Web authentication with Radius server problem

Similar Messages

• Aironet 2702i Autonomous - Web-Authentication with Radius Window 2008

  Hi Guys,
  I have a problems with case, i have diagrams sample like then : AD(Win2008) - Radius(Win2008) - Aironet 2702i => Use methods Web-Auth for EndUser  
  This is my Configure file on Aironet 2702i
  Aironet2702i#show run
  Building configuration...
  Current configuration : 8547 bytes
  ! Last configuration change at 05:08:25 +0700 Fri Oct 31 2014 by admin
  version 15.3
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname Aironet2702i
  logging rate-limit console 9
  aaa new-model
  aaa group server radius rad_mac
  aaa group server radius rad_acct
  aaa group server radius rad_admin
  aaa group server tacacs+ tac_admin
  aaa group server radius rad_pmip
  aaa group server radius dummy
  aaa authentication login default local
  aaa authentication login DTSGROUP group radius
  aaa authentication login webauth group radius
  aaa authentication login weblist group radius
  aaa authentication dot1x default group radius
  aaa authorization exec default local 
  aaa session-id common
  clock timezone +0700 7 0
  no ip source-route
  no ip cef 
  ip admission name webauth proxy http
  ip admission name webauth method-list authentication weblist 
  no ip domain lookup
  ip domain name dts.com.vn
  dot11 syslog
  dot11 activity-timeout unknown default 1000
  dot11 activity-timeout client default 1000
  dot11 activity-timeout repeater default 1000
  dot11 activity-timeout workgroup-bridge default 1000
  dot11 activity-timeout bridge default 1000
  dot11 vlan-name DTSGroup vlan 46
  dot11 vlan-name L6-Webauthen-test vlan 45
  dot11 vlan-name NetworkL7 vlan 43
  dot11 vlan-name SGCTT vlan 44
  dot11 ssid DTS-Group
     vlan 46
     authentication open eap DTSGROUP 
     authentication key-management wpa version 2
     mbssid guest-mode
  dot11 ssid DTS-Group-Floor7
     vlan 43
     authentication open 
     authentication key-management wpa version 2
     mbssid guest-mode
     wpa-psk ascii 7 013D03104C0414040D4D5B5E392559
  dot11 ssid L6-Webauthen-test
     vlan 45
     web-auth
     authentication open 
     dot1x eap profile DTSGROUP
     mbssid guest-mode
  dot11 ssid SaigonCTT-Public
     vlan 44
     authentication open 
     authentication key-management wpa version 2
     mbssid guest-mode
     wpa-psk ascii 7 04480A0F082E424D1D0D4B141D06421224
  dot11 arp-cache optional
  dot11 adjacent-ap age-timeout 3
  eap profile DTSGROUP
   description testwebauth-radius
   method peap
   method mschapv2
   method leap
  username TRIHM privilege 15 secret 5 $1$y1J9$3CeHRHUzbO.b6EPBmNlFZ/
  username ADMIN privilege 15 secret 5 $1$IvtF$EP6/9zsYgqthWqTyr.1FB0
  ip ssh version 2
  bridge irb
  interface Dot11Radio0
   no ip address
   encryption vlan 44 mode ciphers aes-ccm 
   encryption vlan 46 mode ciphers aes-ccm 
   encryption mode ciphers aes-ccm 
   encryption vlan 43 mode ciphers aes-ccm 
   encryption vlan 1 mode ciphers aes-ccm 
   ssid DTS-Group
   ssid DTS-Group-Floor7
   ssid L6-Webauthen-test
   ssid SaigonCTT-Public
   countermeasure tkip hold-time 0
   antenna gain 0
   stbc
   mbssid
   packet retries 128 drop-packet
   channel 2412
   station-role root
   rts threshold 2340
   rts retries 128
   ip admission webauth
  interface Dot11Radio0.1
   encapsulation dot1Q 1 native
   bridge-group 1
   bridge-group 1 subscriber-loop-control
   bridge-group 1 spanning-disabled
   bridge-group 1 block-unknown-source
   no bridge-group 1 source-learning
   no bridge-group 1 unicast-flooding
  interface Dot11Radio0.43
   encapsulation dot1Q 43
   bridge-group 43
   bridge-group 43 subscriber-loop-control
   bridge-group 43 spanning-disabled
   bridge-group 43 block-unknown-source
   no bridge-group 43 source-learning
   no bridge-group 43 unicast-flooding
  interface Dot11Radio0.44
   encapsulation dot1Q 44
   bridge-group 44
   bridge-group 44 subscriber-loop-control
   bridge-group 44 spanning-disabled
   bridge-group 44 block-unknown-source
   no bridge-group 44 source-learning
   no bridge-group 44 unicast-flooding
   ip admission webauth
  interface Dot11Radio0.45
   encapsulation dot1Q 45
   bridge-group 45
   bridge-group 45 subscriber-loop-control
   bridge-group 45 spanning-disabled
   bridge-group 45 block-unknown-source
   no bridge-group 45 source-learning
   no bridge-group 45 unicast-flooding
   ip admission webauth
  interface Dot11Radio0.46
   encapsulation dot1Q 46
   bridge-group 46
   bridge-group 46 subscriber-loop-control
   bridge-group 46 spanning-disabled
   bridge-group 46 block-unknown-source
   no bridge-group 46 source-learning
   no bridge-group 46 unicast-flooding
  interface Dot11Radio1
   no ip address
   shutdown
   encryption vlan 46 mode ciphers aes-ccm 
   encryption vlan 44 mode ciphers aes-ccm 
   encryption vlan 1 mode ciphers aes-ccm 
   encryption vlan 43 mode ciphers aes-ccm 
   encryption vlan 45 mode ciphers ckip-cmic 
   ssid DTS-Group
   ssid DTS-Group-Floor7
   ssid SaigonCTT-Public
   countermeasure tkip hold-time 0
   antenna gain 0
   peakdetect
   dfs band 3 block
   stbc
   mbssid
   packet retries 128 drop-packet
   channel 5745
   station-role root
   rts threshold 2340
   rts retries 128
  interface Dot11Radio1.1
   encapsulation dot1Q 1 native
   bridge-group 1
   bridge-group 1 subscriber-loop-control
   bridge-group 1 spanning-disabled
   bridge-group 1 block-unknown-source
   no bridge-group 1 source-learning
   no bridge-group 1 unicast-flooding
  interface Dot11Radio1.43
   encapsulation dot1Q 43
   bridge-group 43
   bridge-group 43 subscriber-loop-control
   bridge-group 43 spanning-disabled
   bridge-group 43 block-unknown-source
   no bridge-group 43 source-learning
   no bridge-group 43 unicast-flooding
  interface Dot11Radio1.44
   encapsulation dot1Q 44
   bridge-group 44
   bridge-group 44 subscriber-loop-control
   bridge-group 44 spanning-disabled
   bridge-group 44 block-unknown-source
   no bridge-group 44 source-learning
   no bridge-group 44 unicast-flooding
   ip admission webauth
  interface Dot11Radio1.45
   encapsulation dot1Q 45
   bridge-group 45
   bridge-group 45 subscriber-loop-control
   bridge-group 45 spanning-disabled
   bridge-group 45 block-unknown-source
   no bridge-group 45 source-learning
   no bridge-group 45 unicast-flooding
   ip admission webauth
  interface Dot11Radio1.46
   encapsulation dot1Q 46
   bridge-group 46
   bridge-group 46 subscriber-loop-control
   bridge-group 46 spanning-disabled
   bridge-group 46 block-unknown-source
   no bridge-group 46 source-learning
   no bridge-group 46 unicast-flooding
  interface GigabitEthernet0
   no ip address
   duplex auto
   speed auto
   dot1x pae authenticator
   dot1x authenticator eap profile DTSGROUP
   dot1x supplicant eap profile DTSGROUP
  interface GigabitEthernet0.1
   encapsulation dot1Q 1 native
   bridge-group 1
   bridge-group 1 spanning-disabled
   no bridge-group 1 source-learning
  interface GigabitEthernet0.43
   encapsulation dot1Q 43
   bridge-group 43
   bridge-group 43 spanning-disabled
   no bridge-group 43 source-learning
  interface GigabitEthernet0.44
   encapsulation dot1Q 44
   bridge-group 44
   bridge-group 44 spanning-disabled
   no bridge-group 44 source-learning
  interface GigabitEthernet0.45
   encapsulation dot1Q 45
   bridge-group 45
   bridge-group 45 spanning-disabled
   no bridge-group 45 source-learning
  interface GigabitEthernet0.46
   encapsulation dot1Q 46
   bridge-group 46
   bridge-group 46 spanning-disabled
   no bridge-group 46 source-learning
  interface GigabitEthernet1
   no ip address
   shutdown
   duplex auto
   speed auto
  interface GigabitEthernet1.1
   encapsulation dot1Q 1 native
   bridge-group 1
   bridge-group 1 spanning-disabled
   no bridge-group 1 source-learning
  interface GigabitEthernet1.43
   encapsulation dot1Q 43
   bridge-group 43
   bridge-group 43 spanning-disabled
   no bridge-group 43 source-learning
  interface GigabitEthernet1.44
   encapsulation dot1Q 44
   bridge-group 44
   bridge-group 44 spanning-disabled
   no bridge-group 44 source-learning
  interface GigabitEthernet1.45
   encapsulation dot1Q 45
   bridge-group 45
   bridge-group 45 spanning-disabled
   no bridge-group 45 source-learning
  interface GigabitEthernet1.46
   encapsulation dot1Q 46
   bridge-group 46
   bridge-group 46 spanning-disabled
   no bridge-group 46 source-learning
  interface BVI1
   mac-address 58f3.9ce0.8038
   ip address 172.16.1.62 255.255.255.0
   ipv6 address dhcp
   ipv6 address autoconfig
   ipv6 enable
  ip forward-protocol nd
  ip http server
  ip http authentication aaa
  no ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  ip radius source-interface BVI1 
  radius-server attribute 32 include-in-access-req format %h
  radius server 172.16.50.99
   address ipv4 172.16.50.99 auth-port 1645 acct-port 1646
   key 7 104A1D0A4B141D06421224
  bridge 1 route ip
  line con 0
   logging synchronous
  line vty 0 4
   exec-timeout 0 0
   privilege level 15
   logging synchronous
   transport input ssh
  line vty 5 15
   exec-timeout 0 0
   privilege level 15
   logging synchronous
   transport input ssh
  end
  This is My Logfile on Radius Win 2008 : 
  Network Policy Server denied access to a user.
  Contact the Network Policy Server administrator for more information.
  User:
  Security ID: S-1-5-21-858235673-3059293199-2272579369-1162
  Account Name: xxxxxxxxxxxxxxxx
  Account Domain: xxxxxxxxxxx
  Fully Qualified Account Name: xxxxxxxxxxxxxxxxxxx
  Client Machine:
  Security ID: S-1-0-0
  Account Name: -
  Fully Qualified Account Name: -
  OS-Version: -
  Called Station Identifier: -
  Calling Station Identifier: -
  NAS:
  NAS IPv4 Address: 172.16.1.62
  NAS IPv6 Address: -
  NAS Identifier: Aironet2702i
  NAS Port-Type: Async
  NAS Port: -
  RADIUS Client:
  Client Friendly Name: Aironet2702i
  Client IP Address: 172.16.1.62
  Authentication Details:
  Connection Request Policy Name: Use Windows authentication for all users
  Network Policy Name: DTSWIRELESS
  Authentication Provider: Windows
  Authentication Server: xxxxxxxxxxxxxx
  Authentication Type: PAP
  EAP Type: -
  Account Session Identifier: -
  Logging Results: Accounting information was written to the local log file.
  Reason Code: 66
  Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
  So i will explain problems what i have seen:
  SSID: DTS-Group using authentication EAP with RADIUS and it working great (Authentication Type from Aironet to RADIUS is PEAP)
  SSID:L6-Webauthen-test using web-auth and i had try to compare with RADIUS but ROOT CAUSE is AUTHENTICATION TYPE from Aironet to RADIUS default is PAP. (Reason Code : 66)
  => I had trying to find how to change Authentication Type of Web-Auth on Cisco Aironet from PAP to PEAP or sometime like that for combine with RADIUS.
  Any idea or recommend for me ?
  Thanks for see my case  

  Hi Dhiresh Yadav,
  Many thanks for your reply me,
  I will explain again for clear my problems.
  At this case, i had setup complete SSID DTS-Group use authentication with security as PEAP combine Radius Server running on Window 2008.
  I had login SSID by Account create in AD =>  It's work okay with me. Done
  Problems occurs when i try to use Web-authentication on Vlan45 With SSID :
  dot11 ssid L6-Webauthen-test
     vlan 45
     web-auth
     authentication open 
     dot1x eap profile DTSGROUP
     mbssid guest-mode
  After configured on Aironet and Window Radius , i had try to login with Account create in AD by WebBrowser but it Fail ( i have see mini popup said: Authentication Fail" . So i go to Radius Server and search log on EventViewer.
  This is My Logfile on Radius Win 2008 : 
  Network Policy Server denied access to a user.
  NAS:
  NAS IPv4 Address: 172.16.1.62
  NAS IPv6 Address: -
  NAS Identifier: Aironet2702i
  NAS Port-Type: Async
  NAS Port: -
  RADIUS Client:
  Client Friendly Name: Aironet2702i
  Client IP Address: 172.16.1.62
  Authentication Details:
  Connection Request Policy Name: Use Windows authentication for all users
  Network Policy Name: DTSWIRELESS
  Authentication Provider: Windows
  Authentication Server: xxxxxxxxxxxxxx
  Authentication Type: PAP
  EAP Type: -
  Account Session Identifier: -
  Logging Results: Accounting information was written to the local log file.
  Reason Code: 66
  Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
  Im  think ROOT CAUSE is :
  PAP is the default authentication type for web-auth users on Aironet 2702i, so it can't combine with Radius Window 2008 because they just support PEAP (CHAPv1,CHAPv2....) => Please give me a tip how to change Authentication Type from PAP to PEAP for Web Authentication on Aironet

• Web Authentication with MS IAS Server

  I'm trying to configure my 2106 WLC to authenticate with an MS IAS Radius Server. I had this working, but my boss did not want to do any configuration on the client side and now wants to do all authentication through Web authentication with the Radius server. The wireless client connects and is redirected to the login page like they're supposed to, but when I enter my credentials the login fails. However, if I enter the login of a local user to the controller the authentication works.
  I see in the logs the following error: AAA Authentication Failure for UserName:chevym User Type: WLAN USER. The authentication is reaching the server too, but the logs don't tell you much.
  Here is what is in the server logs: 192.168.0.77,chevym,07/29/2008,05:58:16,IAS,TESTLAB1,25,311 1 192.168.0.221 07/28/2008 17:27:10 48,4127,2,4130,TESTLAB\chevym,4129,TESTLAB\chevym,4154,Use Windows authentication for all users,4155,1,4128,Wireless LAN Controller,4116,9,4108,192.168.0.77,4136,3,4142,19
  I don't really understand any of that and I'm not really sure if I have the server itself configured correctly for what I want to do. Does anyone have instructions on how to do this?

  I had another thread going on this, but since it appears to be an IAS problem, I've been posting on the MS forum instead of here.
  I'm trying to set up wireless laptop-WLC-IAS authentication using PEAP.
  The machine authenticates on boot, but any login by any user results in this message in the Windows Event log on the IAS server:
  Event Type: Warning
  Event Source: IAS
  Event Category: None
  Event ID: 2
  Date: 9/3/2008
  Time: 11:00:55 PM
  User: N/A
  Computer: DC1
  Description:
  User SCOTRNCPQ003.scdl.local was denied access.
  Fully-Qualified-User-Name = SCDL\SCOTRNCPQ003.scdl.local
  NAS-IP-Address = 10.10.10.10
  NAS-Identifier = scohc0ciswlc
  Called-Station-Identifier = 00-21-55-C0-7D-70:Domain Staff
  Calling-Station-Identifier = 00-90-4B-4C-92-B7
  Client-Friendly-Name = WLAN Controller
  Client-IP-Address = 10.10.10.10
  NAS-Port-Type = Wireless - IEEE 802.11
  NAS-Port = 29
  Proxy-Policy-Name = Use Windows authentication for all users
  Authentication-Provider = Windows
  Authentication-Server =
  Policy-Name =
  Authentication-Type = EAP
  EAP-Type =
  Reason-Code = 8
  Reason = The specified user account does not exist.
  The policy is the default connection policy created when installing IAS.
  In ADUC, I've tried setting both the machine and users Dial-In properties to Allow Access or Control through policy, with the same result.
  I've gone through the policy and there isn't anything there, other than the Day-Time rule which is set to allow access for all hours of the whole day, every day.
  In the last few days, I've read about the Ignore User Dial In properties, but can't find where/how you set this.
  It sounded to me as if this had been resolved in this thread, so I wanted to know how this had been accomplished.

• ISE Web Authentication with Profile

     Hi,
     I'm using Web Authentication with Cisco ISE 1.2.1 without problems.
     The Cisco ISE didn't find the endpoint in my internal endpoint store and continue with Web Authentication
     But when I enable the PSN with the Profile Server, the Cisco ISE populate dynamically the internal endpoint store and I cannot use
     the Web Authentication cause the endpoint is already in the internal endpoint store.
     What's the better way to solve this problem ?
     Thanks in Advanced
     Andre Gustavo Lomonaco

      Hi Neno, let me clarify my question
      I'm already using my internal endpoints to permit authenticate via MAB my IP Phones, Access Points and Printers.  I'm using Profile to be able to populate this ISE internet database.
      Now imagine that I wanna use the Web Authentication to permit authenticate guest workstations without 802.1x.If the profile put the guest workstation mac in the endpoints database, those workstation always will be authenticate using the MAC authentication and not the Web Authentication. Remember that for the Web authentication works we need to configure the continue options if the mac are not found in the endpoints database. But when the profile is on, the news (guest workstations) macs are inserted in endpoints database before I have chance to use the Web Authentication.

• Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points

  Hi Guys,
  I would like to go for "Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points 1300". I want the AP to broadcast only 1 SSID. The client find the SSID ->put in his user credential->Raudius athentication->assign him to an specific vlan based on his groupship.
  The problem here is that I don't have a AP controller but only configurable Aironet Access Points 1300. I can connect to the radius server, but I am not sure how to confirgure the AP's port, radio port, vlan and SSID.
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#switch
  I go through some references:
  3.5  RADIUS-Based VLAN Access Control
  As discussed earlier, each SSID is mapped to a default VLAN-ID on the wired side. The IT administrator may wish to impose back end (such as RADIUS)-based VLAN access control using 802.1X or MAC address authentication mechanisms. For example, if the WLAN is set up such that all VLANs use 802.1X and similar encryption mechanisms for WLAN user access, then a user can "hop" from one VLAN to another by simply changing the SSID and successfully authenticating to the access point (using 802.1X). This may not be preferred if the WLAN user is confined to a particular VLAN.
  There are two different ways to implement RADIUS-based VLAN access control features:
  1. RADIUS-based SSID access control: Upon successful 802.1X or MAC address authentication, the RADIUS server passes back the allowed SSID list for the WLAN user to the access point or bridge. If the user used an SSID on the allowed SSID list, then the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the access point or bridge.
  2. RADIUS-based VLAN assignment: Upon successful 802.1X or MAC address authentication, the RADIUS server assigns the user to a predetermined VLAN-ID on the wired side. The SSID used for WLAN access doesn't matter because the user is always assigned to this predetermined VLAN-ID.
  extract from: Wireless Virtual LAN Deployment Guide
  http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00801444a1.html
  ==============================================================
  Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller Configuration Example
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#switch
  ==============================================================
  Controller: Wireless Domain Services Configuration
  http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml
  Any help on this issue is appreicated.
  Thanks.

  I'm not sure if the Autonomous APs have the option for AAA Override.  On the WLC, I can go into the BSSID, Security, Advanced, and there's a checkbox that I would check to allow a Radius server to send back the VLAN.
  I did a little research and it looks like the 1300 may give this option but instead is defined as "VLAN Override".  I've found the release notes for 12.3(7)JA5 (not sure what version you're running) that give mention and a link to configuring EAP on page 4: http://www.ciscosystems.ch/en/US/docs/wireless/access_point/1300/release/notes/o37ja5rn.pdf
  Hope this helps

• Error in authentication with ldap server with certificate

  Hi,
  i have a problem in authentication with ldap server with certificate.
  here i am using java API to authenticate.
  Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed.
  I issued the new certificate which is having the up to 5 years valid time.
  is java will authenticate up to one year only?
  Can any body help on this issue...
  Regards
  Ranga

  sorry i am gettting ythe same error
  javax.naming.CommunicationException: simple bind failed: servername:636 exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed]
  here when i am using the old certificate and changing the system date means i can get the authentication.
  can you tell where we can concentrate and solve the issue..
  where is the issue
  1. need to check with the ldap server only
  2. problem in java code only.
  thanks in advance

• Not Working-central web-authentication with a switch and Identity Service Engine

  on the followup the document "Configuration example : central web-authentication with a switch and Identity Service Engine" by Nicolas Darchis, since the redirection on the switch is not working, i'm asking for your help...
  I'm using ISE Version : 1.0.4.573 and WS-C2960-24PC-L w/software 12.2(55)SE1 and image C2960-LANBASEK9-M for the access.
  The interface configuration looks like this:
  interface FastEthernet0/24
  switchport access vlan 6
  switchport mode access
  switchport voice vlan 20
  ip access-group webauth in
  authentication event fail action next-method
  authentication event server dead action authorize
  authentication event server alive action reinitialize
  authentication order mab
  authentication priority mab
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  authentication violation restrict
  mab
  spanning-tree portfast
  end
  The ACL's
  Extended IP access list webauth
      10 permit ip any any
  Extended IP access list redirect
      10 deny ip any host 172.22.2.38
      20 permit tcp any any eq www
      30 permit tcp any any eq 443
  The ISE side configuration I follow it step by step...
  When I conect the XP client, e see the following Autenthication session...
  swlx0x0x#show authentication sessions interface fastEthernet 0/24
             Interface:  FastEthernet0/24
            MAC Address:  0015.c549.5c99
             IP Address:  172.22.3.184
              User-Name:  00-15-C5-49-5C-99
                 Status:  Authz Success
                 Domain:  DATA
         Oper host mode:  single-host
       Oper control dir:  both
          Authorized By:  Authentication Server
             Vlan Group:  N/A
       URL Redirect ACL:  redirect
           URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  AC16011F000000490AC1A9E2
        Acct Session ID:  0x00000077
                 Handle:  0xB7000049
  Runnable methods list:
         Method   State
         mab      Authc Success
  But there is no redirection, and I get the the following message on switch console:
  756005: Mar 28 11:40:30: epm-redirect:IP=172.22.3.184: No redirection policy for this host
  756006: Mar 28 11:40:30: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
  I have to mention I'm using an http proxy on port 8080...
  Any Ideas on what is going wrong?
  Regards
  Nuno

  OK, so I upgraded the IOS to version
  SW Version: 12.2(55)SE5, SW Image: C2960-LANBASEK9-M
  I tweak with ACL's to the following:
  Extended IP access list redirect
      10 permit ip any any (13 matches)
  and created a DACL that is downloaded along with the authentication
  Extended IP access list xACSACLx-IP-redirect-4f743d58 (per-user)
      10 permit ip any any
  I can see the epm session
  swlx0x0x#show epm session ip 172.22.3.74
       Admission feature:  DOT1X
       ACS ACL:  xACSACLx-IP-redirect-4f743d58
       URL Redirect ACL:  redirect
       URL Redirect:  https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
  And authentication
  swlx0x0x#show authentication sessions interface fastEthernet 0/24
       Interface:  FastEthernet0/24
       MAC Address:  0015.c549.5c99
       IP Address:  172.22.3.74
       User-Name:  00-15-C5-49-5C-99
       Status:  Authz Success
       Domain:  DATA
       Oper host mode:  multi-auth
       Oper control dir:  both
       Authorized By:  Authentication Server
       Vlan Group:  N/A
       ACS ACL:  xACSACLx-IP-redirect-4f743d58
       URL Redirect ACL:  redirect
       URL Redirect:  https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
       Session timeout:  N/A
       Idle timeout:  N/A
       Common Session ID:  AC16011F000000160042BD98
       Acct Session ID:  0x0000001B
       Handle:  0x90000016
       Runnable methods list:
       Method   State
       mab      Authc Success
  on the logging, I get the following messages...
  017857: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
  017858: Mar 29 11:27:04: epm-redirect:epm_redirect_cache_gen_hash: IP=172.22.3.74 Hash=271
  017859: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: CacheEntryGet Success
  017860: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: Ingress packet on [idb= FastEthernet0/24] matched with [acl=redirect]
  017861: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Enqueue the packet with if_input=FastEthernet0/24
  017862: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_process ...
  017863: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Not an HTTP(s) packet
  What I'm I missing?

• 3850 switch configure with radius server

  wifi useres authenticate with radius server configure required
  Posted by WebUser Raja Sekhar from Cisco Support Community App

  Kindly check the following links for configuring 802.1x
               http://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3.2_0_se/security/configuration_guide/b_sec_1501_3850_cg_chapter_0101.html
               http://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3.2_0_se/security/configuration_guide/b_sec_1501_3850_cg_chapter_01110.html

• SG300: MAC authentication with Radius VLAN assignment problems

  Hi,
  I just can't get the dynamic vlans working. I've tried everything, switch in L3 mode, switch in L2, several port configs, several tunnel configs in Radius server (freeradius 2.1.1)
  Here's the final switch config:
  config-file-header
  switchf460dc
  v1.3.7.18 / R750_NIK_1_35_647_358
  CLI v1.0
  set system mode switch
  file SSD indicator encrypted
  ssd-control-start
  ssd config
  ssd file passphrase control unrestricted
  no ssd file integrity control
  ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
  no spanning-tree
  vlan database
  vlan 12,100,110,666
  exit
  voice vlan oui-table add 0001e3 Siemens_AG_phone________
  voice vlan oui-table add 00036b Cisco_phone_____________
  voice vlan oui-table add 00096e Avaya___________________
  voice vlan oui-table add 000fe2 H3C_Aolynk______________
  voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
  voice vlan oui-table add 00d01e Pingtel_phone___________
  voice vlan oui-table add 00e075 Polycom/Veritel_phone___
  voice vlan oui-table add 00e0bb 3Com_phone______________
  dot1x system-auth-control
  no bonjour enable
  hostname switchf460dc
  line ssh
  exec-timeout 0
  exit
  encrypted radius-server host 192.168.99.93 key xXx priority 1 usage dot1.x
  logging host 1.2.3.4 severity debugging
  passwords aging 0
  ip ssh server
  snmp-server server
  snmp-server community public ro 192.168.99.93 view Default
  clock timezone " " +1
  clock summer-time web recurring eu
  clock source sntp
  sntp unicast client enable
  sntp server 172.16.1.1
  interface vlan 12
   ip address 192.168.99.170 255.255.255.0
   no ip address dhcp
  interface gigabitethernet5
   dot1x host-mode multi-sessions
   dot1x reauthentication
   dot1x authentication mac
   dot1x radius-attributes vlan static
   dot1x port-control auto
   switchport mode general
   switchport general allowed vlan add 100,110,666 untagged
   no macro auto smartport
  interface gigabitethernet6
   switchport mode access
   switchport access vlan 110
  interface gigabitethernet9
   switchport mode access
   switchport access vlan 12
  interface gigabitethernet10
   switchport trunk allowed vlan add 12,100,110
  exit
  ip default-gateway 192.168.99.1
  On the switch side I would expect VLAN 666 to be set but it's not there:
  switchf460dc#show dot1x users
                            MAC               Auth   Auth   Session        VLAN
  Port     Username         Address           Method Server Time
  gi5      0090dca15880     00:90:dc:a1:58:80 MAC    Remote 01:09:25
  This is the radius users file. It's a simple file for test.
  DEFAULT Auth-Type := Accept
          Tunnel-Type = VLAN,
          Tunnel-Medium-Type = IEEE-802,
          Tunnel-Private-Group-Id = 666
  I am attaching a screenshot of the Radius reply sent by the server.
  I also tried setting "copy_request_to_tunnel = yes" and "use_tunneled_reply = yes" as found in another post, no success.
  It may be that the tag is missing in the Radius reply? If yes, how do I add it?
  Any ideas?
  Thanks.
  Update Dec 11: I tried with FW 1.4.0, and using the same config the switch doesn't perform any Radius requests at all anymore.

  I was wrong when I said that 1.4.0 wouldn't work at all. I simply had a device connected which didn't produce much traffic. My bad.
  So 1.4.0 works as far as the auth is concerned, but no improvement as far as dynamic VLAN is concerned. So there is no improvement over 1.3.7, or there is a config issue.
  I have opened SR 633001533 although the last appointment for WebEx went by without anyone getting back to me. I'll try again on Monday.
  Feel free to get back to me if you need anything to make experiments. I'll keep this thread updated too.

• 1100 with Local Radius Server problems Atheros Client

  I have Local authentication turned on for the 1100 and am using the Atheros Client Utility configuring LEAP with username/password and it is failing, here is the debug from the 1100.Any help much appreciated.
  Xcon-ap1100#conf t
  Enter configuration commands, one per line. End with CNTL/Z.
  Xcon-ap1100(config)#radius
  Xcon-ap1100(config)#radius-server local
  Xcon-ap1100(config-radsrv)#no nas 10.201.1.5
  Xcon-ap1100(config-radsrv)#nas 10.201.1.5 key thiskey
  Xcon-ap1100(config-radsrv)#end
  Xcon-ap1100#debug radius
  Radius protocol debugging is on
  Radius protocol brief debugging is off
  Radius protocol verbose debugging is off
  Radius packet hex dump debugging is off
  Radius packet protocol debugging is on
  Radius packet retransmission debugging is off
  Radius server fail-over debugging is off
  Xcon-ap1100#term mon
  Xcon-ap1100#
  *Apr 3 16:26:26.961: RADIUS: AAA Unsupported [248] 10
  *Apr 3 16:26:26.961: RADIUS: 43 61 72 64 69 66 66 4E [CardiffN]
  *Apr 3 16:26:26.962: RADIUS: AAA Unsupported [150] 3
  *Apr 3 16:26:26.962: RADIUS: 32 [2]
  *Apr 3 16:26:26.962: RADIUS(000000FC): Storing nasport 246 in rad_db
  *Apr 3 16:26:26.962: RADIUS(000000FC): Config NAS IP: 10.201.1.5
  *Apr 3 16:26:26.963: RADIUS/ENCODE(000000FC): acct_session_id: 251
  *Apr 3 16:26:26.963: RADIUS(000000FC): Config NAS IP: 10.201.1.5
  *Apr 3 16:26:26.963: RADIUS(000000FC): sending
  *Apr 3 16:26:26.963: RADIUS(000000FC): Send Access-Request to 10.201.1.5:1645 id 21645/158, len 130
  *Apr 3 16:26:26.963: RADIUS: authenticator 74 20 7D 86 32 7B 1A 65 - 88 DE A7 58 51 91 FA 5D
  *Apr 3 16:26:26.963: RADIUS: User-Name [1] 6 "test"
  *Apr 3 16:26:26.964: RADIUS: Framed-MTU [12] 6 1400
  *Apr 3 16:26:26.964: RADIUS: Called-Station-Id [30] 16 "000f.f751.7970"
  *Apr 3 16:26:26.964: RADIUS: Calling-Station-Id [31] 16 "0090.963d.7bf6"
  *Apr 3 16:26:26.964: RADIUS: Service-Type [6] 6 Login [1]
  *Apr 3 16:26:26.965: RADIUS: Message-Authenticato[80] 18 *
  *Apr 3 16:26:26.965: RADIUS: EAP-Message [79] 11
  *Apr 3 16:26:26.965: RADIUS: 02 02 00 09 01 74 65 73 74 [?????test]
  *Apr 3 16:26:26.965: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
  *Apr 3 16:26:26.965: RADIUS: NAS-Port [5] 6 246
  *Apr 3 16:26:26.965: RADIUS: NAS-IP-Address [4] 6 10.201.1.5
  *Apr 3 16:26:26.965: RADIUS: Nas-Identifier [32] 13 "Xcon-ap1100"
  *Apr 3 16:26:31.966: RADIUS: Retransmit to (10.201.1.5:1645,1646) for id 21645/158
  *Apr 3 16:26:36.966: RADIUS: Retransmit to (10.201.1.5:1645,1646) for id 21645/158
  *Apr 3 16:26:41.966: RADIUS: Retransmit to (10.201.1.5:1645,1646) for id 21645/158
  *Apr 3 16:26:46.965: RADIUS: No response from (10.201.1.5:1645,1646) for id 21645/158
  *Apr 3 16:26:46.965: RADIUS/DECODE: parse response no app start; FAIL
  *Apr 3 16:26:46.965: RADIUS/DECODE: parse response; FAIL
  *Apr 3 16:26:46.966: %DOT11-7-AUTH_FAILED: Station 0090.963d.7bf6 Authentication failed
  *Apr 3 16:26:50.070: RADIUS: AAA Unsupported [248] 10
  *Apr 3 16:26:50.070: RADIUS: 43 61 72 64 69 66 66 4E [CardiffN]
  *Apr 3 16:26:50.071: RADIUS: AAA Unsupported [150] 3
  *Apr 3 16:26:50.071: RADIUS: 32 [2]
  *Apr 3 16:26:50.071: RADIUS(000000FD): Storing nasport 247 in rad_db
  *Apr 3 16:26:50.072: RADIUS(000000FD): Config NAS IP: 10.201.1.5
  *Apr 3 16:29:29.041: %DOT11-7-AUTH_FAILED: Station 0090.963d.7bf6 Authentication failed
  *Apr 3 16:29:52.253: %DOT11-7-AUTH_FAILED: Station 0090.963d.7bf6 Authentication failed

  I have a very similar situation here. Took me a while to figure out why existing user certificates are OK but no new users can enroll. I checked all certificates for expiry. No go. It was not the expiry ("Valid to") time, but rather the "Valid From" time that is messed up.
  This is what happens: The rollover gets created and replaces the original one (which remains in memory, no flash) But the new one is valid from the expiry of the old one - in my case TOMORROW and after a power-outage the day before yesterday (the most definitive way to get a reboot!) I only have the new NOT YET VALID certificate.
  OK, I can wait until tomorrow and see if it works. But the design is far from intelligent. The industry standard is that when you renew a certificate, the validity of the new one is immediate - even if it means it runs for a few days longer than the designated lifetime.
  So much for the overlap period of 30 days (as you can see from your own post) if the old certificate goes away after a reboot and the new one is not yet valid! (The CA certificate expiration timer gets reset to some Unix time-zero ( 01:00:00 CEST Jan 1 1970) which I take to mean "not valid yet".)
  I only have a few days of trouble - and just one to go after finally working it out, but it could have been up to 30 days if I for any reason had rebooted after the roll-over certificate got created.
  Cheers
  Bernhard

• Problems with Radius Server

  Hi
  I am trying to setup the Radius server on my Mac OSX 10.5.2 server. I have two Airport Extreme 802.11n base stations connected to my network, one which we use normally for wireless access and another that I am using to test and get the Radius Server configured. One has an address of 192.168.10.5 and the other is 192.168.10.6. All my wireless clients can browse the net without any issues.
  When I go into Server Admin and select Radius and then Configure Radius Service, I select the default certificate and am then presented with a screen where I add my base stations. Now, the puzzling thing is that both of my base stations appear, but they are showing 169.254.xxx.xxx addresses. So, my first question is why do they show self assigned IPs? Is it because they are being found using Bonjour?
  If I then back out of this screen and select the Base Stations icon in the menu, I can click browse and again it shows the AEBSs but again with a self assigned IP. Another interesting point is that if I select my normal base station, in the info below it shows the Ethernet and Airport ID info showing V7.3.1 software version but a picture of the old dome shape Airport Extreme Base Station. If I select the test base station, I get the same info but THE RIGHT PICTURE !
  If I then select the test base station and enter the password, it says it's the wrong password, even though I know it's the right one.
  I'd like to get past this point, but can't see how to proceed until the IPs are right. What's going on? Any ideas gratefully received.
  Paul

  I have just purchased a new AirPort Extreme to begin testing to rollout wireless using RADIUS on our Mac OS X 10.5 server.
  I am having a bit of trouble setting up the actual base station. I too was having the same problem with the IP address showing up on the RADIUS server as self-assigned 169. but noticed that when I changed the Primary RADIUS IP address to something different to the AirPorts Ethernet IP address it showed up correctly. Maybe I am wrong but that's what I think happened.
  The problem I am having is this: I have created a wireless RADIUS network. My client was able to log in and connect to the wireless system, but I am not getting any DHCP information from my DHCP server running on Mac OS X Server. What am I doing wrong. What settings should be entered for Primary RADIUS IP Address, Shared Secret, etc. I am a bit confused an Apple hasn't provided technical documentation on this aspect.
  Help!

• How to configure a Cisco 3560 with MAC-based 802.1x authentication by radius server

  Hi dearI 
  How can I configure a Cisco 3560 to authenticate a client based on its mac address with 802.1x and radius server. Many tanks in advance!

  Olivier,
  You can't reference WLP visitor roles in weblogic.xml, but you can
  reference global roles (created using the WLS console):
  - <security-role-assignment>
  <role-name>PortalSystemAdministrator</role-name>
  <externally-defined />
  </security-role-assignment>
  -Phil
  "Olivier" <[email protected]> wrote in message
  news:[email protected]..
  >
  We need to have login page to our portal app.
  When using "form based" authentication is it possible to map the securityon a
  "entitlement role" ?
  Our need is to be abled to give direct url acces to some pages of theportal (for
  exemple by sending urls like"http://server/appcontextpath/appmanager/myportal/mydesktop?_nfpb=true&_page
  Label=mypage")"
  by email to portal users) and need a simple mecanism of authenticationbefore
  redirecting to the portal page.
  Inste

• Web Authentication with RSA SecureID on a Cisco Switch

  Hi,
  I've recently been looking into linking in our Cisco 2960S Gb Switch with RSA SecureID via Radius
  I've already managed to link it in for ssh access
  but I've not managed to get it working for http / web access to the switch
  I think this is because we're using "single use" tokens for maximum security with RSA SecureID
  and the web interface attempts to authenticate multiple times against the Radius part of the RSA SecureID server
  (okay on the first authentication, but each time after it's going to want a different token code)
  I was wondering if anyone knew a way around this? (if there's a way to get the switch to just authenticate once instead of multiple times against the radius server)
  For info the switch is a WS-C2960S-24TS-L with IOS 15.0(1)SE2

  Hello Chris,
  Can you test the following configuration?
  aaa group server radius webtac_grp
  server
  cache expiry 1
  cache authorization profile httpauth
  cache authentication profile httpauth
  aaa authentication login httpauth cache webtac_grp group webtac_grp
  aaa authorization exec httpauth cache webtac_grp group webtac_grp
  aaa authorization network httpauth cache webtac_grp group webtac_grp
  aaa cache profile httpauth
  all
  ip http server
  ip http authentication aaa login-authentication httpauth
  ip http authentication aaa exec-authorization httpauth
  radius-server host key ******
  I know for sure the above configuration works when using TACACS+ instead of RADIUS in order to avoid the multiple prompts due to the JAVA Applets authentication when accessing the IOS GUI. I have not tested it against RSA acting as backend Authentication server.
  NOTE: As "aaa authorization exec" is configured the RSA should be sending Attribute Service-Type with value Administrative for it to work as expected.
  If this was helpful please rate.
  Regards.

• Issue with authentication with RADIUS when using VPN

  Our customer has a problem with auhtentication against Radius vhen he is using VPN or SSL VPN. Authentication on SSH or TELNET via RADIUS is working fine . When I configure on VPN (and SSL VPN) authentication against the local database, everything is working fine and tunnel is established.
  In attachement is running-config of customer's gateway and capture file of communication between RADIUS server and gateway (radius access request starting at 85th line).
  I found in this file at AVP attributes that the gateway is sending ipsec profile name (in this case "VPN") instead of username.

  SSLVPN is configured to use the local database of usernames only in this config. It is not configured to use RADIUS.

• AD Machine Authentication with Cisco ISE problem

  Hi Experts,
  I am new with ISE, I have configured ISE & Domain computers for PEAP authentication. initially machine gets authenticated and then starts going MAB.
  Authentication policy:
  Allowed protocol = PEAP & TLS
  Authorization Policy:
  Condition for computer to be checked in external identity store (AD) = Permit access
  Condition for users to be checked in external identity store (AD) plus WasMachineAuthenticated = permit access
  All of the above policies do match and download the ACL from ISE but computer starts to mab authentication again...
  Switchport configuration:
  ===============================================
  ip access-list extended ACL-DEFAULT
  remark Allow DHCP
  permit udp any eq bootpc any eq bootps
  remark Allow DNS
  permit udp any any eq domain
  permit ip any host (AD)
  permit icmp any any
  permit ip any host (ISE-1)
  permit ip any host  (ISE-2)
  permit udp any host (CUCM-1) eq tftp
  permit udp any host (CUCM-2)eq tftp
  deny ip any any
  ===============================================
  switchport config
  ===============================================
  Switchport Access vlan 10
  switchport mode access
  switchport voice vlan 20
  ip access-group ACL-DEFAULT in
  authentication open
  authentication event fail action next-method
  authentication event server dead action authorize vlan 1
  authentication event server alive action reinitialize
  authentication host-mode multi-domain
  authentication order dot1x mab
  authentication priority dot1x mab
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  authentication timer inactivity 180
  authentication violation restrict
  mab
  dot1x pae authenticator
  dot1x timeout tx-period 100
  ====================================================
  One more problem about the "authentication open" and default ACL. Once the authentication succeeds and per user is ACL pushed though ISE to the switch. The default ACL still blocks communication on this switchprort.
  Your help will highly appreciated.
  Regards,

  You need to watch the switch during an authentication, see if the machine is passing authentication and the user may be failing authentication causing the switch to fail to mab.  If your switch configuration is on auth failure continue to next method, then this makes sense.  The question is why is the user failing auth but the machine is passing, could be something in the policy.  Make sure your AD setup has machine authentciation checked or it may not tie the machine and user auth together and the user may be failing because ISE can't make that relationship so the machinewasauth=true is not beeing matched.  Easy way to check is remove that rule from your policy and see if the same thing happens.
  I've also seen this happen when clients want to use EAP-TLS on the wired, machines passes auth, then the user logs into a machine for the first time.  The user auth kicks off before the user gets a cert and fails auth with a null certificate, since this is a auth failure the switchport kicks over to MAB.
  I don't think wasmachineauth=true is that great, I prefer to use EAP-FASTv2 using Cisco Anyconnect NAM with eap-chaining.  This is great because you can do two part authentication.  EAP-FAST outer with EAP-TLS inner for the machine auth, and MSCHAPv2 for the inner of the user auth. You get your EAP-TLS auth for the machine and don't have to worry about a user logging into a machine for the first time and switching to MAB because the user doesn't have a cert yet.  I also do my rule to say if machine pass and user fail, then workstaion policy, if machine and user pass then corp policy.