Wireless local radius authentication

Similar Messages

• Local Radius Authentication - Fails

  Hello all,
  Access Point 1230AG (c1200-k9w7-mx.123-2.JA)
  Client Adapter ABG (PCI)
  I am new to Wireless Lan configuration with Aironet products (first project). I am configuring an Access Point for a small LAN and i can not get local radius authentication working. The password always fails if I try:
  test aaa group radius xxxxx port 1812 new-code
  although the password is matching..........
  another thing is that in the configuration, it always defaults to 'nthash' mode. is this normal? in other words if i type:
  radius-server local
  user dgarnett password xxxx
  when i do a 'show run' it displays as
  user xxxx
  I also get the following during a debug:
  There is no RADIUS DB Some Radius attributes may not be stored
  any help greatly appreciated
  ap#test aaa group radius dgarnett 123456789 port 1812 new-code
  Trying to authenticate with Servergroup radius
  User rejected
  ap#
  Feb 19 20:57:44.535: RADIUS(00000000): Config NAS IP: 10.14.14.14
  Feb 19 20:57:44.535: RADIUS(00000000): Config NAS IP: 10.14.14.14
  Feb 19 20:57:44.535: RADIUS(00000000): sending
  Feb 19 20:57:44.535: RADIUS(00000000): Send Access-Request to 10.14.14.14:1812 id 21645/14, len 64
  Feb 19 20:57:44.535: RADIUS: authenticator 9C C4 E8 64 80 8B 64 8A - E7 5F 0A 64 14 2F 5D B6
  Feb 19 20:57:44.536: RADIUS: User-Password [2] 18 *
  Feb 19 20:57:44.536: RADIUS: User-Name [1] 10 "dgarnett"
  Feb 19 20:57:44.536: RADIUS: Service-Type [6] 6 Login [1]
  Feb 19 20:57:44.536: RADIUS: NAS-IP-Address [4] 6 10.14.14.14
  Feb 19 20:57:44.536: RADIUS: Nas-Identifier [32] 4 "ap"
  Feb 19 20:57:44.537: RADSRV: Client dgarnett password failed
  Feb 19 20:57:44.537: RADIUS: Received from id 21645/14 10.14.14.14:1812, Access-Reject, len 88
  Feb 19 20:57:44.538: RADIUS: authenticator 3C B3 9A 7F 61 27 3A A6 - 84 39 B6 DF 22 DF 45 26
  Feb 19 20:57:44.538: RADIUS: State [24] 50
  Feb 19 20:57:44.538: RADIUS: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF [????????????????]
  Feb 19 20:57:44.539: RADIUS: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF [????????????????]
  Feb 19 20:57:44.539: RADIUS: 6B 7C 18 EA F0 20 A4 E5 B1 28 0E BD 57 61 24 9A [k|??? ???(??Wa$?]
  Feb 19 20:57:44.539: RADIUS: Message-Authenticato[80] 18 *
  Feb 19 20:57:44.539: RADIUS(00000000): Received from id 21645/14
  Feb 19 20:57:44.539: RADIUS(00000000): Unique id not in use
  Feb 19 20:57:44.540: RADIUS/DECODE(00000000): There is no RADIUS DB Some Radius attributes may not be stored

  Just as an update.......I set this up authenticating to an external (ACSNT) Radius server and it authenticates successfully. But still will not for the local dbase. My goal is to use the Corporate ACS as primary and the local as backup. I think my problem has to do with the Radius attributes 24 (State) and 80 (Message Auth). I also think that it points back to the NTHash stuff. Please advise as I am not new security practices and wireless, but I am new to Cisco Wireless networking.

• Configuring a 1230 AP as a "Local Radius Authenticator"

  Configuring a 1230 AP as a "Local Radius Authenticator"
  CCO-URL: Configuring an Access Point as a Local Authenticator
  http://www.cisco.com/en/US/partner/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a0080184a9b.html
  this is the minimal config, i think:
  AP# configure terminal
  AP(config)# radius-server local
  AP(config-radsrv)# nas 1.1.1.1 key 111
  AP(config-radsrv)# group clerks
  AP(config-radsrv-group)# vlan 2
  AP(config-radsrv-group)# ssid batman
  AP(config-radsrv-group)# reauthentication time 1800
  AP(config-radsrv-group)# lockout count 2 time 600
  AP(config-radsrv-group)# exit
  AP(config-radsrv)# user jsmith password twain74 group clerks
  AP(config-radsrv)# end
  whereas 1.1.1.1 is the IP of the AP himself ?
  is there a must for additional config commands like this:
  radius-server host 1.1.1.1 auth-port 1812 acct-port 1813 key 111
  aaa group server radius rad_eap
  server 1.1.1.1 auth-port 1812 acct-port 1813
  aaa group server radius rad_admin
  server 1.1.1.1 auth-port 1812 acct-port 1813
  all attempts didn't work
  "station <MAC> authentication failed"
  is there anything else nessecary ???

  You seem to be missing the following commands;
  authentication network-eap eap_methods
  authentication key-management cckm optional
  The following commands are useful for diagnosis;
  • Show radius local statistics
  • show interface dot11Radio 0 aaa client
  • Debug dot11 aaa dot1x state
  • Debug dot11 mgmt interface
  Local authentication is designed as a fall-back service for when the primary RADIUS server fails. We not encourage the use of Local authentication as a replacement for a radius server.
  * With an ACS you get Authentication, Authorization and Accounting. With Local authentication you only get Authentication.
  * ACS scales, supports external user-databases, supports multiple authentication types, supports database backup and replication, etc, etc... Local authentication supports a maximum of 50 users, internal static configuration only, and LEAP only.
  Following is an IOS configuration, that I have tested, and works on an AP1200 (should work on an 1100 too, I just haven’t tested it);
  · This configuration enables a single AP to do local authentication. No WDS is included for fast roaming.
  · This configuration can be cut-and-pasted into an AP that has been write-erased (blank config), and it will configure all the parameters to allow a client to LEAP authenticate to it (even if no Ethernet cable is connected to it)
  · Replace usernames/passwords with your own usernames/passwords
  · Replace ip-addresseswith the APs IP address
  · I added DHCP configuration so you can connect to a stand-alone AP with your DHCP-enabled laptop (with a profile that matches the test APs SSID and LEAP settings).
  conf t
  host loc-auth-ap-name
  enable secret cisco
  no ip domain-lookup
  line vty 0 4
  password cisco
  exec-timeout 0 0
  login
  int bvi 1
  ip address 10.11.12.13 255.255.255.0
  Interface dot11 0
  no ssid tsunami
  encryption mode ciphers ckip-cmic
  ssid test-loc-auth
  authentication network-eap eap_methods
  authentication key-management cckm optional
  ip dhcp excluded-address 10.11.12.13
  ip dhcp pool temp
  network 10.11.12.0 255.255.255.0
  interface BVI1
  ip address 10.11.12.13 255.255.255.0
  no ip route-cache
  aaa new-model
  aaa group server radius rad_eap
  ! add a real AAA server (with auth-port 1645) before
  ! the following statement if you are configuring a
  ! fallback authentication service instead of a
  ! standalone service
  server 10.11.12.13 auth-port 1812 acct-port 1646
  aaa authentication login eap_methods group rad_eap
  ! add a real AAA server (with auth-port 1645) before
  ! the following statement if you are configuring a
  ! fallback authentication service instead of a
  ! standalone service
  radius-server host 10.11.12.13 auth-port 1812 acct-port 1646 key 0 l0cal-key-secret
  radius-server deadtime 10
  dot11 holdoff-time 1
  ip radius source-interface BVI1
  radius-server local
  nas 10.11.12.13 key 0 l0cal-key-secret
  user testuser password 0 testuser-key-secret
  exit
  exit
  wri

• How to set local radius with AP 1240AG series

  Hi,
  I have been trying to set up a AP with AIR-AP1242AG-Ak9 as a local authenticator radius but with no success. I have followed the steps from a lot of posts but no go, even with the most simple and understanable post like this one: 
  https://supportforums.cisco.com/document/101121/configuring-autonomous-ap-local-radius-authentication
  The guy at the end of the post says:
  Configuring AP
  1. Go to Security>Encryption Manager
  2. Specify Encryption (can be WEP or WPA)
  3. Specify that WEP is Mandatory
  4. Specify the key accordingly
  5. Click Apply
  6. Go to Security>SSID Manage
  7. Select the desired SSID
  But when I go via GUI fist of all:
  I dont understand why it says it can be WEP o WPA because if I select WEP and follow the rest of the steps, I got an error message: WPA mandatory is supported only with Cipher TKIP or AES CCMP or AES CCMP +TKIP <see encryption managerpage>
  Besides WEP, as far as I kknow it only works with a password only and I want the PC clients to aunthenticate with the AP itself as a Radius local server so it should ask for a username and password defined in the AP.
  Second of all, the steps from the guy states on item 4, specfy the key acordinly? what this means? I only see keys filed in hexa.
  third of all, if I do the steps in the error above, it allows me to set WPA with key management Mandatory but only by selecting the Cipher drop down menu, so which item should I pick ?there are a lot like AES CCMP, AES CCMP+TKIP, etc
  But whenever another PC tries to login, it asks for the username and password, but it never get passed just saying error on the network.
  I include the debug for the local radius below
  I also included the config of the AP
  All I want is the AP ask for a username and password, login successfully and thats it.
  anybody else or someone that has a function config to share with me? I would appreciate it, cause I have been more than 12 hours in a row trying to set it up but no go 

  Here is a one of my post related to this topic,see if that helps,
  http://mrncciew.com/2013/03/03/autonomous-ap-as-local-radius-server/
  If supported use WPA2 with AES as that is most secure. Do not use WEP. If WPA2/AES is not supported then try to use WAP with TKIP.
  Here is other useful configuration example on the same topic
  https://rscciew.wordpress.com/2014/07/24/autonomous-ap-with-local-radius-server-eap-fast/
  HTH
  Rasika
  **** Pls rate all useful responses ***

• Configuring the Access Point 1602 IOS 15.2(2)JAX as a Local RADIUS for a MAC authenticator

  Hello Everyone,
  I have an issue with my Cisco 1602 WAP. I am trying to configure the WPA-PSK and MAC authentication on local RADIUS but I don't know why it doesn't work and client can bypass the MAC authentication. below is partial configuration:
  dot11 ssid WLAN
     vlan 20
     authentication open
     authentication key-management wpa version 2
     mbssid guest-mode
     wpa-psk ascii 7 XXX
  interface Dot11Radio0
   no ip address
   no ip route-cache
   encryption mode ciphers aes-ccm
   encryption vlan 20 mode ciphers aes-ccm
   ssid WLAN
   antenna gain 0
   stbc
   beamform ofdm
   mbssid
   channel 2462
   station-role root
  interface Dot11Radio0.20
   encapsulation dot1Q 20 native
   no ip route-cache
   bridge-group 1
   bridge-group 1 subscriber-loop-control
   bridge-group 1 spanning-disabled
   bridge-group 1 block-unknown-source
   no bridge-group 1 source-learning
   no bridge-group 1 unicast-flooding
  interface BVI1
   ip address 10.133.16.2 255.255.255.128
   no ip route-cache
  adius-server local
      nas 10.133.16.2 key 7 10.133.16.2
    group MAC
      vlan 20
      ssid WLAN
      block count 3 time infinite
      reauthentication time 1800
   user 54724f80421c  password 54724f80421c group MAC 
  Further information can be provided by request.
  Cheers,
  Parham

  what are you trying to accomplish?
  With the PSK you aren't telling the client it needs to do .1x auth for the Mac authentication.
  If you are just trying to keep some clients off the wireless, I would take a look at doing a MAC ACL (ACL 700)
  HTH,
  Steve

• Local RADIUS in AP1242 with non-cisco WinXP wireless clients

  I'd like to configure local RADIUS in AP1242 and connect non-cisco WinXP wireless clients (for example notebook with integrated radio) with it. I did configuration (config1.txt) like in instruction: http://cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c0912.shtml
  But I can't connect non-cisco WinXP wireless client with AP1242 anyway. At once Cisco wireless client with Aironet Desktop Utility connects with it without any problem. I've done some other configuration (config2.txt), but with the same result. Second configuration is rather then first.
  How can I connect non-cisco WinXP wireless clients with AP1242 with local RADIUS?

  Hi Stephen,
  Thanks for the quick reply. Below is the switchport config. I am able to ping the AP from the switch and connect to its web page from any workstations.
  interface GigabitEthernet0/5
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 151
  switchport mode trunk
  end

• EAP-FAST with local radius on 1242AG

  I'm trying to get EAP-FAST working using the local radius server on a 1242AG autonomous AP using the latest firmware from Cisco. The cypher I'm using is CCMP. LEAP works fine with all my clients, however if I move to EAP-FAST in the radius config my clients fail to authenticate
  I know I need to set PAC to automatic somewhere, but the EAP-FAST configuration in the 1242AG GUI doesn't make this clear what to do.
  Any help or a basic example you be great.
  thanks,
  Simon

  I think this is what you're looking for;
  Local EAP Authentication on the Wireless LAN Controller with EAP-FAST and LDAP Server Configuration Example
  http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml
  HTH
  Regards,
  Jatin
  Do rate helpful posts~

• WLC 4402 RADIUS Authentication with IAS

  Hello
  I configured a WLAN with PEAP (CHAP v2)and Radius authentication to a Win 2003 IAS Radius Server.
  On the controller 4402 the layer 2 security is set to WPA1+WPA2 with 802.1x authentication.
  The IAS server don't use the configured policy when a authentication reguest arrive.
  I there an issue with special RADIUS attributes or configuration items on the IAS Server?
  The following event appear in the windows logs:
  User STANS\kaesmr was denied access.
  Fully-Qualified-User-Name = STANS\kaesmr
  NAS-IP-Address = 172.17.25.6
  NAS-Identifier = keynet-01
  Called-Station-Identifier = 00-18-74-FB-CA-20:keynet
  Calling-Station-Identifier = 00-16-CE-52-C8-EB
  Client-Friendly-Name = Wireless-Controller
  Client-IP-Address = 172.17.25.6
  NAS-Port-Type = Wireless - IEEE 802.11
  NAS-Port = 1
  Proxy-Policy-Name = Windows-Authentifizierung f?r alle Benutzer verwenden
  Authentication-Provider = Windows
  Authentication-Server = <undetermined>
  Policy-Name = <undetermined>
  Authentication-Type = Extension
  EAP-Type = <undetermined>
  Reason-Code = 21
  Reason = The request was rejected by a third-party extension DLL file.

  What I understand from your post is that the authentication is not handled by your IAS server. IF I am correct, the problem might be with the "Allow AA override" option disabled in your WLAN. If it is enabled, then the AAA server or your IAS server will override the security parameters set locally on the controller.
  So, first ensure whether "Allow AAA override" is enabled under Controller--->WLAN field.
  Also, chek out the logs of the IAS server for obtaining more info on this.

• Problems w/config AP1200 - WPA Enterprise/Local RADIUS Server

  I have been attempting to reconfigure a AP1200 in our lab environment from using static WEP keys to WPA/TKIP. I can make the solution work with WPA-PSK, but not enterprise. I believe I have everything configured correctly but cannot "validate identity" on the client. Below are the details to my configuration.
  SSID: labssid (Open authentication with EAP)
  Cipher: TKIP
  Key management: Mandatory (WPA)
  I have a Cisco ACS server but am attempting to get this running intially using the local RADIUS server on the Access Point. I have a user defined locally called "test" with a password of "test".
  I am using an IBM ThinkPad T43 with the built-in wireless (Intel PRO/Wireless 2915ABG NIC) for testing. I have the "Use Windows to configure my wireless network settings" checked so I am using the inherant Windows configuration screens. However, I have also attempted to use the IBM NIC configuration utility and receive the same failures. I have the client device configured as follows:
  1. Network authentication: WPA
  2. Data encryption: TKIP
  3. Authentication: Protected EAP (PEAP) (only option other than smartcard, cert.)
  3a. (PROPERTIES) - AuthMethod: Secured Password (EAP-MSCHAP v2)
  4. Authenticate as computer whe computer information is avail (UNCHECKED)
  5. Authenticate as guest when user or computer is unavailable (UNCHECKED)
  When I attempt to provide my test/test credientials the Access Point logs the following:
  Station 0016.6f77.9ccd Authentication failed
  When I look at the Local RADIUS server stats, for each authentication failure the following stat is recorded:
  "Unknown EAP Type"
  If I try to authenticate 5 times, there will be 5 Unknown EAP Type stats logged.
  What am I missing?

  I didn't realize the local RADIUS couldn't do PEAP. That makes sense now, as in testing I decided to point the AP at my ACS server and was able to authenticate. I'm having an issue authenticating at times because it seems the AP looses it's connection TO the ACS server. The Access Point logs the following:
  1. Station 0016.6f77.9ccd Authentication failed
  2. RADIUS server 192.168.102.82:1645,1646 has returned.
  3. RADIUS server 192.168.102.82:1645,1646 is not responding.
  The "not responding" and "returned" logs are recorded at the exact same time period. In my most recent case, it was "Aug 31 18:19:36.981". Both have that time stamp. It's as if the AP looses some heartbeat to the RADIUS server and doesn't check to see if it's alive until a certain interval. When I'm not able to authenticate, if I log into the ACS and manually "restart" the services through the GUI, I authenticate right away. I'm thinking this is an ACS issue not an AP issue, but am wondering if anyone else has ever noticed this behavior.

• Local radius question?

  Hi,
  I was just taking a look at the local radius functionality on a router. I've found a strange problem which doesn't make sense to me and I was wondering if someone could explain what I'm seeing. As a basic lab to learn the ropes with local radius I created a local radius server on my router and got the local vty lines to use it for authentication.
  This is my config:
  interface Loopback0
    ip address 192.168.0.1 255.255.255.255
  ip radius source-interface Loopback0
  aaa group server radius LOCAL-RADIUS
  server 192.168.0.1 auth-port 1812 acct-port 1813
  aaa authentication login default group LOCAL-RADIUS
  radius-server local
    nas 192.168.0.1 key 0 <removed>
    user mwhittle nthash 0 <removed>
  radius-server attribute 32 include-in-access-req format %h
  radius-server host 192.168.0.1 auth-port 1812 acct-port 1813 key <removed>
  radius-server vsa send accounting
  Now he's the strange thing... If I configure the radius user to "mwhittle" with the password "mwhittle" it works and I get an Access-Accept. If I configure anything another than the username for the password it doesn't work and I get an Access-Reject. I have tried many combinations but as long as the username and password are the same it works and if they aren't it doesn't. This can't be normal behavior unless I'm missing something.
  Any ideas?
  Kind regards,
  Mike

  Hi,
  What kind of RADIUS client application are you using with the IOS local  RADIUS server?  Please note that this server supports *only* wireless  clients,
  and only for the LEAP and EAP-FAST EAP types, and also MAC authentication.  It does not provide support for other kinds of RADIUS clients.
  The fact that username=password happens to seem to work is, I believe, an accidental artifact of the MAC authentication support, where username
  is always equal to password.
  If we are not using the MAC auth, then please feel free to open up a TAC case and we will help you..
  lemme know if this answered your question..
  Regards
  Surendra
  ====
  Please dont forget to rate the posts which answered your question and mark it as answered or was helpfull

• Wirelss AP1140 Radius authentication with Microsoft IAS

  Hi,
  I have a Cisco C1140 Ap. I have cnfigured the device. Initially for testing i used WPA and authenticated locally. I have now setup a radius server and added my AP in as a client etc. I have changed my SSID's to authenticate with the radius server and i am having issues authenticating.
  I can connect via a PC and an iphone. They say that i am connected but i get no ip address and the debugs state that the authentication fails:
  000466: Sep 5 14:33:07.074 AEST: %DOT11-7-AUTH_FAILED: Station 40a6.d967.8b13 Authentication failed
  000467: Sep 5 14:33:28.368 AEST: %DOT11-7-AUTH_FAILED: Station bc77.3771.b15f Authentication failed
  000468: Sep 5 14:33:39.837 AEST: %DOT11-7-AUTH_FAILED: Station 40a6.d967.8b13 Authentication failed
  I can see the Radius server as connected
  imc-syd-ap1#show aaa servers
  RADIUS: id 4, priority 1, host 10.10.0.2, auth-port 1645, acct-port 1646
  State: current UP, duration 4337s, previous duration 0s
  Dead: total time 0s, count 0
  Authen: request 0, timeouts 0
  Response: unexpected 0, server error 0, incorrect 0, time 0ms
  Transaction: success 0, failure 0
  Author: request 0, timeouts 0
  Response: unexpected 0, server error 0, incorrect 0, time 0ms
  Transaction: success 0, failure 0
  Account: request 0, timeouts 0
  Response: unexpected 0, server error 0, incorrect 0, time 0ms
  Transaction: success 0, failure 0
  Elapsed time since counters last cleared: 1h12m
  The debugs show:
  000474: Sep 5 14:36:00.969 AEST: %DOT11-7-AUTH_FAILED: Station bc77.3771.b15f Authentication failed
  000475: Sep 5 14:36:01.485 AEST: AAA/BIND(00000109
  show dot11 associations:
  imc-syd-ap1#show dot11 associations
  802.11 Client Stations on Dot11Radio0:
  SSID [IMC-Wireless-Data] :
  MAC Address IP address Device Name Parent State
  bc77.3771.b15f 0.0.0.0 ccx-client DAVID self AAA_Auth
  Any ideas or recomendations would be greatly appreciated
  Thanks
  Below is a copy of my wireless config:
  version 12.4
  no service pad
  service timestamps debug datetime msec localtime show-timezone
  service timestamps log datetime msec localtime show-timezone
  service password-encryption
  service sequence-numbers
  hostname xxxxxxxxxxxxxx
  logging buffered 40960 debugging
  enable secret 5 xxxxxxxxxxxxx
  aaa new-model
  aaa group server tacacs+ IMC
  server 172.16.100.3
  aaa group server radius AUTHVPN
  server 10.10.0.2 auth-port 1645 acct-port 1646
  server 10.11.0.24 auth-port 1645 acct-port 1646
  aaa authentication login default group IMC local enable
  aaa authorization exec default group IMC local if-authenticated
  aaa session-id common
  clock timezone AEST 10
  clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
  no ip domain lookup
  ip domain name imc.net.au
  dot11 syslog
  dot11 ssid IMC-Wireless-Data
  vlan 10
  authentication open eap AUTHVPN
  authentication network-eap AUTHVPN
  guest-mode
  mbssid guest-mode
  infrastructure-ssid optional
  information-element ssidl
  dot11 ssid IMC-Wireless-Voice
  vlan 14
  authentication open eap AUTHVPN
  authentication network-eap AUTHVPN
  mbssid guest-mode
  information-element ssidl
  dot11 aaa authentication attributes service login-only
  bridge irb
  interface Dot11Radio0
  no ip address
  no ip route-cache
  encryption mode wep mandatory
  ssid IMC-Wireless-Data
  ssid IMC-Wireless-Voice
  antenna gain 0
  mbssid
  station-role root
  interface Dot11Radio0.10
  encapsulation dot1Q 10 native
  no ip route-cache
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled
  interface Dot11Radio0.14
  encapsulation dot1Q 14
  no ip route-cache
  bridge-group 14
  bridge-group 14 subscriber-loop-control
  bridge-group 14 block-unknown-source
  no bridge-group 14 source-learning
  no bridge-group 14 unicast-flooding
  bridge-group 14 spanning-disabled
  interface Dot11Radio1
  no ip address
  no ip route-cache
  encryption mode wep mandatory
  ssid IMC-Wireless-Data
  ssid IMC-Wireless-Voice
  antenna gain 0
  no dfs band block
  mbssid
  channel dfs
  station-role root
  interface Dot11Radio1.10
  encapsulation dot1Q 10 native
  no ip route-cache
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled
  interface Dot11Radio1.14
  encapsulation dot1Q 14
  no ip route-cache
  bridge-group 14
  bridge-group 14 subscriber-loop-control
  bridge-group 14 block-unknown-source
  no bridge-group 14 source-learning
  no bridge-group 14 unicast-flooding
  bridge-group 14 spanning-disabled
  interface GigabitEthernet0
  description IMC-Wireless-Data
  no ip address
  no ip route-cache
  duplex auto
  speed auto
  no keepalive
  interface GigabitEthernet0.10
  description IMC-Wireless-Data
  encapsulation dot1Q 10 native
  no ip route-cache
  bridge-group 1
  no bridge-group 1 source-learning
  bridge-group 1 spanning-disabled
  interface GigabitEthernet0.14
  description IMC-Wireless-Voice
  encapsulation dot1Q 14
  no ip route-cache
  bridge-group 14
  no bridge-group 14 source-learning
  bridge-group 14 spanning-disabled
  interface BVI1
  description IMC-Wireless-Data
  ip address 10.10.0.245 255.255.255.0
  no ip route-cache
  ip default-gateway 10.10.0.254
  ip http server
  ip http authentication local
  no ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  ip radius source-interface BVI1
  access-list 111 permit tcp any any eq telnet
  access-list 111 permit tcp any any eq www
  access-list 111 permit tcp any any eq 22
  snmp-server community public RO
  snmp-server enable traps tty
  tacacs-server host 172.16.100.3 key 7 xxxxxxxxxxxxxxxxxxx
  tacacs-server directed-request
  radius-server host 10.10.0.2 auth-port 1645 acct-port 1646 key 7 xxxxxxxxxxxxxxxxxxx
  bridge 1 route ip
  wlccp wds aaa authentication attributes service login-only
  line con 0
  line vty 0 4
  access-class 111 in
  exec-timeout 5 0
  line vty 5 15
  access-class 111 in
  exec-timeout 5 0
  sntp server 10.10.0.254
  end

  Inside the ssid, when you put "authentication open" it's an eap_method that follows. You put your AUTHVPN aaa server group name. that's wrong.
  aaa authentication login  group AUTHVPN
  and adjust your "authentication open eap " to match with that method name.
  Also your group authvpn contains a 2nd server that is undefined in yoru global config ...
  Nicolas

• 1100 with Local Radius Server problems Atheros Client

  I have Local authentication turned on for the 1100 and am using the Atheros Client Utility configuring LEAP with username/password and it is failing, here is the debug from the 1100.Any help much appreciated.
  Xcon-ap1100#conf t
  Enter configuration commands, one per line. End with CNTL/Z.
  Xcon-ap1100(config)#radius
  Xcon-ap1100(config)#radius-server local
  Xcon-ap1100(config-radsrv)#no nas 10.201.1.5
  Xcon-ap1100(config-radsrv)#nas 10.201.1.5 key thiskey
  Xcon-ap1100(config-radsrv)#end
  Xcon-ap1100#debug radius
  Radius protocol debugging is on
  Radius protocol brief debugging is off
  Radius protocol verbose debugging is off
  Radius packet hex dump debugging is off
  Radius packet protocol debugging is on
  Radius packet retransmission debugging is off
  Radius server fail-over debugging is off
  Xcon-ap1100#term mon
  Xcon-ap1100#
  *Apr 3 16:26:26.961: RADIUS: AAA Unsupported [248] 10
  *Apr 3 16:26:26.961: RADIUS: 43 61 72 64 69 66 66 4E [CardiffN]
  *Apr 3 16:26:26.962: RADIUS: AAA Unsupported [150] 3
  *Apr 3 16:26:26.962: RADIUS: 32 [2]
  *Apr 3 16:26:26.962: RADIUS(000000FC): Storing nasport 246 in rad_db
  *Apr 3 16:26:26.962: RADIUS(000000FC): Config NAS IP: 10.201.1.5
  *Apr 3 16:26:26.963: RADIUS/ENCODE(000000FC): acct_session_id: 251
  *Apr 3 16:26:26.963: RADIUS(000000FC): Config NAS IP: 10.201.1.5
  *Apr 3 16:26:26.963: RADIUS(000000FC): sending
  *Apr 3 16:26:26.963: RADIUS(000000FC): Send Access-Request to 10.201.1.5:1645 id 21645/158, len 130
  *Apr 3 16:26:26.963: RADIUS: authenticator 74 20 7D 86 32 7B 1A 65 - 88 DE A7 58 51 91 FA 5D
  *Apr 3 16:26:26.963: RADIUS: User-Name [1] 6 "test"
  *Apr 3 16:26:26.964: RADIUS: Framed-MTU [12] 6 1400
  *Apr 3 16:26:26.964: RADIUS: Called-Station-Id [30] 16 "000f.f751.7970"
  *Apr 3 16:26:26.964: RADIUS: Calling-Station-Id [31] 16 "0090.963d.7bf6"
  *Apr 3 16:26:26.964: RADIUS: Service-Type [6] 6 Login [1]
  *Apr 3 16:26:26.965: RADIUS: Message-Authenticato[80] 18 *
  *Apr 3 16:26:26.965: RADIUS: EAP-Message [79] 11
  *Apr 3 16:26:26.965: RADIUS: 02 02 00 09 01 74 65 73 74 [?????test]
  *Apr 3 16:26:26.965: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
  *Apr 3 16:26:26.965: RADIUS: NAS-Port [5] 6 246
  *Apr 3 16:26:26.965: RADIUS: NAS-IP-Address [4] 6 10.201.1.5
  *Apr 3 16:26:26.965: RADIUS: Nas-Identifier [32] 13 "Xcon-ap1100"
  *Apr 3 16:26:31.966: RADIUS: Retransmit to (10.201.1.5:1645,1646) for id 21645/158
  *Apr 3 16:26:36.966: RADIUS: Retransmit to (10.201.1.5:1645,1646) for id 21645/158
  *Apr 3 16:26:41.966: RADIUS: Retransmit to (10.201.1.5:1645,1646) for id 21645/158
  *Apr 3 16:26:46.965: RADIUS: No response from (10.201.1.5:1645,1646) for id 21645/158
  *Apr 3 16:26:46.965: RADIUS/DECODE: parse response no app start; FAIL
  *Apr 3 16:26:46.965: RADIUS/DECODE: parse response; FAIL
  *Apr 3 16:26:46.966: %DOT11-7-AUTH_FAILED: Station 0090.963d.7bf6 Authentication failed
  *Apr 3 16:26:50.070: RADIUS: AAA Unsupported [248] 10
  *Apr 3 16:26:50.070: RADIUS: 43 61 72 64 69 66 66 4E [CardiffN]
  *Apr 3 16:26:50.071: RADIUS: AAA Unsupported [150] 3
  *Apr 3 16:26:50.071: RADIUS: 32 [2]
  *Apr 3 16:26:50.071: RADIUS(000000FD): Storing nasport 247 in rad_db
  *Apr 3 16:26:50.072: RADIUS(000000FD): Config NAS IP: 10.201.1.5
  *Apr 3 16:29:29.041: %DOT11-7-AUTH_FAILED: Station 0090.963d.7bf6 Authentication failed
  *Apr 3 16:29:52.253: %DOT11-7-AUTH_FAILED: Station 0090.963d.7bf6 Authentication failed

  I have a very similar situation here. Took me a while to figure out why existing user certificates are OK but no new users can enroll. I checked all certificates for expiry. No go. It was not the expiry ("Valid to") time, but rather the "Valid From" time that is messed up.
  This is what happens: The rollover gets created and replaces the original one (which remains in memory, no flash) But the new one is valid from the expiry of the old one - in my case TOMORROW and after a power-outage the day before yesterday (the most definitive way to get a reboot!) I only have the new NOT YET VALID certificate.
  OK, I can wait until tomorrow and see if it works. But the design is far from intelligent. The industry standard is that when you renew a certificate, the validity of the new one is immediate - even if it means it runs for a few days longer than the designated lifetime.
  So much for the overlap period of 30 days (as you can see from your own post) if the old certificate goes away after a reboot and the new one is not yet valid! (The CA certificate expiration timer gets reset to some Unix time-zero ( 01:00:00 CEST Jan 1 1970) which I take to mean "not valid yet".)
  I only have a few days of trouble - and just one to go after finally working it out, but it could have been up to 30 days if I for any reason had rebooted after the roll-over certificate got created.
  Cheers
  Bernhard

• EAP-FAST on Local Radius Server : Can't Get It Working

  Hi all
  I'm using an 877w router (flash:c870-advsecurityk9-mz.124-24.T4.bin) as local radius server and have followed various config guides on CCO. LEAP works fine but I just can't get EAP-FAST to work.
  I'm testing with win7 client using anyconnect secure mobility client, and also a mac book pro but without luck.
  the router sees unknown auth type, and when I run some debugs it talks of unknown eap type 3
  sh radius local-server s
  Successes              : 1           Unknown usernames      : 0        
  Client blocks          : 0           Invalid passwords      : 0        
  Unknown NAS            : 0           Invalid packet from NAS: 17      
  NAS : 172.27.44.1
  Successes              : 1           Unknown usernames      : 0        
  Client blocks          : 0           Invalid passwords      : 0        
  Corrupted packet       : 0           Unknown RADIUS message : 0        
  No username attribute  : 0           Missing auth attribute : 0        
  Shared key mismatch    : 0           Invalid state attribute: 0        
  Unknown EAP message    : 0           Unknown EAP auth type  : 17       
  Auto provision success : 0           Auto provision failure : 0        
  PAC refresh            : 0           Invalid PAC received   : 0       
  Can anyone suggest what I might be doing wrong?
  Regs, Tim

  Thanks Nicolas, relevant snippets from config:
  aaa new-model
  aaa group server radius rad_eap
  server 172.27.44.1 auth-port 1812 acct-port 1813
  aaa authentication login eap_methods group rad_eap
  aaa authorization exec default local
  aaa session-id common
  dot11 ssid home
  vlan 3
  authentication open eap eap_methods
  authentication network-eap eap_methods
  authentication key-management wpa
  ip dhcp pool home
     import all
     network 192.168.1.0 255.255.255.0
     default-router 192.168.1.1
     dns-server 194.74.65.68 194.74.65.69
  ip inspect name ethernetin tcp
  ip inspect name ethernetin udp
  ip inspect name ethernetin pop3
  ip inspect name ethernetin ssh
  ip inspect name ethernetin dns
  ip inspect name ethernetin ftp
  ip inspect name ethernetin tftp
  ip inspect name ethernetin smtp
  ip inspect name ethernetin icmp
  ip inspect name ethernetin telnet
  interface Dot11Radio0
  no ip address
  encryption vlan 1 mode ciphers aes-ccm tkip
  encryption vlan 2 mode ciphers aes-ccm tkip
  encryption vlan 3 mode ciphers aes-ccm tkip
  broadcast-key vlan 1 change 30
  broadcast-key vlan 2 change 30
  broadcast-key vlan 3 change 30
  ssid home
  speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
  station-role root
  interface Dot11Radio0.3
  encapsulation dot1Q 3
  no cdp enable
  bridge-group 3
  bridge-group 3 subscriber-loop-control
  bridge-group 3 spanning-disabled
  bridge-group 3 block-unknown-source
  no bridge-group 3 source-learning
  no bridge-group 3 unicast-flooding
  interface Vlan3
  no ip address
  bridge-group 3
  interface BVI3
  ip address 192.168.1.1 255.255.255.0
  ip inspect ethernetin in
  ip nat inside
  ip virtual-reassembly
  radius-server local
  no authentication mac
  nas 172.27.44.1 key 0 123456
  user test1 nthash 0 B151E8FF684B4F376C018E632A247D84
  user test2 nthash 0 F2EEAE1D895645B819C9FD217D0CA1F9
  user test3 nthash 0 0CB6948805F797BF2A82807973B89537
  radius-server host 172.27.44.1 auth-port 1812 acct-port 1813 key 123456
  radius-server vsa send accounting

• VPN 3000 and Radius authentication/authorization

  hello.
  I have to configure RADIUS authentication
  with a VPN 3000 concentrator.
  I'm completely new with this product
  (the concentrator).
  It seems that, if I want to perform authentication
  of username and password with Radius, then I also have to download the entire VPN configuration from the same Radius, using the attibute set loaded with the appropriate dictionary.
  am I rigth with this supposition?
  I mean: should be possible to authenticate only an username and password externally on RADIUS, while continuing to mantain the user (or group) VPN configuration locally in the concentrator?
  thank you.
  Davide

  No, downloading the entire VPN configuration from the RADIUS server is not necessary. If you are new to configuring VPN's on concentrators or the Concentrator iself, having a look at the support page will be agood idea. It is accessible at http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Hardware:Cisco_VPN_3000_Concentrator

• ISE - AAA radius authentication for NAD access

  Hi ,
  I have configured the switches to use the ISE as the Radius server to authenticate with , on the ISE i've configured an authentication policy
  for the "NADs" using the "Wired Devices" group which points to the AD indentity source to authenticate against .
  While testing the login access to the switches we've come up with 2 results :
  1.A domain user can indeed login to the switch as intended.
  2.Every domain user which exists in the AD indentity source can login , this is an undesired result .
  So I am trying to search for a way to restrict access to the NADs to only a particular group belonging to the AD , for example the group/ou
  of the IT_department only .
  I haven't been successfull , would appreciate any ideas on how to accomplish this .
  Switch configurations :
  =================
  aaa new-model
  aaa authentication login default group radius local
  ISE Authentication policy
  ==================
  Policy Name : NADs Authentication
  Condition:  "DEVICE:Device Type Equals :All Device Types#Wired"
  Allowed Protocol : Default Network Access
  use identity source : AD1

  Thank you for the quick replys , and now  ok , I've configured the following authorization policy :
  Rule Name : Nad Auth
  Conditions
  if: Any
  AND : AD1:ExternalGroups EQUALS IT_Departments
  Permissions , then PermitAccess
  What I don't understand is that it needs to match an "identity group" which can be either "Endpoint Identity group" or "Users Identity group" , I am limited with the if statement and cannot chose the same device group a choose before .
  How can i do that , i am thinking ahead an asking myself if in other cases a user might match this policy rule and can interfer ?