SG300: MAC authentication with Radius VLAN assignment problems

Similar Messages

• 802.1x authetication with dynamic Vlan assignment by a radius server

  Hi
  At school I want to start using 802.1x authentication with dynamic Vlan assignment by a Windows Server 2012R2 Radius server.
  When a student logs in, I want it to be placed in the "Students" Vlan, when a Administrative employee logs in, I want it to be placed in the "Administative" vlan and when the client is unknown I want to place it in the "Guest" Vlan.
  I have several SG200 switches and I configured everything as mentioned in the administrative guide but I cannot get it to work as desired.
  What does work:
  - If the client is permitted, the switch changes to "authorized" state. (before anyone logs on to the domain with that client)
  - When a User logs on that is part of the Administrative employees, the switch changes to "authorized" and when a student logs on, it changes to "unauthorized". 
  So far so good.
  But what doesn't work:
  - it does not put the administrative employee in the Vlan "Administrative", it just enables the port on the switch but leaves it in the default vlan 1.
  - I can not find the Guest VLAN.
  Any help would be appriciated.

  Hi Wouter,
  Can you see in the packet capture Radius accept message VLAN attribute? Also please ensure you have the latest firmware and boot code:
  http://www.cisco.com/c/en/us/support/switches/sg200-26-26-port-gigabit-smart-switch/model.html#~rdtab1
  I would recommend you to open ticket with Small Business team so they can go with you through packet capture and configuration steps:
  http://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html
  Regards,
  Aleksandra 

• My Mac mini with my samsung screen, Problem is it not windscreen ?

  My Mac mini with my samsung screen, Problem is it not windscreen ? Help me

  How is it being connected?
  What is resolution of display?
  What OSX version?
  Have you tried different resolution settings in System Preferences>Displays>Scaled

• Mac adress authentication with Radius

  Hello all
  we have an WiFi architecture based on two Radius servers (ACS 3.2)
  We make a Mac adress authentication with WEP on these Radius servers. Ours Wirelless cards are Proxim Orinoco. When we used the user and the passord identified by the mac adress manualy that works.
  But, the authentication by Mac adress with the wireless card don't work. The log on the radius servers are "CS PASSWORD INVALID".
  Ideas ?
  Regards

  First ensure the password on the access point and the authentication server is the same. I have had this trouble getting authenitcated with ACS for admin authentication. Installing it on another machine made it work. So try uninstalling ACS completely using the recovery CD and reinstall it to check if this works.

• Aironet 2702i Autonomous - Web-Authentication with Radius Window 2008

  Hi Guys,
  I have a problems with case, i have diagrams sample like then : AD(Win2008) - Radius(Win2008) - Aironet 2702i => Use methods Web-Auth for EndUser  
  This is my Configure file on Aironet 2702i
  Aironet2702i#show run
  Building configuration...
  Current configuration : 8547 bytes
  ! Last configuration change at 05:08:25 +0700 Fri Oct 31 2014 by admin
  version 15.3
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname Aironet2702i
  logging rate-limit console 9
  aaa new-model
  aaa group server radius rad_mac
  aaa group server radius rad_acct
  aaa group server radius rad_admin
  aaa group server tacacs+ tac_admin
  aaa group server radius rad_pmip
  aaa group server radius dummy
  aaa authentication login default local
  aaa authentication login DTSGROUP group radius
  aaa authentication login webauth group radius
  aaa authentication login weblist group radius
  aaa authentication dot1x default group radius
  aaa authorization exec default local 
  aaa session-id common
  clock timezone +0700 7 0
  no ip source-route
  no ip cef 
  ip admission name webauth proxy http
  ip admission name webauth method-list authentication weblist 
  no ip domain lookup
  ip domain name dts.com.vn
  dot11 syslog
  dot11 activity-timeout unknown default 1000
  dot11 activity-timeout client default 1000
  dot11 activity-timeout repeater default 1000
  dot11 activity-timeout workgroup-bridge default 1000
  dot11 activity-timeout bridge default 1000
  dot11 vlan-name DTSGroup vlan 46
  dot11 vlan-name L6-Webauthen-test vlan 45
  dot11 vlan-name NetworkL7 vlan 43
  dot11 vlan-name SGCTT vlan 44
  dot11 ssid DTS-Group
     vlan 46
     authentication open eap DTSGROUP 
     authentication key-management wpa version 2
     mbssid guest-mode
  dot11 ssid DTS-Group-Floor7
     vlan 43
     authentication open 
     authentication key-management wpa version 2
     mbssid guest-mode
     wpa-psk ascii 7 013D03104C0414040D4D5B5E392559
  dot11 ssid L6-Webauthen-test
     vlan 45
     web-auth
     authentication open 
     dot1x eap profile DTSGROUP
     mbssid guest-mode
  dot11 ssid SaigonCTT-Public
     vlan 44
     authentication open 
     authentication key-management wpa version 2
     mbssid guest-mode
     wpa-psk ascii 7 04480A0F082E424D1D0D4B141D06421224
  dot11 arp-cache optional
  dot11 adjacent-ap age-timeout 3
  eap profile DTSGROUP
   description testwebauth-radius
   method peap
   method mschapv2
   method leap
  username TRIHM privilege 15 secret 5 $1$y1J9$3CeHRHUzbO.b6EPBmNlFZ/
  username ADMIN privilege 15 secret 5 $1$IvtF$EP6/9zsYgqthWqTyr.1FB0
  ip ssh version 2
  bridge irb
  interface Dot11Radio0
   no ip address
   encryption vlan 44 mode ciphers aes-ccm 
   encryption vlan 46 mode ciphers aes-ccm 
   encryption mode ciphers aes-ccm 
   encryption vlan 43 mode ciphers aes-ccm 
   encryption vlan 1 mode ciphers aes-ccm 
   ssid DTS-Group
   ssid DTS-Group-Floor7
   ssid L6-Webauthen-test
   ssid SaigonCTT-Public
   countermeasure tkip hold-time 0
   antenna gain 0
   stbc
   mbssid
   packet retries 128 drop-packet
   channel 2412
   station-role root
   rts threshold 2340
   rts retries 128
   ip admission webauth
  interface Dot11Radio0.1
   encapsulation dot1Q 1 native
   bridge-group 1
   bridge-group 1 subscriber-loop-control
   bridge-group 1 spanning-disabled
   bridge-group 1 block-unknown-source
   no bridge-group 1 source-learning
   no bridge-group 1 unicast-flooding
  interface Dot11Radio0.43
   encapsulation dot1Q 43
   bridge-group 43
   bridge-group 43 subscriber-loop-control
   bridge-group 43 spanning-disabled
   bridge-group 43 block-unknown-source
   no bridge-group 43 source-learning
   no bridge-group 43 unicast-flooding
  interface Dot11Radio0.44
   encapsulation dot1Q 44
   bridge-group 44
   bridge-group 44 subscriber-loop-control
   bridge-group 44 spanning-disabled
   bridge-group 44 block-unknown-source
   no bridge-group 44 source-learning
   no bridge-group 44 unicast-flooding
   ip admission webauth
  interface Dot11Radio0.45
   encapsulation dot1Q 45
   bridge-group 45
   bridge-group 45 subscriber-loop-control
   bridge-group 45 spanning-disabled
   bridge-group 45 block-unknown-source
   no bridge-group 45 source-learning
   no bridge-group 45 unicast-flooding
   ip admission webauth
  interface Dot11Radio0.46
   encapsulation dot1Q 46
   bridge-group 46
   bridge-group 46 subscriber-loop-control
   bridge-group 46 spanning-disabled
   bridge-group 46 block-unknown-source
   no bridge-group 46 source-learning
   no bridge-group 46 unicast-flooding
  interface Dot11Radio1
   no ip address
   shutdown
   encryption vlan 46 mode ciphers aes-ccm 
   encryption vlan 44 mode ciphers aes-ccm 
   encryption vlan 1 mode ciphers aes-ccm 
   encryption vlan 43 mode ciphers aes-ccm 
   encryption vlan 45 mode ciphers ckip-cmic 
   ssid DTS-Group
   ssid DTS-Group-Floor7
   ssid SaigonCTT-Public
   countermeasure tkip hold-time 0
   antenna gain 0
   peakdetect
   dfs band 3 block
   stbc
   mbssid
   packet retries 128 drop-packet
   channel 5745
   station-role root
   rts threshold 2340
   rts retries 128
  interface Dot11Radio1.1
   encapsulation dot1Q 1 native
   bridge-group 1
   bridge-group 1 subscriber-loop-control
   bridge-group 1 spanning-disabled
   bridge-group 1 block-unknown-source
   no bridge-group 1 source-learning
   no bridge-group 1 unicast-flooding
  interface Dot11Radio1.43
   encapsulation dot1Q 43
   bridge-group 43
   bridge-group 43 subscriber-loop-control
   bridge-group 43 spanning-disabled
   bridge-group 43 block-unknown-source
   no bridge-group 43 source-learning
   no bridge-group 43 unicast-flooding
  interface Dot11Radio1.44
   encapsulation dot1Q 44
   bridge-group 44
   bridge-group 44 subscriber-loop-control
   bridge-group 44 spanning-disabled
   bridge-group 44 block-unknown-source
   no bridge-group 44 source-learning
   no bridge-group 44 unicast-flooding
   ip admission webauth
  interface Dot11Radio1.45
   encapsulation dot1Q 45
   bridge-group 45
   bridge-group 45 subscriber-loop-control
   bridge-group 45 spanning-disabled
   bridge-group 45 block-unknown-source
   no bridge-group 45 source-learning
   no bridge-group 45 unicast-flooding
   ip admission webauth
  interface Dot11Radio1.46
   encapsulation dot1Q 46
   bridge-group 46
   bridge-group 46 subscriber-loop-control
   bridge-group 46 spanning-disabled
   bridge-group 46 block-unknown-source
   no bridge-group 46 source-learning
   no bridge-group 46 unicast-flooding
  interface GigabitEthernet0
   no ip address
   duplex auto
   speed auto
   dot1x pae authenticator
   dot1x authenticator eap profile DTSGROUP
   dot1x supplicant eap profile DTSGROUP
  interface GigabitEthernet0.1
   encapsulation dot1Q 1 native
   bridge-group 1
   bridge-group 1 spanning-disabled
   no bridge-group 1 source-learning
  interface GigabitEthernet0.43
   encapsulation dot1Q 43
   bridge-group 43
   bridge-group 43 spanning-disabled
   no bridge-group 43 source-learning
  interface GigabitEthernet0.44
   encapsulation dot1Q 44
   bridge-group 44
   bridge-group 44 spanning-disabled
   no bridge-group 44 source-learning
  interface GigabitEthernet0.45
   encapsulation dot1Q 45
   bridge-group 45
   bridge-group 45 spanning-disabled
   no bridge-group 45 source-learning
  interface GigabitEthernet0.46
   encapsulation dot1Q 46
   bridge-group 46
   bridge-group 46 spanning-disabled
   no bridge-group 46 source-learning
  interface GigabitEthernet1
   no ip address
   shutdown
   duplex auto
   speed auto
  interface GigabitEthernet1.1
   encapsulation dot1Q 1 native
   bridge-group 1
   bridge-group 1 spanning-disabled
   no bridge-group 1 source-learning
  interface GigabitEthernet1.43
   encapsulation dot1Q 43
   bridge-group 43
   bridge-group 43 spanning-disabled
   no bridge-group 43 source-learning
  interface GigabitEthernet1.44
   encapsulation dot1Q 44
   bridge-group 44
   bridge-group 44 spanning-disabled
   no bridge-group 44 source-learning
  interface GigabitEthernet1.45
   encapsulation dot1Q 45
   bridge-group 45
   bridge-group 45 spanning-disabled
   no bridge-group 45 source-learning
  interface GigabitEthernet1.46
   encapsulation dot1Q 46
   bridge-group 46
   bridge-group 46 spanning-disabled
   no bridge-group 46 source-learning
  interface BVI1
   mac-address 58f3.9ce0.8038
   ip address 172.16.1.62 255.255.255.0
   ipv6 address dhcp
   ipv6 address autoconfig
   ipv6 enable
  ip forward-protocol nd
  ip http server
  ip http authentication aaa
  no ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  ip radius source-interface BVI1 
  radius-server attribute 32 include-in-access-req format %h
  radius server 172.16.50.99
   address ipv4 172.16.50.99 auth-port 1645 acct-port 1646
   key 7 104A1D0A4B141D06421224
  bridge 1 route ip
  line con 0
   logging synchronous
  line vty 0 4
   exec-timeout 0 0
   privilege level 15
   logging synchronous
   transport input ssh
  line vty 5 15
   exec-timeout 0 0
   privilege level 15
   logging synchronous
   transport input ssh
  end
  This is My Logfile on Radius Win 2008 : 
  Network Policy Server denied access to a user.
  Contact the Network Policy Server administrator for more information.
  User:
  Security ID: S-1-5-21-858235673-3059293199-2272579369-1162
  Account Name: xxxxxxxxxxxxxxxx
  Account Domain: xxxxxxxxxxx
  Fully Qualified Account Name: xxxxxxxxxxxxxxxxxxx
  Client Machine:
  Security ID: S-1-0-0
  Account Name: -
  Fully Qualified Account Name: -
  OS-Version: -
  Called Station Identifier: -
  Calling Station Identifier: -
  NAS:
  NAS IPv4 Address: 172.16.1.62
  NAS IPv6 Address: -
  NAS Identifier: Aironet2702i
  NAS Port-Type: Async
  NAS Port: -
  RADIUS Client:
  Client Friendly Name: Aironet2702i
  Client IP Address: 172.16.1.62
  Authentication Details:
  Connection Request Policy Name: Use Windows authentication for all users
  Network Policy Name: DTSWIRELESS
  Authentication Provider: Windows
  Authentication Server: xxxxxxxxxxxxxx
  Authentication Type: PAP
  EAP Type: -
  Account Session Identifier: -
  Logging Results: Accounting information was written to the local log file.
  Reason Code: 66
  Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
  So i will explain problems what i have seen:
  SSID: DTS-Group using authentication EAP with RADIUS and it working great (Authentication Type from Aironet to RADIUS is PEAP)
  SSID:L6-Webauthen-test using web-auth and i had try to compare with RADIUS but ROOT CAUSE is AUTHENTICATION TYPE from Aironet to RADIUS default is PAP. (Reason Code : 66)
  => I had trying to find how to change Authentication Type of Web-Auth on Cisco Aironet from PAP to PEAP or sometime like that for combine with RADIUS.
  Any idea or recommend for me ?
  Thanks for see my case  

  Hi Dhiresh Yadav,
  Many thanks for your reply me,
  I will explain again for clear my problems.
  At this case, i had setup complete SSID DTS-Group use authentication with security as PEAP combine Radius Server running on Window 2008.
  I had login SSID by Account create in AD =>  It's work okay with me. Done
  Problems occurs when i try to use Web-authentication on Vlan45 With SSID :
  dot11 ssid L6-Webauthen-test
     vlan 45
     web-auth
     authentication open 
     dot1x eap profile DTSGROUP
     mbssid guest-mode
  After configured on Aironet and Window Radius , i had try to login with Account create in AD by WebBrowser but it Fail ( i have see mini popup said: Authentication Fail" . So i go to Radius Server and search log on EventViewer.
  This is My Logfile on Radius Win 2008 : 
  Network Policy Server denied access to a user.
  NAS:
  NAS IPv4 Address: 172.16.1.62
  NAS IPv6 Address: -
  NAS Identifier: Aironet2702i
  NAS Port-Type: Async
  NAS Port: -
  RADIUS Client:
  Client Friendly Name: Aironet2702i
  Client IP Address: 172.16.1.62
  Authentication Details:
  Connection Request Policy Name: Use Windows authentication for all users
  Network Policy Name: DTSWIRELESS
  Authentication Provider: Windows
  Authentication Server: xxxxxxxxxxxxxx
  Authentication Type: PAP
  EAP Type: -
  Account Session Identifier: -
  Logging Results: Accounting information was written to the local log file.
  Reason Code: 66
  Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
  Im  think ROOT CAUSE is :
  PAP is the default authentication type for web-auth users on Aironet 2702i, so it can't combine with Radius Window 2008 because they just support PEAP (CHAPv1,CHAPv2....) => Please give me a tip how to change Authentication Type from PAP to PEAP for Web Authentication on Aironet

• Limti PO with Multiple account assignment Problem

  Hi,
  Can we create limit PO with Multiple account assignment.
  If yes, i have issue with commitment distribution for all the account assignment. when i post service entry sheet the value is posting for only first one cost centre/Order but not all.
  So in the purchase order for the remaining account assignment commitment remain left.
  Reagrds,
  JM

  Hi Summer,
  We have implemented SAP Note 1165524 for multiple account assignment as suggested, and it is working fine for New POs.
  But we have old Purchase order which still have wrong commitment, and GR and IR are already posted for this PO, we have to reduce the commitment to Zero.
  there is one solution for this is set  'No further Invoice expected' check box selected in this PO, but in our case PO  went into error in process after doing this.
  Please help me to reduce commitment to zero for this old PO
  Thanks in advance
  Vikas

• ACS Server MAC Authentication with Windows Database

  Has anyone setup an ACS Server 3.2 for MAC authentication using Windows as the authentication. The documentation I found shows how to set it up using the CiscoSecure database. Any help would be appreciated.

  Here is the link for setting up MAC authentication using CisoSecure database. There may not be a solution for my setup, but maybe I'll keep hacking away at it and find a resolution.
  http://www.cisco.com/en/US/products/hw/wireless/ps430/products_white_paper09186a00800b3d27.shtml

• Web authentication with Radius server problem

  Hello,
  I'm having problem to web authenticate users via radius server for one WLC. Here is the outpu from WLC:
  *emWeb: Mar 26 14:17:31.537: 20:7d:xx:xx:d8:f0 Username entry (aaaaaa) created for mobile, length = 7
  *emWeb: Mar 26 14:17:31.537: 20:7d:xx:xx:d8:f0 Username entry (aaaaaa) created in mscb for mobile, length = 7
  *aaaQueueReader: Mar 26 14:17:31.537: Unable to find requested user entry for aaaaaa
  *aaaQueueReader: Mar 26 14:17:31.537: ReProcessAuthentication previous proto 8, next proto 1
  *aaaQueueReader: Mar 26 14:17:31.537: AuthenticationRequest: 0x1e08eb94
  *aaaQueueReader: Mar 26 14:17:31.538:   Callback.....................................0x10908d90
  *aaaQueueReader: Mar 26 14:17:31.538:   protocolType.................................0x00000001
  *aaaQueueReader: Mar 26 14:17:31.538:   proxyState...................................20:7D:xx:xx:D8:F0-00:00
  *aaaQueueReader: Mar 26 14:17:31.538:   Packet contains 11 AVPs (not shown)
  *aaaQueueReader: Mar 26 14:17:31.538: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
  *aaaQueueReader: Mar 26 14:17:31.538: 20:7d:xx:xx:d8:f0 Successful transmission of Authentication Packet (id 67) to 10.xx.33.249:1645, proxy state 20:7d:xx:xx:d8:f0-00:01
  *aaaQueueReader: Mar 26 14:17:31.538: 00000000: 01 43 00 8c 48 7c a7 ff  df 06 53 30 c0 be e1 8e  .C..H|....S0....
  *aaaQueueReader: Mar 26 14:17:31.538: 00000010: d7 fd 8b d3 01 09 73 65  66 72 73 76 65 02 12 7b  ......aaaaaa..{
  *aaaQueueReader: Mar 26 14:17:31.538: 00000020: ae 2e f5 eb fa cf f5 cc  3b 08 65 d7 04 0e ba 06  ........;.e.....
  *aaaQueueReader: Mar 26 14:17:31.538: 00000030: 06 00 00 00 01 04 06 0a  2e 09 14 05 06 00 00 00  ................
  *aaaQueueReader: Mar 26 14:17:31.538: 00000040: 0d 20 0d 73 65 76 73 74  2d 6c 77 63 31 30 3d 06  ...xxxxx-lwc10=.
  *aaaQueueReader: Mar 26 14:17:31.538: 00000050: 00 00 00 13 1a 0c 00 00  37 63 01 06 00 00 00 01  ........7c......
  *aaaQueueReader: Mar 26 14:17:31.538: 00000060: 1f 0e 31 39 32 2e 31 36  38 2e 31 2e 36 31 1e 0c  ..192.168.1.61..
  *aaaQueueReader: Mar 26 14:17:31.538: 00000070: 31 30 2e 34 36 2e 39 2e  32 30 50 12 95 11 7c d9  10.xx.9.20P...|.
  *aaaQueueReader: Mar 26 14:17:31.538: 00000080: 75 8e 01 6e bf 62 38 f8  38 ab 68 4a              u..n.b8.8.hJ
  *radiusTransportThread: Mar 26 14:17:31.603: 00000000: 03 43 00 14 e5 8c e7 75  52 04 af e0 07 b7 fb 96  .C.....uR.......
  *radiusTransportThread: Mar 26 14:17:31.603: 00000010: c1 4a fb 40                                       .J.@
  *radiusTransportThread: Mar 26 14:17:31.603: ****Enter processIncomingMessages: response code=3
  *radiusTransportThread: Mar 26 14:17:31.603: ****Enter processRadiusResponse: response code=3
  *radiusTransportThread: Mar 26 14:17:31.603: 20:7d:xx:xx:d8:f0 Access-Reject received from RADIUS server 10.xx.33.249 for mobile 20:7d:xx:xx:d8:f0 receiveId = 0
  *radiusTransportThread: Mar 26 14:17:31.603: ReProcessAuthentication previous proto 1, next proto 2
  *radiusTransportThread: Mar 26 14:17:31.603: AuthenticationRequest: 0x1da9fa4c
  *radiusTransportThread: Mar 26 14:17:31.603:    Callback.....................................0x10908d90
  *radiusTransportThread: Mar 26 14:17:31.603:    protocolType.................................0x00000002
  *radiusTransportThread: Mar 26 14:17:31.603:    proxyState...................................20:7D:xx:xx:D8:F0-00:00
  *radiusTransportThread: Mar 26 14:17:31.603:    Packet contains 11 AVPs (not shown)
  *radiusTransportThread: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Returning AAA Error 'No Server' (-7) for mobile 20:7d:xx:xx:d8:f0
  *radiusTransportThread: Mar 26 14:17:31.605: AuthorizationResponse: 0x2dd03648
  *radiusTransportThread: Mar 26 14:17:31.605:    structureSize................................32
  *radiusTransportThread: Mar 26 14:17:31.605:    resultCode...................................-7
  *radiusTransportThread: Mar 26 14:17:31.605:    protocolUsed.................................0x00000002
  *radiusTransportThread: Mar 26 14:17:31.605:    proxyState...................................20:7D:xx:xx:D8:F0-00:00
  *radiusTransportThread: Mar 26 14:17:31.605:    Packet contains 0 AVPs:
  *emWeb: Mar 26 14:17:31.605: Authentication failed for aaaaaa
  *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Username entry deleted for mobile
  *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Plumbing web-auth redirect rule due to user logout
  *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 192.168.1.61 WEBAUTH_REQD (8) Deleting mobile policy rule 42461
  *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Adding Web RuleID 42464 for mobile 20:7d:xx:xx:d8:f0
  *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Web Authentication failure for station
  *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 192.168.1.61 WEBAUTH_REQD (8) Reached ERROR: from line 5069
  That was pretty clear for me that Radius is refusing to give user access.
  Fully-Qualified-User-Name = NMEA\aaaaaa
  NAS-IP-Address = 10.xx.9.20
  NAS-Identifier = xxxxx-lwc10
  Called-Station-Identifier = 10.xx.9.20
  Calling-Station-Identifier = 192.168.1.61
  Client-Friendly-Name = YYY10.xx
  Client-IP-Address = 10.xx.9.20
  NAS-Port-Type = Wireless - IEEE 802.11
  NAS-Port = 13
  Proxy-Policy-Name = Use Windows authentication forall users
  Authentication-Provider = Windows
  Authentication-Server = <undetermined>
  Policy-Name = YYYYY Wireless Users
  Authentication-Type = PAP
  EAP-Type = <undetermined>
  Reason-Code = 66
  Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy
  That output is from WLC 5508 version 7.0.235
  What is strange, that user was able to authenticate from other before refresh WLC 4402 ver 4.2.207. I cannot change WLC because of AP which cannot run old version.
  this is output from working client connection from old WLC
  NAS-IP-Address = 10.xx.9.13
  NAS-Identifier = xxxxx-lwc03
  Client-Friendly-Name = YYY10.46
  Client-IP-Address = 10.xx.9.13
  Calling-Station-Identifier = 192.168.19.246
  NAS-Port-Type = <not present>
  NAS-Port = <not present>
  Proxy-Policy-Name = Use Windows authentication for all users
  Authentication-Provider = Windows
  Authentication-Server = <undetermined>
  Policy-Name = YYYYY Wireless Guest Access
  Authentication-Type = PAP
  EAP-Type = <undetermined>
  I know there is different Policy Name used, but my question is why it is not using the same as on old WLC when configuration is same.
  Is there any way I can force users to use different policy from WLC or AP configuration or is this solely configuration of Radius?
  Is it maybe problem of version 7.0.235?
  Any toughts would be much appriciated.

  Scott,
  You are probably right. The condition that is checked for the first policy name (we have 2) is to match
  NAS-Port-Type = Wireless - IEEE 802.11, and this is basically used to differentiate guests from other company users.
  as you can see from the logs the one that is working correctly is not sending NAS-Port-Type. The question is why.
  As I said before.
  WLC 5508 ver. 7.0.235 is sending NAS-Port-Type
  WLC 4402 ver. 4.2.207 is not.
  The same user was working OK on 4402 WLC and after refresh and associating APs to 5508 it all broke, so client did not changed anything on adapter.

• Acs and Dynamic vlan assignment problem

  Hi all,
  I'm unable to dinamically pass the Radius attribute , about assigned vlan, to 802.1x clients.
  I'm sure that everything is well configured but the only way to do it is configuring these attributes directly on user or group properties.
  When i try to pass these attributes by appliction of a Shared RAC (acs 4.2) or NAP (ACS 5.0) the only message that i can find on the switch, where the vlan has to be configured, is:
  dot1x-ev:Received VLAN is No Vlan
  dot1x-ev:Received VLAN Id -1
  The user is still authenticated successfully ( and all the profiles correctly assigned) but remain in the vlan statically configured on the interface.
  The logic is working, but transmission do not.
  Is this a bug ?

  test the authentication again.If is still fails, set the logging to full on the ACS server using:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a00800afec1.shtml#setting_acs
  Also Check if you are running another RADIUS product on the same server as the ACS services and the same decryption was being used.Reset shared key on switch and radius server.

• Issue with authentication with RADIUS when using VPN

  Our customer has a problem with auhtentication against Radius vhen he is using VPN or SSL VPN. Authentication on SSH or TELNET via RADIUS is working fine . When I configure on VPN (and SSL VPN) authentication against the local database, everything is working fine and tunnel is established.
  In attachement is running-config of customer's gateway and capture file of communication between RADIUS server and gateway (radius access request starting at 85th line).
  I found in this file at AVP attributes that the gateway is sending ipsec profile name (in this case "VPN") instead of username.

  SSLVPN is configured to use the local database of usernames only in this config. It is not configured to use RADIUS.

• IEEE 802.1x Authentication with RADIUS failed

  Hello guys,
  I've a little strange Situation.
  If user start his Computer (Windows 7 enterprise) and computer is connected via LAN it works fine.
  If user start his Computer (Windows 7 enterprise) and computer is connected via WLAN it works also fine.
  But if user start his Computer (Windows 7 enterprise) that is connected via LAN it is not more possible to connect to WLAN (parallel). I've implemented an IEEE 802.1 RADIUS authenticiation.
  It does not work with this special user account. I've tested it already successful with couple other accounts.
  Does someone has experience with such Situation?
  Regards
  Rodik

  It does not work with this special user account. I've tested it already successful with couple other accounts.
  Hi,
  Did you mean that this problem just occures to the single User Account but others works fine at same computer, isn't it?
  When it connect Wlan failed, is there any error message? Have you tried to reinstall the WLan device driver for test?
  it would be better to provide more details about the Wlan connect failed.
  Roger Lu
  TechNet Community Support

• IEEE 802.1x Port based Authentication with Restricted VLAN

  Hi all,
  I have the following configuration:
  aaa new-model
  aaa authentication dot1x default group radius
  aaa authorization exec default local
  dot1x system-auth-control
  radius-server host 10.10.10.10 key cisco
  interface FastEthernet0/1
  switchport mode access
  authentication event fail retry 1 action authorize vlan 2
  authentication port-control auto
  dot1x pae authenticator
  spanning-tree portfast
  But it takes quite a while for the user who is not authorized to be switch to vlan 2.
  I would like to know what is best practice when using this kind of configuration  and if it is possible to optimize on how long it takes to switch the unauthorized user to the restricted VLAN?
  Regards,
  Laurent

  Laurent,
  Based on your configuration it looks as if it will take one retry attempt before the client is placed in vlan2. Try to remove the 'retry 1' from command and see if that speeds up the time. Also take the output of the 'show authentication sessions interface '. Please post the output of the 'debug radius authentication' as that will help to see how long it is taking the radius server to respond.
  thanks,
  Tarik Admani

• Toplink Proxy Authentication with 10.1.3 problem

  Hi,
  I'm are using Toplink Proxy Authentication in a JSF application with SessionFacade pattern and have implemented a preLogin() method of oracle.itech.pil.utils.PILSessionEventManager (which implements SessionEventListener) as described in
  http://www.oracle.com/technology/products/ias/toplink/doc/1013/main/_html/dblgcfg008.htm. Due to Class Loader problem while loading of SessionEventManager, I'm explicitly loading the Class by doing this:
  try {
  Thread.currentThread().getContextClassLoader().loadClass("oracle.itech.pil.utils.PILSessionEventManager");
  catch(Exception exp) {
  System.out.println("Exception while loading class oracle.itech.pil.utils.PILSessionEventManager "+exp.toString());
  The SessionEventManager is loaded by doing this:
  session.getEventManager().addListener(new PILSessionEventManager());
  (Encountered while using <event-listener-class>oracle.itech.pil.events.PILSessionEventManager</event-listener-class> in sessions.xml file, so removed and added the same using session.getEventManager().addListener(new PILSessionEventManager()) )
  But now, I'm encountering ClassCastException during the login to my application
  The below pasted exception (oracle.oc4j.rmi.OracleRemoteException: java.lang.ClassCastException: oracle.itech.pil.utils.PILSessionEventManager) is coming when invoking line (Login)session.readObject(oracle.itech.pil.model.Login.class, expression);
  Code :
  XMLSessionConfigLoader xmlLoader =
  new XMLSessionConfigLoader("META-INF/sessions.xml");
  SessionManager sessionMgr = SessionManager.getManager();
  DatabaseSession session =
  (DatabaseSession)sessionMgr.getSession(xmlLoader, "serverSession",
  SessionFacadeEJBBean.class.getClassLoader());
  // Set Listener through Java code
  //session.getEventManager().addListener(new PILSessionEventManager());
  new PILSessionEventManager();
  System.out.println("I am at getLoginDetails after the listner...>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>");
  Login login = null;
  LoggedInBB loggedIn = null;
  ExpressionBuilder builder = new ExpressionBuilder();
  Expression expression = null;
  // If username is not null
  System.out.println("The _uname is "+_uname);
  if (_uname != null) {
  expression = builder.get("uname").equalsIgnoreCase(_uname).and(builder.get("empno").equalsIgnoreCase(_empNo));
  if (expression != null) {
  System.out.println("expression != null >>>>>>>>>>>>>>");
  //login = (Login)session.readObject(oracle.itech.pil.model.Login.class, expression);
  login =(oracle.itech.pil.model.Login) (session.readAllObjects(oracle.itech.pil.model.Login.class, expression)).get(0);
  System.out.println("Login Object is "+login);
  Exception:
  [TopLink Info]: 2006.05.02 05:04:18.703--ServerSession(21707422)--TopLink, version: Oracle TopLink - 10g Release 3 (10.1.3.0.0) (Build 060118)
  [TopLink Info]: 2006.05.02 05:04:22.619--ServerSession(21707422)--serverSession login successful
  06/05/02 17:04:22 I am at getLoginDetails after the listner............>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
  06/05/02 17:04:22 The _uname is admin
  06/05/02 17:04:22 expression != null >>>>>>>>>>>>>>
  [TopLink Warning]: 2006.05.02 05:04:22.639--ServerSession(21707422)--java.lang.ClassCastException: oracle.itech.pil.utils.PILSessionEventManager
  oracle.oc4j.rmi.OracleRemoteException: java.lang.ClassCastException: oracle.itech.pil.utils.PILSessionEventManager
       at com.evermind.server.ejb.EJBUtils.getUserException(EJBUtils.java:333)
       at com.evermind.server.ejb.interceptor.system.AbstractTxInterceptor.convertAndHandleMethodException(AbstractTxInterceptor.java:69)
       at com.evermind.server.ejb.interceptor.system.TxSupportsInterceptor.invoke(TxSupportsInterceptor.java:39)
       at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:69)
       at com.evermind.server.ejb.interceptor.system.DMSInterceptor.invoke(DMSInterceptor.java:52)
       at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:69)
       at com.evermind.server.ejb.StatelessSessionEJBObject.OC4J_invokeMethod(StatelessSessionEJBObject.java:86)
       at SessionFacadeEJB_StatelessSessionBeanWrapper2.getLoginDetails(SessionFacadeEJB_StatelessSessionBeanWrapper2.java:172)
       at oracle.itech.pil.backing.LoginBB.LoginButton_action(LoginBB.java:182)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:585)
       at com.sun.faces.el.MethodBindingImpl.invoke(MethodBindingImpl.java:126)
       at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:72)
       at oracle.adf.view.faces.component.UIXCommand.broadcast(UIXCommand.java:211)
       at javax.faces.component.UIViewRoot.broadcastEvents(UIViewRoot.java:267)
       at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:381)
       at com.sun.faces.lifecycle.InvokeApplicationPhase.execute(InvokeApplicationPhase.java:75)
       at com.sun.faces.lifecycle.LifecycleImpl.phase(LifecycleImpl.java:200)
       at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:90)
       at javax.faces.webapp.FacesServlet.service(FacesServlet.java:197)
       at com.evermind.server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:64)
       at oracle.adfinternal.view.faces.webapp.AdfFacesFilterImpl._invokeDoFilter(AdfFacesFilterImpl.java:367)
       at oracle.adfinternal.view.faces.webapp.AdfFacesFilterImpl._doFilterImpl(AdfFacesFilterImpl.java:336)
       at oracle.adfinternal.view.faces.webapp.AdfFacesFilterImpl.doFilter(AdfFacesFilterImpl.java:196)
       at oracle.adf.view.faces.webapp.AdfFacesFilter.doFilter(AdfFacesFilter.java:87)
       at com.evermind.server.http.EvermindFilterChain.doFilter(EvermindFilterChain.java:15)
       at oracle.itech.pil.utils.PILFilter.doFilter(PILFilter.java:124)
       at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:627)
       at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:376)
       at com.evermind.server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:870)
       at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:451)
       at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:299)
       at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:187)
       at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260)
       at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
       at java.lang.Thread.run(Thread.java:595)
       Nested exception is:
  java.lang.ClassCastException: oracle.itech.pil.utils.PILSessionEventManager
       at oracle.toplink.sessions.SessionEventManager.preExecuteQuery(SessionEventManager.java:508)
       at oracle.toplink.publicinterface.Session.executeQuery(Session.java:976)
       at oracle.toplink.publicinterface.Session.executeQuery(Session.java:938)
       at oracle.toplink.publicinterface.Session.readAllObjects(Session.java:2458)
       at oracle.itech.pil.ejb.SessionFacadeEJBBean.getLoginDetails(SessionFacadeEJBBean.java:399)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:585)
       at com.evermind.server.ejb.interceptor.joinpoint.EJBJoinPointImpl.invoke(EJBJoinPointImpl.java:35)
       at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:69)
       at com.evermind.server.ejb.interceptor.system.DMSInterceptor.invoke(DMSInterceptor.java:52)
       at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:69)
       at com.evermind.server.ejb.interceptor.system.TxSupportsInterceptor.invoke(TxSupportsInterceptor.java:37)
       at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:69)
       at com.evermind.server.ejb.interceptor.system.DMSInterceptor.invoke(DMSInterceptor.java:52)
       at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:69)
       at com.evermind.server.ejb.StatelessSessionEJBObject.OC4J_invokeMethod(StatelessSessionEJBObject.java:86)
       at SessionFacadeEJB_StatelessSessionBeanWrapper2.getLoginDetails(SessionFacadeEJB_StatelessSessionBeanWrapper2.java:172)
       at oracle.itech.pil.backing.LoginBB.LoginButton_action(LoginBB.java:182)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:585)
       at com.sun.faces.el.MethodBindingImpl.invoke(MethodBindingImpl.java:126)
       at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:72)
       at oracle.adf.view.faces.component.UIXCommand.broadcast(UIXCommand.java:211)
       at javax.faces.component.UIViewRoot.broadcastEvents(UIViewRoot.java:267)
       at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:381)
       at com.sun.faces.lifecycle.InvokeApplicationPhase.execute(InvokeApplicationPhase.java:75)
       at com.sun.faces.lifecycle.LifecycleImpl.phase(LifecycleImpl.java:200)
       at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:90)
       at javax.faces.webapp.FacesServlet.service(FacesServlet.java:197)
       at com.evermind.server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:64)
       at oracle.adfinternal.view.faces.webapp.AdfFacesFilterImpl._invokeDoFilter(AdfFacesFilterImpl.java:367)
       at oracle.adfinternal.view.faces.webapp.AdfFacesFilterImpl._doFilterImpl(AdfFacesFilterImpl.java:336)
       at oracle.adfinternal.view.faces.webapp.AdfFacesFilterImpl.doFilter(AdfFacesFilterImpl.java:196)
       at oracle.adf.view.faces.webapp.AdfFacesFilter.doFilter(AdfFacesFilter.java:87)
       at com.evermind.server.http.EvermindFilterChain.doFilter(EvermindFilterChain.java:15)
       at oracle.itech.pil.utils.PILFilter.doFilter(PILFilter.java:124)
       at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:627)
       at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:376)
       at com.evermind.server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:870)
       at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:451)
       at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:299)
       at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:187)
       at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260)
       at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
       at java.lang.Thread.run(Thread.java:595)
  Any clue why this error, which i am facing since 10 days to complete my task
  Thanks In Advance
  Prashant

  James, what Venkat and Prashant are trying to do is something like this...
  1. If I connect to the DB using scott/tiger then in the preLogin method of the Toplink Session Listener class, the proxy user will connect using something like admin/welcome1 and in the database audit view, the name that shows up SHOULD BE that of admin and NOT of scott. This is called proxy authentication if it works fine.
  We developed the above scenario but in the audit logs, we still see scott instead of admin as the user who connected.
  2. This feature is available in the DB but our objective is to use it through TopLink
  Also see Toplink Proxy Authentication Not Working
  I hope I was able to explain the scenario clearly.
  Any help will be appreciated
  Regards,
  Amit

• AAA authentication with RADIUS

  Hi,
  aaa authentication login user-list group radius local
  radius-server host 10.1.1.3 auth-port 1645 acct-port 1646 key xxxx
  radius-server deadtime 10
  If i add more radius-server host such as
  radius-server host 10.1.1.4 auth-port 1645 acct-port 1646 key xxxx
  1. Server 10.1.1.4 will be backup for server 10.1.1.3?
  2. Can i configure to be radius group?
  Thanks

  Hi,
  you can try the following:
  Router(config)# aaa group server radius
  Router(config-sg radius)# server 10.1.1.3
  Router(config-sg radius)# server 10.1.1.4
  when you configure the aaa group like this 10.1.1.3 will be primary and 10.1.1.4 is secondary
  Hope this helps.
  Regards,
  Anisha
  P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

• Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points

  Hi Guys,
  I would like to go for "Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points 1300". I want the AP to broadcast only 1 SSID. The client find the SSID ->put in his user credential->Raudius athentication->assign him to an specific vlan based on his groupship.
  The problem here is that I don't have a AP controller but only configurable Aironet Access Points 1300. I can connect to the radius server, but I am not sure how to confirgure the AP's port, radio port, vlan and SSID.
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#switch
  I go through some references:
  3.5  RADIUS-Based VLAN Access Control
  As discussed earlier, each SSID is mapped to a default VLAN-ID on the wired side. The IT administrator may wish to impose back end (such as RADIUS)-based VLAN access control using 802.1X or MAC address authentication mechanisms. For example, if the WLAN is set up such that all VLANs use 802.1X and similar encryption mechanisms for WLAN user access, then a user can "hop" from one VLAN to another by simply changing the SSID and successfully authenticating to the access point (using 802.1X). This may not be preferred if the WLAN user is confined to a particular VLAN.
  There are two different ways to implement RADIUS-based VLAN access control features:
  1. RADIUS-based SSID access control: Upon successful 802.1X or MAC address authentication, the RADIUS server passes back the allowed SSID list for the WLAN user to the access point or bridge. If the user used an SSID on the allowed SSID list, then the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the access point or bridge.
  2. RADIUS-based VLAN assignment: Upon successful 802.1X or MAC address authentication, the RADIUS server assigns the user to a predetermined VLAN-ID on the wired side. The SSID used for WLAN access doesn't matter because the user is always assigned to this predetermined VLAN-ID.
  extract from: Wireless Virtual LAN Deployment Guide
  http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00801444a1.html
  ==============================================================
  Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller Configuration Example
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#switch
  ==============================================================
  Controller: Wireless Domain Services Configuration
  http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml
  Any help on this issue is appreicated.
  Thanks.

  I'm not sure if the Autonomous APs have the option for AAA Override.  On the WLC, I can go into the BSSID, Security, Advanced, and there's a checkbox that I would check to allow a Radius server to send back the VLAN.
  I did a little research and it looks like the 1300 may give this option but instead is defined as "VLAN Override".  I've found the release notes for 12.3(7)JA5 (not sure what version you're running) that give mention and a link to configuring EAP on page 4: http://www.ciscosystems.ch/en/US/docs/wireless/access_point/1300/release/notes/o37ja5rn.pdf
  Hope this helps