Using CHAP with RADIUS authentication

Hi
I have configured a Cisco 877 router to send RADIUS requests when a user logs in to the console (Line Console or Line VTY) using the following config:
aaa new-model
aaa authentication login default group radius
aaa authentication ppp default group radius
radius-server host 10.0.0.1 auth-port 1812 acct-port 1812 key mysharedkey
When I log the RADIUS packets I see that the Cisco router is sending the initial AccessRequest using PAP.
How can I configure the router to send it's inial AccessRequest packet using CHAP?
Apologies if this has already been discussed, I have searched high and low for an answer.
Thanks in advance.
John

Hi Carlos
Thanks for your response. I understand what it says in the RFC:
The NAS then sends an Access-Request
   packet to the RADIUS server with the CHAP username as the User-Name
   and with the CHAP ID and CHAP response as the CHAP-Password
   (Attribute 3).
But, by default the NAS (in this case the Cisco 877 router) is sending a RADIUS packet with a PAP encoded password by default. As the NAS initiates the AccessRequest I need to configure it to send the correct attributes for the CHAP challenge. This is configured on the RADIUS server so it knows the NAS is going to send CHAP but the NAS initiates the request and I guess needs to be configured to do so.
Is this possible on a Cisco 877? How?
Thanks
John

Similar Messages

  • ASA , Cisco VPN client with RADIUS authentication

    Hi,
    I have configured ASA for Cisco VPN client with RADIUS authentication using Windows 2003 IAS.
    All seems to be working I get connected and authenticated. However even I use user name and password from Active Directory when connecting with Cisco VPN client I still have to provide these credentials once again when accessing domain resources.
    Should it work like this? Would it be possible to configure ASA/IAS/VPN client in such a way so I enter user name/password just once when connecting and getting access to domain resources straight away?
    Thank you.
    Kind regards,
    Alex

    Hi Alex,
    It is working as it should.
    You can enable the vpn client to start vpn before logon. That way you login to vpn and then logon to the domain. However, you are still entering credentials twice ( vpn and domain) but you have access to domain resources and profiles.
    thanks
    John

  • NAC guest server with RADIUS authentication for guests issue.

    Hi all,
    We have just finally successfully installed our Cisco NAC guest server. We have version 2 of the server and basically the topology consists of a wism at the core of the network and a 4402 controller at the dmz, then out the firewall, no issues with that. We do however have a few problems, how can we provide access through a proxy without using pak files obviously, and is there a way to specify different proxies for different guest traffic, based on IP or a radius attribute etc.
    The second problem is more serious; refer to the documentation below from the configuration guide for guest nac server v2. It states that hotspots can be used and the Authentication option would allow radius authentication for guests, I’ve been told otherwise by Cisco and they say it can’t be done, has anyone got radius authentication working for guests.
    https://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_hotspots.html
    -----START QUOTE-----
    Step 7 From the Operation mode dropdown menu, you can select one of the following methods of operation:
    •Payment Provider—This option allows your page to integrate with a payment providing billing system. You need to select a predefined Payment Provider from the dropdown. (Refer to Configuring Payment Providers for details.) Select the relevant payment provider and proceed to Step 8.
    •Self Service—This option allows guest self service. After selection proceed to Step 8.
    •Authentication—This option allows RADIUS authentication for guests. Proceed to Step 9.
    ----- END QUOTE-----
    Your help is much appreciated on this, I’ve been looking forward to this project for a long time and it’s a bit of an anti climax that I can’t authenticate guests with radius (We use ACS and I was hoping to hook radius into an ODBC database we have setup called open galaxy)
    Regards
    Kevin Woodhouse

    Well I will try to answer your 2nd questions.... will it work... yes.  It is like any other radius server (high end:))  But why would you do this for guest.... there is no reason to open up a port on your FW and to add guest accounts to and worse... add them in AD.  Your guest anchor can supply a web-auth, is able to have a lobby admin account to create guest acounts and if you look at it, it leaves everything in the DMZ.
    Now if you are looking at the self service.... what does that really give you.... you won't be able to controll who gets on, people will use bogus info and last but not least.... I have never gotten that to work right.  Had the BU send me codes that never worked, but again... that was like a year ago and maybe they fixed that.  That is my opinion.

  • Cisco PI 1.3 - Internal Server Error with RADIUS-authentication

    Hi,
    I have a problem with a Cisco Prime Infrastructure 1.3 (Appliance, fully patched) that I'm trying to authenticate against a Radiator RADIUS-server.
    From the RADIUS-server's point of view it looks fine, but I just get an HTTP Status 500 internal error (see attached image) when trying to log in.
    I'm not the one managing the RADIUS-server but I got the following debug sent from them:
    Wed Oct 30 08:52:06 2013: DEBUG: Packet dump:
    *** Received from 10.36.0.132 port 17235 ....
    Code:       Access-Request
    Identifier: 102
    Authentic:  REMOVED
    Attributes:
            User-Name = "test-user"
            User-Password = REMOVED
            NAS-IP-Address = 10.36.0.132
            Message-Authenticator = REMOVED
    Wed Oct 30 08:52:06 2013: DEBUG: Handling request with Handler 'Client-Identifier=/^prime[.]net[.]REMOVED[.]se$/', Identifier 'Network-Prime-AAA'
    Wed Oct 30 08:52:06 2013: DEBUG:  Deleting session for test-user, 10.36.0.132,
    Wed Oct 30 08:52:06 2013: DEBUG: Handling with Radius::AuthUNIX:
    Wed Oct 30 08:52:06 2013: DEBUG: Radius::AuthUNIX looks for match with test-user [test-user]
    Wed Oct 30 08:52:06 2013: DEBUG: Radius::AuthUNIX ACCEPT: : test-user [test-user]
    Wed Oct 30 08:52:06 2013: DEBUG: AuthBy UNIX result: ACCEPT,
    Wed Oct 30 08:52:06 2013: DEBUG: Handling with Radius::AuthFILE:
    Wed Oct 30 08:52:06 2013: DEBUG: Radius::AuthFILE looks for match with test-user [test-user]
    Wed Oct 30 08:52:06 2013: DEBUG: Radius::AuthFILE ACCEPT: : test-user [test-user]
    Wed Oct 30 08:52:06 2013: DEBUG: AuthBy FILE result: ACCEPT,
    Wed Oct 30 08:52:06 2013: DEBUG: Access accepted for test-user
    Wed Oct 30 08:52:06 2013: DEBUG: Packet dump:
    *** Sending to 10.36.0.132 port 17235 ....
    Code:       Access-Accept
    Identifier: 102
    Authentic:  REMOVED
    Attributes:
            cisco-avpair = "NCS:virtual-domain0=ROOT-DOMAIN"
            cisco-avpair = "NCS:role0=Admin"
            cisco-avpair = "NCS:task0=View Alerts and Events"
            cisco-avpair = "NCS:task1=Device Reports"
    ..the rest of the AV-pairs removed
    Does anyone have any idea on what the the problem is, or some tips on how to troubleshoot? (rebooting and ncs stop/start has no impact on the issue)
    //Charlie

    I ran into a similar issue this morning in my lab.  After I issued ncs status - the database service came back as not running.  I stop/started the Prime services and it came up.  Once all the services were running my WLC imported with no issues.  I also deployed another server for another lab and it had issues with the clocking being out of sync. 

  • Exchange Server 2013 with RADIUS authentication

    Hello,
    I am a student and doing an internship. I have to test Microsoft Exchange Server 2013.
    I am using Windows Server 2012, I already installed Exchange Server 2013 on it and everything works as intended.
    But I couldn't find out how to configure my Windows Server 2012 in order to authenticate my mailbox users from Exchange Server 2013 with a RADIUS server which is not on my Windows Server 2012. I have to use their RADIUS server, the RADIUS server from the
    company where I am doing my internship.
    I already created a NPS and added the RADIUS Client + Remote RADIUS Server Groups. I created a Connection Request Policies with the condition:
    User Name *
    I forwarded the Connection Request to the Remote RADIUS server that I created in Remote RADIUS Server Groups and then I registered the NPS in th AD. But it's still not working. 
    Maybe I did something wrong or I misunderstood something or does this even work with Exchange Server 2013? To authenticate mailbox users with a RADIUS server before they can login into their mailbox and use their mailbox?
    Thanks in advance.

    On Wed, 26 Mar 2014 09:21:25 +0000, DavidIntern wrote:
    I already put the NPS as a RADIUS proxy. I followed this check list http://technet.microsoft.com/en-us/library/cc772591.aspx
    But the things is I want to make it work with our freeRADIUS2 that we have in place here. Without changing our freeRADIUS2. But I found out this is not possible since we are not using any Active Directory with it. Since I am still a newbie in this environment,
    I am not sure if it is possible.
    But my main question was if it was possible to use freeRADIUS2 and that my NPS would be the RADIUS proxy. So my question is answered, if I understood right, without making any changes to our freeRADIUS2 this is not going to be possible right? Because we have
    no AD?
    Our setup is freeRADIUS2 + MySQL database where all the users are stored.
    As I mentioned in my previous response this really isn't the right place
    for this question but why would you want to try to use a MySQL store for
    authenticating against Exchange in the first place when you've already got
    an authentication store (Active Directory) that is tightly integrated with
    Exchange?
    I still really don't understand what it is you're trying to accomplish nor
    why you're trying to use such a complicated, convoluted method to
    authenticate Exchange users.
    Paul Adare - FIM CM MVP
    Any sufficiently advanced bug is indistinguishable from a feature.

  • Auto-Signon issue with RADIUS authentication

    Hi all, i post again a question Posted by ronin2307 on Nov 27, 2007, 9:40am PST
    I HAVE THE SAME ISSUE WITH 8.0.3 release!
    Hi,
    we have a fairly simple configuration running on our ASA and try to make use of the webvpn on occasion. The feature used to work great with 7.2, but after we upgraded to 8.0 we started having problems.
    Basically an user (network admin) can log in through the webvpn interface (authenticated by a RADIUS server) and see the links to network shares we provide, click on them and at that point the user is promptedfor credentials again. upon entering them then message comes up that the access to the resources has been blocked due to security reasons.
    Now to me that makes no sense whatsoever. I have already run the following command:
    auto-signon allow ip 192.168.1.0 255.255.255.0 auth-type ntlm
    to try to prevent the second credentials prompt but to doesn't do anything.
    I also tried to capture the webvpn traffic, according to the user manual, but now i have a zip file that contains bunch of files, I cannot read (except notepad, but that doesn't help a lot). Ethereal will not open the files. I couldn't get to display the capture in the browser as described in the manual.
    can anybody give me an idea on what to do to troubleshoot this problem? Thank you very much.

    For single sign on using NTLM on a webVPN set up, you need to ensure you configure it through the command line. Did you use the ASDM for this single sign on? To configure auto-signon for all WebVPN users to servers with IP addresses ranging from
    10.1.1.0 to 10.1.1.255 using NTLM authentication, for example, enter the following
    commands:
    hostname(config)# webvpn
    hostname(config-webvpn)# auto-signon allow ip 10.1.1.1 255.255.255.0 auth-type ntlm
    http://www.cisco.com/en/US/docs/security/asa/asa71/asdm51/selected_procedures/asdmsso.html

  • Radius authentication with ISE - wrong IP address

    Hello,
    We are using ISE for radius authentication.  I have setup a new Cisco switch stack at one of our locations and setup the network device in ISE.  Unfortunately, when trying to authenticate, the ISE logs show a failure of "Could not locate Network Device or AAA Client" The reason for this failure is the log shows it's coming from the wrong IP address.  The IP address of the switch is 10.xxx.aaa.241, but the logs show it is 10.xxx.aaa.243.  I have removed and re-added the radius configs on both ISE and the switch, but it still comes in as .243.  There is another switch stack at that location (same model, IOS etc), that works properly.
    The radius config on the switch:
    aaa new-model
    aaa authentication login default local
    aaa authentication login Comm group radius local
    aaa authentication enable default enable
    aaa authorization exec default group radius if-authenticated
    ip radius source-interface Vlanyy
    radius server 10.xxx.yyy.zzz
     address ipv4 10.xxx.yyy.zzz auth-port 1812 acct-port 1813
     key 7 abcdefg
    The log from ISE:
    Overview
    Event  5405 RADIUS Request dropped 
    Username  
    Endpoint Id  
    Endpoint Profile  
    Authorization Profile  
    Authentication Details
    Source Timestamp  2014-07-30 08:48:51.923 
    Received Timestamp  2014-07-30 08:48:51.923 
    Policy Server  ise
    Event  5405 RADIUS Request dropped 
    Failure Reason  11007 Could not locate Network Device or AAA Client 
    Resolution  Verify whether the Network Device or AAA client is configured in: Administration > Network Resources > Network Devices 
    Root cause  Could not find the network device or the AAA Client while accessing NAS by IP during authentication. 
    Username  
    User Type  
    Endpoint Id  
    Endpoint Profile  
    IP Address  
    Identity Store  
    Identity Group  
    Audit Session Id  
    Authentication Method  
    Authentication Protocol  
    Service Type  
    Network Device  
    Device Type  
    Location  
    NAS IP Address  10.xxx.aaa.243 
    NAS Port Id  tty2 
    NAS Port Type  Virtual 
    Authorization Profile  
    Posture Status  
    Security Group  
    Response Time  
    Other Attributes
    ConfigVersionId  107 
    Device Port  1645 
    DestinationPort  1812 
    Protocol  Radius 
    NAS-Port  2 
    AcsSessionID  ise1/186896437/1172639 
    Device IP Address  10.xxx.aaa.243 
    CiscoAVPair  
       Steps
      11001  Received RADIUS Access-Request 
      11017  RADIUS created a new session 
      11007  Could not locate Network Device or AAA Client 
      5405  
    As a test, I setup a device using the .243 address.  While ISE claims it authenticates, it really doesn't.  I have to use my local account to access the device.
    Any advice on how to resolve this issue would be appreciated.  Please let me know if more information is needed.

    Well from the debug I would say there may be an issue with the addressing of the radius server on the switch.
    radius-server host 10.xxx.xxx.xxx key******** <--- Make sure this address and Key matches what you have in ISE PSN and that switch. Watch for spaces in your key at the begining or end of the string.
    What interface should your switch be sending the radius request?
    ip radius source-interface VlanXXX vrf default
    Here is what my debug looks like when it is working correctly.
    Aug  4 15:58:47 EST: RADIUS/ENCODE(00000265): ask "Password: "
    Aug  4 15:58:47 EST: RADIUS/ENCODE(00000265):Orig. component type = EXEC
    Aug  4 15:58:47 EST: RADIUS(00000265): Config NAS IP: 10.xxx.xxx.251
    Aug  4 15:58:47 EST: RADIUS/ENCODE(00000265): acct_session_id: 613
    Aug  4 15:58:47 EST: RADIUS(00000265): sending
    Aug  4 15:58:47 EST: RADIUS(00000265): Send Access-Request to 10.xxx.xxx.35:1645 id 1645/110, len 104
    Aug  4 15:58:47 EST: RADIUS:  authenticator 97 FB CF 13 2E 6F 62 5D - 5B 10 1B BD BA EB C9 E3
    Aug  4 15:58:47 EST: RADIUS:  User-Name           [1]   9   "admin"
    Aug  4 15:58:47 EST: RADIUS:  Reply-Message       [18]  12 
    Aug  4 15:58:47 EST: RADIUS:   50 61 73 73 77 6F 72 64 3A 20        [ Password: ]
    Aug  4 15:58:47 EST: RADIUS:  User-Password       [2]   18  *
    Aug  4 15:58:47 EST: RADIUS:  NAS-Port            [5]   6   3                        
    Aug  4 15:58:47 EST: RADIUS:  NAS-Port-Id         [87]  6   "tty3"
    Aug  4 15:58:47 EST: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
    Aug  4 15:58:47 EST: RADIUS:  Calling-Station-Id  [31]  15  "10.xxx.xxx.100"
    Aug  4 15:58:47 EST: RADIUS:  Service-Type        [6]   6   Login                     [1]
    Aug  4 15:58:47 EST: RADIUS:  NAS-IP-Address      [4]   6   10.xxx.xxx.251           
    Aug  4 15:58:47 EST: RADIUS(00000265): Started 5 sec timeout
    Aug  4 15:58:47 EST: RADIUS: Received from id 1645/110 10.xxx.xxx.35:1645, Access-Accept, len 127
    Aug  4 15:58:47 EST: RADIUS:  authenticator 1B 98 AB 4F B1 F4 81 41 - 3D E1 E9 DB 33 52 54 C1
    Aug  4 15:58:47 EST: RADIUS:  User-Name           [1]   9   "admin"
    Aug  4 15:58:47 EST: RADIUS:  State               [24]  40 
    Aug  4 15:58:47 EST: RADIUS:   52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 61  [ReauthSession:0a]
    Aug  4 15:58:47 EST: RADIUS:   30 63 66 65 32 33 30 30 30 31 46 37 30 37 35 33  [0cfe230001F70753]
    Aug  4 15:58:47 EST: RADIUS:   44 46 45 35 46 37            [ DFE5F7]
    Aug  4 15:58:47 EST: RADIUS:  Class               [25]  58 
    Aug  4 15:58:47 EST: RADIUS:   43 41 43 53 3A 30 61 30 63 66 65 32 33 30 30 30  [CACS:0a0cfe23000]
    Aug  4 15:58:47 EST: RADIUS:   31 46 37 30 37 35 33 44 46 45 35 46 37 3A 50 52  [1F70753DFE5F7:PR]
    Aug  4 15:58:47 EST: RADIUS:   59 49 53 45 30 30 32 2F 31 39 33 37 39 34 36 39  [YISE002/19379469]
    Aug  4 15:58:47 EST: RADIUS:   38 2F 32 30 36 33 31 36          [ 8/206316]
    Aug  4 15:58:47 EST: RADIUS(00000265): Received from id 1645/110
    ---------------------------------------------------------------------------------------------------------------This is after I added the incorrect Radius server address.
    Aug  4 16:05:19 EST: RADIUS/ENCODE(00000268): ask "Password: "
    Aug  4 16:05:19 EST: RADIUS/ENCODE(00000268):Orig. component type = EXEC
    Aug  4 16:05:19 EST: RADIUS(00000268): Config NAS IP: 10.xxx.xxx.251
    Aug  4 16:05:19 EST: RADIUS/ENCODE(00000268): acct_session_id: 616
    Aug  4 16:05:19 EST: RADIUS(00000268): sending
    Aug  4 16:05:19 EST: RADIUS(00000268): Send Access-Request to 10.xxx.xxx.55:1645 id 1645/112, len 104
    Aug  4 16:05:19 EST: RADIUS:  authenticator FC 94 BA 5D 75 1F 84 08 - E0 56 05 3A 7F BC FB BB
    Aug  4 16:05:19 EST: RADIUS:  User-Name           [1]   9   "admin"
    Aug  4 16:05:19 EST: RADIUS:  Reply-Message       [18]  12 
    Aug  4 16:05:19 EST: RADIUS:   50 61 73 73 77 6F 72 64 3A 20        [ Password: ]
    Aug  4 16:05:19 EST: RADIUS:  User-Password       [2]   18  *
    Aug  4 16:05:19 EST: RADIUS:  NAS-Port            [5]   6   7                        
    Aug  4 16:05:19 EST: RADIUS:  NAS-Port-Id         [87]  6   "tty7"
    Aug  4 16:05:19 EST: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
    Aug  4 16:05:19 EST: RADIUS:  Calling-Station-Id  [31]  15  "10.xxx.xxx.100"
    Aug  4 16:05:19 EST: RADIUS:  Service-Type        [6]   6   Login                     [1]
    Aug  4 16:05:19 EST: RADIUS:  NAS-IP-Address      [4]   6   10.xxx.xxx.251           
    Aug  4 16:05:19 EST: RADIUS(00000268): Started 5 sec timeout
    Aug  4 16:05:23 EST: RADIUS(00000268): Request timed out
    Aug  4 16:05:23 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
    Aug  4 16:05:23 EST: RADIUS(00000268): Started 5 sec timeout
    Aug  4 16:05:29 EST: RADIUS(00000268): Request timed out
    Aug  4 16:05:29 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
    Aug  4 16:05:29 EST: RADIUS(00000268): Started 5 sec timeout
    Aug  4 16:05:33 EST: RADIUS(00000268): Request timed out
    Aug  4 16:05:33 EST: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.xxx.xxx.55:1645,1646 is not responding.
    Aug  4 16:05:33 EST: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.xxx.xxx.55:1645,1646 is being marked alive.
    Aug  4 16:05:33 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
    Aug  4 16:05:33 EST: RADIUS(00000268): Started 5 sec timeout
    Aug  4 16:05:38 EST: RADIUS(00000268): Request timed out
    Aug  4 16:05:38 EST: RADIUS: Fail-over to (10.xxx.xxx.55:1645,1646) for id 1645/112
    Aug  4 16:05:38 EST: RADIUS(00000268): Started 5 sec timeout
    Aug  4 16:05:43 EST: RADIUS(00000268): Request timed out
    Aug  4 16:05:43 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
    Aug  4 16:05:43 EST: RADIUS(00000268): Started 5 sec timeout
    Aug  4 16:05:48 EST: RADIUS(00000268): Request timed out
    Aug  4 16:05:48 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
    Aug  4 16:05:48 EST: RADIUS(00000268): Started 5 sec timeout
    Aug  4 16:05:53 EST: RADIUS(00000268): Request timed out
    Aug  4 16:05:53 EST: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.xxx.xxx.55:1645,1646 is not responding.
    Aug  4 16:05:53 EST: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.xxx.xxx.55:1645,1646 is being marked alive.
    Aug  4 16:05:53 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
    Aug  4 16:05:53 EST: RADIUS(00000268): Started 5 sec timeout
    Aug  4 16:05:57 EST: RADIUS(00000268): Request timed out
    Aug  4 16:05:57 EST: RADIUS: No response from (10.xxx.xxx.55:1645,1646) for id 1645/112
    Aug  4 16:05:57 EST: RADIUS/DECODE: parse response no app start; FAIL
    Aug  4 16:05:57 EST: RADIUS/DECODE: parse response; FAIL
    This is a default template I use for all my devices routers or switches hope it helps. I have two PSN's that is why we have two radius-server host commands..
    aaa authentication login vty group radius local enable
    aaa authentication login con group radius local enable
    aaa authentication dot1x default group radius
    aaa authorization network default group radius 
    aaa accounting system default start-stop group radius
    ip radius source-interface VlanXXX vrf default
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 30 tries 3
    radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646 key *********
    radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646 key *********
    radius-server vsa send accounting
    radius-server vsa send authentication
    You can use this in the switch to test radius
    test aaa group radius server 10.xxx.xxx.xxx <username> <password>

  • Cisco ACS 4.2 and Radius authentication?

    Hi,
    I have a Cisco ACS 4.2 installed and using it to authenticate users that log on to switches using TACACS+, when I use local password database, everything is working. But if i try to use external database authentication using a windows 2008 radius server, I have problem that I can only use PAP, not CHAP. Anyone who know if it's possible to use CHAP with external radius authentication?

    To access network devices for administrative purpose, we have only three methods available :
    [1] Telnet : Which uses PAP authentication protocol between client and the NAS device. So the communication between Client and NAS is unencrypted,  and when this information flows from NAS to IAS server gets encrypted using the shared secret key configured on device/IAS server.
    [2] SSH : Which uses  public-key cryptography for encrypting information between client and the NAS device, i.e, information sent between client 
    and NAS is fully secure. And the communication between NAS and IAS is encrypted using shared secret same as above. Good point on SSH side is that commincation channel is secure all the time.Again the authentication type would remain same that is PAP.
    [3] Console:Which is also the same it will not allow to use MSCHAP as there is no need to secure it as you laptop is connected directly to the NAS and then if you are using TACACS it will encrypt the payload .
    Summarizing, we cannot use CHAP, MS-CHAP, MS-CHAP V2 for communication between client and NAS device or administrative access.
    And the most secure way to administer a  device is to use SSH.
    Rgds, Jatin
    Do rate helpful post~

  • SMB 300 switch - RADIUS authentication

    Did anybody have any luck configuring radius authentication with SMB 300 managed switches? I just deployed one and struggling with radius authentication with AD. Radius server works because there are 10 other Catalyst switches and routers working fine.
    Any pointers on how to setup radius authentication for administrative connection? I need it for http, telnet and ssh management session to the switch.
    Thanks in advance,
    Sam

    yes, PAP always use plain text and that doesn't provide any kind of security.  However, administrative session with radius doesn't support chap/mschap.we can't configure firewall/IOS devices for aministration session like telnet/ssh to authenticate users on mschapv2 authentication method.
    If you need secure communication then you may implement TACACS.
    TACACS+ and RADIUS use a shared secret key to provide encryption for communication between the client and the server. RADIUS encrypts the user's password when the client made a request to the server. This encryption prevents someone from sniffing the user's password using a packet analyzer. However other information such as username and services that is being performed can be analyzed. TACACS+ encrypts not just only the entire payload when communicating, but it also encrypts the user's password between the client and the server. This makes it more difficult to decipher information about the communication between the client and the server. TACACS+ uses MD5 hash function in its encryption and decryption algorithm.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • BBSM and RADIUS Authenticated Session Limits

    I have setup a BBSM System with RADIUS authentication, the authentication traffic is passed to a seperate RSA Box to authenticate user using fobs and everything works fine.
    My question is how do I limited the time a user can have a onnection to the BBSM without having to re-authentication

    If you are using the 'Access Code' pageset, when the 'Stop Date and Time' of the Access
    Code is reached, all currently connected users who have used that Access Code, are
    disconnected.
    When you define an Access Code, you define a 'Start Date and Time' and a 'Stop Date and
    Time' for the Access Code. All users who have Connected by using that Access Code will be disconnected when that Date/Time is reached.
    Please refer to
    http://www.cisco.com/en/US/products/sw/netmgtsw/ps533/products_user_guide_ch
    apter09186a0080192294.html#1038530
    for more information on Access Codes.
    HTH,
    -Joe

  • HTTPS with Client Authentication in SOAP sender Adapter

    Hi All,
    In SOAP Sender communication channel. When I generate WSDL with “HTTP Security Level = HTTP:” it works when third party tries to send data to XIwebservice.
    But when I tried with “HTTPS with Client Authentication” option its giving error
    “InfoPath either cannot connect to the data source, the service has timed out, or the server has an invalid certificate.”
    Please guide how to use “HTTPS with Client Authentication” option, and what all configuration need to apply in XI & in third party to use this.
    Regards

    Rohan,
    With spy you can trace the entire route, since you are using client authentication using certificate, it would be a better option to verify with the certificate.
    You also have the option of using a username/pwd combo though that is not advocated as it lowers security levels and is permeable to passive sniffing.
    So the answer to your question is yes, after importing the certificate with sender and third party reciever a test would reveal the complete scenario along with any issues that you could encounter..
    Regards
    Ravi Raman

  • RADIUS Authentication for Enable PW

    Hi Everyone,
    I have my RADIUS authentication working for login passwords but not for the enable password. My config is below;
    aaa new-model
    aaa authentication login default group radius local
    aaa accounting network default start-stop group radius
    When I add the command;
    aaa authentication enable default group radius enable
    I would expect it to allow me to enter my RADIUS pw for the enable one to, but it doesnt. Nor does it allow me to enter the locally configured one?
    Any help would be great,
    Thanks,
    Dan

    Thanks for your reply Rick,
    The debug output is below;
    L2-SW01>
    00:03:02: RADIUS: Authenticating using $enab15$
    00:03:02: RADIUS: ustruct sharecount=1
    00:03:02: RADIUS: Initial Transmit tty0 id 3 x.x.x.x:1812, Access-Request,
    len 72
    00:03:02: Attribute 4 6 AC14024F
    00:03:02: Attribute 5 6 00000000
    00:03:02: Attribute 61 6 00000000
    00:03:02: Attribute 1 10 24656E61
    00:03:02: Attribute 2 18 524FB069
    00:03:02: Attribute 6 6 00000006
    00:03:02: RADIUS: Received from id 3
    x.x.x.x:1812, Access-Reject, len 20
    00:03:02: RADIUS: saved authorization data for user E49424 at 93C6DC
    L2-SW01>
    L2-SW01>
    I am using IAS for RADIUS authentication and I cannot find any option to say "allow enable access".
    Any ideas?
    Cheers,
    Dan

  • WLC 4402 RADIUS Authentication with IAS

    Hello
    I configured a WLAN with PEAP (CHAP v2)and Radius authentication to a Win 2003 IAS Radius Server.
    On the controller 4402 the layer 2 security is set to WPA1+WPA2 with 802.1x authentication.
    The IAS server don't use the configured policy when a authentication reguest arrive.
    I there an issue with special RADIUS attributes or configuration items on the IAS Server?
    The following event appear in the windows logs:
    User STANS\kaesmr was denied access.
    Fully-Qualified-User-Name = STANS\kaesmr
    NAS-IP-Address = 172.17.25.6
    NAS-Identifier = keynet-01
    Called-Station-Identifier = 00-18-74-FB-CA-20:keynet
    Calling-Station-Identifier = 00-16-CE-52-C8-EB
    Client-Friendly-Name = Wireless-Controller
    Client-IP-Address = 172.17.25.6
    NAS-Port-Type = Wireless - IEEE 802.11
    NAS-Port = 1
    Proxy-Policy-Name = Windows-Authentifizierung f?r alle Benutzer verwenden
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = <undetermined>
    Authentication-Type = Extension
    EAP-Type = <undetermined>
    Reason-Code = 21
    Reason = The request was rejected by a third-party extension DLL file.

    What I understand from your post is that the authentication is not handled by your IAS server. IF I am correct, the problem might be with the "Allow AA override" option disabled in your WLAN. If it is enabled, then the AAA server or your IAS server will override the security parameters set locally on the controller.
    So, first ensure whether "Allow AAA override" is enabled under Controller--->WLAN field.
    Also, chek out the logs of the IAS server for obtaining more info on this.

  • Wireless with PEAP Authentication not working using new NPS server

    All,
    We are planning to migrate from our old IAS server to new NPS server. We are testing the new NPS server with our wireless infrastructure using WISM. We are using PEAP with server Cert for authentication. For testing purpose we are doing user authentication but our goal is to do machine authentication. On client side we are using Windows XP, Windows 7 & iPAD’s
    I believe I have configured the NPS & CA server as per the documents I found on Cisco support forum & Microsoft’s site.
    But it is not working for me. I am getting the following error message on the NPS server.
    Error # 1
    =======
    Cryptographic operation.
    Subject:
                Security ID:                 SYSTEM
                Account Name:                       MADXXX
                Account Domain:                    AD
                Logon ID:                    0x3e7
    Cryptographic Parameters:
                Provider Name:          Microsoft Software Key Storage Provider
                Algorithm Name:         RSA
                Key Name:      XXX-Wireless-NPS
                Key Type:       Machine key.
    Cryptographic Operation:
                Operation:       Decrypt.
                Return Code:  0x80090010
    Error # 2
    ======
    An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
    I was wondering if anyone has any insight on what is going on.
    Thanks, Ds

    Scott,
    I have disabled MS-CHAP v1 & only MS-CHAP v2 is enabled on Network Policies > Constraints.
    I  disabled validate Certificate on Windows 7 and tried to authenticate, it is still failing. Here is the output from the event viewer:
    Cryptographic operation.
    Subject:
    Security ID: SYSTEM
    Account Name: MADHFSVNPSPI01$
    Account Domain: AD
    Logon ID: 0x3e7
    Cryptographic Parameters:
    Provider Name: Microsoft Software Key Storage Provider
    Algorithm Name: RSA
    Key Name: DOT-Wireless-NPS
    Key Type: Machine key.
    Cryptographic Operation:
    Operation: Decrypt.
    Return Code: 0x80090010
    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
    Security ID: AD\mscdzs
    Account Name: AD\mscdzs
    Account Domain: AD
    Fully Qualified Account Name: AD\mscdzs
    Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: 64-ae-0c-00-de-f0:DOT
    Calling Station Identifier: a0-88-b4-e2-79-cc
    NAS:
    NAS IPv4 Address: 130.47.128.7
    NAS IPv6 Address: -
    NAS Identifier: WISM2B
    NAS Port-Type: Wireless - IEEE 802.11
    NAS Port: 29
    RADIUS Client:
    Client Friendly Name: WISM2B
    Client IP Address: 130.47.128.7
    Authentication Details:
    Connection Request Policy Name: Secure Wireless Connections
    Network Policy Name: Secure Wireless Connections
    Authentication Provider: Windows
    Authentication Server: MADHFSVNPSPI01.AD.DOT.STATE.WI.US
    Authentication Type: PEAP
    EAP Type: -
    Account Session Identifier: -
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 23
    Reason: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
    Attached are EAP logs & debug logs from the controller.
    Thanks for all the help. I really appreciate.

  • ACS 5.3 Radius authentication with ASA and DACL

    Hi,
    I am trying to do Radius authentication on the ACS 5.3 for VPN access (cisco client) using a downloadable ACL with AD identity
    Clients are connecting to an ASA 5510 with image asa843-K8.bin
    I followed the configuration example on the Cisco site, but I am having some problems
    First : AD identity is not triggered, I put a profile  :
    Status
    Name
    Conditions
    Results
    Hit Count
    NDG:Location
    Time And   Date
    AD1:memberOf
    Authorization   Profiles
    1
    TestVPNDACL
    -ANY-
    -ANY-
    equals Network Admin
    TEST DACL
    0
    But if I am getting no hits on it, Default Access is being used (Permit Access)
    So I tried putting the DACL in the default profile, but when connecting I am immediately disconnected.
    I can see the DACL/ASA being authenticated in the ACS log but no success
    I am using my user which is member of the Network Admin Group.
    Am I missing something?
    Any help greatly appreciated!
    Wim

    Hello Stephen,
    As per the IP Pools feature, the ACS 5.x does not include such functionality. It is not on the ACS 5.x roadmap either as the recommended scenario would be to use a dedicated DHCP server.
    ACS 4.x included that functionality, however, it was not the best solution as the ACS returned the IP Address value as a RADIUS Attribute instead of acting as a real DCHP server.
    As per the IMEI and MISDN I am assuming you are referring to International Mobile Equipment Identity and Mobile Subscriber ISDN. Correct me if I am wrong.
    In that case it seems that the ACS 5.x should be able to Allow or Deny access based on Radius Attribute 30 (Called-Station-Id) and 31 (Calling-Station-Id).
    In that case you might want to use the End-Station Filters feature and use it as the condition for the Rule. The End-Station Filter feature uses CLI/DNIS where CLI is Radius Attribute 31 and DNIS is Attribute 30.
    I am assuming a Generic Username will be embedded on the devices request. In that case you will define which end-user devices will be granted access based on the above attributes.
    Here is a snapshot of the section:

Maybe you are looking for

  • Ordered a New 8 Core - OWC Memory OK?

    I finally bit the bullet and ordered the new 8 core Mac Pro. I need more memory, and while I normally do Crucial.com I used OWC in this case because it was substantially cheaper. I was able to get 4GB of OWC for less than the cost of 2GB from Crucial

  • Totakky confused!

    Just got my 30g ipod as a gift. First I downloaded the software with the supplied disk. I have a Dell XPS computer with lots of space. When connected to my pc The "do not disconnect" screen stays on. I have downloaded songs onto my pc using limewire.

  • Convert varchar HH:MM AM in date HH24

    I have two column (varchar) with these format values HH:MM AM or PM , I have need of two columns date because I have to try the differents between them. example column1(date finish) column2 (date start) result (minutes) 16:30 17:45 75 Someone can hel

  • Internet Pricing Increase

    Kind of misleading. If a promotion is for $19, $29, or whatever for a year, that is what the customer is expecting to pay for a year regardless if the internet rates go up.

  • ROS Error while saving form

    Hi, When i am saving a form it is giving the following error : ROS Error: -200 I dont understand where the problem is. My forms version is 6.0.8.24.1 Any help in this regard is highly appreciated. Thanks in advance. Venkat.