Radius server for lab work

I am studying Routing & Switching, but I also need to have a general understanding of the security features: AAA authentication, dot1x etc. It is probably the weakest link in my chain of knowledge because I have never used those features.
I really need to play with the protocols in the lab to get a basic understanding of them. Is there some cut-down Radius server, preferably freeware running on a PC, that can be used for basic lab work? Can someone guide me through obtaining and installing it?
Kevin Dorrell
Luxembourg

Hi Kevin
You should be able to get an eval license for Cisco's Secure ACS that you could use in the lab. It is free for download on the Cisco site.
It does run out after 3 months so it depends on how long you need it for.
The other option is to use the Microsoft Radius server (IAS) which comes with W2K Advanced Server. I haven't used it so I can't really comment other than that.
HTH
Jon

Similar Messages

  • Radius server for 802.1x port authentication

    Does anybody know if CiscoSecure for Unix version 2.3.6.2 can be used as a Radius server for 802.1x port authentication? I know the Windows version will do this and can be configured to assign a user to a specific VLAN, but can the UNIX software do the same?
    Thanks

    Check connectivity between the PIX and the server.
    If the server is outside the PIX, verify that it is specified in the (if_name) parameter of the aaa-server command. In the example below, the (if_name) parameter represents outside.
    aaa-server group_tag (if_name) host server_ip key timeout 5
    If you are using TACACS+, verify that the PIX and server are communicating on the same port (Transmission Control Protocol (TCP)/49).
    If you are using RADIUS, verify that the PIX and server are communicating on User Datagram Protocol (UDP) port 1645. Or, if the RADIUS server is using port 1812, verify that the PIX is using software version 6.0 or later, and then issue the aaa-server radius-authport 1812 command to specify port 1812.
    Ensure that the secret key is correct.
    Check the server logs for failed attempts. All servers have some kind of logging function.

  • Cisco 5508-WLC using MS NPS as RADIUS Server for EAP-TLS

    Has anyone experienced a problem getting a Cisco WLC to work with an MS NPS server? We've done it before, albeit with different code versions.
    I have a Cisco 5508 WLC running 7.0.116.0 code hosting a WLAN configured for WPA2 with 802.1x for authentication.  I have two Windows NPS servers configured as the RADIUS servers for EAP-TLS authentication. Via debug info on the WLC I can see the 802.1x handshake take place with the wireless client and the WLC as well as a successful transmission of an Authentication Packet from the WLC to one of the RADIUS servers. However on the WLC I see repeated RADIUS server x.x.x.x:1812 deactivated in global list and on the NPS server I'm seeing event log errors indicating "The Network Policy Server discarded the request for a user"  along with the pertinent auth request info that I would expect the NPS server to receive from the WLC.
    Based on the WLC debug info I'm never actually getting to the EAP-TLS certificate authentication part. It seems the NPS servers don't like the format of the initial RADIUS authentication request coming from the WLC and so don't respond, which in turn causes the WLC to switch to the other NPS server, which produces the same issue.
    Any ideas of what might be the issue or misconfiguration?

    Jim,
    I wanted to know if you can setup wireshark on both of the boxes and see if your are hitting the following bug:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCti91044
    It looks as if the WLC is retransmitting the client traffic from one radius session with the primary over to the secondary, in which case the radius State attribute that was assigned by the primary server is probably hitting the secondary server. Therefore, if the State attribute isn't assigned by the secondary server, it will discard the packet.
    May need to open a TAC case to see if this issue is on the 550x controllers also.
    Thanks,
    Tarik

  • Wrv200 and radius server does not work

    I am "upgrading" from a dlink di-524 to a wrv200 because I want multiple ssid's. I have my old ssid configured to use the same radius server, port, password, etc. on the wrv200 as on the dlink. When I try to connect it does not authenticate. (Using certificates - wpa2 Enterprise.) The dlink will still authenticate if I plug that back in. The wrv200 seems to be getting to the radius server since it will complain if I change the ip address of the wrv200 to something unexpected. However, the authentication never finishes. It's as if something just does not pass through the router or is dropped. There are no messages on the radius server, not even a rejected or successful message. Does anyone have any ideas on this? I'd hate to have to use 2 routers to add an ssid (I already have 3 in my network.)
    Message Edited by Howlie on 12-11-2007 06:48 PM

    Sorry to take so long to reply. I'm using freeradius under Fedora 7. Thanks for the url but I already saw that when I was setting up the radius server. I chatted with tech support about the issue and, since I'm using a wrvs4400n with the same radius settings and working, it is probably a firmware issue. I guess I'll have to just wait for the firmware to catch up.
    Message Edited by Howlie on 12-15-2007 03:44 AM

  • Radius server for Sun Java directory Server?

    I want to know what products Sun offers to provide a RADIUS server using the Sun Java Directory Server.
    I have only seen Sun Access Manager, but it is a complex/expensive product to use only for the RADIUS server.
    Regards

    Nope
    This is part of the Oracle Lifetime Support policy:
    http://www.oracle.com/us/support/lifetime-support/index.html
    'OLD' products can/may still be supported under *SPECIAL* support contracts. So if you're entitled to its support, you can access it. Otherwise, I'm afraid the answer is no.
    HTH,
    Marco

  • Setting Radius server for Airport Extreme

    Hi all,
    I have an Airport Extreme AP. I updated it to the latest version of the firmware and Airport Utility.
    I am trying to set the AP to connect to a Microsoft Radius server (Windows Server 2003). The problem is that in the security settings I don't have WPA/WPA2 Enterprise. I only have WPA/WPA2 Personal. I do have the option to configure the radius properties (IP, port, etc.).
    What should I do in order to set my AP to connect to Microsoft Windows server 2003?
    Thanks for your help.

    About the only one I'm aware of is the D-Link DPR-1260, which supports up to 4 printers. I have the predecessor to this print server, but it was horribly unreliable, requiring a reboot at least once a day, so YMMV. I settled on a Buffalo WLI-TX4-G54HP wireless-to-Ethernet bridge (with built-in 4-port Ethernet switch) and use my Belkin F1UP0001 in Ethernet mode. This combination gives me the option of adding network-enabled printers at a later date.

  • Using root bridge as a fallback radius server for WPA and EAP

    From reading the different documentation out there, it seems that one should be able to configure a root bridge as a fallback radius server in case a primary radius server were to be unreachable. Has anyone encountered this situation? And could they share the steps and configuration statements to apply the bridges (1310 or 1410) in order to make this happen?
    Many Thanks and Regards,
    Giles -

    Yes, you have to first configure a root bridge as a fallback radius server in case a primary radius server were to be unreachable

  • Outputting a 16/9 sequence to tape for lab work

    Hi to all,
    This is probably going to sound like an awfully stupid question to most of you. But I need to find the answer before morning, so your help is greatly appreciated.
    I need to output a 16/9 sequence to DVCAM. it is being sent to a lab tomorrow for color correction, mastering and encoding.
    The lab specifically needs the footage on tape.
    My first intuition was to export the 720x576 QuickTime movie to tape. The frame size would be the original captured size, and it would then be flagged as anamorphic at the lab.
    Or should I output it as a letterboxed 4/3 film?
    See what I mean?
    thanks for your help.
    tee.

    That seems to make a lot of sense!
    thanks Jerry.
    tee

  • Is it possible to map a Sponsor Group in Cisco ISE to a user group in Active Directory, through a RADIUS server?

    Hi!!
    We are working on a mapping between a Sponsor Group in Cisco ISE and a user group in Active Directory, but the client wants the mapping to be through a RADIUS SERVER, to avoid ISE querying the Active Directory directly.
    I know it is possible to use a RADIUS SERVER as an external identity source for ISE, but is it possible to use this RADIUS SERVER for this sponsor group handling?
    Thanks and regards!!

    Yes, it is possible to map a Sponsor group to a user group in AD. If you want to know how to do it, please open the link below and go to the Mapping Active Directory Groups to Sponsor Groups heading.
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html#wp1096365

  • WLC not integrating with Radius Server

    Hello world,
    I have the following situation:
    One WLC 2000 Series (software version 7.0.230.0) with multiple SSIDs, one of which is 802.1x integrated with a Radius Server.
    Everything worked fine until a few days ago, when users were unable to log on via their certificates on Windows XP.
    The infrastructure didn't suffer modifications.
    What I have checked: the Radius certificate isn't expired, the client certificate isn't expired, the password between the controller and Radius is correct.
    There are no ACLs between the WLC and the remote Server. I can ping the devices; other SSIDs on the same controller (wpa/psk) are working correctly.
    The APs are 1242.
    I have tried deleting the SSID and configuring it back. The OS on the Windows Server is 2003 Standard. The APs are configured H-REAP.
    I have increased the Server Timeout for the Radius Authentication Servers from 2 to 30 sec.
    The message logs received in the WLC Trap Logs:
    RADIUS server X.X.X.X:1812 failed to respond to request (ID 161) for client xx.xx.xx.xx.xx.xx/ user 'unknown'
    The message from the debug dot1x aaa enable:
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_CALLING_STATION_ID(31) index=1
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_CALLED_STATION_ID(30) index=2
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_PORT(5) index=3
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_INT_CISCO_AUDIT_SESSION_ID(7) index=4
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_IP_ADDRESS(4) index=5
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_IDENTIFIER(32) index=6
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_VAP_ID(1) index=7
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_SERVICE_TYPE(6) index=8
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_FRAMED_MTU(12) index=9
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_PORT_TYPE(61) index=10
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_EAP_MESSAGE(79) index=11
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_RAD_STATE(24) index=12
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_MESS_AUTH(80) index=13
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df AAA EAP Packet created request = 0x1cff348c.. !!!!
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Sending EAP Attribute (code=2, length=6, id=10) for mobile xx.xx.xx.xx.xx.xx.
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00000000: 02 0a 00 06 0d 00                                 ......
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
    *radiusTransportThread: Mar 06 09:37:07.328: 00:15:e9:33:75:df [BE-resp] AAA response 'Interim Response'
    *radiusTransportThread: Mar 06 09:37:07.328: 00:15:e9:33:75:df [BE-resp] Returning AAA response
    *radiusTransportThread: Mar 06 09:37:07.328: 00:15:e9:33:75:df AAA Message 'Interim Response' received for mobile xx.xx.xx.xx.xx.xx.
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.329: 00:15:e9:33:75:df Skipping AVP (0/27) for mobile xx.xx.xx.xx.xx.xx.
    The messages on Windows 2003 Standard:
    User Y was denied access.
    Fully-Qualified-User-Name = xx.domain.com/Users_T/user
    NAS-IP-Address = X.X>X.X
    NAS-Identifier = Cisco_
    Called-Station-Identifier = ---------------------
    Calling-Station-Identifier = ---------------------
    Client-Friendly-Name = ---------------------
    Client-IP-Address = ---------------------
    NAS-Port-Type = Wireless - IEEE 802.11
    NAS-Port = 1
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = Wireless Policy
    Authentication-Type = EAP
    EAP-Type = Smart Card or other certificate
    Reason-Code = 262
    Reason = The supplied message is incomplete.  The signature was not verified.
    Can anyone help with why I cannot log the users in via 802.1x?

    Okay that is good..... this is what I would do next. I would create a test SSID that uses PEAP MSCHAPv2 and create a new policy in IAS that is basic. Allow 802.1x wireless and user group only and see if you can reconfigure one of the XP machines for PEAP. Can you also post a screenshot of your policies (connection and network) so we can review it.

  • Web authentication with Radius server problem

    Hello,
    I'm having a problem web-authenticating users via the radius server for one WLC. Here is the output from the WLC:
    *emWeb: Mar 26 14:17:31.537: 20:7d:xx:xx:d8:f0 Username entry (aaaaaa) created for mobile, length = 7
    *emWeb: Mar 26 14:17:31.537: 20:7d:xx:xx:d8:f0 Username entry (aaaaaa) created in mscb for mobile, length = 7
    *aaaQueueReader: Mar 26 14:17:31.537: Unable to find requested user entry for aaaaaa
    *aaaQueueReader: Mar 26 14:17:31.537: ReProcessAuthentication previous proto 8, next proto 1
    *aaaQueueReader: Mar 26 14:17:31.537: AuthenticationRequest: 0x1e08eb94
    *aaaQueueReader: Mar 26 14:17:31.538:   Callback.....................................0x10908d90
    *aaaQueueReader: Mar 26 14:17:31.538:   protocolType.................................0x00000001
    *aaaQueueReader: Mar 26 14:17:31.538:   proxyState...................................20:7D:xx:xx:D8:F0-00:00
    *aaaQueueReader: Mar 26 14:17:31.538:   Packet contains 11 AVPs (not shown)
    *aaaQueueReader: Mar 26 14:17:31.538: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
    *aaaQueueReader: Mar 26 14:17:31.538: 20:7d:xx:xx:d8:f0 Successful transmission of Authentication Packet (id 67) to 10.xx.33.249:1645, proxy state 20:7d:xx:xx:d8:f0-00:01
    *aaaQueueReader: Mar 26 14:17:31.538: 00000000: 01 43 00 8c 48 7c a7 ff  df 06 53 30 c0 be e1 8e  .C..H|....S0....
    *aaaQueueReader: Mar 26 14:17:31.538: 00000010: d7 fd 8b d3 01 09 73 65  66 72 73 76 65 02 12 7b  ......aaaaaa..{
    *aaaQueueReader: Mar 26 14:17:31.538: 00000020: ae 2e f5 eb fa cf f5 cc  3b 08 65 d7 04 0e ba 06  ........;.e.....
    *aaaQueueReader: Mar 26 14:17:31.538: 00000030: 06 00 00 00 01 04 06 0a  2e 09 14 05 06 00 00 00  ................
    *aaaQueueReader: Mar 26 14:17:31.538: 00000040: 0d 20 0d 73 65 76 73 74  2d 6c 77 63 31 30 3d 06  ...xxxxx-lwc10=.
    *aaaQueueReader: Mar 26 14:17:31.538: 00000050: 00 00 00 13 1a 0c 00 00  37 63 01 06 00 00 00 01  ........7c......
    *aaaQueueReader: Mar 26 14:17:31.538: 00000060: 1f 0e 31 39 32 2e 31 36  38 2e 31 2e 36 31 1e 0c  ..192.168.1.61..
    *aaaQueueReader: Mar 26 14:17:31.538: 00000070: 31 30 2e 34 36 2e 39 2e  32 30 50 12 95 11 7c d9  10.xx.9.20P...|.
    *aaaQueueReader: Mar 26 14:17:31.538: 00000080: 75 8e 01 6e bf 62 38 f8  38 ab 68 4a              u..n.b8.8.hJ
    *radiusTransportThread: Mar 26 14:17:31.603: 00000000: 03 43 00 14 e5 8c e7 75  52 04 af e0 07 b7 fb 96  .C.....uR.......
    *radiusTransportThread: Mar 26 14:17:31.603: 00000010: c1 4a fb 40                                       .J.@
    *radiusTransportThread: Mar 26 14:17:31.603: ****Enter processIncomingMessages: response code=3
    *radiusTransportThread: Mar 26 14:17:31.603: ****Enter processRadiusResponse: response code=3
    *radiusTransportThread: Mar 26 14:17:31.603: 20:7d:xx:xx:d8:f0 Access-Reject received from RADIUS server 10.xx.33.249 for mobile 20:7d:xx:xx:d8:f0 receiveId = 0
    *radiusTransportThread: Mar 26 14:17:31.603: ReProcessAuthentication previous proto 1, next proto 2
    *radiusTransportThread: Mar 26 14:17:31.603: AuthenticationRequest: 0x1da9fa4c
    *radiusTransportThread: Mar 26 14:17:31.603:    Callback.....................................0x10908d90
    *radiusTransportThread: Mar 26 14:17:31.603:    protocolType.................................0x00000002
    *radiusTransportThread: Mar 26 14:17:31.603:    proxyState...................................20:7D:xx:xx:D8:F0-00:00
    *radiusTransportThread: Mar 26 14:17:31.603:    Packet contains 11 AVPs (not shown)
    *radiusTransportThread: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Returning AAA Error 'No Server' (-7) for mobile 20:7d:xx:xx:d8:f0
    *radiusTransportThread: Mar 26 14:17:31.605: AuthorizationResponse: 0x2dd03648
    *radiusTransportThread: Mar 26 14:17:31.605:    structureSize................................32
    *radiusTransportThread: Mar 26 14:17:31.605:    resultCode...................................-7
    *radiusTransportThread: Mar 26 14:17:31.605:    protocolUsed.................................0x00000002
    *radiusTransportThread: Mar 26 14:17:31.605:    proxyState...................................20:7D:xx:xx:D8:F0-00:00
    *radiusTransportThread: Mar 26 14:17:31.605:    Packet contains 0 AVPs:
    *emWeb: Mar 26 14:17:31.605: Authentication failed for aaaaaa
    *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Username entry deleted for mobile
    *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Plumbing web-auth redirect rule due to user logout
    *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 192.168.1.61 WEBAUTH_REQD (8) Deleting mobile policy rule 42461
    *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Adding Web RuleID 42464 for mobile 20:7d:xx:xx:d8:f0
    *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Web Authentication failure for station
    *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 192.168.1.61 WEBAUTH_REQD (8) Reached ERROR: from line 5069
    That made it pretty clear to me that Radius is refusing to give the user access.
    Fully-Qualified-User-Name = NMEA\aaaaaa
    NAS-IP-Address = 10.xx.9.20
    NAS-Identifier = xxxxx-lwc10
    Called-Station-Identifier = 10.xx.9.20
    Calling-Station-Identifier = 192.168.1.61
    Client-Friendly-Name = YYY10.xx
    Client-IP-Address = 10.xx.9.20
    NAS-Port-Type = Wireless - IEEE 802.11
    NAS-Port = 13
    Proxy-Policy-Name = Use Windows authentication forall users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = YYYYY Wireless Users
    Authentication-Type = PAP
    EAP-Type = <undetermined>
    Reason-Code = 66
    Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy
    That output is from WLC 5508 version 7.0.235
    What is strange is that the user was able to authenticate from the other WLC (4402, ver 4.2.207) before the refresh. I cannot change the WLC because of the APs, which cannot run the old version.
    This is the output from a working client connection on the old WLC:
    NAS-IP-Address = 10.xx.9.13
    NAS-Identifier = xxxxx-lwc03
    Client-Friendly-Name = YYY10.46
    Client-IP-Address = 10.xx.9.13
    Calling-Station-Identifier = 192.168.19.246
    NAS-Port-Type = <not present>
    NAS-Port = <not present>
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = YYYYY Wireless Guest Access
    Authentication-Type = PAP
    EAP-Type = <undetermined>
    I know a different Policy Name is used, but my question is why it is not using the same one as on the old WLC when the configuration is the same.
    Is there any way I can force users to use a different policy from the WLC or AP configuration, or is this solely the configuration of Radius?
    Is it maybe a problem of version 7.0.235?
    Any thoughts would be much appreciated.

    Scott,
    You are probably right. The condition that is checked for the first policy name (we have 2) is to match
    NAS-Port-Type = Wireless - IEEE 802.11, and this is basically used to differentiate guests from other company users.
    As you can see from the logs, the one that is working correctly is not sending NAS-Port-Type. The question is why.
    As I said before:
    WLC 5508 ver. 7.0.235 is sending NAS-Port-Type
    WLC 4402 ver. 4.2.207 is not.
    The same user was working OK on the 4402 WLC and after the refresh and associating the APs to the 5508 it all broke, so the client did not change anything on the adapter.
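    Added example (not code from any of the posters, Cisco or Microsoft) tying together two details these threads turn on: the attributes a NAS puts in an Access-Request, including the NAS-Port-Type value 19 that the 5508 sends and a policy can match on, and the Message-Authenticator that a server recomputes with its own copy of the shared secret, so a wrong secret or a modified packet is rejected. It uses only the Python standard library; the secret testing123, the identifier lab-wlc01 and the addresses 10.0.0.20 and 192.0.2.61 are constructed lab values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS attribute numbers used below (RFC 2865 / RFC 2869)
ACCESS_REQUEST = 1
MESSAGE_AUTHENTICATOR = 80
NAS_PORT_TYPE_WIRELESS_80211 = 19   # what IAS/NPS logs as "Wireless - IEEE 802.11"
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type",
              31: "Calling-Station-Id", 32: "NAS-Identifier", 61: "NAS-Port-Type",
              80: "Message-Authenticator"}

# Constructed lab values, not taken from any poster's network.
SECRET = b"testing123"
SAMPLE_ATTRS = [
    (1, "labuser"),                      # User-Name
    (6, 1),                              # Service-Type = Login
    (4, bytes([10, 0, 0, 20])),          # NAS-IP-Address 10.0.0.20
    (5, 13),                             # NAS-Port
    (32, "lab-wlc01"),                   # NAS-Identifier
    (61, NAS_PORT_TYPE_WIRELESS_80211),  # sent by the 5508, absent from the 4402's requests
    (31, "192.0.2.61"),                  # Calling-Station-Id (client IP for web-auth)
]


def avp(attr_type, value):
    """Encode one attribute: type, length (header included), value."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    elif isinstance(value, str):
        value = value.encode()
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(identifier, secret, attrs, authenticator=None):
    """Access-Request with Message-Authenticator = HMAC-MD5(secret, packet with the
    attribute value zeroed), as RFC 2869 section 5.14 specifies."""
    if authenticator is None:
        authenticator = os.urandom(16)   # Request Authenticator, random per request
    body = b"".join(avp(t, v) for t, v in attrs)
    body += avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16)   # placeholder, replaced below
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    packet = header + authenticator + body
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()


def parse(packet):
    """Return (code, identifier, authenticator, [(type, offset, value)]); ValueError if malformed."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("length field does not match packet size")
    avps, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % pos)
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        avps.append((t, pos, packet[pos + 2:pos + l]))
        pos += l
    return code, identifier, packet[4:20], avps


def verify_message_authenticator(packet, secret):
    """True only if the attribute is present and matches `secret`; a wrong secret or any edit gives False."""
    try:
        _, _, _, avps = parse(packet)
    except ValueError:
        return False
    for t, pos, value in avps:
        if t == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False


def describe(packet):
    """Decode attributes into the name = value view a server log shows."""
    out = {}
    for t, _, v in parse(packet)[3]:
        name = ATTR_NAMES.get(t, "Attr-%d" % t)
        if t == 4:
            out[name] = ".".join(str(b) for b in v)
        elif t in (5, 6, 61):
            out[name] = struct.unpack("!I", v)[0]
        else:
            out[name] = v.hex() if t == MESSAGE_AUTHENTICATOR else v.decode(errors="replace")
    return out
```

Running describe() on the sample shows NAS-Port-Type = 19, the condition the poster's first policy matches on; verify_message_authenticator() with a different secret returns False, which is the situation the "check the secret key" step in the PIX checklist is about.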

  • Radius configuration for 802.1X on Radiator

    Greetings:
    We are using Radiator 3.16 (http://www.open.com.au/radiator/) as our Radius server. It's working fine for VPN authentication.
    We're trying to use 802.1X on our wireless network. Does anyone have a Radiator config for using EAP-PEAP? We can't seem to figure the Radiator part out.
    Thanks.

    The IEEE 802.1x standard defines a client-server-based access control and authentication protocol that prevents unauthorized clients from connecting to a LAN through publicly accessible ports unless they are properly authenticated. Refer to this URL:
    http://www.cisco.com/en/US/partner/products/hw/switches/ps5023/products_configuration_guide_chapter09186a00805a64d7.html#wp1205506

  • Cannot get SG300 switch to send RADIUS messages for 802.1x

    I  want to eventually configure the SG300 to authenticate wired clients with 802.1x and Microsoft NPS (RADIUS). I am currently testing this setup using a single port (Port 7) on my SG300, a test machine, and an AD based Network Policy Server.
    The problem I have is that when I change the Administrative Port Control for Port 7 to Force Authorized, I see this log entry:
    Informational %SEC-I-PORTAUTHORIZED: Port gi7 is Authorized
    And then when I change the port control to Auto the port immediately changes to Unauthorized and I see this log entry:
    Warning %SEC-W-PORTUNAUTHORIZED: Port gi7 is unAuthorized
    However I never see any RADIUS messages being sent from the SG300 to my RADIUS server or from the SG300 to the test machine plugged into port 7. I am using WireShark on my RADIUS server to watch for messages from the SG300 IP Address and I'm using WireShark on a second test machine that is configured to monitor the NIC card in the test machine plugged into port 7 (I'm using Hyper-V and its facilities for this NIC monitoring setup.)
    Here is my configuration:
    Switch - 10.1.1.3
    RADIUS (Microsoft NPS)- 10.1.1.15
    Switch Usage Type - All (Login and 802.1x)
    Port 7 configuration:
    VLAN Mode is General
    Host Authentication is Single Host Authentication
    Administrative Port Control is Auto
    RADIUS VLAN Assignment is Disabled
    Guest VLAN is Enabled
    802.1x Based Authentication is Enabled
    Additional Configurations under Security - 802.1x/MAC/Web Authentication:
    Port Based Authentication is Enabled
    Authentication Method is RADIUS
    Guest VLAN is Enabled
    Guest VLAN ID is 2
    All of my VLANs are enabled for Authentication
    I've got to be missing something but I do not know what that something is.
    One last note:
    The SG300 uses the same RADIUS server for management console access and it works without problem. When I log into the switch, WireShark shows the RADIUS messages from the switch to the RADIUS server and back. So I know RADIUS is configured correctly on the switch.

    Hi,
    This is my working configuration where port gi3 has DVA configured as well. You might skip port gi3 but please compare to your config:
    interface  gi3
    dot1x host-mode multi-sessions
    exit
    vlan database
    vlan 30,100
    exit
    interface vlan 100
    dot1x guest-vlan
    exit
    dot1x system-auth-control
    interface range gi1,gi3
    dot1x reauthentication
    exit
    interface range gi1,gi3
    dot1x mac-authentication mac-only
    exit
    interface  gi3
    dot1x radius-attributes vlan
    exit
    interface range gi1,gi3
    dot1x guest-vlan enable
    exit
    interface gigabitethernet1
    dot1x port-control auto
    exit
    interface gigabitethernet3
    dot1x port-control auto
    exit
    radius-server host 192.168.1.122 priority 1
    radius-server key testing123
    aaa authentication dot1x default radius
    switch3ba5e1#
    Regards,
    Aleksandra

  • WLC Radius Server Load Balance

    Hi,
    Can someone provide me a detailed description of how WLC Radius Server Load Balance works?
    Because I encountered a problem where a user authenticated with the 1st Radius Server, but the Accounting Records are actually on the 2nd Server.
    Any response will be very appreciated
    -Angela

    Hi Angela,
    I pasted below the part of the config guide explaining the different modes. In summary:
    - Fallback off means: when the 1st radius server shows dead, the WLC moves to the second, and will only change again when the 2nd is dead too.
    - Passive means: when the 1st radius is dead, the WLC moves to the second. If there is a new authentication coming in, it will try the 1st radius server again.
    - Active means: the WLC constantly sends radius probes to detect when the primary is back up.
    config radius fallback-test mode {off | passive | active}
    where
    •off disables RADIUS server fallback.
    •passive causes the controller to revert to a server with a lower priority from the available backup servers without using extraneous probe messages. The controller simply ignores all inactive servers for a time period and retries later when a RADIUS message needs to be sent.
    •active causes the controller to revert to a server with a lower priority from the available backup servers by using RADIUS probe messages to proactively determine whether a server that has been marked inactive is back online. The controller simply ignores all inactive servers for all active RADIUS requests. Once the primary server receives a response from the recovered ACS server, the active fallback RADIUS server no longer sends probe messages to the server requesting the active probe authentication.

  • WPA2 and Radius server configuration

    On the page: http://cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008054339e.shtml
    it is described how to set up WPA2 and a Radius server.
    If I follow this, the Radius server does not work. In the document they describe that I need to use 10.0.0.1 as the IP, but my AP has a 192.168.1.251 address. Even if I enter that address, or the 10.0.0.1, it does not work.
    Normal WPA2 personal, without Radius does work.
    I use a 1100 series AP, (AIR-AP1120B-E-K9) with a AIR-MP21G and the firmware of the radio module is 5.90.11.
    The IOS version is 12.3(8)JA2.
    Does anyone know what to do?
    Haik

    Hello,
    I understand that. I have given the AP a fixed address, 192.168.1.251. This is outside the DHCP pool, from the router.
    Even if I use this address in the Radius configuration, it still does not work. My client (laptop with Intel Pro Wireless 2200 card) detects that there is a Radius server, and asks for a username / password.
    But even if I fill it in correctly (copy / paste) it does not work.
    So what can be wrong with this configuration?
    Haik
