Radius NMAS 2 Calling station Id

Hello,
can the Novell RADIUS server be set up to provide authentication based on
MAC address and/or Calling - Station -ID ?
Currently running system 6.5sp2 servers and NMAS with radius.
Thanks
Michael

The called-station-id and calling-station-id attributes are generally
referred to as "request attributes" because the NAS provides them in the
access-request packet. Unfortunately, the current version of RADIUS does not
support request attributes. When you configure attributes for Novell RADIUS,
you may only configure attributes for the access-accept packet.
>>> <[email protected]> 10/07/04 7:08 AM >>>

Similar Messages

  • Calling-station-id has nothing

    I am using a Cisco 7206 VXR as PPTP server with RADIUS AAA; everything works except that the router doesn't send to RADIUS the attribute Calling-Station-Id that should contain the IP address of the connecting client (I need that for an authorization check).
    I'm using Cisco IOS Software, 7200 Software (C7200P-ADVENTERPRISEK9-M), Version 12.4(11)T2, RELEASE SOFTWARE (fc4)

    Thanks, but that doesn't help.
    By the way, I don't need exactly Calling-Station-Id. I can accept any possibility to send the client IP to RADIUS.
    What can I try more?

  • RADIUS packet-id not incrementing, called-station-id missing

    I am running v1.3.5.58 on an SG300-20.  I am attempting to use a Network Access Control (NAC) solution, which involves a RADIUS proxy.  It is getting confused by two odd behaviors of the SG300 when attempting EAP-PEAP-MSCHAPv2 authentication. 
    1. The SG300 does not properly increment the "Packet Identifier" bits as it progresses through the RADIUS negotiation.  The packet identifier is always 0x00.
    2. The SG300 does not properly set the "Called-Station-ID" Attribute-Value-Pair (AVP).  Instead, it is left blank.
    Although FreeRADIUS is able to find a way around these problems, the NAC RADIUS proxy cannot.  Have I done something in the config to cause this to happen (see below)?  Is this a known bug?  Does it have a workaround?  Will our hero defeat the villain and save the day?  ;-)
    config-file-header
    ausoff-sw-test1
    v1.3.5.58 / R750_NIK_1_35_647_358
    CLI v1.0
    set system mode switch
    file SSD indicator encrypted
    ssd-control-start
    ssd config
    ssd file passphrase control unrestricted
    no ssd file integrity control
    ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
    spanning-tree priority 40960
    port jumbo-frame
    vlan database
    vlan 2-3,12,14,16,99,600,1000,1010
    exit
    voice vlan id 1010
    voice vlan oui-table add 0001e3 Siemens_AG_phone________
    voice vlan oui-table add 00036b Cisco_phone_____________
    voice vlan oui-table add 00096e Avaya___________________
    voice vlan oui-table add 000fe2 H3C_Aolynk______________
    voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
    voice vlan oui-table add 00d01e Pingtel_phone___________
    voice vlan oui-table add 00e075 Polycom/Veritel_phone___
    voice vlan oui-table add 00e0bb 3Com_phone______________
    dot1x system-auth-control
    dot1x traps authentication failure 802.1x
    dot1x traps authentication success 802.1x
    hostname ausoff-sw-test1
    line console
    exec-timeout 30
    exit
    line ssh
    exec-timeout 30
    exit
    line telnet
    exec-timeout 30
    exit
    encrypted radius-server key C1TbrSasKDSDdUoOG2XrohFMsM5tVmu+3QyTwkiVKMI=
    encrypted radius-server host 172.18.14.114 key C1TbrSasKDSDdUoOG2XrohFMsM5tVmu+3QyTwkiVKMI= priority 1 usage dot1.x
    radius-server host 172.18.58.58 usage dot1.x
    radius-server timeout 10
    logging host 172.18.58.50
    aaa accounting dot1x start-stop group radius
    enable password level 15 encrypted
    username nac password encrypted *** privilege 15
    username admin password encrypted *** privilege 15
    username cisco password encrypted *** privilege 15
    username readonly password encrypted ***
    ip ssh server
    ip ssh password-auth
    snmp-server server
    snmp-server engineID local 800000090308cc68423f4d
    snmp-server location "***"
    snmp-server contact "***"
    snmp-server community *** rw 172.18.58.58 view DefaultSuper
    snmp-server community *** rw 172.18.14.105 view DefaultSuper
    snmp-server host 172.18.58.58 traps version 2c nac
    snmp-server host 172.18.58.58 version 3 auth nac
    snmp-server group nac v3 auth notify DefaultSuper read DefaultSuper write DefaultSuper
    snmp-server group SNMPSuperuser v3 auth notify DefaultSuper read DefaultSuper write DefaultSuper
    encrypted snmp-server user nac nac v3 auth sha ***
    encrypted snmp-server user ManageEngines SNMPSuperuser v3 auth sha ***
    ip http timeout-policy 1800
    clock timezone " " -6
    sntp anycast client enable ipv4
    sntp broadcast client enable ipv4
    clock source sntp
    sntp unicast client enable
    sntp unicast client poll
    sntp server 0.pool.ntp.org poll
    sntp server 1.pool.ntp.org poll
    ip domain name blah.net
    ip name-server  172.18.19.232
    ip domain timeout 2
    ip domain retry 1
    ip telnet server
    interface vlan 2
    name NACRegistration
    interface vlan 3
    name NACIsolation
    interface vlan 12
    name Users
    interface vlan 14
    name Dev
    interface vlan 16
    name LAN
    interface vlan 99
    name Mgmt
    ip address 172.18.58.61 255.255.255.128
    interface vlan 600
    name "Core Test"
    dot1x guest-vlan
    interface vlan 1000
    name Guest
    interface vlan 1010
    name Voice
    interface gigabitethernet1
    dot1x host-mode multi-sessions
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    switchport access vlan 600
    interface gigabitethernet2
    dot1x host-mode multi-sessions
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    switchport access vlan 600
    interface gigabitethernet3
    dot1x host-mode multi-sessions
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    switchport access vlan 600
    interface gigabitethernet4
    dot1x host-mode multi-sessions
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    switchport access vlan 600
    interface gigabitethernet5
    dot1x host-mode multi-sessions
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    switchport access vlan 600
    interface gigabitethernet6
    dot1x host-mode multi-sessions
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    switchport access vlan 600
    interface gigabitethernet7
    dot1x host-mode multi-sessions
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    switchport access vlan 600
    interface gigabitethernet8
    dot1x host-mode multi-sessions
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    switchport access vlan 600
    interface gigabitethernet9
    dot1x host-mode single-host
    dot1x violation-mode protect trap 10
    dot1x guest-vlan enable
    dot1x radius-attributes vlan static
    dot1x port-control auto
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    interface gigabitethernet10
    dot1x host-mode multi-sessions
    dot1x guest-vlan enable
    dot1x radius-attributes vlan static
    dot1x port-control auto
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    interface gigabitethernet11
    dot1x host-mode multi-sessions
    dot1x guest-vlan enable
    dot1x radius-attributes vlan static
    dot1x port-control auto
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    interface gigabitethernet12
    dot1x host-mode multi-sessions
    dot1x guest-vlan enable
    dot1x radius-attributes vlan static
    dot1x port-control auto
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    interface gigabitethernet13
    dot1x host-mode multi-sessions
    dot1x guest-vlan enable
    dot1x radius-attributes vlan static
    dot1x port-control auto
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    interface gigabitethernet14
    dot1x host-mode multi-sessions
    dot1x guest-vlan enable
    dot1x radius-attributes vlan static
    dot1x port-control auto
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    interface gigabitethernet15
    dot1x host-mode multi-sessions
    dot1x guest-vlan enable
    dot1x radius-attributes vlan static
    dot1x port-control auto
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    interface gigabitethernet16
    dot1x host-mode multi-sessions
    dot1x guest-vlan enable
    dot1x radius-attributes vlan static
    dot1x port-control auto
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    interface gigabitethernet17
    dot1x host-mode multi-sessions
    no snmp trap link-status
    port monitor GigabitEthernet 20
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode general
    switchport general acceptable-frame-type untagged-only
    switchport forbidden default-vlan
    interface gigabitethernet18
    dot1x host-mode multi-sessions
    dot1x guest-vlan enable
    dot1x radius-attributes vlan static
    dot1x port-control auto
    spanning-tree disable
    spanning-tree bpduguard enable
    switchport mode access
    interface gigabitethernet19
    switchport trunk native vlan 600
    interface gigabitethernet20
    spanning-tree link-type point-to-point
    switchport trunk allowed vlan add 2-3,12,14,16,99,600,1000,1010
    macro description switch
    !next command is internal.
    macro auto smartport dynamic_type switch
    exit
    ip default-gateway 172.18.58.1

    Thank you for your response, Tom.  I have performed packet captures associated with this issue, and they show that the Called-Station-ID AVP is not sent with the RADIUS packets, from the SG300.  There is not an issue with capitalization, the value is simply not provided at all.  Here is an example of a tcpdump decode of such a packet.  Please note the missing attribute:
    15:48:01.843296 IP (tos 0x0, ttl 64, id 59875, offset 0, flags [none], proto UDP (17), length 142)
        172.18.58.61.49205 > 172.18.58.58.1812: [udp sum ok] RADIUS, length: 114
            Access Request (1), id: 0x00, Authenticator: 390000003f2000009e3f0000eb670000
              NAS IP Address Attribute (4), length: 6, Value: 172.18.58.61
                0x0000:  ac12 3a3d
              NAS Port Type Attribute (61), length: 6, Value: Ethernet
                0x0000:  0000 000f
              NAS Port Attribute (5), length: 6, Value: 57
                0x0000:  0000 0039
              Username Attribute (1), length: 12, Value: SSO\dalewl
                0x0000:  5353 4f5c 6461 6c65 776c
              Accounting Session ID Attribute (44), length: 10, Value: 050000DF
                0x0000:  3035 3030 3030 4446
              Calling Station Attribute (31), length: 19, Value: E0-DB-55-B3-1D-5C
                0x0000:  4530 2d44 422d 3535 2d42 332d 3144 2d35
                0x0010:  43
              EAP Message Attribute (79), length: 17, Value: ..
                0x0000:  0201 000f 0153 534f 5c64 616c 6577 6c
              Message Authentication Attribute (80), length: 18, Value: ......R..1...EU.
                0x0000:  bed3 b19e c70f 52e0 ec31 afcb d545 55ad
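Added here as a worked example (not code from the SG300 post, from Cisco or from FreeRADIUS): the Access-Request in the tcpdump decode above is rebuilt from its hex and then checked the way a RADIUS proxy would check it, for Called-/Calling-Station-Id present (RFC 2865 attributes 30 and 31), for the Identifier changing between distinct requests, and for a verifying Message-Authenticator (RFC 3579). The shared secret used in the signing round-trip is a constructed placeholder, since the post does not include one.

```python
# Added example: RADIUS Access-Request inspector for the two SG300 symptoms above
# (missing Called-Station-Id, Identifier stuck at 0x00) plus RFC 3579 checking.
import hashlib
import hmac
import struct

HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator
MSG_AUTH = 80                      # Message-Authenticator (RFC 3579)
STATION_IDS = {30: "Called-Station-Id", 31: "Calling-Station-Id"}

def parse_radius(pkt):
    """Split a packet into header fields and (type, value) attributes.
    Raises ValueError for what RFC 2865 says to silently discard: a short
    header, a Length beyond the datagram, or an attribute overrunning Length."""
    if len(pkt) < HEADER.size:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length, authenticator = HEADER.unpack_from(pkt)
    if length < HEADER.size or length > len(pkt):   # octets past Length are padding
        raise ValueError("Length %d inconsistent with datagram" % length)
    attrs, pos = [], HEADER.size
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute %d has bad length %d" % (atype, alen))
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "length": length,
            "authenticator": authenticator, "attrs": attrs}

def build_radius(code, ident, authenticator, attrs):
    """Inverse of parse_radius; an attribute value is at most 253 octets."""
    body = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute %d too long" % atype)
        body += struct.pack("!BB", atype, len(value) + 2) + value
    return HEADER.pack(code, ident, HEADER.size + len(body), authenticator) + body

def missing_station_ids(parsed):
    """Names of Called-/Calling-Station-Id that the NAS left out of the request."""
    present = {atype for atype, _ in parsed["attrs"]}
    return [name for atype, name in sorted(STATION_IDS.items()) if atype not in present]

def reused_identifiers(requests):
    """Identifiers shared by requests whose content differs.  A retransmission
    may repeat its Identifier; a new request (next EAP round) must not."""
    last_seen, reused = {}, set()
    for pkt in requests:
        ident = parse_radius(pkt)["id"]
        if ident in last_seen and last_seen[ident] != pkt:
            reused.add(ident)
        last_seen[ident] = pkt
    return sorted(reused)

def sign_message_authenticator(code, ident, authenticator, attrs, secret):
    """Build a packet whose Message-Authenticator is HMAC-MD5(secret, packet with
    the attribute value zeroed), as RFC 3579 section 3.2 specifies."""
    pkt = build_radius(code, ident, authenticator, attrs + [(MSG_AUTH, b"\0" * 16)])
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def verify_message_authenticator(pkt, secret):
    """True iff exactly one 16-octet Message-Authenticator is present and verifies."""
    parsed = parse_radius(pkt)
    found, pos = None, HEADER.size
    for atype, value in parsed["attrs"]:
        if atype == MSG_AUTH:
            if found is not None or len(value) != 16:
                return False
            found = (pos + 2, value)
        pos += 2 + len(value)
    if found is None:
        return False
    start, received = found
    zeroed = pkt[:start] + b"\0" * 16 + pkt[start + 16:parsed["length"]]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), received)

# Rebuilt from the hex in the SG300 tcpdump decode: Access-Request, id 0x00, 114 bytes.
SG300_REQUEST = build_radius(
    1, 0x00, bytes.fromhex("390000003f2000009e3f0000eb670000"),
    [(4, bytes.fromhex("ac123a3d")),                             # NAS-IP-Address 172.18.58.61
     (61, bytes.fromhex("0000000f")),                            # NAS-Port-Type Ethernet
     (5, bytes.fromhex("00000039")),                             # NAS-Port 57
     (1, bytes.fromhex("53534f5c64616c65776c")),                 # User-Name
     (44, bytes.fromhex("3035303030304446")),                    # Acct-Session-Id 050000DF
     (31, bytes.fromhex("45302d44422d35352d42332d31442d3543")),  # Calling-Station-Id
     (79, bytes.fromhex("0201000f0153534f5c64616c65776c")),      # EAP-Message (Identity)
     (80, bytes.fromhex("bed3b19ec70f52e0ec31afcbd54555ad"))])   # Message-Authenticator

if __name__ == "__main__":
    req = parse_radius(SG300_REQUEST)
    print("id=0x%02x missing=%s" % (req["id"], missing_station_ids(req)))
```

Running it reports `id=0x00 missing=['Called-Station-Id']`, the two symptoms the post describes; feed it each Access-Request of one EAP conversation to see `reused_identifiers` flag the Identifier that never increments.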

  • Called-Station-ID attribute and Cisco WLC code 7.4

    Hello
    I have 2 WLCs configured with 2 SSIDs (one is [WPA2][Auth(802.1X)] and the other is Web-Auth). One of the WLCs is remote and its WLANs are configured with mobility anchors pointing to the other WLC. Both WLCs are configured with Called-Station-ID set to AP Mac Address:SSID. I use this attribute on ACS to authenticate/authorize users based on what SSID they connect to.
    This worked fine on WLC code 7.0 but on upgrading to 7.4 I started having some issues:
    clients on the remote WLC can still authenticate on the [WPA2][Auth(802.1X)] SSID as the Called-Station-ID attribute is still AP Mac Address:SSID
    clients on the remote WLC cannot authenticate on the Web-Auth SSID as the Called-Station-ID attribute now appears to be the Mac Address of the WLC anchor controller
    WLC models are 5508 and current code is 7.4.110.0 (APs are AIR-LAP1142N-E-K9). Can anyone tell me why I'm seeing this behaviour on the Web-Auth SSID on the remote WLC?
    Thanks
    Andy

    Since you have two AAA devices that are sending info, you can have your policy for the guest specifying the guest WLC. The SSID policy for the foreign WLC is only really needed if you have multiple 802.1x authentications from the foreign WLC, and that's when you can use the regex to define the SSID per AD group.
    Look at a successful authentication from one of the guest users. Look at the detailed log, and in that log you will see all the attributes being sent that the RADIUS server can send back to the WLC. You can use any of those attributes in your policies.
    Called-Station-ID might not be sent like what you're used to, because the foreign WLC has the access point the guest user associates to and tunnels it back to the anchor WLC. So this attribute might not be available. Things do change with code versions, so you might just have to adjust your policies. I haven't played around with 7.0.x code with guest anchor and RADIUS in a while, but I have in the past upgraded RADIUS or the WLC and had to tweak my RADIUS policies.
    Sent from Cisco Technical Support iPhone App

  • Why Calling-Station-Id [31] attribute is "async"??

    AS5350, IOS tried 12.4(4T) and 12.4(3b).
    Cisco configured as dial-up server. When a subscriber connects to some SPE via a usual modem using RADIUS authentication, his callback number may not be determined. Then I see in the RADIUS debug that:
    RADIUS: Calling-Station-Id [31] 7 "async"
    When I used IOS 12.3(3a) in that case I saw a blank field instead of "async".
    When the callback number is determined I see, i.e.:
    RADIUS: Calling-Station-Id [31] 12 "3272779467"
    What does "async" mean? Why exactly this? How to cut this async off?

    Okay. Let it be so. But in IOS 12.3(3a) there was a blank field. No "async" words.
    Have you got any link to a document where it is said that "async" is a normal value of the 31st attribute of the RADIUS protocol?

  • Why Calling-Station-Id [31] attribute has an "async" value??

    It doesn't matter what RADIUS I am using. Records are sent by the Cisco to RADIUS. And after changing the IOS these records changed.
    If you think it's too important, my RADIUS is self-made by the RASTEL company. That company says that curve records are seen from the Cisco...

  • Cisco 3640, PPPoE, MAC in Calling-Station-Id

    Hi ALL!
    Almighty ALL, please tell me which IOS on a 3640 can send the MAC address in Calling-Station-Id when a user connects via PPPoE? I tried the command "radius-server attribute 31 mac format unformatted" with no luck :(
    Thanks!

    You can try using the code 12.3(9.9) on a 3640. You could use the radius-server attribute nas-port format command to configure the NAS-Port field for the PPP extended format. And the called-station-id should be the mac of the AP.

  • Radius / NMAS / BM / Ichain

    Hello,
    I have the following setup:
    1x single-tree server with NW 6.5 SP1a / BM3.8 SP2
    This is a simple authentication server which is placed in our DMZ. Some users are synchronized with DirXML from the productive main tree to the authentication tree.
    Primarily this box is used for client-to-site VPN with Vasco Digipass tokens. This setup is working.
    Now I wish to use the same box for iChain RADIUS authentication.
    I have set up a 2nd box in the DMZ for iChain 2.3. I have made the necessary schema extension on the authentication server and installed the snapins for iChain.
    I tested authentication with LDAP to the authentication server.... no problem.
    Now the problems:
    I set up an authentication profile on the iChain server for RADIUS.
    I configured the authentication server's LPO and RADIUS objects. All this is described in the iChain admin book, page 89 (chapter 7, Using RADIUS Authentication).
    When I check the RADIUS console I get the following message:
    [DATE TIME] Access Request Dropped
    IchainIP, cn, Unknown Radius client
    What I have already done: I found several TIDs where the problem is described. I changed rights on the LPO, installed nmas234.tar, changed userprops..... but until now nothing works.
    More system info:
    Radius.nlm V 4.14 / 6 March 2003
    nmas.nlm 2.68 / 17 June 2004
    nmasldap.nlm V 1.20 / 31 March 2004
    Here is the RADIUS debug log, during authentication:
    [2004-08-09 02:42:40 PM] Deleting file "sys:etc\radius\log\20040802.log", failed
    [2004-08-09 02:42:40 PM] Parameter count = 1
    [2004-08-09 02:42:40 PM] argv[0] = SYS:\SYSTEM\RADIUS.NLM
    [2004-08-09 02:42:40 PM] Tree Name = "<null>"
    [2004-08-09 02:42:40 PM] Login Name = "<null>"
    [2004-08-09 02:42:40 PM] Name = "<null>"
    [2004-08-09 02:42:40 PM] Workers = 0
    [2004-08-09 02:42:40 PM] Port = 0
    [2004-08-09 02:42:40 PM] Error encountered = 0
    [2004-08-09 02:42:40 PM] Checking if parameters are to be retrieved from Registry
    [2004-08-09 02:42:40 PM] Got Tree Name from registry, "<null>"
    [2004-08-09 02:42:40 PM] Got Login Name from registry, "<null>"
    [2004-08-09 02:42:40 PM] Got Service Name from registry, "<null>"
    [2004-08-09 02:42:40 PM] Got Number Threads from registry, 5
    [2004-08-09 02:42:40 PM] Got Service Port from registry, 1645
    [2004-08-09 02:42:40 PM] Got Accounting Port from registry, 1646
    [2004-08-09 02:42:40 PM] Got Accounting Path from registry, "sys:\etc\radius\acct"
    [2004-08-09 02:42:40 PM] Got Accounting File Format from registry, "comma"
    [2004-08-09 02:42:40 PM] Got RollOver from registry, "daily"
    [2004-08-09 02:42:40 PM] Services supported, [2004-08-09 02:42:40 PM] "authentication" [2004-08-09 02:42:40 PM] "accounting" [2004-08-09 02:42:40 PM]
    [2004-08-09 02:42:40 PM] Got Accounting Attribute File from registry, sys:\etc\radius\radacct.atr
    [2004-08-09 02:42:40 PM] Got Authentication Path from registry, sys:etc\radius
    [2004-08-09 02:43:03 PM] Debug logging enabled to file sys:etc\radius\debug\raddbg.log
    [2004-08-09 02:43:17 PM] 1) [(ip) 62.200.168.121:1812], Received 43 Bytes (Access-Request (1))
    [2004-08-09 02:43:17 PM] [(total=1) (p=0) (d=0) (r=0) (acc=0) (rej=0)]
    [2004-08-09 02:43:17 PM] <2> Done GetNextMessage [(ip) 62.200.168.121:1812]: time:208207
    [2004-08-09 02:43:17 PM] -------- START : (Access-Request (1)) [(ip) 62.200.168.121:1812]: time:-35971301---
    [2004-08-09 02:43:17 PM] CACHE: CacheDomainListExist(ichaindas.ichain.netstal), using cache
    [2004-08-09 02:43:17 PM] AuthRequestHandler(), Calling RequestHandler.
    [2004-08-09 02:43:17 PM] CACHE: CacheReadSecretForNASAddress(ichaindas.ichain.netstal), using cache
    [2004-08-09 02:43:17 PM] HandleLocalRequest(), CacheReadSecretForNASAddress failed, no such RADIUS client (-822), Packet Dropped
    [2004-08-09 02:43:17 PM] -------- END : (Access-Request (1)) [(ip) 62.200.168.121:1812]: time:-35971299---
    [2004-08-09 02:43:23 PM] 2) [(ip) 62.200.168.121:1812], Received 43 Bytes (Access-Request (1))
    [2004-08-09 02:43:23 PM] [(total=2) (p=1) (d=0) (r=0) (acc=0) (rej=0)]
    [2004-08-09 02:43:23 PM] <3> Done GetNextMessage [(ip) 62.200.168.121:1812]: time:266774
    [2004-08-09 02:43:23 PM] -------- START : (Access-Request (1)) [(ip) 62.200.168.121:1812]: time:-35912704---
    [2004-08-09 02:43:23 PM] CACHE: CacheDomainListExist(ichaindas.ichain.netstal), using cache
    [2004-08-09 02:43:23 PM] AuthRequestHandler(), Calling RequestHandler.
    [2004-08-09 02:43:23 PM] CACHE: CacheReadSecretForNASAddress(ichaindas.ichain.netstal), using cache
    [2004-08-09 02:43:23 PM] HandleLocalRequest(), CacheReadSecretForNASAddress failed, no such RADIUS client (-822), Packet Dropped
    [2004-08-09 02:43:23 PM] -------- END : (Access-Request (1)) [(ip) 62.200.168.121:1812]: time:-35912701---
    [2004-08-09 02:48:42 PM] (->)Cacher: NWDSReadObjectInfo(ichaindas.ichain.netstal), succeeded, time:2
    Thanks
    Stefan

    It's working now.
    The problem was the LPO. In the Login Sequences tab I had modified the standard Digipass entry and added an
    NDS entry. This was necessary for BM3.8 VPN logins in our environment.
    So I created a new one, with only Digipass inside, and associated this login sequence with the RADIUS DAS.
    Have a nice time
    Stefan
    >>> Scott Kiester<[email protected]> 11.08.04 22:21 >>>
    You can't execute two login sequences with RADIUS, because there is no way
    for RADIUS to prompt for a second set of credentials over the PAP or CHAP
    protocols. The ConsoleOne snapin should not be allowing you to mark more
    than one sequence as mandatory, as this configuration is invalid.
    The recommended way of supporting multiple methods through RADIUS is by
    creating a single NMAS "OR" login sequence, rather than using multiple
    rules. You could create a sequence that specified "NDS" OR "Digipass." In
    this case RADIUS would first execute the NDS method, and only execute the
    Digipass method if NDS fails.
    I realize that you want to require NDS AND Digipass, not NDS OR Digipass. A
    login sequence that specifies NDS AND Digipass would always fail, because
    the password supplied by the user would never be valid for both methods.
    Unfortunately, there is not a way to require both NDS and Digipass through
    RADIUS.
    >>> Stefan Winterberg<[email protected]> 08/11/04 2:43 AM >>>
    Hello Scott,
    thank you very much. It seems that your eyes are better than ours.
    The unknown client is now gone, but we still have some problems.
    I have the new raddbg and nmasmon log files below.
    We have set the sequences in the LPO for this DAS object to:
    NDS Mandatory
    Digipass Mandatory
    On the user object the DefaultLoginClearance is set to password&token.
    When we attempt to log in we can see that the Vasco Digipass successful login
    counter is incremented by 1.
    --Raddbg.log------------------------------
    [2004-08-11 10:38:36 AM] Debug logging enabled to file sys:etc\radius\debug\raddbg.log
    [2004-08-11 10:38:42 AM] Cacher: Console initiated rebuild of cache
    [2004-08-11 10:38:42 AM] (->)Cacher: NWDSReadObjectInfo(ichaindas.ichain.netstal), succeeded, time:3
    [2004-08-11 10:38:42 AM] Cacher: Rebuilding cache, mod time different,
    [2004-08-11 10:38:42 AM] (->)NDSReadData:NWDSRead(ichaindas.ichain.netstal,RADIUS:DAS Version) succeeded, time:2
    [2004-08-11 10:38:42 AM] (->)NDSReadData:NWDSRead(ichaindas.ichain.netstal,RADIUS:Password Policy) failed, no such attribute (-603), time:2
    [2004-08-11 10:38:42 AM] (->)NDSReadData:NWDSRead(ichaindas.ichain.netstal,RADIUS:Common Name Resolution) succeeded, time:2
    [2004-08-11 10:38:42 AM] (->)NDSReadData:NWDSRead(ichaindas.ichain.netstal,RADIUS:Concurrent Limit) failed, no such attribute (-603), time:1
    [2004-08-11 10:38:42 AM] (->)NDSReadData:NWDSRead(ichaindas.ichain.netstal,RADIUS:Interim Accting Timeout) failed, no such attribute (-603), time:2
    [2004-08-11 10:38:42 AM] (->)NDSReadData:NWDSRead(ichaindas.ichain.netstal,RADIUS:Aged Interval) failed, no such attribute (-603), time:2
    [2004-08-11 10:38:42 AM] (->)NDSReadData:NWDSRead(ichaindas.ichain.netstal,RADIUS:Maximum History Record) failed, no such attribute (-603), time:1
    [2004-08-11 10:38:42 AM] CACHE: Use Netware Password for "ichaindas.ichain.netstal": Enabled
    [2004-08-11 10:38:42 AM] CACHE: CN Login for "ichaindas.ichain.netstal": Enabled
    [2004-08-11 10:38:42 AM] CACHE: Concurrent Limit for "ichaindas.ichain.netstal": 0x80000000
    [2004-08-11 10:38:42 AM] CACHE: Interim Timeout for "ichaindas.ichain.netstal": 10 minutes
    [2004-08-11 10:38:42 AM] CACHE: Interval For Aging for "ichaindas.ichain.netstal": 7 days
    [2004-08-11 10:38:42 AM] CACHE: Max History Record for "ichaindas.ichain.netstal": 30
    [2004-08-11 10:38:42 AM] Context Lookup List set to:
    [2004-08-11 10:38:42 AM] 1) USERS.NETSTAL
    [2004-08-11 10:38:42 AM] Number of contexts = 1
    [2004-08-11 10:38:42 AM] tag extracted: 62.200.168.121, size: 15, tagLength: 30
    [2004-08-11 10:38:42 AM] Cache: Successfully set up client table
    [2004-08-11 10:38:42 AM] (->)NDSSetUpContextList(ichaindas.ichain.netstal), ProxyContext is empty
    [2004-08-11 10:38:42 AM] Cache: Successfully set up context list
    [2004-08-11 10:38:42 AM] (->)NDSSetUpDomainList(ichaindas.ichain.netstal), Domain list is empty.
    [2004-08-11 10:38:42 AM] Cache: Successfully set up domain list
    [2004-08-11 10:38:42 AM] Cache: Successfully set up search domain list
    [2004-08-11 10:38:42 AM] Cache: Successfully build context list
    [2004-08-11 10:38:42 AM] CACHE: Cache reloaded at [2004-08-11 10:38:42 AM], current reload count is 5
    [2004-08-11 10:38:42 AM] Cacher: RefreshCache(), succeeded
    [2004-08-11 10:38:42 AM] CACHE: Cache loaded at [2004-08-11 10:38:11 AM] has been discarded , current reload count is 5
    [2004-08-11 10:38:57 AM] 7) [(ip) 62.200.168.121:1812], Received 43 Bytes (Access-Request (1))
    [2004-08-11 10:38:57 AM] [(total=7) (p=6) (d=0) (r=0) (acc=0) (rej=0)]
    [2004-08-11 10:38:57 AM] <3> Done GetNextMessage [(ip) 62.200.168.121:1812]: time:7776133
    [2004-08-11 10:38:57 AM] -------- START : (Access-Request (1)) [(ip) 62.200.168.121:1812]: time:1545446252---
    [2004-08-11 10:38:57 AM] CACHE: CacheDomainListExist(ichaindas.ichain.netstal), using cache
    [2004-08-11 10:38:57 AM] AuthRequestHandler(), Calling RequestHandler.
    [2004-08-11 10:38:57 AM] CACHE: CacheReadSecretForNASAddress(ichaindas.ichain.netstal), using cache
    [2004-08-11 10:38:57 AM] CACHE: CacheGetEnableCNLogin(ichaindas.ichain.netstal), using cache
    [2004-08-11 10:38:57 AM] CacheGetDNForName(wst), Using cache
    [2004-08-11 10:38:57 AM] (->)CacheGetDNForName:NWDSReadObjectInfo(wst), succeeded, time:9
    [2004-08-11 10:38:57 AM] userName: wst
    [2004-08-11 10:38:57 AM] userDN: WST.USERS.NETSTAL
    [2004-08-11 10:38:57 AM] (->)NDSVerifyAttr:NWDSRead(WST.USERS.NETSTAL,RADIUS:Dial Access Group) succeeded, time:3
    [2004-08-11 10:38:57 AM] (->)NWDSCompare:(WST.USERS.NETSTAL) succeeded, time:2
    [2004-08-11 10:38:57 AM] (->)NWDSRead(WST.USERS.NETSTAL,RADIUS Enable Attr) failed, no such attribute (-603), time:2
    [2004-08-11 10:38:57 AM] (->)User "WST.USERS.NETSTAL", Looking in (USERS.NETSTAL) for (RADIUS:Enable Dial Access)
    [2004-08-11 10:38:57 AM] (->)NWDSRead(USERS.NETSTAL,RADIUS Enable Attr) succeeded, time:2
    [2004-08-11 10:38:57 AM] User Name: wst, User DN: WST.USERS.NETSTAL, Domain: , Service Tag:
    [2004-08-11 10:38:57 AM] (->)NADMAuthRequest()
    [2004-08-11 10:38:57 AM] (->)NADMAuthRequest(WST.USERS.NETSTAL) failed, -1642 (0xfffff996), time:1776
    [2004-08-11 10:38:57 AM] (->)Authenticate (0 policy, NDS pswd) (for WST.USERS.NETSTAL), failed, -1642 (0xfffff996)
    [2004-08-11 10:38:57 AM] (->)Authentication FAILED
    [2004-08-11 10:38:57 AM] ->Sending Access-Reject (3) [(ip) 62.200.168.121(1812)] count=20
    [2004-08-11 10:38:57 AM] ->Inserting into RespQ , code(3) id(6).
    [2004-08-11 10:38:57 AM] -------- END : (Access-Request (1)) [(ip) 62.200.168.121:1812]: time:1545448063---
    ----nmasmon.log-------------------------------------------------------------
    NMAS Enterprise Edition
    0: Screen and file output started at Wed Aug 11 10:37:47 2004
    GetLoginConfig: 0
    NMAS_GetLoginConfig: 0
    GetLoginConfig: 0
    NMAS_GetLoginConfig: 0
    GetLoginConfig: 0
    NMAS_GetLoginConfig: 0
    4: Destroy NMAS Session for reuse
    4: Create NMAS Session
    4: RemoteCheckIfLocalUser checking WST.USERS.NETSTAL.
    4: RemoteCheckIfLocalUser is a local user.
    4: Server thread started
    4: NMAS_CanDo StartClientSession 0
    4: >>ClientPut: message size=8 queue Size 0
    4: >>ClientPut: message size=35 queue Size 8
    4: NMAS_CanDo sendMessage 0
    4: <<ClientGet: message size=8 queue Size 0
    4: >>ServerGet: message size=8 queue size 0
    4: >>ServerGet: message size=35 queue size 35
    4: CanDo
    4: Sequence Selected == "Digipass"
    4: Login Method 0x00000050
    4: MAF_Begin LSM 0x00000050
    4: <<ServerPut: message size=8 queue size 0
    4: <<ServerPut: message size=5 queue size 8
    4: MAF_GetAttribute LSM 0x00000050 AID: 1 Value: WST.USERS.NETSTAL
    4: <<ClientGet: message size=5 queue Size 0
    4: NMAS_CanDo sendMessage 0
    4: NMAS_CanDo disassembleDoPacket 0
    4: MAF_Begin LCM 0x00000050
    4: MAF_XRead LCM 0x00000050
    4: <<ClientGet: message size=8 queue Size 0
    4: MAF_GetAttribute LSM 0x00000050 AID: 22 Tag: digipass
    4: MAF_XWrite LSM 0x00000050
    4: <<ServerPut: message size=8 queue size 0
    4: <<ServerPut: message size=60 queue size 8
    4: MAF_XRead LSM 0x00000050
    4: >>ServerGet: message size=8 queue size 0
    4: <<ClientGet: message size=60 queue Size 0
    4: MAF_GetAttribute LCM 0x00000050 AID: 6
    4: MAF_XWrite LCM 0x00000050
    4: >>ClientPut: message size=8 queue Size 0
    4: >>ClientPut: message size=29 queue Size 8
    4: MAF_XRead LCM 0x00000050
    4: <<ClientGet: message size=8 queue Size 0
    4: >>ServerGet: message size=29 queue size 0
    4: MAF_PutAttribute LSM 0x00000050 AID: 22 Tag: digipass
    4: MAF_XWrite LSM 0x00000050
    4: <<ServerPut: message size=8 queue size 0
    4: <<ServerPut: message size=16 queue size 8
    4: MAF_End LSM 0x00000050 successful
    4: >>ServerGet: message size=8 queue size 0
    4: <<ClientGet: message size=16 queue Size 0
    4: MAF_End LCM 0x00000007
    4: >>ClientPut: message size=8 queue Size 0
    4: <<ClientGet: message size=8 queue Size 0
    4: WhatNext
    4: Login Method 0x00000007
    4: MAF_GetAttribute LSM 0x00000007 AID: 2
    4: MAF_GetAttribute LSM 0x00000007 AID: 1 Value: WST.USERS.NETSTAL
    4: MAF_Begin LSM 0x00000007
    4: <<ServerPut: message size=8 queue size 0
    4: <<ServerPut: message size=5 queue size 8
    4: MAF_AllowPasswordSet LSM 0x00000007
    4: MAF_GetPassword LSM 0x00000007
    4: MAF_Write LSM 0x00000007
    4: <<ServerPut: message size=8 queue size 5
    4: <<ServerPut: message size=40 queue size 13
    4: MAF_GetNDSPasswordHash LSM 0x00000007
    4: MAF_XWrite LSM 0x00000007
    4: <<ServerPut: message size=8 queue size 53
    4: <<ServerPut: message size=36 queue size 61
    4: MAF_XRead LSM 0x00000007
    4: >>ServerGet: message size=8 queue size 0
    4: <<ClientGet: message size=5 queue Size 0
    4: MAF_Begin LCM 0x00000007
    4: MAF_GetAttribute LCM 0x00000007 AID: 6
    4: MAF_GetAttribute LCM 0x00000007 AID: 1 Value: WST.USERS.NETSTAL
    4: MAF_Read LCM 0x00000007
    4: <<ClientGet: message size=8 queue Size 92
    4: <<ClientGet: message size=40 queue Size 84
    4: MAF_XRead LCM 0x00000007
    4: <<ClientGet: message size=8 queue Size 44
    4: <<ClientGet: message size=36 queue Size 36
    4: MAF_XWrite LCM 0x00000007
    4: >>ClientPut: message size=8 queue Size 0
    4: >>ClientPut: message size=56 queue Size 8
    4: MAF_XRead LCM 0x00000007
    4: <<ClientGet: message size=8 queue Size 0
    4: >>ServerGet: message size=56 queue size 0
    4: MAF_GetNDSPasswordHash LSM 0x00000007
    4: MAF_XWrite LSM 0x00000007
    4: <<ServerPut: message size=8 queue size 0
    4: <<ServerPut: message size=32 queue size 8
    4: MAF_End LSM 0x00000007 failed
    4: ERROR: -1642 Login Method
    4: ERROR: -1642 WhatNext
    4: ERROR: -1642 NMAS Manager
    4: <<ServerPut: message size=8 queue size 32
    4: <<ServerPut: message size=4 queue size 40
    4: >>ServerGet: message size=8 queue size 0
    4: <<ClientGet: message size=32 queue Size 0
    4: MAF_Write LCM 0x00000007
    4: >>ClientPut: message size=8 queue Size 0
    4: >>ClientPut: message size=12 queue Size 8
    4: MAF_End LCM 0x00000007
    4: >>ClientPut: message size=8 queue Size 12
    4: <<ClientGet: message size=8 queue Size 12
    4: <<ClientGet: message size=4 queue Size 4
    4: >>ClientPut: message size=8 queue Size 20
    4: <<ClientGet: message size=8 queue Size 0
    4: >>ServerGet: message size=12 queue size 0
    4: >>ServerGet: message size=8 queue size 16
    4: >>ServerGet: message size=8 queue size 8
    4: <<ServerPut: message size=8 queue size 0
    4: Server thread exited
    4: Client Session Destroy Request
    4: Local Session Cleared (Not Destroyed)
    Thanks
    >>> Scott Kiester<[email protected]> 10.08.04 19:14 >>>
    It looks like you transposed the middle two octets in the client IP
    address.
    Here's what RADIUS.NLM is reading out of the client table:
    [2004-08-10 04:44:21 PM] tag extracted: 62.168.200.121, size: 15, tagLength: 30
    And here's the access-request:
    [2004-08-10 04:45:32 PM] -------- START : (Access-Request (1)) [(ip)
    62.200.168.121:1812]: time:901386806---
    >>> Stefan Winterberg<[email protected]> 08/10/04 8:52 AM >>>
    Hello Scott,
    there is no problem with the tree key. ConsoleOne can add , remove and
    modify these properties.
    here the actual raddbg.log:
    [2004-08-10 04:44:21 PM] Cacher: Console initiated rebuild of cache
    [2004-08-10 04:44:21 PM] (->)Cacher:
    NWDSReadObjectInfo(ichaindas.ichain.netstal), succeeded, time:2
    [2004-08-10 04:44:21 PM] Cacher: Rebuilding cache, mod time different,
    [2004-08-10 04:44:21 PM]
    (->)NDSReadData:NWDSRead(ichaindas.ichain.netstal,RADIUS:DAS Version)
    succeeded, time:3
    [2004-08-10 04:44:21 PM]
    (->)NDSReadData:NWDSRead(ichaindas.ichain.netstal,RADIUS:Password Policy)
    failed, no such attribute (-603), time:2
    [2004-08-10 04:44:21 PM]
    (->)NDSReadData:NWDSRead(ichaindas.ichain.netstal,RADIUS:Common Name
    Resolution) succeeded, time:2
    [2004-08-10 04:44:21 PM]
    (->)NDSReadData:NWDSRead(ichaindas.ichain.netstal,RADIUS:Concurrent Limit)
    failed, no such attribute (-603), time:1
    [2004-08-10 04:44:21 PM]
    (->)NDSReadData:NWDSRead(ichaindas.ichain.netstal,RADIUS:Interim Accting
    Timeout) failed, no such attribute (-603), time:2
    [2004-08-10 04:44:21 PM]
    (->)NDSReadData:NWDSRead(ichaindas.ichain.netstal,RADIUS:Aged Interval)
    failed, no such attribute (-603), time:2
    [2004-08-10 04:44:21 PM]
    (->)NDSReadData:NWDSRead(ichaindas.ichain.netstal,RADIUS:Maximum History
    Record) failed, no such attribute (-603), time:2
    [2004-08-10 04:44:21 PM] CACHE: Use Netware Password for
    "ichaindas.ichain.netstal": Enabled
    [2004-08-10 04:44:21 PM] CACHE: CN Login for "ichaindas.ichain.netstal":
    Enabled
    [2004-08-10 04:44:21 PM] CACHE: Concurrent Limit for
    "ichaindas.ichain.netstal": 0x80000000
    [2004-08-10 04:44:21 PM] CACHE: Interim Timeout for
    "ichaindas.ichain.netstal": 10 minutes
    [2004-08-10 04:44:21 PM] CACHE: Interval For Aging for
    "ichaindas.ichain.netstal": 7 days
    [2004-08-10 04:44:21 PM] CACHE: Max History Record for
    "ichaindas.ichain.netstal": 30
    [2004-08-10 04:44:21 PM]
    Context Lookup List set to:
    [2004-08-10 04:44:21 PM] 1) USERS.NETSTAL
    [2004-08-10 04:44:21 PM] Number of contexts = 1
    [2004-08-10 04:44:21 PM] tag extracted: 62.168.200.121, size: 15, tagLength: 30
    [2004-08-10 04:44:21 PM] Cache: Successfully set up client table
    [2004-08-10 04:44:21 PM]
    (->)NDSSetUpContextList(ichaindas.ichain.netstal), ProxyContext is empty
    [2004-08-10 04:44:21 PM] Cache: Successfully set up context list
    [2004-08-10 04:44:21 PM]
    (->)NDSSetUpDomainList(ichaindas.ichain.netstal),
    Domain list is empty.
    [2004-08-10 04:44:21 PM] Cache: Successfully set up domain list
    [2004-08-10 04:44:21 PM] Cache: Successfully set up search domain list
    [2004-08-10 04:44:21 PM] Cache: Successfully build context list
    [2004-08-10 04:44:21 PM] CACHE: Cache reloaded at [2004-08-10 04:44:21
    PM], current reload count is 5
    [2004-08-10 04:44:21 PM] Cacher: RefreshCache(), succeeded
    [2004-08-10 04:44:21 PM] CACHE: Cache loaded at [2004-08-10 04:43:05 PM]
    has been discarded , current reload count is 5
    [2004-08-10 04:45:21 PM] (->)Cacher:
    NWDSReadObjectInfo(ichaindas.ichain.netstal), succeeded, time:1
    [2004-08-10 04:45:32 PM] 15) [(ip) 62.200.168.121:1812], Received 43 Bytes
    (Access-Request (1))
    [2004-08-10 04:45:32 PM] [(total=15) (p=14) (d=0) (r=0) (acc=0)
    (rej=0)]
    [2004-08-10 04:45:32 PM] <6> Done GetNextMessage [(ip)
    62.200.168.121:1812]:
    time:124205589
    [2004-08-10 04:45:32 PM] -------- START : (Access-Request (1)) [(ip)
    62.200.168.121:1812]: time:901386806---
    [2004-08-10 04:45:32 PM] CACHE:
    CacheDomainListExist(ichaindas.ichain.netstal), using cache
    [2004-08-10 04:45:32 PM] AuthRequestHandler(), Calling RequestHandler.
    [2004-08-10 04:45:32 PM] CACHE:
    CacheReadSecretForNASAddress(ichaindas.ichain.netstal), using cache
    [2004-08-10 04:45:32 PM] HandleLocalRequest(),
    CacheReadSecretForNASAddress
    failed, no such RADIUS client (-822), Packet Dropped
    [2004-08-10 04:45:32 PM] -------- END : (Access-Request (1)) [(ip)
    62.200.168.121:1812]: time:901386809---
    [2004-08-10 04:45:38 PM] 16) [(ip) 62.200.168.121:1812], Received 43 Bytes
    (Access-Request (1))
    [2004-08-10 04:45:38 PM] [(total=16) (p=15) (d=0) (r=0) (acc=0)
    (rej=0)]
    [2004-08-10 04:45:38 PM] <2> Done GetNextMessage [(ip)
    62.200.168.121:1812]:
    time:124022378
    [2004-08-10 04:45:38 PM] -------- START : (Access-Request (1)) [(ip)
    62.200.168.121:1812]: time:901444855---
    [2004-08-10 04:45:38 PM] CACHE:
    CacheDomainListExist(ichaindas.ichain.netstal), using cache
    [2004-08-10 04:45:38 PM] AuthRequestHandler(), Calling RequestHandler.
    [2004-08-10 04:45:38 PM] CACHE:
    CacheReadSecretForNASAddress(ichaindas.ichain.netstal), using cache
    [2004-08-10 04:45:38 PM] HandleLocalRequest(),
    CacheReadSecretForNASAddress
    failed, no such RADIUS client (-822), Packet Dropped
    [2004-08-10 04:45:38 PM] -------- END : (Access-Request (1)) [(ip)
    62.200.168.121:1812]: time:901444857---
    Thanks
    Stefan
    >>> Scott Kiester<[email protected]> 10.08.04 01:07 >>>
    You might have a problem with the tree key in your environment. First of
    all, make sure that ConsoleOne is storing the client data. After you add a
    new entry to the client table on your DAS, close the DAS properties dialog
    and re-open it. If the new client is not there when you re-open the dialog,
    then ConsoleOne may have been unable to save the data due to a problem with
    the tree key. You can confirm this by executing ConsoleOne with the
    following command line: "consoleone -debug -windowout". This will make
    ConsoleOne display a debug window in the top-left portion of your screen. If
    there is a problem saving the client data, then ConsoleOne will display an
    exception and an error code in this window. If the error is in the -14xx
    range (-1460 and -1418 are most common) then you most likely have a problem
    with your tree key.
    If ConsoleOne is saving the data correctly, then you'll need to see what is
    happening when RADIUS.NLM reads this data. To do this, issue a "radius
    refreshcache" command at the server console after you enable debug logging.
    Please post this file here and I'll take a look at it.
    Tree key problems can be corrected with SDIDIAG, which IIRC is available as
    a free download from the support site.
    >>> Stefan Winterberg<[email protected]> 08/09/04 8:16 AM >>>
    Hello,
    I have the following setup:
    1x single-tree server with NW 6.5 SP1a / BM3.8 SP2
    This is a simple authentication server which is placed in our DMZ. Some
    users are synchronized with DirXML from the productive main tree to the
    authentication tree.
    Primarily this box is used for client2site VPN with Vasco Digipass tokens.
    This setup is working.
    Now I wish to use the same box for iChain RADIUS authentication.
    I have set up a 2nd box in the DMZ for iChain 2.3. I have made the necessary
    schema extension on the authentication server and installed the snapins for
    iChain.
    I tested authentication with LDAP to the authentication server.... no
    problem.
    Now the problems:
    I set up an authentication profile on the iChain server for RADIUS.
    I configured the authentication server's LPO and RADIUS objects. All this is
    described in the iChain admin book page 89 (chapter 7, using RADIUS
    authentication).
    When I check the RADIUS console I get the following message:
    [DATE TIME] Access Request Dropped
    IchainIP, cn, Unknown Radius client
    What I did again: I found several TIDs where the problem is described. I
    changed rights to the LPO, installed the nmas234.tar, changed
    userprops.....but till now nothing works.
    More sysinfo:
    Radius.nlm V 4.14 / 6.March 2003
    nmas.nlm 2.68 / 17.June 2004
    nmasldap.nlm V 1.20 / 31.March 2004
    Here the RadiusDebugLog, during authentication:
    [2004-08-09 02:42:40 PM] Deleting file "sys:etc\radius\log\20040802.log",
    failed
    [2004-08-09 02:42:40 PM] Parameter count = 1
    [2004-08-09 02:42:40 PM] argv[0] = SYS:\SYSTEM\RADIUS.NLM
    [2004-08-09 02:42:40 PM] Tree Name = "<null>"
    [2004-08-09 02:42:40 PM] Login Name = "<null>"
    [2004-08-09 02:42:40 PM] Name = "<null>"
    [2004-08-09 02:42:40 PM] Workers = 0
    [2004-08-09 02:42:40 PM] Port = 0
    [2004-08-09 02:42:40 PM] Error encountered = 0
    [2004-08-09 02:42:40 PM] Checking if parameters are to be retrieved from
    Registry
    [2004-08-09 02:42:40 PM] Got Tree Name from registry, "<null>"
    [2004-08-09 02:42:40 PM] Got Login Name from registry, "<null>"
    [2004-08-09 02:42:40 PM] Got Service Name from registry, "<null>"
    [2004-08-09 02:42:40 PM] Got Number Threads from registry, 5
    [2004-08-09 02:42:40 PM] Got Service Port from registry, 1645
    [2004-08-09 02:42:40 PM] Got Accounting Port from registry, 1646
    [2004-08-09 02:42:40 PM] Got Accounting Path from registry,
    "sys:\etc\radius\acct"
    [2004-08-09 02:42:40 PM] Got Accounting File Format from registry,
    "comma"
    [2004-08-09 02:42:40 PM] Got RollOver from registry, "daily"
    [2004-08-09 02:42:40 PM] Services supported, [2004-08-09 02:42:40 PM]
    "authentication" [2004-08-09 02:42:40 PM] "accounting" [2004-08-09
    02:42:40
    PM]
    [2004-08-09 02:42:40 PM] Got Accounting Attribute File from registry,
    sys:\etc\radius\radacct.atr
    [2004-08-09 02:42:40 PM] Got Authentication Path from registry,
    sys:etc\radius
    [2004-08-09 02:43:03 PM] Debug logging enabled to file
    sys:etc\radius\debug\raddbg.log
    [2004-08-09 02:43:17 PM] 1) [(ip) 62.200.168.121:1812], Received 43 Bytes
    (Access-Request (1))
    [2004-08-09 02:43:17 PM] [(total=1) (p=0) (d=0) (r=0) (acc=0) (rej=0)]
    [2004-08-09 02:43:17 PM] <2> Done GetNextMessage [(ip)
    62.200.168.121:1812]:
    time:208207
    [2004-08-09 02:43:17 PM] -------- START : (Access-Request (1)) [(ip)
    62.200.168.121:1812]: time:-35971301---
    [2004-08-09 02:43:17 PM] CACHE:
    CacheDomainListExist(ichaindas.ichain.netstal), using cache
    [2004-08-09 02:43:17 PM] AuthRequestHandler(), Calling RequestHandler.
    [2004-08-09 02:43:17 PM] CACHE:
    CacheReadSecretForNASAddress(ichaindas.ichain.netstal), using cache
    [2004-08-09 02:43:17 PM] HandleLocalRequest(),
    CacheReadSecretForNASAddress
    failed, no such RADIUS client (-822), Packet Dropped
    [2004-08-09 02:43:17 PM] -------- END : (Access-Request (1)) [(ip)
    62.200.168.121:1812]: time:-35971299---
    [2004-08-09 02:43:23 PM] 2) [(ip) 62.200.168.121:1812], Received 43 Bytes
    (Access-Request (1))
    [2004-08-09 02:43:23 PM] [(total=2) (p=1) (d=0) (r=0) (acc=0) (rej=0)]
    [2004-08-09 02:43:23 PM] <3> Done GetNextMessage [(ip)
    62.200.168.121:1812]:
    time:266774
    [2004-08-09 02:43:23 PM] -------- START : (Access-Request (1)) [(ip)
    62.200.168.121:1812]: time:-35912704---
    [2004-08-09 02:43:23 PM] CACHE:
    CacheDomainListExist(ichaindas.ichain.netstal), using cache
    [2004-08-09 02:43:23 PM] AuthRequestHandler(), Calling RequestHandler.
    [2004-08-09 02:43:23 PM] CACHE:
    CacheReadSecretForNASAddress(ichaindas.ichain.netstal), using cache
    [2004-08-09 02:43:23 PM] HandleLocalRequest(),
    CacheReadSecretForNASAddress
    failed, no such RADIUS client (-822), Packet Dropped
    [2004-08-09 02:43:23 PM] -------- END : (Access-Request (1)) [(ip)
    62.200.168.121:1812]: time:-35912701---
    [2004-08-09 02:48:42 PM] (->)Cacher:
    NWDSReadObjectInfo(ichaindas.ichain.netstal), succeeded, time:2
    Thanks
    Stefan
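    The failure in this thread happens before any attribute is looked at: a RADIUS server resolves the packet's source address against its client table to find the shared secret, and RFC 2865 tells it to silently discard packets from unknown sources, which is exactly the "no such RADIUS client (-822), Packet Dropped" line above. The following is an added example in Python (not RADIUS.NLM's code) that models that first step over a constructed client table containing the transposed 62.168.200.121 entry, adds the check a practitioner wants in that log line (does any configured client have the same octets in a different order?), and shows why the secret lookup matters by verifying the Accounting-Request authenticator. The client table, secrets and packets are constructed for the example.

```python
import hashlib
import hmac
import os
import struct
from ipaddress import ip_address

ACCESS_REQUEST = 1
ACCOUNTING_REQUEST = 4

# Constructed client table (NAS address -> shared secret).  The first entry
# reproduces the mistake in the thread: 62.168.200.121 was entered in the DAS
# client table while the iChain box actually sends from 62.200.168.121.
CLIENT_TABLE = {
    "62.168.200.121": b"ichain-secret",
    "10.0.0.5": b"vpn-secret",
}


def avp(attr_type, value):
    """Encode one RADIUS attribute as type, length, value (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_packet(code, ident, authenticator, attrs):
    """RADIUS packet: code, identifier, length, 16-octet authenticator, attributes."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 octets")
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def accounting_authenticator(code, ident, attrs, secret):
    """Request Authenticator of an Accounting-Request (RFC 2866): MD5 over the
    header with the authenticator field zeroed, the attributes, and the secret."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()


def lookup_client(src_ip, table=CLIENT_TABLE):
    """Shared secret for the NAS that sent the packet, or None if it is unknown."""
    return table.get(str(ip_address(src_ip)))


def suggest_transposition(src_ip, table=CLIENT_TABLE):
    """Configured client addresses whose octets are a reordering of src_ip's,
    the usual signature of a fat-fingered client-table entry."""
    wanted = sorted(src_ip.split("."))
    return sorted(ip for ip in table if ip != src_ip and sorted(ip.split(".")) == wanted)


def handle_request(src_ip, packet, table=CLIENT_TABLE):
    """What a RADIUS server does before it looks at a single attribute: resolve
    the sender to a client entry and, for Accounting-Request, check that the
    authenticator was computed with that client's secret.  Returns (verdict, detail)."""
    secret = lookup_client(src_ip, table)
    if secret is None:
        # RFC 2865 says to discard silently; the debug log line is all the operator sees.
        detail = f"no such RADIUS client {src_ip}, packet dropped"
        hints = suggest_transposition(src_ip, table)
        if hints:
            detail += f" (octets transposed from configured client {hints[0]}?)"
        return "dropped", detail
    if len(packet) < 20:
        return "dropped", "packet shorter than the 20-octet header"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return "dropped", "length field inconsistent with packet"
    authenticator, attrs = packet[4:20], packet[20:length]
    if code == ACCOUNTING_REQUEST:
        expected = accounting_authenticator(code, ident, attrs, secret)
        if not hmac.compare_digest(expected, authenticator):
            return "dropped", "Request Authenticator mismatch (shared secret differs?)"
    return "accepted", code


if __name__ == "__main__":
    # Access-Request as the iChain box would send it: User-Name (1) and
    # NAS-IP-Address (4); the Request Authenticator is random per RFC 2865.
    attrs = avp(1, b"stefan") + avp(4, ip_address("62.200.168.121").packed)
    pkt = build_packet(ACCESS_REQUEST, 15, os.urandom(16), attrs)
    print(handle_request("62.200.168.121", pkt))
    print(handle_request("62.168.200.121", pkt))
```

    The transposition hint is deliberately only a hint: the fix is still to correct the client-table entry, never to accept the packet, because the secret bound to the wrong address is what protects the exchange.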

  • Radius / NMAS / MD5

    When trying to authenticate to novell radius using the MD5 login method
    the novell server abends - Page fault processor exception on the
    LSMMD5.nlm which was passed by NMAS. This is a NW 6.5 sp 1 and running
    the radius.nlm from bordermanager 3.8 The LSMMD5.nlm is version 1.10
    12/3/03. Note other login methods are working fine (NDSpassword and tokens)
    Has anyone had a similar problem or is using MD5 authentication with the
    Novell Radius server?

    It sounds like there is a problem in the NMAS Digest MD5 Method. The NMAS
    team will need to investigate this.
    You should use the Simple Password method with RADIUS instead of the Digest
    MD5 Method. The Digest MD5 Method uses the NMAS Simple Password, but my
    understanding is that this method is intended to be used only with the LDAP
    Digest MD5 SASL mechanism. You should not use this method with RADIUS.
    If you're trying to set up CHAP, you should use the Simple Password Method.
    The Simple Password Method supports both PAP and CHAP.
    >>> Heidi<[email protected]> 6/23/2004 2:19:24 PM >>>
    When trying to authenticate to novell radius using the MD5 login method
    the novell server abends - Page fault processor exception on the
    LSMMD5.nlm which was passed by NMAS. This is a NW 6.5 sp 1 and running
    the radius.nlm from bordermanager 3.8 The LSMMD5.nlm is version 1.10
    12/3/03. Note other login methods are working fine (NDSpassword and
    tokens)
    Has anyone had a similar problem or is using MD5 authentication with the
    Novell Radius server?
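    The answer above says the Simple Password Method supports both PAP and CHAP. The reason it has to be that method rather than the NDS password is visible in the RADIUS wire formats themselves: PAP's User-Password is only hidden with the shared secret and the server recovers the cleartext, but CHAP's CHAP-Password is an MD5 over the cleartext password, so the server must hold a password it can read back, which an NDS hash cannot supply. The block below is an added example in Python (not Novell or NMAS code) implementing both checks from RFC 2865 sections 5.2 and 5.3; the secret, passwords and challenge are constructed for the example.

```python
import hashlib
import hmac
import os


def hide_user_password(password, secret, request_authenticator):
    """RFC 2865 section 5.2: pad to a multiple of 16 octets, XOR each block with
    MD5(secret + previous ciphertext block), the first block using the Request
    Authenticator.  This is how a PAP NAS puts the password on the wire."""
    padded = password + bytes(-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def recover_user_password(hidden, secret, request_authenticator):
    """Server-side inverse of hide_user_password.  The zero padding is stripped,
    so (as in the RFC) a password ending in NUL octets is ambiguous."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def chap_response(chap_id, password, challenge):
    """What the client sends: CHAP-Password = ident || MD5(ident || password || challenge)."""
    return bytes([chap_id]) + hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def verify_chap(chap_password, challenge, stored_password):
    """Server-side check (RFC 2865 section 5.3).  Needs the cleartext password:
    a login method backed by a one-way hash cannot reproduce this MD5, which is
    why CHAP needs a reversible store such as the NMAS Simple Password."""
    if len(chap_password) != 17:
        return False
    chap_id = chap_password[0]
    expected = hashlib.md5(bytes([chap_id]) + stored_password + challenge).digest()
    return hmac.compare_digest(expected, chap_password[1:])


if __name__ == "__main__":
    secret, ra = b"shared-secret", os.urandom(16)  # constructed values
    hidden = hide_user_password(b"hunter2", secret, ra)
    print(recover_user_password(hidden, secret, ra))
    challenge = os.urandom(16)
    print(verify_chap(chap_response(5, b"hunter2", challenge), challenge, b"hunter2"))
```

    Both mechanisms are MD5-based and only as strong as the shared secret and the randomness of the Request Authenticator or challenge; the point here is the storage requirement each one imposes on the server, not their cryptographic strength.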

  • How to identify used AP in RADIUS Accounting

    We are using 5508 WLC with 3602 APs.
    Looks like in RADIUS Authentication Called-Station-Id is the MAC address of the AP,
    but in RADIUS Accounting Called-Station-Id is the MAC address of the WLC.
    How can we change that behaviour so that Called-Station-Id will always be the MAC address of the AP?
    Or is there some other way to identify the actual AP to which the user is connected?
    Regards
    Timo

    Hmm, I did some trial and error and solved the problem.
    On the WLC, go to Security > AAA > RADIUS > Authentication and set the Call Station ID Type to "AP MAC Address:SSID". Even though that seems to be for RADIUS Authentication, it changes the Called-Station-Id also for RADIUS Accounting.
    Thanks anyway
    Timo

  • PEAP authentication for domain & non-domain computers

    Hello Everyone,
    Some of our users have laptops that are not in the domain and are unable to connect to the wireless network. Although their computers aren't in the domain, the users do have an AD account and are currently a part of the security group attached to the Wireless NPS policy. The only remedy I have for this problem is to manually add the SSID to their computer which defeats the purpose of this wireless network. The ultimate goal is to allow the user to connect to the wireless network by entering their domain credentials and moving on.
    We have a WLC 2504 running 7.4.110.0 with 15 1602i APs. The SSID is configured to pass 802.1x EAP authentication to NPS running on windows 2008 R2. With mobile phones and tablets, the authentication is successful without a hitch so I don't understand why a non-domain computer is unable to connect without manually entering the SSID. In the WLC log, I will see entries such as:
    "AAA Authentication Failure for UserName:host/LastNameFirstInitial-LT.mydomain.Local User Type: WLAN USER".
    By examining this log entry, to me it says the domain profile on the computer is being sent to the NPS for authentication instead of the username and password. We have a 3rd-party SSL certificate installed on the NPS server.
    Taking it one step further - We have a second SSID for guest users that is configured with the same setup except that the NPS is configured to accept authentication attempts from a single AD user called "mydomain\guest". We decided on this approach for the guest wireless network so that we can rotate the password automatically every week with a vbscript that manipulates the password via LDAP. Users with laptops in different domains are unable to connect to the guest wireless network and I'm starting to think the machine authentication is a problem. 
    Any suggestions would be greatly appreciated.
    Thanks,
    Ali.

    Hi Ali,
    That’s all part of the wonderful world of wireless on Windows.
    When a connection to a WLAN is made on a Windows machine, by selecting it from the available Wireless Networks list (passive RF scan), and Windows has parsed the 802.11 AP beacon to contain the WPA2 802.1X element, by default it will attempt to connect with known or active session credentials.
    Typically it will be the machine account (they all have them whether on a domain or not) and then/or the user. This order and preference may change depending on the version of Windows (Vista to Windows 8) and service pack level.
    Regardless, the only thing you can count on for sure is that the first authentication attempt from a Windows client will not involve the user entering information. Once the first attempt fails, the Windows supplicant will prompt the user for login information via a notification in the system tray, which may or may not be noticed by the user, and may or may not stay for more than 5 seconds.
    Windows XP and Vista were the worst for this. In Windows 7 and Windows 8 this process and the recovery and user prompt mechanism are greatly improved, but not infallible.
    The only way to avoid this would be to manually configure the WLAN profile on the Windows machine as you are currently doing.
    Mobile phones and tablets don’t have this issue because of the software coding in their supplicants. Besides, the only “system” credentials on an iOS or Android phone are typically your Play Store and App Store accounts, and both vendors know those won’t be accepted for network access by default anywhere.
    There isn’t an easy way to support non-domain Windows systems on a domain-integrated one.
    You might want to try adding another SSID.
    You could have a corporate SSID, a guest portal and a third that is PSK + guest portal. On NPS you could filter for the RADIUS attribute Called-Station-Id (includes SSID) to allow all domain IDs access instead of just that WLAN.
    Or you could look at swapping out NPS for a Cisco ISE VM/appliance, with the new Plus licenses adding lower-cost onboarding of devices; Windows XP and up are supported for supplicant configuration via ISE.

  • ISE web auth for non-cisco switch(D-link 3528)

    Is it possible to use ISE(inline posture node) to redirect the wired users to ISE guest portal ?
    And the wired users will get full network access after they pass the web auth.

    You can use the ISE in-line posture node with 3rd-party switches.
    The RADIUS access device must supply the following RADIUS attributes:
        Calling-Station-Id (for MAC_ADDRESS)
        User-Name
        NAS-Port-Type
        The RADIUS accounting message must have the Framed-IP-Address attribute.
    VLAN and DACL features can be used, but again it depends on the switch model; let us know the specific switch models. Certain advanced use cases, such as those that involve posture assessment, profiling, and web authentication, are not consistently available with non-Cisco devices or may provide limited functionality.

  • ISE Design Question

    I have a few design questions regarding ISE v.1.0.4.573.
    Do ISE 3395 gigabit ports support link aggregation? How can I utilize all 4 ports for uplink?
    When doing a standalone HA setup of 2x3395, is there a heartbeat link between the two ISE nodes, or will they use the same uplink to the network for heartbeat and synchronizing?
    I am designing ISE with WLC. My WLC (5508) setup is like 5 floors having different VLANs but the same SSID. How can I make ISE authenticate in this scenario, since WGB AP is not supported in ISE v.1.0? Is there a workaround for this type of WiFi setup in ISE?
    Continuing from the above setup, while roaming from one floor to another floor after changing VLAN, will the user re-authenticate or use the same session?
    Thanks for the help.
    Regards,
    Zohaib

    1. The current version does not support Link aggregation..
    2. They will use the same uplink to the network for heartbeat and synchronizing.
    3. My suggestion is to assign your SSID an interface group, containing all interfaces belonging to your VLANs, on your WLC and set AAA override. Then, in ISE, create authorization profiles which include the appropriate VLAN. Use the RADIUS attribute Called-Station-Id with your AP MAC address as the condition.
    4. They will use the same session.

  • NAC Guest Server- Can port redundancy be acheived ?

    Dear Folks,
    I do have a NAC Guest Server which I need to deploy for wireless clients (guest users). I want to connect it to two core switches. Can I establish redundancy on it? I checked in the documentation, and it says to configure the IP on eth0 to connect to the network. Is there any feature like teaming that can be deployed?
    Regards,
    Aaron

    We had the same problem.
    You can solve it by sending the RADIUS server (Cisco NGS) these additional RADIUS attributes:
    Calling-Station-Id
    NAS-IP-Address

  • WLAN ACS AD Authentication

    I have a Cisco ACS 5.6.0.22 and a WLC 5508 7.4.110.0. I have set up network authentication on the WLC through RADIUS using the ACS. I created two groups, let's say group1 and group2, in AD. I was hoping to authenticate group1 to WLAN 1 and group2 to WLAN 2. Authentication works fine, but group1 can access both WLAN 1 and 2 and group2 can access both WLAN 1 and 2 as well. I do not want this. I know it has to be a configuration with the authorization profile in the ACS for each WLAN, but I just can't find or figure it out. Any help would be much appreciated!

    I have the same situation at a customer, but I resolved it by applying the Called-Station-Id like Scott Fella said.
    If the SSIDs are apparently similar you can have problems with the rules in the Called-Station-Id field:
    Examples:
    SSID 1 - mobile - group 01
    SSID 2 - mobile_vip - group 02
    The group associated with mobile in the ACL rule will be valid for both SSIDs.
    To create a rule in the ACS you can create a condition in the authorization profile that is a RADIUS attribute (Called-Station-Id), select "ends with" and put the SSID information in this field.
    I hope it helps.
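    Several of the answers above turn on the same two attributes: Called-Station-Id, which a WLC set to "AP MAC Address:SSID" fills with the AP's MAC, a colon and the SSID (the per-SSID group rule in this ACS thread, the per-floor AP MAC condition in the ISE design answer, and the NPS filter in the PEAP thread), and Calling-Station-Id, which carries the endpoint MAC that ISE needs from a third-party switch in the in-line posture answer. The block below is an added example in Python, not code from Cisco, Microsoft or any of the posters, that parses both attributes, shows why a substring rule on the raw Called-Station-Id ("mobile" also hitting "mobile_vip", as the answer above warns) differs from an exact match on the parsed SSID, makes a per-SSID group and per-AP VLAN decision, and checks a non-Cisco NAS for the attributes the ISE answer lists. The attribute dicts, MACs, SSIDs, groups and VLAN numbers are all constructed for the example; `authorize` and `check_third_party_nas` are hypothetical names, not API of either product.

```python
import re
from ipaddress import ip_address

_HEX12 = re.compile(r"^[0-9a-f]{12}$")
# A MAC in dashed, colon, Cisco dotted (aabb.ccdd.eeff) or bare form, optionally
# followed by ':' and an SSID, i.e. the WLC "AP MAC Address:SSID" call-station-id type.
_CALLED_RE = re.compile(
    r"^((?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2}|(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}|[0-9a-f]{12})"
    r"(?::(.*))?$",
    re.IGNORECASE | re.DOTALL,
)


def normalize_mac(value):
    """Canonical 'aa-bb-cc-dd-ee-ff', or None if value is not a MAC address.
    Vendors disagree on the separator, so compare MACs only in this form."""
    digits = re.sub(r"[-:.]", "", value.strip().lower())
    if not _HEX12.match(digits):
        return None
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_called_station_id(value):
    """Split Called-Station-Id into (ap_mac, ssid).  ssid is None when the NAS
    sent only a MAC; only the first colon after the MAC is a separator, so an
    SSID that itself contains ':' survives intact."""
    m = _CALLED_RE.match(value.strip())
    if not m:
        raise ValueError(f"Called-Station-Id does not start with a MAC: {value!r}")
    return normalize_mac(m.group(1)), m.group(2)


def substring_ssid_rule(pattern):
    """A 'contains' rule typed against the raw attribute: matches more than meant."""
    return lambda attrs: pattern in attrs.get("Called-Station-Id", "")


def exact_ssid_rule(ssid):
    """The same intent expressed against the parsed SSID."""
    return lambda attrs: parse_called_station_id(attrs["Called-Station-Id"])[1] == ssid


def authorize(attrs, user_groups, ssid_policy, ap_vlans=None):
    """Per-SSID group check (group1 only on WLAN 1) followed by a per-AP VLAN pick
    (one SSID, one VLAN per floor, keyed on the AP MAC).  ssid_policy maps SSID to
    the group a user must hold; ap_vlans maps AP MAC to VLAN id.
    Returns ('accept', vlan_or_None) or ('reject', reason)."""
    ap_mac, ssid = parse_called_station_id(attrs["Called-Station-Id"])
    wanted_group = ssid_policy.get(ssid)
    if wanted_group is None:
        return "reject", f"no policy for SSID {ssid!r}"
    if wanted_group not in user_groups:
        return "reject", f"user not in {wanted_group}, required for SSID {ssid!r}"
    return "accept", (ap_vlans or {}).get(ap_mac)


REQUIRED_ACCESS = ("Calling-Station-Id", "User-Name", "NAS-Port-Type")


def check_third_party_nas(access_request, accounting_request):
    """Attributes ISE needs from a non-Cisco switch: a MAC in Calling-Station-Id,
    User-Name and NAS-Port-Type in the Access-Request, and a usable
    Framed-IP-Address in the Accounting-Request.  Returns a list of problems."""
    problems = [f"Access-Request lacks {a}" for a in REQUIRED_ACCESS if a not in access_request]
    mac = access_request.get("Calling-Station-Id")
    if mac is not None and normalize_mac(mac) is None:
        problems.append(f"Calling-Station-Id {mac!r} is not a MAC address")
    ip = accounting_request.get("Framed-IP-Address")
    if ip is None:
        problems.append("Accounting-Request lacks Framed-IP-Address")
    else:
        try:
            ip_address(ip)
        except ValueError:
            problems.append(f"Framed-IP-Address {ip!r} is not an IP address")
    return problems


if __name__ == "__main__":
    # Constructed requests as a WLC with "AP MAC Address:SSID" would send them.
    mobile = {"Called-Station-Id": "00-11-22-33-44-55:mobile"}
    vip = {"Called-Station-Id": "00-11-22-33-44-55:mobile_vip"}
    print(substring_ssid_rule("mobile")(vip), exact_ssid_rule("mobile")(vip))
    policy = {"mobile": "group1", "mobile_vip": "group2"}
    print(authorize(vip, {"group1"}, policy, {"00-11-22-33-44-55": 102}))
```

    The "ends with" condition from the answer above avoids the prefix case but still matches an SSID that ends in the same word (corp-mobile ends with mobile); parsing the attribute and comparing the whole SSID is the rule that cannot be fooled by naming. Normalising the AP MAC before using it as a condition matters for the ISE per-floor case because the controller's dashed form will not string-match a MAC copied from a switch in dotted form.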
