command to help narrow the focus of the potential problem with RADIUS communication by deliberately specifying incorrect parameter values in the command line and then returning to the administrator dashboard (Operations > Authentications) to view the type and frequency of error message entries that result from the incorrect command line. For example, to test whether or not user credentials may be the source of the problem, enter a username and or password that you know is incorrect, and then go look for error message entries that are pertinent to that username in the Operations > Authentications page to see what Cisco ISE is reporting.
Note: This command does not validate whether or not the NAD is configured to use RADIUS, nor does it verify whether the NAD is configured to use the new AAA model.
-
Cisco ise 1.1.4 no open radius port
Hi,
I have a big issue with my ISE appliance configured with the latest version, which is 1.1.4.
I have configured one network device but it doesn't want to communicate with ISE. The RADIUS communication doesn't work.
In fact, when we do "sh ports" on the ISE we see that the RADIUS ports are not open.
I have already installed an ISE appliance with 1.1.3 and it works.
Any idea? Please.
Thanks in advance.
Hi,
Can you post the output of your show ports? Also, is this in a distributed setup or is this a standalone node?
here are the port information on my psn -
udp: 10.250.250.183:58626, 10.250.250.183:1812, 10.250.250.183:1813, 10.250.250.183:1700, 0.0.0.0:60599, 10.250.250.183:3799, 10.250.250.183:1645, 10.250.250.183:1646,
From my admin node -
10.250.250.185:1700, 10.250.250.185:3799, 10.250.250.185:64217, 0.0.0.0:20057, 0.0.0.0:50140
If this is a standalone node, can you go to the deployment section and make sure that all checkboxes are selected, in particular the third box "Policy Service"
Tarik Admani
*Please rate helpful posts*
-
ISE acting as Radius Proxy Client?
Hi,
I have an issue where a remote company has their internal RADIUS server and I have my ISE RADIUS server.
When their users come to my site, they can authenticate with my wireless and my ISE server proxies the request to their home site to be authenticated and tells me if I should allow them access or not.
So standard RADIUS proxy, and it all works well when my ISE server begins the exchange.
However, if my staff go to their site the reverse is not working; they are proxying the requests back OK, and I can see on the firewall and router the incoming RADIUS packets destined to my ISE server. But there is no record on the ISE server of ever receiving them and it all times out.
Is there something I need to do to allow ISE to act as the client in a RADIUS proxy setup?
Cheers.
Oh, I am running version 1.2.
Hi Aaron,
Check the Cisco ISE dashboard (Operations > Authentications) for any indication regarding the nature of RADIUS communication loss. (Look for instances of your specified RADIUS usernames and scan the system messages that are associated with any error message entries.)
Log into the Cisco ISE CLI and enter the following command to produce RADIUS attribute output that may aid in debugging connection issues:
test aaa group radius new-code
If this test command is successful, you should see the following attributes:
Connect port
Connect NAD IP address
Connect Policy Service node IP address
Correct server key
Recognized username or password
Connectivity between the NAD and Policy Service node
You can also use this command to help narrow the focus of the potential problem with RADIUS communication by deliberately specifying incorrect parameter values in the command line and then returning to the administrator dashboard (Operations > Authentications) to view the type and frequency of error message entries that result from the incorrect command line. For example, to test whether or not user credentials may be the source of the problem, enter a username and or password that you know is incorrect, and then go look for error message entries that are pertinent to that username in the Operations > Authentications page to see what Cisco ISE is reporting.
Note This command does not validate whether or not the NAD is configured to use RADIUS, nor does it verify whether the NAD is configured to use the new AAA model.
The Cisco ISE network enforcement device (switch) is missing the radius-server vsa send accounting command.
Verify that the switch RADIUS configuration for this device is correct and features the appropriate command(s).
For more details please go through the following link:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/troubleshooting_guide/ise_tsg.html#pgfId-192989
-
ISE 1.2 With WLC and AD
Hi everyone,
What are the steps and procedure to implement wired and wireless authentication with ISE, WLC and AD for a lab environment? Currently the following are done:
The wireless network is configured with 2 SSID (Staff and Guest)
Active Directory, DNS, DHCP, and NTP configured & synced.
ISE and AD running on C220 VMs, and WLC is 5760 Appliance.
Please provide your thoughts and assistance.
Regards
You have to implement dot1x and RADIUS between your NAD and ISE device.
Using the 3850 switch, these are the steps:
username RADIUS-HEALTH password radiusKey1 privilege 15
aaa new-model
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
!this password will be used to communicate with ISE and to verify reachability
!between ISE and Switch
aaa server radius dynamic-author
client 172.16.1.18 server-key 7 radiuskey
client 172.16.1.20 server-key 7 radiuskey
ip domain-name lab.local
ip name-server 172.16.1.1
dot1x system-auth-control
interface GigabitEthernet1/0/3
switchport mode access
switchport voice vlan 50
switchport access vlan 10
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
ip access-list extended ACL-ALLOW
permit ip any any
!the comm between radius and ise will occur on these Port
ip radius source-interface Vlan100
logging origin-id ip
logging source-interface Vlan100
logging host 172.16.1.20 transport udp port 20514
logging host 172.16.1.18 transport udp port 20514
snmp-server community ciscoro RO
snmp-server community public RO
snmp-server trap-source Vlan100
snmp-server source-interface informs Vlan100
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
radius-server vsa send accounting
radius-server vsa send authentication
!defining ISE servers
radius server ISE-RADIUS-1
address ipv4 172.16.1.20 auth-port 1812 acct-port 1813
automate-tester username RADIUS-HEALTH idle-time 15
key radiusKey
Please be sure that NTP servers and time are synchronized.
Enable dot1x on the Windows machine, or use Cisco NAM.
You can enable debugging on aaa authentication to see the events.
You have to create this user on ISE (RADIUS-HEALTH).
3850#test aaa group radius username password new-code
and observe the result. The user is supposed to be authenticated successfully.
You must also define these devices in ISE on the RADIUS interface.
ip radius source-interface ..... use this interface's IP address to define the IP address of the NAD device in ISE.
administration-->network resources-->Network Devices-->Add
Input the name.
Input the IP address for RADIUS communication.
Select the authentication settings and fill in the corresponding shared secret RADIUS key.
Select SNMP settings and select version 2c.
snmp community : ciscoro
You can customize the polling interval if you want, and that's all.
You should then see message communication between your NAD and ISE.
After that you can do the procedure for the WLC device.
I will fill it in after you have passed the first steps (3850 authentication).
-
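Added example, not code from this thread: a small Python checker that reads an IOS running-config and reports which global and per-port commands from the 3850 procedure above are absent (including the radius-server vsa send accounting command that the ISE troubleshooting note earlier on this page calls out), and warns where authentication open leaves a port in monitor mode. The sample config is constructed from the procedure, indented as show running-config prints it, with one command deliberately omitted; the key value is a placeholder.

```python
"""Constructed linter for the dot1x/RADIUS switch commands used in the 3850 procedure above."""

# Global commands the procedure depends on. 'radius-server vsa send accounting' is the one the
# ISE troubleshooting note in the thread above singles out as commonly missing.
REQUIRED_GLOBAL = [
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    "aaa authorization network default group radius",
    "aaa accounting dot1x default start-stop group radius",
    "dot1x system-auth-control",
    "radius-server vsa send accounting",
    "radius-server vsa send authentication",
]
# Per-access-port commands without which the port never challenges the client.
REQUIRED_PORT = ["authentication port-control auto", "dot1x pae authenticator"]
BLOCK_PREFIXES = ("interface ", "radius server ")


def parse_config(text):
    """Split an IOS running-config into global lines and indented sub-mode blocks.
    Assumes real 'show running-config' output, where sub-mode lines are indented by one space."""
    global_lines, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(BLOCK_PREFIXES):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None
            global_lines.append(raw.strip())
    return global_lines, blocks


def check_config(text):
    """Return (severity, detail) findings for absent or enforcement-weakening commands."""
    global_lines, blocks = parse_config(text)
    findings = [("missing", cmd) for cmd in REQUIRED_GLOBAL if cmd not in global_lines]
    for name, lines in blocks.items():
        if name.startswith("radius server"):
            if not any(line.startswith("key ") for line in lines):
                findings.append(("missing", f"{name}: key"))
            continue
        if "switchport mode access" not in lines:
            continue  # trunks and uplinks are out of scope for port authentication
        for cmd in REQUIRED_PORT:
            if cmd not in lines:
                findings.append(("missing", f"{name}: {cmd}"))
        if "authentication open" in lines:
            findings.append(("warning", f"{name}: 'authentication open' lets traffic through before "
                                        "authentication (monitor mode); pair it with a restrictive "
                                        "pre-auth ACL or remove it once enforcement is wanted"))
    return findings


# Constructed sample modelled on the 3850 config above, indented as IOS prints it, with
# 'radius-server vsa send accounting' deliberately left out and a placeholder key.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
interface GigabitEthernet1/0/3
 switchport mode access
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
interface GigabitEthernet1/0/48
 switchport mode trunk
radius-server vsa send authentication
radius server ISE-RADIUS-1
 address ipv4 172.16.1.20 auth-port 1812 acct-port 1813
 key CONSTRUCTED-KEY
"""

if __name__ == "__main__":
    for severity, detail in check_config(SAMPLE_CONFIG):
        print(f"{severity:8} {detail}")
```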
802.1x authentication fail when trying to implement 802.11N
Hello, I'm trying to deploy 802.11N along with 802.1X and IAS.
The controller communicates with the RADIUS server (IAS), which lives on an ESX host along with the domain controller. Somehow users are not able to authenticate.
WLC: AIR-CT550 - IP 10.152.36.5
IAS: 10.204.34.35
Domain controller: 10.204.35.149
Testing client MAC: 24:77:03:dc:c6:10
Check these logs:
*Jan 29 19:11:45.816: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Jan 29 19:11:45.842: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Jan 29 19:11:45.844: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Jan 29 19:11:50.691: 24:77:03:dc:c6:10 apfMsExpireCallback (apf_ms.c:418) Expiring Mobile!
*Jan 29 19:11:50.692: 24:77:03:dc:c6:10 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [0c:27:24:4e:62:10]
*Jan 29 19:11:50.692: 24:77:03:dc:c6:10 Deleting mobile on AP 0c:27:24:4e:62:10(0)
*Jan 29 19:11:51.727: 24:77:03:dc:c6:10 Adding mobile on LWAPP AP 50:17:ff:df:08:70(1)
*Jan 29 19:11:51.727: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station: (callerId: 23) in 5 seconds
*Jan 29 19:11:51.727: 24:77:03:dc:c6:10 apfProcessProbeReq (apf_80211.c:4722) Changing state for mobile 24:77:03:dc:c6:10 on AP 50:17:ff:df:08:70 from Idle to Probe
*Jan 29 19:11:51.729: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Jan 29 19:11:51.742: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Jan 29 19:11:51.743: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Jan 29 19:11:51.758: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Jan 29 19:11:51.758: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Jan 29 19:11:51.773: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Jan 29 19:11:51.774: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Jan 29 19:11:51.943: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Jan 29 19:11:51.945: 24:77:03:dc:c6:10 Association received from mobile on AP 50:17:ff:de:45:90
*Jan 29 19:11:51.945: 24:77:03:dc:c6:10 Applying site-specific IPv6 override for station 24:77:03:dc:c6:10 - vapId 3, site 'default-group', interface 'enterprise wireless 3rd floor'
*Jan 29 19:11:51.945: 24:77:03:dc:c6:10 Applying IPv6 Interface Policy for station 24:77:03:dc:c6:10 - vlan 603, interface id 11, interface 'enterprise wireless 3rd floor'
*Jan 29 19:11:51.945: 24:77:03:dc:c6:10 STA - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
*Jan 29 19:11:51.945: 24:77:03:dc:c6:10 Processing RSN IE type 48, length 22 for mobile 24:77:03:dc:c6:10
*Jan 29 19:11:51.945: 24:77:03:dc:c6:10 Received RSN IE with 0 PMKIDs from mobile 24:77:03:dc:c6:10
*Jan 29 19:11:51.945: 24:77:03:dc:c6:10 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [50:17:ff:df:08:70]
*Jan 29 19:11:51.945: 24:77:03:dc:c6:10 Updated location for station old AP 50:17:ff:df:08:70-1, new AP 50:17:ff:de:45:90-1
*Jan 29 19:11:51.945: 24:77:03:dc:c6:10 0.0.0.0 START (0) Initializing policy
*Jan 29 19:11:51.945: 24:77:03:dc:c6:10 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
*Jan 29 19:11:51.945: 24:77:03:dc:c6:10 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
*Jan 29 19:11:51.945: 24:77:03:dc:c6:10 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 50:17:ff:de:45:90 vapId 3 apVapId 3
*Jan 29 19:11:51.945: 24:77:03:dc:c6:10 apfPemAddUser2 (apf_policy.c:213) Changing state for mobile 24:77:03:dc:c6:10 on AP 50:17:ff:de:45:90 from Probe to Associated
*Jan 29 19:11:51.945: 24:77:03:dc:c6:10 Stopping deletion of Mobile Station: (callerId: 48)
*Jan 29 19:11:51.945: 24:77:03:dc:c6:10 Sending Assoc Response to station on BSSID 50:17:ff:de:45:90 (status 0) Vap Id 3 Slot 1
*Jan 29 19:11:51.945: 24:77:03:dc:c6:10 apfProcessAssocReq (apf_80211.c:4389) Changing state for mobile 24:77:03:dc:c6:10 on AP 50:17:ff:de:45:90 from Associated to Associated
*Jan 29 19:11:51.947: 24:77:03:dc:c6:10 Station 24:77:03:dc:c6:10 setting dot1x reauth timeout = 0
*Jan 29 19:11:51.947: 24:77:03:dc:c6:10 Stopping reauth timeout for 24:77:03:dc:c6:10
*Jan 29 19:11:51.947: 24:77:03:dc:c6:10 dot1x - moving mobile 24:77:03:dc:c6:10 into Connecting state
*Jan 29 19:11:51.947: 24:77:03:dc:c6:10 Sending EAP-Request/Identity to mobile 24:77:03:dc:c6:10 (EAP Id 1)
*Jan 29 19:11:51.974: 24:77:03:dc:c6:10 Received EAPOL START from mobile 24:77:03:dc:c6:10
*Jan 29 19:11:51.974: 24:77:03:dc:c6:10 dot1x - moving mobile 24:77:03:dc:c6:10 into Connecting state
*Jan 29 19:11:51.974: 24:77:03:dc:c6:10 Sending EAP-Request/Identity to mobile 24:77:03:dc:c6:10 (EAP Id 2)
*Jan 29 19:11:52.006: 24:77:03:dc:c6:10 Received EAPOL EAPPKT from mobile 24:77:03:dc:c6:10
*Jan 29 19:11:52.006: 24:77:03:dc:c6:10 Received EAP Response packet with mismatching id (currentid=2, eapid=1) from mobile 24:77:03:dc:c6:10
*Jan 29 19:11:52.030: 24:77:03:dc:c6:10 Received EAPOL EAPPKT from mobile 24:77:03:dc:c6:10
*Jan 29 19:11:52.030: 24:77:03:dc:c6:10 Username entry (NA\a-Gregg.Davis) created for mobile
*Jan 29 19:11:52.030: 24:77:03:dc:c6:10 Received Identity Response (count=2) from mobile 24:77:03:dc:c6:10
*Jan 29 19:11:52.030: 24:77:03:dc:c6:10 EAP State update from Connecting to Authenticating for mobile 24:77:03:dc:c6:10
*Jan 29 19:11:52.030: 24:77:03:dc:c6:10 dot1x - moving mobile 24:77:03:dc:c6:10 into Authenticating state
*Jan 29 19:11:52.030: 24:77:03:dc:c6:10 Entering Backend Auth Response state for mobile 24:77:03:dc:c6:10
*Jan 29 19:11:52.031: apfVapRadiusInfoGet: WLAN(3) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
*Jan 29 19:11:52.031: 24:77:03:dc:c6:10 Successful transmission of Authentication Packet (id 62) to 10.204.34.35:1812, proxy state 24:77:03:dc:c6:10-00:00
*Jan 29 19:11:52.051: ****Enter processIncomingMessages: response code=11
*Jan 29 19:11:52.051: Received a RADIUS message from unknown server 10.204.35.149 port 1812
*Jan 29 19:11:54.032: 24:77:03:dc:c6:10 Successful transmission of Authentication Packet (id 62) to 10.204.34.35:1812, proxy state 24:77:03:dc:c6:10-00:00
*Jan 29 19:11:54.049: ****Enter processIncomingMessages: response code=11
*Jan 29 19:11:54.049: Received a RADIUS message from unknown server 10.204.35.149 port 1812
*Jan 29 19:11:56.032: 24:77:03:dc:c6:10 Successful transmission of Authentication Packet (id 62) to 10.204.34.35:1812, proxy state 24:77:03:dc:c6:10-00:00
*Jan 29 19:11:56.048: ****Enter processIncomingMessages: response code=11
*Jan 29 19:11:56.048: Received a RADIUS message from unknown server 10.204.35.149 port 1812
Any idea of what could be the problem?
Thanks.
Hi Francisco,
*Jan 29 19:11:52.031: 24:77:03:dc:c6:10 Successful transmission of Authentication Packet (id 62) to 10.204.34.35:1812, proxy state 24:77:03:dc:c6:10-00:00
*Jan 29 19:11:52.051: ****Enter processIncomingMessages: response code=11
*Jan 29 19:11:52.051: Received a RADIUS message from unknown server 10.204.35.149 port 1812
*Jan 29 19:11:54.032: 24:77:03:dc:c6:10 Successful transmission of Authentication Packet (id 62) to 10.204.34.35:1812, proxy state 24:77:03:dc:c6:10-00:00
*Jan 29 19:11:54.049: ****Enter processIncomingMessages: response code=11
*Jan 29 19:11:54.049: Received a RADIUS message from unknown server 10.204.35.149 port 1812
These messages indicate there is some issue with RADIUS communication. Looks like the WLC sends RADIUS packets to IAS, but it does not get any response. Instead it is getting a RADIUS response from the DC.
Pls check this communication
HTH
Rasika
**** Pls rate all useful responses *****
-
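As an added illustration (not code from this thread or from Cisco), the exchange discussed above modelled in Python: the NAS builds an Access-Request, the server answers with a Response Authenticator computed over the shared secret, and the NAS applies the checks behind the WLC's "unknown server" and "mismatching id" messages and the "correct server key" item in the ISE test command output earlier on this page. The IAS and DC addresses are the ones in the post; the shared secret, user and password are constructed.

```python
"""Constructed NAS <-> RADIUS server exchange with the RFC 2865 authenticator checks."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte length incl. header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    p = password.encode()
    if len(p) % 16 or not p:
        p += b"\x00" * (16 - len(p) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(p), 16):
        block = bytes(x ^ y for x, y in zip(p[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def build(code, ident, authenticator, body):
    """Header is Code(1) | Identifier(1) | Length(2) | Authenticator(16), then the attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def response_authenticator(code, ident, body, request_auth, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

class RadiusServer:
    """Minimal PAP server: one shared secret and a username -> password dict."""
    def __init__(self, secret, users):
        self.secret, self.users = secret, users

    def handle(self, pkt):
        code, ident, _ = struct.unpack("!BBH", pkt[:4])
        request_auth, body, attrs, pos = pkt[4:20], pkt[20:], {}, 0
        while pos + 2 <= len(body) and body[pos + 1] >= 2:  # stop on a malformed TLV
            attrs[body[pos]] = body[pos + 2:pos + body[pos + 1]]
            pos += body[pos + 1]
        user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
        # Re-hide the stored password under the same Request Authenticator and compare.
        ok = user in self.users and hmac.compare_digest(
            hide_password(self.users[user], self.secret, request_auth), attrs.get(ATTR_USER_PASSWORD, b""))
        reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
        return build(reply, ident, response_authenticator(reply, ident, b"", request_auth, self.secret), b"")

class Nas:
    """Authenticator side: remembers outstanding request IDs and validates every reply."""
    def __init__(self, servers):
        self.servers = servers  # {server_ip: shared_secret}: the NAS's configured RADIUS servers
        self.pending = {}       # identifier -> Request Authenticator of the outstanding request

    def access_request(self, ident, username, password, server_ip):
        request_auth = os.urandom(16)
        self.pending[ident] = request_auth
        body = encode_attrs([(ATTR_USER_NAME, username.encode()),
                             (ATTR_USER_PASSWORD, hide_password(password, self.servers[server_ip], request_auth))])
        return build(ACCESS_REQUEST, ident, request_auth, body)

    def validate_reply(self, src_ip, pkt):
        """The checks behind the WLC debug lines above: unknown server, mismatching id, bad key."""
        if src_ip not in self.servers:
            return "unknown server"
        code, ident, length = struct.unpack("!BBH", pkt[:4])
        if length < 20 or length != len(pkt):
            return "bad length"
        if ident not in self.pending:
            return "mismatching id"
        expected = response_authenticator(code, ident, pkt[20:], self.pending[ident], self.servers[src_ip])
        if not hmac.compare_digest(expected, pkt[4:20]):
            return "bad response authenticator (shared secret mismatch?)"
        del self.pending[ident]
        return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "unexpected code")

def scenarios():
    """Replay the thread's situation: IAS and DC addresses from the post, a made-up secret and user."""
    ias_ip, dc_ip, secret = "10.204.34.35", "10.204.35.149", b"constructed-secret"
    nas, ias = Nas({ias_ip: secret}), RadiusServer(secret, {"alice": "pw123"})
    results = {}
    reply = ias.handle(nas.access_request(62, "alice", "pw123", ias_ip))
    results["good"] = nas.validate_reply(ias_ip, reply)
    results["replayed"] = nas.validate_reply(ias_ip, reply)  # id 62 is no longer outstanding
    results["bad_password"] = nas.validate_reply(ias_ip, ias.handle(nas.access_request(63, "alice", "nope", ias_ip)))
    results["from_dc"] = nas.validate_reply(dc_ip, ias.handle(nas.access_request(64, "alice", "pw123", ias_ip)))
    other = RadiusServer(b"other-secret", {"alice": "pw123"})  # same user, different shared secret
    results["wrong_secret"] = nas.validate_reply(ias_ip, other.handle(nas.access_request(65, "alice", "pw123", ias_ip)))
    return results
```

The "from_dc" case is the situation in the debug output: a reply from an address that is not a configured server is dropped before its contents are even examined, so the request keeps retransmitting until it times out.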
Hi All,
Just wanted to know if the small business WAP 4410N access point can work with a UC520 router? I presently use the 521 models but will want to use another model/type.
> Do you have any idea? Could there be any software issues on the WAP?
Just a blind shot... MTU changed after the pfSense upgrade? Or the NF (not fragment) bit changed on the interface?
I recommend making a packet capture of the RADIUS communication on pfSense (WAP4410N side) and on the RADIUS server as well.
What about logs from the RADIUS server?
-
Where is radius/tacacs communication taking place
hello,
If I am logging in to a domain, and my domain is configured for authentication to an ACS, where is the radius/tacacs communication taking place?
- is it from client to ACS
- or is it from domain to ACS
Depending on what device you are authenticating against - normally it would be client->Device->ACS->Domain
HTH
-
Hi Community,
I have a challenge with 2 Oracle servers, located in the "internal" and "DMZ" network segments respectively.
The Oracle server on the internal network can communicate with the one in the DMZ, but the one in the DMZ can NOT talk to the one on the internal network.
The customer wants the architecture to enable realtime data updates on the Oracle in DMZ.
My config is as follows: I need help.
ciscoasa# wr t
: Saved
ASA Version 8.4(3)
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.1.184.131 Proxy_Server
name 192.168.10.1 Internet_Router
name 10.1.184.122 Mail_Server
name 10.1.184.116 Mail_Server_2
name 10.1.184.121 Mail_Server_3
dns-guard
interface GigabitEthernet0/0
nameif Inside
security-level 100
ip address 10.1.184.1 255.255.248.0 standby 10.1.184.254
interface GigabitEthernet0/1
description LAN/STATE Failover Interface
interface GigabitEthernet0/2
nameif DMZ
security-level 50
ip address 192.168.30.1 255.255.255.0 standby 192.168.30.2
interface GigabitEthernet0/3
nameif Outside
security-level 0
ip address 192.168.10.2 255.255.255.0 standby 192.168.10.20
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone GMT 1
dns server-group DefaultDNS
domain-name default.domain.invalid
object network Proxy_Server
host 10.1.184.131
object network Mail_Server
host 10.1.184.122
object network Internet_Router
host 192.168.10.1
description Created during name migration
object network Mail_Server_2
host 10.1.184.116
description Created during name migration
object network Mail_Server_3
host 10.1.184.121
description Created during name migration
object network WebServer1
host 192.168.30.3
object network InternalNetwork
subnet 10.1.184.0 255.55.248.0
object network DMZ-IdentityPool
range 192.168.30.30 192.168.30.254
object network WebServer2
host 192.168.30.4
object network obj-remote
subnet 192.168.0.0 255.255.255.0
object network obj-DMZ
subnet 192.16.30.0 255.255.255.0
object network DatabaseServer
host 10.1.184.134
object network AppServer
host 10.1.184.126
object network MailServer
host 10.1.184.116
access-list Inside_access_in extended permit ip object Proxy_Server any
access-list Inside_access_in extended permit ip host 10.1.184.190 any
access-list Inside_access_in extended permit ip host 10.1.184.83 any
access-list Inside_access_in extended permit icmp host 10.1.184.190 any
access-list Inside_access_in extended permit ip host 10.1.184.67 any inactive
access-list Inside_access_in extended permit ip host 10.1.184.83 object Internet_Router
access-list Inside_access_in extended permit ip host 10.1.184.190 object Internet_Router
access-list Inside_access_in extended permit udp any any
access-list Inside_access_in extended permit icmp any any
access-list Inside_access_in extended permit ip object Mail_Server any
access-list Inside_access_in extended permit tcp object Mail_Server any eq smtp
access-list Inside_access_in extended permit ip object Mail_Server_2 any
access-list Inside_access_in extended permit tcp object Mail_Server_2 any eq smtp
access-list Inside_access_in extended deny tcp any any eq smtp
access-list Inside_access_in extended permit icmp host 10.1.184.43 any
access-list Inside_access_in extended permit ip object Mail_Server_3 any
access-list Inside_access_in extended permit tcp object Mail_Server_3 any eq smtp
access-list Inside_access_in extended permit ip host 10.1.184.190 host 192.168.30.3
access-list Inside_access_in extended permit tcp object InternalNetwork host 192.168.30.3 eq www
access-list Inside_access_in extended permit ip host 10.1.184.137 host 10.1.184.133
access-list Inside_access_in extended permit ip host 10.1.184.62 host 10.1.184.133
access-list Inside_access_in extended permit ip host 10.1.184.117 any
access-list Inside_access_in extended permit ip host 10.1.184.117 object Internet_Router
access-list Inside_access_in extended permit ip host 10.1.184.129 any
access-list Inside_access_in extended permit ip host 10.1.184.129 object Internet_Router
access-list Inside_access_in extended permit ip host 10.1.184.150 host 10.1.184.133
access-list Inside_access_in extended permit ip host 10.1.184.150 any
access-list Inside_access_in extended permit ip host 10.1.184.190 host 192.168.30.4
access-list Inside_access_in extended permit tcp object InternalNetwork host 192.168.30.4 eq www
access-list Inside_access_in extended permit tcp host 10.1.184.134 host 192.168.30.4 eq sqlnet
access-list Outside_access_in extended permit udp any eq domain object Proxy_Server
access-list Outside_access_in extended permit icmp object Internet_Router any
access-list Outside_access_in extended permit icmp any host 10.1.184.190
access-list Outside_access_in extended permit icmp any host 10.1.184.83 inactive
access-list Outside_access_in extended permit tcp any object Proxy_Server eq https
access-list Outside_access_in extended permit tcp any object Proxy_Server eq www
access-list Outside_access_in extended permit tcp any object Mail_Server eq smtp inactive
access-list Outside_access_in extended permit tcp any object Mail_Server_2 eq pop3
access-list Outside_access_in extended permit udp any eq domain object Mail_Server_2
access-list Outside_access_in extended permit tcp any object Mail_Server eq imap4 inactive
access-list Outside_access_in extended permit icmp any object Mail_Server inactive
access-list Outside_access_in extended permit tcp any object Mail_Server_2 eq smtp
access-list Outside_access_in extended permit tcp any object Mail_Server_2 eq imap4
access-list Outside_access_in extended permit icmp any object Mail_Server_2
access-list Outside_access_in extended permit icmp any host 10.1.184.43
access-list Outside_access_in extended permit tcp any host 192.168.30.3 eq www
access-list Outside_access_in extended permit tcp any host 192.168.30.3 eq https
access-list Outside_access_in extended permit icmp any host 192.168.30.3
access-list Outside_access_in extended permit icmp any any echo-reply
access-list Outside_access_in extended permit icmp any host 192.168.30.3 echo
access-list Outside_access_in extended permit tcp any host 192.168.30.4 eq www
access-list Outside_access_in extended permit tcp any host 192.168.30.4 eq https
access-list Outside_access_in extended permit icmp any host 192.168.30.4 echo
access-list Outside_access_in extended permit icmp any host 192.168.30.4
access-list branchgroup-SplitACL standard permit 10.0.0.0 255.0.0.0
access-list branchgroup-SplitACL standard permit 192.168.30.0 255.255.255.0
access-list DMZ_access_in extended permit tcp host 192.168.30.4 host 192.168.30.116 eq smtp
access-list DMZ_access_in extended permit icmp host 192.168.30.4 any
access-list DMZ_access_in extended permit ip host 192.168.30.4 host 192.168.30.134
access-list DMZ_access_in extended permit tcp host 192.168.30.4 host 192.168.30.134 eq sqlnet
pager lines 24
logging enable
logging timestamp
logging standby
logging emblem
logging list InformationalLog level informational
logging list InformationalLog message 101001
logging buffer-size 16384
logging console notifications
logging monitor errors
logging buffered critical
logging trap errors
logging asdm critical
logging mail informational
logging host Inside 10.1.184.132
logging host Inside 10.1.184.190 6/1470
logging debug-trace
logging ftp-server 10.1.184.190 \\marinasec\akanoa akanoa *****
logging permit-hostdown
logging class auth buffered emergencies trap emergencies
logging class bridge buffered emergencies trap emergencies
logging class config buffered alerts trap emergencies
logging class ip buffered emergencies trap alerts
logging class sys trap alerts
logging class ca trap emergencies
logging class email buffered emergencies trap errors
mtu Inside 1500
mtu DMZ 1500
mtu Outside 1500
mtu management 1500
ip local pool remoteusers 192.168.0.1-192.168.0.254
failover
failover lan unit secondary
failover lan interface stateful_failover GigabitEthernet0/1
failover replication http
failover link stateful_failover GigabitEthernet0/1
failover interface ip stateful_failover 192.168.20.1 255.255.255.252 standby 192.168.20.2
no monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Inside
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
nat (DMZ,Outside) source static obj-DMZ obj-DMZ destination static obj-remote obj-remote
nat (Inside,Outside) source static InternalNetwork InternalNetwork destination static obj-remote obj-remote
object network Mail_Server
nat (Inside,Outside) static Mail_Server no-proxy-arp route-lookup
object network WebServer1
nat (DMZ,Outside) static 192.168.30.3 dns
object network WebServer2
nat (DMZ,Outside) static 192.168.30.4 dns
object network DatabaseServer
nat (Inside,DMZ) static 192.168.30.134
object network AppServer
nat (Inside,DMZ) static 192.168.30.126
object network MailServer
nat (Inside,DMZ) static 192.168.30.116
access-group Inside_access_in in interface Inside
access-group DMZ_access_in in interface DMZ
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 Internet_Router 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server vpn protocol radius
aaa-server vpn (Inside) host 10.1.184.119
key *****
aaa-server vpn (Inside) host 10.1.184.120
key *****
user-identity default-domain LOCAL
http server enable
http 10.1.184.190 255.255.255.255 Inside
http 10.1.184.2 255.255.255.255 Inside
http 10.1.184.83 255.255.255.255 Inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set rmtset esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set ikev1 transform-set rmtset
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface Outside
crypto ikev1 enable Outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
telnet 10.1.184.83 255.255.255.255 Inside
telnet 10.1.184.190 255.255.255.255 Inside
telnet 10.1.184.167 255.255.255.255 Inside
telnet timeout 5
ssh 10.1.184.83 255.255.255.255 Inside
ssh 10.1.184.190 255.255.255.255 Inside
ssh 10.1.184.43 255.255.255.255 Inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy branchgroup internal
group-policy branchgroup attributes
dns-server value 10.1.184.120
split-tunnel-policy tunnelspecified
split-tunnel-network-list value branchgroup-SplitACL
default-domain value marinasecuritieslimited.com
username sannib password 3gB/xWLMBVp/AjjW encrypted
username adebimpel password O./lZ/3rlYD/87u2 encrypted
username ojoawob password w1h9Aq2Welzv1fuW encrypted
username agbajer password NuDaZPLHC0BcF7iI encrypted
username oyenihib password eoxptVEUfczen6VR encrypted
username odewolef password yB12L9t1gcr.Wgx/ encrypted
username mainuser password 8KBTvbq5FOuoFce2 encrypted privilege 15
username maakano password c1Cb3uSluyfsyWUb encrypted
tunnel-group branchgroup type remote-access
tunnel-group branchgroup general-attributes
address-pool remoteusers
default-group-policy branchgroup
tunnel-group branchgroup ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
user-statistics accounting
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:bbe838eb9af33fc84083989823bc0c22
: end
[OK]
ciscoasa#
Hi,
Seems to me that you have configured Static NAT from "inside" to "dmz" so that the "inside" servers are visible to the "dmz" with the IP address belonging to the "dmz"
Is this something that you absolutely need? Is there something preventing you from using the IP address ranges on both "inside" and "dmz" and not doing NAT for them at all between those interfaces?
If you want to keep the current setup intact regarding NAT, change the DMZ ACL to use the actual 10.1.184.x IP addresses as the destination IP address in the ACL.
In other words, always use the Real IP address of the host in the ACL configuration, NOT the NAT IP address. After doing that change I suppose it should also work for "dmz" to "inside". (NAT IP was used in the ACL in the ASA versions 8.2 and below, the Real IP address is used in software 8.3 and above)
Change
access-list DMZ_access_in extended permit tcp host 192.168.30.4 host 192.168.30.116 eq smtp
access-list DMZ_access_in extended permit icmp host 192.168.30.4 any
access-list DMZ_access_in extended permit ip host 192.168.30.4 host 192.168.30.134
access-list DMZ_access_in extended permit tcp host 192.168.30.4 host 192.168.30.134 eq sqlnet
To
access-list DMZ_access_in extended permit tcp host 192.168.30.4 host 10.1.184.116 eq smtp
access-list DMZ_access_in extended permit icmp host 192.168.30.4 any
access-list DMZ_access_in extended permit ip host 192.168.30.4 host 10.1.184.134
access-list DMZ_access_in extended permit tcp host 192.168.30.4 host 10.1.184.134 eq sqlnet
You can also use the "object" names in the ACL.
Which would be
access-list DMZ_access_in extended permit tcp host 192.168.30.4 object MailServer eq smtp
access-list DMZ_access_in extended permit icmp host 192.168.30.4 any
access-list DMZ_access_in extended permit ip host 192.168.30.4 object DatabaseServer
access-list DMZ_access_in extended permit tcp host 192.168.30.4 object DatabaseServer eq sqlnet
Hope the above helps. Please ask more if needed.
- Jouni -
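The rule Jouni gives (8.3+ ACLs name the real address, never the mapped one) can be checked mechanically. The following is an added example, not code from the thread: it parses constructed object-NAT definitions that use the addresses quoted above, flags ACEs written against mapped addresses, and prints the two rewrites Jouni proposes (real IP, or object name). The object definitions, `parse_static_nat` and `check_acl` are my assumptions about the poster's config, not copied from it.

```python
import re
from typing import Dict, List, Tuple

# Constructed object-NAT definitions in ASA 8.3+ syntax. They use the real and
# mapped addresses quoted in the thread, but are NOT the poster's own config.
OBJECT_NAT = """\
object network MailServer
 host 10.1.184.116
 nat (inside,dmz) static 192.168.30.116
object network DatabaseServer
 host 10.1.184.134
 nat (inside,dmz) static 192.168.30.134
"""

# The DMZ ACL as quoted in the thread (written against mapped addresses).
DMZ_ACL = """\
access-list DMZ_access_in extended permit tcp host 192.168.30.4 host 192.168.30.116 eq smtp
access-list DMZ_access_in extended permit icmp host 192.168.30.4 any
access-list DMZ_access_in extended permit ip host 192.168.30.4 host 192.168.30.134
access-list DMZ_access_in extended permit tcp host 192.168.30.4 host 192.168.30.134 eq sqlnet
"""


def parse_static_nat(text: str) -> Dict[str, Tuple[str, str]]:
    """Map each mapped (NAT) address to (object name, real address)."""
    mapping: Dict[str, Tuple[str, str]] = {}
    name = real = None
    for line in text.splitlines():
        if m := re.match(r"object network (\S+)", line):
            name, real = m.group(1), None
        elif m := re.match(r"\s+host (\S+)", line):
            real = m.group(1)
        elif (m := re.match(r"\s+nat \(\S+\) static (\S+)", line)) and name and real:
            mapping[m.group(1)] = (name, real)
    return mapping


def _skip_addr(tokens: List[str], i: int) -> int:
    """Return the index just past the address spec that starts at tokens[i]."""
    if tokens[i] in ("any", "any4", "any6"):
        return i + 1
    return i + 2  # "host A", "object O", "object-group G" or "NET MASK"


def check_acl(acl_text: str, mapping: Dict[str, Tuple[str, str]]) -> List[dict]:
    """Flag ACEs whose host addresses are mapped addresses; propose the 8.3+ form."""
    findings = []
    for line in acl_text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] != "extended":
            continue
        i, hits = 5, []  # tokens[0:5] = access-list NAME extended ACTION PROTO
        for _ in range(2):  # source spec, then destination spec
            if tokens[i] == "host" and tokens[i + 1] in mapping:
                hits.append((i + 1,) + mapping[tokens[i + 1]])
            i = _skip_addr(tokens, i)
        if not hits:
            continue
        by_ip, by_obj = tokens[:], tokens[:]
        for idx, name, real in hits:
            by_ip[idx] = real                            # host <real address>
            by_obj[idx - 1:idx + 1] = ["object", name]   # object <name>
        findings.append({"ace": line,
                         "fix_real_ip": " ".join(by_ip),
                         "fix_object": " ".join(by_obj)})
    return findings


if __name__ == "__main__":
    for f in check_acl(DMZ_ACL, parse_static_nat(OBJECT_NAT)):
        print(f["ace"], "\n  ->", f["fix_real_ip"], "\n  ->", f["fix_object"])
```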
ISE 1.2 Patch 2 External RADIUS Server Sequence Broken?
Hi community,
We have upgraded our proof of concept ISE 1.2 lab to Patch level 2.
Our lab design includes the use of external RADIUS servers which we off-load certain authentication rules to.
To ensure resiliency of the external RADIUS service, we have two of these which we add to a RADIUS Server Sequence, the idea being that if the first in the list is unavailable, ISE will try the second and all will be well.
Now this worked for us in testing ISE 1.2, but I have noticed that after the upgrade to Patch 2 ISE is sending the majority of RADIUS traffic to the first (failed) external RADIUS server, with only the odd RADIUS Access-Request to the next in the list.
Anybody else come across this??
All helpful comments rated!
Many thanks, Ash.
I couldn't find any known issues with this feature. Could you please paste the screen shot of the external radius sequence and configuration. Also, how are we determining that the first server in the sequence is DEAD?
~BR
Jatin Katyal
**Do rate helpful posts** -
SSL VPN on C2821 Radius auth issues
I've been looking through the discussions and I can't seem to nail this one down. I'm implementing SSL VPN on a 2821 to do SMTP only. I need it to auth off the radius server and it is only asking for local router login P/Ws. It will not auth against Radius. I've created a separate aaa auth group to no avail and tried a few different tweaks. I'm throwing science at the wall and seeing what sticks at this point.
I've made a new group server for Radius to test it, not working. I've tried variations in domain, not working. Can't use SDM, nor want to.
This is what the config looks like
Building configuration...
Current configuration : 24735 bytes
! Last configuration change at 08:19:39 Arizona Tue Aug 28 2012 by dci
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname N****
aaa new-model
aaa group server radius IAS_AUTH
server-private 10.12.1.7 auth-port 1645 acct-port 1646 key $*****
aaa group server radius Global ***made for testing. Redundant
server-private 10.12.1.7 auth-port 1645 acct-port 1646 key $*****
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 group IAS_AUTH
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authentication login SSL_Global group Global ** created for SSL VPN redundant, but did for testing
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
aaa session-id common
clock timezone Arizona -7
dot11 syslog
ip source-route
ip cef
password encryption aes
crypto pki trustpoint TP-self-signed-2464190257
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2464190257
revocation-check none
rsakeypair TP-self-signed-2464190257
crypto pki certificate chain TP-self-signed-2464190257
certificate self-signed 01
REMOVED
interface GigabitEthernet0/0
INTERFACES REMOVED
ip local pool SDM_POOL_2 10.12.252.1 10.12.252.254
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip flow-cache timeout inactive 10
ip flow-cache timeout active 5
ip flow-export source GigabitEthernet0/0
ip flow-export version 5 peer-as
ip flow-export destination 10.12.1.17 2048
ROUTES REMOVED
ACLS REMOVED SSL IS ALLOWED
route-map STAT_NAT permit 10
match ip address 109
route-map DYN_NAT permit 10
match ip address 108
snmp-server community $DCI$ RO
control-plane
banner login ^C
line con 0
password 7 01100F175804
login authentication local
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
line vty 5 15
privilege level 15
transport input telnet ssh
scheduler allocate 20000 1000
webvpn gateway gateway_1
ip address **outside ip*** port 443
http-redirect port 80
ssl trustpoint TP-self-signed-2464190257
no inservice
webvpn context webvpn
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all
port-forward "portforward_list_1"
local-port 3000 remote-server "10.12.1.23" remote-port 25 description "Email"
policy group policy_1
port-forward "portforward_list_1"
default-group-policy policy_1
aaa authentication list SSL_Global
aaa authentication domain @n****
gateway gateway_1 domain N****
max-users 10
no inservice
end
Can't change "no inservice" to "inservice" and I can't figure out why. Any help with this?
OK, upgraded IOS to most current stable version and I'm now able to do inservice on the context and gateway. I'm trying to go through the SDM route, but Java crashes with ValidatorException errors. I'm going to try updating the SDM since it's the original version to the 2008 version since all the little "fixes" for this do not work. Any ideas on that?
-
Authorization RADIUS - read-only user on FWSM
Hi support community,
I am experiencing an issue while trying to create some read-only users on my FWSM.
I've setup the authentication on my RADIUS Server, which works fine, and put the aaa authorization command LOCAL command.
I've also set the command-associated privilege levels:
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
All these things work great when I authenticate locally on the FWSM.
However, this is not working when authenticating via the RADIUS server:
aaa authentication enable console MY_RADIUS LOCAL
aaa authentication http console MY_RADIUS LOCAL
aaa authentication ssh console MY_RADIUS LOCAL
And I set up the authorization locally, because I don't run any TACACS server:
aaa authorization command LOCAL
I managed to make this work on ASA, by sending RADIUS attributes (cf. a document that I can't find anymore...).
So what exactly are the differences between ASA and FWSM?
On my ASA there was a command I could not run on the FWSM:
aaa authorization exec authentication-server
(i am running version 4.1 on FWSM and 8.4 on ASA).
Thank you for your help.
Florian
You really need to see the example given here,
[Read only user for a schema|http://arjudba.blogspot.com/2008/09/create-read-only-user-for-schema.html]
[Global read only user|http://arjudba.blogspot.com/2008/09/how-to-make-global-read-only-user.html] -
Authentication via RADIUS : MSCHAPv2 Error 691
Hello All,
I am working on setting up authentication into an Acme Packet Net-Net 3820 (SBC) via RADIUS. The accounting side of things is working just fine with no issues. The authentication side of things is another matter. I can see from a packet capture that the access-request messages are in fact getting to the RADIUS server, at which point the RADIUS server starts communicating with the domain controllers. I then see the chain of communication going back to the RADIUS and then finally back to the SBC. The problem is the response I get back is always an access-reject message with a reason code of 16 (Authentication failed due to a user credentials mismatch. Either the user name provided does not match an existing user account or the password was incorrect). This is confirmed by looking at the security event logs where I can see events 4625 and 6273. See the events below (Note: The names and IPs have been changed to protect the innocent):
Event ID: 6273
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
    Security ID: NULL SID
    Account Name: real_username
    Account Domain: real_domain
    Fully Qualified Account Name: real_domain\real_username
Client Machine:
    Security ID: NULL SID
    Account Name:
    Fully Qualified Account Name:
    OS-Version:
    Called Station Identifier:
    Calling Station Identifier:
NAS:
    NAS IPv4 Address: 10.0.0.10
    NAS IPv6 Address:
    NAS Identifier: radius1.real_domain
    NAS Port-Type:
    NAS Port: 101451540
RADIUS Client:
    Client Friendly Name: sbc1mgmt
    Client IP Address: 10.0.0.10
Authentication Details:
    Connection Request Policy Name: SBC Authentication
    Network Policy Name:
    Authentication Provider: Windows
    Authentication Server: RADIUS1.real_domain
    Authentication Type: MS-CHAPv2
    EAP Type:
    Account Session Identifier:
    Logging Results: Accounting information was written to the SQL data store and the local log file.
    Reason Code: 16
    Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
Event ID: 4625
An account failed to log on.
Subject:
    Security ID: SYSTEM
    Account Name: RADIUS1$
    Account Domain: REAL_DOMAIN
    Logon ID: 0x3E7
Logon Type: 3
Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: real_username
    Account Domain: REAL_DOMAIN
Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xC000006D
    Sub Status: 0xC000006A
Process Information:
    Caller Process ID: 0x2cc
    Caller Process Name: C:\Windows\System32\svchost.exe
Network Information:
    Workstation Name:
    Source Network Address:
    Source Port:
Detailed Authentication Information:
    Logon Process: IAS
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Transited Services:
    Package Name (NTLM only):
    Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
So at first glance it would seem that the issue is merely a case of an invalid username or mismatched password. This is further confirmed in the packet capture where I can see the MSCHAPv2 response has an error code of 691 (Access denied because username or password, or both, are not valid on the domain). The thing is I know I am using a valid username and I have tried many usernames including new ones I created just for troubleshooting. I don't know how many times I have reset the password in an attempt to ensure it is not a mismatched password. I have even made sure to use passwords that are fairly short and contain only letters to ensure there were no terminal encoding issues (we connect to the SBC via SSH clients). I have also done this same thing with the shared secret used during communication between the SBC and the RADIUS server. I have tried prefixing the username with the domain name at login (though I don't think that should be necessary). I have also tried using the full UPN of the user to login. I have tried several RADIUS testing clients (NTRadPing, RadiusTest, etc.), but they either don't support MSCHAPv2 or only support EAP-MSCHAPv2. I have even created my own client using PHP's PECL RADIUS module. Still it always seems to fail with the MSCHAPv2 authentication with an error code of 691. Does anyone have any ideas as to why I always get an invalid username or bad password response when I have done everything possible to ensure that is not the case?
Here are the specs for our RADIUS configuration:
Windows Server 2012 R2
SQL Server 2012 Back End Database for accounting.
The server has been authorized on the domain and is a member of the "RAS and IAS Servers" group. That group does have access to the accounts we are testing with.
The accounts we are testing with do have the "Control access through NPS Network Policy" option checked under their "Dial-in" property tab.
RADIUS clients are configured to simply match on the IP address; you can see from the events above that it is applying the client friendly name.
Connection Request Policy: The "SBC Authentication" policy is being applied as seen above. The only condition is a regex expression that does successfully match the friendly name.
Network Policy: As seen in events above, none are getting applied. For troubleshooting purposes I have created a Network Policy that is set to "1" for the processing order and its only condition is a Day and Time Restriction currently set to any time, any day.
The authentication method is set to only MSCHAPv2 or MSCHAPv2 (User can change password after it has expired). I have tried adding this to just the Network Policy and I have also tried adding this to the Connection Request Policy and setting it to override the authentication method of the Network Policy.
We do have other RADIUS servers in our domain that use PEAP to authenticate wireless clients and they all work fine. However, we need this to work with MSCHAPv2 only (No EAP).
All other configurations are set to the defaults.
The only other thing of note to consider is the fact that in the events above you can see that the Security ID is "NULL SID". Now I know this is common especially among failed logons, but given that this issue is stating an invalid username or bad password, perhaps it matters in this case. Also, this server has been rebuilt using the same computer account in Active Directory. I do not know if it would have worked before the rebuild. Essentially we built this server and only got as far as authorizing the server to the domain and adding SQL when we decided to separate out the SQL role onto another server. Rather than uninstalling SQL we just rebuilt the machine. However, before reinstalling Windows I did do a reset on the computer account. I don't think this should matter but thought I would point it out if there is some weird quirk where reusing the same SID of a previously authorized NPS server would cause an issue.
All in all it is a fairly basic setup and hopefully I have provided enough information for someone to get an idea of what might be going on. I hope this was the right forum to post this to; I figured there would be a higher number of RADIUS experts here than any of the other categories. Apologies if my understanding of this seems a bit basic, after all, when it comes to RADIUS servers I guess you could say I'm the new guy here.
Update 1:
In an attempt to further troubleshoot this issue I have tried bringing up additional servers for testing. Here are the additional tests I have performed.
Multiple Domains
I have now tried this in 3 different isolated domains. Both our test and production domains as well as my private home domain which has very little in the way of customizations aside from the modifications made for Exchange and ConfigMgr. All have the same results described above.
VPN Service
Using Windows Server 2012 R2 we brought up a separate server to run a standard VPN setup. The intent was to see if we could use RADIUS authentication with the VPN and if that worked we would know the issue is with the SBCs. However, before we could even configure it to use RADIUS we just attempted to make sure it worked with standard Windows Authentication on the local VPN server. Interestingly, it too fails with the same events getting logged as the RADIUS servers. The client machine being a Windows 8.1 workstation. Again I point out that we have working RADIUS servers used specifically for our wireless environment. The only difference between those RADIUS servers and the ones I am having problems with is that the working wireless servers are using PEAP instead of MSCHAPv2.
FreeRADIUS
Now I'm no Linux guru but I believe I have it up and running. I am able to use ntlm_auth to authenticate users when logged on to the console. However, when the radiusd service tries to use ntlm_auth to do essentially the same thing it fails and returns the same message I've been getting with the Windows server (E=691). I have the radiusd service running in debug mode so I can see more of what is going on. I can post the debug info I am getting if requested. The lines I am seeing of particular interest however are as follows:
(1) ERROR: mschap : Program returned code (1) and output 'Logon failure (0xc000006d)'
(1) mschap : External script failed.
(1) ERROR: mschap : External script says: Logon Failure (0xc000006d)
(1) ERROR: mschap : MS-CHAP2-Response is incorrect
The thing to note here is that while we are essentially still getting a "wrong password" message, the actual status code (0xc000006d) is slightly different than what I was getting on the Windows Servers which was (0xc000006a). From this document you can see what these codes mean: NTSTATUS values. The good thing about this FreeRADIUS server is that I can see all of the challenge responses when it is in debug mode. So if I can wrap my head around how a MSCHAPv2 response is computed I can compare it to see if this is simply a miscomputed challenge response. Update: Was just noticing that the 6a code is just the sub-status code for the 6d code. So nothing different from the Windows Servers, I still wonder if there is a computation error with the challenge responses though.
Currently, I am working on bringing up a Windows Server 2008 R2 instance of a RADIUS server to see if that helps at all. However, I would be surprised if something with the service broke between W2K8 R2 and W2K12 R2 without anyone noticing until now. If this doesn't work I may have to open a case with Microsoft. Update: Same results with W2K8 R2.
-
Exchange Server 2013 with a RADIUS server (freeRADIUS).
Hello,
I am a student and doing an internship. I have to test Microsoft Exchange Server 2013.
I am using Windows Server 2012, I already installed Exchange Server 2013 on it and everything works as intended.
But I couldn't find out how to configure my Windows Server 2012 in order to authenticate my mailbox users from Exchange Server 2013 with a RADIUS server which is not on my Windows Server 2012. I have to use their RADIUS server (freeRADIUS), the RADIUS server from the company where I am doing my internship.
I already created a NPS and added the RADIUS Client + Remote RADIUS Server Groups. I created a Connection Request Policy with the condition:
User Name *
I forwarded the Connection Request to the Remote RADIUS server that I created in Remote RADIUS Server Groups and then I registered the NPS in the AD. But it's still not working.
Maybe I did something wrong or I misunderstood something or does this even work with Exchange Server 2013? To authenticate mailbox users with a RADIUS server before they can login into their mailbox and use their mailbox?
Thanks in advance.
Hi,
I suggest we refer to the following article to double confirm the Network Policy Server is registered properly.
http://technet.microsoft.com/library/cc732912.aspx
Thanks,
Simon Wu
TechNet Community Support -
Can dot1x authentication be relayed by ACSv4.2 to another RADIUS Server?
Dear all,
I'm doing dot1x authentication with ACSv4.2 , my goal is the dot1x authentication request (EAP-MD5) is relayed to another RADIUS Server by ACSv4.2.
I'd configured the ACS to use External Database with Radius Token Server, but it did not work. With the same configuration , the login authentication is relayed correctly.
Can dot1x authentication be relayed by ACSv4.2 to another RADIUS Server?
Jerry
I think it is possible because Extensible Authentication Protocol (EAP), provides the ability to deploy RADIUS into Ethernet network environments. The 802.1x standard, also known as EAP over LAN (EAPoL), concerns the part of the wider EAP standard that relates to broadcast media networks. Upon connection, EAPoL provides a communications channel between an end user on a client LAN device to the AAA server through the LAN switch. The functionality is similar to what Point-to-Point Protocol (PPP) servers on point-to-point links provide.
Hope the following URL helps you:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/configuration/guide/deploy.html
Following URL explains about enhanced login features in ACS 4.2
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/configuration/guide/new_feats.html#wp1011240