TACACS=admin RADIUS=802.1x same ACS?
I have an ACS appliance set up for TACACS auth for administrative users. I need to configure 802.1x with RADIUS as I'm sending the VLAN ID back down when the user authenticates. Is this possible? Doesn't seem to be working for me. Also, I am doing this on both CatOS and IOS so IOS only solutions won't help.
Thanks!
Yes, it's possible. You need to set the following stndard RADIUS attributes via a per-group or per-user basis:
[64] Tunnel-Type ? ?VLAN?
[65] Tunnel-Medium-Type ? ?802?
[81] Tunnel-Private-Group-ID - ""
Hope this helps.
Similar Messages
-
Can ACS run TACACS+ adn RADIUS concurrently?
I know that ACS supports both TACACS+ and RADIUS protocols. My question is can ACS run TACACS+ and RADIUS concurrently?
Once you go into Network Configuration, you enter the Network Device Group you want to add the device to. Select the option to add a client device and input the information, but enter a different client hostname, with the same IP Address in each seperate Network Device Configuration. You can specify which Network Device Group for the client to use, and in the specific group is where you will specify which resources the client members will be able to access. I specified a few different groups with different access restricitions, because I didn't want the Dial -In or Wireless people to have Admin Access to my TACACS+ configured devices...
Let me know if this helps... -
802.1x with ACS 4.2 (RADIUS) problem
HI all!
I am trying to configure AAA authentication and authorization with Cisco 3725 (IOS 12.4(17)) for 802.1x and ACS 4.2 with VLAN assignment to my Windows XP client. (trying to assign VLAN 100 in my scenario).
When user connects to the Router, it passes the authentication process (EAP-MD5). In my debug i see that Router recieves the Radius Attributes BUT does not apply anything!
My running config:
Building configuration...
Current configuration : 1736 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R4
boot-start-marker
boot-end-marker
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa session-id common
memory-size iomem 5
ip cef
no ip domain lookup
ip domain name lab.local
ip device tracking
dot1x system-auth-control
interface FastEthernet0/0
ip address 10.10.0.253 255.255.255.0
duplex auto
speed auto
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
interface FastEthernet1/0
dot1x port-control auto
interface FastEthernet1/1
interface FastEthernet1/2
interface FastEthernet1/3
interface FastEthernet1/4
interface FastEthernet1/5
interface Vlan1
ip address 192.168.1.1 255.255.255.0
interface Vlan100
ip address 192.168.100.1 255.255.255.0
ip forward-protocol nd
no ip http server
no ip http secure-server
mac-address-table static 0800.27b1.b332 interface FastEthernet1/0 vlan 1
radius-server host 10.10.0.2 auth-port 1645 acct-port 1646 key cisco
radius-server vsa send accounting
radius-server vsa send authentication
My Radius debug information:
*Mar 1 00:21:31.487: RADIUS: Pick NAS IP for u=0x65BAF324 tableid=0 cfg_addr=0.0.0.0
*Mar 1 00:21:31.491: RADIUS: ustruct sharecount=2
*Mar 1 00:21:31.491: Radius: radius_port_info() success=1 radius_nas_port=1
*Mar 1 00:21:31.491: RADIUS: added cisco VSA 2 len 15 "FastEthernet1/0"
*Mar 1 00:21:31.491: RADIUS: Request contains 9 byte EAP-message
*Mar 1 00:21:31.491: RADIUS: Added 9 bytes of EAP data to request
*Mar 1 00:21:31.495: RADIUS/ENCODE: Best Local IP-Address 10.10.0.253 for Radius-Server 10.10.0.2
*Mar 1 00:21:31.507: RADIUS(00000000): Send Access-Request to 10.10.0.2:1645 id 1645/3, len 127
*Mar 1 00:21:31.511: RADIUS: authenticator 36 68 24 30 F0 CC E8 3C - 69 48 61 E3 DA 28 52 AC
*Mar 1 00:21:31.511: RADIUS: NAS-IP-Address [4] 6 10.10.0.253
*Mar 1 00:21:31.511: RADIUS: NAS-Port [5] 6 0
*Mar 1 00:21:31.511: RADIUS: Vendor, Cisco [26] 23
*Mar 1 00:21:31.515: RADIUS: cisco-nas-port [2] 17 "FastEthernet1/0"
*Mar 1 00:21:31.515: RADIUS: NAS-Port-Type [61] 6 X75 [9]
*Mar 1 00:21:31.515: RADIUS: User-Name [1] 6 "user"
*Mar 1 00:21:31.515: RADIUS: Calling-Station-Id [31] 19 "08-00-27-B1-B3-32"
*Mar 1 00:21:31.515: RADIUS: Service-Type [6] 6 Framed [2]
*Mar 1 00:21:31.515: RADIUS: Framed-MTU [12] 6 1500
*Mar 1 00:21:31.515: RADIUS: EAP-Message [79] 11
*Mar 1 00:21:31.515: RADIUS: 02 1D 00 09 01 75 73 65 72 [?????user]
*Mar 1 00:21:31.515: RADIUS: Message-Authenticato[80] 18
*Mar 1 00:21:31.515: RADIUS: B1 8B 8F 4C F1 6D C9 A6 4E 96 B8 3D 53 E9 41 12 [???L?m??N??=S?A?]
*Mar 1 00:21:31.555: RADIUS: Received from id 1645/3 10.10.0.2:1645, Access-Challenge, len 93
*Mar 1 00:21:31.555: RADIUS: authenticator DF 38 A1 1B ED 3C 1E B2 - 1A 92 6A D5 58 CE B8 4A
*Mar 1 00:21:31.555: RADIUS: EAP-Message [79] 28
*Mar 1 00:21:31.555: RADIUS: 01 1E 00 1A 04 10 BE BA B4 B0 26 9D 52 0E 43 BC [??????????&?R?C?]
*Mar 1 00:21:31.555: RADIUS: 33 46 8E A8 C6 45 47 4E 53 33 [3F???EGNS3]
*Mar 1 00:21:31.555: RADIUS: State [24] 27
*Mar 1 00:21:31.555: RADIUS: 45 41 50 3D 30 2E 31 66 66 2E 39 38 36 2E 31 3B [EAP=0.1ff.986.1;]
*Mar 1 00:21:31.559: RADIUS: 53 56 43 3D 30 2E 31 35 3B [SVC=0.15;]
*Mar 1 00:21:31.559: RADIUS: Message-Authenticato[80] 18
*Mar 1 00:21:31.559: RADIUS: 22 C8 D5 BB 44 FC FC 14 D3 2C C9 42 A3 9B A4 9E ["???D????,?B????]
*Mar 1 00:21:31.563: RADIUS: Found 26 bytes of EAP data in reply (ofs 0)
*Mar 1 00:21:31.563: RADIUS: Received 26 byte EAP Message in reply
*Mar 1 00:21:31.587: RADIUS: Pick NAS IP for u=0x65BAF324 tableid=0 cfg_addr=0.0.0.0
*Mar 1 00:21:31.587: RADIUS: ustruct sharecount=1
*Mar 1 00:21:31.587: Radius: radius_port_info() success=1 radius_nas_port=1
*Mar 1 00:21:31.587: RADIUS: added cisco VSA 2 len 15 "FastEthernet1/0"
*Mar 1 00:21:31.591: RADIUS: Request contains 26 byte EAP-message
*Mar 1 00:21:31.591: RADIUS: Added 26 bytes of EAP data to request
*Mar 1 00:21:31.591: RADIUS/ENCODE: Best Local IP-Address 10.10.0.253 for Radius-Server 10.10.0.2
*Mar 1 00:21:31.591: RADIUS(00000000): Send Access-Request to 10.10.0.2:1645 id 1645/4, len 171
*Mar 1 00:21:31.591: RADIUS: authenticator 0A A2 1F 7C 12 A8 AB F7 - 9F 87 C6 51 A4 0D EA A2
*Mar 1 00:21:31.595: RADIUS: NAS-IP-Address [4] 6 10.10.0.253
*Mar 1 00:21:31.595: RADIUS: NAS-Port [5] 6 0
*Mar 1 00:21:31.595: RADIUS: Vendor, Cisco [26] 23
*Mar 1 00:21:31.595: RADIUS: cisco-nas-port [2] 17 "FastEthernet1/0"
*Mar 1 00:21:31.595: RADIUS: NAS-Port-Type [61] 6 X75 [9]
*Mar 1 00:21:31.595: RADIUS: User-Name [1] 6 "user"
*Mar 1 00:21:31.595: RADIUS: Calling-Station-Id [31] 19 "08-00-27-B1-B3-32"
*Mar 1 00:21:31.595: RADIUS: Service-Type [6] 6 Framed [2]
*Mar 1 00:21:31.595: RADIUS: Framed-MTU [12] 6 1500
*Mar 1 00:21:31.595: RADIUS: State [24] 27
*Mar 1 00:21:31.595: RADIUS: 45 41 50 3D 30 2E 31 66 66 2E 39 38 36 2E 31 3B [EAP=0.1ff.986.1;]
*Mar 1 00:21:31.595: RADIUS: 53 56 43 3D 30 2E 31 35 3B [SVC=0.15;]
*Mar 1 00:21:31.595: RADIUS: EAP-Message [79] 28
*Mar 1 00:21:31.595: RADIUS: 02 1E 00 1A 04 10 AA 09 8E 39 DE 29 E4 CC C6 BC [?????????9?)????]
*Mar 1 00:21:31.595: RADIUS: 7F 01 C8 47 EC 74 75 73 65 72 [???G?tuser]
*Mar 1 00:21:31.595: RADIUS: Message-Authenticato[80] 18
*Mar 1 00:21:31.595: RADIUS: 33 57 82 E2 5C 24 A2 8C 67 CC 0D 8C 25 12 74 13 [3W??\$??g?????t?]
*Mar 1 00:21:31.731: RADIUS: Received from id 1645/4 10.10.0.2:1645, Access-Accept, len 90
*Mar 1 00:21:31.731: RADIUS: authenticator A0 0E DF D7 87 FD 9E B6 - BB 64 04 4F 56 2A 03 89
*Mar 1 00:21:31.735: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
*Mar 1 00:21:31.735: RADIUS: EAP-Message [79] 6
*Mar 1 00:21:31.735: RADIUS: 03 1E 00 04 [????]
*Mar 1 00:21:31.735: RADIUS: Tunnel-Type [64] 6 01:VLAN [13]
*Mar 1 00:21:31.739: RADIUS: Tunnel-Medium-Type [65] 6 01:ALL_802 [6]
*Mar 1 00:21:31.739: RADIUS: Tunnel-Private-Group[81] 6 01:"100"
*Mar 1 00:21:31.739: RADIUS: Class [25] 22
*Mar 1 00:21:31.739: RADIUS: 43 41 43 53 3A 30 2F 35 62 31 2F 61 30 61 30 30 [CACS:0/5b1/a0a00]
*Mar 1 00:21:31.739: RADIUS: 66 64 2F 30 [fd/0]
*Mar 1 00:21:31.739: RADIUS: Message-Authenticato[80] 18
*Mar 1 00:21:31.739: RADIUS: 75 BC F2 E0 91 07 6C 12 4D 5C BB 50 A4 FD D3 26 [u?????l?M\?P???&]
*Mar 1 00:21:31.739: RADIUS: Found 4 bytes of EAP data in reply (ofs 0)
*Mar 1 00:21:31.739: RADIUS: Received 4 byte EAP Message in reply
As a result the vlan-switch data based does not change.
Any help will be appreciated!
Thanks a lot,
Chelovekov AlexanderI've tried multiple ways to cope with this problem but nothing was helpfull...
Tunnel-Medium-Type [65] 6 01:ALL_802
I use only ACS Radius attributes and chose ony what ACS allows me to choose (Tunnel-medium-type: 802).
Screenshot n attachment.
The same situation occurs when i try to use some Vendor Specific Attributes (Cisco-AV-Pair) - downloadable ACEs to my user, and again, i see Radius attributes in my debug but nothing is applied to my L3 Switch.
What am i missing? -
Cisco ISE with TACACS+ and RADIUS both?
Hello,
I am initiating wired authentication on an existing network using Cisco ISE. I have been studying the requirements for this. I know I have to turn on RADIUS on the Cisco switches on the network. The switches on the network are already programmed for TACACS+. Does anybody know if they can both operate on the same network at the same time?
BobHello Robert,
I believe NO, they both won't work together as both TACACS and Radius are different technologies.
It's just because that TACACS encrypts the whole message and Radius just the password, so I believe it won't work.
For your reference, I am sharing the link for the difference between TACACS and Radius.
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
Moreover, Please review the information as well.
Compare TACACS+ and RADIUS
These sections compare several features of TACACS+ and RADIUS.
UDP and TCP
RADIUS uses UDP while TACACS+ uses TCP. TCP offers several advantages over UDP. TCP offers a connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires additional programmable variables such as re-transmit attempts and time-outs to compensate for best-effort transport, but it lacks the level of built-in support that a
TCP transport offers:
TCP usage provides a separate acknowledgment that a request has been received, within (approximately) a network round-trip time (RTT), regardless of how loaded and slow the backend authentication mechanism (a TCP acknowledgment) might be.
TCP provides immediate indication of a crashed, or not running, server by a reset (RST). You can determine when a server crashes and returns to service if you use long-lived TCP connections. UDP cannot tell the difference between a server that is down, a slow server, and a non-existent server.
Using TCP keepalives, server crashes can be detected out-of-band with actual requests. Connections to multiple servers can be maintained simultaneously, and you only need to send messages to the ones that are known to be up and running.
TCP is more scalable and adapts to growing, as well as congested, networks.
Packet Encryption
RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Other information, such as username, authorized services, and accounting, can be captured by a third party.
TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header. Within the header is a field that indicates whether the body is encrypted or not. For debugging purposes, it is useful to have the body of the packets unencrypted. However, during normal operation, the body of the packet is fully encrypted for more secure communications.
Authentication and Authorization
RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization.
TACACS+ uses the AAA architecture, which separates AAA. This allows separate authentication solutions that can still use TACACS+ for authorization and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and accounting. After a NAS authenticates on a Kerberos server, it requests authorization information from a TACACS+ server without having to re-authenticate. The NAS informs the TACACS+ server that it has successfully authenticated on a Kerberos server, and the server then provides authorization information.
During a session, if additional authorization checking is needed, the access server checks with a TACACS+ server to determine if the user is granted permission to use a particular command. This provides greater control over the commands that can be executed on the access server while decoupling from the authentication mechanism.
Multiprotocol Support
RADIUS does not support these protocols:
AppleTalk Remote Access (ARA) protocol
NetBIOS Frame Protocol Control protocol
Novell Asynchronous Services Interface (NASI)
X.25 PAD connection
TACACS+ offers multiprotocol support.
Router Management
RADIUS does not allow users to control which commands can be executed on a router and which cannot. Therefore, RADIUS is not as useful for router management or as flexible for terminal services.
TACACS+ provides two methods to control the authorization of router commands on a per-user or per-group basis. The first method is to assign privilege levels to commands and have the router verify with the TACACS+ server whether or not the user is authorized at the specified privilege level. The second method is to explicitly specify in the TACACS+ server, on a per-user or per-group basis, the commands that are allowed.
Interoperability
Due to various interpretations of the RADIUS Request for Comments (RFCs), compliance with the RADIUS RFCs does not guarantee interoperability. Even though several vendors implement RADIUS clients, this does not mean they are interoperable. Cisco implements most RADIUS attributes and consistently adds more. If customers use only the standard RADIUS attributes in their servers, they can interoperate between several vendors as long as these vendors implement the same attributes. However, many vendors implement extensions that are proprietary attributes. If a customer uses one of these vendor-specific extended attributes, interoperability is not possible.
Traffic
Due to the previously cited differences between TACACS+ and RADIUS, the amount of traffic generated between the client and server differs. These examples illustrate the traffic between the client and server for TACACS+ and RADIUS when used for router management with authentication, exec authorization, command authorization (which RADIUS cannot do), exec accounting, and command accounting (which RADIUS cannot do). -
802.1x with ACS and Windows AD
Hi
Im trying to setup 802.1x with ACS 5.2 but am struggling as its very differnet to ACS 4.2.
I have setup the ACS to be the domain and think i have setup up the External Idnetity Store, however when i try to authenticate a pc using authentication Medthod 'PEAP (EAP-MSCHAPv2), i get a failure reason '22056 Subject not found in the applicable identity store'
MarcoHi Marco,
i guess you've missed a mapping configuration in the Access Policy Section.
Create a Access Service name it AS-802.1x select User Select Service Type and select Network Access. Select the Policy Structure Identity and Authorization. Select PEAP as allowed Protocol. Click Finish
You'll see the new service click Identity.
Select the identity source you've created then save.
Click on authorization
Select a default authorization rule permit access and save.
Create a Service Access Rule name it 802.1x
Select Protocol Radius as Condition and as Compound Condition select RADIUS-IETF:Service-Type match Framed then select the service you created before.
then you can try again.
regards
alex -
Hi,
Can i configured on aironet 1100 RAIDIUS for users and TACACS for administration?
With Cisco ACS i can only add one option.
I want to centralize the AAA for all the equipments and use CISCO ACS!
But the AP's are radio clients already!
TKSYes, you can do both on the AP1100. Use something similar to the configuration below:
aaa new-model
aaa group server radius rad_eap
server x.x.x.x auth-port 1645 acct-port 1646
aaa group server tacacs+ tacacs_here
server x.x.x.x
aaa authentication login default group tacacs+ group tacacs_here
aaa authentication login wireless_client group rad_eap
dot11 ssid SSID4ME
vlan xxx
authentication open eap wireless_client -
Authentication providers for TACACS+ and RADIUS
Does anyone supply WLS 8.1 authentication providers for TACACS+ and/or
RADIUS?
BenSo in the ACS network config you add 2 NASes (or should that be NASi?)
One is of type TACACS+, enter the device ip and secret. The other is RADIUS - unless you need to use some vendor specific trickery you could stick with IETF RADIUS to keep it simple. Again enter the IP and the secret.
Assuming you a have at least 1 user in say, the default group (acs group 0) you then need to do some basic setup. In ACS a single group can have both RADIUS and TACACS+ config :-)
RADIUS will pretty much default to PPP anyway, but you should still set the Service-Type to Framed and set session timeouts etc.
With T+ you tick the boxes for the services that are allowed. For SSH login you might have to define a custom service first (under interface config)
Suggest you first take time to scan through the ACS docs. -
My sister and I share computers, but it's really her Mac because she got it for her birthday. I'm using it because there is no other place to hold my iTunes library, documents, photos, etc.
She complains that I make the computer too slow after I downloaded/installed too many apps from the Mac App Store using my admin account and my iTunes account. However, they show up on her account as well, and she doesn't want to see them or have her computer slow down, so she deletes them. Is there a way to make certain apps unseen and inaccessible from other admin users on the same machine?Only by storing them on an encrypted disk image. Anyone who has an administrator password to a Mac can use it to access all unencrypted data on the system.
(59941) -
Hi guys, i planning to do Radius 802.1x LAB TEST. I got a 2950c switch, what are the application i needed ?? any freeware or shareware recommended to do radius authentication ??
Can some1 share me a configuration guide or any reference for this test... Thanks a lot.......Hi
In the course of eduroam (just some universities worldwide using dot1x - http://www.eduroam.org/) we like http://www.securew2.com/uk/index.htm for windows-pc's
As Opensource we like: http://hostap.epitest.fi/wpa_supplicant/ -
When you install Premiere Pro as the admin on an iMac the audio functionalities work well but a second admin account on the same machine does not work. What can I do to fix this?
It is a bad idea to hack computer passwords when you don't own the computer
Good luck with the school and the parents. -
ACS Solution Engine TACACS+ and Radius
I have an ACS Solutions Engine that is performing TACACS authentication for remote access to Switches and now want to add 802.1X support for port based access control against the ACS server also. For some reason this is not working for me at all. Does anyone have a document that will guide me in this.
http://cisco.biz/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/guide_c07-627531.pdf
There is a lot of reading on the topic. Maybe you could precise what is not working as expected ?
what EAP method are you doing ? how is your switchport configured ? Is there an error message on ACS ? -
Help needed restricting users admin access to devices using ACS 4.2
I have users that access the network via a VPN client to a PIX 515 which authenticates to the ACS (using the default group for unknown users) which uses an external Active Directory Database.
The problem I have is that as the ACS authenticates these users, it now allows them admin access to the PIX. How do I restrict access? I have looked at NARs using the 'All AAA clients, *, *' approach but that just stops their VPN access. ( I have a separate group called 'PIX ACCESS' which will contained only defined users for admin access).
Incidentally I have other devices on the network which are AAA clients, in particular Nortel switches. I can set the group settings for that RADIUS set up to 'Authenticate Only' (RADIUS Nortel option) and that works fine, I was expecting the ACS to have a similar setting for TACACS+.
So how do I allow the unknown users to authenticate to their AD database but restrict them admin access to the AAA clients?Very common problem. I've solved it twice over the last 6 years with ACS. I'm sketchy on the details. But here goes. First option to explore is using RADIUS for VPN access, then TACACS on all the Cisco switches and PIX firewall. That would make it alot easier. I think that with TACACS, you can build a NAR based on TCP port number instead of IP address....
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a0080858d3c.shtml
So you'd have a group with 3-4 Administrators that can access PIX CLI, and another group of VPN users that can't access the PIX but can VPN in. So on the VPN group, put a NAR that restricts access to SSH/Telnet TCP ports?
This comes up everytime I install an ACS server, (every 2-3 years), and it's always a trick.
Please let me know if this works for you. And if it doesn't, let us know how you fixed it. I think I can get back into the ACS I last did this with and take a look, but I'd have to call up and make a special trip. -
Hi all,
Currently i'm using an ACS4.2 as radius server, some switch 2960-s ios 12.2.(55)se5, ipphone Alcatel iptouch 4018 and i would like to assign dinamic vlan to some specific users/laptop Daisy-chained to ip phone.
Logic connection is: users laptop---->ipphone---->switch---->radius
What i need is:
if I connect MY laptop to the ipphone port, i receive a specific vlan ( vlan 58 )
if SOMEONE else ( i.e. a consultant ) connect his laptop to the SAME ipphone port (if available) he has to receive a different vlan ( vlan 1).
I've been able to reach the goal using MACRO but it tooks too much time to authenticate ( approx 1 min ) so i give up and tried a different faster way ( 802.1x and MAB ).
i've been able to authenticate the ip-phone using 802.1x auth and to receive the correct vlan when i connect MY laptop (MAB auth) but i was not able to provide the VLAN 1 to the Consultant when he connect his laptop even if the "authentication event fail action authorize vlan 1" is configured.
I used the dot1x auth-fail vlan because i'm not able to use MAB or 802.1x auth on external laptop. I also tried with guest vlan with no luck.
In both case the "consultant" remain in "auth failed"
Here my current configuration
dot1x system-auth-control
dot1x guest-vlan supplicant
identity profile default
interface GigabitEthernet1/0/1
switchport mode access
switchport voice vlan 30
authentication host-mode multi-auth
authentication event fail action authorize vlan 1
authentication order mab dot1x
authentication port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 2
dot1x max-reauth-req 1
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
On ACS side i have 2 groups
first Group authenticate the iphone and supply the voice vlan ( vlan 30)
Second Group authenticate using MAB and supply the vlan 58
is there a different way to accomplish this task?
Thank you in advancehi,
any ideas?
thx -
802.1x with ACS does not correctly work
Hello
I have here a WLan setup with a WDS, some 40 Accesspoints, an ACS 4.1 server and a Windows Domain Controller which has the users configured.
I have a group mapping in ACS configured which points to a small group in the ADS.
The groupmapping in ACS points to a specific group in ACS.
There I've configured the following:
[009\001] cisco-av-pair
- ssid=xx-200 (the name of the SSID the clients connect)
[006] Service-Type
- Login
[007] Framed-Protocol
- PPP
[025] Class
- OU=pers; (this is not the special group where those users are in, but they are also in this one)
[064] Tunnel-Type
- Tag 1 Value Vlan
[065] Tunnel-Medium-Type
- Tag 1 Value 802
[081] Tunnel-Private-Group-ID
- Tag 1 Value 200 (the Vlan in which they should go)
The good thing is, authentication with username password works.
The bad thing is, every user can authenticate and get into this SSID instead of only the users in the special group which points to this groupmapping.
The other ADS groups also point to other ACS groups, but they don't have the above values ([009\001] cisco-av-pair, [064] Tunnel-Type, [065] Tunnel-Medium-Type, [081] Tunnel-Private-Group-ID) configured.
The logfile from the ACS also shows that the wrong users are mapped into the correct group like they should, but they still get access.
Here the WDS configuration:
aaa group server radius RADIUS_GROUP_WDS_RADIOMANAGEMENT
server 10.1.1.30 auth-port 1645 acct-port 1646
server 10.1.2.30 auth-port 1645 acct-port 1646
aaa authentication login METHOD_WDS_RADIOMANAGEMENT group RADIUS_GROUP_WDS_RADIOMANAGEMENT
aaa authentication enable default enable
aaa session-id common
radius-server host 10.1.1.30 auth-port 1645 acct-port 1646 key 7 xxxx
radius-server host 10.1.2.30 auth-port 1645 acct-port 1646 key 7 xxxx
radius-server retransmit 2
radius-server timeout 18
radius-server deadtime 1
radius-server vsa send accounting
wlccp authentication-server infrastructure METHOD_WDS_RADIOMANAGEMENT
wlccp authentication-server client any METHOD_WDS_RADIOMANAGEMENT
ssid xx-200
The accesspoint config:
aaa authentication login METHOD_RAD_WDS_CLIENT group radius
aaa authentication enable default enable
aaa session-id common
dot11 ssid xx-200
vlan 200
authentication open eap METHOD_RAD_WDS_CLIENT
authentication network-eap METHOD_RAD_WDS_CLIENT
authentication key-management wpa
interface Dot11Radio0
encryption vlan 200 mode ciphers aes-ccm
broadcast-key vlan 200 change 60
ssid xx-200
interface Dot11Radio0.200
description
encapsulation dot1Q 200
no ip route-cache
no cdp enable
bridge-group 200
bridge-group 200 subscriber-loop-control
bridge-group 200 block-unknown-source
no bridge-group 200 source-learning
no bridge-group 200 unicast-flooding
bridge-group 200 spanning-disabled
interface FastEthernet0.200
description
encapsulation dot1Q 200
no ip route-cache
bridge-group 200
no bridge-group 200 source-learning
bridge-group 200 spanning-disabled
I hope you can find why any user can authenticate and not just the ones in the groupmapping which has the radius attributes configured.
Thanks,
patoI have finally found something to look into :/
000619: Jan 18 16:50:11 A: RADIUS: AAA Unsupported Attr: ssid [263] 6
000620: Jan 18 16:50:11 A: RADIUS: 48 53 52 2D [xxx-]
000621: Jan 18 16:50:11 A: RADIUS: AAA Unsupported Attr: interface [156] 4
000622: Jan 18 16:50:11 A: RADIUS: 32 35 [25]
This is with various debugging active on the WDS. And this might be the reason why it doesn't work. -
802.1x with ACS 3.3 and windowsXP
We are using RADIUS IETF in ACS and EAP MD5.
My switch is 2950 whith this commands:
radius-server host a.b.c.d
radius-server key cisco
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
int fa 0/1
dot1x port-control auto
When we try authenticate appears this error: "CS user unknown" in ACS reports.
Has somethings that we forget?
Where I configure the respective VLAN to user when he authenticate?
ThanksI`m using 2950 and Cisco ACS. In my Windows XP, I did only this"Ativar authenticaçao IEEE 802.1x para esta rede -->MD5 Challenge". I create one user in ACS database and assign the following IETF RADIUS attributes to this user:
[64] Tunnel-Type = VLAN
[65] Tunnel-Medium-Type = 802
[81] Tunnel-Private-Group-Id = teste
At my network icon apears: Authentication Fail
See some debug message on my switch:
03:09:14: dot1x-ev:Received AuthStart from Authenticator for supp_info=80D607DC
03:09:14: dot1x-ev:Managed Timer in sub-block attached as leaf to master
03:09:14: dot1x-ev:Going to Send Request to AAA Client on RP for id = 0 and length = 25
03:09:14: dot1x-ev:Got a Request from SP to send it to Radius with id 7
03:09:14: dot1x-ev:Couldn't Find a process thats already handling the request for this id 0
03:09:14: dot1x-ev:Inserted the request on to list of pending requests
03:09:14: dot1x-ev:Found a free slot at slot 0
03:09:14: dot1x-ev:Found a free slot at slot 0
03:09:14: dot1x-ev:Request id = 7 and length = 25
03:09:14: dot1x-ev:The Interface on which we got this AAA Request is FastEthernet0/1
03:09:14: dot1x-ev:Username is SMSTESTE\joe
03:09:14: dot1x-ev:MAC Address is 0026.540f.5555
03:09:14: dot1x-ev:MAC Address copied is 0026.540f.4c43
03:09:15: dot1x-ev:dot1x_post_message_to_auth_sm: Skipping tx for req_id for default supplicant
03:09:34: dot1x-err:EAP packet not recvd
03:09:34: dot1x-ev:going to send to backend on SP, length = 4
03:09:34: dot1x-ev:Received VLAN is No Vlan
03:09:34: dot1x-ev:Enqueued the response to BackEnd
03:09:34: dot1x-ev:Received QUEUE EVENT in response to AAA Request
03:09:34: dot1x-ev:Dot1x matching request-response found
03:09:34: dot1x-ev:Length of recv eap packet from radius = 4
03:09:34: dot1x-ev:Received VLAN Id -1
03:09:34: dot1x-ev:dot1x_bend_fail_enter:0026.540f.5555: Current ID=0
Can you help me?
Thanks,
Maybe you are looking for
-
Issue in using parseescapedXML()
HI, Please help me on the below mentioned issue. I am trying to use parseescapedXML function in assign activity on below input and gettong the following error message: <bpelFault><faultType>0</faultType><subLanguageExecutionFault xmlns="http://schema
-
An error was encountered by the CAS Security Provider: Error Code: SVR_ER
Hi Everybody, when i open dimension library that time i get a error An error was encountered by the CAS Security Provider: Error Code: SVR_ERR_SESSION_MGR_CAS_SECURITY_ERROR How i can resolve i donot know ,pleas any body know help me. Regards, Ashis
-
SSLException: New session creation is disabled
Hi All, I am writting a javaclient to talk to my back-end SSL IBMHTTP server. With my codeing, I can successfully go through the handshake part, and also get the inputStream, outputStream, and even try to print sth out through the outputstrem without
-
Deski 6.x and 3.0 side by side
I'm just wondering if anyone knows if this, installing Deski 3.0 on a machine that already has 6.x installed, is supported, or whether it inflicts certain conflicts?
-
Can I Change My Eye Color with iPhoto?
Suppose I have a close up picture of someones face. Lets say their eye color ir brown. can iphoto editing change the color of their eye? Like how photoshop can? or can it even lighten the color of the eyes