Radius Server w/ appleTV

i have searched extensively for a setup that is similar to mine unfortunately i have not found a solution. I am using server 10.10 for radius auth. from an airport extreme.
since its now "one click" that works great for my computer users, but trying to set up an apple tv wirelessly is a pain. what/where is the cert. i need to install in the profile? do i need it still? the wireless profile gives the options for user/pass, is this all i need? thanks
server 10.10.2
3rd gen apple tv

Hi Keith,
You need to use Apple Configurator to install you Enterprise Wifi settings on your apple tv. See How to install a configuration profile on Apple TV - Apple Support for some basic instructions.

Similar Messages

  • ISE 1.2 Patch 2 External RADIUS Server Sequence Broken?

    Hi community,
    We have upgraded our proof of concept ISE 1.2 lab to Patch level 2.
    Our lab design includes the use of external RADIUS servers which we off-load certain authentication rules to.
    To ensure resiliency of the external RADIUS service, we have two of these which we add to a RADIUS Server Sequence, the idea being that if the first in the list is unavailable, ISE will try the second and all will be well.
    Now this worked for us in testing ISE 1.2, but I have noticed that after the upgrade to Patch 2 ISE is sending the majority RADIUS traffic to the first (failed) external RADIUS server, with only the odd RADIUS Access-Request to thte next in the list.
    Anybody else come across this??
    All helpful comments rated!
    Many thanks, Ash.

    I couldn't find any known issues with this feature. Could you please paste the screen shot of external radius sequence and configuration. Also, how are we determing that the first server in the sequence is DEAD?
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • EAP-FAST on Local Radius Server : Can't Get It Working

    Hi all
    I'm using an 877w router (flash:c870-advsecurityk9-mz.124-24.T4.bin) as local radius server and have followed various config guides on CCO. LEAP works fine but I just can't get EAP-FAST to work.
    I'm testing with win7 client using anyconnect secure mobility client, and also a mac book pro but without luck.
    the router sees unknown auth type, and when I run some debugs it talks of unknown eap type 3
    sh radius local-server s
    Successes              : 1           Unknown usernames      : 0        
    Client blocks          : 0           Invalid passwords      : 0        
    Unknown NAS            : 0           Invalid packet from NAS: 17      
    NAS : 172.27.44.1
    Successes              : 1           Unknown usernames      : 0        
    Client blocks          : 0           Invalid passwords      : 0        
    Corrupted packet       : 0           Unknown RADIUS message : 0        
    No username attribute  : 0           Missing auth attribute : 0        
    Shared key mismatch    : 0           Invalid state attribute: 0        
    Unknown EAP message    : 0           Unknown EAP auth type  : 17       
    Auto provision success : 0           Auto provision failure : 0        
    PAC refresh            : 0           Invalid PAC received   : 0       
    Can anyone suggest what I might be doing wrong?
    Regs, Tim

    Thanks Nicolas, relevant snippets from config:
    aaa new-model
    aaa group server radius rad_eap
    server 172.27.44.1 auth-port 1812 acct-port 1813
    aaa authentication login eap_methods group rad_eap
    aaa authorization exec default local
    aaa session-id common
    dot11 ssid home
    vlan 3
    authentication open eap eap_methods
    authentication network-eap eap_methods
    authentication key-management wpa
    ip dhcp pool home
       import all
       network 192.168.1.0 255.255.255.0
       default-router 192.168.1.1
       dns-server 194.74.65.68 194.74.65.69
    ip inspect name ethernetin tcp
    ip inspect name ethernetin udp
    ip inspect name ethernetin pop3
    ip inspect name ethernetin ssh
    ip inspect name ethernetin dns
    ip inspect name ethernetin ftp
    ip inspect name ethernetin tftp
    ip inspect name ethernetin smtp
    ip inspect name ethernetin icmp
    ip inspect name ethernetin telnet
    interface Dot11Radio0
    no ip address
    encryption vlan 1 mode ciphers aes-ccm tkip
    encryption vlan 2 mode ciphers aes-ccm tkip
    encryption vlan 3 mode ciphers aes-ccm tkip
    broadcast-key vlan 1 change 30
    broadcast-key vlan 2 change 30
    broadcast-key vlan 3 change 30
    ssid home
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    interface Dot11Radio0.3
    encapsulation dot1Q 3
    no cdp enable
    bridge-group 3
    bridge-group 3 subscriber-loop-control
    bridge-group 3 spanning-disabled
    bridge-group 3 block-unknown-source
    no bridge-group 3 source-learning
    no bridge-group 3 unicast-flooding
    interface Vlan3
    no ip address
    bridge-group 3
    interface BVI3
    ip address 192.168.1.1 255.255.255.0
    ip inspect ethernetin in
    ip nat inside
    ip virtual-reassembly
    radius-server local
    no authentication mac
    nas 172.27.44.1 key 0 123456
    user test1 nthash 0 B151E8FF684B4F376C018E632A247D84
    user test2 nthash 0 F2EEAE1D895645B819C9FD217D0CA1F9
    user test3 nthash 0 0CB6948805F797BF2A82807973B89537
    radius-server host 172.27.44.1 auth-port 1812 acct-port 1813 key 123456
    radius-server vsa send accounting

  • ISE 1.1.1 (Fallback to local Vlan if radius server is found to be dead) not working

    We have configured following commands on switch to fallback to local Vlan if both radius server (policy persona's) is found dead. For test purpose we shutdown both servers (policy persona's) but fallback didn't work. We have 3750 switch running image 12.2(55)SE6 having following configuration.
    We do not know whether we configured switch in proper way or do we need to modify it.
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting update periodic 5
    aaa accounting auth-proxy default start-stop group radius
    aaa accounting dot1x default start-stop group radius
    aaa accounting system default start-stop group radius
    aaa server radius dynamic-author
    client 10.10.10.10 server-key 7 12345678 (Policy Persona 1)
    client 10.10.10.11 server-key 7 12345678 (Policy Persona 2)
    server-key 7 12345678
    ip device tracking
    epm logging
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 30 tries 3
    radius-server host 10.10.10.10 auth-port 1812 acct-port 1813 key 7 12345678 (Policy Persona 1)
    radius-server host 10.10.10.11 auth-port 1812 acct-port 1813 key 7 12345678 (Policy Persona 2)
    radius-server vsa send accounting
    radius-server vsa send authentication
    Port Configuration
    interface GigabitEthernet0/1
    switchport access vlan 305
    switchport mode access
    ip access-group ACL-DEFAULT in
    authentication event fail action next-method
    authentication event server dead action reinitialize vlan 305
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication open
    authentication order mab dot1x
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 10
    spanning-tree portfast
    Please help....
    Thanks

    Tabish-
    The pre-auth ACL that you have on your port is used for what's called a "Low-Impact" mode type of setup. With Low-Impact mode you are allowing services defined in the pre-auth ACL until the user/devices is authenticated. Once authenticated the pre-auth ACL gets replaced with the dACL/authorization policy that you have defined in the authorization profile. As a result, it is not possible to use "fail-open" configuration with low-impact as there is nothing to replace that pre-auth ACL since your NAD device(s) are unavailable.
    If you want to use the "fail-open" features you will have to use the "High Securty/Closed Mode." In that mode you cannot utilize the pre-auth ACL and essentially only EPoL traffic is allowed on port until authenticated.
    For more info you should reference the TrustSec design guide located at:
    http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
    Thank you for rating!

  • Can't authenticate Mac VPN client from RADIUS server

    Hello,
    I'm a real noob here so please bear with me.
    I have been able to configure my PIX 515E to allow VPN connections onto my network, but what I need to do is set up some sort of user authentication to control access at a user level. From what I've read here and in the Configuration Guide I should be able to do this authentication with a RADIUS server. I'm running a Corriente Networks Elektron Security server which has RADIUS server capabilities. It is running on my (inside) interface at IP 192.168.10.26.
    I thought that I had everything configured properly but it never seems to authenticate. I connect, the XAUTH window pops up, I add my username and password as it's configured on my RADIUS server, but when I click OK it just cycles the progress bar at the bottom and eventually times out. The client log doesn't show me anything and the log on the RADIUS server shows me nothing. Any ideas? this seems like it should be simple because I can connect until I attempt to authenticate to the RADIUS server.
    TIA for any direction you can provide me.
    Christine

    If it helps, here is my config with a some of the non-related bits deleted:
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security50
    enable password ********* encrypted
    passwd ******* encrypted
    hostname pixfirewall
    domain-name acme.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol http 82
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    access-list inside_outbound_nat0_acl permit ip any 192.168.10.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip host 192.168.10.26 192.168.10.192 255.255.255.224
    access-list inside_outbound_nat0_acl permit ip host 192.168.10.69 192.168.10.192 255.255.255.224
    access-list outside_cryptomap_dyn_20 permit ip any 192.168.10.0 255.255.255.0
    access-list outside_cryptomap_dyn_40 permit ip any 192.168.10.192 255.255.255.224
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    ip address outside 207.XXX.XXX.130 255.255.255.0
    ip address inside 192.168.10.1 255.255.255.0
    ip address DMZ 192.168.100.1 255.255.255.0
    multicast interface inside
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool CBI_VPN_Pool 192.168.10.201-192.168.10.220
    pdm location 192.168.10.50 255.255.255.255 inside
    pdm group CBI_Servers inside
    pdm logging warnings 100
    pdm history enable
    arp timeout 14400
    global (outside) 200 interface
    global (DMZ) 200 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 200 192.168.10.0 255.255.255.0 0 0
    static (inside,outside) 207.XXX.XXX.150 192.168.10.27 netmask 255.255.255.255 0 0
    static (inside,outside) 207.XXX.XXX.132 192.168.10.26 dns netmask 255.255.255.255 0 0
    access-group 100 in interface outside
    route outside 0.0.0.0 0.0.0.0 207.XXX.XXX.129 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server radius-authport 1812
    aaa-server radius-acctport 1812
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host 192.168.10.26 ************* timeout 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.10.3 255.255.255.255 inside
    no floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
    crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map client authentication RADIUS
    crypto map outside_map interface outside
    crypto map inside_map interface inside
    isakmp enable outside
    isakmp nat-traversal 3600
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup Test_VPN address-pool CBI_VPN_Pool
    vpngroup Test_VPN dns-server 142.77.2.101 142.77.2.36
    vpngroup Test_VPN default-domain acme.com
    vpngroup Test_VPN idle-time 1800
    vpngroup Test_VPN authentication-server RADIUS
    vpngroup Test_VPN user-authentication
    vpngroup Test_VPN user-idle-timeout 1200
    vpngroup Test_VPN password ********
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.10.100-192.168.10.254 inside
    dhcpd dns 142.77.2.101 142.77.2.36
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside

  • SSL VPN IP Address Assignment from IAS radius server

    Can I use SSL VPN IP Address Assignment from IAS radius server?it can be done with acs server.are there some differ from the acs and IAS?

    Hi,
    I will suggest to setup a sniffer capture with ACS and look for the attribute that ACS sends for IP Address Assignment, once you know the attribute apply it on the IAS.
    If you have any question do not hesitate to contact me.

  • Radius server not returning Filter-id information to access device

    I have set up a Radius server (v. 4.15 16 april 2003) on NW65sp2 server
    and I'm trying to use it to authenticate to a Watchguard Firebox II
    firewall. The authentication functions but apparently the firewall is
    not getting (or not parsing) the Filter-Id information to assign access
    rights via groups. When I login to the firewall with "user1", the
    response is "Authenticationsucceeded, but no access grantedfor user". If
    I define "user1" on the firewall and assign it to an access policy, then
    everything works. But if I define an access group "group1" and assign
    it to an access policy on the firewall and then assign "group1" to the
    eDir Access Profile object that is assigned to "user1", (Filter-Id =
    group1) I get the above authentication succesful, but no access granted.
    Is there a way to identify exactly what information is being sent from
    the Radius server to the access device so I can determine if the problem
    is on the Novell Radius server side or the Watchguard Firewall side?
    I've activated the Radius Debug Log, but that only tells me that it
    finds all the relevant objects in eDirectory and that authentication is
    successfull, but there is no indication that any other information is
    being sent to the access device.
    As I understand it, the filer-id's are supposed to allow a link between
    the eDir user objects and what access rights are allowed on the access
    device (firewall). Essentially this is how I define group memberships on
    the firewall using eDir user. Is this assumption correct?
    The goal of course is to allow access over the firewall without having
    to type in 500 user names on the firewall.
    Any ideas or tips on what I could check or configure differently would
    be helpful. thanks
    bill reading

    thanks for the feedback. I will take a look at the thread you mentioned
    and I'll get back to you with the trace as soon as I can arrange it.
    Scott Kiester wrote:
    > There is a thread titled "RADIUS Group with VASCO Digipass" in this group
    > from November where someone else was trying to use the filter-Id attribute
    > with their firewall. The customer was able to get this attribute to working
    > after tweaking his RADIUS configuration.
    >
    > Your understanding of the filter-Id attribute is correct. Either the RADIUS
    > server is not sending this attribute for some reason, or something on your
    > firewall has been misconfigured. A good starting point would be to take a
    > sniffer trace to see if the filter-Id attribute is in the access-request
    > packet. (You can use Ethereal, which is a free download from
    > www.ethereal.com, for the trace.) Post the trace here or send it to me at
    > [email protected] and I'll take a look at it.
    >
    >
    >>>>bill reading<[email protected]> 12/07/04 8:36 AM >>>
    >
    > I have set up a Radius server (v. 4.15 16 april 2003) on NW65sp2 server
    > and I'm trying to use it to authenticate to a Watchguard Firebox II
    > firewall. The authentication functions but apparently the firewall is
    > not getting (or not parsing) the Filter-Id information to assign access
    > rights via groups. When I login to the firewall with "user1", the
    > response is "Authenticationsucceeded, but no access grantedfor user". If
    > I define "user1" on the firewall and assign it to an access policy, then
    > everything works. But if I define an access group "group1" and assign
    > it to an access policy on the firewall and then assign "group1" to the
    > eDir Access Profile object that is assigned to "user1", (Filter-Id =
    > group1) I get the above authentication succesful, but no access granted.
    > Is there a way to identify exactly what information is being sent from
    > the Radius server to the access device so I can determine if the problem
    > is on the Novell Radius server side or the Watchguard Firewall side?
    > I've activated the Radius Debug Log, but that only tells me that it
    > finds all the relevant objects in eDirectory and that authentication is
    > successfull, but there is no indication that any other information is
    > being sent to the access device.
    >
    > As I understand it, the filer-id's are supposed to allow a link between
    > the eDir user objects and what access rights are allowed on the access
    > device (firewall). Essentially this is how I define group memberships on
    > the firewall using eDir user. Is this assumption correct?
    >
    > The goal of course is to allow access over the firewall without having
    > to type in 500 user names on the firewall.
    >
    > Any ideas or tips on what I could check or configure differently would
    > be helpful. thanks
    >
    > bill reading
    >
    >

  • How to set two radius servers one is window NPS another is cisco radius server

    how to set two radius servers one is window NPS another is cisco radius server
    when i try the following command, once window priority is first , i type cisco radius user name, it authenticated fail
    i can not use both at the same time
    radius-server host 192.168.1.3  is window NPS
    radius-server host 192.168.1.1 is cisco radius
    http://blog.skufel.net/2012/06/how-to-integrating-cisco-devices-access-with-microsoft-npsradius/
    conf t
    no aaa authentication login default line
    no aaa authentication login local group radius
    no aaa authorization exec default group radius if-authenticated
    no aaa authorization network default group radius
    no aaa accounting connection default start-stop group radius
    aaa new-model
    aaa group server radius IAS
     server 192.168.1.1 auth-port 1812 acct-port 1813
     server 192.168.1.3 auth-port 1812 acct-port 1813
    aaa authentication login userAuthentication local group IAS
    aaa authorization exec userAuthorization local group IAS if-authenticated
    aaa authorization network userAuthorization local group IAS
    aaa accounting exec default start-stop group IAS
    aaa accounting system default start-stop group IAS
    aaa session-id common
    radius-server host 192.168.1.1 auth-port 1812 acct-port 1813
    radius-server host 192.168.1.2 auth-port 1812 acct-port 1813
    radius-server host 192.168.1.3 auth-port 1645 acct-port 1646
    radius-server host 192.168.1.3 auth-port 1812 acct-port 1813
    privilege exec level 1 show config
    ip radius source-interface Gi0/1
    line vty 0 4
     authorization exec userAuthorization
     login authentication userAuthentication
     transport input telnet
    line vty 5 15
     authorization exec userAuthorization
     login authentication userAuthentication
     transport input telnet
    end
    conf t
    aaa group server radius IAS
     server 192.168.1.3 auth-port 1812 acct-port 1813
     server 192.168.1.1 auth-port 1812 acct-port 1813
    end

    The first AAA server listed in your config will always be used unless/until it becomes unavailable. At that point the NAD would move down to the next AAA server defined on the list and use that one until it becomes unavailable and then move to third one, and so on. 
    If you want to use two AAA servers at the same time then you will need to put a load balancer in front of them. Then the virtual IP (vip) will be listed in the NADs vs the individual AAA servers' IPs. 
    I hope this helps!
    Thank you for rating helpful posts!

  • Authenticated on ISE 1.2 (as admin) against an external radius server

    Hello
    Our customer wants to be authenticated on ISE 1.2 (as admin) against an external radius server (like ACS not microsoft). How could i do that ?
    Is it possible while retaining internal admin users database in a sequence "external_radius or internal"
    thank you in advance.
    Best regards

    External authentication is supported only with internal authorization:
    External Authentication + Internal Authorization
    When configuring Cisco ISE to provide administrator authentication using an external RSA SecurID identity store, administrator credential authentication is performed by the RSA identity store. However, authorization (policy application) is still done according to the Cisco ISE internal database. In addition, there are two important factors to remember that are different from External Authentication + External Authorization:
    You do not need to specify any particular external administrator groups for the administrator.
    You must configure the same username in both the external identity store and the local Cisco ISE database.
    To create a new Cisco ISE administrator that authenticates via the external identity store, complete the following steps:
    Step 1 Choose Administration > System > Admin Access > Administrators > Local Administrators.
    The Administrators window appears, listing all existing locally defined administrators.
    Step 2 Follow the guidelines at Creating a New Cisco ISE Administrator to ensure that the administrator username on the external RSA identity store is also present in Cisco ISE. Be sure to click the External option under Password.
    Note Remember: you do not need to specify a password for this external administrator user ID, nor are you required to apply any specially configured external administrator group to the associated RBAC policy.
    Step 3 Click Save .

  • Cisco ISE with both internal and External RADIUS Server

    Hi
    I have ISE 1.2 , I configured it as management monitor and PSN and it work fine
    I would like to know if I can integrate an external radius server and work with both internal and External RADIUS Server simultanously
    So some computer (groupe_A in active directory ) will continu to made radius authentication on the ISE internal radius and other computer (groupe_B in active directory) will made radius authentication on an external radius server
    I will like to know if it is possible to configure it and how I can do it ?
    Thanks in advance for your help
    Regards
    Blaise

    Cisco ISE can function both as a RADIUS server and as a RADIUS proxy server. When it acts as a proxy server, Cisco ISE receives authentication and accounting requests from the network access server (NAS) and forwards them to the external RADIUS server. Cisco ISE accepts the results of the requests and returns them to the NAS.
    Cisco ISE can simultaneously act as a proxy server to multiple external RADIUS servers. You can use the external RADIUS servers that you configure here in RADIUS server sequences. The External RADIUS Server page lists all the external RADIUS servers that you have defined in Cisco ISE. You can use the filter option to search for specific RADIUS servers based on the name or description, or both. In both simple and rule-based authentication policies, you can use the RADIUS server sequences to proxy the requests to a RADIUS server.
    The RADIUS server sequence strips the domain name from the RADIUS-Username attribute for RADIUS authentications. This domain stripping is not applicable for EAP authentications, which use the EAP-Identity attribute. The RADIUS proxy server obtains the username from the RADIUS-Username attribute and strips it from the character that you specify when you configure the RADIUS server sequence. For EAP authentications, the RADIUS proxy server obtains the username from the EAP-Identity attribute. EAP authentications that use the RADIUS server sequence will succeed only if the EAP-Identity and RADIUS-Username values are the same.

  • Using RSA RADIUS Server and WLC 7.4 to dynamically asssign users to VLAN

    Hello,
    What we are trying to do:
    John logs on to wifi using RSA fob for password. RSA sends back auth request with attibutes to WLC 7.4 that magically knows how to interpret the attributes and puts John on vlan 10. Mary logs on with her fob and gets put on VLAN 20.
    We dont have ISE. We dont have ACS. We have RSA Authentication Manager 7.0
    We have looked high and low for documentation for this kind of setup and we find stuff that is close to a match but not quite.
    Here is what we are seeing
    1. dynamic vlan assignment is not working -- radius server is set with the attributes
    2. RSA authentication works
    3. John and Mary are always put into the VLAN where the MGMT interface is
    4. I can see that attributes are making it back to the WLC by sniffing
    We are stuck at this point. Any help would be much appreciated,
    P.

    Here is a little more background:
    We have created a dynamic interface in VLAN 157
    Wireless LAN has been assigned to MGMT interface which is on VLAN 35
    This is a VWLC ver 7.4.100
    AP is attached to VWLC (only FlexConnect mode is supported)
    RADIUS Server has been configured
    Users are getting assigned to VLAN 35
    Also I have attached some screenshots and two packet captures so you can see what the RSA is sending back with your own eyes
    I dont see any atttributes in the capture when RSA sends to the VWLC
    I see attributes in the capture when RSA send to my local RADIUS Client (My PC)
    And to answer your question we have sending a VLAN ID (157)

  • Exchange Server 2013 and RADIUS server(freeRADIUS2)

    I am a student and doing an internship. I have to test Microsoft Exchange Server 2013.
    I am using Windows Server 2012, I already installed Exchange
    Server 2013 on it and everything works as intended.
    But I couldn't find out how to configure my Windows Server 2012 in order to authenticate my mailbox users from Exchange Server 2013 with a RADIUS
    server which is not on my Windows Server 2012. I have to use their RADIUS server ( freeRADIUS2 ), the RADIUS server from
    the company where I am doing my internship.
    I already did the checklist that is on http://technet.microsoft.com/en-us/library/cc772591.aspx. I configured the NPS as
    a RADIUS proxy, because that's what I need.
    So after doing everything that is on that checklist, my question is:
    Is it possible that the Exchange Server 2013 will use my NPS which is now configured as a NPS RADIUS proxy to authenticate my mailbox users that I have on my Exchange Server 2013?

    thanks for such a quick response.
    Just a small question about the link that you put. Does member server mean other server other than domain controller?
    Regards,
    Yes, Also the server on which you are installing Exchange should have exchange installed.
    Cheers,
    Gulab Prasad
    Technology Consultant
    Blog:
    http://www.exchangeranger.com    Twitter:
      LinkedIn:
       Check out CodeTwo’s tools for Exchange admins
    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

  • Exchange Server 2013 with a RADIUS server (freeRADIUS).

    Hello,
    I am a student and doing an internship. I have to test Microsoft Exchange Server 2013.
    I am using Windows Server 2012, I already installed Exchange Server 2013 on it and everything works as intended.
    But I couldn't find out how to configure my Windows Server 2012 in order to authenticate my mailbox users from Exchange Server 2013 with a RADIUS server which is not on my Windows Server 2012. I have to use their RADIUS server (freeRADIUS), the RADIUS server
    from the company where I am doing my internship.
    I already created a NPS and added the RADIUS Client + Remote
    RADIUS Server Groups. I created a Connection Request Policies with the condition:
    User Name *
    I forwarded the Connection Request to the
    Remote RADIUS server that I created in Remote RADIUS Server Groups and then I registered the NPS in th AD. But it's still not working. 
    Maybe I did something wrong or I misunderstood something or does this even work with Exchange Server 2013? To authenticate mailbox users with a RADIUS server before they can login into their mailbox and use their mailbox?
    Thanks in advance.

    Hi,
    I suggest we refer to the following article to double confirm the Network Policy Server is registered properly.
    http://technet.microsoft.com/library/cc732912.aspx
    Thanks,
    Simon Wu
    TechNet Community Support

  • Trying to implement EAP/TLS using java (as part of RADIUS server)

    Hi
    This is a cross port since I didn't know which forum to post in!
    I'm trying to implement a RADIUS server (EAP/TLS) as part of my master thesis. I'm not used to Java SSL libraries and can't get it to work. The server will respond to an accesspoint that uses 802.1x. I have created certificates using openssl and imported the "cert-clt.pl2"and "root.pem" to a laptop trying to connect to the accesspoint. On the server side i imported the "cacert.pem" and "cert-srv.der" using keytool to a keystore. In my code I read the keystore and create the SSLEngine with following code:
              KeyStore ksKeys = KeyStore.getInstance("JKS");
                ksKeys.load(new FileInputStream("certs/FeebeeCommunity.keystore"), passphrase);
                KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
                kmf.init(ksKeys, passphrase);
                KeyStore ksTrust = KeyStore.getInstance("JKS");
                ksTrust.load(new FileInputStream("FeebeeCommunity.keystore"), passphrase);
                TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
                tmf.init(ksKeys);
                sslContext = SSLContext.getInstance("TLS");
                sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
                sslEngine = sslContext.createSSLEngine();
                sslEngine.setUseClientMode(false);
                sslEngine.setNeedClientAuth(true);
                sslEngine.setWantClientAuth(true);
                sslEngine.setEnableSessionCreation(true);
                appBuffer = ByteBuffer.allocate(sslEngine.getSession().getApplicationBufferSize());
                appBuffer.clear();
                netBuffer = ByteBuffer.allocate(sslEngine.getSession().getPacketBufferSize());
                netBuffer.clear();All I want to do with TLS is a handshake.
    I'm not talking ssl using sockets instead I receive and send all TLS data encapsulated in EAP packet that are incapsulated in RADIUS packets. I start off with sending TLS-Start upon I recive TLS data. I handle it with the following code:
           SSLEngineResult result = null;
            SSLEngineResult.HandshakeStatus hsStatus = null;
            if( internalState != EAPTLSState.Handshaking ) {
                if( internalState == EAPTLSState.None ) {
                    TLSPacket tlsPacket = new TLSPacket( packet.getData() );
                    peerIdentity = tlsPacket.getData();
                    internalState = EAPTLSState.Starting;
                    try {
                        sslEngine.beginHandshake();
                    } catch (SSLException e) {
                        e.printStackTrace();
                    return;
                else if(internalState == EAPTLSState.Starting ) {
                    internalState = EAPTLSState.Handshaking;
                    try {
                        sslEngine.beginHandshake();
                    } catch (SSLException e) {
                        e.printStackTrace();
            TLSPacket tlsPacket = new TLSPacket( packet.getData() );
            netBuffer.put( tlsPacket.getData() );
            netBuffer.flip();
            while(true) {
                hsStatus = sslEngine.getHandshakeStatus();
                if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_TASK) {
                    Runnable task;
                    while((task=sslEngine.getDelegatedTask()) != null) {
                        new Thread(task).start();
                else if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_UNWRAP) {
                    try {
                        result = sslEngine.unwrap( netBuffer, appBuffer );
                    } catch (SSLException e) {
                        e.printStackTrace();
                else {
                    return;
            }When I try to send data I use the following code:
               SSLEngineResult.HandshakeStatus hsStatus = null;
                SSLEngineResult result = null;
    //            netBuffer = ByteBuffer.allocate(EAPTLSMethod.BUFFER_SIZE);
                netBuffer.clear();
                while(true) {
                    hsStatus = sslEngine.getHandshakeStatus();
                    if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_TASK) {
                        Runnable task;
                        while((task=sslEngine.getDelegatedTask()) != null) {
                            new Thread(task).start();
                    else if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_WRAP) {
                        try {
                            result = sslEngine.wrap( dummyBuffer, netBuffer );
                        } catch (SSLException e) {
                            e.printStackTrace();
                    else {
                        if( result != null && result.getStatus() == SSLEngineResult.Status.OK ) {
                            int size = Math.min(result.bytesProduced(),this.MTU);
                            byte [] tlsData = new byte[size];
                            netBuffer.flip();
                            netBuffer.get(tlsData,0,size);
                            TLSPacket tlsPacket = new TLSPacket((byte)0,tlsData);
                            if( size < result.bytesProduced() ) {
                                tlsPacket.setFlag(TLSFlag.MoreFragments);
                            return new EAPTLSRequestPacket( ID,
                                    (short)(tlsPacket.getData().length + 6),
                                    stateMachine.getCurrentMethod(), tlsPacket );
                        else {
                            return null;
                    }After I sent TLS-Start I receive data and manage to process it but when then trying to produce TLS data I get the following error:
    javax.net.ssl.SSLHandshakeException: no cipher suites in common
    at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:992)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:459)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1054)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1026)
    at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:411)
    at RadiusServerSimulator.EAPModule.EAPTLSMethod.buildReq(EAPTLSMethod.java:125)
    at RadiusServerSimulator.EAPModule.EAPStateMachine.methodRequest(EAPStateMachine.java:358)
    at RadiusServerSimulator.EAPModule.EAPStateMachine.run(EAPStateMachine.java:262)
    at java.lang.Thread.run(Thread.java:595)
    Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1352)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:164)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:638)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:450)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:178)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
    at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:437)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.java:930)
    Any help wold be most greatfull, if any questions or anything unclear plz let me know.
    add some additional information here is a debug output
    Before this I have sent a TLS-star package and this is when I receive new information and then try to create the answer
    [Raw read]: length = 5
    0000: 16 03 01 00 41 ....A
    [Raw read]: length = 65
    0000: 01 00 00 3D 03 01 41 A4 FC 16 A8 14 89 F0 59 81 ...=..A.......Y.
    0010: C8 C9 29 C2 09 D1 0A 70 18 58 DC 2E B0 C8 14 90 ..)....p.X......
    0020: D4 FD A4 C6 32 C9 00 00 16 00 04 00 05 00 0A 00 ....2...........
    0030: 09 00 64 00 62 00 03 00 06 00 13 00 12 00 63 01 ..d.b.........c.
    0040: 00 .
    Thread-2, READ: TLSv1 Handshake, length = 65
    *** ClientHello, TLSv1
    RandomCookie: GMT: 1084488726 bytes = { 168, 20, 137, 240, 89, 129, 200, 201, 4
    1, 194, 9, 209, 10, 112, 24, 88, 220, 46, 176, 200, 20, 144, 212, 253, 164, 198,
    50, 201 }
    Session ID: {}
    Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH
    _3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_EXPORT1024_WITH_RC4_56_SHA,
    SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EX
    PORT_WITH_RC2_CBC_40_MD5, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_DE
    S_CBC_SHA, SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA]
    Compression Methods: { 0 }
    [read] MD5 and SHA1 hashes: len = 65
    0000: 01 00 00 3D 03 01 41 A4 FC 16 A8 14 89 F0 59 81 ...=..A.......Y.
    0010: C8 C9 29 C2 09 D1 0A 70 18 58 DC 2E B0 C8 14 90 ..)....p.X......
    0020: D4 FD A4 C6 32 C9 00 00 16 00 04 00 05 00 0A 00 ....2...........
    0030: 09 00 64 00 62 00 03 00 06 00 13 00 12 00 63 01 ..d.b.........c.
    0040: 00 .
    Thread-5, fatal error: 40: no cipher suites in common
    javax.net.ssl.SSLHandshakeException: no cipher suites in common
    Thread-5, SEND TLSv1 ALERT: fatal, description = handshake_failure
    Thread-5, WRITE: TLSv1 Alert, length = 2
    Thread-2, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeEx
    ception: no cipher suites in common
    javax.net.ssl.SSLHandshakeException: no cipher suites in common
    at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:9
    92)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineI
    mpl.java:459)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineIm
    pl.java:1054)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:10
    26)
    at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:411)
    at RadiusServerSimulator.EAPModule.EAPTLSMethod.buildReq(EAPTLSMethod.ja
    va:153)
    at RadiusServerSimulator.EAPModule.EAPStateMachine.methodRequest(EAPStat
    eMachine.java:358)
    at RadiusServerSimulator.EAPModule.EAPStateMachine.run(EAPStateMachine.j
    ava:262)
    at java.lang.Thread.run(Thread.java:595)
    Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1
    352)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:164)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(Serve
    rHandshaker.java:638)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHands
    haker.java:450)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHa
    ndshaker.java:178)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:4
    95)
    at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:437)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.
    java:930)
    ... 1 more

    I am developing a simple client/server SSL app using sdk 1.4 (no SSLEngine) and am faced with the same problem. Could anybody track down the problem further?

  • Can dot1x authetication relayed by ACSv4.2 to another RADIUS Server ?

    Dear all,
    I'm doing dot1x authentication with ACSv4.2 , my goal is the dot1x authentication request (EAP-MD5) is relayed to another RADIUS Server by ACSv4.2.
    I'd configured the ACS to use External Database with Radius Token Server, but it did not work. With the same configuration , the login authentication is relayed correctly.
    Can dot1x authetication relayed by ACSv4.2 to another RADIUS Server ?
    Jerry

    I think it is possible because Extensible Authentication Protocol (EAP), provides the ability to deploy RADIUS into Ethernet network environments. The 802.1x standard, also known as EAP over LAN (EAPoL), concerns the part of the wider EAP standard that relates to broadcast media networks. Upon connection, EAPoL provides a communications channel between an end user on a client LAN device to the AAA server through the LAN switch. The functionality is similar to what Point-to-Point Protocol (PPP) servers on point-to-point links provide.
    Hope the following URL helps you:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/configuration/guide/deploy.html
    Following URL explains about enhanced login features in ACS 4.2
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/configuration/guide/new_feats.html#wp1011240

Maybe you are looking for

  • TimeMachine refuses to make backups (backup volume could not be found)

    Let me start by saying that I'm new to Macs, so if you're going to make suggestions involving strange and arcane steps in Terminal (which I'm completely open to trying), please try to be as clear as possible When I set up my new iMac, everthing worke

  • 404 Not Found, the requested resource does not exist

    Hi gurus, We're faciing an issue where when we submit data back to the SRM shopping cart from the MDM catalog UI, we intermittently get a "404 Not Found, the request resource does not exist" error page. Below is the HTTP trace upon item checkout: POS

  • IMessage is disabled automatically

    Hey all, My iMessage service will disable itself after I turn on. The scenario is like this: 1. I registerd my iMessage with my Apple ID and toggled iMessage on in Setting 2. I am able to send the iMessage. 3. After few week, I found out the iMessage

  • NW04s SR2 Install error on Linux Fedora 7

    Hello I'm trying to install a Netweaver 04s SR2 (Java Stack, EP, EP Core ...) on a Fedora 7 box. I know it's not a supported platform but anyway, during phase 24 (Start central services instance), the installer stopped with the following error trace

  • New Macbook Pro - no quantise in my GB3!

    Hi - I just upgraded to MBP, got an audio interface that works, and now to get busy with GarageBand... first thing is to put down a rhythm track. The only thing is, I'm prone to making the odd timing error and when I went for the 'quantise'/'align to