Radius Support for AAA

I have a number of 3500XL and 2950 switches in the Enterprise. I was hoping to get away with MS Radius to control Authentication to the switches. I know these switches supported TACACS+. They do not seem to support Radius. Is there a certain revision of IOS required for these devices to support Radius?
If not, can anyone recommend a TACAS platform other than ACS? I think I read on this forum a shareware version at one time?
Thank you

For the 3500XL use at least 12.0(5)WC11, it's important to supply
"Service-Type = Administrative-User" in the Access-Accept (not
necessary on routers with IOS >= 12.3)
The following test entries are for FreeRADIUS and work with
3500XL [12.0(5)WC1x] and 3550 [12.2]:
lvl15 Auth-Type:= Local, User-Password == 'geheim'
Service-Type = Administrative-User,
cisco-avpair = "shell:priv-lvl=15"
lvl1 Auth-Type:= Local, User-Password == 'geheim'
Service-Type = Administrative-User,
cisco-avpair = "shell:priv-lvl=1"

Similar Messages

  • AAA Radius Authentication for Calling Card Platform

    Hi,
    I am using AS5350 and I am using it for calling card application using Clear Box as my RADIUS Server for AAA. My question now, how would I know if cisco is sending the dtmf for "enter card number.au" on the RADIUS server ? Does the card number included on the VSA ? below are my configurations and the debug info. The problem here is that the card number that I entered doesn't able to match against the configuration on my Clear Box/SQL Database. I want to know what should I expect from CiscoAS5350 to send a vsa for enter_card_number ?
    aaa new-model
    aaa group server radius ClearBox
    server 192.168.1.1 auth-port 1812 acct-port 1813
    aaa authentication login default local
    aaa authentication login h323 group ClearBox
    aaa authorization exec h323 group ClearBox
    aaa accounting exec default start-stop group ClearBox
    aaa accounting network default start-stop group ClearBox
    aaa accounting connection h323 start-stop group ClearBox
    aaa session-id unique
    radius-server host 192.168.1.1 auth-port 1812 acct-port 1813
    radius-server key 7 0355481F031F761D
    radius-server vsa send accounting
    radius-server vsa send authentication
    call application voice prepaid tftp://192.168.1.2/debitcard-multi-lang-Cisco.1.1.0.2.tcl
    call application voice prepaid pin-len 10
    call application voice prepaid warning-time 300
    call application voice prepaid redirect-number 8662195822
    call application voice prepaid language 1 en
    call application voice prepaid language 2 sp
    call application voice prepaid language 3 ch
    call application voice prepaid set-location en 0 tftp://192.168.1.2/prompts/
    call application voice prepaid set-location sp 0 tftp://192.168.1.2/prompts/
    call application voice prepaid set-location ch 0 tftp://192.168.1.2/prompts/
    gw-accounting aaa
    ==================================================
    Getting session id for NET(00003600) : db=6418E654
    AA/ACCT/NET(00003600): add, count 1
    Getting session id for NET(00003601) : db=6410D098
    AAA/ACCT/NET(00003601): add, count 1
    AAA/ACCT/CONN(00003601): Pick method list 'h323'
    AAA/ACCT/SETMLIST(00003601): Handle 94000002, mlist 62D3B124, Name h323
    Getting session id for CONN(00003601) : db=6410D098
    AAA/ACCT/CONN(00003601): Queueing record is START
    AAA/ACCT(00003601): Accouting method=ClearBox (RADIUS)
    AAA/ACCT/EVENT/(00003601): ATTR ADD
    AAA/ACCT/CONN(00003601): START protocol reply PASS
    AAA/ACCT/EVENT/(00003601): VOICE DOWN
    AAA/ACCT/HC(00003601): Update VOICE/000020D3
    AAA/ACCT/HC(00003601): VOICE/000020D3 [sess] (rx/tx) base 0/0 pre 0/0 call 0/0
    AAA/ACCT/HC(00003601): VOICE/000020D3 [sess] (rx/tx) adjusted, pre 0/0 call 0/0
    AAA/ACCT/CONN(00003601): Queueing record is STOP osr 1
    AAA/ACCT(00003601): del node, session 174133
    AAA/ACCT/CONN(00003601): free_rec, count 1
    AAA/ACCT/CONN(00003601): Setting session id 174144 : db=6410D098
    AAA/ACCT/HC(00003601): Update VOICE/000020D3
    AAA/ACCT/HC(00003601): Deregister VOICE/000020D3
    AAA/ACCT/EVENT/(00003601): CALL STOP
    AAA/ACCT/CALL STOP(00003601): Sending stop requests
    AAA/ACCT(00003601): Send all stops
    AAA/ACCT/NET(00003601): STOP
    AAA/ACCT/NET(00003601): Method list not found
    AAA/ACCT/CONN(00003601): STOP protocol reply PASS
    AAA/ACCT/CONN(00003601) Record not present

    VSAs are collected by the RADIUS server during the accounting process when AAA is configured with the Debit Card feature. Data items are collected for each call leg created on the gateway. A call leg is the internal representation of a connection on the gateway. Each call made through the gateway consists of two call legs: incoming and outgoing. The call leg information emitted by the gateways can be correlated by the connection ID, which is the same for all call legs of a connection.
    Use the H.323 VSA method of accounting when configuring the AAA application.
    There are two modes:
    •Overloaded Session-ID
    Use the gw-accounting h323 syslog command to configure this mode.
    •VSA
    Use the gw-accounting h323 vsa command to configure this mode.

  • WAP 121 support for RADIUS COA

    Hi,
    I am looking into purchasing WAP121 AP product and understand it supports 802.1x RADIUS.
    For an intergration with NAC product from Bradford, I need to know if WAP121 supports RADIUS COA standard or at least there is a way to disassociate a client through CLI command.
    Thanks in advance.
    -chang

    Dear Chang,
    Thank you for reaching the Small Business Support Community.
    None of the Small Business access points support the RADIUS CoA nor have CLI access, these are all GUI configurable devices with just the RADIUS feature.
    I suggest you to look for an eterprise device and inquire about this feature on the wireless support community forum;
    https://supportforums.cisco.com/community/netpro/wireless-mobility
    Please do not hesitate to reach me back if there is any further assistance I may help you with.
    Kind regards,
    Jeffrey Rodriguez S. .:|:.:|:.
    Cisco Customer Support Engineer
    *Please rate the Post so other will know when an answer has been found.

  • Secure-ACS: Special RADIUS-Attributes for Enterasys E7

    Hi,
    we were running a pretty old version of the  Cisco Secure ACS for AAA our network devices.
    Unfortunately the  server crashed an we had to install and set it up with a new server.
    Using  TACACS+ for our Cisco devices works fine.
    We have a couple of  switches made by a vendor called Nexans, which only support RADIUS -  this works fine too.
    Furthermore we still have some Enterasys E7  and with those RADIUS doesn't work at all.
    Sniffering the packets,  everything looks good.
    With the old server it worked well.
    Does  anybody know if there are special configurations (e.g. attributes) when  configuring an ACS for Enterasys RADIUS-Clients?
    Thanks,
    Rolf

    We have this configuration and works fine with our network and associate in a good manner also the policy which we have configured it on Enterasys in this way
    Filter-Id===>
    Enterasys:version=1:mgmt=su:policy=Administrator
    After we make the update to ACS 5, the "ASA" consider this filter-id as access-list so it consider the field after the filter-id as the name of the acl, and diconnect the VPN connection.
    Could soneone help me to resolve that.

  • Adobe recommends: Enhanced support for CSS3 in Dreamweaver CS5.5

    Over  the past week, we publicized some high-value content from adobe.com and other community sites. Hopefully you enjoyed these posts and found the resources useful. Today is our last day of the "Adobe Recommends" series.
    Continuing our trip along the CSS highway, we now move to CSS3 with our next recommendation, by Preran Kurnool:
    Enhanced support for CSS3 in Dreamweaver CS5.5
    This blog post takes you through using box shadow, text shadow, border radius, and border image properties in Dreamweaver CS5.5.
    Give it a spin and let us know what you think!
    Previous recommendation threads:
    Use Dreamweaver CS 5.5 to package your web application for iOS and Android devices
    Customizing a Spry Menu Bar widget
    Spry Menu Bar resources
    Layout 101
    CSS page layout basics
    New CSS features in Dreamweaver CS5
    Automatically attaching style sheets to new documents

    Aegis Kleais wrote:
    Sorry, Al, but I couldn't disagree more.  Where I respect the fact that, as coders, we're rather ingrained with our workflow processes and, at times, hesitant to change, I've found LESS' benefits to be very worthwhile.
    No need to apologize. Preprocessing is a topic on which there are differing opinions. You have one. I have one. There are advocates:
    http://blog.urbaninsight.com/2012/04/12/ten-reasons-you-should-be-using-css-preprocessor
    There are those who are not sold:
    http://blog.millermedeiros.com/the-problem-with-css-pre-processors/
    http://www.skybondsor.com/blog/css-preprocessors
    There are those mostly sold:
    http://css-tricks.com/musings-on-preprocessing/
    There are even those who have been converted (but who might reverse at some later point):
    http://cognition.happycog.com/article/preprocess-this
    Heck, even I might be converted someday - or not
    Bottom line for me, right now? I know I can write CSS that is better than most, more efficient than most, and easier to follow than most, and a preprocessor would add unwanted complexity. But that's for me. For someone not able to be organized intutively, or for a large - but carefully coordinated - team, a preprocessor could be a positive.
    But not for me.
    There are evolving trends - popular aspects of the technology that may and should find themselves being adapted into CSS. But I've been around this business as long as CSS has. I've seen buzzwords and trends and I've historically been spot-on in predicting the one that will stick. I think preprocessing will stick - but only insofar as it will be a catalyst for features in future versions of CSS. As a separate technology it makes no sense - to me

  • Cisco 5508-WLC using MS NPS as RADIUS Server for EAP-TLS

    Has anyone experienced a problem getting a Cisco WLC to work with MS NPS server? We've done it before albeit with differnt code versions.
    I have a Cisco 5508 WLC running 7.0.116.0 code hosting a WLAN configured for WPA2 with 802.1x for authentication.  I have two Windows NPS servers configured as the RADIUS servers for EAP-TLS authentication. Via debug info on the WLC I can see the 802.1x handshake take place with the wireless client and the WLC as well as a successful transmission of an Authentication Packet from the WLC to one of the RADIUS servers. However on the WLC I see repeated RADIUS server x.x.x.x:1812 deactivated in global list and on the NPS server I'm seeing event log errors indicating "The Network Policy Server discarded the request for a user"  along with the pertinent auth request info that I would expect the NPS server to receive from the WLC.
    Based on the WLC debug info I'm never actually getting to the EAP-TLS certificate authentication part. It seems the NPS servers don't like the format of the initial RADIUS authentication request coming from the WLC and so don't respond whcih in turn casues to WLC to switch to the other NPS server which produces the same issue.
    Any ideas of what might be the issue or misconfiguration?

    Jim,
    I wanted to know if you can setup wireshark on both of the boxes and see if your are hitting the following bug:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCti91044
    It looks as if the WLC is retransmitting the client traffic from one radius session with primary over to the secondary in which the radius state attribute that was assigned from the primary server is probably hitting the secondary server. Therefore if the state attribute isnt assigned from the secondary server it will discard the packet.
    May need to open a TAC case to see if this issue is on the 550x controllers also.
    Thanks,
    Tarik

  • Radius server for 802.1x port authentication

    Does anybody know if CiscoSecure for Unix version 2.3.6.2 can be used as a Radius server for 802.1x port authentication? I know the Windows version will do this and can be configured to assign a user to a specific VLAN, but can the UNIX software do the same?
    Thanks

    Check connectivity between the PIX and the server.
    If the server is outside the PIX, verify that it is specified in the (if_name) parameter of the aaa-server command. In the example below, the (if_name) parameter represents outside.
    aaa-server group_tag (if_name) host server_ip key timeout 5
    If you are using TACACS+, verify that the PIX and server are communicating on the same port (Transmission Control Protocol (TCP)/49).
    If you are using RADIUS, verify that the PIX and server are communicating on User Datagram Protocol (UDP) port 1645. Or, if the RADIUS server is using port 1812, verify that the PIX is using software version 6.0 or later, and then issue the aaa-server radius-authport 1812 command to specify port 1812.
    Ensure that the secret key is correct.
    Check the server logs for failed attempts. All servers have some kind of logging function.

  • 802.1X for wired environments using Radius/ACS for Dynamic Vlan Assignment

    Currently Being Moderated
    802.1X for wired environments  using Radius/ACS for Dynamic Vlan Assignment
    Could someone please provide me with a simplest set of configuration steps to fire up Radius in ACS and 802.1X for dynamic vlan assignment. The objective is to roll out NAC L2 OOB using the 802.1X method for dymamic vlan assignments.
    If possible show:
    1. ACS/Radius Configurations.
    2. End User Switch Configurations
    Variables:
    Switch A
    MAC Address aaaa.bbbb.cccc     Vlan 10
                bbbb.cccc.dddd     Vlan 20
    Also, if someone posts the Pros and Cons of using Radius/ACS/802.1X for Dynamic Vlan Assignments.
    Other technology sets that can be used for Dynamic Vlan assignment EXCEPT from deprecated/obsolete VMPS.
    Thanks in advance. .

    Hi Guys,
        Hmmm, well if your just looking for Mac based authentication the good news is that is very easy.  Just set create your Radius server, ACS, FreeRadius, Steelbelted radius etc.  Then create user with the name of the Mac address, in other words if the mac address is 0012.0021.1122 the the name would be 001200211122 and the password would be the mac address.  Then you set the vlan and tunnel stuff, like so tunnel-Type would be vlan, Tunnel-medium would be 802 and Tunnel-Private-Group-ID is the name of the vlan(not the vlan number)
       So for the Cisco ACS 4.x you would create a user as specified above, fill in all the password boxes with MAC address, I believe the mac has to be all lower case in the name and the password.  Then check the Separate(Chap/MS-Chap/ARAP) box.  Then you pick the group the machine belongs to, the group is the part that defines what vlan it is on.
       Before you create the user, create the group with info I wrote above and in addition specify the Service-Type as Authenticate Only.
        Freeradius is a bit harder to configure the specifics and I am just now testing a freeradius server so I do not know the process for Machine authentication.
        If, however, you are trying to authenticate a user that gets a bit trickier and is not so straight forward.

  • Cannot get SG300 switch to send RADIUS messages for 802.1x

    I  want to eventually configure the SG300 to authenticate wired clients with 802.1x and Microsoft NPS (RADIUS). I am currently testing this setup using a single port (Port 7) on my SG300, a test machine, and an AD based Network Policy Server.
    The problem I have is that when I change the Administrative Port Control for Port 7 to Force Authorized, I see this log entry:
    Informational %SEC-I-PORTAUTHORIZED: Port gi7 is Authorized
    And then when I change the port control to Auto the port immediately changes to Unauthorized and I see this log entry:
    Warning %SEC-W-PORTUNAUTHORIZED: Port gi7 is unAuthorized
    However I never see any RADIUS messages being sent from the SG300 to my RADIUS server or from the SG300 to the test machine plugged into port 7. I am using WireShark on my RADIUS server to watch for messages from the SG300 IP Address and I'm using WireShark on a second test machine that is configured to monitor the NIC card in the test machine plugged into port 7 (I'm using Hyper-V and its facilities for this NIC monitoring setup.)
    Here is my configuration:
    Switch - 10.1.1.3
    RADIUS (Microsoft NPS)- 10.1.1.15
    Switch Usage Type - All (Login and 802.1x)
    Port 7 configuration:
    VLAN Mode is General
    Host Authentication is Single Host Authentication
    Administrative Port Control is Auto
    RADIUS VLAN Assignment is Disabled
    Guest VLAN is Enabled
    802.1x Based Authentication is Enabled
    Additional Configurations under Security - 802.1x/MAC/Web Authentication:
    Port Based Authentication is Enabled
    Authentication Method is RADIUS
    Guest VLAN is Enabled
    Guest VLAN ID is 2
    All of my VLANs are enabled for Authentication
    I've got to be missing something but I do not know what that something is.
    One last note:
    The SG300 uses the same RADIUS server for management console access and it works without problem. When I log into the switch, WireShark shows the RADIUS messages from the switch to the RADIUS server and back. So I know RADIUS is configured correctly on the switch.

    Hi,
    This is my working configuration where port gi3 has DVA configured as well. You might skip port gi3 but please compare to your config:
    interface  gi3
    dot1x host-mode multi-sessions
    exit
    vlan database
    vlan 30,100
    exit
    interface vlan 100
    dot1x guest-vlan
    exit
    dot1x system-auth-control
    interface range gi1,gi3
    dot1x reauthentication
    exit
    interface range gi1,gi3
    dot1x mac-authentication mac-only
    exit
    interface  gi3
    dot1x radius-attributes vlan
    exit
    interface range gi1,gi3
    dot1x guest-vlan enable
    exit
    interface gigabitethernet1
    dot1x port-control auto
    exit
    interface gigabitethernet3
    dot1x port-control auto
    exit
    radius-server host 192.168.1.122 priority 1
    radius-server key testing123
    aaa authentication dot1x default radius
    switch3ba5e1#
    Regards,
    Aleksandra

  • RADIUS Authentication for Enable PW

    Hi Everyone,
    I have my RADIUS authentication working for login passwords but not for the enable password. My config is below;
    aaa new-model
    aaa authentication login default group radius local
    aaa accounting network default start-stop group radius
    When I add the command;
    aaa authentication enable default group radius enable
    I would expect it to allow me to enter my RADIUS pw for the enable one to, but it doesnt. Nor does it allow me to enter the locally configured one?
    Any help would be great,
    Thanks,
    Dan

    Thanks for your reply Rick,
    The debug output is below;
    L2-SW01>
    00:03:02: RADIUS: Authenticating using $enab15$
    00:03:02: RADIUS: ustruct sharecount=1
    00:03:02: RADIUS: Initial Transmit tty0 id 3 x.x.x.x:1812, Access-Request,
    len 72
    00:03:02: Attribute 4 6 AC14024F
    00:03:02: Attribute 5 6 00000000
    00:03:02: Attribute 61 6 00000000
    00:03:02: Attribute 1 10 24656E61
    00:03:02: Attribute 2 18 524FB069
    00:03:02: Attribute 6 6 00000006
    00:03:02: RADIUS: Received from id 3
    x.x.x.x:1812, Access-Reject, len 20
    00:03:02: RADIUS: saved authorization data for user E49424 at 93C6DC
    L2-SW01>
    L2-SW01>
    I am using IAS for RADIUS authentication and I cannot find any option to say "allow enable access".
    Any ideas?
    Cheers,
    Dan

  • Radius authentication for privileged access

    Hello,
              I have configured Cisco 6513 for radius authentication with following commands.
    aaa new-model
    aaa authentication login authradius group radius line
    aaa accounting exec acctradius start-stop group radius
    radius-server host <radius-ip> auth-port 1812 acct-port 1646 key 6912911
    line vty 0 4
    accounting exec acctradius
    login authentication authradius
         This is working pretty fine. I want to configure radius authentication for priviledged access / for enable access.
         I am using TeKRadius as Radius server.
         Please help.
    Thanks and Regards,
    Pratik

    Hi Pratik
    Sorry I mostly use only TACACS+ for AAA as it provides better granularity of access controls.
    You'll need to make some specific changes to your RADIUS config so that nominated users ( the ones you want to be able to go to enable mode ) get put straight into enable mode upon login.
    There's a guide here http://www.blindhog.net/cisco-aaa-login-authentication-with-radius-ms-ias/ which details the steps if you're using the Microsoft IAS radius server - you should be able to figure out that changes you need to make to your own server from there.
    Nick
    Message was edited by: NickNac79 - Spelt the OP's name wrong, sorry.

  • WLC 5500 support for Diameter protocol?

    We have been having issues with wireless user authentication (sessions start/die). Multiple authentications are sometimes needed for end users to connect. We use 802.1x to Microsoft Radius in server 2008 R2, and it's flaky. I've read up on the Diameter protocol, and it looks like it would be very good to use. However, our WLC 5508's only support the normal (and very old UDP version) of Radius.
    Does Cisco plan on enhancing the software to be able to support Diameter in the future?

    That is something you would need to ask your Cisco SE about. I haven't heard anything regarding future support for that, but that doesn't mean it will not happen. 
    Mad far as your current deployment, I have many customers who are using Microsoft IAS and NPS for radius with no issues like what you are having. It's something you need to understand why they are not connecting right away. Many times it can be how the WLAN is configured or driver related issues. 
    -Scott

  • Identity Services Engine (ISE) support for the WLC 2500

    Is the ISE going to support the 2500 series Wireless LAN Controller WLC? If yes in what release and appriximately when is that due to be released?

    Your question is disturbing. ISE is (amongst other things) a radius server. WLC 2500 can use radius servers for authentication. So it's supported.
    Any device doing radius is supported with ISE ...
    Now you are maybe referring to a particular feature in ISE ?

  • ACS Server - Support for three separate company networks

    I looking into purchasing a ACS 3.3 server to support 3 networks in my organization. Here are my requirements:
    - One ACS server running TACACS and RADIUS supporting three networks
    - each network has a common group of administrators that require various level of access
    - some adminstrators require access to all three networks, some one, some two
    How can I configure each group of users to only have access to their respective networks. What attributes do I use to destinguish the networks for each group of users.
    I think ACS can do this from the reading I have done but need assurance.
    Thanks

    You could see the documenation for the configuation examples here : " target="_blank">www.cisco.com/techsupport/--------> guest---------> product support ----------> Security and Vpns -------------> search for ACS 3.3, check for release notes as well as for configuration examples. You can select view all documents.
    Also, " target="_blank">www.cisco.com/techsupport-----> Select ACS from the drop down menu under Security.

  • Radius Attributes for WAP321 AP

    Hi
    Is there a list with the supported radius attributes for wlan-user-authentication? Now I have the following freeradius entry in my users file:
    DEFAULT Ldap-Group == 'wlanusers', Huntgroup-Name == 'accesspoint'
            Service-Type := Login,
            Fall-Through := No
    But it doesn't work. Have I forgotten some attributes?
    thx for any help
    Matthias

    Hi,
    Can you please take a screenshot of your configuiration and attach so that it will be used to root cause the issue.
    Regards,
    Phanikrishna

Maybe you are looking for