SSL VPN IP Address Assignment from IAS radius server

Can I use SSL VPN IP Address Assignment from IAS radius server?it can be done with acs server.are there some differ from the acs and IAS?

Hi,
I will suggest to setup a sniffer capture with ACS and look for the attribute that ACS sends for IP Address Assignment, once you know the attribute apply it on the IAS.
If you have any question do not hesitate to contact me.

Similar Messages

  • WLC WLAN Authentication from External RADIUS Server

    Dears,
    How to make WLC Receive PoD (Packet of Disconnect) from the RADIUS server to terminate the session and disconnect authenticating clients.
    Thanks,

    Hi Ahmed,
    Its not documented well, but here is it:
    CSCso52532 No Documentation for sending RADIUS Disconnect-Request (RFC 3576)
    . If a user has to be logged out then, following attributes are expected
      - SSH_RADIUS_AVP_SERVICE_TYPE(6) attribte with following value.
             SSH_RADIUS_SERVICE_TYPE_LOGIN(1)
           - SSH_RADIUS_AVP_CALLING_STATION_ID(31) - this is needed, if
                  we want to delete  particular user  session via particular device
                  (like PDA, Phone or PC)
           - SSH_RADIUS_AVP_USER_NAME(1)
    . If a management user has to be logged out then, following attributes
    are expected
      - SSH_RADIUS_AVP_SERVICE_TYPE(6) attribte with following value
      - SSH_RADIUS_SERVICE_TYPE_ADMINISTRATIVE
                          OR
       - SSH_RADIUS_SERVICE_TYPE_NAS_PROMPT
       - SSH_RADIUS_AVP_USER_NAME(1)
       - SSH_RADIUS_AVP_FRAMED_IP_ADDRESS(8)
    Eg:
    *Dec 17 12:59:08.926:   Packet contains 14 AVPs:
    *Dec 17 12:59:08.926:       AVP[01] User-Name................................user@domain (17 bytes)
    *Dec 17 12:59:08.926:       AVP[02] Nas-Port.................................0x0000000d (13) (4 bytes)
    *Dec 17 12:59:08.926:       AVP[03] Nas-Ip-Address...........................0x0a0047fb (167790587) (4 bytes)
    *Dec 17 12:59:08.926:       AVP[04] Framed-IP-Address........................0x0a003f1b (167788315) (4 bytes)
    *Dec 17 12:59:08.926:       AVP[05] NAS-Identifier...........................wlcRM_1 (7 bytes)
    *Dec 17 12:59:08.926:       AVP[06] Airespace / WLAN-Identifier..............0x00000004 (4) (4 bytes)
    *Dec 17 12:59:08.926:       AVP[07] Acct-Session-Id..........................4b2a1d0c/00:1c:26:cb:27:71/4 (28 bytes)
    *Dec 17 12:59:08.926:       AVP[08] Acct-Authentic...........................0x00000001 (1) (4 bytes)
    *Dec 17 12:59:08.926:       AVP[09] Tunnel-Type..............................0x0000000d (13) (4 bytes)
    *Dec 17 12:59:08.926:       AVP[10] Tunnel-Medium-Type.......................0x00000006 (6) (4 bytes)
    *Dec 17 12:59:08.926:       AVP[11] Tunnel-Group-Id..........................0x3633 (13875) (2 bytes)
    *Dec 17 12:59:08.926:       AVP[12] Acct-Status-Type.........................0x00000001 (1) (4 bytes)
    *Dec 17 12:59:08.926:       AVP[13] Calling-Station-Id.......................10.0.63.27 (10 bytes)
    *Dec 17 12:59:08.926:       AVP[14] Called-Station-Id........................10.0.71.251 (11 bytes)
    *Dec 17 12:59:10.943: 00:1c:26:cb:27:71 Accounting-Response received from RADIUS server 10.0.71.249 for mobile 00:1c:26:cb:27:71 receiveId = 0
    *Dec 17 12:59:34.044: Received a 'RFC-3576 Disconnect-Request' from 10.0.71.249
    *Dec 17 12:59:34.044:   Packet contains 6 AVPs:
    *Dec 17 12:59:34.044:       AVP[01] Nas-Ip-Address...........................0x0a0047fb (167790587) (4 bytes)
    *Dec 17 12:59:34.044:       AVP[02] User-Name................................user@domain (17 bytes)
    *Dec 17 12:59:34.044:       AVP[03] Acct-Session-Id..........................4b2a1d0c/00:1c:26:cb:27:71/4 (28 bytes)
    *Dec 17 12:59:34.044:       AVP[04] Calling-Station-Id.......................10.0.63.27 (10 bytes)
    *Dec 17 12:59:34.044:       AVP[05] Called-Station-Id........................10.0.71.251 (11 bytes)
    *Dec 17 12:59:34.044:       AVP[06] Service-Type.............................0x00000001 (1) (4 bytes)
    *Dec 17 12:59:34.044: Error cause 503 generated for 'RFC-3576 Disconnect-Request' from 10.0.71.249 (Session Identification attributes not valid)
    *Dec 17 12:59:34.045: Sent a 'RFC-3576 Disconnect-Nak' to 10.0.71.249:3799
    *Dec 17 12:59:36.561: ****Enter processIncomingMessages: response code=5
    **Share your knowledge. It’s a way to achieve immortality.
    --Dalai Lama**
    Please Rate if helpful.
    Regards
    Ed

  • Ip address assignment from IP Pool to common Username

    Hello
    Does anyone know if it is possible to assign IP addresses from an IP Address pool to a common username connected to the same NAS device multiple times?
    The scenario is that there are multiple GPRS devices with a "common" configuration connecting to the network using a common username. The IP address assignment is being done via IP Address Pools.
    It looks like the same IP address is being assigned each time the common user logs in, causing routing issues.
    Thanks
    Mark

    With CiscoSecure GRS, the ISP can assign the IP address. When the ISP assigns the IP address, the IP address is the same regardless of the NAS into which the user dials.

  • 802.1x authetication with dynamic Vlan assignment by a radius server

    Hi
    At school I want to start using 802.1x authentication with dynamic Vlan assignment by a Windows Server 2012R2 Radius server.
    When a student logs in, I want it to be placed in the "Students" Vlan, when a Administrative employee logs in, I want it to be placed in the "Administative" vlan and when the client is unknown I want to place it in the "Guest" Vlan.
    I have several SG200 switches and I configured everything as mentioned in the administrative guide but I cannot get it to work as desired.
    What does work:
    - If the client is permitted, the switch changes to "authorized" state. (before anyone logs on to the domain with that client)
    - When a User logs on that is part of the Administrative employees, the switch changes to "authorized" and when a student logs on, it changes to "unauthorized". 
    So far so good.
    But what doesn't work:
    - it does not put the administrative employee in the Vlan "Administrative", it just enables the port on the switch but leaves it in the default vlan 1.
    - I can not find the Guest VLAN.
    Any help would be appriciated.

    Hi Wouter,
    Can you see in the packet capture Radius accept message VLAN attribute? Also please ensure you have the latest firmware and boot code:
    http://www.cisco.com/c/en/us/support/switches/sg200-26-26-port-gigabit-smart-switch/model.html#~rdtab1
    I would recommend you to open ticket with Small Business team so they can go with you through packet capture and configuration steps:
    http://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html
    Regards,
    Aleksandra 

  • Problem establishing SSL VPN from only 1 IP address

    Hi,
    I'm experiencing strange problem.
    I can't establish SSL VPN connection from 1 IP address, but I don't have problem establishing SSL VPN from any other IP address.
    Remote IP address: 10.0.0.1
    ASA's public IP address: 192.168.1.1
    Output of packet-tracer:
    1. with problematic source IP address:
    packet-tracer input wan tcp 10.0.0.1 50601 192.168.1.1 443 detailed
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.1.1   255.255.255.255 identity
    Phase: 2
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0x7fff37573f00, priority=119, domain=permit, deny=false
            hits=861, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=443, dscp=0x0
            input_ifc=wan, output_ifc=identity
    Phase: 3
    Type: CONN-SETTINGS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0x7fff38a10a50, priority=8, domain=conn-set, deny=false
            hits=4069, user_data=0x7fff38770910, cs_id=0x0, reverse, flags=0x0, protocol=6
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=192.168.1.1, mask=255.255.255.255, port=443, dscp=0x0
            input_ifc=wan, output_ifc=identity
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0x7fff395c7d70, priority=0, domain=inspect-ip-options, deny=true
            hits=4044934, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
            input_ifc=wan, output_ifc=any
    Phase: 5
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0x7fff37560700, priority=13, domain=ipsec-tunnel-flow, deny=true
            hits=2268518, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
            input_ifc=wan, output_ifc=any
    Phase: 6
    Type: TCP-MODULE
    Subtype: webvpn
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0x7fff38a10cc0, priority=13, domain=soft-np-tcp-module, deny=false
            hits=4627, user_data=0x7fff38c14300, cs_id=0x0, reverse, flags=0x0, protocol=6
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=192.168.1.1, mask=255.255.255.255, port=443, dscp=0x0
            input_ifc=wan, output_ifc=identity
    Phase: 7
    Type: VPN
    Subtype: encrypt
    Result: DROP
    Config:
    Additional Information:
    Reverse Flow based lookup yields rule:
    out id=0x7fff375504a0, priority=69, domain=encrypt, deny=false
            hits=40747, user_data=0x0, cs_id=0x7fff3754fa40, reverse, flags=0x0, protocol=0
            src ip/id=192.168.1.1, mask=255.255.255.255, port=0
            dst ip/id=10.0.0.1, mask=255.255.255.255, port=0, dscp=0x0
            input_ifc=any, output_ifc=wan
    Result:
    input-interface: wan
    input-status: up
    input-line-status: up
    output-interface: NP Identity Ifc
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    If I run packet-tracer with any other source IP address, let's say 10.0.0.2, everything is OK:
    packet-tracer input wan tcp 10.0.0.2 50601 192.168.1.1 443 de
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.1.1   255.255.255.255 identity
    Phase: 2
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0x7fff37573f00, priority=119, domain=permit, deny=false
            hits=862, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=443, dscp=0x0
            input_ifc=wan, output_ifc=identity
    Phase: 3
    Type: CONN-SETTINGS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0x7fff38a10a50, priority=8, domain=conn-set, deny=false
            hits=4090, user_data=0x7fff38770910, cs_id=0x0, reverse, flags=0x0, protocol=6
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=192.168.1.1, mask=255.255.255.255, port=443, dscp=0x0
            input_ifc=wan, output_ifc=identity
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0x7fff395c7d70, priority=0, domain=inspect-ip-options, deny=true
            hits=4047886, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
            input_ifc=wan, output_ifc=any
    Phase: 5
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0x7fff37560700, priority=13, domain=ipsec-tunnel-flow, deny=true
            hits=2270040, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
            input_ifc=wan, output_ifc=any
    Phase: 6
    Type: TCP-MODULE
    Subtype: webvpn
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0x7fff38a10cc0, priority=13, domain=soft-np-tcp-module, deny=false
            hits=4648, user_data=0x7fff38c14300, cs_id=0x0, reverse, flags=0x0, protocol=6
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=192.168.1.1, mask=255.255.255.255, port=443, dscp=0x0
            input_ifc=wan, output_ifc=identity
    Phase: 7
    Type: USER-STATISTICS
    Subtype: user-statistics
    Result: ALLOW
    Config:
    Additional Information:
    Reverse Flow based lookup yields rule:
    out id=0x7fff3a1cc320, priority=0, domain=user-statistics, deny=false
            hits=4902651, user_data=0x7fff3a0043c0, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
            input_ifc=any, output_ifc=wan
    Phase: 8
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 4384689, packet dispatched to next module
    Module information for forward flow ...
    snp_fp_tracer_drop
    snp_fp_inspect_ip_options
    snp_fp_tcp_normalizer
    snp_fp_tcp_mod
    snp_fp_adjacency
    snp_fp_fragment
    snp_fp_drop
    Module information for reverse flow ...
    snp_fp_tracer_drop
    snp_fp_inspect_ip_options
    snp_fp_tcp_normalizer
    snp_fp_adjacency
    snp_fp_fragment
    snp_ifc_stat
    Result:
    input-interface: wan
    input-status: up
    input-line-status: up
    output-interface: NP Identity Ifc
    output-status: up
    output-line-status: up
    Action: allow
    I run packet capture on WAN interface - and I can only see incoming packets (SYN) with destination to tcp/443 but there isn't any outgoing packet (SYN/ACK).
    I even can't open web page from internet browser (url https://192.168.1.1) when source IP is 10.0.0.1, but I can open "SSL VPN Service" web page from any other source IP address.
    The only thing different with this IP address is that there's configured site-to-site (IPsec) vpn tunnel from same source to same destination IP address.
    Here is the configuration of the tunnel:
    group-policy GroupPolicy_10.0.0.1 internal
    group-policy GroupPolicy_10.0.0.1 attributes
    vpn-filter value VPN-ACL
    vpn-tunnel-protocol ikev1 ssl-client
    access-list VPN-ACL:
    access-list VPN-ACL extended permit ip object-group DM_INLINE_NETWORK_83 object-group DM_INLINE_NETWORK_84
    object-group network DM_INLINE_NETWORK_83
    network-object 10.11.217.0 255.255.255.0
    network-object 192.168.201.0 255.255.255.0
    object-group network DM_INLINE_NETWORK_84
    network-object 10.11.217.0 255.255.255.0
    network-object 192.168.201.0 255.255.255.0
    tunnel local & remote networks:
    access-list wan_cryptomap_5 extended permit ip 10.11.217.0 255.255.255.0 192.168.201.0 255.255.255.0
    crypto map wan_map 5 match address wan_cryptomap_5
    crypto map wan_map 5 set connection-type answer-only
    crypto map wan_map 5 set peer 10.0.0.1
    crypto map wan_map 5 set ikev1 transform-set ESP-3DES-SHA
    I've configured the same setup in my lab and I can't reproduce the error.
    The SW version running on ASA is asa861-12.
    I'm out of ideas.

    Just collected some other information:
    1. traceroute shows that traffic is not leaving ASA at all
    1   *  *  *
    2   *  *  *
    3   *  *  *
    I double checked that there is no "strange" entry for remote public IP in routing. Traffic with destination to remote IP should be sent via default gateway like all other traffic.
    2. debug crypto ipsec shows this information when I ping public IP address of the remote host (with VPN
    IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=192.168.1.1, sport=30647, daddr=10.0.0.1, dport=30647
    IPSEC(crypto_map_check)-5: Checking crypto map wan_map 1: skipping because 5-tuple does not match ACL wan_cryptomap_1.
    IPSEC(crypto_map_check)-5: Checking crypto map wan_map 2: skipping because 5-tuple does not match ACL wan_cryptomap_2.
    IPSEC(crypto_map_check)-5: Checking crypto map wan_map 3: skipping because 5-tuple does not match ACL wan_cryptomap_3.
    IPSEC(crypto_map_check)-5: Checking crypto map wan_map 4: skipping because 5-tuple does not match ACL wan_cryptomap_4.
    IPSEC(crypto_map_check)-5: Checking crypto map wan_map 5: skipping dormant map.
    IPSEC(crypto_map_check)-5: Checking crypto map wan_map 5: skipping dormant map.
    IPSEC(crypto_map_check)-5: Checking crypto map wan_map 6: skipping because 5-tuple does not match ACL wan_cryptomap_6.
    IPSEC(crypto_map_check)-5: Checking crypto map wan_map 7: skipping because 5-tuple does not match ACL wan_cryptomap_7.
    IPSEC(crypto_map_check)-5: Checking crypto map wan_map 8: skipping because 5-tuple does not match ACL wan_cryptomap_8.
    IPSEC(crypto_map_check)-5: Checking crypto map wan_map 9: skipping because 5-tuple does not match ACL wan_cryptomap_9.
    IPSEC(crypto_map_check)-5: Checking crypto map wan_map 10: skipping because 5-tuple does not match ACL wan_cryptomap_10.
    IPSEC(crypto_map_check)-5: Checking crypto map wan_map 11: skipping because 5-tuple does not match ACL wan_cryptomap_11.
    IPSEC(crypto_map_check)-5: Checking crypto map wan_map 13: skipping because 5-tuple does not match ACL wan_cryptomap_13.
    IPSEC(crypto_map_check)-5: Checking crypto map wan_map 65535: skipping dynamic_link.
    IPSEC(crypto_map_check)-1: Error: No crypto map matched.
    It really seems that the whole problem is that ASA is trying to encrypt traffic sent from public IP address of one VPN endpoint and targeted to public IP address of another VPN endpoint and send it to remote VPN endpoint via IPcec tunel.
    There is indeed VPN tunnel established between both VPN endpoints, but there are just local and remote networks defined with private IP address space for this tunnel, VPN endpoint's public IP addresses are not included in the definition of this IPsec VPN tunnel.
    And there are at least two more IPsec VPN tunnels configured the same way and I can't reprodure this error on there two VPN tunnels.
    Any idea?

  • Cannot ping IAS RADIUS from WLC 2504

    I'm having some weird issues where I cannot ping from the WLC to the IAS RADIUS server.  All of my clients cannot connect, but from the switch, router, RADIUS server, and hard wired clients, I can ping to the WLC and RADIUS server.  The only thing that cannot ping the RADIUS server is the WLC itself.  Nothing in the FW is blocking connectivity.  Any ideas?
    (Cisco Controller) >show radius summ
    Vendor Id Backward Compatibility................. Disabled
    Call Station Id Case............................. lower
    Call Station Id Type............................. IP Address
    Aggressive Failover.............................. Disabled
    Keywrap.......................................... Disabled
    Fallback Test:
        Test Mode.................................... Off
        Probe User Name.............................. cisco-probe
        Interval (in seconds)........................ 300
    MAC Delimiter for Authentication Messages........ none
    MAC Delimiter for Accounting Messages............ hyphen
    Authentication Servers
    Idx  Type  Server Address    Port    State     Tout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
    1    NM    10.10.50.63       1645    Enabled   5     Enabled   Disabled - none/unknown/group-0/0 none/none
    2    NM    10.10.50.130      1645    Enabled   5     Enabled   Disabled - none/unknown/group-0/0 none/none
    Accounting Servers
    Idx  Type  Server Address    Port    State     Tout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
    1      N     10.10.50.63       1646    Enabled   5     N/A       Disabled - none/unknown/group-0/0 none/none
    2      N     10.10.50.130      1646    Enabled   5     N/A       Disabled - none/unknown/group-0/0 none/none

    It's in the arp cache through the default router
    (Cisco Controller) >show interface detailed management
    Interface Name................................... management
    MAC Address...................................... d0:c2:82:df:5b:c0
    IP Address....................................... 10.30.72.250
    IP Netmask....................................... 255.255.255.0
    IP Gateway....................................... 10.30.72.1
    External NAT IP State............................ Disabled
    External NAT IP Address.......................... 0.0.0.0
    VLAN............................................. untagged
    Quarantine-vlan.................................. 0
    Active Physical Port............................. 1
    Primary Physical Port............................ 1
    Backup Physical Port............................. Unconfigured
    Primary DHCP Server.............................. 10.10.10.65
    Secondary DHCP Server............................ Unconfigured
    DHCP Option 82................................... Disabled
    ACL.............................................. Unconfigured
    AP Manager....................................... Yes
    Guest Interface.................................. No
    L2 Multicast..................................... Disabled
    (Cisco Controller) >show arp switch
    Number of arp entries................................ 19
        MAC Address        IP Address     Port   VLAN   Type
    50:57:A8:D6:DE:C0   10.10.19.1       1      5      Host
    50:57:A8:D6:DE:C0   10.10.20.138     1      5      Host
    50:57:A8:D6:DE:C0   10.10.50.63      1      5      Host
    64:00:F1:08:A0:D0   10.30.72.1       1      0      Host
    50:57:A8:9E:B5:CD   10.30.72.40      1      0      Host
    50:57:A8:A1:7B:C5   10.30.72.44      1      0      Host
    50:57:A8:9E:99:78   10.30.72.48      1      0      Host
    50:57:A8:3B:66:E3   10.30.72.49      1      0      Host
    00:07:7D:43:23:DA   10.30.72.58      1      0      Host
    50:57:A8:9E:B6:1D   10.30.72.59      1      0      Host
    50:57:A8:9E:95:C5   10.30.72.60      1      0      Host
    50:57:A8:A1:7C:0D   10.30.72.61      1      0      Host
    00:07:7D:65:36:DD   10.30.72.62      1      0      Host
    50:57:A8:44:57:0C   10.30.72.63      1      0      Host
    50:57:A8:CA:CC:01   10.30.72.64      1      0      Host

  • Managing Prime Infrastructure 1.2 with MS IAS Radius

    HI,
    I have configured the PI 1.2il MS IAS radius server to authenticate machine with the management domain credentials.
    When I needed to migrate the atuthenticatione from local to radius mode and I went to AAA and I select "with Radius server."
    On the MS IAS I imported the tasks for users with role lobby ambassador and when I turned on the authentication mode in PI 1.2 with AAA Radius Server, the user was able to authenticate properly.
    When I imported Admin or Root tasks on the server could not let the user management interface in Prime.
    there is a documentation update?
    Regards
    Andrea

    I wrote about this some time ago.  Its based on NPS but you should be able to tweak it for IAS as well.
    http://technologyordie.com/windows-nps-radius-authentication-of-cisco-prime-infrastructure
    - Be sure to rate all helpful posts

  • EAP-TLS on WLC 5508 agains IAS RADIUS

    /* Style Definitions */
    table.MsoNormalTable
    {mso-style-name:"Table Normal";
    mso-tstyle-rowband-size:0;
    mso-tstyle-colband-size:0;
    mso-style-noshow:yes;
    mso-style-priority:99;
    mso-style-qformat:yes;
    mso-style-parent:"";
    mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
    mso-para-margin-top:0cm;
    mso-para-margin-right:0cm;
    mso-para-margin-bottom:10.0pt;
    mso-para-margin-left:0cm;
    line-height:115%;
    mso-pagination:widow-orphan;
    font-size:11.0pt;
    font-family:"Calibri","sans-serif";
    mso-ascii-font-family:Calibri;
    mso-ascii-theme-font:minor-latin;
    mso-fareast-font-family:"Times New Roman";
    mso-fareast-theme-font:minor-fareast;
    mso-hansi-font-family:Calibri;
    mso-hansi-theme-font:minor-latin;
    mso-bidi-font-family:"Times New Roman";
    mso-bidi-theme-font:minor-bidi;}
    Hi, anyone experienced issue like this?
    I am installing a WLC 5508 using EAP-TLS authentication with an IAS Radius server.
    I got “Access-Accept” debug message received from RADIUS server.
    However the wireless client failed to connect.
    Below is partially the debug message from the WLC
    Any feedbacks are welcome
    *Oct 07 15:08:24.403:     Callback.....................................0x10c527d0
    *Oct 07 15:08:24.403:     protocolType.................................0x00140001
    *Oct 07 15:08:24.403:     proxyState...................................00:19:7D:72:B4:3B-09:00
    *Oct 07 15:08:24.403:     Packet contains 12 AVPs (not shown)
    *Oct 07 15:08:24.403: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
    *Oct 07 15:08:24.404: 00:19:7d:72:b4:3b Successful transmission of Authentication Packet (id 101) to 10.86.8.105:1812, proxy state 00:19:7d:72:b4:3b-00:00
    *Oct 07 15:08:24.404: 00000000: 01 65 00 d2 d0 bc 95 1b  f7 c9 71 dd 32 cb b7 0a  .e........q.2...
    *Oct 07 15:08:24.404: 00000010: 52 eb 0c 3e 01 22 68 6f  73 74 2f 49 44 31 30 2d  R..>."host/ID10-
    *Oct 07 15:08:24.404: 00000020: 30 41 46 4a 30 33 31 2e  65 75 63 2e 6e 65 73 74  0AFJ031.euc.test
    *Oct 07 15:08:24.404: 00000030: 6c 65 2e 63 6f 6d 1f 13  30 30 2d 31 39 2d 37 64  01.com..00-19-7d
    *Oct 07 15:08:24.404: 00000040: 2d 37 32 2d 62 34 2d 33  62 1e 1a 30 30 2d 33 61  -72-b4-3b..00-3a
    *Oct 07 15:08:24.404: 00000050: 2d 39 38 2d 39 35 2d 34  36 2d 35 30 3a 57 57 53  -98-95-46-50:TES
    *Oct 07 15:08:24.404: 00000060: 33 30 30 05 06 00 00 00  01 04 06 0a 56 0c d2 20  300.........V...
    *Oct 07 15:08:24.404: 00000070: 0c 49 44 48 4f 4a 58 43  30 30 31 1a 0c 00 00 37  .IDHOJXC001....7
    *Oct 07 15:08:24.404: 00000080: 63 01 06 00 00 00 01 06  06 00 00 00 02 0c 06 00  c...............
    *Oct 07 15:08:24.404: 00000090: 00 05 14 3d 06 00 00 00  13 4f 27 02 03 00 25 01  ...=.....O'...%.
    *Oct 07 15:08:24.404: 000000a0: 68 6f 73 74 2f 49 44 31  30 2d 30 41 46 4a 30 33  host/ID10-0AFJ03
    *Oct 07 15:08:24.404: 000000b0: 31 2e 65 75 63 2e 6e 65  73 74 6c 65 2e 63 6f 6d  1.euc.nestle.com
    *Oct 07 15:08:24.404: 000000c0: 50 12 80 be 54 a7 26 52  8e 63 0f 2f 87 a5 78 53  P...T.&R.c./..xS
    *Oct 07 15:08:24.404: 000000d0: 68 6e                                             hn
    *Oct 07 15:08:24.405: 00000000: 02 65 00 34 3e c1 67 35  f7 be 57 75 43 ce 19 ca  .e.4>.g5..WuC...
    *Oct 07 15:08:24.405: 00000010: 83 5d 83 95 19 20 31 b1  03 a2 00 00 01 37 00 01  .]....1......7..
    *Oct 07 15:08:24.405: 00000020: 0a 56 08 69 01 cb 63 8b  13 1e 16 37 00 00 00 00  .V.i..c....7....
    *Oct 07 15:08:24.405: 00000030: 00 00 00 5f                                       ..._
    *Oct 07 15:08:24.405: ****Enter processIncomingMessages: response code=2
    *Oct 07 15:08:24.405: ****Enter processRadiusResponse: response code=2
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Access-Accept received from RADIUS server 10.86.8.105 for mobile 00:19:7d:72:b4:3b receiveId = 9
    *Oct 07 15:08:24.405: AuthorizationResponse: 0x1524b3d8
    *Oct 07 15:08:24.405:     structureSize................................78
    *Oct 07 15:08:24.405:     resultCode...................................0
    *Oct 07 15:08:24.405:     protocolUsed.................................0x00000001
    *Oct 07 15:08:24.405:     proxyState...................................00:19:7D:72:B4:3B-09:00
    *Oct 07 15:08:24.405:     Packet contains 1 AVPs:
    *Oct 07 15:08:24.405:         AVP[01] Class....................................DATA (30 bytes)
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Applying new AAA override for station 00:19:7d:72:b4:3b
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Override values for station 00:19:7d:72:b4:3b
        source: 4, valid bits: 0x0
        qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
        dataAvgC: -1, rTAvgC
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Inserting new RADIUS override into chain for station 00:19:7d:72:b4:3b
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Override values for station 00:19:7d:72:b4:3b
        source: 4, valid bits: 0x0
        qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
        dataAvgC: -1, rTAvgC
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message  to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
    *Oct 07 15:08:24.405: 00000000: 01 00 00 04 03 ff 00 04                           ........
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message  to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
    *Oct 07 15:08:24.405: 00000000: 01 03 00 5f fe 00 89 00  20 00 00 00 00 00 00 00  ..._............
    *Oct 07 15:08:24.405: 00000010: 00 3e 5d 2a e3 2a c2 22  71 0b 06 e8 42 6c 3c bf  .>]*.*."q...Bl<.
    *Oct 07 15:08:24.405: 00000020: 45 1e 5c e7 a1 68 ae 0c  c0 9f 22 ce 0c 3e 96 45  E.\..h...."..>.E
    *Oct 07 15:08:24.405: 00000030: ee 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:24.405: 00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:24.405: 00000050: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:24.405: 00000060: 00 00 00                                          ...
    *Oct 07 15:08:25.316: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message  to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
    *Oct 07 15:08:25.317: 00000000: 01 03 00 5f fe 00 89 00  20 00 00 00 00 00 00 00  ..._............
    *Oct 07 15:08:25.317: 00000010: 01 3e 5d 2a e3 2a c2 22  71 0b 06 e8 42 6c 3c bf  .>]*.*."q...Bl<.
    *Oct 07 15:08:25.317: 00000020: 45 1e 5c e7 a1 68 ae 0c  c0 9f 22 ce 0c 3e 96 45  E.\..h...."..>.E
    *Oct 07 15:08:25.317: 00000030: ee 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:25.317: 00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:25.317: 00000050: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:25.317: 00000060: 00 00 00                                          ...
    *Oct 07 15:08:26.317: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message  to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
    *Oct 07 15:08:26.317: 00000000: 01 03 00 5f fe 00 89 00  20 00 00 00 00 00 00 00  ..._............
    *Oct 07 15:08:26.317: 00000010: 02 3e 5d 2a e3 2a c2 22  71 0b 06 e8 42 6c 3c bf  .>]*.*."q...Bl<.
    *Oct 07 15:08:26.317: 00000020: 45 1e 5c e7 a1 68 ae 0c  c0 9f 22 ce 0c 3e 96 45  E.\..h...."..>.E
    *Oct 07 15:08:26.317: 00000030: ee 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:26.317: 00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:26.317: 00000050: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:26.317: 00000060: 00 00 00                                          ...
    *Oct 07 15:08:27.753: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message  to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
    *Oct 07 15:08:27.753: 00000000: 01 00 00 30 01 01 00 30  01 00 6e 65 74 77 6f 72  ...0...0..networ
    *Oct 07 15:08:27.753: 00000010: 6b 69 64 3d 57 57 53 33  30 30 2c 6e 61 73 69 64  kid=TES300,nasid
    *Oct 07 15:08:27.753: 00000020: 3d 49 44 48 4f 4a 58 43  30 30 31 2c 70 6f 72 74  =IDHOJXC001,port
    *Oct 07 15:08:27.753: 00000030: 69 64 3d 31                                            id=1
    *Oct 07 15:08:27.760: 00:19:7d:72:b4:3b Received 802.11 EAPOL message (len 5) from mobile 00:19:7d:72:b4:3b
    *Oct 07 15:08:27.760: 00000000: 01 01 00 00 00                                    .....
    *Oct 07 15:08:27.760: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message  to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
    *Oct 07 15:08:27.760: 00000000: 01 00 00 30 01 02 00 30  01 00 6e 65 74 77 6f 72  ...0...0..networ
    *Oct 07 15:08:27.760: 00000010: 6b 69 64 3d 57 57 53 33  30 30 2c 6e 61 73 69 64  kid=TES300,nasid
    *Oct 07 15:08:27.760: 00000020: 3d 49 44 48 4f 4a 58 43  30 30 31 2c 70 6f 72 74  =IDHOJXC001,port
    *Oct 07 15:08:27.760: 00000030: 69 64 3d 31                                       id=1
    *Oct 07 15:08:27.762: 00:19:7d:72:b4:3b Received 802.11 EAPOL message (len 41) from mobile 00:19:7d:72:b4:3b
    *Oct 07 15:08:27.762: 00000000: 01 00 00 25 02 01 00 25  01 68 6f 73 74 2f 49 44  ...%...%.host/ID
    *Oct 07 15:08:27.762: 00000010: 31 30 2d 30 41 46 4a 30  33 31 2e 65 75 63 2e 6e  10-0AFJ031.euc.t
    *Oct 07 15:08:27.762: 00000020: 65 73 74 6c 65 2e 63 6f  6d                       est01.com
    *Oct 07 15:08:27.764: 00:19:7d:72:b4:3b Received 802.11 EAPOL message (len 41) from mobile 00:19:7d:72:b4:3b
    *Oct 07 15:08:27.764: 00000000: 01 00 00 25 02 02 00 25  01 68 6f 73 74 2f 49 44  ...%...%.host/ID
    *Oct 07 15:08:27.764: 00000010: 31 30 2d 30 41 46 4a 30  33 31 2e 65 75 63 2e 6e  10-0AFJ031.euc.t
    *Oct 07 15:08:27.764: 00000020: 65 73 74 6c 65 2e 63 6f  6d                       est01.com
    *Oct 07 15:08:27.765: AuthenticationRequest: 0x1ad0b36c

    Thanks for your reply jedubois
    Really appreciate it.
    I have tried to change the value for EAPOL-Key Timeout, still the client won't connect.
    Below are the outputs for the eap advanced config
    (Cisco Controller) >show advanced eap
    EAP-Identity-Request Timeout (seconds)........... 30
    EAP-Identity-Request Max Retries................. 2
    EAP Key-Index for Dynamic WEP.................... 0
    EAP Max-Login Ignore Identity Response........... enable
    EAP-Request Timeout (seconds).................... 30
    EAP-Request Max Retries.......................... 2
    EAPOL-Key Timeout (milliseconds)................. 5000
    EAPOL-Key Max Retries............................ 2
    (Cisco Controller) >
    Any other suggestion?

  • Waiting ACK from Radius Server before sending traffic

    Hello,
    After receiving the access accept from the Radus, the AS give the IP address to the client/user and send a Accounting Start to the Radus Server.
    I just want to know if is possible for the AS to wait the Ack of the Accounting Start from the Radius Server, before forwarding the client traffic to the destination.
    I see some documentation in the web and I find:
    aaa dnis map xxx accounting network wait-start group YYY..
    Is this the right thing to do? If I use ? after network this option doesn't appear.
    The IOS is: 5300-j-mz.122-11.T2.bin
    Thanks a lot
    Ira
    Ira

    Yes, I think its possible to start the accounting after receiving ack from radius server.For this, the command will be,
    router(config)#aaa accounting "what-to-track info" wait-start "where-to-send info".
    This wait-start cmd says that wait for receiving the ack from server before staring the accounting process.

  • Cisco AAA authentication with windows radius server

    Cisco - Windows Radius problems
    I need to created a limited access group through radius that I can have new network analysts log into
    and not be able to commit changes or get into global config.
    Here are my current radius settings
    aaa new-model
    aaa group server radius IAS
     server name something.corp
    aaa authentication login USERS local group IAS
    aaa authorization exec USERS local group IAS
    radius server something.corp
     address ipv4 1.1.1.1 auth-port 1812 acct-port 1813
     key mypassword
    line vty 0 4
     access-class 1 in
     exec-timeout 0 0
     authorization exec USERS
     logging synchronous
     login authentication USERS
     transport input ssh
    When I log in to the switch, the radius server is passing the corrrect attriubute
    ***Jan 21 13:59:51.897: RADIUS:   Cisco AVpair       [1]   18  "shell:priv-lvl=7"
    The switch is accepting it and putting you in the correct priv level.
    ***Radius-Test#sh priv
       Current privilege level is 7
    I am not sure why it logs you in with the prompt for  privileged EXEC mode when
    you are in priv level 7. This shows that even though it looks like your in priv exec
    mode, you are not.
    ***Radius-Test#sh run
                    ^
       % Invalid input detected at '^' marker.
       Radius-Test#
    Now this is where I am very lost.
    I am in priv level 7, but as soon as I use the enable command It moves me up to 15, and that gives me access to
    global config mode.
    ***Radius-Test#enable
       Radius-Test#
    Debug log -
    Jan 21 14:06:28.689: AAA/MEMORY: free_user (0x2B46E268) user='reynni10'
    ruser='NULL' port='tty390' rem_addr='10.100.158.83' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
    Now it doesnt matter that I was given priv level 7 by radius because 'enable' put me into priv 15
    ***Radius-Test#sh priv
       Current privilege level is 15
       Radius-Test#
    I have tried to set
    ***privilege exec level 15 enable
    It works and I am no longer able to use 'enable' when I am at prv level 7, but I also cannot get the commands they will need to work.
    Even if I try to do
    ***privilege exec level 7 show running-config (or other variations)
    It will allow you to type sh run without errors, but it doest actually run the command.
    What am I doing wrong?
    I also want to get PKI working with radius.

    I can run a test on my radius system, will report back accordingly, as it's a different server than where I am currently located.
    Troubleshooting, have you deleted the certificate/network profile on the devices and started from scratch?

  • Radius server not returning Filter-id information to access device

    I have set up a Radius server (v. 4.15 16 april 2003) on NW65sp2 server
    and I'm trying to use it to authenticate to a Watchguard Firebox II
    firewall. The authentication functions but apparently the firewall is
    not getting (or not parsing) the Filter-Id information to assign access
    rights via groups. When I login to the firewall with "user1", the
    response is "Authenticationsucceeded, but no access grantedfor user". If
    I define "user1" on the firewall and assign it to an access policy, then
    everything works. But if I define an access group "group1" and assign
    it to an access policy on the firewall and then assign "group1" to the
    eDir Access Profile object that is assigned to "user1", (Filter-Id =
    group1) I get the above authentication succesful, but no access granted.
    Is there a way to identify exactly what information is being sent from
    the Radius server to the access device so I can determine if the problem
    is on the Novell Radius server side or the Watchguard Firewall side?
    I've activated the Radius Debug Log, but that only tells me that it
    finds all the relevant objects in eDirectory and that authentication is
    successfull, but there is no indication that any other information is
    being sent to the access device.
    As I understand it, the filer-id's are supposed to allow a link between
    the eDir user objects and what access rights are allowed on the access
    device (firewall). Essentially this is how I define group memberships on
    the firewall using eDir user. Is this assumption correct?
    The goal of course is to allow access over the firewall without having
    to type in 500 user names on the firewall.
    Any ideas or tips on what I could check or configure differently would
    be helpful. thanks
    bill reading

    thanks for the feedback. I will take a look at the thread you mentioned
    and I'll get back to you with the trace as soon as I can arrange it.
    Scott Kiester wrote:
    > There is a thread titled "RADIUS Group with VASCO Digipass" in this group
    > from November where someone else was trying to use the filter-Id attribute
    > with their firewall. The customer was able to get this attribute to working
    > after tweaking his RADIUS configuration.
    >
    > Your understanding of the filter-Id attribute is correct. Either the RADIUS
    > server is not sending this attribute for some reason, or something on your
    > firewall has been misconfigured. A good starting point would be to take a
    > sniffer trace to see if the filter-Id attribute is in the access-request
    > packet. (You can use Ethereal, which is a free download from
    > www.ethereal.com, for the trace.) Post the trace here or send it to me at
    > [email protected] and I'll take a look at it.
    >
    >
    >>>>bill reading<[email protected]> 12/07/04 8:36 AM >>>
    >
    > I have set up a Radius server (v. 4.15 16 april 2003) on NW65sp2 server
    > and I'm trying to use it to authenticate to a Watchguard Firebox II
    > firewall. The authentication functions but apparently the firewall is
    > not getting (or not parsing) the Filter-Id information to assign access
    > rights via groups. When I login to the firewall with "user1", the
    > response is "Authenticationsucceeded, but no access grantedfor user". If
    > I define "user1" on the firewall and assign it to an access policy, then
    > everything works. But if I define an access group "group1" and assign
    > it to an access policy on the firewall and then assign "group1" to the
    > eDir Access Profile object that is assigned to "user1", (Filter-Id =
    > group1) I get the above authentication succesful, but no access granted.
    > Is there a way to identify exactly what information is being sent from
    > the Radius server to the access device so I can determine if the problem
    > is on the Novell Radius server side or the Watchguard Firewall side?
    > I've activated the Radius Debug Log, but that only tells me that it
    > finds all the relevant objects in eDirectory and that authentication is
    > successfull, but there is no indication that any other information is
    > being sent to the access device.
    >
    > As I understand it, the filer-id's are supposed to allow a link between
    > the eDir user objects and what access rights are allowed on the access
    > device (firewall). Essentially this is how I define group memberships on
    > the firewall using eDir user. Is this assumption correct?
    >
    > The goal of course is to allow access over the firewall without having
    > to type in 500 user names on the firewall.
    >
    > Any ideas or tips on what I could check or configure differently would
    > be helpful. thanks
    >
    > bill reading
    >
    >

  • Cisco ISE: External RADIUS Server

    Hi,
    I would like to forward RADIUS from PSN to another PSN. I already defined "External RADIUS Servers".
    So, how can I use this external RADIUS server to process my request ?
    Looking at the user guide but didn't find any information about this setting (For rule based not simple rule)
    If anyone use this, please suggest this to me.
    Thanks,
    Pongsatorn

    Defining an External RADIUS Server
    The Cisco Cisco ISE can function both as a RADIUS server and as a RADIUS proxy server. When it acts as a proxy server, the Cisco Cisco ISE receives authentication and accounting requests from the network access server (NAS) and forwards them to the external RADIUS server. The Cisco Cisco ISE accepts the results of the requests and returns them to the NAS. You must configure the external RADIUS servers in the Cisco Cisco ISE to enable it to forward requests to the external RADIUS servers. You can define the timeout period and the number of connection attempts.
    The Cisco Cisco ISE can simultaneously act as a proxy server to multiple external RADIUS servers. You can use the external RADIUS servers that you configure here in RADIUS server sequences. This External RADIUS Server page lists all the external RADIUS servers that you have defined in Cisco Cisco ISE. You can use the filter option to search for specific RADIUS servers based on the name or description or both.
    To create an external RADIUS server, complete the following steps:
    Step 1 Choose Administration > Network Resources > External RADIUS Servers.
    The RADIUS Servers page appears with a list of external RADIUS servers that are defined in Cisco ISE.
    Step 2 Click Add to add an external RADIUS server.
    Step 3 Enter the values as described:
    •Name—(Required) Enter the name of the external RADIUS server.
    •Description—Enter a description of the external RADIUS server.
    •Host IP—(Required) Enter the IP address of the external RADIUS server.
    •Shared Secret—(Required) Enter the shared secret between Cisco Cisco ISE and the external RADIUS server that is used for authenticating the external RADIUS server. A shared secret is an expected string of text that a user must provide to enable the network device to authenticate a username and password. The connection is rejected until the user supplies the shared secret. The shared secret can be up to 128 characters in length.
    •Enable KeyWrap—This option increases RADIUS protocol security via an AES KeyWrap algorithm, to help enable FIPS 140-2 compliance in Cisco ISE.
    •Key Encryption Key—This key is used for session encryption (secrecy).
    •Message Authenticator Code Key—This key is used for keyed HMAC calculation over RADIUS messages.
    •Key Input Format—Specify the format you want to use to enter the Cisco ISE FIPS encryption key, so that it matches the configuration that is available on the WLAN controller. (The value you specify must be the correct [full] length for the key as defined below—shorter values are not permitted.)
    –ASCII—The Key Encryption Key must be 16 characters (bytes) long, and the Message Authenticator Code Key must be 20 characters (bytes) long.
    –Hexadecimal—The Key Encryption Key must be 32 bytes long, and the Message Authenticator Code Key must be 40 bytes long.
    •Authentication Port—(Required) Enter the RADIUS authentication port number. The valid range is from 1 to 65535. The default is 1812.
    •Accounting Port—(Required) Enter the RADIUS accounting port number. The valid range is from 1 to 65535. The default is 1813.
    •Server Timeout—(Required) Enter the number of seconds that the Cisco Cisco ISE waits for a response from the external RADIUS server. The default is 5 seconds. Valid values are from 5 to 120.
    •Connection Attempts—(Required) Enter the number of times that the Cisco Cisco ISE attempts to connect to the external RADIUS server. The default is 3 attempts. Valid values are from 1 to 9.
    Step 4 Click Submit to save the external RADIUS server configuration.

  • Cisco 5508-WLC using MS NPS as RADIUS Server for EAP-TLS

    Has anyone experienced a problem getting a Cisco WLC to work with MS NPS server? We've done it before albeit with differnt code versions.
    I have a Cisco 5508 WLC running 7.0.116.0 code hosting a WLAN configured for WPA2 with 802.1x for authentication.  I have two Windows NPS servers configured as the RADIUS servers for EAP-TLS authentication. Via debug info on the WLC I can see the 802.1x handshake take place with the wireless client and the WLC as well as a successful transmission of an Authentication Packet from the WLC to one of the RADIUS servers. However on the WLC I see repeated RADIUS server x.x.x.x:1812 deactivated in global list and on the NPS server I'm seeing event log errors indicating "The Network Policy Server discarded the request for a user"  along with the pertinent auth request info that I would expect the NPS server to receive from the WLC.
    Based on the WLC debug info I'm never actually getting to the EAP-TLS certificate authentication part. It seems the NPS servers don't like the format of the initial RADIUS authentication request coming from the WLC and so don't respond whcih in turn casues to WLC to switch to the other NPS server which produces the same issue.
    Any ideas of what might be the issue or misconfiguration?

    Jim,
    I wanted to know if you can setup wireshark on both of the boxes and see if your are hitting the following bug:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCti91044
    It looks as if the WLC is retransmitting the client traffic from one radius session with primary over to the secondary in which the radius state attribute that was assigned from the primary server is probably hitting the secondary server. Therefore if the state attribute isnt assigned from the secondary server it will discard the packet.
    May need to open a TAC case to see if this issue is on the 550x controllers also.
    Thanks,
    Tarik

  • WLC cannot reach Radius server

    I am currently configuring Radius server with Cisco Wireless Controller 5508.  Using debug aaa at the CLI, I can see the controller receive radius client message but nothing coming back from the radius server.
    For some reason, Wireless Controller 5508 cannot ping the Radius server using CLI.  Yet, I can ping the 5508 controller from the Radius server.  The Radius server is running Windows 2008 NPS with firewall turned off.  There are no antivirus firewall installed on the Radius server.  NPS is installed and configured on Windows 2008.  Nothing shows up in the NPS log.
    Any idea?  

    if you put a PC onto WLC management subnet can you ping your NPS from that PC ? 
    Also are you using service port of your WLC ?
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • Radius server 00.00.00.00 deactivated in global list

    Hi
    we unable to authenticate the users connecting to WLC over EAP-FAST from the ACS 5.1.
    AD is integrated with the acs....
    The error msg coming in wlc is :Radius server deactivated in global list
    Radius server failed to respond to request(ID:xx) for client xx:xx;xx:xx:xx:xx:xx
    I find that problem with time skew error happen between the AD and ACS. But after i configured ntp server in acs the problem
    still exist.
    I removed the controller from the acs and added back, same thing done in controller(reconfigured aaa settings).
    But the problem not resolved
    Thanks
    Subhash

    After working with TAC, I resolved this issue recently.  Increasing the timeout value did not help. On the WLC, try:
    config radius aggressive-failover disable
    As per http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml :
    If the aggressive failover feature is enabled in WLC, the WLC is too aggressive to mark the AAA server as not responding. But, this should not be done because the AAA server is possibly not responsive only to that particular client, if you do silent discard. It can be a response to other valid clients with valid certificates. But, the WLC can still mark the AAA server as not responding and not functional.
    In order to overcome this, disable the aggressive failover feature. Issue the config radius aggressive-failover disable command from the controller GUI in order to perform this. If this is disabled, then the controller only fails over to the next AAA server if there are three consecutive clients that fail to receive a response from the RADIUS server.

Maybe you are looking for