RADIUS Question

Similar Messages

• 802.1x EAP-PEAP - Radius Question

  We're going to be deploying a wireless solution to a customer at some point shortly. So far we have a WLC 2500 Series,
  1140 LAPs, and a 2960-S switch. We're going to have Windows 7, iPhone, iPAD devices, and I was going to implement
  802.1x EAP-PEAP. I'm going to need a RADIUS server, but I was just wondering is there a cheaper solution than just
  getting a Cisco ACS to run a simple RADIUS server which is all I need.
  Also, when the Supplicant sends its NAI in a EAP-ResponseIdentity message, what exactly is this username
  and how does it differ from the username you provide after the secure TLS tunnel has been configured.                  

  Hey John,
  Yes, in fact its all about feeling comfortable. So here is a video showing LOCAL PEAP on a WLC.
  http://www.youtube.com/watch?v=YIxG4OEfwtY
  The 2000 is becuase there is a database limit this includes MACS, LOCAL ACCOUNTS and AP MACs for AP policy. The mac is 2048 .. Here I blogged about this ..
  http://www.my80211.com/cisco-wlc-cli-commands/2009/12/27/configure-local-mac-authentication-on-cisco-wlcs.html
  So yes it sounds right and you should be good.
  Hope this makes you feel a little bit better with your direction. If this helps can you mark the question as answered ?
  Thanks John!
  "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
  ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

• Urgent RADIUS question

  Hi,
  At a customer we have our WAAS appliances enabled for Radius authentication (via via to Active Directory). The authentication it self works. But when the AD password policy requests users to change credentials the AD accounts start locking-out.
  We found out that CM is pushing user accounts to the appliances. When saving the account to the CLI config the appliance, the appliance does a radius authentication request. Because CM is configured with old/expired passwords this action locks our accounts quickly (100+ appliances).
  How can we fix this? Can we configure the system not to store our old accounts and push them out to the remote appliances??
  Regards,
  Erik
  We see the following passing in the logs for every user every once in a while.
  2012 Nov 12 14:58:58 wae01-sitea config: %WAAS-PARSER-6-350232: CLI_LOG log_cli_command: username "etam" passwd 
  2012 Nov 12 14:58:58 wae01-sitea cfg_bin_users: %WAAS-UNKNOWN-5-899999: ***pam_radius pam_sm_authenticate: Got user name #####
  2012 Nov 12 14:58:58 wae01-sitea cfg_bin_users: %WAAS-UNKNOWN-5-899999: ***pam_radius pam_sm_authenticate: Sending RADIUS request code 1
  2012 Nov 12 14:58:58 wae01-sitea cfg_bin_users: %WAAS-UNKNOWN-5-899999: ***pam_radius pam_sm_authenticate: Got RADIUS response code 3
  2012 Nov 12 14:58:58 wae01-sitea perl: %WAAS-CMS-5-700001: Done with usercreation username :: "etam" process return value :: 0

  Hello,
  You're on the right track with CSM (Cisco Security Manager). CSM would fit perfectly in this role. We use it to maintain 6 ASAs and about 120 PIX firewalls. It is great for policy-based firewall administration. Compared to other CiscoWorks products, CSM is very stable and performs ideally in the situation you describe above. If you have anymore questions, let me know.
  -Mike
  http://cs-mars.blogspot.com

• Radius Questions

  Hi everyone. Hope you all had a good new year. Bring on 2008!
  I looking into a wireless network at my school and have previously had real bad experience with wireless. The school I previously worked had wireless and I think the reason why it didnt work properly was because they weren't using Commerical access points and stuck with the home based equipment and dotted lots of these around the building. It was a nightmare to administer because you had to keep note of every IP for each AP if you needed to make a change and login to every AP if it was a global change.
  I interested in knowing more about RADIUS server setup but the content I am finding online just seems to confuse me. I have a few questions which I hope someone may be able to answer for me:
  1. Am I right in saying that if you have a RADIUS server all AP which are radius compatible can be managed from the server end. So for example if I wanted to change the SSID for the whole wireless network I could simply go onto the RADIUS server make a change there and then the server will broadcast this to all the AP's?
  2. The authentication part of radius, does this link in with Active Directory?, so if a user wanted to log onto the network they could use their AD account to authenticate and allow access to the wireless network? or does it run on a separate authentication system.
  3. Network access control (NAC) is this a CISCO proprietary thing? and can this work with a RADIUS Server.
  I appreciate any help on this. If anyone could also point me out with some good companies who may be able to provide me with a solution that would be great.
  Your help is appreciated

  #1. That would be no. The radius server is used to authenticate the users, not to manage the APs. There can be some interaction with the APs from radius in that some configuations allow you to authenticate mac addresses with radius. That way you could enter the mac once on the radius server instead of doing it on each AP though I have not bothered with that. The nice thing about radius is that when someone tries to hack your wireless, a radius server tied to AD can cause AD account lockout based on your policies, and it is easy to tell if someone is hacking your wireless by checking your radius logs.
  2. Radius can point to several external user sources including AD or you can even have user IDs on the radius server itself.
  3. NAC should be able to work with radius though I have not used it as of yet.
  To manage all of the APs centrally, you would get Cisco's LWAPP APs and a wireless controller such as a 4404. You can also add WCS to manage multiple controllers. It is pretty cool, but I find WCS kind of difficult to navigate if you are used to the autonmous APs. In any case, it does things you can not do with standalone APs.
  Randy

• CSS3 Corner Radius question

  I know this question should be posted on a CSS3 Forum but I can’t seem to find one and thought DW users might have come across an answer.
  When the corner radius of an AP Div is defined and an image is placed inside the APD, the rectangular corners of the image are not clipped by the APD box. The image corners actually stick out beyond the rounded corners. Is there a style property that hides the image corners or clips them? I’ve tried setting the overflow to Hidden without success.

  Actually there is a way to clip images as long as you target the image and not the containing element as in
  <!DOCTYPE html>
  <head>
  <meta charset="UTF-8">
  <title>Untitled Document</title>
  <style>
  #tab1 img {
      position:absolute;
      left:92px;
      top:33px;
      width:115px;
      height:34px;
      z-index:1;
      /* border radius and drop shadows */
      border-radius: 20px 20px 0px 0px / 20px 20px 0px 0px;
      border-top-left-radius: 20px 20px;
      border-top-right-radius: 20px 20px;
      border-bottom-right-radius: 0px 0px;
      border-bottom-left-radius: 0px 0px;
      box-shadow: -4px -7px 5px 0px rgba(128,128,128,0.3);
      -moz-box-shadow: -4px -7px 5px 0px rgba(128,128,128,0.3);
      -webkit-box-shadow: -4px -7px 5px 0px rgba(128,128,128,0.3);
      font-family: Arial, Helvetica, sans-serif;
      font-size: 18px;
      color: #333333;
      border-top-width: 1px;
      border-right-width: 1px;
      border-left-width: 1px;
      border-top-style: solid;
      border-right-style: solid;
      border-bottom-style: none;
      border-left-style: solid;
      border-top-color: #000000;
      border-right-color: #000000;
      border-left-color: #000000;
  </style>
  </head>
  <body>
  <div id="tab1"><img src="Home1.png" alt="tab1" /></div>
  </body>
  </html>
  Gramps

• Local radius question?

  Hi,
  I was just taking a look at the local radius functionality on a router. I've found a strange problem which doesn't make sense to me and I was wondering if someone could explain what I'm seeing. As a basic lab to learn the ropes with local radius I created a local radius server on my router and got the local vty lines to use it for authentication.
  This is my config:
  interface Loopback0
    ip address 192.168.0.1 255.255.255.255
  ip radius source-interface Loopback0
  aaa group server radius LOCAL-RADIUS
  server 192.168.0.1 auth-port 1812 acct-port 1813
  aaa authentication login default group LOCAL-RADIUS
  radius-server local
    nas 192.168.0.1 key 0 <removed>
    user mwhittle nthash 0 <removed>
  radius-server attribute 32 include-in-access-req format %h
  radius-server host 192.168.0.1 auth-port 1812 acct-port 1813 key <removed>
  radius-server vsa send accounting
  Now he's the strange thing... If I configure the radius user to "mwhittle" with the password "mwhittle" it works and I get an Access-Accept. If I configure anything another than the username for the password it doesn't work and I get an Access-Reject. I have tried many combinations but as long as the username and password are the same it works and if they aren't it doesn't. This can't be normal behavior unless I'm missing something.
  Any ideas?
  Kind regards,
  Mike

  Hi,
  What kind of RADIUS client application are you using with the IOS local  RADIUS server?  Please note that this server supports *only* wireless  clients,
  and only for the LEAP and EAP-FAST EAP types, and also MAC authentication.  It does not provide support for other kinds of RADIUS clients.
  The fact that username=password happens to seem to work is, I believe, an accidental artifact of the MAC authentication support, where username
  is always equal to password.
  If we are not using the MAC auth, then please feel free to open up a TAC case and we will help you..
  lemme know if this answered your question..
  Regards
  Surendra
  ====
  Please dont forget to rate the posts which answered your question and mark it as answered or was helpfull

• Anyconnect Radius Question

  I have a ASA 5510 and I'm currently using it to serve my VPN client (ipsec) users. I want to be able to also use it for the AnyConnect client but limit who can use the client to connect. I'm authenticating my users using a Windows IAS server and I push down ACLs via the AV Pair attribute. Is there a way via radius or on the ASA to specify which users are allowed to use the AnyConnect client? I need to limit access to this. I wasn't able to find anything in the documentation but I may be missing something.
  Thanks for the assistance.

  You can use the IETF Class value (att 25) to pass along a string to the asa, using this string, you can have the ASA to place the user on a specific group-policy that matches that string and in the group-policy you can have the tunnel-protocol svc or webvpn enabled or not. When the user that should not be connecting via anyconect receives the string and the asa places the user on the group-policy that does not have that tunnel protocol enabled, the connection will never happen.

• ACS Radius Question about Request Authenticator Field

  Hi, I did a little bit reading about Radius to understand more in deepth
  if I understand correctly the Request-Authenticator-Field in the Radius-Request Packet is just a random number and has nothing to do with the configured shared secret on AAA-Client.
  That would mean that ACS does not check the shared secret in an incoming request.
  So in case of CHAP Authentication the password in the request is not encrypted with the shared secret, ACS can successfully check the credentials from the request , though the shared secret between ACS and AAA-client does not match and will send a Radius Accept packet
  The Response-Authenticator-Field in the Radius-Accept Packet is a MD5 over (Code+ID+Length+RequestAuth+Attributes+SharedSecret)
  So if the the shared secret does not match the AAA-Client will recongize this and will not grant access.
  Is that true so far.
  I always thougth that shared secret must match, otherwise the ACS will not accept any radius-request?
  Thx
  hubert

  Hi Nicholas,
  pls see attached a packet-capture from 6 Radius-request of a AAA-Client (small Radius-Test-SW) and the answer from ACS
  1 PAP wrong key correct Password -> ACS logs failed auth
  2 PAP correct key correct Password -> ACS logs success auth
  3 CHAP wrong key correct Password -> ACS logs success auth
  4 CHAP correct key correct Password -> ACS logs success auth
  5 CHAP wrong key wrong Password -> ACS logs failed auth
  6 CHAP correct key wrong Password -> ACS logs failed auth

• Corner radius question

  When I make a rectangle stroke with a corner radius in Illustrator and try to scale it down using shift and drag the corner radius changes. How do I keep it from doing this?

  If you don't want this to happen, you will have to do the scaling in two stages using the Direct Select tool. Highlight all the anchor points along one end and scale horizontally using the Shift key to constrain. Then do an edge in the same manner.

• WLC RADIUS Fallback Questions

  We would like to configure RADIUS fallback to ensure RADIUS authentications always go to their primary ACS while it's available, but the documentation is not very clear with regard to the username configuration.
  There is no mention of a password, but if you enable fallback - even with the default "cisco-probe" username, failures of that account show up on the ACS server log, so I'm assuming it's not working.
  Can someone shed some light on how exactly this "cisco-probe" should work?
  Thanks!

  There are three modes to fall back:
  off - no fallback
  passive - WLC sends the credentials to the 'dead' server when a user tries to authenticate
  on - You configure a username, and an interval.  WLC sends the credentials to the 'dead' server at configured interval.
  The password really doesn't matter, just that the WLC gets a packet back.  So getting a reject back from the server would bring it back 'alive' in the AAA list.
  make sense?
  HTH,
  Steve
  Please remember to rate useful posts, and mark questions as answered

• Flexconnect Radius Server Overwrite interface Question

  Hello All,
  Can someone confirm/comment on the following:
  In a flexconnect scenario, for site 1, i would like to source the radius requests to a remote radius (at the flexconnect site 1).  as i can understand i need to enable the RAdius Server Overwrite interface option. Is that all?
   Also, for flexconnect sites X this can also be done per WLAN X configuration. 
  Is this correct?
  Thanks

  Hi pana,
  Answers below :
  Meaning that, even if i configure the Flexconnect groups with local authentication, then how does the Flexconnect ap reach the local radius?
  When you are working with local authentication, the AP will communicate with the local RADIUS Server using the local routing in the branch office without the 802.1X traffic being sending to the WLC......the AP will communicate directly to the local radius server using it IP address and the local routing. (This communication is transparent if you see from the WLC because the WLC will not intermediate the authentication between the client and RADIUS, who will intermediate is the AP. The WLC will receive informations when the AP is in connected mode about the client and the authentication method and etc after the user was authenticated).
  Example :
                                                                                                             RADIUS SERVER
  WLC ----SWITCH L3------ROUTER----(MPLS Link)-----ROUTER---SWITCH L3---AP
  The WLC continues managing the Access Point but will  not"talk" to the RADIUS Server, who will "talk" to the RADIUS Server is the AP in the branch office using the SWITCH L3 (Asumming that you have the RADIUS in one network and the AP in another network in the same branch office)
  Understand now ?
  As i can understand, in a local switching/local authentication scenario the Flexconnect ap can only map a WLAN to local VLAN( route-able network on the remote site) that serves for the users-data plane. Then in conjunction with the radius server override option, how can this FlexconnectAP send requests to the local radius? I can only suppose that it will do so using the users locally mapped VLAN/WLAN but i cant reference this anywhere. 
  The AP will only send the requests do the local radius only if you configure the FlexConnect Local Auth and FlexConnect Group. Enabling this option the AP will use it IP Address to communicate with RADIUS without the WLC intermedianting this communication.
  Without the FlexConnect Local Auth enable in the WLAN the AP will continue directing the 802.1X requests to the WLC and the WLC will send to the RADIUS Server and in this situation if you enabled the radius overwrite interface the WLC will try to reach the RADIUS Server using the WLAN interface and not the management the interface. (You do not need the radius overwrite interface option to work with Local Auth if you want to use the AP as a Authenticatior, you only use this interface if you want that the WLC with central authentication direct the 802.1X authentications to the RADIUS)
  One information about the VLAN/WLAN is really mapped statically but you can manipulate it using the RADIUS Atrributes, changing the VLANs from the USERs based in the AD Group and after the authentication. It can work in local auth scenario or central auth scenario.
  http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob73dg/emob73/ch7_HREA.html#pgfId-1103070
  I hope it helps and if not helps i think i am not understanding the real question.

• Question about RADIUS server configuration with a MacBook Pro

  Hello,
  I own a modem router which is capable of WPA2 Enterprise and I want to use it with a RADIUS server for authentication and security purposes.
  However, I have a few doubts about this.
  MY CONFIGURATION:
  The modem router would be connected to a fixed PC with Windows and to a MacBook Pro (both with Ethernet)
  The RADIUS server would be running on the MacBook Pro (freeRADIUS)
  The bold is the issue, that comes when I disconnect the MBP (it's a notebook, so I use it disconnected from the router sometimes).
  Supposing the router would have recognized it (correct configuration), it would disconnect from it.
  My questions:
  Would Wi-Fi be lost in this manner? Or would the modem router automatically switch to another Wi-Fi authentication?
  If I reconnected the MBP to the modem router and re-run the RADIUS server, would I need to access the control panel and re-configure the WPA2 Enterprise in order for Wi-Fi to work again?
  Thanks in advance,
  Tyrexionibus

  "Full HD 3DD camcorder..." Marketing at it's best.
  This is HDV, right? HDV has the same data rate as DV...13.6GB/hour. But because of the MPEG-2 Long GOP format the HDV format employs, it can be a bit tough to edit, but mainly when rendering effects. IT will be slower than DV, and you can't monitor thru the camera like you can with DV, but a simple FW400 drive and Intel Mac will be fine. Better if you can convert to ProRes upon ingest, but then that eats up a LOT more space and requires at least FW800...
  http://library.creativecow.net/articles/poisson_chris/hdv-prores.php
  Shane

• Radius Authorization question

  Can you configure Radius authorization to access a router or not.
  I am confused because the Practical Studies book says "Use the local database for authorization instead of RADIUS because is incapable of understanding CLI":
  aaa new-model
  aaa authentication login default group radius
  aaa authorization default local
  Now in the Cisco website, says you can after configuring the following:
  Cisco Secure NT RADIUS
  Follow these steps to configure the server. http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008009465c.shtml
  IETF, Service-type (attribute 6) = Nas-Prompt
  In the CiscoRADIUS area, check AV-Pair, and in the rectangular box underneath, enter shell:priv-lvl=7.
  aaa new-model
  aaa authentication login default tacacs+|radius local
  aaa authorization exec tacacs+|radius local
  username backup privilege xxx password xxxx
  radius-server host 171.x.x.x
  radius-server key xxxx
  privilege configure level 7 snmp-server host
  privilege configure level 7 snmp-server enable
  privilege configure level 7 snmp-server
  privilege exec level 7 ping
  privilege exec level 7 configure terminal
  privilege exec level 7 configure

  You can specify the exec privelege level for certain user on specific AAA client using RADIUS.
  Based on that certain user can run all the commands that are part of that particular Privelege exec level.
  Now if you want to allow certain set of commands from particular privilege exec level you need to use tacacs+ protocol
  and enable command authorization sets command on your AAA server.
  Check the following links as references on command authorization:
  http://www.cisco.com/en/US/partner/products/ps9911/products_configuration_example09186a0080bc8514.shtml
  http://www.cisco.com/en/US/partner/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
  Please make sure to rate correct answers

• Last question for today - how to draw with API circle of N pixels radius

  Hi,
  While I'm bit of exhausted while fighting with those paths movement (see my other thread in this forum) - I'd like to ask maybe someone has code snippet, which shows how to draw a circle of N pixels/N mm/inches radius?
  There is one helper function for that inside SDK samples:
  PDEPath DrawCurve(ASFixed x, ASFixed y, ASFixed x1, ASFixed y1, ASFixed x2, ASFixed y2, ASFixed x3, ASFixed y3, int lineWidth, int r, int g, int b)
  but I'm just out of my mind for today what parameters should be provided and how many calls of it I should write.
  Any help would be appreciated.

  You call it four times...
  Here is a snippet that explains the math...
  /* 4/3 * (1-cos 45)/sin 45 = 4/3 * sqrt(2) - 1 */
  #define ARC_MAGIC ((ASFixed) 0.552284749)
  #define PI ((ASFixed)3.141592654)
  void DrawCircle( ASFixed inCenterX, ASFixed inCenterY, ASFixed inRadius )
  /* draw four Bezier curves to approximate a circle */
  MoveTo( inCenterX + inRadius, inCenterY );
  CurveTo( inCenterX + inRadius, inCenterY + inRadius*ARC_MAGIC,
  inCenterX + inRadius*ARC_MAGIC, inCenterY + inRadius,
  inCenterX, inCenterY + inRadius );
  CurveTo( inCenterX - inRadius*ARC_MAGIC, inCenterY + inRadius,
  inCenterX - inRadius, inCenterY + inRadius*ARC_MAGIC,
  inCenterX - inRadius, inCenterY );
  CurveTo( inCenterX - inRadius, inCenterY - inRadius*ARC_MAGIC,
  inCenterX - inRadius*ARC_MAGIC, inCenterY - inRadius,
  inCenterX, inCenterY - inRadius );
  CurveTo( inCenterX + inRadius*ARC_MAGIC, inCenterY - inRadius,
  inCenterX + inRadius, inCenterY - inRadius*ARC_MAGIC,
  inCenterX + inRadius, inCenterY );
  Close();

• Question in ACS radius ports and how test connectivity between router

  hi all
  im asking here about default ports used in cisco acs for radius protocol
  is it 1812 and 1813 ???
  or there is another ports ??
  Q2-
  how to test connectivity between ACS "server aaa"  and the router "client aaa " ??????
  Q3-
  can anyone give me simple config on router for radius protocol to connect acs based on radius protocol ?
  regards

  The default authentictaion port is 1812 and the default accounting port is 1813.
  Here's an example config-
  aaa new-model
  aaa group server radius ACME-RADIUS
  server-private 192.168.1.5 auth-port 1812 acct-port 1813 key SeCrEtPaSsWoRd
  aaa authentication login default local
  aaa authentication login ACME-AAA group ACME-RADIUS local
  aaa accounting send stop-record authentication failure
  aaa accounting exec default start-stop group ACME-RADIUS
  line vty 0 4
  login authentication ACME-AAA
  You can test with-
  test aaa group radius server 192.168.1.5 mmessier St@nleyCup
  where mmessier is your username and the password is St@nleyCup