When WLC authenticate users with secondary RADIUS server?

Similar Messages

• Authenticate Users against external RADIUS-Server

  Hi,
  i have some users in the local LDAP database of an 10.5 Server.
  Is there a way to store their passwords on an external RADIUS-Server?
  Thank you very much,
  macservo
  Message was edited by: macservo

  CryptoCard does this.
  We use it at one customer for L2TP VPN authentication.
  This way the VPN user get's a yes or no to use the VPN server and then has to give his credentials: name and VPN shared secret or certificate (support for CryptoCard is in the OS X VPN client) to get on the network. The password is in 2 halves, one half is static and the rest is added to it from the Token.
  You then have to authenticate to any service you want to use (Kerberos?).
  We only had to alter a PPP config file on the OS X server and add a small file to both server (and client) to make it contact their Radius server instead of it using Apples regular internal VPN authentication (not the Radius one). And we had to add a shared secret corresponding to what was setup for the customer at CryptoCard (in the server only) for the OS X Server (Radius client) to CryptoCard server (Radius server) communication. You can't use Server Admin to alter VPN settings afterwards without messing up the PPP settings file.
  Maybe possible to us it for Ethernet/Wireless 802.1X authentication too?
  For just AFP server auth I don't know.

• WLC Web-auth fail with external RADIUS server

  I follow step by step the link bellow to configure web-auth with external RADIUS server but I receive a error on console debug of the WLC "Returning AAA Error No Server (-7) for mobile"
  My Radius Server is fine, because I can authenticate on WLC Web page with RADIUS user.
  WLC 4402 version 4.1.171.0
  http://www.cisco.com/en/US/products/ps6366/prod_technical_reference09186a0080706f5f.html

  Hi,
  I am having some issues when I try to authenticate an AD account against a NAP Radius Server on Windows 2008.
  In fact, I own a WLC 2106 and I configured it to authenticate users againts a radius Server with Active Directory. I set the Web Radius Authentication to CHAP on the controller tab from the WLC 2106 and i am getting the error below  
  : Authentication failed for gcasanova. When I set the controller to  Web Radius Authentication to PAP, everything is working fine. I am able to connect to through the controller using an AD Account. But my purpose is not use PAP which is an unsecure protocol since password are sent as plaintext on the network.
  Can someone tell me what's wrong?
  *radiusTransportThread: Oct 26 11:02:13.975:    proxyState......................                                                                                                 .............00:24:D7:40:E5:00-00:00
  *radiusTransportThread: Oct 26 11:02:13.975:    Packet contains 0 AVPs:
  *emWeb: Oct 26 11:02:13.977: Authentication failed for gcasanova
  *aaaQueueReader: Oct 26 11:02:29.985: AuthenticationRequest: 0xb6564634
  *aaaQueueReader: Oct 26 11:02:29.985:   Callback.....................................0x8576720
  *aaaQueueReader: Oct 26 11:02:29.985:   protocolType.................................0x00000001
  *aaaQueueReader: Oct 26 11:02:29.985:   proxyState...................................00:24:D7:40:E5:00-00:00
  *aaaQueueReader: Oct 26 11:02:29.986:   Packet contains 11 AVPs (not shown)
  *aaaQueueReader: Oct 26 11:02:29.986: apfVapRadiusInfoGet: WLAN(4) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
  *aaaQueueReader: Oct 26 11:02:29.986: 00:24:d7:40:e5:00 Successful transmission of Authentication Packet (id 86) to 10.2.0.15:1812, proxy state 00:24:d7:40:e5:00-00:00
  *aaaQueueReader: Oct 26 11:02:29.987: 00000000: 01 56 00 9a 8e 48 e7 20  1d ef be 29 e6 3a 61 6d  .V...H.....).:am
  *aaaQueueReader: Oct 26 11:02:29.987: 00000010: 2b de 07 24 01 0b 67 63  61 73 61 6e 6f 76 61 3c  +..$..gcasanova<
  *aaaQueueReader: Oct 26 11:02:29.987: 00000020: 12 3c ce a0 87 ac df 7a  a5 35 af 7c ef 83 c7 58  .<.....z.5.|...X
  *aaaQueueReader: Oct 26 11:02:29.987: 00000030: ed 03 13 28 a7 5a 0d 26  6d ab 49 ea da 7c 5a 8e  ...(.Z.&m.I..|Z.
  *aaaQueueReader: Oct 26 11:02:29.987: 00000040: 1d 94 70 69 06 06 00 00  00 01 04 06 0a 02 00 06  ..pi............
  *aaaQueueReader: Oct 26 11:02:29.987: 00000050: 05 06 00 00 00 01 20 0a  50 41 52 2d 57 4c 43 31  ........PAR-WLC1
  *aaaQueueReader: Oct 26 11:02:29.987: 00000060: 3d 06 00 00 00 13 1a 0c  00 00 37 63 01 06 00 00  =.........7c....
  *aaaQueueReader: Oct 26 11:02:29.988: 00000070: 00 04 1f 0c 31 30 2e 32  2e 30 2e 31 35 36 1e 0a  ....10.2.0.156..
  *aaaQueueReader: Oct 26 11:02:29.988: 00000080: 31 30 2e 32 2e 30 2e 36  50 12 7f 86 5a c5 61 ad  10.2.0.6P...Z.a.
  *aaaQueueReader: Oct 26 11:02:29.988: 00000090: af 54 fa fa 42 e7 f6 16  9e 10                    .T..B.....
  *radiusTransportThread: Oct 26 11:02:29.988: 00000000: 03 56 00 14 a9 10 07 84  83 00 87 83 b9 10 64 e1  .V............d.
  *radiusTransportThread: Oct 26 11:02:29.988: 00000010: 66 b3 c5 5e                                       f..^
  *radiusTransportThread: Oct 26 11:02:29.988: ****Enter processIncomingMessages: response code=3
  *radiusTransportThread: Oct 26 11:02:29.988: ****Enter processRadiusResponse: response code=3
  *radiusTransportThread: Oct 26 11:02:29.988: 00:24:d7:40:e5:00 Access-Reject received from RADIUS server 10.2.0.15 for mobile 00:24:d7:40:e5:00 receiveId = 0
  *radiusTransportThread: Oct 26 11:02:29.989: 00:24:d7:40:e5:00 Returning AAA Error 'Authentication Failed' (-4) for mobile 00:24:d7:40:e5:00
  *radiusTransportThread: Oct 26 11:02:29.989: AuthorizationResponse: 0xb97fe774
  *radiusTransportThread: Oct 26 11:02:29.989:    structureSize................................32
  *radiusTransportThread: Oct 26 11:02:29.989:    resultCode...................................-4
  *radiusTransportThread: Oct 26 11:02:29.989:    protocolUsed.................................0xffffffff
  *radiusTransportThread: Oct 26 11:02:29.989:    proxyState...................................00:24:D7:40:E5:00-00:00
  *radiusTransportThread: Oct 26 11:02:29.989:    Packet contains 0 AVPs:

• Exchange Server 2013 with a RADIUS server (freeRADIUS).

  Hello,
  I am a student and doing an internship. I have to test Microsoft Exchange Server 2013.
  I am using Windows Server 2012, I already installed Exchange Server 2013 on it and everything works as intended.
  But I couldn't find out how to configure my Windows Server 2012 in order to authenticate my mailbox users from Exchange Server 2013 with a RADIUS server which is not on my Windows Server 2012. I have to use their RADIUS server (freeRADIUS), the RADIUS server
  from the company where I am doing my internship.
  I already created a NPS and added the RADIUS Client + Remote
  RADIUS Server Groups. I created a Connection Request Policies with the condition:
  User Name *
  I forwarded the Connection Request to the
  Remote RADIUS server that I created in Remote RADIUS Server Groups and then I registered the NPS in th AD. But it's still not working. 
  Maybe I did something wrong or I misunderstood something or does this even work with Exchange Server 2013? To authenticate mailbox users with a RADIUS server before they can login into their mailbox and use their mailbox?
  Thanks in advance.

  Hi,
  I suggest we refer to the following article to double confirm the Network Policy Server is registered properly.
  http://technet.microsoft.com/library/cc732912.aspx
  Thanks,
  Simon Wu
  TechNet Community Support

• Cisco 5508-WLC using MS NPS as RADIUS Server for EAP-TLS

  Has anyone experienced a problem getting a Cisco WLC to work with MS NPS server? We've done it before albeit with differnt code versions.
  I have a Cisco 5508 WLC running 7.0.116.0 code hosting a WLAN configured for WPA2 with 802.1x for authentication.  I have two Windows NPS servers configured as the RADIUS servers for EAP-TLS authentication. Via debug info on the WLC I can see the 802.1x handshake take place with the wireless client and the WLC as well as a successful transmission of an Authentication Packet from the WLC to one of the RADIUS servers. However on the WLC I see repeated RADIUS server x.x.x.x:1812 deactivated in global list and on the NPS server I'm seeing event log errors indicating "The Network Policy Server discarded the request for a user"  along with the pertinent auth request info that I would expect the NPS server to receive from the WLC.
  Based on the WLC debug info I'm never actually getting to the EAP-TLS certificate authentication part. It seems the NPS servers don't like the format of the initial RADIUS authentication request coming from the WLC and so don't respond whcih in turn casues to WLC to switch to the other NPS server which produces the same issue.
  Any ideas of what might be the issue or misconfiguration?

  Jim,
  I wanted to know if you can setup wireshark on both of the boxes and see if your are hitting the following bug:
  http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCti91044
  It looks as if the WLC is retransmitting the client traffic from one radius session with primary over to the secondary in which the radius state attribute that was assigned from the primary server is probably hitting the secondary server. Therefore if the state attribute isnt assigned from the secondary server it will discard the packet.
  May need to open a TAC case to see if this issue is on the 550x controllers also.
  Thanks,
  Tarik

• Failed to create a user with Mac Mini Server, the message "Failed to process the command writesettings" in the module "servermgr_sharing"

  Failed to create a user with Mac Mini Server, the message "Failed to process the command writesettings" in the module "servermgr_sharing"

  I have a Mac Mini with OS X Server 10.8.5 and Server 2.2.1 and have a problem to share the public folder.
  When I enter the Server application to indicate that I want to share the public folder on the network and assign user I get the following message appears
  And I can not share the folder.
  If I go from my i-mac get mac mini server view and access the public folder, but I can not open any of the files there.
  That I can do to fix this?
  thank you very much

• Authenticate Users Using an LDAP Server

  Hi,
  I did implement 'Authenticate Users Using an LDAP Server' according the link blow below.
  [http://www.oracle.com/technology/products/database/application_express/howtos/how_to_ldap_authenticate.html]
  It works OK to specific DN String, example 'cn=%LDAP_USER%,OU=Menahel,OU=Cmp,DC=ho,DC=discount'.
  We have a lot of domain rules, mean the users not located at the same DN.
  Is it possibale to use general DN string (base root) like 'cn=%LDAP_USER%,*,*,DC=ho,DC=discount?
  Thanks in advance,
  Shay

  Augusto, one thing to check (since it caught me out) is that your LDAP entries conform to the right format, namely
  "cn=Bob" etc
  When I was integrating HTMLDB LDAP against a Sun One Directory Server, it had me scratching my head for ages, until I realised that the LDAP entries had been created in the format of -
  "uid=bob" rather than "cn=bob"
  This might not be your problem, but it's worth checking anyway ;)

• Dynamic WEP with Win2k3 Radius server

  Can someone provide information as how to configure AP350 and AP1200 to use dynamic WEP with Win2k3 Radius server.
  What security feature should be configured
  If possible provide information for configuration of Win2k3 Radius server.

  PEAP CHAPS,128-BIT or WPA

• Authentication Policy ISE with External RADIUS Server

  Hi All,
  I would like to authenticate client by using External RADIUS. Once I create authentication policy using the new compound condition (wireless dot1x + Radius Username Matches "domainB\") I would like to forward the user authentication who make an authen using domainB\username to the External RADIUS Server Sequence. But when I check on the authentication dashboard, it still authenticate using the default authentication rule.
  Please suggest about this scenario.
  Regards,
  Sent from Cisco Technical Support Android App

  Hi jrabinow,
  Which details you would like to see ?
  Here is some infos.
  ISEs are deployed in 2 domains such as "acme.com" and "sub.acme.com"
  Each domain does not make a trusted relationship so these 2 domains cannot communicate between them.
  Each domain has owned Enterprise Root CA (Microsoft)
  Client who need to access the network need to authenticate with EAP-TLS.
  My environment
  My ISE node joined into domain "acme.com"
  User will be "[email protected]"
  Once the user from "[email protected]" try to authenticate, I would like to forward the RADIUS request from ISEs (acme.com) to other ISEs (sub.acme.com)
  After ISEs in "sub.acme.com" return RADIUS-ACCEPT then ISEs in "acme.com" will process an authorization policy.
  Regards,
  Pongsatorn

• Configuring Cisco ISE for Authorization with External Radius Server attribute

  Hi,
  I'm trying to integrate an external radius server with Cisco ISE.
  I created an External Identity Store>Radius Token Server.
  I created a Identity Store sequence with just one identity store just as creadted above.
  And I was able to authenticate successfully.
  But when it comes to authorization.
  I observed we just have one tab named Authorization while creating Radius Token server.
  And it always refers to ACS:attribute_name.
  If I want to define a IETF radius attribute, (lets say class with attribute id as 25), how could I do it.
  In Cisco ACS we have a direct entry option in authorization tab where we can define the radius (IETF) attribute within Radius token server creation (within radius token server>Directory attribute tab).
  How ever I try to define the IETF attribute here (class,IETF:Class) I am not able to authorize with this attribute value.
  I tried with just one single authorization rule where it could hit.But observed it to go the default(as none of the rules defined matches the condition).
  Can anyone guide me how can we define a IETF radius attribute for authorization within Cisco ISE and what policy could we set it to work as authorization.
  Thanks in advance
  Senthil K

  This is the step of Creating and Editing RADIUS Vendors
  To create and edit a RADIUS vendor, complete the following steps:
  Step 1 From the Administration mega menu, choose Resources > RADIUS  Vendors.
  The RADIUS Vendors page appears with a list of RADIUS vendors that ISE  supports.
  Step 2 Click Create to create a new RADIUS vendor or click the radio  button next to the RADIUS vendor that
  you want to edit and click Edit.
  Step 3 Enter the following information:
  • Name—(Required) Name of the RADIUS vendor.
  • Description—An optional description for the vendor.
  • Vendor ID—(Required) The Internet Assigned Numbers Authority  (IANA)-approved ID for the
  vendor.
  • Vendor Attribute Type Field Length—(Required) The number of bytes  taken from the attribute value
  to be used to specify the attribute type. Valid values are 1, 2, and 4.  The default value is 1.
  • Vendor Attribute Size Field Length—(Required) The number of bytes  taken from the attribute value
  to be used to specify the attribute length. Valid values are 0 and 1.  The default value is 1.
  Step 4 Click Submit to save the RADIUS vendor.

• WLC WLAN Authentication from External RADIUS Server

  Dears,
  How to make WLC Receive PoD (Packet of Disconnect) from the RADIUS server to terminate the session and disconnect authenticating clients.
  Thanks,

  Hi Ahmed,
  Its not documented well, but here is it:
  CSCso52532 No Documentation for sending RADIUS Disconnect-Request (RFC 3576)
  . If a user has to be logged out then, following attributes are expected
    - SSH_RADIUS_AVP_SERVICE_TYPE(6) attribte with following value.
           SSH_RADIUS_SERVICE_TYPE_LOGIN(1)
         - SSH_RADIUS_AVP_CALLING_STATION_ID(31) - this is needed, if
                we want to delete  particular user  session via particular device
                (like PDA, Phone or PC)
         - SSH_RADIUS_AVP_USER_NAME(1)
  . If a management user has to be logged out then, following attributes
  are expected
    - SSH_RADIUS_AVP_SERVICE_TYPE(6) attribte with following value
    - SSH_RADIUS_SERVICE_TYPE_ADMINISTRATIVE
                        OR
     - SSH_RADIUS_SERVICE_TYPE_NAS_PROMPT
     - SSH_RADIUS_AVP_USER_NAME(1)
     - SSH_RADIUS_AVP_FRAMED_IP_ADDRESS(8)
  Eg:
  *Dec 17 12:59:08.926:   Packet contains 14 AVPs:
  *Dec 17 12:59:08.926:       AVP[01] User-Name................................user@domain (17 bytes)
  *Dec 17 12:59:08.926:       AVP[02] Nas-Port.................................0x0000000d (13) (4 bytes)
  *Dec 17 12:59:08.926:       AVP[03] Nas-Ip-Address...........................0x0a0047fb (167790587) (4 bytes)
  *Dec 17 12:59:08.926:       AVP[04] Framed-IP-Address........................0x0a003f1b (167788315) (4 bytes)
  *Dec 17 12:59:08.926:       AVP[05] NAS-Identifier...........................wlcRM_1 (7 bytes)
  *Dec 17 12:59:08.926:       AVP[06] Airespace / WLAN-Identifier..............0x00000004 (4) (4 bytes)
  *Dec 17 12:59:08.926:       AVP[07] Acct-Session-Id..........................4b2a1d0c/00:1c:26:cb:27:71/4 (28 bytes)
  *Dec 17 12:59:08.926:       AVP[08] Acct-Authentic...........................0x00000001 (1) (4 bytes)
  *Dec 17 12:59:08.926:       AVP[09] Tunnel-Type..............................0x0000000d (13) (4 bytes)
  *Dec 17 12:59:08.926:       AVP[10] Tunnel-Medium-Type.......................0x00000006 (6) (4 bytes)
  *Dec 17 12:59:08.926:       AVP[11] Tunnel-Group-Id..........................0x3633 (13875) (2 bytes)
  *Dec 17 12:59:08.926:       AVP[12] Acct-Status-Type.........................0x00000001 (1) (4 bytes)
  *Dec 17 12:59:08.926:       AVP[13] Calling-Station-Id.......................10.0.63.27 (10 bytes)
  *Dec 17 12:59:08.926:       AVP[14] Called-Station-Id........................10.0.71.251 (11 bytes)
  *Dec 17 12:59:10.943: 00:1c:26:cb:27:71 Accounting-Response received from RADIUS server 10.0.71.249 for mobile 00:1c:26:cb:27:71 receiveId = 0
  *Dec 17 12:59:34.044: Received a 'RFC-3576 Disconnect-Request' from 10.0.71.249
  *Dec 17 12:59:34.044:   Packet contains 6 AVPs:
  *Dec 17 12:59:34.044:       AVP[01] Nas-Ip-Address...........................0x0a0047fb (167790587) (4 bytes)
  *Dec 17 12:59:34.044:       AVP[02] User-Name................................user@domain (17 bytes)
  *Dec 17 12:59:34.044:       AVP[03] Acct-Session-Id..........................4b2a1d0c/00:1c:26:cb:27:71/4 (28 bytes)
  *Dec 17 12:59:34.044:       AVP[04] Calling-Station-Id.......................10.0.63.27 (10 bytes)
  *Dec 17 12:59:34.044:       AVP[05] Called-Station-Id........................10.0.71.251 (11 bytes)
  *Dec 17 12:59:34.044:       AVP[06] Service-Type.............................0x00000001 (1) (4 bytes)
  *Dec 17 12:59:34.044: Error cause 503 generated for 'RFC-3576 Disconnect-Request' from 10.0.71.249 (Session Identification attributes not valid)
  *Dec 17 12:59:34.045: Sent a 'RFC-3576 Disconnect-Nak' to 10.0.71.249:3799
  *Dec 17 12:59:36.561: ****Enter processIncomingMessages: response code=5
  **Share your knowledge. It’s a way to achieve immortality.
  --Dalai Lama**
  Please Rate if helpful.
  Regards
  Ed

• 1100 with Local Radius Server problems Atheros Client

  I have Local authentication turned on for the 1100 and am using the Atheros Client Utility configuring LEAP with username/password and it is failing, here is the debug from the 1100.Any help much appreciated.
  Xcon-ap1100#conf t
  Enter configuration commands, one per line. End with CNTL/Z.
  Xcon-ap1100(config)#radius
  Xcon-ap1100(config)#radius-server local
  Xcon-ap1100(config-radsrv)#no nas 10.201.1.5
  Xcon-ap1100(config-radsrv)#nas 10.201.1.5 key thiskey
  Xcon-ap1100(config-radsrv)#end
  Xcon-ap1100#debug radius
  Radius protocol debugging is on
  Radius protocol brief debugging is off
  Radius protocol verbose debugging is off
  Radius packet hex dump debugging is off
  Radius packet protocol debugging is on
  Radius packet retransmission debugging is off
  Radius server fail-over debugging is off
  Xcon-ap1100#term mon
  Xcon-ap1100#
  *Apr 3 16:26:26.961: RADIUS: AAA Unsupported [248] 10
  *Apr 3 16:26:26.961: RADIUS: 43 61 72 64 69 66 66 4E [CardiffN]
  *Apr 3 16:26:26.962: RADIUS: AAA Unsupported [150] 3
  *Apr 3 16:26:26.962: RADIUS: 32 [2]
  *Apr 3 16:26:26.962: RADIUS(000000FC): Storing nasport 246 in rad_db
  *Apr 3 16:26:26.962: RADIUS(000000FC): Config NAS IP: 10.201.1.5
  *Apr 3 16:26:26.963: RADIUS/ENCODE(000000FC): acct_session_id: 251
  *Apr 3 16:26:26.963: RADIUS(000000FC): Config NAS IP: 10.201.1.5
  *Apr 3 16:26:26.963: RADIUS(000000FC): sending
  *Apr 3 16:26:26.963: RADIUS(000000FC): Send Access-Request to 10.201.1.5:1645 id 21645/158, len 130
  *Apr 3 16:26:26.963: RADIUS: authenticator 74 20 7D 86 32 7B 1A 65 - 88 DE A7 58 51 91 FA 5D
  *Apr 3 16:26:26.963: RADIUS: User-Name [1] 6 "test"
  *Apr 3 16:26:26.964: RADIUS: Framed-MTU [12] 6 1400
  *Apr 3 16:26:26.964: RADIUS: Called-Station-Id [30] 16 "000f.f751.7970"
  *Apr 3 16:26:26.964: RADIUS: Calling-Station-Id [31] 16 "0090.963d.7bf6"
  *Apr 3 16:26:26.964: RADIUS: Service-Type [6] 6 Login [1]
  *Apr 3 16:26:26.965: RADIUS: Message-Authenticato[80] 18 *
  *Apr 3 16:26:26.965: RADIUS: EAP-Message [79] 11
  *Apr 3 16:26:26.965: RADIUS: 02 02 00 09 01 74 65 73 74 [?????test]
  *Apr 3 16:26:26.965: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
  *Apr 3 16:26:26.965: RADIUS: NAS-Port [5] 6 246
  *Apr 3 16:26:26.965: RADIUS: NAS-IP-Address [4] 6 10.201.1.5
  *Apr 3 16:26:26.965: RADIUS: Nas-Identifier [32] 13 "Xcon-ap1100"
  *Apr 3 16:26:31.966: RADIUS: Retransmit to (10.201.1.5:1645,1646) for id 21645/158
  *Apr 3 16:26:36.966: RADIUS: Retransmit to (10.201.1.5:1645,1646) for id 21645/158
  *Apr 3 16:26:41.966: RADIUS: Retransmit to (10.201.1.5:1645,1646) for id 21645/158
  *Apr 3 16:26:46.965: RADIUS: No response from (10.201.1.5:1645,1646) for id 21645/158
  *Apr 3 16:26:46.965: RADIUS/DECODE: parse response no app start; FAIL
  *Apr 3 16:26:46.965: RADIUS/DECODE: parse response; FAIL
  *Apr 3 16:26:46.966: %DOT11-7-AUTH_FAILED: Station 0090.963d.7bf6 Authentication failed
  *Apr 3 16:26:50.070: RADIUS: AAA Unsupported [248] 10
  *Apr 3 16:26:50.070: RADIUS: 43 61 72 64 69 66 66 4E [CardiffN]
  *Apr 3 16:26:50.071: RADIUS: AAA Unsupported [150] 3
  *Apr 3 16:26:50.071: RADIUS: 32 [2]
  *Apr 3 16:26:50.071: RADIUS(000000FD): Storing nasport 247 in rad_db
  *Apr 3 16:26:50.072: RADIUS(000000FD): Config NAS IP: 10.201.1.5
  *Apr 3 16:29:29.041: %DOT11-7-AUTH_FAILED: Station 0090.963d.7bf6 Authentication failed
  *Apr 3 16:29:52.253: %DOT11-7-AUTH_FAILED: Station 0090.963d.7bf6 Authentication failed

  I have a very similar situation here. Took me a while to figure out why existing user certificates are OK but no new users can enroll. I checked all certificates for expiry. No go. It was not the expiry ("Valid to") time, but rather the "Valid From" time that is messed up.
  This is what happens: The rollover gets created and replaces the original one (which remains in memory, no flash) But the new one is valid from the expiry of the old one - in my case TOMORROW and after a power-outage the day before yesterday (the most definitive way to get a reboot!) I only have the new NOT YET VALID certificate.
  OK, I can wait until tomorrow and see if it works. But the design is far from intelligent. The industry standard is that when you renew a certificate, the validity of the new one is immediate - even if it means it runs for a few days longer than the designated lifetime.
  So much for the overlap period of 30 days (as you can see from your own post) if the old certificate goes away after a reboot and the new one is not yet valid! (The CA certificate expiration timer gets reset to some Unix time-zero ( 01:00:00 CEST Jan 1 1970) which I take to mean "not valid yet".)
  I only have a few days of trouble - and just one to go after finally working it out, but it could have been up to 30 days if I for any reason had rebooted after the roll-over certificate got created.
  Cheers
  Bernhard

• Cisco AAA authentication with windows radius server

  Cisco - Windows Radius problems
  I need to created a limited access group through radius that I can have new network analysts log into
  and not be able to commit changes or get into global config.
  Here are my current radius settings
  aaa new-model
  aaa group server radius IAS
   server name something.corp
  aaa authentication login USERS local group IAS
  aaa authorization exec USERS local group IAS
  radius server something.corp
   address ipv4 1.1.1.1 auth-port 1812 acct-port 1813
   key mypassword
  line vty 0 4
   access-class 1 in
   exec-timeout 0 0
   authorization exec USERS
   logging synchronous
   login authentication USERS
   transport input ssh
  When I log in to the switch, the radius server is passing the corrrect attriubute
  ***Jan 21 13:59:51.897: RADIUS:   Cisco AVpair       [1]   18  "shell:priv-lvl=7"
  The switch is accepting it and putting you in the correct priv level.
  ***Radius-Test#sh priv
     Current privilege level is 7
  I am not sure why it logs you in with the prompt for  privileged EXEC mode when
  you are in priv level 7. This shows that even though it looks like your in priv exec
  mode, you are not.
  ***Radius-Test#sh run
                  ^
     % Invalid input detected at '^' marker.
     Radius-Test#
  Now this is where I am very lost.
  I am in priv level 7, but as soon as I use the enable command It moves me up to 15, and that gives me access to
  global config mode.
  ***Radius-Test#enable
     Radius-Test#
  Debug log -
  Jan 21 14:06:28.689: AAA/MEMORY: free_user (0x2B46E268) user='reynni10'
  ruser='NULL' port='tty390' rem_addr='10.100.158.83' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
  Now it doesnt matter that I was given priv level 7 by radius because 'enable' put me into priv 15
  ***Radius-Test#sh priv
     Current privilege level is 15
     Radius-Test#
  I have tried to set
  ***privilege exec level 15 enable
  It works and I am no longer able to use 'enable' when I am at prv level 7, but I also cannot get the commands they will need to work.
  Even if I try to do
  ***privilege exec level 7 show running-config (or other variations)
  It will allow you to type sh run without errors, but it doest actually run the command.
  What am I doing wrong?
  I also want to get PKI working with radius.

  I can run a test on my radius system, will report back accordingly, as it's a different server than where I am currently located.
  Troubleshooting, have you deleted the certificate/network profile on the devices and started from scratch?

• CWMS v.2 - how to configure CWMS to authenticate user with CUCM

  Hi,
  I have a CUCM with no LDAP or AD integration. I already configured the directory integration with CUCM and it synchronized the user accounts to CWMS. When trying to login with end user account, password configured in CUCM doesn't work. What is the process to configure CWMS to authenticate with CUCM user database? Thanks.
  -Alan

  Hi Alan,
  CUCM and LDAP integration is a prerequisite for using Directory Integration on CWMS.
  http://www.cisco.com/c/en/us/td/docs/collaboration/CWMS/1_5/Administration_Guide/Administration_Guide_chapter_01011.html#task_DB0D271D6EB1459EB4DA269461E93B36
  Before You Begin
   You must configure AXL and LDAP directory service on CUCM before you can use the directory integration feature. CUCM is required to import users into your Cisco WebEx Meetings Server system. Use CUCM to do the following:
   Enable Cisco AXL Web Service
   Enable Cisco directory synchronization
   Configure LDAP integration
   Configure LDAP authentication
  -Dejan

• Primary/secondary RADIUS server

  Hey all,
  I've been trying to discover for a while how primary and secondary RADIUS servers work on WLC 4400s. If the primary RADIUS server goes down, and the secondary is used, at what point does the controller go back to the primary once it's back up? Does it wait until the secondary goes down, or does it immediately switch back to the primary once it becomes available?
  Thanks in advance!
  Jeff

  On 4.2 and previous versions, if the primary goes down, then the secondary is used until the secondary is not available. So if you want to froce the primay to be the radius server to be used, reboot the secondary. Then the tertiary then back to the primary. 5.0 has a feature in which you can set a keep alive so that when the primary comes back up, the primary will be used again. 5.0 code in not a good code version though.