Radius server issue

Hello all,
I have configured a RADIUS server on my SBS 2008 server. I am able to test it from the ASA successfully, however when I try to log in with the AnyConnect client I get a login failed. When I check the logs I see that the VPN is trying to authenticate against the local database and not my RADIUS server even though I have authentication-server-group set. I have also restarted the ASA thinking that was the issue.
Here is my config:
webvpn
 port 444
 enable outside
 svc image disk0:/anyconnect-win-3.1.03103-k9.pkg 1
 svc enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy OAC internal
group-policy OAC attributes
 wins-server value 192.168.2.2
 dns-server value 192.168.2.2
 vpn-tunnel-protocol svc webvpn
 group-lock value OAC
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value OAC
 default-domain value OAC.LOCAL
tunnel-group OAC type remote-access
tunnel-group OAC general-attributes
 address-pool vpnpool
 authentication-server-group OAC
 default-group-policy OAC
Thank you for any help,
Leon

Leon,
Looks like your connection is falling on the DefaultWebvpn tunnel group. You need to define a group list so as to choose OAC as the tunnel group for the connection. Here is what needs to be configured:
webvpn
 tunnel-group-list enable
tunnel-group OAC webvpn-attributes
 group-alias OAC enable
Users will connect to the correct OAC tunnel group to get authenticated from the RADIUS server.
Regards,
Varinder
P.S. Please mark this post as 'Answered' if you find the above information helpful so that it brings goodness to other community users
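As an added example (not from the post and not Cisco code), a small Python lint that reads ASA running-config text and flags the condition Varinder describes: a tunnel-group that names an external authentication-server-group but that no AnyConnect client can select, so the session lands on the default WebVPN tunnel group and LOCAL authentication. It assumes the one-space indentation of `show running-config` output, the ASA default of LOCAL when authentication-server-group is absent, and treats an enabled group-url as an alternative selector; the sample configs are constructed from the poster's snippet.

```python
import re

# Constructed sample mirroring the poster's config (ASA prints one-space indents):
# the tunnel-group names a RADIUS group, but nothing lets a client select it.
BROKEN_CONFIG = """\
webvpn
 enable outside
 svc enable
tunnel-group OAC type remote-access
tunnel-group OAC general-attributes
 address-pool vpnpool
 authentication-server-group OAC
 default-group-policy OAC
"""

# The same config with the two pieces from the accepted answer applied.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    " svc enable\n", " svc enable\n tunnel-group-list enable\n"
) + "tunnel-group OAC webvpn-attributes\n group-alias OAC enable\n"


def parse_sections(config):
    """Map each top-level command to the list of its indented sub-commands."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t":  # indented: sub-command of the current section
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def auth_server_group(general_attrs):
    """Primary AAA group named by authentication-server-group, else the ASA
    default LOCAL. Also handles the per-interface form
    'authentication-server-group (outside) OAC LOCAL'."""
    for line in general_attrs:
        tokens = line.split()
        if tokens and tokens[0] == "authentication-server-group":
            for tok in tokens[1:]:
                if not tok.startswith("("):
                    return tok
    return "LOCAL"


def lint_anyconnect_radius(config):
    """Return (tunnel_group, problem) pairs for tunnel-groups that use an
    external AAA group but cannot be selected by an AnyConnect client."""
    sections = parse_sections(config)
    group_list_enabled = "tunnel-group-list enable" in sections.get("webvpn", [])
    findings = []
    for header, body in sections.items():
        m = re.fullmatch(r"tunnel-group (\S+) general-attributes", header)
        if not m or auth_server_group(body) == "LOCAL":
            continue
        name = m.group(1)
        attrs = sections.get(f"tunnel-group {name} webvpn-attributes", [])
        # A group-url maps the client to this tunnel-group on its own, without
        # the drop-down list, so it counts as a valid selector.
        if any(re.fullmatch(r"group-url \S+ enable", line) for line in attrs):
            continue
        if not any(re.fullmatch(r"group-alias \S+ enable", line) for line in attrs):
            findings.append((name, "no enabled group-alias under webvpn-attributes"))
        if not group_list_enabled:
            findings.append((name, "webvpn lacks 'tunnel-group-list enable'"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint_anyconnect_radius(cfg) or "OK")
```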

Similar Messages

  • ISA550W RADIUS Server Secret issue

    Dear All,
    I have a Cisco ISA 550W device. I've configured wireless services for WPA2/Enterprise. Everything was fine till I restarted the box.
    After restart our clients cannot connect to the wireless network till I retype the RADIUS Server Shared Secret key. On the admin page I see the IP/port information, so this information remains. I just have to retype the secret key, and after saving our clients can use the wireless network till the next Cisco box restart.
    What can I do with this issue?
    Thanks in advance.
    Csaba

    Dear Csaba,
    Thank you for reaching Small Business Support Community.
    I would first suggest you run the latest firmware release v1.2.17 on the ISA550W:
    http://software.cisco.com/download/release.html?mdfid=283445567&flowid=37022&softwareid=282728525&release=1.2.17&relind=AVAILABLE&rellifecycle=&reltype=latest
    Please double check on this and let me know if the problem persists.  I'll be looking forward to your reply.
    Kind regards,
    Jeffrey Rodriguez S. .:|:.:|:.
    Cisco Customer Support Engineer
    *Please rate the Post so other will know when an answer has been found.

  • ISE 1.2 Patch 2 External RADIUS Server Sequence Broken?

    Hi community,
    We have upgraded our proof of concept ISE 1.2 lab to Patch level 2.
    Our lab design includes the use of external RADIUS servers which we off-load certain authentication rules to.
    To ensure resiliency of the external RADIUS service, we have two of these which we add to a RADIUS Server Sequence, the idea being that if the first in the list is unavailable, ISE will try the second and all will be well.
    Now this worked for us in testing ISE 1.2, but I have noticed that after the upgrade to Patch 2 ISE is sending the majority of RADIUS traffic to the first (failed) external RADIUS server, with only the odd RADIUS Access-Request to the next in the list.
    Anybody else come across this??
    All helpful comments rated!
    Many thanks, Ash.

    I couldn't find any known issues with this feature. Could you please paste a screenshot of the external RADIUS sequence and configuration? Also, how are we determining that the first server in the sequence is DEAD?
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Connecting AE to a RADIUS server wirelessly

    I have found several posts on this subject, but none that have the same circumstances. I am running a Snow Leopard Server with RADIUS enabled to authenticate users connecting to my AEBS/s. I need to join an AE to the network wirelessly to connect a printer which is in an area where I can't run cabling.
    I have tried numerous times and spent a lot of time on the internet looking for a solution. In most cases the perpetrators are trying to connect to a University network or some such. In my case I control both sides of the equation.
    Does anyone have an idea how I may be able to connect the AE to the AEBS wirelessly using the RADIUS server (802.1X, TTLS)?

    I too have the same issue. I have an Airport Extreme connected to a RADIUS server and I want to extend that with an Airport Express so I can use AirPlay on my stereo in the living room. Somebody help please.

  • Local radius server : one username for several devices ?

    I've just installed an AP 1231g as a local RADIUS server and I've got two devices that are authenticated by the AP with the same username/password.
    Isn't there a problem with that?

    Hi,
    Problem? No, there are no issues. You are using a single user name to access network devices.
    Regards,
    ~JG
    Please rate if helps

  • Server 2008 R2 RADIUS Server with a Cisco Aironet 1040 Wireless AP

    I am trying to get Server 2008 R2 RADIUS Server to work with a Cisco Aironet 1040 Wireless AP. I have installed the RADIUS server by MS standards and performed some searches on Google to configure the Cisco Aironet. I see others using a Wireless LAN Controller, which I do not have. I found this post below:
    https://supportforums.cisco.com/discussion/11546056/wlc-2504-radius-2008-r2-server
    But I have yet to locate a good step by step document on how to set it up, and I have found so many different ways that others have set it up, but none have yet to work. I am having authentication issues that I know of, and I do not see any errors in the Windows Event Viewer, and I do not know where the Access Point stores its logs for any sort of error. Keep in mind this is the first time I am doing this. I do not have a Wireless LAN Controller, and all my network / domain services are on individually built servers and not on one single server as I have seen with most of the documentation; they all say the same thing by putting the Certificate Services, Domain Services (AD / ADS, etc), and NPS together. I do not want that configuration and my setup should not be any different, but something is not right. I know from reading that this is not rocket science, but for someone who has never done it before this is difficult, as I keep reading on and so many people do it different ways, including what I have been reading according to what Cisco says to configure in the environment. Does anyone know where I can find good step by step documentation along with where I can look for logs on either device? I find that all the documentation I see on Cisco's website and from searching is old and outdated and has not been updated in a long time, so it is hard to determine what works and what does not work. I am stumped here and have been doing this for several weeks now with no luck. Thank you in advance.

    I did configure the Server 2008 R2 RADIUS Server using this video below: 
    https://www.youtube.com/watch?v=g-0MM_tK-Tk
    I also referenced Technet to make sure it was configured correctly as well. I am still not sure if I am 100% setup correctly on the Windows Server side, but I for sure want to make sure I have the AP side setup correctly. Do you know of a better article for the Windows Server 2008 R2 setup? Does it matter that I do not have all the services installed on the same server? Instead I have them installed on multiple servers.
    I have image number c1140-k9w7-tar.124.25d.JA1 on the AP. The part that confused me in that article, which I have seen before, was the part about "Setting up access point must be configured in the authentication server as an AAA client." What is the AAA Client? I also am not aware of having Cisco Secure ACS anywhere built into the AP, as that part threw me off completely. Do I need to skip these steps? Thank you for help on this.

  • Problems with re authentications in a wireless with WLC working with web authentication and a radius server

    Hi everyone, I'm having problems in a wireless network. The SSID has security layer 2 WPA, layer 3 web authentication (internal default page), and external RADIUS.
    When a client roams from one AP to another one, or when he has an idle time, he needs to re-authenticate on the web login page. Does somebody know a solution to avoid this behavior? Or does somebody have a troubleshooting method to determine why the clients have these problems?

    A few things I can share that might help. Your actual feet on the ground will be important to see this issue for yourself.
    I know when a client or the AP sends a DEAUTH frame the client will need to reestablish its connection, and it will 100% of the time require a new web auth. If a client loses connection while roaming and a DEAUTH is sent on either side you will get the page. If your client isn't roaming cleanly this can be a problem.
    Another problem is you're using EAP. Are you using CCKM or a device that supports OKC? What does your RADIUS server say when a client roams?
    You could also simplify your config and then reapply your security and see where it breaks. By this I mean: for testing, create an SSID, turn off security and leave layer 3 web auth on. Roam and see what happens. If it works, then start to apply the security and see where it breaks.
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    "I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • Cisco 5508-WLC using MS NPS as RADIUS Server for EAP-TLS

    Has anyone experienced a problem getting a Cisco WLC to work with an MS NPS server? We've done it before, albeit with different code versions.
    I have a Cisco 5508 WLC running 7.0.116.0 code hosting a WLAN configured for WPA2 with 802.1x for authentication. I have two Windows NPS servers configured as the RADIUS servers for EAP-TLS authentication. Via debug info on the WLC I can see the 802.1x handshake take place between the wireless client and the WLC, as well as a successful transmission of an Authentication Packet from the WLC to one of the RADIUS servers. However, on the WLC I see repeated "RADIUS server x.x.x.x:1812 deactivated in global list", and on the NPS server I'm seeing event log errors indicating "The Network Policy Server discarded the request for a user" along with the pertinent auth request info that I would expect the NPS server to receive from the WLC.
    Based on the WLC debug info I'm never actually getting to the EAP-TLS certificate authentication part. It seems the NPS servers don't like the format of the initial RADIUS authentication request coming from the WLC and so don't respond, which in turn causes the WLC to switch to the other NPS server, which produces the same issue.
    Any ideas of what might be the issue or misconfiguration?

    Jim,
    I wanted to know if you can setup wireshark on both of the boxes and see if your are hitting the following bug:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCti91044
    It looks as if the WLC is retransmitting the client traffic from one RADIUS session with the primary over to the secondary, in which case the RADIUS State attribute that was assigned from the primary server is probably hitting the secondary server. Therefore, if the State attribute wasn't assigned by the secondary server it will discard the packet.
    May need to open a TAC case to see if this issue is on the 550x controllers also.
    Thanks,
    Tarik

  • Radius server (not elektron!) interacting with mysql DB and LDAP

    I am installing a service that requires a radius server. I have tried to build and install freeradius from source, as well as used the installer packages that are out there. None of them include support for mysql. As soon as you turn on sql in the radiusd.conf you get an error like this:
    rlm_sql: Could not link driver rlm_sql_mysql: file not found
    Similar to the problem described here:
    http://www.freeradius.org/faq/#4.14
    Except that I get an error saying that rlm_sql_mysql.a is an invalid image. The file exists and freeradius sees it and can find it, it's just not usable by freeradius. Like I said, I have tried building this from the latest cvs source, and finally got it to build completely fine, and even accept connections.
    I just need it to authenticate to mysql now.
    Anybody have any pointers? I have tried some of the suggestions on the freeradius FAQ, but I think what I am encountering is an issue specific to OS X Tiger. I have even tried to install using darwinports, but the installation fails.
    The system I am trying to install this on is running 10.4.2 (I am apprehensive about updating the system, because of issues with mysql being hosed.)
    If anyone thinks or knows that 10.4.2 has specific issues as to why it cannot be installed on 10.4.2 I may need to look into doing a backup and then upgrade of the server, and attempt freeradius install on 10.4.7.
    Thanks in advance for any and all help!

    Big help you OS Xers are. J/P!
    Since this place is supposed to be about education, let's educate!
    I ended up installing OpenRadius and using RADsql (it comes with openradius). It's a bit finicky, but in the end it seems to be working. You also have to install Perl DBI and Perl DBD Mysql, all of which I installed using darwin ports (also, btw, you are better off getting the darwin/macports source and compiling it yourself, rather than using the DMG installer). If you are paranoid about using terminal there is an app out there called PORT AUTHORITY which is basically a GUI front end to install darwinport apps.
    You may have to do a little searching, but the key is getting the behaviour file and the config file correct. I found examples of the two I needed here:
    http://www.mirrors.wiretapped.net/security/authentication/radius/openradius/examples/0.9.10/
    I am attempting to also have openradius look at LDAP if it can't auth to SQL. I think this is possible, since it seemed to be in freeradius, so that our users don't need to choose a separate auth protocol.
    I hope at least part of what I have to say will help someone out there, I will update this as I find out more. Right now I can only auth via clear-password, which is not really much of an issue, since this will all be LAN and WAN behind a firewall. But it would be nice if it was at least MD5 which openradius is supposed to support.

  • Lobby ambassador user authentication using a RADIUS server

    I have a WiSM installed in a unified wireless network; an MS IAS server is sitting in between the enterprise AD and the WiSM. Wireless clients are getting authenticated via ISA against the enterprise AD without any issue.
    Now I want to authenticate the admin users in the WLC (for example Lobby admin users) also with AD using the same method.
    I tried adding a RADIUS server in the WLC under "Administration > AAA servers". But the external authentication doesn't seem to be happening. Does someone have an example of this type of configuration?

    You can use RADIUS to authenticate management users, but I'm afraid you can't use it to authenticate Lobby admin users.
    To authenticate management users, you need:
    1. In the WLC, when creating the RADIUS server, enable "management".
    2. In RADIUS, set Service-Type [006] to Administrative in the user's IETF (RADIUS) attributes.

  • Radius server for 802.1x port authentication

    Does anybody know if CiscoSecure for Unix version 2.3.6.2 can be used as a Radius server for 802.1x port authentication? I know the Windows version will do this and can be configured to assign a user to a specific VLAN, but can the UNIX software do the same?
    Thanks

    Check connectivity between the PIX and the server.
    If the server is outside the PIX, verify that it is specified in the (if_name) parameter of the aaa-server command. In the example below, the (if_name) parameter represents outside.
    aaa-server group_tag (if_name) host server_ip key timeout 5
    If you are using TACACS+, verify that the PIX and server are communicating on the same port (Transmission Control Protocol (TCP)/49).
    If you are using RADIUS, verify that the PIX and server are communicating on User Datagram Protocol (UDP) port 1645. Or, if the RADIUS server is using port 1812, verify that the PIX is using software version 6.0 or later, and then issue the aaa-server radius-authport 1812 command to specify port 1812.
    Ensure that the secret key is correct.
    Check the server logs for failed attempts. All servers have some kind of logging function.

  • WLC 5508 Radius accounting issue

    I have a WLAN configured with 802.1x PEAP pointing to an external RADIUS server. It works fine for the most part, but I'm having a problem closing accounting sessions in RADIUS. I've found this is related to the client table in the WLC. The user session does not end in RADIUS unless the WLC officially removes the client from the db, which takes 5-6 minutes from what I can see (probably due to the default idle timeout of 300 seconds).
    For example:
    1.  I connect my tablet to the test WLAN.  It associates and authenticates successfully and the WLC sends the accounting info to my RADIUS server, opening up a user session.  If I turn off the wifi in the tablet, the client entry stays in the WLC client table until it times out.  The WLC removes my tablet from the client table after 5-6 minutes, and then the session closes in the accounting table.  I can force the session to close much earlier by manually removing the client from the WLC.
    2.  Same as #1, but this time instead of turning off the wifi in the tablet, I choose to connect to a different WLAN in the WLC.  The user session in the accounting DB never closes.  If I reconnect back to the original test WLAN with 802.1x, it opens up yet another user session in RADIUS accounting.  Now I have a "dead" user session in accounting that is going to be open forever unless I delete it from SQL.
    Is this an issue with the end user client not sending the disassociation frame properly, or a config problem with the WLC?  How can I make it so that every time a client drops from an AP or moves to a different WLAN, the WLC would immediately send accounting updates to my RADIUS server and close the user session properly?
    Thanks,
    Wil

    Well like you said, the WLC will keep the client in the DB until the idle timer expires. This is normal and I don't think you will be able to change this unless you set the idle timer to a lower value.
    Sent from Cisco Technical Support iPhone App

  • Not able to remove "radius-server-source-port-1645-1646"

    Hi guys! I'm trying to remove the "radius-server source-ports 1645-1646" command but it's not happening. The command executes but it's still showing up in the running configuration. It's on a 2960 switch running 12.2 lanbasek9 IOS.

    Hmm... That's not the case. Tried this already.
    I've even seen it's kind of a default command in some old IOS, but I'm not getting a firm URL or link to confirm it, so I'm not sure if it's an issue with IOS or something else.

  • Radius Attribute Issue

    Hi,
    I'm having some issues implementing RADIUS accounting. Below is my configuration:
    aaa group server radius ClearBox
     server 192.168.111.8 auth-port 1812 acct-port 1813
    accounting accept ClearBox
    aaa accounting exec default start-stop group ClearBox
    aaa accounting network default start-stop group ClearBox
    aaa accounting connection h323 start-stop group ClearBox
    aaa accounting resource default start-stop group ClearBox
    aaa session-id common
    gw-accounting aaa
    radius-server attribute list ClearBox
     attribute 1,4-6,25-26,28-31,40-41,44,46,49,61
    radius-server host 192.168.111.8 auth-port 1812 acct-port 1813
    radius-server key 7 12481603171B5B55
    radius-server vsa send accounting
    I am using ClearBox as my RADIUS server. It seems that the following attributes (h323-connect-time, h323-disconnect-time, h323-disconnect-cause) were not recorded on the ClearBox. See attached file for the screenshot. Maybe you can help me with this issue.

    Try to enable the following debugs:
    debug isdn q931
    debug ppp negotiation
    debug aaa authen
    debug aaa accounting
    debug radius

  • Problems w/config AP1200 - WPA Enterprise/Local RADIUS Server

    I have been attempting to reconfigure an AP1200 in our lab environment from using static WEP keys to WPA/TKIP. I can make the solution work with WPA-PSK, but not Enterprise. I believe I have everything configured correctly but cannot "validate identity" on the client. Below are the details of my configuration.
    SSID: labssid (Open authentication with EAP)
    Cipher: TKIP
    Key management: Mandatory (WPA)
    I have a Cisco ACS server but am attempting to get this running initially using the local RADIUS server on the Access Point. I have a user defined locally called "test" with a password of "test".
    I am using an IBM ThinkPad T43 with the built-in wireless (Intel PRO/Wireless 2915ABG NIC) for testing. I have "Use Windows to configure my wireless network settings" checked, so I am using the inherent Windows configuration screens. However, I have also attempted to use the IBM NIC configuration utility and receive the same failures. I have the client device configured as follows:
    1. Network authentication: WPA
    2. Data encryption: TKIP
    3. Authentication: Protected EAP (PEAP) (only option other than smartcard, cert.)
    3a. (PROPERTIES) - AuthMethod: Secured Password (EAP-MSCHAP v2)
    4. Authenticate as computer when computer information is available (UNCHECKED)
    5. Authenticate as guest when user or computer is unavailable (UNCHECKED)
    When I attempt to provide my test/test credentials the Access Point logs the following:
    Station 0016.6f77.9ccd Authentication failed
    When I look at the Local RADIUS server stats, for each authentication failure the following stat is recorded:
    "Unknown EAP Type"
    If I try to authenticate 5 times, there will be 5 Unknown EAP Type stats logged.
    What am I missing?

    I didn't realize the local RADIUS couldn't do PEAP. That makes sense now, as in testing I decided to point the AP at my ACS server and was able to authenticate. I'm having an issue authenticating at times because it seems the AP loses its connection TO the ACS server. The Access Point logs the following:
    1. Station 0016.6f77.9ccd Authentication failed
    2. RADIUS server 192.168.102.82:1645,1646 has returned.
    3. RADIUS server 192.168.102.82:1645,1646 is not responding.
    The "not responding" and "returned" logs are recorded at the exact same time period. In my most recent case, it was "Aug 31 18:19:36.981". Both have that time stamp. It's as if the AP loses some heartbeat to the RADIUS server and doesn't check to see if it's alive until a certain interval. When I'm not able to authenticate, if I log into the ACS and manually "restart" the services through the GUI, I authenticate right away. I'm thinking this is an ACS issue not an AP issue, but am wondering if anyone else has ever noticed this behavior.
