Radius Support for AAA
I have a number of 3500XL and 2950 switches in the Enterprise. I was hoping to get away with MS Radius to control Authentication to the switches. I know these switches supported TACACS+. They do not seem to support Radius. Is there a certain revision of IOS required for these devices to support Radius?
If not, can anyone recommend a TACACS platform other than ACS? I think I read on this forum about a shareware version at one time?
Thank you
For the 3500XL use at least 12.0(5)WC11. It's important to supply
"Service-Type = Administrative-User" in the Access-Accept (not
necessary on routers with IOS >= 12.3).
The following test entries are for FreeRADIUS and work with
3500XL [12.0(5)WC1x] and 3550 [12.2]:
lvl15   Auth-Type := Local, User-Password == 'geheim'
        Service-Type = Administrative-User,
        cisco-avpair = "shell:priv-lvl=15"

lvl1    Auth-Type := Local, User-Password == 'geheim'
        Service-Type = Administrative-User,
        cisco-avpair = "shell:priv-lvl=1"
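Added example, not code from the thread or from FreeRADIUS: it encodes the two attributes the reply above relies on (Service-Type = Administrative-User and the cisco-avpair Vendor-Specific attribute, vendor 9 / type 1) into an Access-Accept, computes and checks the Response Authenticator a switch validates before trusting the reply, and reads the privilege level back out. The shared secret, packet id and request authenticator are constructed test values.

```python
import hashlib
import hmac
import struct

# Attribute numbers from RFC 2865; vendor 9 is Cisco's IANA enterprise number,
# sub-type 1 is Cisco-AVPair. Secret, id and request authenticator below are
# constructed test values.
ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE, ATTR_VENDOR_SPECIFIC, ADMINISTRATIVE_USER = 6, 26, 6
VENDOR_CISCO, CISCO_AVPAIR = 9, 1

def attr(atype: int, value: bytes) -> bytes:
    # One attribute on the wire: Type(1) Length(1) Value(<= 253 bytes)
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value

def service_type(value: int = ADMINISTRATIVE_USER) -> bytes:
    return attr(ATTR_SERVICE_TYPE, struct.pack("!I", value))  # 4-byte integer

def cisco_avpair(text: str) -> bytes:
    # Vendor-Specific: Vendor-Id(4) then Vendor-Type(1) Vendor-Length(1) String
    data = text.encode()
    sub = struct.pack("!BB", CISCO_AVPAIR, len(data) + 2) + data
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + sub)

def build_reply(code: int, ident: int, request_auth: bytes,
                secret: bytes, attrs: list) -> bytes:
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def verify_reply(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    # What the NAS checks before trusting an Access-Accept; a mismatch (wrong
    # shared secret, altered attributes) means the reply is silently dropped
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)

def parse_attrs(packet: bytes) -> list:
    # Walk the attribute list; a Cisco VSA is expanded to ("cisco-avpair", text)
    out, pos = [], 20
    while pos < len(packet):
        if (pos + 2 > len(packet) or packet[pos + 1] < 2
                or pos + packet[pos + 1] > len(packet)):
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if (atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6
                and struct.unpack("!I", value[:4])[0] == VENDOR_CISCO
                and value[4] == CISCO_AVPAIR):
            out.append(("cisco-avpair", value[6:4 + value[5]].decode()))
        else:
            out.append((atype, value))
        pos += alen
    return out

def priv_level(packet: bytes):
    # Privilege level the accept grants, or None when Service-Type =
    # Administrative-User (what the 3500XL needs) or shell:priv-lvl is absent
    attrs = parse_attrs(packet)
    if (ATTR_SERVICE_TYPE, struct.pack("!I", ADMINISTRATIVE_USER)) not in attrs:
        return None
    for name, value in attrs:
        if name == "cisco-avpair" and value.startswith("shell:priv-lvl="):
            return int(value.split("=", 1)[1])
    return None

if __name__ == "__main__":
    secret, req_auth = b"testing123", bytes(range(16))
    pkt = build_reply(ACCESS_ACCEPT, 3, req_auth, secret,
                      [service_type(), cisco_avpair("shell:priv-lvl=15")])
    print(verify_reply(pkt, req_auth, secret), priv_level(pkt))  # True 15
```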
Similar Messages
-
AAA Radius Authentication for Calling Card Platform
Hi,
I am using an AS5350 for a calling card application, with Clear Box as my RADIUS server for AAA. My question is: how would I know if the Cisco is sending the DTMF for "enter card number.au" to the RADIUS server? Is the card number included in the VSA? Below are my configuration and the debug info. The problem is that the card number I entered cannot be matched against the configuration in my Clear Box/SQL database. I want to know what I should expect the Cisco AS5350 to send as a VSA for enter_card_number.
aaa new-model
aaa group server radius ClearBox
server 192.168.1.1 auth-port 1812 acct-port 1813
aaa authentication login default local
aaa authentication login h323 group ClearBox
aaa authorization exec h323 group ClearBox
aaa accounting exec default start-stop group ClearBox
aaa accounting network default start-stop group ClearBox
aaa accounting connection h323 start-stop group ClearBox
aaa session-id unique
radius-server host 192.168.1.1 auth-port 1812 acct-port 1813
radius-server key 7 0355481F031F761D
radius-server vsa send accounting
radius-server vsa send authentication
call application voice prepaid tftp://192.168.1.2/debitcard-multi-lang-Cisco.1.1.0.2.tcl
call application voice prepaid pin-len 10
call application voice prepaid warning-time 300
call application voice prepaid redirect-number 8662195822
call application voice prepaid language 1 en
call application voice prepaid language 2 sp
call application voice prepaid language 3 ch
call application voice prepaid set-location en 0 tftp://192.168.1.2/prompts/
call application voice prepaid set-location sp 0 tftp://192.168.1.2/prompts/
call application voice prepaid set-location ch 0 tftp://192.168.1.2/prompts/
gw-accounting aaa
==================================================
Getting session id for NET(00003600) : db=6418E654
AA/ACCT/NET(00003600): add, count 1
Getting session id for NET(00003601) : db=6410D098
AAA/ACCT/NET(00003601): add, count 1
AAA/ACCT/CONN(00003601): Pick method list 'h323'
AAA/ACCT/SETMLIST(00003601): Handle 94000002, mlist 62D3B124, Name h323
Getting session id for CONN(00003601) : db=6410D098
AAA/ACCT/CONN(00003601): Queueing record is START
AAA/ACCT(00003601): Accouting method=ClearBox (RADIUS)
AAA/ACCT/EVENT/(00003601): ATTR ADD
AAA/ACCT/CONN(00003601): START protocol reply PASS
AAA/ACCT/EVENT/(00003601): VOICE DOWN
AAA/ACCT/HC(00003601): Update VOICE/000020D3
AAA/ACCT/HC(00003601): VOICE/000020D3 [sess] (rx/tx) base 0/0 pre 0/0 call 0/0
AAA/ACCT/HC(00003601): VOICE/000020D3 [sess] (rx/tx) adjusted, pre 0/0 call 0/0
AAA/ACCT/CONN(00003601): Queueing record is STOP osr 1
AAA/ACCT(00003601): del node, session 174133
AAA/ACCT/CONN(00003601): free_rec, count 1
AAA/ACCT/CONN(00003601): Setting session id 174144 : db=6410D098
AAA/ACCT/HC(00003601): Update VOICE/000020D3
AAA/ACCT/HC(00003601): Deregister VOICE/000020D3
AAA/ACCT/EVENT/(00003601): CALL STOP
AAA/ACCT/CALL STOP(00003601): Sending stop requests
AAA/ACCT(00003601): Send all stops
AAA/ACCT/NET(00003601): STOP
AAA/ACCT/NET(00003601): Method list not found
AAA/ACCT/CONN(00003601): STOP protocol reply PASS
AAA/ACCT/CONN(00003601) Record not present
VSAs are collected by the RADIUS server during the accounting process when AAA is configured with the Debit Card feature. Data items are collected for each call leg created on the gateway. A call leg is the internal representation of a connection on the gateway. Each call made through the gateway consists of two call legs: incoming and outgoing. The call leg information emitted by the gateways can be correlated by the connection ID, which is the same for all call legs of a connection.
Use the H.323 VSA method of accounting when configuring the AAA application.
There are two modes:
• Overloaded Session-ID
Use the gw-accounting h323 syslog command to configure this mode.
• VSA
Use the gw-accounting h323 vsa command to configure this mode. -
WAP 121 support for RADIUS COA
Hi,
I am looking into purchasing WAP121 AP product and understand it supports 802.1x RADIUS.
For an integration with the NAC product from Bradford, I need to know if the WAP121 supports the RADIUS CoA standard, or at least whether there is a way to disassociate a client through a CLI command.
Thanks in advance.
-chang
Dear Chang,
Thank you for reaching the Small Business Support Community.
None of the Small Business access points support RADIUS CoA or have CLI access; they are all GUI-configurable devices with just the RADIUS feature.
I suggest you look for an enterprise device and inquire about this feature on the wireless support community forum:
https://supportforums.cisco.com/community/netpro/wireless-mobility
Please do not hesitate to reach me back if there is any further assistance I may help you with.
Kind regards,
Jeffrey Rodriguez S. .:|:.:|:.
Cisco Customer Support Engineer
*Please rate the Post so others will know when an answer has been found. -
Secure-ACS: Special RADIUS-Attributes for Enterasys E7
Hi,
we were running a pretty old version of the Cisco Secure ACS for AAA of our network devices.
Unfortunately the server crashed and we had to install and set it up on a new server.
Using TACACS+ for our Cisco devices works fine.
We have a couple of switches made by a vendor called Nexans, which only support RADIUS - this works fine too.
Furthermore we still have some Enterasys E7 and with those RADIUS doesn't work at all.
Sniffing the packets, everything looks good.
With the old server it worked well.
Does anybody know if there are special configurations (e.g. attributes) when configuring an ACS for Enterasys RADIUS-Clients?
Thanks,
Rolf
We have this configuration and it works fine with our network, and it also associates in a good manner the policy which we have configured on Enterasys in this way:
Filter-Id ===>
Enterasys:version=1:mgmt=su:policy=Administrator
After we made the update to ACS 5, the "ASA" considers this Filter-Id as an access-list, so it takes the field after the Filter-Id as the name of the ACL and disconnects the VPN connection.
Could someone help me to resolve that. -
Adobe recommends: Enhanced support for CSS3 in Dreamweaver CS5.5
Over the past week, we publicized some high-value content from adobe.com and other community sites. Hopefully you enjoyed these posts and found the resources useful. Today is our last day of the "Adobe Recommends" series.
Continuing our trip along the CSS highway, we now move to CSS3 with our next recommendation, by Preran Kurnool:
Enhanced support for CSS3 in Dreamweaver CS5.5
This blog post takes you through using box shadow, text shadow, border radius, and border image properties in Dreamweaver CS5.5.
Give it a spin and let us know what you think!
Previous recommendation threads:
Use Dreamweaver CS 5.5 to package your web application for iOS and Android devices
Customizing a Spry Menu Bar widget
Spry Menu Bar resources
Layout 101
CSS page layout basics
New CSS features in Dreamweaver CS5
Automatically attaching style sheets to new documents
Aegis Kleais wrote:
Sorry, Al, but I couldn't disagree more. Where I respect the fact that, as coders, we're rather ingrained with our workflow processes and, at times, hesitant to change, I've found LESS' benefits to be very worthwhile.
No need to apologize. Preprocessing is a topic on which there are differing opinions. You have one. I have one. There are advocates:
http://blog.urbaninsight.com/2012/04/12/ten-reasons-you-should-be-using-css-preprocessor
There are those who are not sold:
http://blog.millermedeiros.com/the-problem-with-css-pre-processors/
http://www.skybondsor.com/blog/css-preprocessors
There are those mostly sold:
http://css-tricks.com/musings-on-preprocessing/
There are even those who have been converted (but who might reverse at some later point):
http://cognition.happycog.com/article/preprocess-this
Heck, even I might be converted someday - or not
Bottom line for me, right now? I know I can write CSS that is better than most, more efficient than most, and easier to follow than most, and a preprocessor would add unwanted complexity. But that's for me. For someone not able to be organized intuitively, or for a large - but carefully coordinated - team, a preprocessor could be a positive.
But not for me.
There are evolving trends - popular aspects of the technology that may and should find themselves being adapted into CSS. But I've been around this business as long as CSS has. I've seen buzzwords and trends and I've historically been spot-on in predicting the one that will stick. I think preprocessing will stick - but only insofar as it will be a catalyst for features in future versions of CSS. As a separate technology it makes no sense - to me -
Cisco 5508-WLC using MS NPS as RADIUS Server for EAP-TLS
Has anyone experienced a problem getting a Cisco WLC to work with an MS NPS server? We've done it before, albeit with different code versions.
I have a Cisco 5508 WLC running 7.0.116.0 code hosting a WLAN configured for WPA2 with 802.1x for authentication. I have two Windows NPS servers configured as the RADIUS servers for EAP-TLS authentication. Via debug info on the WLC I can see the 802.1x handshake take place with the wireless client and the WLC as well as a successful transmission of an Authentication Packet from the WLC to one of the RADIUS servers. However on the WLC I see repeated RADIUS server x.x.x.x:1812 deactivated in global list and on the NPS server I'm seeing event log errors indicating "The Network Policy Server discarded the request for a user" along with the pertinent auth request info that I would expect the NPS server to receive from the WLC.
Based on the WLC debug info I'm never actually getting to the EAP-TLS certificate authentication part. It seems the NPS servers don't like the format of the initial RADIUS authentication request coming from the WLC and so don't respond, which in turn causes the WLC to switch to the other NPS server, which produces the same issue.
Any ideas of what might be the issue or misconfiguration?
Jim,
I wanted to know if you can setup wireshark on both of the boxes and see if your are hitting the following bug:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCti91044
It looks as if the WLC is retransmitting the client traffic from one radius session with the primary over to the secondary, in which case the radius State attribute that was assigned by the primary server is probably hitting the secondary server. Therefore, if the State attribute wasn't assigned by the secondary server, it will discard the packet.
May need to open a TAC case to see if this issue is on the 550x controllers also.
Thanks,
Tarik -
Radius server for 802.1x port authentication
Does anybody know if CiscoSecure for Unix version 2.3.6.2 can be used as a Radius server for 802.1x port authentication? I know the Windows version will do this and can be configured to assign a user to a specific VLAN, but can the UNIX software do the same?
Thanks
Check connectivity between the PIX and the server.
If the server is outside the PIX, verify that it is specified in the (if_name) parameter of the aaa-server command. In the example below, the (if_name) parameter represents outside.
aaa-server group_tag (if_name) host server_ip key timeout 5
If you are using TACACS+, verify that the PIX and server are communicating on the same port (Transmission Control Protocol (TCP)/49).
If you are using RADIUS, verify that the PIX and server are communicating on User Datagram Protocol (UDP) port 1645. Or, if the RADIUS server is using port 1812, verify that the PIX is using software version 6.0 or later, and then issue the aaa-server radius-authport 1812 command to specify port 1812.
Ensure that the secret key is correct.
Check the server logs for failed attempts. All servers have some kind of logging function. -
802.1X for wired environments using Radius/ACS for Dynamic Vlan Assignment
Could someone please provide me with the simplest set of configuration steps to fire up Radius in ACS and 802.1X for dynamic VLAN assignment? The objective is to roll out NAC L2 OOB using the 802.1X method for dynamic VLAN assignments.
If possible show:
1. ACS/Radius Configurations.
2. End User Switch Configurations
Variables:
Switch A
MAC Address aaaa.bbbb.cccc Vlan 10
bbbb.cccc.dddd Vlan 20
Also, if someone posts the Pros and Cons of using Radius/ACS/802.1X for Dynamic Vlan Assignments.
Other technology sets that can be used for Dynamic Vlan assignment EXCEPT from deprecated/obsolete VMPS.
Thanks in advance.
Hi Guys,
Hmmm, well if you're just looking for MAC-based authentication the good news is that it is very easy. Just create your Radius server: ACS, FreeRadius, Steelbelted Radius etc. Then create a user with the name of the MAC address; in other words, if the MAC address is 0012.0021.1122 then the name would be 001200211122 and the password would be the MAC address. Then you set the VLAN and tunnel stuff, like so: Tunnel-Type would be VLAN, Tunnel-medium would be 802 and Tunnel-Private-Group-ID is the name of the VLAN (not the VLAN number).
So for the Cisco ACS 4.x you would create a user as specified above, fill in all the password boxes with MAC address, I believe the mac has to be all lower case in the name and the password. Then check the Separate(Chap/MS-Chap/ARAP) box. Then you pick the group the machine belongs to, the group is the part that defines what vlan it is on.
Before you create the user, create the group with info I wrote above and in addition specify the Service-Type as Authenticate Only.
Freeradius is a bit harder to configure the specifics and I am just now testing a freeradius server so I do not know the process for Machine authentication.
If, however, you are trying to authenticate a user that gets a bit trickier and is not so straight forward. -
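Added example, not code from the thread or from any RADIUS server: it builds the three RFC 2868 tunnel attributes the reply above lists for dynamic VLAN assignment (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = VLAN name) and parses them back, applying the tag rule that trips up hand-written server entries: a first byte above 0x1F in Tunnel-Private-Group-ID is part of the name, not a tag. VLAN names and tag numbers are constructed values.

```python
import struct

# RFC 2868 tunnel attributes used for 802.1X dynamic VLAN assignment.
# Numbers come from the RFC; the VLAN names and tags used are constructed.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6

def attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value

def tagged_int(atype: int, value: int, tag: int = 1) -> bytes:
    # Tagged integer: Tag(1) + 3-byte value; tags are 0x00..0x1F (0 = untagged)
    if not 0 <= tag <= 0x1F or value >= 1 << 24:
        raise ValueError("tag or value out of range")
    return attr(atype, bytes([tag]) + value.to_bytes(3, "big"))

def tagged_string(atype: int, text: str, tag: int = 1) -> bytes:
    return attr(atype, bytes([tag]) + text.encode())

def vlan_assignment(vlan_name: str, tag: int = 1) -> bytes:
    # The three attributes the post lists, all carrying the same tag so a
    # switch can group them: Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802,
    # Tunnel-Private-Group-ID = VLAN name
    return (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802, tag)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, vlan_name, tag))

def parse_tunnel_attrs(data: bytes) -> dict:
    # Returns {(attr, tag): value}. For Tunnel-Private-Group-ID a first byte
    # above 0x1F is part of the string, not a tag (RFC 2868 section 3.6)
    out, pos = {}, 0
    while pos < len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 3 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        value = data[pos + 2:pos + alen]
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            out[(atype, value[0])] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            if value[0] <= 0x1F:
                out[(atype, value[0])] = value[1:].decode()
            else:
                out[(atype, 0)] = value.decode()
        pos += alen
    return out

def assigned_vlan(data: bytes):
    # The VLAN name a switch would apply, or None when no Tunnel-Private-Group-ID
    # shares its tag with Tunnel-Type = VLAN and Tunnel-Medium-Type = IEEE-802
    attrs = parse_tunnel_attrs(data)
    for (atype, tag), name in attrs.items():
        if atype != TUNNEL_PRIVATE_GROUP_ID:
            continue
        ok_type = attrs.get((TUNNEL_TYPE, tag)) == TUNNEL_TYPE_VLAN
        ok_medium = attrs.get((TUNNEL_MEDIUM_TYPE, tag)) == MEDIUM_IEEE_802
        if ok_type and ok_medium:
            return name
    return None
```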
Cannot get SG300 switch to send RADIUS messages for 802.1x
I want to eventually configure the SG300 to authenticate wired clients with 802.1x and Microsoft NPS (RADIUS). I am currently testing this setup using a single port (Port 7) on my SG300, a test machine, and an AD based Network Policy Server.
The problem I have is that when I change the Administrative Port Control for Port 7 to Force Authorized, I see this log entry:
Informational %SEC-I-PORTAUTHORIZED: Port gi7 is Authorized
And then when I change the port control to Auto the port immediately changes to Unauthorized and I see this log entry:
Warning %SEC-W-PORTUNAUTHORIZED: Port gi7 is unAuthorized
However I never see any RADIUS messages being sent from the SG300 to my RADIUS server or from the SG300 to the test machine plugged into port 7. I am using WireShark on my RADIUS server to watch for messages from the SG300 IP Address and I'm using WireShark on a second test machine that is configured to monitor the NIC card in the test machine plugged into port 7 (I'm using Hyper-V and its facilities for this NIC monitoring setup.)
Here is my configuration:
Switch - 10.1.1.3
RADIUS (Microsoft NPS)- 10.1.1.15
Switch Usage Type - All (Login and 802.1x)
Port 7 configuration:
VLAN Mode is General
Host Authentication is Single Host Authentication
Administrative Port Control is Auto
RADIUS VLAN Assignment is Disabled
Guest VLAN is Enabled
802.1x Based Authentication is Enabled
Additional Configurations under Security - 802.1x/MAC/Web Authentication:
Port Based Authentication is Enabled
Authentication Method is RADIUS
Guest VLAN is Enabled
Guest VLAN ID is 2
All of my VLANs are enabled for Authentication
I've got to be missing something but I do not know what that something is.
One last note:
The SG300 uses the same RADIUS server for management console access and it works without problem. When I log into the switch, WireShark shows the RADIUS messages from the switch to the RADIUS server and back. So I know RADIUS is configured correctly on the switch.
Hi,
This is my working configuration where port gi3 has DVA configured as well. You might skip port gi3 but please compare to your config:
interface gi3
dot1x host-mode multi-sessions
exit
vlan database
vlan 30,100
exit
interface vlan 100
dot1x guest-vlan
exit
dot1x system-auth-control
interface range gi1,gi3
dot1x reauthentication
exit
interface range gi1,gi3
dot1x mac-authentication mac-only
exit
interface gi3
dot1x radius-attributes vlan
exit
interface range gi1,gi3
dot1x guest-vlan enable
exit
interface gigabitethernet1
dot1x port-control auto
exit
interface gigabitethernet3
dot1x port-control auto
exit
radius-server host 192.168.1.122 priority 1
radius-server key testing123
aaa authentication dot1x default radius
switch3ba5e1#
Regards,
Aleksandra -
RADIUS Authentication for Enable PW
Hi Everyone,
I have my RADIUS authentication working for login passwords but not for the enable password. My config is below;
aaa new-model
aaa authentication login default group radius local
aaa accounting network default start-stop group radius
When I add the command;
aaa authentication enable default group radius enable
I would expect it to allow me to enter my RADIUS password for the enable one too, but it doesn't. Nor does it allow me to enter the locally configured one?
Any help would be great,
Thanks,
Dan
Thanks for your reply Rick,
The debug output is below;
L2-SW01>
00:03:02: RADIUS: Authenticating using $enab15$
00:03:02: RADIUS: ustruct sharecount=1
00:03:02: RADIUS: Initial Transmit tty0 id 3 x.x.x.x:1812, Access-Request,
len 72
00:03:02: Attribute 4 6 AC14024F
00:03:02: Attribute 5 6 00000000
00:03:02: Attribute 61 6 00000000
00:03:02: Attribute 1 10 24656E61
00:03:02: Attribute 2 18 524FB069
00:03:02: Attribute 6 6 00000006
00:03:02: RADIUS: Received from id 3
x.x.x.x:1812, Access-Reject, len 20
00:03:02: RADIUS: saved authorization data for user E49424 at 93C6DC
L2-SW01>
L2-SW01>
I am using IAS for RADIUS authentication and I cannot find any option to say "allow enable access".
Any ideas?
Cheers,
Dan -
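Added example (not code from the post): a small parser for the `debug radius` lines Dan posted above. It decodes the attributes IOS printed (IOS shows only the first four value bytes of each) and flags what a defender should check: the switch sends the enable request as user $enab15$ with Service-Type = Administrative-User, and the server answered Access-Reject, so the RADIUS server needs an account of exactly that name. The debug lines are copied from the post with the wrapped lines joined.

```python
import re
import struct

# Lines copied from the `debug radius` output in the post above, with the
# wrapped lines joined; IOS prints only the first four bytes of each value.
DEBUG_OUTPUT = """\
00:03:02: RADIUS: Authenticating using $enab15$
00:03:02: RADIUS: Initial Transmit tty0 id 3 x.x.x.x:1812, Access-Request, len 72
00:03:02: Attribute 4 6 AC14024F
00:03:02: Attribute 5 6 00000000
00:03:02: Attribute 61 6 00000000
00:03:02: Attribute 1 10 24656E61
00:03:02: Attribute 2 18 524FB069
00:03:02: Attribute 6 6 00000006
00:03:02: RADIUS: Received from id 3 x.x.x.x:1812, Access-Reject, len 20
"""

ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 6: "Service-Type", 61: "NAS-Port-Type"}
SERVICE_TYPES = {1: "Login", 2: "Framed", 6: "Administrative-User",
                 7: "NAS-Prompt", 8: "Authenticate-Only"}
ATTR_RE = re.compile(r"Attribute (\d+) (\d+) ([0-9A-Fa-f]{2,8})")

def decode_attr(atype, alen, hex4):
    # Render the bytes IOS showed; alen counts the 2-byte Type/Length header
    raw = bytes.fromhex(hex4)
    if atype == 4 and len(raw) == 4:
        return ".".join(str(b) for b in raw)
    if atype == 6 and len(raw) == 4:
        code = struct.unpack("!I", raw)[0]
        return SERVICE_TYPES.get(code, str(code))
    if atype == 1:
        text = raw.decode("ascii", "replace")
        return text + ("..." if alen - 2 > len(raw) else "")
    if atype == 2:
        return f"<{alen - 2} bytes, obfuscated with the shared secret>"
    return hex4

def summarize(debug_text):
    # Pull out the user IOS says it used, the decoded attributes and the reply
    summary = {"user": None, "attrs": {}, "reply": None}
    for line in debug_text.splitlines():
        m = re.search(r"Authenticating using (\S+)", line)
        if m:
            summary["user"] = m.group(1)
            continue
        m = ATTR_RE.search(line)
        if m:
            atype, alen, hex4 = int(m.group(1)), int(m.group(2)), m.group(3)
            name = ATTR_NAMES.get(atype, f"Attr-{atype}")
            summary["attrs"][name] = (alen, decode_attr(atype, alen, hex4))
            continue
        m = re.search(r"Received from id \d+ .*?, (Access-\w+)", line)
        if m:
            summary["reply"] = m.group(1)
    return summary

def findings(summary):
    # Checks worth doing before touching the server: does User-Name match
    # the name IOS claims, and did the server reject the enable user?
    out, user, attrs = [], summary["user"], summary["attrs"]
    uname = attrs.get("User-Name")
    if user and uname and uname[0] - 2 != len(user):
        out.append("User-Name length does not match the name IOS says it used")
    if user and user.startswith("$enab") and summary["reply"] == "Access-Reject":
        out.append(f"server rejected enable user {user}: it needs an account "
                   "of exactly that name; its password becomes the enable password")
    return out
```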
Radius authentication for privileged access
Hello,
I have configured Cisco 6513 for radius authentication with following commands.
aaa new-model
aaa authentication login authradius group radius line
aaa accounting exec acctradius start-stop group radius
radius-server host <radius-ip> auth-port 1812 acct-port 1646 key 6912911
line vty 0 4
accounting exec acctradius
login authentication authradius
This is working pretty fine. I want to configure radius authentication for privileged access / for enable access.
I am using TeKRadius as Radius server.
Please help.
Thanks and Regards,
Pratik
Hi Pratik
Sorry I mostly use only TACACS+ for AAA as it provides better granularity of access controls.
You'll need to make some specific changes to your RADIUS config so that nominated users ( the ones you want to be able to go to enable mode ) get put straight into enable mode upon login.
There's a guide here http://www.blindhog.net/cisco-aaa-login-authentication-with-radius-ms-ias/ which details the steps if you're using the Microsoft IAS radius server - you should be able to figure out the changes you need to make to your own server from there.
Nick
Message was edited by: NickNac79 - Spelt the OP's name wrong, sorry. -
WLC 5500 support for Diameter protocol?
We have been having issues with wireless user authentication (sessions start/die). Multiple authentications are sometimes needed for end users to connect. We use 802.1x to Microsoft Radius in server 2008 R2, and it's flaky. I've read up on the Diameter protocol, and it looks like it would be very good to use. However, our WLC 5508's only support the normal (and very old UDP version) of Radius.
Does Cisco plan on enhancing the software to be able to support Diameter in the future?
That is something you would need to ask your Cisco SE about. I haven't heard anything regarding future support for that, but that doesn't mean it will not happen.
As far as your current deployment, I have many customers who are using Microsoft IAS and NPS for radius with no issues like what you are having. You need to understand why they are not connecting right away. Many times it can be how the WLAN is configured or driver-related issues.
-Scott -
Identity Services Engine (ISE) support for the WLC 2500
Is the ISE going to support the 2500 series Wireless LAN Controller (WLC)? If yes, in what release, and approximately when is that due to be released?
Your question is disturbing. ISE is (amongst other things) a radius server. WLC 2500 can use radius servers for authentication. So it's supported.
Any device doing radius is supported with ISE ...
Now you are maybe referring to a particular feature in ISE ? -
ACS Server - Support for three separate company networks
I am looking into purchasing an ACS 3.3 server to support 3 networks in my organization. Here are my requirements:
- One ACS server running TACACS and RADIUS supporting three networks
- each network has a common group of administrators that require various level of access
- some administrators require access to all three networks, some one, some two
How can I configure each group of users to only have access to their respective networks? What attributes do I use to distinguish the networks for each group of users?
I think ACS can do this from the reading I have done but need assurance.
Thanks
You could see the documentation for the configuration examples here: www.cisco.com/techsupport/ --------> guest ---------> product support ----------> Security and VPNs -------------> search for ACS 3.3, check for release notes as well as for configuration examples. You can select view all documents.
Also, www.cisco.com/techsupport -----> Select ACS from the drop down menu under Security. -
Radius Attributes for WAP321 AP
Hi
Is there a list with the supported radius attributes for wlan-user-authentication? Now I have the following freeradius entry in my users file:
DEFAULT Ldap-Group == 'wlanusers', Huntgroup-Name == 'accesspoint'
        Service-Type := Login,
        Fall-Through := No
But it doesn't work. Have I forgotten some attributes?
thx for any help
Matthias
Hi,
Can you please take a screenshot of your configuration and attach it so that it can be used to root cause the issue.
Regards,
Phanikrishna