SMB 300 switch - RADIUS authentication

Similar Messages

• STP Root Guard support on SMB 300 switches

  Hi,
  Does anybody know if STP Root Guard feature is supportted on SMB 300 switches? I was not able to find anything related to Root Guard on the administration guide.
  Thanks in advance,
  Burcu

  Hello Ayse,
  Currently the 300 series switches do not support Root Guard. One option is to set the Bridge priority on your switch to be higher, though this is not a guarantee.

• Help w/Voice VLAN on SMB 300-10p

  We have purchased serveral new SMB 300 switches to support our VoIP rollout and save cost. I'm use to using the CLI on cisco devices, but now i'm stuck figuring out the GUI that comes with these switches.
  I have setup the Voice VLAN to be 100, i have setup the port type as general, and i have added the port to VLAN 4 (data vlan). when i plug the NEC phone into the switchport and the computer into the phone, the computer gets an IP in VLAN 4 but the phone gets an IP from VLAN 1 not VLAN 100.
  Like i said i set the Voice VLAN to 100, but when i look at the Macro for the smartport it is saying the voice vlan is 1. Do i have to manually change the macro somehow? can i change the macro somehow?
  Sorry i don't have a lot of info in this post. If you need to know how anything else is configured just ask i'll post it up.
  Thanks
  Karl                  

  Hi Karl,
  You can use the serial db9 console cable that came with it for a hardwired connection (I use putty):
  Also you can enable telnet and/or ssh: Status and Statistics -> System Summary, look for TCP/UDP services status and then hit Edit, enable what you want, hit apply, and remember to save the config. Also, you can go right to Security -> TCP/UDP services to enable:
  Best,
  David
  Please remember to rate helpful posts and identify correct answers.

• Radius Authentication Cisco Switch

  Hi,
  I have a cisco 2960 switch and currently trying to setup radius authentication. My microsoft guy does the server side we have matching keys and he says there is no problem on his side, but we still canno get it to work.
  Config on switch
  aaa new-model
  aaa authentication login default group radius local
  radius-server host 10.0.0.13 auth-port 1812
  radius-server key 0 test
  line vty 0 4
  login authentication default
  switch and radius server are on the same network. I have done a debug and confused on the output. Can anyone point me in the right direction.
  I have done a debug aaa authentication and debug radius
  AccessSwitch#
  RADIUS/ENCODE(00001586):Orig. component type = Exec
  RADIUS:  AAA Unsupported Attr: interface         [221] 4   92269176
  RADIUS/ENCODE(00001586): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
  RADIUS(00001586): Config NAS IP: 0.0.0.0
  RADIUS(00001586): Config NAS IPv6: ::
  RADIUS/ENCODE(00001586): acct_session_id: 20
  RADIUS(00001586): sending
  RADIUS/ENCODE: Best Local IP-Address 10.0.0.56 for Radius-Server 10.0.0.13
  RADIUS(00001586): Sending a IPv4 Radius Packet
  RADIUS(00001586): Send Access-Request to 10.0.0.13:1812 id 1645/18,len 77
  RADIUS:  authenticator 7C B1 A0 55 62 45 7B AF - F2 E2 48 4C C3 F0 72 98
  RADIUS:  User-Name           [1]   15  "james.hoggard"
  RADIUS:  User-Password       [2]   18  *
  RADIUS:  NAS-Port            [5]   6   2
  RADIUS:  NAS-Port-Id         [87]  6   "tty2"
  RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
  RADIUS:  NAS-IP-Address      [4]   6   10.0.0.56
  RADIUS(00001586): Started 5 sec timeout
  RADIUS: Received from id 1645/18 10.0.0.13:1812, Access-Reject, len 20
  RADIUS:  authenticator 80 CE C9 C2 D6 30 65 A9 - 07 D8 12 4C 9E 80 A9 3C
  RADIUS(00001586): Received from id 1645/18
  AAA/AUTHEN/LOGIN (00001586): Pick method list 'default'
  RADIUS/ENCODE(00001586): ask "Password: "
  RADIUS/ENCODE(00001586): send packet; GET_PASSWORD
  Thanks
  James.

  yes, PAP always use plain text and that doesn't provide any kind of security.  However, administrative session with radius doesn't support chap/mschap.we can't configure firewall/IOS devices for aministration session like telnet/ssh to authenticate users on mschapv2 authentication method.
  If you need secure communication then you may implement TACACS.
  TACACS+ and RADIUS use a shared secret key to provide encryption for communication between the client and the server. RADIUS encrypts the user's password when the client made a request to the server. This encryption prevents someone from sniffing the user's password using a packet analyzer. However other information such as username and services that is being performed can be analyzed. TACACS+ encrypts not just only the entire payload when communicating, but it also encrypts the user's password between the client and the server. This makes it more difficult to decipher information about the communication between the client and the server. TACACS+ uses MD5 hash function in its encryption and decryption algorithm.
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• RADIUS authentication for SGE2010 switch

  I am trying to configure a SGE2010 switch to use RADIUS authentication. At the moment, the NPS (Windows Server 2008r2 RADIUS) server is receiving the access request and is returning an access accept.
  The switch does not let us log in.
  Cisco-sw1(config)# 09-Nov-2009 21:10:35 %AAA-W-REJECT: New telnet connection for
  user P@ssw0rd, source 192.168.10.213 destination   REJECTED
  Note: It is printing the user's password instead of the username.
  I suspect it is something to do with the cisco-AV-pair attribute. I have tried the following values but nothing works:
  Shell:priv-lvl=15
  Shell = 15
  Level = 15
  Relevant lines from switch configuration:
  radius-server host 192.168.1.23 key P@llssw0rd88
  aaa authentication enable default none
  aaa authentication login default radius
  Any help would be more than greatly appreciated.

  The problem isn't that it is rejecting me. Using network monitor I can see it is accepting the request but for some reason just won't log me in.
  A link was sent to me to another website where it show that you have to go into the settings tab of the policy and change the radius attribute
  to Service-Type Administrative.
  After doing that, I was able to log into the switch with any of the windows domain users I had specified.
  This is the link that gave me the answer
  http://wiki.freeradius.org/Linksys

• Is it possible to manage the switch SMB 300 series using Cisco Prime Infrastructure?

  Is it possible to manage the switch SMB 300 series using Cisco Prime Infrastructure 1.2?

  SF300 series is targeted for support in  PI 2.0.

• Radius authentication with ISE - wrong IP address

  Hello,
  We are using ISE for radius authentication.  I have setup a new Cisco switch stack at one of our locations and setup the network device in ISE.  Unfortunately, when trying to authenticate, the ISE logs show a failure of "Could not locate Network Device or AAA Client" The reason for this failure is the log shows it's coming from the wrong IP address.  The IP address of the switch is 10.xxx.aaa.241, but the logs show it is 10.xxx.aaa.243.  I have removed and re-added the radius configs on both ISE and the switch, but it still comes in as .243.  There is another switch stack at that location (same model, IOS etc), that works properly.
  The radius config on the switch:
  aaa new-model
  aaa authentication login default local
  aaa authentication login Comm group radius local
  aaa authentication enable default enable
  aaa authorization exec default group radius if-authenticated
  ip radius source-interface Vlanyy
  radius server 10.xxx.yyy.zzz
   address ipv4 10.xxx.yyy.zzz auth-port 1812 acct-port 1813
   key 7 abcdefg
  The log from ISE:
  Overview
  Event  5405 RADIUS Request dropped 
  Username  
  Endpoint Id  
  Endpoint Profile  
  Authorization Profile  
  Authentication Details
  Source Timestamp  2014-07-30 08:48:51.923 
  Received Timestamp  2014-07-30 08:48:51.923 
  Policy Server  ise
  Event  5405 RADIUS Request dropped 
  Failure Reason  11007 Could not locate Network Device or AAA Client 
  Resolution  Verify whether the Network Device or AAA client is configured in: Administration > Network Resources > Network Devices 
  Root cause  Could not find the network device or the AAA Client while accessing NAS by IP during authentication. 
  Username  
  User Type  
  Endpoint Id  
  Endpoint Profile  
  IP Address  
  Identity Store  
  Identity Group  
  Audit Session Id  
  Authentication Method  
  Authentication Protocol  
  Service Type  
  Network Device  
  Device Type  
  Location  
  NAS IP Address  10.xxx.aaa.243 
  NAS Port Id  tty2 
  NAS Port Type  Virtual 
  Authorization Profile  
  Posture Status  
  Security Group  
  Response Time  
  Other Attributes
  ConfigVersionId  107 
  Device Port  1645 
  DestinationPort  1812 
  Protocol  Radius 
  NAS-Port  2 
  AcsSessionID  ise1/186896437/1172639 
  Device IP Address  10.xxx.aaa.243 
  CiscoAVPair  
     Steps
    11001  Received RADIUS Access-Request 
    11017  RADIUS created a new session 
    11007  Could not locate Network Device or AAA Client 
    5405  
  As a test, I setup a device using the .243 address.  While ISE claims it authenticates, it really doesn't.  I have to use my local account to access the device.
  Any advice on how to resolve this issue would be appreciated.  Please let me know if more information is needed.

  Well from the debug I would say there may be an issue with the addressing of the radius server on the switch.
  radius-server host 10.xxx.xxx.xxx key******** <--- Make sure this address and Key matches what you have in ISE PSN and that switch. Watch for spaces in your key at the begining or end of the string.
  What interface should your switch be sending the radius request?
  ip radius source-interface VlanXXX vrf default
  Here is what my debug looks like when it is working correctly.
  Aug  4 15:58:47 EST: RADIUS/ENCODE(00000265): ask "Password: "
  Aug  4 15:58:47 EST: RADIUS/ENCODE(00000265):Orig. component type = EXEC
  Aug  4 15:58:47 EST: RADIUS(00000265): Config NAS IP: 10.xxx.xxx.251
  Aug  4 15:58:47 EST: RADIUS/ENCODE(00000265): acct_session_id: 613
  Aug  4 15:58:47 EST: RADIUS(00000265): sending
  Aug  4 15:58:47 EST: RADIUS(00000265): Send Access-Request to 10.xxx.xxx.35:1645 id 1645/110, len 104
  Aug  4 15:58:47 EST: RADIUS:  authenticator 97 FB CF 13 2E 6F 62 5D - 5B 10 1B BD BA EB C9 E3
  Aug  4 15:58:47 EST: RADIUS:  User-Name           [1]   9   "admin"
  Aug  4 15:58:47 EST: RADIUS:  Reply-Message       [18]  12 
  Aug  4 15:58:47 EST: RADIUS:   50 61 73 73 77 6F 72 64 3A 20        [ Password: ]
  Aug  4 15:58:47 EST: RADIUS:  User-Password       [2]   18  *
  Aug  4 15:58:47 EST: RADIUS:  NAS-Port            [5]   6   3                        
  Aug  4 15:58:47 EST: RADIUS:  NAS-Port-Id         [87]  6   "tty3"
  Aug  4 15:58:47 EST: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
  Aug  4 15:58:47 EST: RADIUS:  Calling-Station-Id  [31]  15  "10.xxx.xxx.100"
  Aug  4 15:58:47 EST: RADIUS:  Service-Type        [6]   6   Login                     [1]
  Aug  4 15:58:47 EST: RADIUS:  NAS-IP-Address      [4]   6   10.xxx.xxx.251           
  Aug  4 15:58:47 EST: RADIUS(00000265): Started 5 sec timeout
  Aug  4 15:58:47 EST: RADIUS: Received from id 1645/110 10.xxx.xxx.35:1645, Access-Accept, len 127
  Aug  4 15:58:47 EST: RADIUS:  authenticator 1B 98 AB 4F B1 F4 81 41 - 3D E1 E9 DB 33 52 54 C1
  Aug  4 15:58:47 EST: RADIUS:  User-Name           [1]   9   "admin"
  Aug  4 15:58:47 EST: RADIUS:  State               [24]  40 
  Aug  4 15:58:47 EST: RADIUS:   52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 61  [ReauthSession:0a]
  Aug  4 15:58:47 EST: RADIUS:   30 63 66 65 32 33 30 30 30 31 46 37 30 37 35 33  [0cfe230001F70753]
  Aug  4 15:58:47 EST: RADIUS:   44 46 45 35 46 37            [ DFE5F7]
  Aug  4 15:58:47 EST: RADIUS:  Class               [25]  58 
  Aug  4 15:58:47 EST: RADIUS:   43 41 43 53 3A 30 61 30 63 66 65 32 33 30 30 30  [CACS:0a0cfe23000]
  Aug  4 15:58:47 EST: RADIUS:   31 46 37 30 37 35 33 44 46 45 35 46 37 3A 50 52  [1F70753DFE5F7:PR]
  Aug  4 15:58:47 EST: RADIUS:   59 49 53 45 30 30 32 2F 31 39 33 37 39 34 36 39  [YISE002/19379469]
  Aug  4 15:58:47 EST: RADIUS:   38 2F 32 30 36 33 31 36          [ 8/206316]
  Aug  4 15:58:47 EST: RADIUS(00000265): Received from id 1645/110
  ---------------------------------------------------------------------------------------------------------------This is after I added the incorrect Radius server address.
  Aug  4 16:05:19 EST: RADIUS/ENCODE(00000268): ask "Password: "
  Aug  4 16:05:19 EST: RADIUS/ENCODE(00000268):Orig. component type = EXEC
  Aug  4 16:05:19 EST: RADIUS(00000268): Config NAS IP: 10.xxx.xxx.251
  Aug  4 16:05:19 EST: RADIUS/ENCODE(00000268): acct_session_id: 616
  Aug  4 16:05:19 EST: RADIUS(00000268): sending
  Aug  4 16:05:19 EST: RADIUS(00000268): Send Access-Request to 10.xxx.xxx.55:1645 id 1645/112, len 104
  Aug  4 16:05:19 EST: RADIUS:  authenticator FC 94 BA 5D 75 1F 84 08 - E0 56 05 3A 7F BC FB BB
  Aug  4 16:05:19 EST: RADIUS:  User-Name           [1]   9   "admin"
  Aug  4 16:05:19 EST: RADIUS:  Reply-Message       [18]  12 
  Aug  4 16:05:19 EST: RADIUS:   50 61 73 73 77 6F 72 64 3A 20        [ Password: ]
  Aug  4 16:05:19 EST: RADIUS:  User-Password       [2]   18  *
  Aug  4 16:05:19 EST: RADIUS:  NAS-Port            [5]   6   7                        
  Aug  4 16:05:19 EST: RADIUS:  NAS-Port-Id         [87]  6   "tty7"
  Aug  4 16:05:19 EST: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
  Aug  4 16:05:19 EST: RADIUS:  Calling-Station-Id  [31]  15  "10.xxx.xxx.100"
  Aug  4 16:05:19 EST: RADIUS:  Service-Type        [6]   6   Login                     [1]
  Aug  4 16:05:19 EST: RADIUS:  NAS-IP-Address      [4]   6   10.xxx.xxx.251           
  Aug  4 16:05:19 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:23 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:23 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:23 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:29 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:29 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:29 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:33 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:33 EST: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.xxx.xxx.55:1645,1646 is not responding.
  Aug  4 16:05:33 EST: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.xxx.xxx.55:1645,1646 is being marked alive.
  Aug  4 16:05:33 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:33 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:38 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:38 EST: RADIUS: Fail-over to (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:38 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:43 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:43 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:43 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:48 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:48 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:48 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:53 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:53 EST: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.xxx.xxx.55:1645,1646 is not responding.
  Aug  4 16:05:53 EST: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.xxx.xxx.55:1645,1646 is being marked alive.
  Aug  4 16:05:53 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:53 EST: RADIUS(00000268): Started 5 sec timeout
  Aug  4 16:05:57 EST: RADIUS(00000268): Request timed out
  Aug  4 16:05:57 EST: RADIUS: No response from (10.xxx.xxx.55:1645,1646) for id 1645/112
  Aug  4 16:05:57 EST: RADIUS/DECODE: parse response no app start; FAIL
  Aug  4 16:05:57 EST: RADIUS/DECODE: parse response; FAIL
  This is a default template I use for all my devices routers or switches hope it helps. I have two PSN's that is why we have two radius-server host commands..
  aaa authentication login vty group radius local enable
  aaa authentication login con group radius local enable
  aaa authentication dot1x default group radius
  aaa authorization network default group radius 
  aaa accounting system default start-stop group radius
  ip radius source-interface VlanXXX vrf default
  radius-server attribute 6 on-for-login-auth
  radius-server attribute 6 support-multiple
  radius-server attribute 8 include-in-access-req
  radius-server attribute 25 access-request include
  radius-server dead-criteria time 30 tries 3
  radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646 key *********
  radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646 key *********
  radius-server vsa send accounting
  radius-server vsa send authentication
  You can use this in the switch to test radius
  test aaa group radius server 10.xxx.xxx.xxx <username> <password>

• CSS - Radius authentication problem

  Hi,
  for a customer we need to configure Radius authentication working like this:
  - CSS administrator login to device at user level
  - then switch to "enable" mode using a superuser level account.
  First login to CSS with a Radius account at user level works fine, but (after enable command) the login at superuser level doesn't work neighter with Radius account nor with local superuser account.
  Ver.: 08.10.4.01
  This is the configuration:
  radius-server primary 10.113.212.17 secret XXX auth-port 1645
  radius-server source-interface 10.113.212.32
  sntp primary-server 10.113.205.1 version 3
  date european-date
  radius-server secondary 10.113.197.24 secret XXX auth-port 1645
  radius-server dead-time 15
  radius-server retransmit 15
  radius-server timeout 15
  virtual authentication primary radius
  virtual authentication secondary local
  username ZZZ des-password ZZZ superuser
  Any idea?
  Thanks in advance.

  is your server correctly configured as described at :
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.10/configuration/security/guide/Radius.html#wp1108380
  "From the Group Settings section of the Cisco Secure ACS HTML interface, click the IETF RADIUS Attributes, [006] Service-Type checkbox. Then select Administrative. Administrative is required to enable RADIUS authentication for privileged user (SuperUser) connection with the CSS. "
  Gilles.

• RADIUS authentication SF300-24P

  RADIUS authentication SF300-24P
  We have just purchased 20x SF300-24P switches to be installed at our remote offices and we are unable to get RADIUS authentication to work. We already use RADIUS on all our primary network CISCO switches (e.g. 4506s¸ 3560s, 3750s, AP1231Gs,etc) and these work fine so we know the RADIUS server is working.
  We are trying to use RADIUS authentication to gain management access onto these switches. Quite simply although we can see that the RADIUS server is accepting the username and password being sent, however the switch says “authentication failed” when to receives the response. We are using Microsoft NPS RADIUS Clients for authentication purposes.
  We have upgrade the switches to the latest firmware 1.1.2.0, via the console it seems to have a very cut down IOS version so we cannot use the typical CISCO command set to configure the RADIUS as we normally would. Looking at the web GUI there seems to be a number of options missing including the Accounting port. When debugging is switch on there is no indication to say that any of the settings have been misconfigured.
  Any advice you could offer would be gratefully received.
  Mike Lewis

  Here is the documentation excerpt-
  For the RADIUS server to grant access to the web-based switch configuration
  utility, the RADIUS server must return cisco-avpair = shell:priv-lvl=15.
  User authentication occurs in the order that the authentication methods are
  selected. If the first authentication method is not available, the next selected
  method is used. For example, if the selected authentication methods are RADIUS
  and Local, and all configured RADIUS servers are queried in priority order and do
  not reply, the user is authenticated locally.
  If an authentication method fails or the user has insufficient privilege level, the user
  is denied access to the switch. In other words, if authentication fails at an
  authentication method, the switch stops the authentication attempt; it does not
  continue and does not attempt to use the next authentication method.
  Of course the point of interest here is the second paragraph. The initial wording is the behavior you want. The second portion is very open for interpretation (I do agree it is somewhat ambiguous but consistent with the switch behavior). When I read the example and it says the Radius is busy or not responding then you will authenticate locally. Which seems fair enough. But what it doesn't say, is if you can use one or the other, but instead it seems based on preference failure.
  -Tom
  Please rate helpful posts

• Radius Authentication in ACS 5.2 with AD

  Friend,
  I have a questión about radius authenticaction with AD, when I log in into the network with user in AD and I make a mistake in password my radius authenticaction event in ACS 5.2 dont show me this logg. only show the authentication succeeded but dont show me the authentication failed. Maybe i must to enable same service to show the authentiaction failed. The Voice authetication works fine..
  This is the confg in the port of the switch:
  interface FastEthernet0/12
  switchport mode access
  switchport access vlan 2
  switchport voice vlan 10
  authentication port-control auto
  authentication host-mode multi-domain
  authentication violation protect
  authentication event fail action authorize vlan 11
  authentication event fail retry 2 action authorize vlan 11
  authentication event no-response action authorize vlan 11
  authentication periodic
  authentication timer reauthenticate 60
  mab
  dot1x pae authenticator
  dot1x timeout tx-period 10
  dot1x max-reauth-req 3
  spanning-tree portfast
  end
  Vlan 2: DATA
  Vlan 10: VOICE
  Vlan 11: GUEST
  thank...
  Marco

  Hi Marco,
  When you type in the wrong password do you see the login fail on the device you entered it? Depending on how you have configured fallback mechanisms on ACS, an attempt can still be permited eventhough the authentication failed.
  It would be best to take a look at the authentication steps under the RADIUS authentication log for an attempt you beleive should have failed to see what ACS is doing with the request.
  Steve.

• 802.1x RADIUS authentication problem with Cat 2950 to CiscoSecure ACS 3.3

  I wondered if anyone can help or shed any light on the following problem.
  I am getting an authentication error when doing a RADIUS authentication to CiscoSecure ACS 3.3 running on a Windows 2003 server, the authentication request is coming from a Catalyst 2950 switch which is doing 802.1x for Windows XP clients. This problem only happens when the XP client connects to 2950 switches, Cat 3550s and 3560s work fine.
  The Cat2950 is running 12.1.20 (EA1) which is more or less the latest IOS.
  The error I get from ACS 3.3 is "Invalid message authenticator in EAP request" when the 2950 tries to authenticate an XP client for 802.1x to the ACS server using RADIUS.
  Doing a RADIUS and 802.1x debug on the 2950 I see a message about 'Unknown EAP type', I am using PEAP on the XP client doing EAP-MS-CHAPv2 authentication, the same XP client authenticates fine with 3550 and 3560 switches problem only affects 2950s. Can anyone confirm the 2950 supports EAP-MS-CHAPv2?
  I have checked and re-checked the shared secret and it definitely matches on 2950 and ACS.
  One thing I noticed in the RADIUS debug is the 2950 sends 18 bytes for attribute 79 when the RFC defines attribute 79 should be 3 bytes or less, I don't know if this is related to the problem or is correct behaviour.

  Hi, I am new with 802.1x, and was hoping that someone would help with these queries:
  1. How is a certificate requested without being allowed on a network that is not authenticated with 802.1x. I had to first connect to an active network, retrieve a certificate with the proper username and password, and then physically connect to the port on the 2950 switch which was enabled to do 802.1x
  2. My config is as below:
  aaa new-model
  aaa authentication dot1x default group radius
  aaa authenication login default group radius
  dot1x system-auth-control
  interface f0/1
  switchport mode access
  dot1x port-control auto
  end
  I able to login using the radius server, so radius is working (on ports other than f1/0). However when connecting to f1/0, the port on the 2950 remains blocked.
  3. The certificate is issued by the ca server, is viewable via Internet explorer,and is issued to the correct username which is on the active directory.
  I even tried using local authenication with 802.1x, this did not work
  4. If I have a certificate, will this automatically give me access to the 802.1x port?
  5. I have windows 2000, and authenication is set to 'Smart Card or other certificate.
  Am I missing anything?
  Any advise will be greatly appreciated
  Chris

• RADIUS Authentication Error Across the Subnet

  Hi Guyz
  I have configured Microsoft Server 2012 R2 as a RADIUS for Cisco IOS Devices
  Server IP Address :  10.95.6.12
  Router IP Address Fa 0/0.192                    ---->>>    192.193.194.195
  Router IP Address Fa 0/0.6                          --->>>    10.95.6.1
  Switch IP Address VLAN 192                     ---->>>    192.193.194.2010.95.6.11
  Switch IP Address VLAN 6                          ---->>>    10.95.6.11
  When i access the Cisco Devices RADIUS CLIENT with 10.95.6.x Subnet, It works fine 
  When i access the Cisco Devices through RADIUS CLIENT 192.193.194.x Subnet, It does not pass through the RADIUS Authentication.
  Attached in the Picture i can not access the 192.193.194.20 Device but I can access 10.95.6.1 Device.  As soon as I change the IP Address 10.95.6.11 I can access the Device.
  Ping is successful across the  Routers / Switches and Server as well.  Below is unsuccessful debug details as well:
  ===
  Home_Switch#
  01:52:30: RADIUS/ENCODE(00000008): ask "Password: "
  Home_Switch#
  01:52:41: RADIUS/ENCODE(00000008):Orig. component type = EXEC
  01:52:41: RADIUS:  AAA Unsupported Attr: interface         [171] 4   
  01:52:41: RADIUS:   74 74                [ tt]
  01:52:41: RADIUS/ENCODE(00000008): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
  01:52:41: RADIUS(00000008): Config NAS IP: 0.0.0.0
  01:52:41: RADIUS/ENCODE(00000008): acct_session_id: 8
  01:52:41: RADIUS(00000008): sending
  01:52:41: RADIUS/ENCODE: Best Local IP-Address 10.95.6.11 for Radius-Server 10.95.6.12
  01:52:41: RADIUS(00000008): Send Access-Request to 10.95.6.12:1812 id 1645/6, len 85
  Home_Switch#
  01:52:41: RADIUS:  authenticator 95 FB 3F FE 79 BB AA D6 - C9 26 F4 EC 95 32 80 06
  01:52:41: RADIUS:  User-Name           [1]   7   "cisco"
  01:52:41: RADIUS:  User-Password       [2]   18  *
  01:52:41: RADIUS:  NAS-Port            [5]   6   2                         
  01:52:41: RADIUS:  NAS-Port-Id         [87]  6   "tty2"
  01:52:41: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
  01:52:41: RADIUS:  Calling-Station-Id  [31]  16  "192.193.194.50"
  01:52:41: RADIUS:  NAS-IP-Address      [4]   6   10.95.6.11                
  01:52:41: RADIUS(00000008): Started 5 sec timeout
  Home_Switch#
  01:52:46: RADIUS(00000008): Request timed out 
  01:52:46: RADIUS: Retransmit to (10.95.6.12:1812,1813) for id 1645/6
  01:52:46: RADIUS(00000008): Started 5 sec timeout
  Home_Switch#
  ===
  Any help will really appreciate. 

  Duplicate posts.  
  Go here:  http://supportforums.cisco.com/discussion/12154866/radius-authentication-error-across-subnet

• RADIUS Authentication

  Hi Everyone,
  I would like to implement RADIUS authentication for my companies Cisco devices. Could anybody give me some configuration examples of how to point my switches and routers at a RADIUS server, and also to attempt authentication against RADIUS. Only using a locally configured account if RADIUS fails?
  My undertsnading would be to use the following configuration;
  aaa new-model
  aaa authentication login default group radius local
  aaa accounting network default start-stop group radius
  radius-server host 1.1.1.1 auth-port 1812 acct-port 1813 key radius
  radius-server retransmit 3
  Thanks in advance,
  Dan

  Hello Dan,
  yours configuration seems to be OK..
  more info you can find here
  http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7ab.html

• RADIUS authentication for IDS admin

  Hi,
  We've decided to centralize our accounts and are using ACS to authenticate admin access to switches, firewalls and to the CS-MARS by RADIUS. I'd like to extend that authentication also to the IDSMs running on our switches and to our CSS1100 boxes. Can this be done? how about network sensor appliances (i.e. 4200)? I've looked into the documentation but haven't found what I'm looking for. Any help is appreciated.
  Thanks, Joe

  The current released versions of IPS does not support RADIUS authentication. However the support is being introduced in later versions like 7.1.x
  Madhu

• RADIUS authentication on IAS server

  I have a 1200 AP configured for RADIUS authentication on Microsoft IAS server but I am experiencing a problem getting clients authenticated. (Association is working fine.)
  The 1200 is connected to the IAS Server via an 837 router (no switch involved) and I am wondering if any RADIUS settings have to be configured on the 837 for AAA communication to pass through to the IAS server or will the requests pass through automatically?

  ScottMac is correct, if you're using IAS you need to use PEAP which requires a security cert. Microsoft provide a very nice toolkit of scripts and documents to simplify the installation and configuration of IAS, Cert Services, etc, etc, you can get it from here:
  http://www.microsoft.com/downloads/details.aspx?FamilyId=CDB639B3-010B-47E7-B234-A27CDA291DAD&displaylang=en