RSA/ACE server RADIUS authentication

Hi,
I am in the process of setting up Cisco routers/switches to authenticate to an RSA/ACE RADIUS server. Basically I would like it to work as follows.
SSH/Telnet to router/switch. I have the ACE side configured. I have added the necessary users to the authenticate list on the agent host.
Username: joebloggs
Password: (RSA SecurID token here). Do I have to authenticate then using the enable password, or what is best practice here?
router>en
router#
I have the following lines added so far and need some help on the aaa authentication as there seems to be a lot of options:
aaa new-model
aaa authentication banner # Connection to this device is for authorized users only #
aaa authentication fail-message # You are not authorized to log on to this device #
radius-server host x.x.x.x auth-port 1645 acct-port 1813
radius-server retransmit 3
radius-server key xxxxxx

Francis
If you want users who telnet/SSH to the vty ports, or who are on the console, to authenticate with the RADIUS server you should add something like this to your configuration:
aaa authentication login default group radius line
This will send an authentication request to the configured RADIUS server, and if there is an error from the RADIUS server (this is different from a negative response) then the router will authenticate using the configured line password. This will work for both telnet and SSH connections and for login from the console.
You are correct that there are quite a few optional parameters. These are to allow flexibility in what is the primary authentication method and what (if any) fall back methods you wish to use.
From user mode going to enable mode you could configure the router to use the enable password/enable secret, or you can configure it to use RADIUS. I believe that best practice is to use RADIUS rather than the local enable password/enable secret.
aaa authentication enable default group radius enable
HTH
Rick

Similar Messages

  • Wireless WPA2 + AD + RSA ACE Server possible

    I have a client that wants to use WPA2 authenticated to the Windows Active Directory and also has an RSA ACE Server. The goal is to provide 802.1x security with these 3 devices. I am NOT looking to USE the RSA tokens for this, only the underlying RSA RADIUS service to authenticate clients. Is this possible or do I also need an ACS server?
    The alternative is to use Wireless WPA2 + AD + Windows IAS RADIUS.
    Thanks for any comments,
    Chris Serafin
    Security Engineer

    Hi Chris,
    I don't think you can use the RSA's RADIUS server without using tokens. If you are looking to authenticate to Active Directory then either use Wireless + IAS + AD or use Wireless + ACS + AD.
    There will be no need to bring the RSA into the solution.

  • Dot1x/ACS3.0/RSA ACE server 5.0

    Hi,
    I tried to configure dot1x (Cat6500) with ACS 3.0 and RSA ACE server. In the first step, when I configured a static password in ACS, everything was OK, but when I changed to the external user database I got an error: "Auth type not supported by External DB"
    Does anyone know why?
    Thanks,

    The dot1x supplicant on the PC will use Extensible Authentication Protocol (EAP) authentication to send the username/password. This authentication method cannot be used with an external RSA database; RSA has to use PAP authentication, which sends the password in the clear (which is OK because it's a one-time password).
    See http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs31/acsuser/o.htm#625794 for details on the external DB's and password protocols. Notice how all the one-time password databases can only use PAP.

  • RSA ACE server SYSLOG collector, Parsing help!

    Hi Board.
    I am in a very big hurry to develop an RSA ACE collector script. The already released RSA ACE Collector script is file based, and the RSA ACE server can dump a CSV log report with an interval of an hour as the fastest possible interval. This is not at all satisfying for the customer, which - due to the latest issue with hacking attacks on EMC's network, announced both in the press and by letter from EMC to their customers - finds it not at all acceptable. They need to have logic for pattern searches and correlation rules that can respond as close to real time as possible.
    We have with success and without any trouble or big effort installed the SNARE agent on the RSA ACE Appliance box. We are receiving the events from the RSA server correctly (or we are receiving the events as unsupported events because the events are not parsed correctly, but all the needed information is there) and I have started development of a new Collector script based on the Generic Event Collector (just double-clicked on New Collector script in the Ant menu).
    So far I have tried some different approaches. I know that I can totally manipulate the events received from the Source because I can pre-set values via the protoEvt.map file. Even further, I have been able to set some other values in the Parse function by using the rec2Evt.map and then hardcode a value to the desired field by using rec.-input_record_field-.
    Therefore I am pretty convinced that I am on the right track.
    Now here is my question:
    Based on this copy-pasted s_RXBufferString value (IP addresses and host+domain values changed to protect the customer):
    Code:
    Mar 26 05:48:12 192.168.1.100 hostname[tab]MSWinEventLog[tab]4[tab]Application[tab]14765[tab]Sat Mar 26 10:48:12 2011[tab]1011[tab]ACESERVER6.1[tab]Unknown User[tab]N/A[tab]Information[tab]hostname[tab]Devices[tab][tab][tab]Passcode accepted (Login:'jodo'; User Name:'Doe, John'; Token:'000123456789'; Group:''; Site:''; Agent Host:'remotehost.domain.com'; Server:'serverhost').[tab]14617
    *NB!* Swap out [tab] with the tabulator delimiter!
    I have tried this approach (this is the entire Parse function):
    Code:
    var ValueArray = this.s_RXBufferString.split("\t");   // Snare fields are tab separated
    rec.msg = this.s_RXBufferString;
    var SourceInfo = ValueArray[0];                        // "Mar 26 05:48:12 192.168.1.100 hostname"
    //e.InitServiceName = ValueArray[1];
    //rec.Service = ValueArray[1];
    //e.EventTime = ValueArray[5];
    //rec.EvtTime = ValueArray[5];
    //e.VendorEventCode = ValueArray[6];
    rec.evtCode = ValueArray[6];
    e.DeviceName = ValueArray[7];
    rec.sun = ValueArray[8];                               // Windows user name field
    //e.EffectiveUserID = ValueArray[8];
    //var OSInitUser = ValueArray[8];
    //e.InitHostName = ValueArray[11];
    rec.shd = ValueArray[11];
    // the application-specific message is the first field after the category (index 12)
    // that carries the "(...)" detail block
    var AppSpecificMessage = '';
    for (var t = 12; t < ValueArray.length; t++) {
        if (ValueArray[t].indexOf('(') >= 0) { AppSpecificMessage = ValueArray[t]; break; }
    }
    // match() returns an array (or null), never a string: take element 0 for the value
    //e.InitIP = SourceInfo.match(/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)[0];
    var IpMatch = this.s_RXBufferString.match(/\d+\.\d+\.\d+\.\d+/);
    rec.sip = IpMatch ? IpMatch[0] : '';
    // event name: the text before the opening parenthesis
    var A = AppSpecificMessage.search(/\(.+\)/);
    //e.EventName = 'Debugging RSA';
    //e.EventName = AppSpecificMessage.substring(0, A).replace(/^\s+|\s+$/g, '');
    rec.evt = AppSpecificMessage.substring(0, A).replace(/^\s+|\s+$/g, '');
    // detail block "Login:'jodo'; User Name:'Doe, John'; ..." without the parentheses
    var DetailMatch = AppSpecificMessage.match(/\((.+)\)/);
    var BaseInfo = DetailMatch ? DetailMatch[1] : '';
    var BaseTmpArray = BaseInfo.split(';');
    var BaseArray = new Array();
    for (var i = 0; i < BaseTmpArray.length; i++) {
        var str = BaseTmpArray[i].replace(/^\s+/, '');
        var TempAr = str.split(':');
        // substring() counts from the start only, so strip the quotes with (1, length - 1)
        BaseArray.push(TempAr[1].substring(1, TempAr[1].length - 1));
    }
    // BaseArray: 0 Login, 1 User Name, 2 Token, 3 Group, 4 Site, 5 Agent Host, 6 Server
    // host domain = agent host minus its first label
    var AgentArr = BaseArray[5].split(".");
    AgentArr.shift();
    e.InitHostDomain = AgentArr.join(".");
    //rec.InitDomain = AgentArr.join(".");
    if (ValueArray[10] == "Information") {
        rec.sev = "0";
        //e.Severity = "0";
    } else if (ValueArray[10] == "Warning") {
        rec.sev = "3";
        //e.Severity = "3";
    } else if (ValueArray[10] == "Error") {
        rec.sev = "4";
        //e.Severity = "4";
    } else {
        rec.sev = "1";
        //e.Severity = "1";
    }
    //e.InitUserID = BaseArray[0];
    rec.LoginName = BaseArray[0];
    //e.InitUserName = BaseArray[1];
    rec.UserName = BaseArray[1];
    //e.customerVar35 = BaseArray[2];
    //rec.Token = BaseArray[2];
    //e.customerVar36 = BaseArray[5];
    //rec.Agent = BaseArray[5];
    // set SEND_EVENT to true if the parsing logic worked; if you can't parse, call rec.sendUnsupported() instead
    instance.SEND_EVENT = true;
    return true;
    But it just laughs at me and won't work. It states that there is a parsing error: match function something with input.
    Can you please help me build logic that will work as intended? It should be clear what information or which piece of the text I try to map to which Event fields (look at the commented-out bits right above or below the ones that point to a rec.something, because there I have tried to map the information directly).
    kkrasmussen
    kkrasmussen's Profile: http://forums.novell.com/member.php?userid=20966
    View this thread: http://forums.novell.com/showthread.php?t=435715

    > - I'm not sure I understand why you replace the tabs with '|' just to do
    > the split; why can't you just split on tab? You can also investigate our
    > 'safesplit()' method, which understands quoted delimited strings:
    > Novell Login
    > (not sure that's necessary in this case)
    I replaced the tabs with '|' for easier regex searches for both numbers, alphanumerics and spaces in the same match cases - but with the opportunity to index better for those searches because I did not need to worry about the tabs being recognised as whitespace anymore.
    The safesplit works fine with '|' but not for this one:
    Code:
    var AppSpecificArray = AppSpecificMessage.safesplit(";");
    It reports that: "Cannot find function safesplit".
    If I change that to:
    Code:
    var AppSpecificArray = AppSpecificMessage.split(/\;/);
    It reports that: "Cannot find function split".
    > - The 'substring()' method is defined as taking two arguments:
    > from Required. The index where to start the extraction. First character
    > is at index 0
    > to Optional. The index where to stop the extraction. If omitted, it
    > extracts the rest of the string
    > Neither of those two arguments will *ever* be negative - they always
    > count from the beginning of the string. What you're really trying to do
    > is to extract the substring from the beginning +1 character, to the end
    > -2 characters, which is not how substring() works. But you *can* do
    > something like:
    > this.evt = Msg.substring(1,Msg.length - 2);
    >
    Aha, I see. Thanks for the info. However, I tried the suggested this.evt = Msg.substring(1,Msg.length - 2); but it reports: Cannot call method "substring" of null. Remember that I have already tested and verified that I do have a value in the Msg variable.
    Here is the newest code. Please notice that I have commented out the desired "result" and am just trying to get something from at least the part of the string that I want to parse.
    Code:
    this.msg = this.s_raw_message2;
    // tabs become '|' so the fields can be split with safesplit()
    var TempTxt = this.s_raw_message2.replace(/\t/g, "|");
    var ValueArray = TempTxt.safesplit("|");
    var SourceInfo = ValueArray[0];
    this.evtCode = ValueArray[6];
    // match() returns an array (or null), never a string: take element 0
    var IpMatch = TempTxt.match(/\d+\.\d+\.\d+\.\d+/);
    this.sip = IpMatch ? IpMatch[0] : "";
    e.DeviceName = ValueArray[7];
    // the application-specific message is the field after the category that carries the "(...)" detail block
    var MsgField = "";
    for (var f = 12; f < ValueArray.length; f++) {
        if (ValueArray[f].indexOf("(") >= 0) { MsgField = ValueArray[f]; break; }
    }
    // event name: the text before the opening parenthesis
    var Msg = MsgField.match(/^[^(]+/);
    this.evt = Msg ? Msg[0].replace(/^\s+|\s+$/g, "") : "";
    // detail block without the surrounding parentheses (a string, so split() works on it)
    var Detail = MsgField.match(/\((.+)\)/);
    var AppSpecificMessage = Detail ? Detail[1] : "";
    if (ValueArray[10] == "Information")
        this.sev = "0";
    else if (ValueArray[10] == "Warning")
        this.sev = "3";
    else if (ValueArray[10] == "Error")
        this.sev = "4";
    else
        this.sev = "1";
    if (TempTxt.match(/Login:'[^']*'/) != null) {
        var AppSpecificArray = AppSpecificMessage.split(/;/);
        for (var c = 0; c < AppSpecificArray.length; c++) {
            // " User Name:'Doe, John'" -> key "User Name", value "Doe, John"
            var key = AppSpecificArray[c].split(/:/);
            var name = key[0].replace(/^\s+/, "");
            var value = key[1].substring(1, key[1].length - 1);     // strip the quotes
            if (name == "Login") {
                this.iuid = (value == "") ? ValueArray[8] : value;
            }
            if (name == "User Name") {
                this.sun = (value == "") ? "System" : value;
            }
            if (name == "Agent Host") {
                if (value == "") {
                    this.shd = "Unknown Host Domain";
                } else {
                    var TempArr = value.split(/\./);
                    TempArr.shift();                                 // drop the host label, keep the domain
                    this.shd = TempArr.join(".");
                }
            }
            if (name == "Token" && value != "") {
                e.CustomerVar35 = value;
            }
        }
    } else {
        this.shd = "Unknown Host Domain";
        this.iuid = ValueArray[8];
        this.sun = "System";
    }
    instance.SEND_EVENT = true;
    return true;
    kkrasmussen
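    Added example (editor's, not the poster's Sentinel code): a stand-alone JavaScript parser for the Snare-forwarded RSA ACE line posted above, plus the kind of correlation check the poster is after. It relies only on the field layout visible in the posted sample; the "Passcode rejected" event name used for the failure variant is made up, because the page shows no rejection event.

```javascript
// Added example (not from the thread): parse the Snare-forwarded RSA ACE event line.
'use strict';

// Snare for Windows field positions in the tab-separated line (0 = syslog prefix).
const F = { prefix: 0, eventId: 6, source: 7, winUser: 8, level: 10, computer: 11, category: 12 };
const SEVERITY = { Information: 0, Warning: 3, Error: 4 };   // same mapping the Parse() above used

function parseAceEvent(line) {
  const f = line.split('\t');
  // the description is the first field after the category that carries the "(...)" detail block
  const desc = f.slice(F.category).find(x => x.includes('(')) || '';
  const open = desc.indexOf('('), close = desc.lastIndexOf(')');
  if (open < 0 || close < open) throw new Error('no detail block in event: ' + desc);
  // "Login:'jodo'; User Name:'Doe, John'; Token:'...'; ..." -> key/value map
  const details = {};
  for (const pair of desc.slice(open + 1, close).split(';')) {
    const m = /^\s*([^:]+):'(.*)'\s*$/.exec(pair);         // values may hold commas, not colons
    if (m) details[m[1]] = m[2];
  }
  const ip = (/\b\d{1,3}(?:\.\d{1,3}){3}\b/.exec(f[F.prefix]) || [''])[0];
  const agentHost = details['Agent Host'] || '';
  return {
    sourceIp: ip,
    eventId: f[F.eventId],
    device: f[F.source],
    computer: f[F.computer],
    severity: SEVERITY[f[F.level]] ?? 1,
    eventName: desc.slice(0, open).trim(),                  // "Passcode accepted"
    login: details.Login || f[F.winUser],                   // fall back to the Windows user field
    userName: details['User Name'] || 'System',
    token: details.Token || '',
    agentHost,
    agentDomain: agentHost.includes('.') ? agentHost.slice(agentHost.indexOf('.') + 1) : 'Unknown Host Domain',
    server: details.Server || '',
  };
}

// Correlation rule of the near-real-time kind the poster wants: logins with `threshold` or
// more non-accepted passcode events in a batch. The exact text of ACE's failure events is not
// on the page, so "anything but Passcode accepted" is an assumption made here.
function repeatedPasscodeFailures(lines, threshold = 3) {
  const counts = new Map();
  for (const line of lines) {
    const ev = parseAceEvent(line);
    if (ev.eventName === 'Passcode accepted') continue;
    counts.set(ev.login, (counts.get(ev.login) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n >= threshold).map(([login]) => login);
}

// Constructed sample: the thread's line with the "[tab]" markers turned into real tabs.
const SAMPLE = [
  'Mar 26 05:48:12 192.168.1.100 hostname', 'MSWinEventLog', '4', 'Application', '14765',
  'Sat Mar 26 10:48:12 2011', '1011', 'ACESERVER6.1', 'Unknown User', 'N/A', 'Information',
  'hostname', 'Devices', '', '',
  "Passcode accepted (Login:'jodo'; User Name:'Doe, John'; Token:'000123456789'; Group:''; " +
  "Site:''; Agent Host:'remotehost.domain.com'; Server:'serverhost').",
  '14617',
].join('\t');
// Constructed failure variant (made-up event name) for the correlation check.
const SAMPLE_FAILED = SAMPLE.replace('Passcode accepted', 'Passcode rejected');

console.log(parseAceEvent(SAMPLE));
console.log(repeatedPasscodeFailures([SAMPLE, SAMPLE_FAILED, SAMPLE_FAILED, SAMPLE_FAILED]));   // [ 'jodo' ]
```

    The two points that tripped the Sentinel script are handled explicitly here: match() results are used as arrays, and the detail block is sliced out of the one field that contains it rather than rebuilt by concatenating every field after the category.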

  • Has anyone ever tried using the iPlanet portal server RADIUS authentication module with CryptoCard?

    We are using the easyRadius server from CryptoCARD. When we run the RADIUS server in debug mode, it appears IPS is sending multiple access-request messages. Also, the server is coming back with a challenge which we are not expecting.

    yes,
    We did a basic integration where the authentication is done using SiteMinder. The trick is to protect the portal server web server and not the gateway. You also need to add a new authentication module for SiteMinder in the portal using ipsadmin. We are protecting the login html page only. We couldn't protect the desktop because it's built using servlets.

  • RSA Secure ID ACE/Server and gateway  IDM

    Hi all,
    we are trying to integrate an RSA server with IDM 6.0SP2.
    I do not understand this phrase in the resource references doc:
    "If SecurID is installed on Windows, the Identity Manager gateway must be running on the same system where the RSA ACE/Server is installed."
    Does it mean that the gateway for the RSA server must run on the same server where RSA is running?
    Has someone integrated the RSA appliance by installing the gateway on it?
    Thanks,
    mazant

    The port should be 9278. Enable the gateway trace and see if it is logging anything to the trace file.

  • Remote Access using RSA ACE

    Please can anyone help me regarding getting a Windows dialup user access to internal resources once authentication to the RSA ACE server has been successful.
    I have set up AAA authentication & authorization.
    I can get the user to authenticate to the RSA ACE server, but after authentication I cannot get authorization to work, though it has been configured in the list. See below:
    aaa authentication login default group tacacs+ local
    aaa authentication login ACE group radius local
    aaa authentication enable default group tacacs+ enable
    aaa authentication ppp ACE if-needed
    aaa authorization network ACE if-authenticated none
    aaa accounting commands 15 default start-stop group tacacs+
    interface Group-Async1
    description ** modem lines **
    ip unnumbered GigabitEthernet0/0
    encapsulation ppp
    ip route-cache policy
    dialer in-band
    dialer idle-timeout 600
    dialer-group 1
    autodetect encapsulation ppp
    async mode interactive
    peer default ip address pool DIALIN
    ppp authentication pap ms-chap ms-chap-v2 ACE
    ppp authorization ACE
    group-range 1/0 1/7
    line 1/0 1/7
    login authentication ACE
    modem InOut
    transport input all
    autoselect during-login
    autoselect ppp
    flowcontrol hardware
    The debug message I get is as follows:
    AAA/AUTHOR (000000A3): Method list id=0 not configured. Skip author
    The username/password window on the client PC just sits there and then times out...
    Any help is welcome

    Under the group Async you have:
    interface Group-Async1
    ppp authorization ACE
    This line is normally not needed and I presume it is the cause of your trouble, because there is no corresponding line in the aaa section. This sample is from a working configuration:
    interface Group-Async1
    bandwidth 56
    ip unnumbered Loopback1
    encapsulation ppp
    ip tcp header-compression passive
    dialer in-band
    dialer idle-timeout 300
    dialer enable-timeout 8
    dialer-group 1
    async mode interactive
    peer default ip address pool ippool
    no keepalive
    ppp authentication chap pap
    group-range 65 76
    regards,
    Leo

  • SecureID / ACE Server different applications

    Dear all
    Is there a way to have more than one SecurID profile?
    We have a client asking for different profiles while using an RSA ACE Server as login authority, for example:
    PowerUsers: should have access to the full desktop and all applications
    StandardUsers: should have Outlook only in a seamless window
    Any ideas / help really appreciated....
    Thank you
    Support

    Found the solution. Problem was the acecInt.dll in the System32 folder was mismatching with the one in the RSA install folder. I copied the dll from the RSA install folder to the System32 and it started to work fine.
    The error i was getting was "Get file operation with no or unknown handle aborted".

  • Managing roles for ACE RADIUS authentication

    Hi,
    I have an ACE module running virtual contexts. I have configured the ACE contexts to authenticate against a RADIUS server (Windows IAS).
    When I log in, I am always given the role of 'network-monitoring'. I would like to configure the RADIUS server so it authenticates users as 'Admin'.
    Attached is a screenshot of the RADIUS clients set up on IAS (client names and IP addresses removed). The question here is whether they should be configured as 'RADIUS Standard' or 'Cisco' in the 'Client-Vendor' field.
    Also attached is a screenshot of the IAS 'Remote Access Policy' that I have set up for the network devices (these include the ACE contexts as well as switches and FWSM contexts). The question here is whether I need both the 'Vendor-Specific' and 'Cisco-AV-Pair' attributes. Also, how do I need to configure these attributes so they will authenticate the switches, routers and FWSM contexts (allowing enable level 15) and authenticate the ACE contexts (allowing the 'Admin' role)?
    I have also attached the RADIUS config lines that have been configured on the ACE contexts (IP address of server removed).
    I would appreciate any input.

    Hi Roble,
    That makes sense. I will configure the other contexts as well.
    By the way, I noticed you have some 6513s using the RADIUS server with the same settings. I also have some 6513s and 6509s. I have configured them as follows:
    aaa new-model
    aaa group server radius radius-grp
    server auth-port 1645 acct-port 1646
    aaa authentication attempts login 5
    aaa authentication fail-message ^CCCFailed login. Five consecutive fails will revoke.^C
    aaa authentication login default group radius-grp local
    aaa authentication enable default group radius-grp enable
    aaa session-id common
    radius-server host auth-port 1645 acct-port 1646 key
    radius-server source-ports 1645-1646
    line con 0
    password 7
    logging synchronous
    line vty 0 4
    exec-timeout 30 0
    password 7
    transport input telnet ssh
    line vty 5 15
    exec-timeout 30 0
    password 7
    transport input telnet ssh
    For some strange reason, when I log in, I can authenticate against the RADIUS server on IAS. When I try to go into enable mode, I am prompted for the password but the authentication fails. When I check the IAS server logs, I see the initial login request is coming into the IAS server with my username, however the enable request is coming into the IAS server with the user $enable15$.
    Do you know why this is the case? How do I configure the switches to insert the username in the enable authentication request?
    I have attached a screenshot of my current IAS attributes.
    I would really appreciate any input you may have on this second issue.

  • ACS5.2 with Radius to RSA token server

    I have a test lab with the eval version of ACS 5.2. I am running 802.1x on my switch to the ACS using RADIUS and want to use my RSA token server to authenticate my users. I have set up my RSA server under "RADIUS Identity Servers" in the external identity stores section of the ACS 5.2. I have only selected this RSA server in access policies -> identity. When I plug my 802.1x enabled laptop into the switch I can see the packets going to my ACS, but I cannot see any communication from my ACS to the RSA server. The error I get in the ACS is 22056 Subject not found in the applicable identity store(s). It works fine with AD. Any reason why the ACS is not talking to the RSA token server?

    It looks like the RSA token server is not one of the identity stores used by the authentication policies you set up, I would start troubleshooting by looking at them and see what identity store or identity store sequence they are using.

  • Using Lion Server Radius for authenticating "other" clients

    Hi, I've been trying to get the RADIUS service in Lion Server to authenticate users of my Squid web proxy. I have followed the Squid wiki's instructions to configure the Squid server as a RADIUS client and pass authentication requests to the Lion Server RADIUS (I hope). However, I'm trying to configure and test the Lion Server RADIUS. As Lion Server's Admin GUI for RADIUS only lets you add AirPort base stations, I've been trying to dig around for what underlying config files to edit. I have tried 2 methods of adding the client details to RADIUS:
    1. By editing /etc/raddb/client.conf, and adding/changing (for example):
    client localhost {
         secret     = mysecretpassphrase
    }
    client 192.168.0.0/24 {
         secret              = mysecretpassphrase
         shortname       = local-lan-clients
    }
    and restarting squid. Nothing seems to get mentioned in the RADIUS log file! So I'm not completely convinced that the Lion RADIUS took any notice of this!
    2. Instead of the above, added the same client info using radiusconfig:
    $ sudo radiusconfig -addclient 192.168.0.0/24 local-lan-clients other <return>
    - then it prompts for the secret. With this command I notice the entry/event is recognised in the RADIUS log file, and it also looks like there is some SQL activity. If I don't specify "other" for the nas-type, it defaults to "AirPort Base Station" or similar.
    OK, so forgetting about Squid for a minute, I can't even get that far, as I'm just trying to test the config using the "radclient" utility from the Lion Server and the Squid server:
    $ sudo radclient localhost auth mysecretpassphrase <return>
    and... no response, just hangs, nothing in the RADIUS log either.
    The Lion firewall allows TCP and UDP requests into the RADIUS authentication port.
    Any ideas what else I need to do? Scratching my head, I'm wondering if it is anything to do with SSL? E.g. do I need to make the authentication using the self-signed certificate that Open Directory has? I presume any AirPort base stations added to RADIUS will use this certificate to establish a secure connection for authentication.

    The RADIUS server in OS X Server is a standard FreeRADIUS implementation with Apple's own custom GUI frontend for configuring it and which only allows adding AirPort base-stations. In Mountain Lion Server it is even limited to a specific configuration for the AirPort base-station.
    However if you follow the normal command-line instructions and steps for configuring FreeRADIUS then it will be possible to add any type of RADIUS client.
    While, as far as I can see, manually configuring the FreeRADIUS server in OS X Server should enable you to do what you want, most people choose to configure Squid to use either PAM or the LDAP modules for Squid, in this case to authenticate directly to Open Directory (which is of course based on LDAP).
    I myself have used PAM in the past with Squid to successfully configure Squid to authenticate users via Open Directory. I was even able to specify an Open Directory group and only allow members of that group access via the Squid proxy server. I then went a bit OTT and set up another open-source tool (which was discontinued and I had to fix to get working) to process the Squid logs and store them in MySQL, and then set up FileMaker Pro to connect to the MySQL database via ODBC to allow producing reports.
    Unfortunately the AFP548 website had a major redesign a while ago and many previous technical articles on it are now hard to find. I had used two articles on that site to guide me through setting up Squid and the PAM on a Mac server. I believe the two articles I used are the ones listed below.
    http://afp548.com/2004/09/08/using-os-x-open-directory-to-authenticate-squid-proxy-server/
    http://afp548.com/2004/12/13/squid-server-using-ldap-authentication/

  • RSA SecureID ACE/Server 6.1.2 integration issue with IDM2005Q4M3

    I tried the SecurID adapter with the following steps:
    1. set up the IDM gateway on the SecurID server
    2. copy SecurID's apidemon.exe to the gateway.exe folder
    3. add the administrator on the SecurID server and use it on the IDM resource adapter
    4. run gateway.exe -d -fsso.log -l6
    5. configure the SecurID adapter resource; test configuration is OK
    6. add an rsa_test user on IDM, then assign the SecurID resource to the user
    Before step 6 everything is fine, but step 6 causes IDM to hang up, with no response from the gateway.
    While I assign the user the SecurID resource in IDM, the gateway trace log prints the trace below and then hangs:
    01/09/2008 17.44.55.234000 [2464] (../../../../src/wps/agent/securid/SecurIdExtension.cpp,1439): Enter: login
    01/09/2008 17.44.55.234000 [2464] (../../../../src/wps/agent/connect/RAEncryptor.cpp,69): RAEncryptor::Decrypt3DES: input length (8) moded to 1
    my environment:
    idm 2005Q4M3 on linux
    gateway: Sun Java System Identity Manager 6.0 SP1 HF82 on windows 2003 sp1
    RSA SecureID ACE/Server: 6.1.2 on windows 2003 sp1
    Any help on RSA SecurID ACE/Server 6.1.2 integration with IDM2005Q4M3 is greatly appreciated.
    Or can anybody send me some more docs on the integration process and the checkpoints?
    Please help!
    Edited by: Brave on Jan 9, 2008 4:36 AM


  • RADIUS Authentication Problems with NPS Server Eventid 6274

    Hi,
    We have struggled for a while with RADIUS auth for some clients against an NPS server. When the user or computer tries to connect to the wireless network, the following error can be seen on the NPS server:
    Network Policy Server discarded the request for a user
    Contact the Network Policy Server administrator for more information.
    User:
        Security ID:            NULL SID
        Account Name:            host/hostname.domainname.com
        Account Domain:            -
        Fully Qualified Account Name:    -
    Client Machine:
        Security ID:            NULL SID
        Account Name:            -
        Fully Qualified Account Name:    -
        OS-Version:            -
        Called Station Identifier:        40-20-B1-F4-BB-15:Wireless-SSID
        Calling Station Identifier:        C1-18-85-08-10-E1
    NAS:
        NAS IPv4 Address:        192.168.10.10
        NAS IPv6 Address:        -
        NAS Identifier:            AP name
        NAS Port-Type:            Wireless - IEEE 802.11
        NAS Port:            0
    RADIUS Client:
        Client Friendly Name:        name
        Client IP Address:            192.168.10.10
    Authentication Details:
        Connection Request Policy Name:    Secure Wireless Connections
        Network Policy Name:        -
        Authentication Provider:        Windows
        Authentication Server:        NPS servername
        Authentication Type:        -
        EAP Type:            -
        Account Session Identifier:        -
        Reason Code:            3
        Reason:                The RADIUS Request message that Network Policy Server received from the network access server was malformed.
    Network Policy Server discarded the request for a user.
    Contact the Network Policy Server administrator for more information.
    User:
        Security ID:            NULL SID
        Account Name:            domainname\username
        Account Domain:            -
        Fully Qualified Account Name:    -
    Client Machine:
        Security ID:            NULL SID
        Account Name:            -
        Fully Qualified Account Name:    -
        OS-Version:            -
        Called Station Identifier:        20-18-B1-F4-BB-15:Wireless-SSID
        Calling Station Identifier:        09-3E-8E-3E-5A-C9
    NAS:
        NAS IPv4 Address:        192.168.10.10
        NAS IPv6 Address:        -
        NAS Identifier:            AP name
        NAS Port-Type:            Wireless - IEEE 802.11
        NAS Port:            0
    RADIUS Client:
        Client Friendly Name:        name
        Client IP Address:            192.168.10.10
    Authentication Details:
        Connection Request Policy Name:    Secure Wireless Connections
        Network Policy Name:        -
        Authentication Provider:        Windows
        Authentication Server:        NPS server name
        Authentication Type:        -
        EAP Type:            -
        Account Session Identifier:        -
        Reason Code:            3
        Reason:                The RADIUS Request message that Network Policy Server received from the network access server was malformed.
    Message seen from the AP's logs:
    (317)IEEE802.1X auth is starting (at if=wifi0.2)
    (318)Send message to RADIUS Server(192.168.60.166): code=1 (Access-Request) identifier=157 length=162,  User-Name=domain\username NAS-IP-Address=192.168.10.10 Called-Station-Id=40-18-B1-F4-BB-15:Wireless-SSID Calling-Station-Id=C0-18-85-08-10-E1
    (319)Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=157 length=90
     (320)Send message to RADIUS Server(192.168.60.166): code=1 (Access-Request) identifier=158 length=286,  User-Name=domain\username NAS-IP-Address=192.168.10.10 Called-Station-Id=40-18-B1-F4-BB-15:Wireless-SSID Calling-Station-Id=C0-18-85-08-10-E1
     (321)Send message to RADIUS Server(192.168.60.166): code=1 (Access-Request) identifier=161 length=162,  User-Name=domain\username NAS-IP-Address=192.168.10.10 Called-Station-Id=40-18-B1-F4-BB-15:Wireless-SSID Calling-Station-Id=C0-18-85-08-10-E1
     (322)Receive message from RADIUSServer: code=11 (Access-Challenge) identifier=161 length=90 BASIC  
    Output omitted
    (330)Sta(at if=wifi0.2) is de-authenticated because of notification of driver
    We have other NPS Servers with corresponding policy settings which are working so I am having trouble to understand why this errors occurs.
    Initially the problem seemed to be related to the cert on the NPS server because it used the cert generated from the Computer template. Now it uses the template for Domain Controller just as the other NPS servers do, so this should not be the issue (not sure if this matters?).
    Please guide me on how to take this further
    Thank you :)
    //Cris

    Hi,
    NPS Event ID: 6274.
    This condition occurs when the NPS discards accounting requests because the structure of the accounting request message that was sent by a RADIUS client does not comply with the RADIUS protocol. You should reconfigure, upgrade, or replace the RADIUS client.
    Detailed information reference:
    Event ID 6274 — NPS Accounting Request Message Processing
    https://technet.microsoft.com/en-us/library/cc735339(v=WS.10).aspx
    Best Regards,
    Eve Wang
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]
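    The reply above says NPS rejects a request whose structure does not comply with the RADIUS protocol. The following is an added example (not code from the thread, from NPS or from the AP vendor) that checks the framing rules of RFC 2865 on a raw RADIUS datagram: a 20-byte header, a Length field between 20 and 4096 that must not exceed the datagram, and a chain of type/length/value attributes whose lengths must cover their own two header octets and stay inside the packet. The sample Access-Request is constructed here from the attribute values visible in the AP log (User-Name, NAS-IP-Address, Called-Station-Id, Calling-Station-Id); the Request Authenticator bytes are made up, the packet carries only that attribute subset so its length differs from the 162 in the log, and exactly which checks NPS applies internally is not stated on the page.

```python
"""RADIUS packet framing check (RFC 2865).

Added example: a structural validator of the kind a RADIUS server runs
before it will process a request. Sample packets are constructed from the
attribute values in the AP log above; the authenticator is made up.
"""
import socket
import struct

ACCESS_REQUEST = 1
HEADER_LEN = 20          # code(1) + identifier(1) + length(2) + authenticator(16)
MIN_PACKET_LEN = 20      # RFC 2865 section 3
MAX_PACKET_LEN = 4096

# RFC 2865 attribute types that appear in the AP log lines
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLED_STATION_ID = 30
ATTR_CALLING_STATION_ID = 31
ATTR_NAMES = {
    ATTR_USER_NAME: "User-Name",
    ATTR_NAS_IP_ADDRESS: "NAS-IP-Address",
    ATTR_CALLED_STATION_ID: "Called-Station-Id",
    ATTR_CALLING_STATION_ID: "Calling-Station-Id",
}


def build_packet(code, identifier, authenticator, attrs):
    """Encode a RADIUS packet; attrs is a list of (type, value_bytes)."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(body)) + authenticator + body


def parse_packet(data):
    """Validate framing; return (ok, reason, attrs_parsed_so_far)."""
    if len(data) < MIN_PACKET_LEN:
        return False, "datagram shorter than the 20-byte header", []
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if not MIN_PACKET_LEN <= length <= MAX_PACKET_LEN:
        return False, f"length field {length} outside 20..4096", []
    if length > len(data):
        return False, f"length field {length} exceeds datagram size {len(data)}", []
    # Octets beyond the Length field are padding and must be ignored (RFC 2865)
    payload = data[HEADER_LEN:length]
    attrs, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            return False, "trailing octet too short for an attribute header", attrs
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2:
            return False, f"attribute type {atype} has illegal length {alen}", attrs
        if pos + alen > len(payload):
            return False, f"attribute type {atype} length {alen} overruns packet", attrs
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return True, "ok", attrs


def describe(attrs):
    """Decode the parsed attributes into a readable dict."""
    out = {}
    for atype, value in attrs:
        name = ATTR_NAMES.get(atype, f"Attr-{atype}")
        out[name] = socket.inet_ntoa(value) if atype == ATTR_NAS_IP_ADDRESS \
            else value.decode("ascii", errors="replace")
    return out


def sample_request():
    """Constructed Access-Request (identifier 157) with the log's attributes."""
    authenticator = bytes(range(16))  # made-up Request Authenticator
    attrs = [
        (ATTR_USER_NAME, b"domain\\username"),
        (ATTR_NAS_IP_ADDRESS, socket.inet_aton("192.168.10.10")),
        (ATTR_CALLED_STATION_ID, b"40-18-B1-F4-BB-15:Wireless-SSID"),
        (ATTR_CALLING_STATION_ID, b"C0-18-85-08-10-E1"),
    ]
    return build_packet(ACCESS_REQUEST, 157, authenticator, attrs)


def malformed_request():
    """Same packet with the Calling-Station-Id length octet corrupted to 1."""
    pkt = bytearray(sample_request())
    offset = HEADER_LEN + (2 + 15) + (2 + 4) + (2 + 31)  # start of 4th attribute
    assert pkt[offset] == ATTR_CALLING_STATION_ID
    pkt[offset + 1] = 1
    return bytes(pkt)


if __name__ == "__main__":
    cases = [("well-formed", sample_request()),
             ("corrupted", malformed_request()),
             ("truncated", sample_request()[:60])]
    for label, pkt in cases:
        ok, reason, attrs = parse_packet(pkt)
        print(f"{label:11s} len={len(pkt):3d} -> {reason}; {describe(attrs)}")
```

    Running it prints one line per case: the well-formed packet decodes all four attributes, the corrupted one stops at the bad length octet, and the truncated datagram is rejected on the Length field before any attribute is read. When an NPS server logs reason code 3, capturing the datagram on the wire and running it through a check like this tells you which of these framing rules the access point's request broke.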

  • Radius server web authentication using ISE

    Hi,
    Can anyone point me in the direction of a guide to implement radius server web authentication using ISE?
    I need this to be layer 3 Web Auth with all authentication requests coming from the wireless anchor controller, therefore I don't think I can implement central web auth on ISE as detailed in the user guide, as it's layer 2 and auth requests come from the foreign controller.
    The following link explains "Radius Server Web Authentication" using ACS.  I need to find something similar for ISE - http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/69340-web-auth-config.html  
    Thanks,

    Hi,
    Please check these:
    Central Web Authentication on the WLC and ISE Configuration Example
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html
    Regards
    Don't forget to rate helpful posts

  • NAC guest server with RADIUS authentication for guests issue.

    Hi all,
    We have just finally successfully installed our Cisco NAC guest server. We have version 2 of the server and basically the topology consists of a wism at the core of the network and a 4402 controller at the dmz, then out the firewall, no issues with that. We do however have a few problems, how can we provide access through a proxy without using pak files obviously, and is there a way to specify different proxies for different guest traffic, based on IP or a radius attribute etc.
    The second problem is more serious; refer to the documentation below from the configuration guide for guest nac server v2. It states that hotspots can be used and the Authentication option would allow radius authentication for guests, I’ve been told otherwise by Cisco and they say it can’t be done, has anyone got radius authentication working for guests.
    https://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_hotspots.html
    -----START QUOTE-----
    Step 7 From the Operation mode dropdown menu, you can select one of the following methods of operation:
    •Payment Provider—This option allows your page to integrate with a payment providing billing system. You need to select a predefined Payment Provider from the dropdown. (Refer to Configuring Payment Providers for details.) Select the relevant payment provider and proceed to Step 8.
    •Self Service—This option allows guest self service. After selection proceed to Step 8.
    •Authentication—This option allows RADIUS authentication for guests. Proceed to Step 9.
    ----- END QUOTE-----
    Your help is much appreciated on this, I’ve been looking forward to this project for a long time and it’s a bit of an anti climax that I can’t authenticate guests with radius (We use ACS and I was hoping to hook radius into an ODBC database we have setup called open galaxy)
    Regards
    Kevin Woodhouse

    Well I will try to answer your 2nd question.... will it work... yes.  It is like any other radius server (high end:))  But why would you do this for guest.... there is no reason to open up a port on your FW and to add guest accounts to and worse... add them in AD.  Your guest anchor can supply a web-auth, is able to have a lobby admin account to create guest accounts and if you look at it, it leaves everything in the DMZ.
    Now if you are looking at the self service.... what does that really give you.... you won't be able to control who gets on, people will use bogus info and last but not least.... I have never gotten that to work right.  Had the BU send me codes that never worked, but again... that was like a year ago and maybe they fixed that.  That is my opinion.
