Radius communication

Similar Messages

• ISE 1.2 rejects RADIUS messages from vWLC

  Hello,
  I have an ISE appliance with the Wireless license. The Cisco vWLC is configured to send Radius traffic to the device, but is getting the error message:
  11054 Request from a non-wireless device was  dropped due to installed Wireless license
  The vWLC is showing up under endpoints as a VMWARE workstation, and not a WLC, and so under the licensing requirements will not allow RADIUS to be received from anything other than a WLC. I tried hard-coding the policy to match a Cisco WLC with a condition of matching its MAC address, and even disabled the VMWARE profile policy, but the endpoint then only matches the "Unknown" policy. Any ideas?

  Check the Cisco ISE dashboard (
  Operations > Authentications
  ) for any indication
  regarding the nature of RADIUS communication loss. (Look for instances of your
  specified RADIUS usernames and scan the sy
  stem messages that are associated with
  any error message entries.)
  Log into the Cisco ISE CLI
  2
  and enter the following command to produce RADIUS
  attribute output that may aid in debugging connection issues:
  test aaa group radius
  new-code
  If this test command is successful, you should see the following attributes:
  Connect port
  Connect NAD IP address
  Connect Policy Service ISE node IP address
  Correct server key
  Recognized username or password
  Connectivity between the NAD and Policy Service ISE node
  You can also use this command to help narrow the focus of the potential problem
  with RADIUS communication by deliberatel
  y specifying incorrect parameter values
  in the command line and then returning to the administrator dashboard (
  Operations
  > Authentications
  ) to view the type and frequency
  of error message entries that
  result from the incorrect command line. For example, to test whether or not user
  credentials may be the source
  of the problem, enter a username and or password that
  you
  know
  is incorrect, and then go look for error message entries that are pertinent
  to that username in the
  Operations > Authentications
  page to see what Cisco ISE
  is reporting.)
  Note
  This command does not validate whether or not the NAD is configured to use
  RADIUS, nor does it verify whether th
  e NAD is configured to use the new
  AAA model.

• Cisco ise 1.1.4 no open radius port

  Hi,
  I have a big issue with my ise appliance configured with the last version, which is 1.1.4
  I have configured one network device but she doesn't want communicate with ise. The radius communication doesn't works.
  In fact, we see when we do "sh ports" on the ise that the radius port are not open.
  I ever installed one ise appliance in 1.1.3 and it works.
  A idea ????? please
  thanks for advanced

  Hi,
  Can you post the output of your show ports? Also is this in a distributed setup or is this a standalone node.
  here are the port information on my psn -
  udp: 10.250.250.183:58626, 10.250.250.183:1812, 10.250.250.183:1813, 10.250.250.183:1700, 0.0.0.0:60599, 10.250.250.183:3799, 10.250.250.183:1645, 10.250.250.183:1646,
  From my admin node -
  10.250.250.185:1700, 10.250.250.185:3799, 10.250.250.185:64217, 0.0.0.0:20057, 0.0.0.0:50140
  If this is a standalone node, can you go to the deployment section and make sure that all checkboxes are selected, in particular the third box "Policy Service"
  Tarik Admani
  *Please rate helpful posts*

• ISE acting as Radius Proxy Client?

  Hi,
  I have an issue where a remote company has there internal redius server and I have my ISE radius server.
  When there users come to my site, they can authenticate with my wireless and my ISE server proxies the request to there home site to be authenticated and tells me if I should allow them access or not.
  So standard radius proxy and it all works well when my ISE server begins the exchange.
  However if my staff go to there site the reverse is not working, they are proxying the requests back OK, and I can see on the firewall and router the incomming radius packets destined to my ISE server. But there is no recourd on the ISE server of ever reciving them and it all times out.
  Is tehre some thing I need to do to allow ISE to act as the client in a radius proxy set up?
  Cheers.
  Oh I am running version 1.2

  Hi Aaron,
  Check the Cisco ISE dashboard (Operations > Authentications) for any indication regarding the nature of RADIUS communication loss. (Look for instances of your specified RADIUS usernames and scan the system messages that are associated with any error message entries.)
  Log into the Cisco ISE CLI5 and enter the following command to produce RADIUS attribute output that may aid in debugging connection issues:
  test aaa group radius new-code
  If this test command is successful, you should see the following attributes:
  Connect      port
  Connect NAD      IP address
  Connect      Policy Service node IP address
  Correct      server key
  Recognized      username or password
  Connectivity      between the NAD and Policy Service node
  You can also use this command to help narrow the focus of the potential problem with RADIUS communication by deliberately specifying incorrect parameter values in the command line and then returning to the administrator dashboard (Operations > Authentications) to view the type and frequency of error message entries that result from the incorrect command line. For example, to test whether or not user credentials may be the source of the problem, enter a username and or password that you know is incorrect, and then go look for error message entries that are pertinent to that username in the Operations > Authentications page to see what Cisco ISE is reporting.)
  Note This command does not validate whether or not the NAD is configured to use RADIUS, nor does it verify whether the NAD is configured to use the new AAA model.
  The Cisco ISE network enforcement device (switch) is missing the radius-server vsa send accounting command.
  Verify that the switch RADIUS configuration for this device is correct and features the appropriate command(s).
  For more details please go through the following link:
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/troubleshooting_guide/ise_tsg.html#pgfId-192989

• ISE 1.2 With WLC and AD

  Hi everyone,
  What is the steps and Procedure implement Wired and wireless authentication with ISE, WLC and AD for a LAB environment. currently the following are done.
  The wireless network is configured with 2 SSID (Staff and Guest) 
  Active Directory, DNS, DHCP, and  NTP configured & synced.
  ISE and AD running on C220 VMs, and WLC is 5760 Appliance.
  Please provide your thoughts and assistance.
  Regards

  You have to implement dot1x and radius between your NAD and ISE device.
  Using the switch 3850, that are the steps: 
  username RADIUS-HEALTH password radiusKey1 privilege 15
  aaa new-model
  aaa authentication login default local
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  aaa authorization auth-proxy default group radius
  aaa accounting update periodic 5
  aaa accounting auth-proxy default start-stop group radius
  aaa accounting dot1x default start-stop group radius
  !this password will be used to communicate with ISE and to verify reachability
  !between ISE and Switch
  aaa server radius dynamic-author
   client 172.16.1.18 server-key 7 radiuskey
   client 172.16.1.20 server-key 7 radiuskey
  ip domain-name lab.local
  ip name-server 172.16.1.1
  dot1x system-auth-control
  interface GigabitEthernet1/0/3
   switchport mode access
   switchport voice vlan 50
   switchport access vlan 10
   ip access-group ACL-ALLOW in
   authentication event fail action next-method
   authentication event server dead action authorize voice
   authentication event server alive action reinitialize
   authentication host-mode multi-auth
   authentication open
   authentication order dot1x mab
   authentication priority dot1x mab
   authentication port-control auto
   authentication periodic
   authentication timer reauthenticate server
   authentication violation restrict
   mab
   dot1x pae authenticator
   dot1x timeout tx-period 10
   spanning-tree portfast
  ip access-list extended ACL-ALLOW
   permit ip any any
  !the comm between radius and ise will occur on these Port
  ip radius source-interface Vlan100
  logging origin-id ip
  logging source-interface Vlan100
  logging host 172.16.1.20 transport udp port 20514
  logging host 172.16.1.18 transport udp port 20514
  ip radius source-interface Vlan100
  logging origin-id ip
  logging source-interface Vlan100
  logging host 172.16.1.20 transport udp port 20514
  logging host 172.16.1.18 transport udp port 20514
  snmp-server community ciscoro RO
  snmp-server community public RO
  snmp-server trap-source Vlan100
  snmp-server source-interface informs Vlan100
  radius-server attribute 6 on-for-login-auth
  radius-server attribute 8 include-in-access-req
  radius-server attribute 25 access-request include
  radius-server dead-criteria time 10 tries 3
  radius-server vsa send accounting
  radius-server vsa send authentication
  !defining ISE servers
  radius server ISE-RADIUS-1
   address ipv4 172.16.1.20 auth-port 1812 acct-port 1813
   automate-tester username RADIUS-HEALTH idle-time 15
   key radiusKey
  Please be sure that NTP servers and time are synchronized. 
  enable dot1X on windows machine, or using cisco NAM. 
  you can enable debugging on aaa authentication to see the events. 
  you have to create this user on ISE (RADIUS-HEALTH). 
  3850#test aaa group radius username password new-code 
  and observe the result. You are supposed to have user authenticated successfully. 
  You Must also have define these device in ISE on the radius interface.
  ip radius source-interface ..... use this interface ip address to define Ip address of the NAD device in ISE. 
  administration-->network resources -->Network Devices-->Add
  input the name
  input the Ip address for radius communication
  select the authentication settings and field the corresponding shared secret radius key
  select snmp settings and select version 2c. 
  snmp community : ciscoro
  you can customize the polling interval if you want and that all. 
  you are supposed to received message communication between your NAD and ISE. 
  After you can do the procedure for WLC device. 
  I will fill it after you have passed the first steps (3850 authentication). 

• 802.1x authentication fail when trying to implement 802.11N

  Hello, I'm trying to deploy 802.11N along with 802.1X and IAS.
  Controller comunciates with Radius server (IAS) and this lives in a ESX host along with the Domain controller. Somehow users are not able to authenticate.
  WLC: AIR-CT550 - IP 10.152.36.5
  IAS: 10.204.34.35
  Domain controller: 10.204.35.149
  Testing client MAC:  24:77:03:dc:c6:10
  Check these logs:
  *Jan 29 19:11:45.816: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
  *Jan 29 19:11:45.842: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
  *Jan 29 19:11:45.844: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
  *Jan 29 19:11:50.691: 24:77:03:dc:c6:10 apfMsExpireCallback (apf_ms.c:418) Expiring Mobile!
  *Jan 29 19:11:50.692: 24:77:03:dc:c6:10 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [0c:27:24:4e:62:10]
  *Jan 29 19:11:50.692: 24:77:03:dc:c6:10 Deleting mobile on AP 0c:27:24:4e:62:10(0)
  *Jan 29 19:11:51.727: 24:77:03:dc:c6:10 Adding mobile on LWAPP AP 50:17:ff:df:08:70(1)
  *Jan 29 19:11:51.727: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station:  (callerId: 23) in 5 seconds
  *Jan 29 19:11:51.727: 24:77:03:dc:c6:10 apfProcessProbeReq (apf_80211.c:4722) Changing state for mobile 24:77:03:dc:c6:10 on AP 50:17:ff:df:08:70 from Idle to Probe
  *Jan 29 19:11:51.729: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
  *Jan 29 19:11:51.742: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
  *Jan 29 19:11:51.743: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
  *Jan 29 19:11:51.758: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
  *Jan 29 19:11:51.758: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
  *Jan 29 19:11:51.773: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
  *Jan 29 19:11:51.774: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
  *Jan 29 19:11:51.943: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
  *Jan 29 19:11:51.945: 24:77:03:dc:c6:10 Association received from mobile on AP 50:17:ff:de:45:90
  *Jan 29 19:11:51.945: 24:77:03:dc:c6:10 Applying site-specific IPv6 override for station 24:77:03:dc:c6:10 - vapId 3, site 'default-group', interface 'enterprise wireless 3rd floor'
  *Jan 29 19:11:51.945: 24:77:03:dc:c6:10 Applying IPv6 Interface Policy for station 24:77:03:dc:c6:10 - vlan 603, interface id 11, interface 'enterprise wireless 3rd floor'
  *Jan 29 19:11:51.945: 24:77:03:dc:c6:10 STA - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
  *Jan 29 19:11:51.945: 24:77:03:dc:c6:10 Processing RSN IE type 48, length 22 for mobile 24:77:03:dc:c6:10
  *Jan 29 19:11:51.945: 24:77:03:dc:c6:10 Received RSN IE with 0 PMKIDs from mobile 24:77:03:dc:c6:10
  *Jan 29 19:11:51.945: 24:77:03:dc:c6:10 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [50:17:ff:df:08:70]
  *Jan 29 19:11:51.945: 24:77:03:dc:c6:10 Updated location for station old AP 50:17:ff:df:08:70-1, new AP 50:17:ff:de:45:90-1
  *Jan 29 19:11:51.945: 24:77:03:dc:c6:10 0.0.0.0 START (0) Initializing policy
  *Jan 29 19:11:51.945: 24:77:03:dc:c6:10 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
  *Jan 29 19:11:51.945: 24:77:03:dc:c6:10 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
  *Jan 29 19:11:51.945: 24:77:03:dc:c6:10 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 50:17:ff:de:45:90 vapId 3 apVapId 3
  *Jan 29 19:11:51.945: 24:77:03:dc:c6:10 apfPemAddUser2 (apf_policy.c:213) Changing state for mobile 24:77:03:dc:c6:10 on AP 50:17:ff:de:45:90 from Probe to Associated
  *Jan 29 19:11:51.945: 24:77:03:dc:c6:10 Stopping deletion of Mobile Station: (callerId: 48)
  *Jan 29 19:11:51.945: 24:77:03:dc:c6:10 Sending Assoc Response to station on BSSID 50:17:ff:de:45:90 (status 0) Vap Id 3 Slot 1
  *Jan 29 19:11:51.945: 24:77:03:dc:c6:10 apfProcessAssocReq (apf_80211.c:4389) Changing state for mobile 24:77:03:dc:c6:10 on AP 50:17:ff:de:45:90 from Associated to Associated
  *Jan 29 19:11:51.947: 24:77:03:dc:c6:10 Station 24:77:03:dc:c6:10 setting dot1x reauth timeout = 0
  *Jan 29 19:11:51.947: 24:77:03:dc:c6:10 Stopping reauth timeout for 24:77:03:dc:c6:10
  *Jan 29 19:11:51.947: 24:77:03:dc:c6:10 dot1x - moving mobile 24:77:03:dc:c6:10 into Connecting state
  *Jan 29 19:11:51.947: 24:77:03:dc:c6:10 Sending EAP-Request/Identity to mobile 24:77:03:dc:c6:10 (EAP Id 1)
  *Jan 29 19:11:51.974: 24:77:03:dc:c6:10 Received EAPOL START from mobile 24:77:03:dc:c6:10
  *Jan 29 19:11:51.974: 24:77:03:dc:c6:10 dot1x - moving mobile 24:77:03:dc:c6:10 into Connecting state
  *Jan 29 19:11:51.974: 24:77:03:dc:c6:10 Sending EAP-Request/Identity to mobile 24:77:03:dc:c6:10 (EAP Id 2)
  *Jan 29 19:11:52.006: 24:77:03:dc:c6:10 Received EAPOL EAPPKT from mobile 24:77:03:dc:c6:10
  *Jan 29 19:11:52.006: 24:77:03:dc:c6:10 Received EAP Response packet with mismatching id (currentid=2, eapid=1) from mobile 24:77:03:dc:c6:10
  *Jan 29 19:11:52.030: 24:77:03:dc:c6:10 Received EAPOL EAPPKT from mobile 24:77:03:dc:c6:10
  *Jan 29 19:11:52.030: 24:77:03:dc:c6:10 Username entry (NA\a-Gregg.Davis) created for mobile
  *Jan 29 19:11:52.030: 24:77:03:dc:c6:10 Received Identity Response (count=2) from mobile 24:77:03:dc:c6:10
  *Jan 29 19:11:52.030: 24:77:03:dc:c6:10 EAP State update from Connecting to Authenticating for mobile 24:77:03:dc:c6:10
  *Jan 29 19:11:52.030: 24:77:03:dc:c6:10 dot1x - moving mobile 24:77:03:dc:c6:10 into Authenticating state
  *Jan 29 19:11:52.030: 24:77:03:dc:c6:10 Entering Backend Auth Response state for mobile 24:77:03:dc:c6:10
  *Jan 29 19:11:52.031: apfVapRadiusInfoGet: WLAN(3) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
  *Jan 29 19:11:52.031: 24:77:03:dc:c6:10 Successful transmission of Authentication Packet (id 62) to 10.204.34.35:1812, proxy state 24:77:03:dc:c6:10-00:00
  *Jan 29 19:11:52.051: ****Enter processIncomingMessages: response code=11
  *Jan 29 19:11:52.051: Received a RADIUS message from unknown server 10.204.35.149 port 1812
  *Jan 29 19:11:54.032: 24:77:03:dc:c6:10 Successful transmission of Authentication Packet (id 62) to 10.204.34.35:1812, proxy state 24:77:03:dc:c6:10-00:00
  *Jan 29 19:11:54.049: ****Enter processIncomingMessages: response code=11
  *Jan 29 19:11:54.049: Received a RADIUS message from unknown server 10.204.35.149 port 1812
  *Jan 29 19:11:56.032: 24:77:03:dc:c6:10 Successful transmission of Authentication Packet (id 62) to 10.204.34.35:1812, proxy state 24:77:03:dc:c6:10-00:00
  *Jan 29 19:11:56.048: ****Enter processIncomingMessages: response code=11
  *Jan 29 19:11:56.048: Received a RADIUS message from unknown server 10.204.35.149 port 1812
  Any idea of what could be the problem?
  Thanks.

  Hi Francisco,
  *Jan 29 19:11:52.031: 24:77:03:dc:c6:10 Successful transmission of Authentication Packet (id 62) to 10.204.34.35:1812, proxy state 24:77:03:dc:c6:10-00:00
  *Jan 29 19:11:52.051: ****Enter processIncomingMessages: response code=11*Jan 29 19:11:52.051: Received a RADIUS message from unknown server 10.204.35.149 port 1812
  *Jan 29 19:11:54.032: 24:77:03:dc:c6:10 Successful transmission of Authentication Packet (id 62) to 10.204.34.35:1812, proxy state 24:77:03:dc:c6:10-00:00
  *Jan 29 19:11:54.049: ****Enter processIncomingMessages: response code=11*Jan 29 19:11:54.049: Received a RADIUS message from unknown server 10.204.35.149 port 1812
  These message indicate there is some issue with RADIUS communication. Looks like WLC send RADIUS packets to IAS, but it does not get any response. Instead it getting RADIUS response from DC.
  Pls check this communication
  HTH
  Rasika
  **** Pls rate all useful resposnes *****

• Can WAP 4410N work with UC520

  Hi All,
  Just wanted to know if the small business WAP 4410N access point can work with a UC520 router? I presently use the 521 models but will want to use another model/type.

  > Do you have any idea? Could there be any software issues on the WAP?
  just blind shot... MTU changed after pfSense upgrade? or NF (not fragment) bit changed on interface?
  I recommend to make packet capture of RADIUS communication on pfSense (WAP4410N side) and on RADIUS server as well.
  what about logs from RADIUS server?

• Where is radius/tacacs communication taking place

  hello,
  if iam logging in to a domain, and my domain is configured for an authentication to an ACS, where is the radius/tacacs communication taking place?
  - is it from client to ACS
  - or is it from domain to ACS

  Depending on what device you are authenticating against - normally it would be client->Device->ACS->Domain
  HTH>

• Sqlnet Communication problem

  Hi Community,
  I have a challenge getting 2 Oracle servers with each located in "internal" and "DMZ" network segments.
  The oracle server on the internal network can communicate with the one on the DMZ but the one on the DMZ can NOT talk to the one on the internal network.
  The customer wants the architecture to enable realtime data updates on the Oracle in DMZ.
  My config is as follows: I need help.
  ciscoasa# wr t
  : Saved
  ASA Version 8.4(3)
  hostname ciscoasa
  domain-name default.domain.invalid
  enable password 8Ry2YjIyt7RRXU24 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  name 10.1.184.131 Proxy_Server
  name 192.168.10.1 Internet_Router
  name 10.1.184.122 Mail_Server
  name 10.1.184.116 Mail_Server_2
  name 10.1.184.121 Mail_Server_3
  dns-guard
  interface GigabitEthernet0/0
  nameif Inside
  security-level 100
  ip address 10.1.184.1 255.255.248.0 standby 10.1.184.254
  interface GigabitEthernet0/1
  description LAN/STATE Failover Interface
  interface GigabitEthernet0/2
  nameif DMZ
  security-level 50
  ip address 192.168.30.1 255.255.255.0 standby 192.168.30.2
  interface GigabitEthernet0/3
  nameif Outside
  security-level 0
  ip address 192.168.10.2 255.255.255.0 standby 192.168.10.20
  interface Management0/0
  nameif management
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  management-only
  boot system disk0:/asa843-k8.bin
  ftp mode passive
  clock timezone GMT 1
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  object network Proxy_Server
  host 10.1.184.131
  object network Mail_Server
  host 10.1.184.122
  object network Internet_Router
  host 192.168.10.1
  description Created during name migration
  object network Mail_Server_2
  host 10.1.184.116
  description Created during name migration
  object network Mail_Server_3
  host 10.1.184.121
  description Created during name migration
  object network WebServer1
  host 192.168.30.3
  object network InternalNetwork
  subnet 10.1.184.0 255.55.248.0
  object network DMZ-IdentityPool
  range 192.168.30.30 192.168.30.254
  object network WebServer2
  host 192.168.30.4
  object network obj-remote
  subnet 192.168.0.0 255.255.255.0
  object network obj-DMZ
  subnet 192.16.30.0 255.255.255.0
  object network DatabaseServer
  host 10.1.184.134
  object network AppServer
  host 10.1.184.126
  object network MailServer
  host 10.1.184.116
  access-list Inside_access_in extended permit ip object Proxy_Server any
  access-list Inside_access_in extended permit ip host 10.1.184.190 any
  access-list Inside_access_in extended permit ip host 10.1.184.83 any
  access-list Inside_access_in extended permit icmp host 10.1.184.190 any
  access-list Inside_access_in extended permit ip host 10.1.184.67 any inactive
  access-list Inside_access_in extended permit ip host 10.1.184.83 object Internet_Router
  access-list Inside_access_in extended permit ip host 10.1.184.190 object Internet_Router
  access-list Inside_access_in extended permit udp any any
  access-list Inside_access_in extended permit icmp any any
  access-list Inside_access_in extended permit ip object Mail_Server any
  access-list Inside_access_in extended permit tcp object Mail_Server any eq smtp
  access-list Inside_access_in extended permit ip object Mail_Server_2 any
  access-list Inside_access_in extended permit tcp object Mail_Server_2 any eq smtp
  access-list Inside_access_in extended deny tcp any any eq smtp
  access-list Inside_access_in extended permit icmp host 10.1.184.43 any
  access-list Inside_access_in extended permit ip object Mail_Server_3 any
  access-list Inside_access_in extended permit tcp object Mail_Server_3 any eq smtp
  access-list Inside_access_in extended permit ip host 10.1.184.190 host 192.168.30.3
  access-list Inside_access_in extended permit tcp object InternalNetwork host 192.168.30.3 eq www
  access-list Inside_access_in extended permit ip host 10.1.184.137 host 10.1.184.133
  access-list Inside_access_in extended permit ip host 10.1.184.62 host 10.1.184.133
  access-list Inside_access_in extended permit ip host 10.1.184.117 any
  access-list Inside_access_in extended permit ip host 10.1.184.117 object Internet_Router
  access-list Inside_access_in extended permit ip host 10.1.184.129 any
  access-list Inside_access_in extended permit ip host 10.1.184.129 object Internet_Router
  access-list Inside_access_in extended permit ip host 10.1.184.150 host 10.1.184.133
  access-list Inside_access_in extended permit ip host 10.1.184.150 any
  access-list Inside_access_in extended permit ip host 10.1.184.190 host 192.168.30.4
  access-list Inside_access_in extended permit tcp object InternalNetwork host 192.168.30.4 eq www
  access-list Inside_access_in extended permit tcp host 10.1.184.134 host 192.168.30.4 eq sqlnet
  access-list Outside_access_in extended permit udp any eq domain object Proxy_Server
  access-list Outside_access_in extended permit icmp object Internet_Router any
  access-list Outside_access_in extended permit icmp any host 10.1.184.190
  access-list Outside_access_in extended permit icmp any host 10.1.184.83 inactive
  access-list Outside_access_in extended permit tcp any object Proxy_Server eq https
  access-list Outside_access_in extended permit tcp any object Proxy_Server eq www
  access-list Outside_access_in extended permit tcp any object Mail_Server eq smtp inactive
  access-list Outside_access_in extended permit tcp any object Mail_Server_2 eq pop3
  access-list Outside_access_in extended permit udp any eq domain object Mail_Server_2
  access-list Outside_access_in extended permit tcp any object Mail_Server eq imap4 inactive
  access-list Outside_access_in extended permit icmp any object Mail_Server inactive
  access-list Outside_access_in extended permit tcp any object Mail_Server_2 eq smtp
  access-list Outside_access_in extended permit tcp any object Mail_Server_2 eq imap4
  access-list Outside_access_in extended permit icmp any object Mail_Server_2
  access-list Outside_access_in extended permit icmp any host 10.1.184.43
  access-list Outside_access_in extended permit tcp any host 192.168.30.3 eq www
  access-list Outside_access_in extended permit tcp any host 192.168.30.3 eq https
  access-list Outside_access_in extended permit icmp any host 192.168.30.3
  access-list Outside_access_in extended permit icmp any any echo-reply
  access-list Outside_access_in extended permit icmp any host 192.168.30.3 echo
  access-list Outside_access_in extended permit tcp any host 192.168.30.4 eq www
  access-list Outside_access_in extended permit tcp any host 192.168.30.4 eq https
  access-list Outside_access_in extended permit icmp any host 192.168.30.4 echo
  access-list Outside_access_in extended permit icmp any host 192.168.30.4
  access-list branchgroup-SplitACL standard permit 10.0.0.0 255.0.0.0
  access-list branchgroup-SplitACL standard permit 192.168.30.0 255.255.255.0
  access-list DMZ_access_in extended permit tcp host 192.168.30.4 host 192.168.30.116 eq smtp
  access-list DMZ_access_in extended permit icmp host 192.168.30.4 any
  access-list DMZ_access_in extended permit ip host 192.168.30.4 host 192.168.30.134
  access-list DMZ_access_in extended permit tcp host 192.168.30.4 host 192.168.30.134 eq sqlnet
  pager lines 24
  logging enable
  logging timestamp
  logging standby
  logging emblem
  logging list InformationalLog level informational
  logging list InformationalLog message 101001
  logging buffer-size 16384
  logging console notifications
  logging monitor errors
  logging buffered critical
  logging trap errors
  logging asdm critical
  logging mail informational
  logging host Inside 10.1.184.132
  logging host Inside 10.1.184.190 6/1470
  logging debug-trace
  logging ftp-server 10.1.184.190 \\marinasec\akanoa akanoa *****
  logging permit-hostdown
  logging class auth buffered emergencies trap emergencies
  logging class bridge buffered emergencies trap emergencies
  logging class config buffered alerts trap emergencies
  logging class ip buffered emergencies trap alerts
  logging class sys trap alerts
  logging class ca trap emergencies
  logging class email buffered emergencies trap errors
  mtu Inside 1500
  mtu DMZ 1500
  mtu Outside 1500
  mtu management 1500
  ip local pool remoteusers 192.168.0.1-192.168.0.254
  failover
  failover lan unit secondary
  failover lan interface stateful_failover GigabitEthernet0/1
  failover replication http
  failover link stateful_failover GigabitEthernet0/1
  failover interface ip stateful_failover 192.168.20.1 255.255.255.252 standby 192.168.20.2
  no monitor-interface management
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any Inside
  asdm image disk0:/asdm-647.bin
  no asdm history enable
  arp timeout 14400
  nat (DMZ,Outside) source static obj-DMZ obj-DMZ destination static obj-remote obj-remote
  nat (Inside,Outside) source static InternalNetwork InternalNetwork destination static obj-remote obj-remote
  object network Mail_Server
  nat (Inside,Outside) static Mail_Server no-proxy-arp route-lookup
  object network WebServer1
  nat (DMZ,Outside) static 192.168.30.3 dns
  object network WebServer2
  nat (DMZ,Outside) static 192.168.30.4 dns
  object network DatabaseServer
  nat (Inside,DMZ) static 192.168.30.134
  object network AppServer
  nat (Inside,DMZ) static 192.168.30.126
  object network MailServer
  nat (Inside,DMZ) static 192.168.30.116
  access-group Inside_access_in in interface Inside
  access-group DMZ_access_in in interface DMZ
  access-group Outside_access_in in interface Outside
  route Outside 0.0.0.0 0.0.0.0 Internet_Router 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa-server vpn protocol radius
  aaa-server vpn (Inside) host 10.1.184.119
  key *****
  aaa-server vpn (Inside) host 10.1.184.120
  key *****
  user-identity default-domain LOCAL
  http server enable
  http 10.1.184.190 255.255.255.255 Inside
  http 10.1.184.2 255.255.255.255 Inside
  http 10.1.184.83 255.255.255.255 Inside
  http 192.168.1.0 255.255.255.0 management
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec ikev1 transform-set rmtset esp-3des esp-md5-hmac
  crypto dynamic-map dyn1 1 set ikev1 transform-set rmtset
  crypto dynamic-map dyn1 1 set reverse-route
  crypto map mymap 1 ipsec-isakmp dynamic dyn1
  crypto map mymap interface Outside
  crypto ikev1 enable Outside
  crypto ikev1 policy 1
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 43200
  telnet 10.1.184.83 255.255.255.255 Inside
  telnet 10.1.184.190 255.255.255.255 Inside
  telnet 10.1.184.167 255.255.255.255 Inside
  telnet timeout 5
  ssh 10.1.184.83 255.255.255.255 Inside
  ssh 10.1.184.190 255.255.255.255 Inside
  ssh 10.1.184.43 255.255.255.255 Inside
  ssh timeout 5
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics
  threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
  webvpn
  group-policy branchgroup internal
  group-policy branchgroup attributes
  dns-server value 10.1.184.120
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value branchgroup-SplitACL
  default-domain value marinasecuritieslimited.com
  username sannib password 3gB/xWLMBVp/AjjW encrypted
  username adebimpel password O./lZ/3rlYD/87u2 encrypted
  username ojoawob password w1h9Aq2Welzv1fuW encrypted
  username agbajer password NuDaZPLHC0BcF7iI encrypted
  username oyenihib password eoxptVEUfczen6VR encrypted
  username odewolef password yB12L9t1gcr.Wgx/ encrypted
  username mainuser password 8KBTvbq5FOuoFce2 encrypted privilege 15
  username maakano password c1Cb3uSluyfsyWUb encrypted
  tunnel-group branchgroup type remote-access
  tunnel-group branchgroup general-attributes
  address-pool remoteusers
  default-group-policy branchgroup
  tunnel-group branchgroup ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns migrated_dns_map_1
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns migrated_dns_map_1
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
  class class-default
    user-statistics accounting
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  hpm topN enable
  Cryptochecksum:bbe838eb9af33fc84083989823bc0c22
  : end
  [OK]
  ciscoasa#

  Hi,
  Seems to me that you have configured Static NAT from "inside" to "dmz" so that the "inside" servers are visible to the "dmz" with the IP address belonging to the "dmz"
  Is this something that you absolutely need? Is there something preventing you from using the IP address ranges on both "inside" and "dmz" and not doing NAT for them at all between those interfaces?
  IF you want to keep the current setup intact regarding NAT, change the DMZ ACL to use the actual 10.1.184.x IP addresses as the destination IP address in the ACL.
  In other words, always use the Real IP address of the host in the ACL configuration, NOT the NAT IP address. After doing that change I suppose it should also work for "dmz" to "inside". (NAT IP was used in the ACL in the ASA versions 8.2 and below, the Real IP address is used in software 8.3 and above)
  Change
  access-list DMZ_access_in extended permit tcp host 192.168.30.4 host 192.168.30.116 eq smtp
  access-list DMZ_access_in extended permit icmp host 192.168.30.4 any
  access-list DMZ_access_in extended permit ip host 192.168.30.4 host 192.168.30.134
  access-list DMZ_access_in extended permit tcp host 192.168.30.4 host 192.168.30.134 eq sqlnet
  To
  access-list DMZ_access_in extended permit tcp host 192.168.30.4 host 10.1.184.116 eq smtp
  access-list DMZ_access_in extended permit icmp host 192.168.30.4 any
  access-list DMZ_access_in extended permit ip host 192.168.30.4 host 10.1.184.134
  access-list DMZ_access_in extended permit tcp host 192.168.30.4 host 10.1.184.134 eq sqlnet
  You can also use the "object" names in the ACL.
  Which would be
  access-list DMZ_access_in extended permit tcp host 192.168.30.4 object MailServer eq smtp
  access-list DMZ_access_in extended permit icmp host 192.168.30.4 any
  access-list DMZ_access_in extended permit ip host 192.168.30.4 object DatabaseServer
  access-list DMZ_access_in extended permit tcp host 192.168.30.4 object DatabaseServer eq sqlnet
  Hope the above helps Please ask more if needed.
  - Jouni

• ISE 1.2 Patch 2 External RADIUS Server Sequence Broken?

  Hi community,
  We have upgraded our proof of concept ISE 1.2 lab to Patch level 2.
  Our lab design includes the use of external RADIUS servers which we off-load certain authentication rules to.
  To ensure resiliency of the external RADIUS service, we have two of these which we add to a RADIUS Server Sequence, the idea being that if the first in the list is unavailable, ISE will try the second and all will be well.
  Now this worked for us in testing ISE 1.2, but I have noticed that after the upgrade to Patch 2 ISE is sending the majority RADIUS traffic to the first (failed) external RADIUS server, with only the odd RADIUS Access-Request to thte next in the list.
  Anybody else come across this??
  All helpful comments rated!
  Many thanks, Ash.

  I couldn't find any known issues with this feature. Could you please paste the screen shot of external radius sequence and configuration. Also, how are we determing that the first server in the sequence is DEAD?
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• SSL VPN on C2821 Radius auth issues

  I've been looking through the discussions and I can't seem to nail this one down. I'm implimenting SSL VPN on a 2821 to do SMTP only. I need it to auth off the radius server and it is only asking for local router login P/Ws. It will not auth against Radius. I've created a seperate aaa auth group to no avail and tried a few different tweaks. I'm throwing science at the wall and seeing what sticks at this point.
  I've made a new group server for Radius to test it, not working. I've tried variations in domain, not working. Can't use SDM, nor want to.
  This is what the config looks like
  Building configuration...
  Current configuration : 24735 bytes
  ! Last configuration change at 08:19:39 Arizona Tue Aug 28 2012 by dci
  version 15.1
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname N****
  aaa new-model
  aaa group server radius IAS_AUTH
  server-private 10.12.1.7 auth-port 1645 acct-port 1646 key $*****
  aaa group server radius Global ***made for testing. Redundant
  server-private 10.12.1.7 auth-port 1645 acct-port 1646 key $*****
  aaa authentication login default local
  aaa authentication login sdm_vpn_xauth_ml_1 group IAS_AUTH
  aaa authentication login sdm_vpn_xauth_ml_2 local
  aaa authentication login SSL_Global group Global ** created for SSL VPN redundant, but did for testing
  aaa authorization network sdm_vpn_group_ml_1 local
  aaa authorization network sdm_vpn_group_ml_2 local
  aaa session-id common
  clock timezone Arizona -7
  dot11 syslog
  ip source-route
  ip cef
  password encryption aes
  crypto pki trustpoint TP-self-signed-2464190257
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-2464190257
  revocation-check none
  rsakeypair TP-self-signed-2464190257
  crypto pki certificate chain TP-self-signed-2464190257
  certificate self-signed 01
  REMOVED
  interface GigabitEthernet0/0
  INTERFACES REMOVED
  ip local pool SDM_POOL_2 10.12.252.1 10.12.252.254
  ip forward-protocol nd
  ip http server
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 600 life 86400 requests 10000
  ip flow-cache timeout inactive 10
  ip flow-cache timeout active 5
  ip flow-export source GigabitEthernet0/0
  ip flow-export version 5 peer-as
  ip flow-export destination 10.12.1.17 2048
  ROUTES REMOVED
  ACLS REMOVED SSL IS ALLOWED
  route-map STAT_NAT permit 10
  match ip address 109
  route-map DYN_NAT permit 10
  match ip address 108
  snmp-server community $DCI$ RO
  control-plane
  banner login ^C
  line con 0
  password 7 01100F175804
  login authentication local
  line aux 0
  line vty 0 4
  privilege level 15
  transport input telnet ssh
  line vty 5 15
  privilege level 15
  transport input telnet ssh
  scheduler allocate 20000 1000
  webvpn gateway gateway_1
  ip address **outside ip*** port 443
  http-redirect port 80
  ssl trustpoint TP-self-signed-2464190257
  no inservice
  webvpn context webvpn
  secondary-color white
  title-color #CCCC66
  text-color black
  ssl authenticate verify all
  port-forward "portforward_list_1"
     local-port 3000 remote-server "10.12.1.23" remote-port 25 description "Email"
  policy group policy_1
     port-forward "portforward_list_1"
  default-group-policy policy_1
  aaa authentication list SSL_Global
  aaa authentication domain @n****
  gateway gateway_1 domain N****
  max-users 10
  no inservice
  end
  Can't change "no inservice" to "inservice" and I can't figure out why. Any help with this?

  OK, upgraded IOS to most current stable version and I'm now able to do inservice on the context and gateway. I'm trying to go through the SDM route, but Java crashes with ValidatorException errors. I'm going to try updating the SDM since it's the original version to the 2008 version since all the little "fixes" for this do not work. Any ideas on that?    

• Authorization RADIUS - read-only user on FWSM

  Hi support community,
  I am experiencing an issue while trying to create some read-only users on my FWSM.
  I've setup the authentication on my RADIUS Server, which works fine, and put the aaa authorization command LOCAL  command.
  I've also set the commands - associated priviege :
  privilege show level 3 mode configure command dhcpd
  privilege show level 5 mode configure command privilege
  All this things works great when i authenticate locally on the FWSM.
  However, this is not working whe authenticating via the RADIUS server:
  aaa authentication enable console MY_RADIUS LOCAL
  aaa authentication http console MY_RADIUS LOCAL
  aaa authentication ssh console MY_RADIUS LOCAL
  And i set up the authorization locall, because i dont run any TACACS server :
  aaa authorization command LOCAL
  I managed to make this work on ASA, by sending RADIUS attributes (cf a document that i can't find anymore...).
  So what are exactly the differences between asa and FWSM ?
  On my ASA there was a command i could not run on the FWSM :
  aaa authorization exec authentication-server
  (i am running version 4.1 on FWSM and 8.4 on ASA).
  Thank you for your help.
  Florian

  You really need to see the example given here,
  [Read only user for a schema|http://arjudba.blogspot.com/2008/09/create-read-only-user-for-schema.html]
  [Global read only user|http://arjudba.blogspot.com/2008/09/how-to-make-global-read-only-user.html]

• Authentication via RADIUS : MSCHAPv2 Error 691

  Hello All,
  I am working on setting up authentication into an Acme Packet Net-Net 3820 (SBC) via RADIUS. The accounting side of things is working just fine with no issues. The authentication side of things is another matter. I can see from a packet capture that the access-request
  messages are in fact getting to the RADIUS server at which point the RADIUS server starts communicating with the domain controllers. I then see the chain of communication going back to the RADIUS and then finally back to the SBC. The problem is the response
  I get back is always an access-reject message with a reason code of 16 (Authentication failed due to a user credentials mismatch. Either the user name provided does not match an existing user account or the password was incorrect). This is confirmed by looking
  at the security event logs where I can see events 4625 and 6273. See the events below (Note: The names and IPs have been changed to protect the innocent):
  Event ID: 6273
  Network Policy Server denied access to a user.
  Contact the Network Policy Server administrator for more information.
  User:
  Security ID:
  NULL SID
  Account Name:
  real_username
  Account Domain:
  real_domain
  Fully Qualified Account Name:
  real_domain\real_username
  Client Machine:
  Security ID:
  NULL SID
  Account Name:
  Fully Qualified Account Name:
  OS-Version:
  Called Station Identifier:
  Calling Station Identifier:
  NAS:
  NAS IPv4 Address:
  10.0.0.10
  NAS IPv6 Address:
  NAS Identifier:
  radius1.real_domain
  NAS Port-Type:
  NAS Port:
  101451540
  RADIUS Client:
  Client Friendly Name:
  sbc1mgmt
  Client IP Address:
  10.0.0.10
  Authentication Details:
  Connection Request Policy Name:
  SBC Authentication
  Network Policy Name:
  Authentication Provider:
  Windows
  Authentication Server:
  RADIUS1.real_domain
  Authentication Type:
  MS-CHAPv2
  EAP Type:
  Account Session Identifier:
  Logging Results:
  Accounting information was written to the SQL data store and the local log file.
  Reason Code:
  16
  Reason:
  Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
  Event ID: 4625
  An account failed to log on.
  Subject:
  Security ID:
  SYSTEM
  Account Name:
  RADIUS1$
  Account Domain:
  REAL_DOMAIN
  Logon ID:
  0x3E7
  Logon Type: 3
  Account For Which Logon Failed:
  Security ID:
  NULL SID
  Account Name:
  real_username
  Account Domain:
  REAL_DOMAIN
  Failure Information:
  Failure Reason:
  Unknown user name or bad password.
  Status:
  0xC000006D
  Sub Status:
  0xC000006A
  Process Information:
  Caller Process ID:
  0x2cc
  Caller Process Name:
  C:\Windows\System32\svchost.exe
  Network Information:
  Workstation Name:
  Source Network Address:
  Source Port:
  Detailed Authentication Information:
  Logon Process:
  IAS
  Authentication Package:
  MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  Transited Services:
  Package Name (NTLM only):
  Key Length:
  0
  This event is generated when a logon request fails. It is generated on the computer where access was attempted.
  The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
  The Process Information fields indicate which account and process on the system requested the logon.
  The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  The authentication information fields provide detailed information about this specific logon request.
  - Transited services indicate which intermediate services have participated in this logon request.
  - Package name indicates which sub-protocol was used among the NTLM protocols.
  - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
  So at first glance it would seem that the issue is merely a case of an invalid username or mismatched password. This is further confirmed in the packet capture where I can see the MSCHAPv2 response has an error code of 691 (Access denied because username or
  password, or both, are not valid on the domain). The thing is I know I am using a valid username and I have tried many usernames including new ones I created just for troubleshooting. I don't know how many times I have reset the password in an attempt to ensure
  it is not a mismatch password. I have even made sure to use passwords that are fairly short and contain only letters to ensure there was no terminal encoding issues (we connect to the SBC via SSH clients). I have also done this same thing with the shared secret
  used during communication between the SBC and the RADIUS server. I have tried prefixing the username with the domain name at login (though I don't think that should be necessary). I have also tried using the full UPN of the user to login. I have tried several
  RADIUS testing clients (NTRadPing, RadiusTest, etc.), but they either don't support MSCHAPv2 or only support EAP-MSCHAPv2. I have even created my own client using PHP's PECL RADIUS module. Still it always seems to fail with the MSCHAPv2 authentication with
  an error code of 691. Does anyone have any ideas as to why I always get an invalid username or bad password response when I have done everything possible to ensure that is not the case?
  Here are the specs for our RADIUS configuration:
  Windows Server 2012 R2
  SQL Server 2012 Back End Database for accounting.
  The server has been authorized on the domain and is a member of the "RAS and IAS Servers" group. For which that group does have access to the accounts we are testing with.
  The accounts we are testing with do have the "Control access through NPS Network Policy" option checked under their "Dial-in" property tab.
  RADIUS clients configured to simply match on the IP address which you can see from the events above that it is applying the client friendly name.
  Connection Request Policy: The "SBC Authenication" policy is being applied as seen above. The only condition is a regex expression that does successfully match the friendly name.
  Network Policy: As seen in events above, none are getting applied. For troubleshooting purposes I have created a Network Policy that is set to "1" for the processing order and its only condition is a Day and Time Restriction currently set to any
  time, any day.
  The authentication method is set to only MSCHAPv2 or MSCHAPv2 (User can change password after it has expired). I have tried adding this to just the Network Policy and I have also tried adding this to the Connection Request Policy and setting it to override
  the authentication method of the Network Policy.
  We do have other RADIUS servers in our domain that use PEAP to authenticate wireless clients and they all work fine. However, we need this to work with MSCHAPv2 only (No EAP).
  All other configurations are set to the defaults.
  The only other things of note to consider is the fact that in the events above you can see that the Security ID is "NULL SID". Now I know this is common especially among failed logons but given that this issue is stating an invalid username or
  bad password, perhaps it matters in this case. Also, this server has been rebuilt using the same computer account in Active Directory. I do not know if it would have worked before the rebuild. Essentially we built this server and only got as far as authorizing
  the server to the domain and adding SQL when we decided to separate out the SQL role onto another server. Rather than uninstalling SQL we just rebuilt the machine. However, before reinstalling Windows I did do a reset on the computer account. I don't think
  this should matter but thought I would point it out if there is some weird quirk where reusing the same SID of a previously authorized NPS server would cause an issue.
  All in all it is a fairly basic setup and hopefully I have provided enough information for someone to get an idea of what might be going on. I hope this was the right forum to post this too, I figured there would be a higher number of RADIUS experts here than
  any of the other categories. Apologies if my understanding of this seems a bit basic, after all, when it comes to RADIUS servers I guess you could say I'm the new guy here.

  Update 1:
  In an attempt to further troubleshoot this issue I have tried bringing up additional servers for testing. Here are the additional tests I have performed.
  Multiple Domains
  I have now tried this in 3 different isolated domains. Both our test and production domains as well as my private home domain which has very little in the way of customizations aside from the modifications made for Exchange and ConfigMgr. All have the same
  results described above.
  VPN Service
  Using Windows Server 2012 R2 we brought up a separate server to run a standard VPN setup. The intent was to see if we could use RADIUS authentication with the VPN and if that worked we would know the issue is with the SBCs. However, before we could even
  configure it to use RADIUS we just attempted to make sure it worked with standard Windows Authentication on the local VPN server. Interestingly, it too fails with the same events getting logged as the RADIUS servers. The client machine being a Windows 8.1
  workstation. Again I point out that we have working RADIUS servers used specifically for our wireless environment. The only difference between those RADIUS servers and the ones I am having problems with is that the working wireless servers are using PEAP instead
  of MSCHAPv2.
  FreeRADIUS
  Now I'm no Linux guru but I believe I have it up and running. I am able to use ntlm_auth to authenticate users when logged on to the console. However, when the radiusd service tries to use ntlm_auth to do essentially the same thing it fails and returns the
  same message I've been getting with the Windows server (E=691). I have the radiusd service running in debug mode so I can see more of what is going on. I can post the debug info I am getting if requested. The lines I am seeing of particular interest however
  are as follows:
  (1) ERROR: mschap : Program returned code (1) and output 'Logon failure (0xc000006d)'
  (1) mschap : External script failed.
  (1) ERROR: mschap : External script says: Logon Failure (0xc000006d)
  (1) ERROR: mschap : MS-CHAP2-Response is incorrect
  The thing to note here is that while we are essentially still getting a "wrong password" message, the actual status code (0xc000006d) is slightly different than what I was getting on the Windows Servers which was (0xc000006a). From this document
  you can see what these codes mean:
  NTSTATUS values . The good thing about this FreeRADIUS server is that I can see all of the challenge responses when it is in debug mode. So if I can wrap my head around how a MSCHAPv2 response is computed I can compare it to see if this is simply a miscomputed
  challenge response. Update: Was just noticing that the 6a code is just the sub-status code for the 6d code. So nothing different from the Windows Servers, I still wonder if there is a computation error with the challenge responses though.
  Currently, I am working on bringing up a Windows Server 2008 R2 instance of a RADIUS server to see if that helps at all. However, I would be surprised if something with the service broke between W2K8 R2 and W2K12 R2 without anyone noticing until now. If this
  doesn't work I may have to open a case with Microsoft. Update: Same results with W2K8 R2.

• Exchange Server 2013 with a RADIUS server (freeRADIUS).

  Hello,
  I am a student and doing an internship. I have to test Microsoft Exchange Server 2013.
  I am using Windows Server 2012, I already installed Exchange Server 2013 on it and everything works as intended.
  But I couldn't find out how to configure my Windows Server 2012 in order to authenticate my mailbox users from Exchange Server 2013 with a RADIUS server which is not on my Windows Server 2012. I have to use their RADIUS server (freeRADIUS), the RADIUS server
  from the company where I am doing my internship.
  I already created a NPS and added the RADIUS Client + Remote
  RADIUS Server Groups. I created a Connection Request Policies with the condition:
  User Name *
  I forwarded the Connection Request to the
  Remote RADIUS server that I created in Remote RADIUS Server Groups and then I registered the NPS in th AD. But it's still not working. 
  Maybe I did something wrong or I misunderstood something or does this even work with Exchange Server 2013? To authenticate mailbox users with a RADIUS server before they can login into their mailbox and use their mailbox?
  Thanks in advance.

  Hi,
  I suggest we refer to the following article to double confirm the Network Policy Server is registered properly.
  http://technet.microsoft.com/library/cc732912.aspx
  Thanks,
  Simon Wu
  TechNet Community Support

• Can dot1x authetication relayed by ACSv4.2 to another RADIUS Server ?

  Dear all,
  I'm doing dot1x authentication with ACSv4.2 , my goal is the dot1x authentication request (EAP-MD5) is relayed to another RADIUS Server by ACSv4.2.
  I'd configured the ACS to use External Database with Radius Token Server, but it did not work. With the same configuration , the login authentication is relayed correctly.
  Can dot1x authetication relayed by ACSv4.2 to another RADIUS Server ?
  Jerry

  I think it is possible because Extensible Authentication Protocol (EAP), provides the ability to deploy RADIUS into Ethernet network environments. The 802.1x standard, also known as EAP over LAN (EAPoL), concerns the part of the wider EAP standard that relates to broadcast media networks. Upon connection, EAPoL provides a communications channel between an end user on a client LAN device to the AAA server through the LAN switch. The functionality is similar to what Point-to-Point Protocol (PPP) servers on point-to-point links provide.
  Hope the following URL helps you:
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/configuration/guide/deploy.html
  Following URL explains about enhanced login features in ACS 4.2
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/configuration/guide/new_feats.html#wp1011240