Using CHAP with RADIUS authentication
Hi
I have configured a Cisco 877 router to send RADIUS requests when a user logs in to the console (Line Console or Line VTY) using the following config:
aaa new-model
aaa authentication login default group radius
aaa authentication ppp default group radius
radius-server host 10.0.0.1 auth-port 1812 acct-port 1812 key mysharedkey
When I log the RADIUS packets I see that the Cisco router is sending the initial AccessRequest using PAP.
How can I configure the router to send it's inial AccessRequest packet using CHAP?
Apologies if this has already been discussed, I have searched high and low for an answer.
Thanks in advance.
John
Hi Carlos
Thanks for your response. I understand what it says in the RFC:
The NAS then sends an Access-Request
packet to the RADIUS server with the CHAP username as the User-Name
and with the CHAP ID and CHAP response as the CHAP-Password
(Attribute 3).
But, by default the NAS (in this case the Cisco 877 router) is sending a RADIUS packet with a PAP encoded password by default. As the NAS initiates the AccessRequest I need to configure it to send the correct attributes for the CHAP challenge. This is configured on the RADIUS server so it knows the NAS is going to send CHAP but the NAS initiates the request and I guess needs to be configured to do so.
Is this possible on a Cisco 877? How?
Thanks
John
Similar Messages
-
ASA , Cisco VPN client with RADIUS authentication
Hi,
I have configured ASA for Cisco VPN client with RADIUS authentication using Windows 2003 IAS.
All seems to be working I get connected and authenticated. However even I use user name and password from Active Directory when connecting with Cisco VPN client I still have to provide these credentials once again when accessing domain resources.
Should it work like this? Would it be possible to configure ASA/IAS/VPN client in such a way so I enter user name/password just once when connecting and getting access to domain resources straight away?
Thank you.
Kind regards,
AlexHi Alex,
It is working as it should.
You can enable the vpn client to start vpn before logon. That way you login to vpn and then logon to the domain. However, you are still entering credentials twice ( vpn and domain) but you have access to domain resources and profiles.
thanks
John -
NAC guest server with RADIUS authentication for guests issue.
Hi all,
We have just finally successfully installed our Cisco NAC guest server. We have version 2 of the server and basically the topology consists of a wism at the core of the network and a 4402 controller at the dmz, then out the firewall, no issues with that. We do however have a few problems, how can we provide access through a proxy without using pak files obviously, and is there a way to specify different proxies for different guest traffic, based on IP or a radius attribute etc.
The second problem is more serious; refer to the documentation below from the configuration guide for guest nac server v2. It states that hotspots can be used and the Authentication option would allow radius authentication for guests, I’ve been told otherwise by Cisco and they say it can’t be done, has anyone got radius authentication working for guests.
https://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_hotspots.html
-----START QUOTE-----
Step 7 From the Operation mode dropdown menu, you can select one of the following methods of operation:
•Payment Provider—This option allows your page to integrate with a payment providing billing system. You need to select a predefined Payment Provider from the dropdown. (Refer to Configuring Payment Providers for details.) Select the relevant payment provider and proceed to Step 8.
•Self Service—This option allows guest self service. After selection proceed to Step 8.
•Authentication—This option allows RADIUS authentication for guests. Proceed to Step 9.
----- END QUOTE-----
Your help is much appreciated on this, I’ve been looking forward to this project for a long time and it’s a bit of an anti climax that I can’t authenticate guests with radius (We use ACS and I was hoping to hook radius into an ODBC database we have setup called open galaxy)
Regards
Kevin WoodhouseWell I will try to answer your 2nd questions.... will it work... yes. It is like any other radius server (high end:)) But why would you do this for guest.... there is no reason to open up a port on your FW and to add guest accounts to and worse... add them in AD. Your guest anchor can supply a web-auth, is able to have a lobby admin account to create guest acounts and if you look at it, it leaves everything in the DMZ.
Now if you are looking at the self service.... what does that really give you.... you won't be able to controll who gets on, people will use bogus info and last but not least.... I have never gotten that to work right. Had the BU send me codes that never worked, but again... that was like a year ago and maybe they fixed that. That is my opinion. -
Cisco PI 1.3 - Internal Server Error with RADIUS-authentication
Hi,
I have a problem with a Cisco Prime Infrastructure 1.3 (Appliance, fully patched) that I'm trying to authenticate against a Radiator RADIUS-server.
From the RADIUS-server's point of view it looks fine, but I just get an HTTP Status 500 internal error (see attached image) when trying to log in.
I'm not the one managing the RADIUS-server but I got the following debug sent from them:
Wed Oct 30 08:52:06 2013: DEBUG: Packet dump:
*** Received from 10.36.0.132 port 17235 ....
Code: Access-Request
Identifier: 102
Authentic: REMOVED
Attributes:
User-Name = "test-user"
User-Password = REMOVED
NAS-IP-Address = 10.36.0.132
Message-Authenticator = REMOVED
Wed Oct 30 08:52:06 2013: DEBUG: Handling request with Handler 'Client-Identifier=/^prime[.]net[.]REMOVED[.]se$/', Identifier 'Network-Prime-AAA'
Wed Oct 30 08:52:06 2013: DEBUG: Deleting session for test-user, 10.36.0.132,
Wed Oct 30 08:52:06 2013: DEBUG: Handling with Radius::AuthUNIX:
Wed Oct 30 08:52:06 2013: DEBUG: Radius::AuthUNIX looks for match with test-user [test-user]
Wed Oct 30 08:52:06 2013: DEBUG: Radius::AuthUNIX ACCEPT: : test-user [test-user]
Wed Oct 30 08:52:06 2013: DEBUG: AuthBy UNIX result: ACCEPT,
Wed Oct 30 08:52:06 2013: DEBUG: Handling with Radius::AuthFILE:
Wed Oct 30 08:52:06 2013: DEBUG: Radius::AuthFILE looks for match with test-user [test-user]
Wed Oct 30 08:52:06 2013: DEBUG: Radius::AuthFILE ACCEPT: : test-user [test-user]
Wed Oct 30 08:52:06 2013: DEBUG: AuthBy FILE result: ACCEPT,
Wed Oct 30 08:52:06 2013: DEBUG: Access accepted for test-user
Wed Oct 30 08:52:06 2013: DEBUG: Packet dump:
*** Sending to 10.36.0.132 port 17235 ....
Code: Access-Accept
Identifier: 102
Authentic: REMOVED
Attributes:
cisco-avpair = "NCS:virtual-domain0=ROOT-DOMAIN"
cisco-avpair = "NCS:role0=Admin"
cisco-avpair = "NCS:task0=View Alerts and Events"
cisco-avpair = "NCS:task1=Device Reports"
..the rest of the AV-pairs removed
Does anyone have any idea on what the the problem is, or some tips on how to troubleshoot? (rebooting and ncs stop/start has no impact on the issue)
//CharlieI ran into a similar issue this morning in my lab. After I issued ncs status - the database service came back as not running. I stop/started the Prime services and it came up. Once all the services were running my WLC imported with no issues. I also deployed another server for another lab and it had issues with the clocking being out of sync.
-
Exchange Server 2013 with RADIUS authentication
Hello,
I am a student and doing an internship. I have to test Microsoft Exchange Server 2013.
I am using Windows Server 2012, I already installed Exchange Server 2013 on it and everything works as intended.
But I couldn't find out how to configure my Windows Server 2012 in order to authenticate my mailbox users from Exchange Server 2013 with a RADIUS server which is not on my Windows Server 2012. I have to use their RADIUS server, the RADIUS server from the
company where I am doing my internship.
I already created a NPS and added the RADIUS Client + Remote RADIUS Server Groups. I created a Connection Request Policies with the condition:
User Name *
I forwarded the Connection Request to the Remote RADIUS server that I created in Remote RADIUS Server Groups and then I registered the NPS in th AD. But it's still not working.
Maybe I did something wrong or I misunderstood something or does this even work with Exchange Server 2013? To authenticate mailbox users with a RADIUS server before they can login into their mailbox and use their mailbox?
Thanks in advance.On Wed, 26 Mar 2014 09:21:25 +0000, DavidIntern wrote:
I already put the NPS as a RADIUS proxy. I followed this check list http://technet.microsoft.com/en-us/library/cc772591.aspx
But the things is I want to make it work with our freeRADIUS2 that we have in place here. Without changing our freeRADIUS2. But I found out this is not possible since we are not using any Active Directory with it. Since I am still a newbie in this environment,
I am not sure if it is possible.
But my main question was if it was possible to use freeRADIUS2 and that my NPS would be the RADIUS proxy. So my question is answered, if I understood right, without making any changes to our freeRADIUS2 this is not going to be possible right? Because we have
no AD?
Our setup is freeRADIUS2 + MySQL database where all the users are stored.
As I mentioned in my previous response this really isn't the right place
for this question but why would you want to try to use a MySQL store for
authenticating against Exchange in the first place when you've already got
an authentication store (Active Directory) that is tightly integrated with
Exchange?
I still really don't understand what it is you're trying to accomplish nor
why you're trying to use such a complicated, convoluted method to
authenticate Exchange users.
Paul Adare - FIM CM MVP
Any sufficiently advanced bug is indistinguishable from a feature. -
Auto-Signon issue with RADIUS authentication
Hi all, i post again a question Posted by ronin2307 on Nov 27, 2007, 9:40am PST
I HAVE THE SAME ISSUE WITH 8.0.3 release!
Hi,
we have a fairly simple configuration running on our ASA and try to make use of the webvpn on occasion. The feature used to work great with 7.2, but after we upgraded to 8.0 we started having problems.
Basically an user (network admin) can log in through the webvpn interface (authenticated by a RADIUS server) and see the links to network shares we provide, click on them and at that point the user is promptedfor credentials again. upon entering them then message comes up that the access to the resources has been blocked due to security reasons.
Now to me that makes no sense whatsoever. I have already run the following command:
auto-signon allow ip 192.168.1.0 255.255.255.0 auth-type ntlm
to try to prevent the second credentials prompt but to doesn't do anything.
I also tried to capture the webvpn traffic, according to the user manual, but now i have a zip file that contains bunch of files, I cannot read (except notepad, but that doesn't help a lot). Ethereal will not open the files. I couldn't get to display the capture in the browser as described in the manual.
can anybody give me an idea on what to do to troubleshoot this problem? Thank you very much.For single sign on using NTLM on a webVPN set up, you need to ensure you configure it through the command line. Did you use the ASDM for this single sign on? To configure auto-signon for all WebVPN users to servers with IP addresses ranging from
10.1.1.0 to 10.1.1.255 using NTLM authentication, for example, enter the following
commands:
hostname(config)# webvpn
hostname(config-webvpn)# auto-signon allow ip 10.1.1.1 255.255.255.0 auth-type ntlm
http://www.cisco.com/en/US/docs/security/asa/asa71/asdm51/selected_procedures/asdmsso.html -
Radius authentication with ISE - wrong IP address
Hello,
We are using ISE for radius authentication. I have setup a new Cisco switch stack at one of our locations and setup the network device in ISE. Unfortunately, when trying to authenticate, the ISE logs show a failure of "Could not locate Network Device or AAA Client" The reason for this failure is the log shows it's coming from the wrong IP address. The IP address of the switch is 10.xxx.aaa.241, but the logs show it is 10.xxx.aaa.243. I have removed and re-added the radius configs on both ISE and the switch, but it still comes in as .243. There is another switch stack at that location (same model, IOS etc), that works properly.
The radius config on the switch:
aaa new-model
aaa authentication login default local
aaa authentication login Comm group radius local
aaa authentication enable default enable
aaa authorization exec default group radius if-authenticated
ip radius source-interface Vlanyy
radius server 10.xxx.yyy.zzz
address ipv4 10.xxx.yyy.zzz auth-port 1812 acct-port 1813
key 7 abcdefg
The log from ISE:
Overview
Event 5405 RADIUS Request dropped
Username
Endpoint Id
Endpoint Profile
Authorization Profile
Authentication Details
Source Timestamp 2014-07-30 08:48:51.923
Received Timestamp 2014-07-30 08:48:51.923
Policy Server ise
Event 5405 RADIUS Request dropped
Failure Reason 11007 Could not locate Network Device or AAA Client
Resolution Verify whether the Network Device or AAA client is configured in: Administration > Network Resources > Network Devices
Root cause Could not find the network device or the AAA Client while accessing NAS by IP during authentication.
Username
User Type
Endpoint Id
Endpoint Profile
IP Address
Identity Store
Identity Group
Audit Session Id
Authentication Method
Authentication Protocol
Service Type
Network Device
Device Type
Location
NAS IP Address 10.xxx.aaa.243
NAS Port Id tty2
NAS Port Type Virtual
Authorization Profile
Posture Status
Security Group
Response Time
Other Attributes
ConfigVersionId 107
Device Port 1645
DestinationPort 1812
Protocol Radius
NAS-Port 2
AcsSessionID ise1/186896437/1172639
Device IP Address 10.xxx.aaa.243
CiscoAVPair
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11007 Could not locate Network Device or AAA Client
5405
As a test, I setup a device using the .243 address. While ISE claims it authenticates, it really doesn't. I have to use my local account to access the device.
Any advice on how to resolve this issue would be appreciated. Please let me know if more information is needed.Well from the debug I would say there may be an issue with the addressing of the radius server on the switch.
radius-server host 10.xxx.xxx.xxx key******** <--- Make sure this address and Key matches what you have in ISE PSN and that switch. Watch for spaces in your key at the begining or end of the string.
What interface should your switch be sending the radius request?
ip radius source-interface VlanXXX vrf default
Here is what my debug looks like when it is working correctly.
Aug 4 15:58:47 EST: RADIUS/ENCODE(00000265): ask "Password: "
Aug 4 15:58:47 EST: RADIUS/ENCODE(00000265):Orig. component type = EXEC
Aug 4 15:58:47 EST: RADIUS(00000265): Config NAS IP: 10.xxx.xxx.251
Aug 4 15:58:47 EST: RADIUS/ENCODE(00000265): acct_session_id: 613
Aug 4 15:58:47 EST: RADIUS(00000265): sending
Aug 4 15:58:47 EST: RADIUS(00000265): Send Access-Request to 10.xxx.xxx.35:1645 id 1645/110, len 104
Aug 4 15:58:47 EST: RADIUS: authenticator 97 FB CF 13 2E 6F 62 5D - 5B 10 1B BD BA EB C9 E3
Aug 4 15:58:47 EST: RADIUS: User-Name [1] 9 "admin"
Aug 4 15:58:47 EST: RADIUS: Reply-Message [18] 12
Aug 4 15:58:47 EST: RADIUS: 50 61 73 73 77 6F 72 64 3A 20 [ Password: ]
Aug 4 15:58:47 EST: RADIUS: User-Password [2] 18 *
Aug 4 15:58:47 EST: RADIUS: NAS-Port [5] 6 3
Aug 4 15:58:47 EST: RADIUS: NAS-Port-Id [87] 6 "tty3"
Aug 4 15:58:47 EST: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Aug 4 15:58:47 EST: RADIUS: Calling-Station-Id [31] 15 "10.xxx.xxx.100"
Aug 4 15:58:47 EST: RADIUS: Service-Type [6] 6 Login [1]
Aug 4 15:58:47 EST: RADIUS: NAS-IP-Address [4] 6 10.xxx.xxx.251
Aug 4 15:58:47 EST: RADIUS(00000265): Started 5 sec timeout
Aug 4 15:58:47 EST: RADIUS: Received from id 1645/110 10.xxx.xxx.35:1645, Access-Accept, len 127
Aug 4 15:58:47 EST: RADIUS: authenticator 1B 98 AB 4F B1 F4 81 41 - 3D E1 E9 DB 33 52 54 C1
Aug 4 15:58:47 EST: RADIUS: User-Name [1] 9 "admin"
Aug 4 15:58:47 EST: RADIUS: State [24] 40
Aug 4 15:58:47 EST: RADIUS: 52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 61 [ReauthSession:0a]
Aug 4 15:58:47 EST: RADIUS: 30 63 66 65 32 33 30 30 30 31 46 37 30 37 35 33 [0cfe230001F70753]
Aug 4 15:58:47 EST: RADIUS: 44 46 45 35 46 37 [ DFE5F7]
Aug 4 15:58:47 EST: RADIUS: Class [25] 58
Aug 4 15:58:47 EST: RADIUS: 43 41 43 53 3A 30 61 30 63 66 65 32 33 30 30 30 [CACS:0a0cfe23000]
Aug 4 15:58:47 EST: RADIUS: 31 46 37 30 37 35 33 44 46 45 35 46 37 3A 50 52 [1F70753DFE5F7:PR]
Aug 4 15:58:47 EST: RADIUS: 59 49 53 45 30 30 32 2F 31 39 33 37 39 34 36 39 [YISE002/19379469]
Aug 4 15:58:47 EST: RADIUS: 38 2F 32 30 36 33 31 36 [ 8/206316]
Aug 4 15:58:47 EST: RADIUS(00000265): Received from id 1645/110
---------------------------------------------------------------------------------------------------------------This is after I added the incorrect Radius server address.
Aug 4 16:05:19 EST: RADIUS/ENCODE(00000268): ask "Password: "
Aug 4 16:05:19 EST: RADIUS/ENCODE(00000268):Orig. component type = EXEC
Aug 4 16:05:19 EST: RADIUS(00000268): Config NAS IP: 10.xxx.xxx.251
Aug 4 16:05:19 EST: RADIUS/ENCODE(00000268): acct_session_id: 616
Aug 4 16:05:19 EST: RADIUS(00000268): sending
Aug 4 16:05:19 EST: RADIUS(00000268): Send Access-Request to 10.xxx.xxx.55:1645 id 1645/112, len 104
Aug 4 16:05:19 EST: RADIUS: authenticator FC 94 BA 5D 75 1F 84 08 - E0 56 05 3A 7F BC FB BB
Aug 4 16:05:19 EST: RADIUS: User-Name [1] 9 "admin"
Aug 4 16:05:19 EST: RADIUS: Reply-Message [18] 12
Aug 4 16:05:19 EST: RADIUS: 50 61 73 73 77 6F 72 64 3A 20 [ Password: ]
Aug 4 16:05:19 EST: RADIUS: User-Password [2] 18 *
Aug 4 16:05:19 EST: RADIUS: NAS-Port [5] 6 7
Aug 4 16:05:19 EST: RADIUS: NAS-Port-Id [87] 6 "tty7"
Aug 4 16:05:19 EST: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Aug 4 16:05:19 EST: RADIUS: Calling-Station-Id [31] 15 "10.xxx.xxx.100"
Aug 4 16:05:19 EST: RADIUS: Service-Type [6] 6 Login [1]
Aug 4 16:05:19 EST: RADIUS: NAS-IP-Address [4] 6 10.xxx.xxx.251
Aug 4 16:05:19 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:23 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:23 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:23 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:29 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:29 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:29 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:33 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:33 EST: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.xxx.xxx.55:1645,1646 is not responding.
Aug 4 16:05:33 EST: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.xxx.xxx.55:1645,1646 is being marked alive.
Aug 4 16:05:33 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:33 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:38 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:38 EST: RADIUS: Fail-over to (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:38 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:43 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:43 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:43 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:48 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:48 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:48 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:53 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:53 EST: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.xxx.xxx.55:1645,1646 is not responding.
Aug 4 16:05:53 EST: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.xxx.xxx.55:1645,1646 is being marked alive.
Aug 4 16:05:53 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:53 EST: RADIUS(00000268): Started 5 sec timeout
Aug 4 16:05:57 EST: RADIUS(00000268): Request timed out
Aug 4 16:05:57 EST: RADIUS: No response from (10.xxx.xxx.55:1645,1646) for id 1645/112
Aug 4 16:05:57 EST: RADIUS/DECODE: parse response no app start; FAIL
Aug 4 16:05:57 EST: RADIUS/DECODE: parse response; FAIL
This is a default template I use for all my devices routers or switches hope it helps. I have two PSN's that is why we have two radius-server host commands..
aaa authentication login vty group radius local enable
aaa authentication login con group radius local enable
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting system default start-stop group radius
ip radius source-interface VlanXXX vrf default
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646 key *********
radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646 key *********
radius-server vsa send accounting
radius-server vsa send authentication
You can use this in the switch to test radius
test aaa group radius server 10.xxx.xxx.xxx <username> <password> -
Cisco ACS 4.2 and Radius authentication?
Hi,
I have a Cisco ACS 4.2 installed and using it to authenticate users that log on to switches using TACACS+, when I use local password database, everything is working. But if i try to use external database authentication using a windows 2008 radius server, I have problem that I can only use PAP, not CHAP. Anyone who know if it's possible to use CHAP with external radius authentication?To access network devices for administrative purpose, we have only three methods available :
[1] Telnet : Which uses PAP authentication protocol between client and the NAS device. So the communication between Client and NAS is unencrypted, and when this information flows from NAS to IAS server gets encrypted using the shared secret key configured on device/IAS server.
[2] SSH : Which uses public-key cryptography for encrypting information between client and the NAS device, i.e, information sent between client
and NAS is fully secure. And the communication between NAS and IAS is encrypted using shared secret same as above. Good point on SSH side is that commincation channel is secure all the time.Again the authentication type would remain same that is PAP.
[3] Console:Which is also the same it will not allow to use MSCHAP as there is no need to secure it as you laptop is connected directly to the NAS and then if you are using TACACS it will encrypt the payload .
Summarizing, we cannot use CHAP, MS-CHAP, MS-CHAP V2 for communication between client and NAS device or administrative access.
And the most secure way to administer a device is to use SSH.
Rgds, Jatin
Do rate helpful post~ -
SMB 300 switch - RADIUS authentication
Did anybody have any luck configuring radius authentication with SMB 300 managed switches? I just deployed one and struggling with radius authentication with AD. Radius server works because there are 10 other Catalyst switches and routers working fine.
Any pointers on how to setup radius authentication for administrative connection? I need it for http, telnet and ssh management session to the switch.
Thanks in advance,
Samyes, PAP always use plain text and that doesn't provide any kind of security. However, administrative session with radius doesn't support chap/mschap.we can't configure firewall/IOS devices for aministration session like telnet/ssh to authenticate users on mschapv2 authentication method.
If you need secure communication then you may implement TACACS.
TACACS+ and RADIUS use a shared secret key to provide encryption for communication between the client and the server. RADIUS encrypts the user's password when the client made a request to the server. This encryption prevents someone from sniffing the user's password using a packet analyzer. However other information such as username and services that is being performed can be analyzed. TACACS+ encrypts not just only the entire payload when communicating, but it also encrypts the user's password between the client and the server. This makes it more difficult to decipher information about the communication between the client and the server. TACACS+ uses MD5 hash function in its encryption and decryption algorithm.
~BR
Jatin Katyal
**Do rate helpful posts** -
BBSM and RADIUS Authenticated Session Limits
I have setup a BBSM System with RADIUS authentication, the authentication traffic is passed to a seperate RSA Box to authenticate user using fobs and everything works fine.
My question is how do I limited the time a user can have a onnection to the BBSM without having to re-authenticationIf you are using the 'Access Code' pageset, when the 'Stop Date and Time' of the Access
Code is reached, all currently connected users who have used that Access Code, are
disconnected.
When you define an Access Code, you define a 'Start Date and Time' and a 'Stop Date and
Time' for the Access Code. All users who have Connected by using that Access Code will be disconnected when that Date/Time is reached.
Please refer to
http://www.cisco.com/en/US/products/sw/netmgtsw/ps533/products_user_guide_ch
apter09186a0080192294.html#1038530
for more information on Access Codes.
HTH,
-Joe -
HTTPS with Client Authentication in SOAP sender Adapter
Hi All,
In SOAP Sender communication channel. When I generate WSDL with HTTP Security Level = HTTP: it works when third party tries to send data to XIwebservice.
But when I tried with HTTPS with Client Authentication option its giving error
InfoPath either cannot connect to the data source, the service has timed out, or the server has an invalid certificate.
Please guide how to use HTTPS with Client Authentication option, and what all configuration need to apply in XI & in third party to use this.
RegardsRohan,
With spy you can trace the entire route, since you are using client authentication using certificate, it would be a better option to verify with the certificate.
You also have the option of using a username/pwd combo though that is not advocated as it lowers security levels and is permeable to passive sniffing.
So the answer to your question is yes, after importing the certificate with sender and third party reciever a test would reveal the complete scenario along with any issues that you could encounter..
Regards
Ravi Raman -
RADIUS Authentication for Enable PW
Hi Everyone,
I have my RADIUS authentication working for login passwords but not for the enable password. My config is below;
aaa new-model
aaa authentication login default group radius local
aaa accounting network default start-stop group radius
When I add the command;
aaa authentication enable default group radius enable
I would expect it to allow me to enter my RADIUS pw for the enable one to, but it doesnt. Nor does it allow me to enter the locally configured one?
Any help would be great,
Thanks,
DanThanks for your reply Rick,
The debug output is below;
L2-SW01>
00:03:02: RADIUS: Authenticating using $enab15$
00:03:02: RADIUS: ustruct sharecount=1
00:03:02: RADIUS: Initial Transmit tty0 id 3 x.x.x.x:1812, Access-Request,
len 72
00:03:02: Attribute 4 6 AC14024F
00:03:02: Attribute 5 6 00000000
00:03:02: Attribute 61 6 00000000
00:03:02: Attribute 1 10 24656E61
00:03:02: Attribute 2 18 524FB069
00:03:02: Attribute 6 6 00000006
00:03:02: RADIUS: Received from id 3
x.x.x.x:1812, Access-Reject, len 20
00:03:02: RADIUS: saved authorization data for user E49424 at 93C6DC
L2-SW01>
L2-SW01>
I am using IAS for RADIUS authentication and I cannot find any option to say "allow enable access".
Any ideas?
Cheers,
Dan -
WLC 4402 RADIUS Authentication with IAS
Hello
I configured a WLAN with PEAP (CHAP v2)and Radius authentication to a Win 2003 IAS Radius Server.
On the controller 4402 the layer 2 security is set to WPA1+WPA2 with 802.1x authentication.
The IAS server don't use the configured policy when a authentication reguest arrive.
I there an issue with special RADIUS attributes or configuration items on the IAS Server?
The following event appear in the windows logs:
User STANS\kaesmr was denied access.
Fully-Qualified-User-Name = STANS\kaesmr
NAS-IP-Address = 172.17.25.6
NAS-Identifier = keynet-01
Called-Station-Identifier = 00-18-74-FB-CA-20:keynet
Calling-Station-Identifier = 00-16-CE-52-C8-EB
Client-Friendly-Name = Wireless-Controller
Client-IP-Address = 172.17.25.6
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 1
Proxy-Policy-Name = Windows-Authentifizierung f?r alle Benutzer verwenden
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = Extension
EAP-Type = <undetermined>
Reason-Code = 21
Reason = The request was rejected by a third-party extension DLL file.What I understand from your post is that the authentication is not handled by your IAS server. IF I am correct, the problem might be with the "Allow AA override" option disabled in your WLAN. If it is enabled, then the AAA server or your IAS server will override the security parameters set locally on the controller.
So, first ensure whether "Allow AAA override" is enabled under Controller--->WLAN field.
Also, chek out the logs of the IAS server for obtaining more info on this. -
Wireless with PEAP Authentication not working using new NPS server
All,
We are planning to migrate from our old IAS server to new NPS server. We are testing the new NPS server with our wireless infrastructure using WISM. We are using PEAP with server Cert for authentication. For testing purpose we are doing user authentication but our goal is to do machine authentication. On client side we are using Windows XP, Windows 7 & iPAD’s
I believe I have configured the NPS & CA server as per the documents I found on Cisco support forum & Microsoft’s site.
But it is not working for me. I am getting the following error message on the NPS server.
Error # 1
=======
Cryptographic operation.
Subject:
Security ID: SYSTEM
Account Name: MADXXX
Account Domain: AD
Logon ID: 0x3e7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: XXX-Wireless-NPS
Key Type: Machine key.
Cryptographic Operation:
Operation: Decrypt.
Return Code: 0x80090010
Error # 2
======
An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
I was wondering if anyone has any insight on what is going on.
Thanks, DsScott,
I have disabled MS-CHAP v1 & only MS-CHAP v2 is enabled on Network Policies > Constraints.
I disabled validate Certificate on Windows 7 and tried to authenticate, it is still failing. Here is the output from the event viewer:
Cryptographic operation.
Subject:
Security ID: SYSTEM
Account Name: MADHFSVNPSPI01$
Account Domain: AD
Logon ID: 0x3e7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: DOT-Wireless-NPS
Key Type: Machine key.
Cryptographic Operation:
Operation: Decrypt.
Return Code: 0x80090010
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: AD\mscdzs
Account Name: AD\mscdzs
Account Domain: AD
Fully Qualified Account Name: AD\mscdzs
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 64-ae-0c-00-de-f0:DOT
Calling Station Identifier: a0-88-b4-e2-79-cc
NAS:
NAS IPv4 Address: 130.47.128.7
NAS IPv6 Address: -
NAS Identifier: WISM2B
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 29
RADIUS Client:
Client Friendly Name: WISM2B
Client IP Address: 130.47.128.7
Authentication Details:
Connection Request Policy Name: Secure Wireless Connections
Network Policy Name: Secure Wireless Connections
Authentication Provider: Windows
Authentication Server: MADHFSVNPSPI01.AD.DOT.STATE.WI.US
Authentication Type: PEAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 23
Reason: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
Attached are EAP logs & debug logs from the controller.
Thanks for all the help. I really appreciate. -
ACS 5.3 Radius authentication with ASA and DACL
Hi,
I am trying to do Radius authentication on the ACS 5.3 for VPN access (cisco client) using a downloadable ACL with AD identity
Clients are connecting to an ASA 5510 with image asa843-K8.bin
I followed the configuration example on the Cisco site, but I am having some problems
First : AD identity is not triggered, I put a profile :
Status
Name
Conditions
Results
Hit Count
NDG:Location
Time And Date
AD1:memberOf
Authorization Profiles
1
TestVPNDACL
-ANY-
-ANY-
equals Network Admin
TEST DACL
0
But if I am getting no hits on it, Default Access is being used (Permit Access)
So I tried putting the DACL in the default profile, but when connecting I am immediately disconnected.
I can see the DACL/ASA being authenticated in the ACS log but no success
I am using my user which is member of the Network Admin Group.
Am I missing something?
Any help greatly appreciated!
WimHello Stephen,
As per the IP Pools feature, the ACS 5.x does not include such functionality. It is not on the ACS 5.x roadmap either as the recommended scenario would be to use a dedicated DHCP server.
ACS 4.x included that functionality, however, it was not the best solution as the ACS returned the IP Address value as a RADIUS Attribute instead of acting as a real DCHP server.
As per the IMEI and MISDN I am assuming you are referring to International Mobile Equipment Identity and Mobile Subscriber ISDN. Correct me if I am wrong.
In that case it seems that the ACS 5.x should be able to Allow or Deny access based on Radius Attribute 30 (Called-Station-Id) and 31 (Calling-Station-Id).
In that case you might want to use the End-Station Filters feature and use it as the condition for the Rule. The End-Station Filter feature uses CLI/DNIS where CLI is Radius Attribute 31 and DNIS is Attribute 30.
I am assuming a Generic Username will be embedded on the devices request. In that case you will define which end-user devices will be granted access based on the above attributes.
Here is a snapshot of the section:
Maybe you are looking for
-
Ordered a New 8 Core - OWC Memory OK?
I finally bit the bullet and ordered the new 8 core Mac Pro. I need more memory, and while I normally do Crucial.com I used OWC in this case because it was substantially cheaper. I was able to get 4GB of OWC for less than the cost of 2GB from Crucial
-
Just got my 30g ipod as a gift. First I downloaded the software with the supplied disk. I have a Dell XPS computer with lots of space. When connected to my pc The "do not disconnect" screen stays on. I have downloaded songs onto my pc using limewire.
-
Convert varchar HH:MM AM in date HH24
I have two column (varchar) with these format values HH:MM AM or PM , I have need of two columns date because I have to try the differents between them. example column1(date finish) column2 (date start) result (minutes) 16:30 17:45 75 Someone can hel
-
Kind of misleading. If a promotion is for $19, $29, or whatever for a year, that is what the customer is expecting to pay for a year regardless if the internet rates go up.
-
Hi, When i am saving a form it is giving the following error : ROS Error: -200 I dont understand where the problem is. My forms version is 6.0.8.24.1 Any help in this regard is highly appreciated. Thanks in advance. Venkat.