Radius
I've just added Radius Server to the list of services my OSX 10.6 Server provides. It sort of works, but I could do with some further advice from anyone who has more experience of this stuff.
What is WPA/WPA2 Enterprise? I do know what WPA is and also what the Enterprise bit means, but what is the full explanation of the above option. AFAIK, WPA uses TKIP, but WPA2 instead uses AES. So does WPA/WPA2 Enterprise mean Radius authenticated and either TKIP OR AES can be used?
How can I allow Guest access to the network?
The latest AirPorts have a Guest access option, but having configured them from the Radius server, I can no longer see that option. Does configuring them for Radius authentication eliminate that as an option within the AirPort itself?
I would think that allowing Guest access is done on the Radius server and I'd be really grateful for some advice on how to do this as Apple's documentation totally fails to mention it.
Can anyone advise how to connect a Windows Mobile (6.5) device to this wireless network? On the iPhone I tried to join the network of the correct name, filled in the dialog asking for login name and password and then accepted the suggested certificate and that was that - connected. Typically, Windows Mobile is somewhat different. I got to the point of it asking for the user name and password, but it also asks for the domain and I don't know what it is expecting there. I'm sure it's not the domain name, but tried it anyway and sure enough, it fails to connect. Leaving the domain field empty is no better. Again, anyone have any experience of connecting a Windows Mobile device to a network authenticated by a Radius server?
Thanks.
Just in case anybody is interested, after working with Cisco we have a temporary fix for this. The problem started happening after the Radius (AD) account password was changed.
I tried the following to fix it: removed the Fabrics and re-discovered them with the new password, but that failed. Re-installed DCNM and tried Radius vs Local, but neither worked.
The CLI still worked but both Fabric & Device Manager failed. After running the hidden command “sync-snmp-password” it worked for both FM & DM for Radius, but it seems that I might have to do this every month when my password expires. Hopefully a full fix will be released in the future.
Similar Messages
-
Hello:
I am trying to set up remote access VPN on an IOS router with Cisco Radius (CAR).
The VPN client user needs to be authenticated by group id and password, and by user id and password.
How should I set up CAR? Could someone provide me with an example?
I saw this sample, but there is no relationship between user and group.
Any suggestions?
thx
[ //localhost/RADIUS/UserLists/Default/joe-coke ]
Name = joe-coke
Description =
Password = <encrypted>
AllowNullPassword = FALSE
Enabled = TRUE
Group~ =
BaseProfile~ =
AuthenticationScript~ =
AuthorizationScript~ =
UserDefined1 =
[ //localhost/RADIUS/UserLists/Default/group1 ]
Name = group1
Description =
Password = <encrypted> (would be "cisco")
AllowNullPassword = FALSE
Enabled = TRUE
Group~ =
BaseProfile~ = group1profile
AuthenticationScript~ =
AuthorizationScript~ =
UserDefined1 =
Define the group attributes such as pre-shared key, IP address pool name, etc. using Cisco AV-pairs:
[ //localhost/RADIUS/Profiles/group1profile/Attributes ]
cisco-avpair = ipsec:key-exchange=ike
cisco-avpair = ipsec:tunnel-password=cisco123
cisco-avpair = ipsec:addr-pool=pool1
Service-Type = Outbound
You can define the group locally on the router to define the values which the client will use to build the tunnel (pre-shared key, etc). The client's username/pw can then be defined within the AAA server to allow access to the network once the tunnel has been established.
The link below should show how to setup the group config in IOS and you should change the AAA method to point to radius instead of local to authenticate the client at your AAA server.
http://www.cisco.com/en/US/partner/products/sw/secursw/ps2308/products_configuration_example09186a00801c4246.shtml -
ISE 1.2 Patch 2 External RADIUS Server Sequence Broken?
Hi community,
We have upgraded our proof of concept ISE 1.2 lab to Patch level 2.
Our lab design includes the use of external RADIUS servers which we off-load certain authentication rules to.
To ensure resiliency of the external RADIUS service, we have two of these which we add to a RADIUS Server Sequence, the idea being that if the first in the list is unavailable, ISE will try the second and all will be well.
Now this worked for us in testing ISE 1.2, but I have noticed that after the upgrade to Patch 2 ISE is sending the majority of RADIUS traffic to the first (failed) external RADIUS server, with only the odd RADIUS Access-Request to the next in the list.
Anybody else come across this?
All helpful comments rated!
Many thanks, Ash.
I couldn't find any known issues with this feature. Could you please paste a screenshot of the external radius sequence and configuration. Also, how are we determining that the first server in the sequence is DEAD?
~BR
Jatin Katyal
**Do rate helpful posts** -
How do I get on-screen keyboard to work in tablet mode for Satellite Radius?
I have a Radius P55W-B5318. I love it, but when I use it in tablet mode, I can't seem to figure out how to get the on-screen touch keyboard to come up, which is necessary if I'm going to use it as a tablet. Any solutions? What am I missing here?
Satellite Radius14 E45W-C4200
Right-click the desktop, point to New, and click Shortcut. Type osk, click Next, type On-Screen Keyboard, and click Finish. -
Windows Radius / NPS not working with mac book pro 10.9.4 wired
Hi,
I'm trying to get my Windows Server 2012 Radius server working with the correct settings for using an 802.1x wired connection for the MacBook Pro. The only issue I'm having is that there are not many settings on the MacBook Pro. I'm not sure what needs to be set up on the server to make it connect correctly and assign it to the correct VLAN when it's authenticated.
Here are some screenshots for my MacBook Pro
So I've got it up to a point where I have this issue and here are my screenshot settings:
So the above are my Windows 2012 screenshot settings.
On the MacBook Pro, I'm getting a prompt about adding a certificate and I've added that into the laptop, and then I need to put in the username and password information. I put the following:
[email protected] and the password.
I'm currently working with someone at HP on the switch settings; everything looks good.
I know the following:
1. Wireshark shows the server is getting requests from the switch but it's not accepting them. Here are my logs on the NPS:
RAD01 6274 Information Microsoft Windows security auditing. Security 2014-08-21 12:40:24 PM
Here is the detail of the machine:
Network Policy Server discarded the request for a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: S-1-5-21-2690993882-1154983957-2264505580-1328
Account Name: [email protected]
Account Domain: LCS
Fully Qualified Account Name: LCS\username
Client Machine:
Security ID: S-1-0-0
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: b4-39-d6-ec-2c-00
Calling Station Identifier: ac-7f-3e-e6-32-34
NAS:
NAS IPv4 Address: xx.xx.xx.xx
NAS IPv6 Address: -
NAS Identifier: 5412zl-xxx-xxxxswithname
NAS Port-Type: Ethernet
NAS Port: 170
RADIUS Client:
Client Friendly Name: HP Procurve 5412zl switch
Client IP Address: xx.xx.xx.xx
Authentication Details:
Connection Request Policy Name: Secure Wired (Ethernet) Connections
Network Policy Name: Secure Wired (Ethernet) Connections
Authentication Provider: Windows
Authentication Server: rad01.xxx.xxx.ca
Authentication Type: EAP
EAP Type: -
Account Session Identifier: -
Reason Code: 1
Reason: An internal error occurred. Check the system event log for additional information.
Again, I don't know what the correct default 802.1x setting for the MacBook Pro is, but it should be correct.
I'm also not sure what the internal error message is referring to. The switch should automatically put me in VLAN 7.
Can someone please help out with the correct authentication method for Mac 10.9.4?
Thanks
Flash Player is a browser add-on, not a standalone application.
You can test if the player is correctly installed at http://www.adobe.com/software/flash/about/ -
Dot1x with port security and redundant radius servers
I have a strange issue with my dot1x port authentication. I have two radius servers configured in my switch for redundancy, and on my switchport I have a Cisco IP phone and a PC. Testing redundancy of the radius servers, when I have both servers active and running, the port authentication works fine for both phone and PC. When I fail one of the radius servers in the configuration, by disconnecting the NIC on it, the switch goes to the surviving radius server and authenticates (I can see it in the running log); both the phone and PC get an access-accept, but only the phone works on the network and the port light stays amber, showing it's blocking for the PC. Strange, since it showed an accept on the radius server.
This only seems to happen when the first one on the list is failed. When the second one is failed, it obviously won't need to try it, so there's not an issue. Any ideas?
Here's the setup and configs:
freeradius 2.1.12-4
cisco 3560
Switch Ports Model SW Version SW Image
* 1 52 WS-C3560G-48PS 12.2(53)SE2 C3560-IPBASEK9-M
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
interface GigabitEthernet0/1
switchport access vlan 100
switchport mode access
switchport voice vlan 110
authentication event no-response action authorize vlan 901
authentication host-mode multi-domain
authentication port-control auto
authentication periodic
authentication violation protect
mab
dot1x pae authenticator
dot1x timeout quiet-period 10
dot1x timeout tx-period 1
no mdix auto
spanning-tree portfast
radius-server host 10.90.1.88 auth-port 1645 acct-port 1646 key 7 xxx
radius-server host 10.90.1.85 auth-port 1645 acct-port 1646 key 7 xxx
Here's an authentication string from the radius server:
(there are two MAC addresses. The first one, 00.13, is the PC and the second, 30.37, is the phone)
rad_recv: Access-Request packet from host 10.90.100.7 port 1645, id=204, length=160
User-Name = "001372b639a6"
User-Password = "001372b639a6"
Service-Type = Call-Check
Framed-MTU = 1500
Called-Station-Id = "9C-AF-CA-23-D9-01"
Calling-Station-Id = "00-13-72-B6-39-A6"
Message-Authenticator = 0xfeef777a8033c24934306b3cce78c8f1
NAS-Port-Type = Ethernet
NAS-Port = 50001
NAS-Port-Id = "GigabitEthernet0/1"
NAS-IP-Address = 10.90.100.7
Wed Sep 18 10:48:06 2013 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default
Wed Sep 18 10:48:06 2013 : Info: +- entering group authorize {...}
Wed Sep 18 10:48:06 2013 : Info: ++[preprocess] returns ok
Wed Sep 18 10:48:06 2013 : Info: ++[chap] returns noop
Wed Sep 18 10:48:06 2013 : Info: ++[mschap] returns noop
Wed Sep 18 10:48:06 2013 : Info: ++[digest] returns noop
Wed Sep 18 10:48:06 2013 : Info: [suffix] No '@' in User-Name = "001372b639a6", looking up realm NULL
Wed Sep 18 10:48:06 2013 : Info: [suffix] No such realm "NULL"
Wed Sep 18 10:48:06 2013 : Info: ++[suffix] returns noop
Wed Sep 18 10:48:06 2013 : Info: [eap] No EAP-Message, not doing EAP
Wed Sep 18 10:48:06 2013 : Info: ++[eap] returns noop
Wed Sep 18 10:48:06 2013 : Info: [sql] expand: %{User-Name} -> 001372b639a6
Wed Sep 18 10:48:06 2013 : Info: [sql] sql_set_user escaped user --> '001372b639a6'
Wed Sep 18 10:48:06 2013 : Debug: rlm_sql (sql): Reserving sql socket id: 3
Wed Sep 18 10:48:06 2013 : Info: [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '001372b639a6' ORDER BY id
Wed Sep 18 10:48:06 2013 : Debug: rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '001372b639a6' ORDER BY id
Wed Sep 18 10:48:06 2013 : Info: [sql] User found in radcheck table
Wed Sep 18 10:48:06 2013 : Info: [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '001372b639a6' ORDER BY id
Wed Sep 18 10:48:06 2013 : Debug: rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = '001372b639a6' ORDER BY id
Wed Sep 18 10:48:06 2013 : Info: [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '001372b639a6' ORDER BY priority
Wed Sep 18 10:48:06 2013 : Debug: rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = '001372b639a6' ORDER BY priority
Wed Sep 18 10:48:06 2013 : Debug: rlm_sql (sql): Released sql socket id: 3
Wed Sep 18 10:48:06 2013 : Info: ++[sql] returns ok
Wed Sep 18 10:48:06 2013 : Info: ++[expiration] returns noop
Wed Sep 18 10:48:06 2013 : Info: ++[logintime] returns noop
Wed Sep 18 10:48:06 2013 : Info: ++[pap] returns updated
Wed Sep 18 10:48:06 2013 : Info: Found Auth-Type = PAP
Wed Sep 18 10:48:06 2013 : Info: # Executing group from file /etc/raddb/sites-enabled/default
Wed Sep 18 10:48:06 2013 : Info: +- entering group PAP {...}
Wed Sep 18 10:48:06 2013 : Info: [pap] login attempt with password "001372b639a6"
Wed Sep 18 10:48:06 2013 : Info: [pap] Using clear text password "001372b639a6"
Wed Sep 18 10:48:06 2013 : Info: [pap] User authenticated successfully
Wed Sep 18 10:48:06 2013 : Info: ++[pap] returns ok
Wed Sep 18 10:48:06 2013 : Info: # Executing section post-auth from file /etc/raddb/sites-enabled/default
Wed Sep 18 10:48:06 2013 : Info: +- entering group post-auth {...}
Wed Sep 18 10:48:06 2013 : Info: ++[exec] returns noop
Sending Access-Accept of id 204 to 10.90.100.7 port 1645
Wed Sep 18 10:48:06 2013 : Info: Finished request 0.
Wed Sep 18 10:48:06 2013 : Debug: Going to the next request
Wed Sep 18 10:48:06 2013 : Debug: Waking up in 4.9 seconds.
Wed Sep 18 10:48:11 2013 : Info: Cleaning up request 0 ID 204 with timestamp +77
Wed Sep 18 10:48:11 2013 : Info: Ready to process requests.
rad_recv: Access-Request packet from host 10.90.100.7 port 1645, id=205, length=160
User-Name = "3037a616cd49"
User-Password = "3037a616cd49"
Service-Type = Call-Check
Framed-MTU = 1500
Called-Station-Id = "9C-AF-CA-23-D9-01"
Calling-Station-Id = "30-37-A6-16-CD-49"
Message-Authenticator = 0xc9173e759dd759b9d414d192783e8a8e
NAS-Port-Type = Ethernet
NAS-Port = 50001
NAS-Port-Id = "GigabitEthernet0/1"
NAS-IP-Address = 10.90.100.7
Wed Sep 18 10:48:13 2013 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default
Wed Sep 18 10:48:13 2013 : Info: +- entering group authorize {...}
Wed Sep 18 10:48:13 2013 : Info: ++[preprocess] returns ok
Wed Sep 18 10:48:13 2013 : Info: ++[chap] returns noop
Wed Sep 18 10:48:13 2013 : Info: ++[mschap] returns noop
Wed Sep 18 10:48:13 2013 : Info: ++[digest] returns noop
Wed Sep 18 10:48:13 2013 : Info: [suffix] No '@' in User-Name = "3037a616cd49", looking up realm NULL
Wed Sep 18 10:48:13 2013 : Info: [suffix] No such realm "NULL"
Wed Sep 18 10:48:13 2013 : Info: ++[suffix] returns noop
Wed Sep 18 10:48:13 2013 : Info: [eap] No EAP-Message, not doing EAP
Wed Sep 18 10:48:13 2013 : Info: ++[eap] returns noop
Wed Sep 18 10:48:13 2013 : Info: [sql] expand: %{User-Name} -> 3037a616cd49
Wed Sep 18 10:48:13 2013 : Info: [sql] sql_set_user escaped user --> '3037a616cd49'
Wed Sep 18 10:48:13 2013 : Debug: rlm_sql (sql): Reserving sql socket id: 2
Wed Sep 18 10:48:13 2013 : Info: [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '3037a616cd49' ORDER BY id
Wed Sep 18 10:48:13 2013 : Debug: rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '3037a616cd49' ORDER BY id
Wed Sep 18 10:48:13 2013 : Info: [sql] User found in radcheck table
Wed Sep 18 10:48:13 2013 : Info: [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '3037a616cd49' ORDER BY id
Wed Sep 18 10:48:13 2013 : Debug: rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = '3037a616cd49' ORDER BY id
Wed Sep 18 10:48:13 2013 : Info: [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '3037a616cd49' ORDER BY priority
Wed Sep 18 10:48:13 2013 : Debug: rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = '3037a616cd49' ORDER BY priority
Wed Sep 18 10:48:13 2013 : Debug: rlm_sql (sql): Released sql socket id: 2
Wed Sep 18 10:48:13 2013 : Info: ++[sql] returns ok
Wed Sep 18 10:48:13 2013 : Info: ++[expiration] returns noop
Wed Sep 18 10:48:13 2013 : Info: ++[logintime] returns noop
Wed Sep 18 10:48:13 2013 : Info: ++[pap] returns updated
Wed Sep 18 10:48:13 2013 : Info: Found Auth-Type = PAP
Wed Sep 18 10:48:13 2013 : Info: # Executing group from file /etc/raddb/sites-enabled/default
Wed Sep 18 10:48:13 2013 : Info: +- entering group PAP {...}
Wed Sep 18 10:48:13 2013 : Info: [pap] login attempt with password "3037a616cd49"
Wed Sep 18 10:48:13 2013 : Info: [pap] Using clear text password "3037a616cd49"
Wed Sep 18 10:48:13 2013 : Info: [pap] User authenticated successfully
Wed Sep 18 10:48:13 2013 : Info: ++[pap] returns ok
Wed Sep 18 10:48:13 2013 : Info: # Executing section post-auth from file /etc/raddb/sites-enabled/default
Wed Sep 18 10:48:13 2013 : Info: +- entering group post-auth {...}
Wed Sep 18 10:48:13 2013 : Info: ++[exec] returns noop
Sending Access-Accept of id 205 to 10.90.100.7 port 1645
Cisco-AVPair = "device-traffic-class=voice"
Wed Sep 18 10:48:13 2013 : Info: Finished request 1.
Wed Sep 18 10:48:13 2013 : Debug: Going to the next request
Wed Sep 18 10:48:13 2013 : Debug: Waking up in 4.9 seconds.
Wed Sep 18 10:48:18 2013 : Info: Cleaning up request 1 ID 205 with timestamp +84
Wed Sep 18 10:48:18 2013 : Info: Ready to process requests.
Thanks!
802.1X support requires an authentication server that is configured for Remote Authentication Dial-In User Service (RADIUS). 802.1X authentication does not work unless the network access switch can route packets to the configured RADIUS server.
Please check the below links which can be helpful in configurations:
Link-1
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/50sg/configuration/guide/dot1x.html -
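The freeradius debug output quoted in the question above, parsed and summarised as an added example (not code from the thread or from the FreeRADIUS project). The sample log is a constructed abridgement of the thread's two requests plus an invented third, rejected request; the MAB test is that Service-Type is Call-Check and User-Name equals the Calling-Station-Id with separators stripped.

```python
"""Parse freeradius 2.x debug output (the format quoted in the thread) and summarise
each Access-Request: was it plain MAB, what was the reply, was the voice AVPair sent."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample modelled on the thread's log: the PC (id 204) and the phone
# (id 205) as in the thread, plus an invented rejected 802.1X username.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 10.90.100.7 port 1645, id=204, length=160
User-Name = "001372b639a6"
User-Password = "001372b639a6"
Service-Type = Call-Check
Calling-Station-Id = "00-13-72-B6-39-A6"
NAS-Port-Id = "GigabitEthernet0/1"
Wed Sep 18 10:48:06 2013 : Info: [pap] User authenticated successfully
Sending Access-Accept of id 204 to 10.90.100.7 port 1645
Wed Sep 18 10:48:06 2013 : Info: Finished request 0.
rad_recv: Access-Request packet from host 10.90.100.7 port 1645, id=205, length=160
User-Name = "3037a616cd49"
User-Password = "3037a616cd49"
Service-Type = Call-Check
Calling-Station-Id = "30-37-A6-16-CD-49"
NAS-Port-Id = "GigabitEthernet0/1"
Sending Access-Accept of id 205 to 10.90.100.7 port 1645
Cisco-AVPair = "device-traffic-class=voice"
Wed Sep 18 10:48:13 2013 : Info: Finished request 1.
rad_recv: Access-Request packet from host 10.90.100.7 port 1645, id=206, length=140
User-Name = "jdoe"
Service-Type = Framed-User
Calling-Station-Id = "00-AA-BB-CC-DD-EE"
NAS-Port-Id = "GigabitEthernet0/2"
Sending Access-Reject of id 206 to 10.90.100.7 port 1645
Wed Sep 18 10:48:20 2013 : Info: Finished request 2.
"""

REQ_RE = re.compile(r"^rad_recv: Access-Request packet from host (\S+) port \d+, id=(\d+)")
REPLY_RE = re.compile(r"^Sending (Access-\w+) of id (\d+) to ")
ATTR_RE = re.compile(r"^\s*([\w-]+) = (.+)$")  # attribute lines carry no timestamp
VOICE_AVPAIR = "device-traffic-class=voice"

@dataclass
class RadiusRequest:
    nas: str
    ident: int
    request: dict = field(default_factory=dict)
    reply_code: Optional[str] = None
    reply: dict = field(default_factory=dict)

def parse_debug_log(text: str) -> list[RadiusRequest]:
    """Group attribute lines under the Access-Request or the reply they belong to."""
    requests: list[RadiusRequest] = []
    current: Optional[RadiusRequest] = None
    in_reply = False
    for line in text.splitlines():
        if m := REQ_RE.match(line):
            current = RadiusRequest(nas=m.group(1), ident=int(m.group(2)))
            requests.append(current)
            in_reply = False
        elif current and (m := REPLY_RE.match(line)) and int(m.group(2)) == current.ident:
            current.reply_code = m.group(1)
            in_reply = True  # attribute lines from here on belong to the reply
        elif current and (m := ATTR_RE.match(line)):
            target = current.reply if in_reply else current.request
            target[m.group(1)] = m.group(2).strip('"')
        elif current and "Finished request" in line:
            current = None
    return requests

def _mac_key(value: str) -> str:
    """Normalise '00-13-72-B6-39-A6' and '001372b639a6' to the same 12 hex digits."""
    return re.sub(r"[^0-9a-f]", "", value.lower())

def summarise(req: RadiusRequest) -> dict:
    attrs = req.request
    user = attrs.get("User-Name", "")
    mac = attrs.get("Calling-Station-Id", "")
    is_mab = (attrs.get("Service-Type") == "Call-Check"
              and user != "" and _mac_key(user) == _mac_key(mac))
    return {
        "id": req.ident,
        "nas": req.nas,
        "port": attrs.get("NAS-Port-Id"),
        "mac": mac,
        "mab": is_mab,
        # MAB sends the MAC as the password too, so the credential is public and a
        # MAB accept deserves narrower authorization than an 802.1X accept.
        "password_is_mac": attrs.get("User-Password") == user,
        "reply": req.reply_code,
        "voice_domain": req.reply.get("Cisco-AVPair") == VOICE_AVPAIR,
    }

def audit(text: str) -> list[dict]:
    return [summarise(r) for r in parse_debug_log(text)]
```

Run over the full log in the thread it reports both 204 and 205 as MAB accepts with only 205 carrying the voice-domain AVPair, which is what a multi-domain port expects for the phone and not for the PC.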
EAP-FAST on Local Radius Server : Can't Get It Working
Hi all
I'm using an 877w router (flash:c870-advsecurityk9-mz.124-24.T4.bin) as a local radius server and have followed various config guides on CCO. LEAP works fine but I just can't get EAP-FAST to work.
I'm testing with a Win7 client using AnyConnect Secure Mobility Client, and also a MacBook Pro, but without luck.
The router sees an unknown auth type, and when I run some debugs it talks of unknown EAP type 3.
sh radius local-server s
Successes : 1 Unknown usernames : 0
Client blocks : 0 Invalid passwords : 0
Unknown NAS : 0 Invalid packet from NAS: 17
NAS : 172.27.44.1
Successes : 1 Unknown usernames : 0
Client blocks : 0 Invalid passwords : 0
Corrupted packet : 0 Unknown RADIUS message : 0
No username attribute : 0 Missing auth attribute : 0
Shared key mismatch : 0 Invalid state attribute: 0
Unknown EAP message : 0 Unknown EAP auth type : 17
Auto provision success : 0 Auto provision failure : 0
PAC refresh : 0 Invalid PAC received : 0
Can anyone suggest what I might be doing wrong?
Regs, Tim
Thanks Nicolas, relevant snippets from config:
aaa new-model
aaa group server radius rad_eap
server 172.27.44.1 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
aaa authorization exec default local
aaa session-id common
dot11 ssid home
vlan 3
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
ip dhcp pool home
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 194.74.65.68 194.74.65.69
ip inspect name ethernetin tcp
ip inspect name ethernetin udp
ip inspect name ethernetin pop3
ip inspect name ethernetin ssh
ip inspect name ethernetin dns
ip inspect name ethernetin ftp
ip inspect name ethernetin tftp
ip inspect name ethernetin smtp
ip inspect name ethernetin icmp
ip inspect name ethernetin telnet
interface Dot11Radio0
no ip address
encryption vlan 1 mode ciphers aes-ccm tkip
encryption vlan 2 mode ciphers aes-ccm tkip
encryption vlan 3 mode ciphers aes-ccm tkip
broadcast-key vlan 1 change 30
broadcast-key vlan 2 change 30
broadcast-key vlan 3 change 30
ssid home
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
interface Dot11Radio0.3
encapsulation dot1Q 3
no cdp enable
bridge-group 3
bridge-group 3 subscriber-loop-control
bridge-group 3 spanning-disabled
bridge-group 3 block-unknown-source
no bridge-group 3 source-learning
no bridge-group 3 unicast-flooding
interface Vlan3
no ip address
bridge-group 3
interface BVI3
ip address 192.168.1.1 255.255.255.0
ip inspect ethernetin in
ip nat inside
ip virtual-reassembly
radius-server local
no authentication mac
nas 172.27.44.1 key 0 123456
user test1 nthash 0 B151E8FF684B4F376C018E632A247D84
user test2 nthash 0 F2EEAE1D895645B819C9FD217D0CA1F9
user test3 nthash 0 0CB6948805F797BF2A82807973B89537
radius-server host 172.27.44.1 auth-port 1812 acct-port 1813 key 123456
radius-server vsa send accounting -
We have configured the following commands on the switch to fall back to a local VLAN if both radius servers (policy personas) are found dead. For test purposes we shut down both servers (policy personas) but the fallback didn't work. We have a 3750 switch running image 12.2(55)SE6 with the following configuration.
We do not know whether we configured the switch in the proper way or whether we need to modify it.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
aaa server radius dynamic-author
client 10.10.10.10 server-key 7 12345678 (Policy Persona 1)
client 10.10.10.11 server-key 7 12345678 (Policy Persona 2)
server-key 7 12345678
ip device tracking
epm logging
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius-server host 10.10.10.10 auth-port 1812 acct-port 1813 key 7 12345678 (Policy Persona 1)
radius-server host 10.10.10.11 auth-port 1812 acct-port 1813 key 7 12345678 (Policy Persona 2)
radius-server vsa send accounting
radius-server vsa send authentication
Port Configuration
interface GigabitEthernet0/1
switchport access vlan 305
switchport mode access
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 305
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
Please help....
Thanks
Tabish-
The pre-auth ACL that you have on your port is used for what's called a "Low-Impact" mode type of setup. With Low-Impact mode you are allowing the services defined in the pre-auth ACL until the user/device is authenticated. Once authenticated, the pre-auth ACL gets replaced with the dACL/authorization policy that you have defined in the authorization profile. As a result, it is not possible to use a "fail-open" configuration with Low-Impact, as there is nothing to replace that pre-auth ACL since your NAD device(s) are unavailable.
If you want to use the "fail-open" features you will have to use "High Security/Closed Mode." In that mode you cannot utilize the pre-auth ACL and essentially only EAPoL traffic is allowed on the port until authenticated.
For more info you should reference the TrustSec design guide located at:
http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
Thank you for rating! -
Issue:
Cisco firewalls require only one level of password i.e. the domain username and password are used for both logging in as well as reaching global configuration mode.
Background:
We have multiple Cisco network devices set up which authenticate to our Windows domain controller using NPS (Windows 2008 R2). The switches we have set up all function exactly as we would hope as they require your domain username and password to login to the device. They then require a separate password when you use the enable command, this is stored in Active Directory:
Switches:
Username:domain-username
Password:domain-password
SWITCH>enable
Password:enable-password-in-Active-Directory
SWITCH#
Firewalls (as they currently are):
Username:domain-username
Password:domain-password
FIREWALL>enable
Password:domain-password
FIREWALL #
With the firewalls however, they require your domain username and password first, and then your domain password again when using the enable command. I want the firewalls to use the enable level password that the switches currently use instead of the domain password again. The current configurations look like the following:
Current switch configuration:
aaa new-model
aaa authentication login default group radius local
aaa authentication enable default group radius enable
aaa authorization exec default group radius local
aaa session-id common
radius-server host 192.168.0.1 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key 7 1234abcd
Current firewall configuration:
aaa-server DC01 protocol radius
aaa-server DC01 (outside) host 192.168.0.1
aaa authentication ssh console DC01 LOCAL
aaa authentication enable console DC01 LOCAL
key 1234abcd
Any help would be great, thanks!
Cisco ASA works that way by design. You could remove "aaa authentication enable" and then you could use the "enable password" command to set your enable password.
But if you do that, then ASA would change your username to "enable_15". That would break Authorization and Accounting if you're using them. Let me clarify with an example
Firewalls :
Username:domain-username
Password:domain-password
FIREWALL>show curpriv
Username : domain-username
Current privilege level : 1
Current Mode/s : P_UNPR
FIREWALL>enable
Password:enable-password-from-running-config
FIREWALL #show curpriv
Username : enable_15
Current privilege level : 15
Current Mode/s : P_PRIV
If you're using Authorization and Accounting it's recommended to stick with your current behavior. -
ACS 5.3.0.40 with Bluecoat Packetshaper via Radius Auth using PAP/CHAP
Hi,
We have a strange issue, which may be a known issue. We have ACS 5.3.0.40 with a Bluecoat PacketShaper (Packeteer) as the Radius client and tried PAP as well as CHAP with the suggested VSA. But once we try to authenticate with the GUI on the PS end we get authentication failed, i.e. it says invalid password, but on the ACS end we get it as an Auth success log. We are not able to log in to the PS as well. Anyone have any idea what the issue is, whether anything needs to be done with a patch upgrade, or whether it is an issue with the PacketShaper?
Below are the logs in the ACS server.
Logged At: September 4,2012 4:10:26.250 PM
RADIUS Status: Authentication succeeded
NAS Failure:
Username: knpdtf
MAC/IP Address:
Network Device: Test-PS : 10.187.115.83:
Access Service: Radius Network
Identity Store: Internal Users
Authorization Profiles: Permit Access
CTS Security Group:
Authentication Method: PAP_ASCII
By
Karthik
Hi,
Do you have any special characters in the password? I would see if you can create an internal user in ACS and use a basic password (like cisco123) and see if the authentication will succeed. I have seen with some GUI based products that some special characters can cause some headaches.
thanks,
Tarik Admani
*Please rate helpful posts* -
ACS 5.3 Radius authentication with ASA and DACL
Hi,
I am trying to do Radius authentication on ACS 5.3 for VPN access (Cisco client) using a downloadable ACL with AD identity.
Clients are connecting to an ASA 5510 with image asa843-K8.bin.
I followed the configuration example on the Cisco site, but I am having some problems.
First: AD identity is not triggered. I put in a profile:
Status: 1
Name: TestVPNDACL
Conditions: NDG:Location = -ANY-; Time And Date = -ANY-; AD1:memberOf equals Network Admin
Results: Authorization Profiles = TEST DACL
Hit Count: 0
But I am getting no hits on it, so Default Access is being used (Permit Access).
So I tried putting the DACL in the default profile, but when connecting I am immediately disconnected.
I can see the DACL/ASA being authenticated in the ACS log but no success
I am using my user which is member of the Network Admin Group.
Am I missing something?
Any help greatly appreciated!
Wim
Hello Stephen,
As per the IP Pools feature, the ACS 5.x does not include such functionality. It is not on the ACS 5.x roadmap either as the recommended scenario would be to use a dedicated DHCP server.
ACS 4.x included that functionality, however, it was not the best solution as the ACS returned the IP Address value as a RADIUS Attribute instead of acting as a real DHCP server.
As per the IMEI and MISDN I am assuming you are referring to International Mobile Equipment Identity and Mobile Subscriber ISDN. Correct me if I am wrong.
In that case it seems that the ACS 5.x should be able to Allow or Deny access based on Radius Attribute 30 (Called-Station-Id) and 31 (Calling-Station-Id).
In that case you might want to use the End-Station Filters feature and use it as the condition for the Rule. The End-Station Filter feature uses CLI/DNIS where CLI is Radius Attribute 31 and DNIS is Attribute 30.
I am assuming a Generic Username will be embedded on the devices request. In that case you will define which end-user devices will be granted access based on the above attributes.
Here is a snapshot of the section: -
ACS 5.3 Stripping Radius User Prefix
Hi,
I have configured my ACS 5.3 to strip the prefix of the radius username (Domain\weekwang) it receives, and I also configured my ACS as the External Radius Server. However, this does not seem to work. The authentication protocol that I am using is PEAP MSCHAPv2.
I have read in this forum that, due to the fact that the radius username and password are transmitted inside the TLS tunnel of PEAP MSCHAPv2, ACS is not able to do the stripping as it is not allowed to touch anything inside the TLS tunnel. Please advise if I have got the concept correctly.
Rgds
Hi Steven,
this is unfortunately correct. Using yourself as radius proxy is a great workaround to strip things.
However, by design if you use an external database (LDAP or proxy radius server), the mschapv2 encryption of the password makes it impossible to authenticate the user since the tunnel is ended on the first ACS. It will work with PEAP-GTC but all mschapv2 methods will fail.
Nicolas -
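The proxy workaround Nicolas mentions, as an added example that is not from the thread and not Cisco ACS code: a minimal RADIUS realm-stripping proxy in Python. It rewrites only the outer User-Name (DOMAIN\user, user@realm or both), leaves the EAP-Message attribute, which carries the TLS-wrapped PEAP payload and therefore the inner identity and MSCHAPv2 exchange, byte-for-byte untouched, and re-signs the packet's Message-Authenticator with the upstream server's shared secret. The two secrets, the packet identifier and the TLS bytes are constructed test data; attribute numbers follow RFC 2865 and RFC 2869.

```python
"""Minimal RADIUS realm-stripping proxy, demonstrated offline (added example)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME = 1                # RFC 2865
PROXY_STATE = 33             # RFC 2865
EAP_MESSAGE = 79             # RFC 2869
MESSAGE_AUTHENTICATOR = 80   # RFC 2869: HMAC-MD5 over the whole packet

NAS_SECRET = b"nas-side-secret"           # constructed: secret shared with the NAS
UPSTREAM_SECRET = b"upstream-acs-secret"  # constructed: secret shared with the real server


def strip_realm(user_name: str) -> str:
    """Normalise 'DOMAIN\\user', 'user@realm' or 'DOMAIN\\user@realm' to 'user'."""
    if "\\" in user_name:
        user_name = user_name.split("\\", 1)[1]
    if "@" in user_name:
        user_name = user_name.split("@", 1)[0]
    return user_name


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length."""
    out = bytearray()
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long for one TLV")
        out += bytes([atype, len(value) + 2]) + value
    return bytes(out)


def decode_attrs(data):
    """Parse the attribute region; reject truncated or zero-length TLVs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((atype, bytes(data[i + 2:i + alen])))
        i += alen
    return attrs


def get_attr(pkt, atype):
    """First value of attribute `atype`, or None."""
    for t, v in decode_attrs(pkt[20:]):
        if t == atype:
            return v
    return None


def build_request(ident, authenticator, attrs, secret):
    """Access-Request with a valid Message-Authenticator (RFC 2869 section 5.14)."""
    body = encode_attrs([a for a in attrs if a[0] != MESSAGE_AUTHENTICATOR]
                        + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    pkt = bytearray(struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)))
    pkt += authenticator + body
    # HMAC-MD5 is computed with the Message-Authenticator value zeroed, then filled in.
    pkt[-16:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)


def verify_message_authenticator(pkt, secret):
    """True only if the Message-Authenticator was produced with `secret`."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    offset = 20
    for atype, value in decode_attrs(pkt[20:]):
        if atype == MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return False
            zeroed = bytearray(pkt)
            zeroed[offset + 2:offset + 18] = bytes(16)
            expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
        offset += 2 + len(value)
    return False


def proxy_rewrite(pkt, nas_secret, upstream_secret):
    """Strip the realm from the outer User-Name and re-sign for the upstream server."""
    if not verify_message_authenticator(pkt, nas_secret):
        raise ValueError("Message-Authenticator check failed: wrong NAS secret or tampered packet")
    if pkt[0] != ACCESS_REQUEST:
        raise ValueError("only Access-Request is proxied here")
    ident, rewritten = pkt[1], []
    for atype, value in decode_attrs(pkt[20:]):
        if atype == USER_NAME:
            value = strip_realm(value.decode("utf-8")).encode("utf-8")
        elif atype == MESSAGE_AUTHENTICATOR:
            continue  # regenerated by build_request with the upstream secret
        rewritten.append((atype, value))  # EAP-Message is opaque TLS data, copied as-is
    rewritten.append((PROXY_STATE, b"strip-proxy:%d" % ident))  # RFC 2865 section 5.33
    return build_request(ident, pkt[4:20], rewritten, upstream_secret)


def build_sample_request():
    """Constructed Access-Request for PEAP with outer identity CORP\\weekwang."""
    tls_fragment = b"\x17\x03\x03\x00\x05hello"   # constructed stand-in for a TLS record
    eap_payload = b"\x19\x00" + tls_fragment      # EAP type 25 (PEAP), flags 0
    eap = struct.pack("!BBH", 2, 7, 4 + len(eap_payload)) + eap_payload  # EAP Response, id 7
    attrs = [(USER_NAME, "CORP\\weekwang".encode("utf-8")), (EAP_MESSAGE, eap)]
    return build_request(42, os.urandom(16), attrs, NAS_SECRET)


if __name__ == "__main__":
    original = build_sample_request()
    forwarded = proxy_rewrite(original, NAS_SECRET, UPSTREAM_SECRET)
    print("outer User-Name:", get_attr(original, USER_NAME), "->", get_attr(forwarded, USER_NAME))
    print("EAP-Message unchanged:", get_attr(original, EAP_MESSAGE) == get_attr(forwarded, EAP_MESSAGE))
    print("verifies with upstream secret:", verify_message_authenticator(forwarded, UPSTREAM_SECRET))
```

What the code makes concrete: the only layer a proxy can rewrite is the outer RADIUS attribute set, so the name the upstream server sees in User-Name changes while whatever the supplicant sent inside the TLS tunnel reaches the terminating server unchanged. A real EAP proxy must additionally relay every State/EAP-Message round trip and copy Proxy-State back into the reply, which this offline snippet does not model.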
RADIUS in 10.6 to authenticate Cisco ASA 5505 Strange Error
I have followed the steps as discussed: http://discussions.apple.com/thread.jspa?threadID=2177670&tstart=0
It did work for a number of weeks without any problem.
Did not change anything on the Firewall or server, regarding updates etc.
But now something really strange is happening:
If I test the Radius server from the firewall, the test comes back successful and I see a line in the password server log:
Jan 10 2011 12:58:16 AUTH2: {0x4c3c0bfd77981d110000000600000006, <username>} DIGEST-MD5 authentication succeeded.
So I think everything is happy..... Not.
Whenever I try to connect via a VPN client (regardless of whether I use the Mac OS X Cisco client or the Cisco native client), the user is rejected and the following 2 lines appear in the password server log:
Jan 10 2011 12:58:57 AUTH2: {0x4c3c0bfd77981d110000000600000006, <username>} DIGEST-MD5 authentication succeeded.
Jan 10 2011 12:58:57 AUTH2: {0x4c3c0bfd77981d110000000600000006, <username>} DIGEST-MD5 authentication failed, SASL error -13 (password incorrect).
At the same time the process is run twice, and one is always failing....
Tried so far:
Update to latest versions, ASA and Mac Server.
Removed and added the radius client on the server
Changed the hashing on the IPSec tunnel from SHA to MD5.
Added a new AAA server using LDAP to communicate directly with OD without going through the RADIUS service. Same kind of error; using LDAP directly I see the following log lines:
Jan 10 2011 13:27:00 AUTH2: {0x4c3c0bfd77981d110000000600000006, <username>} CRAM-MD5 authentication succeeded.
Jan 10 2011 13:27:00 AUTH2: {0x4c3c0bfd77981d110000000600000006, <username>} DIGEST-MD5 authentication failed, SASL error -13 (password incorrect).
Remarkably, using RADIUS results in a DIGEST-MD5 authentication and using LDAP results in a CRAM-MD5 authentication.
Removed the Radius server from the FW and re-added it.
Rebooted the server/fw a number of times.
Does anyone else experience the same issue? Do I need to go deeper into the config of the fw or keep on looking in Mac OS X Server?
I hope someone can help.
Cheers,
Arnold
I think I may have figured out how to get this to work. Can someone else test this?
This is still based on the discussion referenced in the first post.
-Stop RADIUS
-For this test of 10.6 I did not change the default /etc/raddb/users. I think the thing that I have missed in trying to get this to work is that there is no default to "system" in the current file to change to opendirectory.
-One change required to /etc/raddb/clients.conf, same as before:
Add your ASA to the list of accepted clients. Entry should look something like:
client IPaddressof_yourASA {
        secret = ServerSecretKey
        shortname = Common_Password
}
ServerSecretKey is the contents of "Server Secret Key" in the ASDM for the ASA
Common_Password is the contents of "Common Password" in the ASDM for the ASA
-Restart RADIUS
I just tested this change alone and ran the "Test" from the AAA Servers page in the ASA ASDM and was able to authenticate as an OD user. If someone else can get this to happen, I think we have an answer.
-Erich -
Vpn client radius ad password change
Hi
I've read a few posts about this on the forum and it seems like very few people are able to resolve the issues they are having.
I have a working remote access VPN and I'm trying to add the password-expiry functionality. I've set a test user in AD to "change password at next logon" and when I log on using this user in the VPN client (5.0.07.0410) I am prompted with a box to type my new password twice. This is never written back to the server and the original authentication box pops up again. The password change box has the codes E=648, R=0, V=3 as in the attached image.
Does anyone have this working with radius and AD? A windows password change would normally request the old password to reauthenticate and then the new password twice.
Thanks
Cammy
Cammy,
Are you using RADIUS to authenticate the VPN session, or are you using LDAP pointing to AD for authentication? This will work with RADIUS since you can use MSCHAPv2; however, I want to be sure how you have your ASA set up first.
Thanks,
Tarik Admani -
Radius AAA and Windows VPN Client
Hi,
I'm using an ASA 5510 running 8.2(3) and ASDM 6.3(4). I have been trying to get the Windows VPN client to connect to the ASA rather than the Cisco VPN client. I have managed to get this working, but I have come across a strange issue.
When using the Cisco VPN Client we authenticate through RADIUS using a policy that checks the user is in a specific security group.
I have applied the same settings to the new Windows VPN settings and it doesn't work. The VPN dials in correctly and passes authentication to the RADIUS server, which grants access according to the Event logs. The client then gets rejected, claiming that the username\password is not recognised.
If I remove the user from the security group it works fine using another RADIUS policy.
Any ideas what i can check?
Thanks
David
When you say it grants access (as per the event logs) with the security group defined as a condition, what remote policy do you see in the events? Can you post the output of the event logs? Because even after removing the security group from the remote policy, it didn't let the user connect using the same policy and worked with the other policy in sequence.
Jatin Katyal
- Do rate helpful posts - -
Can't authenticate Mac VPN client from RADIUS server
Hello,
I'm a real noob here so please bear with me.
I have been able to configure my PIX 515E to allow VPN connections onto my network, but what I need to do is set up some sort of user authentication to control access at a user level. From what I've read here and in the Configuration Guide I should be able to do this authentication with a RADIUS server. I'm running a Corriente Networks Elektron Security server which has RADIUS server capabilities. It is running on my (inside) interface at IP 192.168.10.26.
I thought that I had everything configured properly but it never seems to authenticate. I connect, the XAUTH window pops up, I add my username and password as configured on my RADIUS server, but when I click OK it just cycles the progress bar at the bottom and eventually times out. The client log doesn't show me anything and the log on the RADIUS server shows me nothing. Any ideas? This seems like it should be simple, because I can connect until I attempt to authenticate to the RADIUS server.
TIA for any direction you can provide me.
Christine
If it helps, here is my config with some of the unrelated bits deleted:
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
enable password ********* encrypted
passwd ******* encrypted
hostname pixfirewall
domain-name acme.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol http 80
fixup protocol http 82
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
access-list inside_outbound_nat0_acl permit ip any 192.168.10.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host 192.168.10.26 192.168.10.192 255.255.255.224
access-list inside_outbound_nat0_acl permit ip host 192.168.10.69 192.168.10.192 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 192.168.10.0 255.255.255.0
access-list outside_cryptomap_dyn_40 permit ip any 192.168.10.192 255.255.255.224
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 207.XXX.XXX.130 255.255.255.0
ip address inside 192.168.10.1 255.255.255.0
ip address DMZ 192.168.100.1 255.255.255.0
multicast interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool CBI_VPN_Pool 192.168.10.201-192.168.10.220
pdm location 192.168.10.50 255.255.255.255 inside
pdm group CBI_Servers inside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 200 interface
global (DMZ) 200 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 200 192.168.10.0 255.255.255.0 0 0
static (inside,outside) 207.XXX.XXX.150 192.168.10.27 netmask 255.255.255.255 0 0
static (inside,outside) 207.XXX.XXX.132 192.168.10.26 dns netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 207.XXX.XXX.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server radius-authport 1812
aaa-server radius-acctport 1812
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.10.26 ************* timeout 10
aaa-server LOCAL protocol local
http server enable
http 192.168.10.3 255.255.255.255 inside
no floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
crypto map inside_map interface inside
isakmp enable outside
isakmp nat-traversal 3600
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Test_VPN address-pool CBI_VPN_Pool
vpngroup Test_VPN dns-server 142.77.2.101 142.77.2.36
vpngroup Test_VPN default-domain acme.com
vpngroup Test_VPN idle-time 1800
vpngroup Test_VPN authentication-server RADIUS
vpngroup Test_VPN user-authentication
vpngroup Test_VPN user-idle-timeout 1200
vpngroup Test_VPN password ********
ssh timeout 5
console timeout 0
dhcpd address 192.168.10.100-192.168.10.254 inside
dhcpd dns 142.77.2.101 142.77.2.36
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside