RADIUS Requests not Populating Attribute 4 (NAS-IP-Address)
I'm trying to get a Cisco 3120G configured for RADIUS authentication. I have many other IOS devices with identical configuration lines working, however, this one is giving me a hard time. The RADIUS server policy is configured by NAS-IP-Address. The AAA and radius configuration is as follows:
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
radius-server host 10.x.x.x auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key 7 XXXXXXXXXXXXXX
See the following Radius debug information:
indrc3120a#
000284: Feb 8 14:05:15.447 PST: RADIUS: Pick NAS IP for u=0x5992EF4 tableid=0 cfg_addr=0.0.0.0
000285: Feb 8 14:05:15.447 PST: RADIUS: ustruct sharecount=1
000286: Feb 8 14:05:15.447 PST: Radius: radius_port_info() success=1 radius_nas_port=1
000287: Feb 8 14:05:15.447 PST: RADIUS(00000000): Send Access-Request to 10.x.x.x:1645 id 1645/8, len 84
000288: Feb 8 14:05:15.447 PST: RADIUS: authenticator 12 5E 7E DF 01 B5 F1 D8 - 40 07 09 76 C5 88 C1 A4
000289: Feb 8 14:05:15.447 PST: RADIUS: NAS-IP-Address [4] 6 0.0.0.0
000290: Feb 8 14:05:15.447 PST: RADIUS: NAS-Port [5] 6 2
000291: Feb 8 14:05:15.447 PST: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
000292: Feb 8 14:05:15.447 PST: RADIUS: User-Name [1] 13 "admin_user"
000293: Feb 8 14:05:15.447 PST: RADIUS: Calling-Station-Id [31] 15 "10.y.y.y"
000294: Feb 8 14:05:15.447 PST: RADIUS: User-Password [2] 18 *
000295: Feb 8 14:05:15.505 PST: RADIUS: Received from id 1645/8 10.x.x.x:1645, Access-Reject, len 20
000296: Feb 8 14:05:15.505 PST: RADIUS: authenticator 4E EC 8F AB BB 8E F9 BB - 13 67 56 A3 5F F9 99 94
000297: Feb 8 14:05:15.505 PST: RADIUS: saved authorization data for user 5992EF4 at 0
Note the NAS-IP-Address attribute populated as 0.0.0.0
Another switch with an identical configuration returns the following:
tritc3120a#
350554: Feb 8 14:11:00.916 PST: RADIUS/ENCODE(000155BC): ask "Username: "
350555: Feb 8 14:11:10.605 PST: RADIUS/ENCODE(000155BC): ask "Password: "
350556: Feb 8 14:11:14.480 PST: RADIUS/ENCODE(000155BC):Orig. component type = EXEC
350557: Feb 8 14:11:14.480 PST: RADIUS: AAA Unsupported Attr: interface [170] 4
350558: Feb 8 14:11:14.480 PST: RADIUS: 74 74 [ tt]
350559: Feb 8 14:11:14.480 PST: RADIUS/ENCODE(000155BC): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
350560: Feb 8 14:11:14.480 PST: RADIUS(000155BC): Config NAS IP: 0.0.0.0
350561: Feb 8 14:11:14.480 PST: RADIUS/ENCODE(000155BC): acct_session_id: 87482
350562: Feb 8 14:11:14.480 PST: RADIUS(000155BC): sending
350563: Feb 8 14:11:14.480 PST: RADIUS/ENCODE: Best Local IP-Address 10.x.x.x for Radius-Server 10.y.y.y
350564: Feb 8 14:11:14.480 PST: RADIUS(000155BC): Send Access-Request to 10.y.y.y:1645 id 1645/222, len 90
350565: Feb 8 14:11:14.480 PST: RADIUS: authenticator 5F B1 17 DF 72 4B A6 3D - B6 7C D8 5C 85 66 B9 8D
350566: Feb 8 14:11:14.480 PST: RADIUS: User-Name [1] 13 "admin_user"
350567: Feb 8 14:11:14.480 PST: RADIUS: User-Password [2] 18 *
350568: Feb 8 14:11:14.480 PST: RADIUS: NAS-Port [5] 6 2
350569: Feb 8 14:11:14.480 PST: RADIUS: NAS-Port-Id [87] 6 "tty2"
350570: Feb 8 14:11:14.480 PST: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
350571: Feb 8 14:11:14.480 PST: RADIUS: Calling-Station-Id [31] 15 "10.z.z.z"
350572: Feb 8 14:11:14.480 PST: RADIUS: NAS-IP-Address [4] 6 1.2.3.4
350573: Feb 8 14:11:14.556 PST: RADIUS: Received from id 1645/222 10.y.y.y:1645, Access-Accept, len 83
350574: Feb 8 14:11:14.556 PST: RADIUS: authenticator 24 D9 F9 E2 BB A3 66 F6 - 73 E8 5D 42 8C A5 17 DA
350575: Feb 8 14:11:14.556 PST: RADIUS: Service-Type [6] 6 Administrative [6]
350576: Feb 8 14:11:14.556 PST: RADIUS: Class [25] 32
350577: Feb 8 14:11:14.556 PST: RADIUS: 59 6D 06 B1 00 00 01 37 00 01 0A DC 1E 18 01 CB C7 B8 82 D7 CA E2 00 00 00 00 00 00 00 0B [ Ym7]
350578: Feb 8 14:11:14.556 PST: RADIUS: Vendor, Cisco [26] 25
350579: Feb 8 14:11:14.556 PST: RADIUS: Cisco AVpair [1] 19 "shell:priv-lvl=15"
350580: Feb 8 14:11:14.556 PST: RADIUS(000155BC): Received from id 1645/222
Note that in the example above, the NAS-IP-Address is populating properly (I've just changed it for security reasons)
If anyone has any advice, it would be greatly appreciated. Does the switch need a restart? A RADIUS server process kick?
Thanks,
Thanks Jatin, I believe you're correct.
I tried this command
radius-server attribute 4 10.2.1.1
As specified in this document:
http://www.cisco.com/en/US/docs/ios/12_3/12_3b/feature/guide/gt_siara.html
Unfortunately, it doesn't seem to be available. The only command I have is radius-server attribute 4 npr.
The release notes which describe the bug here:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11000series/v5.00.0.63/release/note/Reln5b63.html
Also describe a workaround with the radius-server source-interface command. This, too, is unavailable, unfortunately.
I've been able to create a workaround policy tied to the "RADIUS-Client-IP" attribute, and have the functionality I require for the time being.
Thanks again for your help.
Similar Messages
-
R12: Requester not populated on Invoice lines
Hi,
I am having a problem in populating the field "Reqester" for an AP invoice at line level. In the List of value available, no result is found when i query for a requester name. I need this field for the Approval workflow process...
Is there a specific setup that need to be done so that i can get the Requester field populated?
Thanks,
vikModify the dynamic query in Attributes in AME
-
The RADIUS request did not match any configured connection request policy (CRP)
I setup NPS server and added a RADIUS Client access point, my project is to get a wireless user to authenticate using his/her AD credientials, my problem is i can't seem to authenticate my user
my NPS server is giving me this error log under Event Viewer > Server Logs > Network Policy and Access Services
Reason: The RADIUS request did not match any configured connection request policy (CRP).
but from my understanding i don't need to setup Connection Request Policies because i am using Network Policy
Please Help!thanks for your reply, i setup a new NPS policy here is my error log
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: NULL SID
Account Name: csdomain\rsingh
Account Domain: csdomain
Fully Qualified Account Name: csdomain\rsingh
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 0026.992f.6761
Calling Station Identifier: 2477.0392.b0f8
NAS:
NAS IPv4 Address: 192.50.2.2
NAS IPv6 Address: -
NAS Identifier: MYWAP
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 35290
RADIUS Client:
Client Friendly Name: MYWAP
Client IP Address: 192.50.2.2
Authentication Details:
Connection Request Policy Name: PEAP
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: MYSERVER.csdomain.com
Authentication Type: EAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 22
Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server. -
ISE 1.3 not receiving Radius requests from WLC 5508 ver 8.0.110.0
Hello all. I just implemented ISE 1.3 at a customer site. added a WLC running 8.0.110.0 using its mgmt address with a RADIUS preshared key. On the WLC, I created to SSIDs, corp and guest.
For corp I configured WPA2 and AES and forwarded Radius requests to my 2 ISE node PSN interfaces
For the guest I configured MAC filter with advanced features AAA overide and Radius NAC - per Cisco's documents
The corp forwards Radius requests to ISE, the guest does not. I get nothing from the guest.
I configured the WLC step by step from the Cisco document. I have completed over 10 ISE implementations in the last year using ISE 1.2 and WLC 7.x and have never run into this issue before.
Any help will be much appreciated.This issue has been resolved. The issue was that for the guest SSID MAC filtering was enabled as required, but they had the test PCs on a mac filter bypass list for that SSID in the WLC. This was automatically authenticating the PC, and therefore not forwarding the RADIUS to ISE.
Once we removed the PC from the MAC filter list in the WLC, the authentications were forwarded to ISE as desired. -
User details are not populating in access request
Hello All,
We have configured GRC 10 with LDAP and we are able to search the users in LDAP tcode(find option) and in the access request. But when i select the user and click on ok in the access request, user information is not populating to user details tab. I have followed the SAP Standard doc and configuration is fine. When i select data source as SAP system, user details are population as expected. But when i use LDAP as data source, i am having the issue. I hope this is an field mapping issue but i tried all different options but no solution i found. Kindly help me with your expert suggestions.
Field mapping is as follows:
LASTNAME
SN
FIRSTNAME
GIVENNAME
USERID
SAMACCOUNTNAME
ROLE_NAME
NAME
MEMBER_OF
MEMBEROF
EMAIL
MAIL
MANAGERID
MANAGER
Regards,
Jai Reddy.I know the path, but how to check it? is it using metaverse search?
Look at the Runs. Are they succeeding, or failing to connect?
Remove the Bit 17 and try again.
Trevor Seward
Follow or contact me at...
  
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs. -
Entity Attributes are not populating while creating EO using EO wizard.
Hi,
I am using JDeveloper version 10.1.3.3.0.3 and E-Business suite12.1.2.
I am facing problem while creating EO using EO wizard.
In Entity Object Editor Entity Attributes are not populating while creating EO.
Please help me resolve this issue.
Thanks & Regards,
SagarikaPlease ensure you click on Tables and Synonyms check box and select proper schema.
Try to select the table from the list after this instead of writing as in 10.1.3 when we write table name it automatically selects from the list if it exists in the list.
Thanks
AJ -
Info-Object Master Data is not populated using Attribute View
Hi Colleagues,
I have one info-Object 'Resource', compounded with client, resource type and scenario.
I want to fill its master data using an attribute view. In Master data tab, i have mentioned the package and attibute view (SAP HANA MODEL).
Assigned all the attributes to respective fields in attribute view.
I can see data using the 'Data Preview' in my attribute view.
Two issues --
1. Maintain master data option is disabled in the context menu of 'Resource' Info-Object.
2. Also the data available in attribute view is not populating in master data of info-Object ( I tried seeing by creating a report).
Please suggest what is wrong here.
Thanks in advance.
Regards,
RohitHi,
When you are loading data from DSO to IO, seems like some filtering is happening. Just check the active table of DSO and make sure that you have all the 59 records available.
Another important thing is check the primary key of your master data i.e. if there is any compounding attribute if not then records from DSO might be getting overwritten in the master data. i.e. only 6 unique records.
Regards,
Durgesh. -
Transport Request No is not population while doing changes in DEV system
Hi When I doing some changes in DEV system , its not populating Transport Request No . Could you please help me here..
Hi Its solved now.I just changed the settings in transport connection. Here are the steps..
go to RSA1 --> Transport connection--> EDIT-->TRANSPORT-->SWITCH _ON_STANDARD.
It now populating tr req no all the time if there is a change in DEV.
Thank you. -
Custom Attribute in OIM user Form is not populated.
Hi Friends,
I am new to this Identity Manager Technology. I really all ur support.
I am using oracle Identity Manager 9.1.0.2 version with JBoss server. The Target System is Sun One directory.
1. I added the custom field street in Resource Object--Object Reconciliation Tab for Xellerate User and also for Iplanet Users objects.
2. In Process definition, for iplanet user provisioning Process and Xellerate Users provisioning process, in Reconciliation Field Mappings. I mapped the street field to the UDF(street) and also for UD_iplanet_Street .
3. When I run the task schedular for Iplanet User Recon, the string associated with the field in Iplanet is reflecting in resource profile of the user view/Edit. However, it is not populated in OIM User Form Field.
Can you please help me in resolving the issue. I will provide any further needed information.
Thanks and Regards,
ManjulaThank you for your prompt reply.
Yes. I tested it.. I can see the street field in the process form is populated with the string. However, I cannot see the same in the OIM User Profile Form. That Means, When I go to User folder in Admin and User Console, Manage Users and then select the user associated with the street field, the street field for the user is not populating and is empty without any string.
Please clarify me.
Thanks and Regards,
Manjula. -
ISE v1.2 - Status-Server - 5405 RADIUS Request dropped
Just a note:
Some devices send regular RADIUS status messages;
The ISE drops these as
Event: 5405 RADIUS Request dropped
Failure Reason: 11031 RADIUS packet type is not a valid Request
Root cause: RADIUS packet type is not a valid Request.
Wireshark shows:-
Code: Status-Server (12)
Attribute Value Pairs:
AVP: l=6 t=Service-Type(6): Shell-User(6)
AVP: l=18 t=Message-Authenticator(80): df48bb4b50f0a772bd7c891ef6548c68
AVP: l=6 t=NAS-IP-Address(4): 10.1.1.1
I believe that ISE should accept and respond to these messages RFC5997 up2866.
A RADIUS server or proxy implementing this specification SHOULD respond to a Status-Server packet with an Access-Accept (authentication port) or Accounting-Response (accounting port). An Access-Challenge response is NOT RECOMMENDED. An Access-Reject response MAY be used.Neno
Nothing to do with that,
The devices will use RADIUS to authenticate fine; databass, credentials, etc fine.
However they send keepalives to validate the RADIUS server is still there. ISE doesn't implement this and ISE logs get full of rejections. The end devices are unable to prioritise which ISE to used based on up/down. But still work.
This was just a note to everyone so they are aware of the issue, -
Windows Radius / NPS not working with mac book pro 10.9.4 wired
Hi,
I'm trying to get my Radius windows server 2012 working with the correct setting for using 802.1x wired connection for the mac book pro. The only issue I'm having is there is not much setting in the mac book pro. I'm not sure what need to setup on the sever to make it connect correctly and assign it to the correct vlan when it's authenticated.
Here are some screen shoots for my mac book pro
So I've got it up to a point where I have this issue and here is my screen shots setting:
So the above are my windows 2012 screen shot settings.
On the mac book pro, I'm getting a prompted about adding certificate and I've added that into the laptop and then I need to put the username and password information. I put the following:
[email protected] and the password.
I'm current working with someone at HP on the switch settings, everything looks good.
I know the following:
1. Wireshark: shows server is getting request from the switch but it's not accepting them here are my logs on the NPS:
RAD01 6274 Information Microsoft Windows security auditing. Security 2014-08-21 12:40:24 PM
Here is the detail of the machine:
Network Policy Server discarded the request for a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: S-1-5-21-2690993882-1154983957-2264505580-1328
Account Name: [email protected]
Account Domain: LCS
Fully Qualified Account Name: LCS\username
Client Machine:
Security ID: S-1-0-0
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: b4-39-d6-ec-2c-00
Calling Station Identifier: ac-7f-3e-e6-32-34
NAS:
NAS IPv4 Address: xx.xx.xx.xx
NAS IPv6 Address: -
NAS Identifier: 5412zl-xxx-xxxxswithname
NAS Port-Type: Ethernet
NAS Port: 170
RADIUS Client:
Client Friendly Name: HP Procurve 5412zl switch
Client IP Address: xx.xx.xx.xx
Authentication Details:
Connection Request Policy Name: Secure Wired (Ethernet) Connections
Network Policy Name: Secure Wired (Ethernet) Connections
Authentication Provider: Windows
Authentication Server: rad01.xxx.xxx.ca
Authentication Type: EAP
EAP Type: -
Account Session Identifier: -
Reason Code: 1
Reason: An internal error occurred. Check the system event log for additional information.
Again I don't know what's the correct setting the default 802.1x for mac book pro, but it should correct.
I'm also not sure what the internal error message is regarding about. The switch should automatically put me to vlan 7
Can you some please help out what the correct authentication method for mac 10.9.4.
ThanksFlash Player is a browser add-on, not a standalone application.
You can test if the player is correctly installed at http://www.adobe.com/software/flash/about/ -
Contract Source of Supply Not Populating in SC
Hello:
We are in a classic scenario of SRM 5.0 and the source of supply in the SC is not populating (either from an existing local contract or backend contract). Our expected result is to see the contract(s) associated with that material under the "source of supply" grouping.
- Side note: When creating a local contract in SRM, we get a dialog box with the error message "ordering party could not be determined" Not sure if this is related to the big issue, but it looks like an org structure error and we can't figure out the related attribute.
Can you help shed some light on the situation?
Much appreciation,
Edgar
Message was edited by:
Edgar AlconeraMaster data conflict
-
Return order BUS2102 Workflow container data not populated
Hi All,
Please requesting you to provide your advise on the below issue.
I have created a custom workflow with business object BUS2102
In the Workflowtemplate (E.g. WS90000XXX)
i have included the triggering event for BUS2102 with EVENT "CREATED" and
added a container element SDReturnCN of type BUS2102
Once the Return Order is created the Workflow is getting triggered successfully
but data is not populated into the container SDReturnCN.
Do i need to write and EXIT to populate container UNLIKE as in Credit memo bussiness object :BUS2094
if yes please let me know which part i am missing.
Thanks & Regards,
Veeru.Hello,
"but data is not populated into the container SDReturnCN."
Check the bindings. Where is the value coming from?
regards
Rick Bakker
hanabi technology -
Message type is not populating in the Inbound idoc control record
Hi,
I have created an Inbound Idoc function module and have done the necessary Idoc settings. But, while testing in WE19, I observed that control record is not getting populated with message type and it is dumping.
The settings which I have done in WEDI as follows:
1. Created Idoc segments with necessary fields and released
2. Created Idoc type for the segment type
3. Created message type
4. Assigned message type to basic type
5. In the inbound processing settings,
filled the ALE attributes with the Idoc function module name and input value '0'
6. Assigned FM to basic type and message type
7. Created process code and assigned the process code to message type
Please let me know, the reason for the message type not populating in the control record. Useful answers will be surely rewarded.
Best Regards,
MallikaHi,
Maintain partner profile (Transaction code WE20) for the message type you defined in WE81 and put your process code in partner profile and check your logical system settings also in transaction SALE.
Thanks
Rahul -
Process scheduler server list is not populating in SERVER LIST page.
Need urgent help.
We have PeopleSoft Campus Solution 8.52,9.0 application. We had two Process Scheduler server one in Linux and one in NT. There was one issue that all the jobs which processed were getting into success and reports were also posted,however it was not updating the database with data. In order to solve it I created a new Process Scheduler server at onther NT machine. This time when I navigated to Process Monitor --> Server List pages it has no data there. I ran COBOL job but it went to successful and report posetd but nothing was updated into the database.
Please help me out of this situation.
Thanks
VikrantThanks a lot RCC for your response.
There is actually three issues
1)Process Monitor Server List page has no data.
2)As I go to run a process in the system process request I see that the Server Name,Reccurence,Type and Format are not workin or they are disabled.
3)Cobol jobs which I am running through PSNT is not updating database,however the Process is getting successful and reports are having posted status,but when I go to see Reports it is not having any output file its blank.I tried to check the reports at webserver,there were also no reports were published,However it works properly for all other Process.
For the first problem it has got resolved the solution is in this "Process Monitor Server List Not Populating With Data (Doc ID 615323.1)"( for those who face this problem in future :)).
For your query RCC, I have named same name of PSNT which was earlier in the different machine.
Please help
Thanks
Vikrant.
Maybe you are looking for
-
Apple Mail in iOS 8 is broken on my iPad 3
Hi all. I don't know what is happening with my iOS Mail App after upgrading to iOS8. I even did a full restore of my device (iPad3) configuring it as a new iPad and the problem persists. There is a strong delay in pulling data from the email accounts
-
What quicktime movie settings for use in Logic
Hi, I'm working on a 50 track mix of a live gig which was also filmed and I have to work to picture. I was advised to ask the video editor to give me the following: Quicktime Sorenson codec (or Sorenson3). Limit data rate to 500 kbps, 320 x 240. But,
-
Dispaly setting in web dynpro abap
Hi expart, My required is i want to display the data in TABLE and i change the dispaly setting for the output table . path is setting->HIDE GROUP i want to change this properties. THANK'S AND REGARD'S. VIKASH.
-
ESS pages coming in english in Chinese language
Hi All, The ESS page (personal information, travel & expense) is coming in English though the language is changed to Chinese. The page is part of a custom role which is copied from standard employee self service role. Please help me to resolve the i
-
Iphoto book printing outside US
I want to order an iPhoto book in The Netherlands. When I press Buy Book I only get the option to buy in the US. I created a new Apple ID with an address in The Netherlands. Still I can only enter a shipping address in the US when I press Buy Book.