Wireless AP1140 RADIUS authentication with Microsoft IAS

Hi,
I have a Cisco C1140 AP. I have configured the device. Initially for testing I used WPA and authenticated locally. I have now set up a RADIUS server and added my AP in as a client etc. I have changed my SSIDs to authenticate with the RADIUS server and I am having issues authenticating.
I can connect via a PC and an iPhone. They say that I am connected but I get no IP address, and the debugs state that the authentication fails:
000466: Sep 5 14:33:07.074 AEST: %DOT11-7-AUTH_FAILED: Station 40a6.d967.8b13 Authentication failed
000467: Sep 5 14:33:28.368 AEST: %DOT11-7-AUTH_FAILED: Station bc77.3771.b15f Authentication failed
000468: Sep 5 14:33:39.837 AEST: %DOT11-7-AUTH_FAILED: Station 40a6.d967.8b13 Authentication failed
I can see the RADIUS server as connected:
imc-syd-ap1#show aaa servers
RADIUS: id 4, priority 1, host 10.10.0.2, auth-port 1645, acct-port 1646
State: current UP, duration 4337s, previous duration 0s
Dead: total time 0s, count 0
Authen: request 0, timeouts 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Author: request 0, timeouts 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Account: request 0, timeouts 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Elapsed time since counters last cleared: 1h12m
The debugs show:
000474: Sep 5 14:36:00.969 AEST: %DOT11-7-AUTH_FAILED: Station bc77.3771.b15f Authentication failed
000475: Sep 5 14:36:01.485 AEST: AAA/BIND(00000109
show dot11 associations:
imc-syd-ap1#show dot11 associations
802.11 Client Stations on Dot11Radio0:
SSID [IMC-Wireless-Data] :
MAC Address IP address Device Name Parent State
bc77.3771.b15f 0.0.0.0 ccx-client DAVID self AAA_Auth
Any ideas or recommendations would be greatly appreciated.
Thanks
Below is a copy of my wireless config:
version 12.4
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname xxxxxxxxxxxxxx
logging buffered 40960 debugging
enable secret 5 xxxxxxxxxxxxx
aaa new-model
aaa group server tacacs+ IMC
server 172.16.100.3
aaa group server radius AUTHVPN
server 10.10.0.2 auth-port 1645 acct-port 1646
server 10.11.0.24 auth-port 1645 acct-port 1646
aaa authentication login default group IMC local enable
aaa authorization exec default group IMC local if-authenticated
aaa session-id common
clock timezone AEST 10
clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
no ip domain lookup
ip domain name imc.net.au
dot11 syslog
dot11 ssid IMC-Wireless-Data
vlan 10
authentication open eap AUTHVPN
authentication network-eap AUTHVPN
guest-mode
mbssid guest-mode
infrastructure-ssid optional
information-element ssidl
dot11 ssid IMC-Wireless-Voice
vlan 14
authentication open eap AUTHVPN
authentication network-eap AUTHVPN
mbssid guest-mode
information-element ssidl
dot11 aaa authentication attributes service login-only
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode wep mandatory
ssid IMC-Wireless-Data
ssid IMC-Wireless-Voice
antenna gain 0
mbssid
station-role root
interface Dot11Radio0.10
encapsulation dot1Q 10 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio0.14
encapsulation dot1Q 14
no ip route-cache
bridge-group 14
bridge-group 14 subscriber-loop-control
bridge-group 14 block-unknown-source
no bridge-group 14 source-learning
no bridge-group 14 unicast-flooding
bridge-group 14 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
encryption mode wep mandatory
ssid IMC-Wireless-Data
ssid IMC-Wireless-Voice
antenna gain 0
no dfs band block
mbssid
channel dfs
station-role root
interface Dot11Radio1.10
encapsulation dot1Q 10 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio1.14
encapsulation dot1Q 14
no ip route-cache
bridge-group 14
bridge-group 14 subscriber-loop-control
bridge-group 14 block-unknown-source
no bridge-group 14 source-learning
no bridge-group 14 unicast-flooding
bridge-group 14 spanning-disabled
interface GigabitEthernet0
description IMC-Wireless-Data
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
interface GigabitEthernet0.10
description IMC-Wireless-Data
encapsulation dot1Q 10 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface GigabitEthernet0.14
description IMC-Wireless-Voice
encapsulation dot1Q 14
no ip route-cache
bridge-group 14
no bridge-group 14 source-learning
bridge-group 14 spanning-disabled
interface BVI1
description IMC-Wireless-Data
ip address 10.10.0.245 255.255.255.0
no ip route-cache
ip default-gateway 10.10.0.254
ip http server
ip http authentication local
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
access-list 111 permit tcp any any eq telnet
access-list 111 permit tcp any any eq www
access-list 111 permit tcp any any eq 22
snmp-server community public RO
snmp-server enable traps tty
tacacs-server host 172.16.100.3 key 7 xxxxxxxxxxxxxxxxxxx
tacacs-server directed-request
radius-server host 10.10.0.2 auth-port 1645 acct-port 1646 key 7 xxxxxxxxxxxxxxxxxxx
bridge 1 route ip
wlccp wds aaa authentication attributes service login-only
line con 0
line vty 0 4
access-class 111 in
exec-timeout 5 0
line vty 5 15
access-class 111 in
exec-timeout 5 0
sntp server 10.10.0.254
end

Inside the SSID, when you put "authentication open", it's an eap_method name that follows. You put your AUTHVPN AAA server group name there; that's wrong.
aaa authentication login  group AUTHVPN
and adjust your "authentication open eap " line to match that method name.
Also, your group AUTHVPN contains a 2nd server that is undefined in your global config...
Nicolas
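The change Nicolas describes, written out as an added example rather than config taken from the post: on an autonomous IOS AP the `eap` keyword in `authentication open eap` and `authentication network-eap` names an AAA login method list, and it is that list, not the SSID, that points at the RADIUS server group. The method-list name `eap_methods` and the `<key>` placeholders are assumptions. The second group member, 10.11.0.24, also gets its own `radius-server host` line, since the original config only defined 10.10.0.2 globally. The `authentication key-management wpa version 2` and `encryption vlan ... mode ciphers aes-ccm` lines are a hardening step the thread does not discuss; they replace the original `encryption mode wep mandatory` (dynamic WEP), which you should keep only if legacy clients force it.

```cisco
! AAA plumbing: the group lists the servers, the method list selects the group
aaa new-model
aaa group server radius AUTHVPN
 server 10.10.0.2 auth-port 1645 acct-port 1646
 server 10.11.0.24 auth-port 1645 acct-port 1646
!
! Login method list used for EAP; the name "eap_methods" is an assumption
aaa authentication login eap_methods group AUTHVPN
!
! Every group member needs a global host entry carrying the shared secret
! (the original config defined only 10.10.0.2); <key> is a placeholder
radius-server host 10.10.0.2 auth-port 1645 acct-port 1646 key <key>
radius-server host 10.11.0.24 auth-port 1645 acct-port 1646 key <key>
ip radius source-interface BVI1
!
! The SSID references the method list, never the server group directly
dot11 ssid IMC-Wireless-Data
 vlan 10
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa version 2
 mbssid guest-mode
!
dot11 ssid IMC-Wireless-Voice
 vlan 14
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa version 2
 mbssid guest-mode
!
! With mbssid and per-SSID VLANs the cipher is set per VLAN on the radio.
! AES-CCMP replaces the original "encryption mode wep mandatory" (dynamic WEP).
interface Dot11Radio0
 encryption vlan 10 mode ciphers aes-ccm
 encryption vlan 14 mode ciphers aes-ccm
 ssid IMC-Wireless-Data
 ssid IMC-Wireless-Voice
 mbssid
 station-role root
```

The `Authen: request 0` counters in the `show aaa servers` output above are consistent with the AP never sending an Access-Request at all; after this change a client association should increment them, and `debug radius authentication` together with `debug dot11 aaa authenticator state-machine` shows the EAP exchange and the Access-Accept or Access-Reject coming back from IAS.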

Similar Messages

  • Authentication with MS-IAS / AD

    I'm trying to control access to my LAN by authenticating users with EAP / MS IAS + AD.
    IAS denied access with error 112: The remote RADIUS server did not process the authentication request.
    I set up the IAS policy to answer with vendor specific 64:"VLAN", 65:802, 81:10
    Has somebody already managed to use MS-IAS RADIUS authentication with a Cisco 2960 switch?
    Mon Jun 28 12:22:49 2010: <191>4105: Jun 28 12:22:49.122 UTC+1: RADIUS(00000098): Send Access-Request to 10.221.136.14:1645 id 1645/56, len 211
    Mon Jun 28 12:22:49 2010: <191>4106: Jun 28 12:22:49.122 UTC+1: RADIUS:  authenticator 91 EC 87 87 89 0E AF 79 - 76 CE 5A 61 ED 1A D7 AC
    Mon Jun 28 12:22:49 2010: <191>4107: Jun 28 12:22:49.122 UTC+1: RADIUS:  User-Name           [1]   17  "EUROPE\ParisAdm"
    Mon Jun 28 12:22:49 2010: <191>4108: Jun 28 12:22:49.122 UTC+1: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Mon Jun 28 12:22:49 2010: <191>4109: Jun 28 12:22:49.122 UTC+1: RADIUS:  Framed-MTU          [12]  6   1500                     
    Mon Jun 28 12:22:49 2010: <191>4110: Jun 28 12:22:49.122 UTC+1: RADIUS:  Called-Station-Id   [30]  19  "00-24-51-55-47-84"
    Mon Jun 28 12:22:49 2010: <191>4111: Jun 28 12:22:49.122 UTC+1: RADIUS:  Calling-Station-Id  [31]  19  "00-14-22-BF-46-40"
    Mon Jun 28 12:22:49 2010: <191>4112: Jun 28 12:22:49.122 UTC+1: RADIUS:  EAP-Message         [79]  22 
    Mon Jun 28 12:22:49 2010: <191>4113: Jun 28 12:22:49.122 UTC+1: RADIUS:   02 02 00 14 01 45 55 52 4F 50 45 5C 50 61 72 69 73 41 64 6D   [ EUROPE\ParisAdm]
    Mon Jun 28 12:22:49 2010: <191>4114: Jun 28 12:22:49.122 UTC+1: RADIUS:  Message-Authenticato[80]  18 
    Mon Jun 28 12:22:49 2010: <191>4115: Jun 28 12:22:49.122 UTC+1: RADIUS:   27 E9 35 4C C3 69 99 B0 1B D9 3A 08 84 C0 71 E4            [ '5Li:q]
    Mon Jun 28 12:22:49 2010: <191>4116: Jun 28 12:22:49.122 UTC+1: RADIUS:  Vendor, Cisco       [26]  49 
    Mon Jun 28 12:22:49 2010: <191>4117: Jun 28 12:22:49.122 UTC+1: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A8FE030000006B13A4833C"
    Mon Jun 28 12:22:49 2010: <191>4118: Jun 28 12:22:49.122 UTC+1: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
    Mon Jun 28 12:22:49 2010: <191>4119: Jun 28 12:22:49.122 UTC+1: RADIUS:  NAS-Port            [5]   6   50004                    
    Mon Jun 28 12:22:49 2010: <191>4120: Jun 28 12:22:49.122 UTC+1: RADIUS:  NAS-Port-Id         [87]  17  "FastEthernet0/4"
    Mon Jun 28 12:22:49 2010: <191>4121: Jun 28 12:22:49.122 UTC+1: RADIUS:  NAS-IP-Address      [4]   6   192.168.254.3            
    Mon Jun 28 12:22:50 2010: <191>4122: Jun 28 12:22:49.206 UTC+1: RADIUS: Received from id 1645/56 10.221.136.14:1645, Access-Reject, len 20
    Mon Jun 28 12:22:50 2010: <191>4123: Jun 28 12:22:49.206 UTC+1: RADIUS:  authenticator CC 28 1A 22 28 32 F2 27 - 79 1F 2B 01 32 C5 AD BC
    Mon Jun 28 12:22:50 2010: <191>4124: Jun 28 12:22:49.206 UTC+1: RADIUS(00000098): Received from id 1645/56
    Mon Jun 28 12:22:52 2010: <187>4125: Jun 28 12:22:50.842 UTC+1: %LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to up
    Thanks for your help
    Pascal

    You need to have 3 policies created in IAS. Each will define the SSID and the AD group the user belongs to. So on the WLC, do you have 3 SSIDs and each has its own VLAN?
    Sent from Cisco Technical Support iPad App
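An added example of the switch side of this 2960/IAS setup (not config from the thread; the IAS address, port and VLAN follow the debug above, while `<key>` and the parking VLAN 999 are placeholders): 802.1X on the access port with the VLAN taken from the Access-Accept. The three attributes named in the question are standard IETF RADIUS attributes rather than vendor-specific ones: Tunnel-Type (64) = VLAN (13), Tunnel-Medium-Type (65) = IEEE-802 (6) and Tunnel-Private-Group-ID (81) = the VLAN ID or name. The switch ignores them unless `aaa authorization network` is configured.

```cisco
aaa new-model
! dot1x requests go to the RADIUS group; "network" authorization is what
! lets the switch act on the Tunnel-* attributes in the Access-Accept
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
! IAS server from the debug; <key> is a placeholder for the shared secret
radius-server host 10.221.136.14 auth-port 1645 acct-port 1646 key <key>
radius-server vsa send authentication
!
! Enable the 802.1X authenticator globally, then per port
dot1x system-auth-control
!
interface FastEthernet0/4
 switchport mode access
 ! parking VLAN used until RADIUS assigns one (999 is an assumption)
 switchport access vlan 999
 ! "dot1x port-control auto" is the equivalent on pre-12.2(50)SE images
 authentication port-control auto
 authentication host-mode single-host
 dot1x pae authenticator
 spanning-tree portfast
!
! Expected Access-Accept from IAS for a matching policy (standard attributes):
!   Tunnel-Type (64)             = VLAN (13)
!   Tunnel-Medium-Type (65)      = IEEE-802 (6)
!   Tunnel-Private-Group-ID (81) = 10
```

`show authentication sessions interface FastEthernet0/4` (or `show dot1x interface FastEthernet0/4 details` on older images) reports the assigned VLAN once IAS answers with an Access-Accept, and `debug radius` prints the Tunnel-* attributes in the reply. An Access-Reject of len 20, as in the debug above, is a bare RADIUS header with no attributes, so the reason has to be read from the IAS event log rather than from the switch.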

  • Using Cisco WCS with Microsoft IAS

    Hi.
    I have two 5508s and WCS 7.0.172. I want to use Active Directory user credentials to log in to the WCS. I have configured the NPS role on a Windows 2008 R2 server.
    I have read this http://zmq503o1.wordpress.com/2008/01/06/using-cisco-wcs-with-microsoft-ias/ and done the same.
    I don't agree with "on the "Encryption" tab, clear all the checkboxes except "No encryption"". I want an encrypted connection, but this didn't work until "Reversible encryption" was permitted in the user's properties in AD. This is not what I want. Would I need to generate an SSL cert for the WCS as written here? http://www.cisco.com/en/US/docs/wireless/wcs/7.0MR1/configuration/guide/hard.html#wp1042471
    Or do something else? Thanks

    Camera is only supported for use with CUVA. Any other application attempting to utilize the camera is not tested and is not supported.

  • WLC 4402 RADIUS Authentication with IAS

    Hello
    I configured a WLAN with PEAP (CHAP v2) and RADIUS authentication to a Windows 2003 IAS RADIUS server.
    On the controller 4402 the layer 2 security is set to WPA1+WPA2 with 802.1x authentication.
    The IAS server doesn't use the configured policy when an authentication request arrives.
    Is there an issue with special RADIUS attributes or configuration items on the IAS server?
    The following event appears in the Windows logs:
    User STANS\kaesmr was denied access.
    Fully-Qualified-User-Name = STANS\kaesmr
    NAS-IP-Address = 172.17.25.6
    NAS-Identifier = keynet-01
    Called-Station-Identifier = 00-18-74-FB-CA-20:keynet
    Calling-Station-Identifier = 00-16-CE-52-C8-EB
    Client-Friendly-Name = Wireless-Controller
    Client-IP-Address = 172.17.25.6
    NAS-Port-Type = Wireless - IEEE 802.11
    NAS-Port = 1
    Proxy-Policy-Name = Windows-Authentifizierung für alle Benutzer verwenden
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = <undetermined>
    Authentication-Type = Extension
    EAP-Type = <undetermined>
    Reason-Code = 21
    Reason = The request was rejected by a third-party extension DLL file.

    What I understand from your post is that the authentication is not handled by your IAS server. If I am correct, the problem might be the "Allow AAA override" option being disabled in your WLAN. If it is enabled, then the AAA server, i.e. your IAS server, will override the security parameters set locally on the controller.
    So, first ensure that "Allow AAA override" is enabled under Controller--->WLAN.
    Also, check the logs of the IAS server for more info on this.

  • Web Authentication with MS IAS Server

    I'm trying to configure my 2106 WLC to authenticate with an MS IAS Radius Server. I had this working, but my boss did not want to do any configuration on the client side and now wants to do all authentication through Web authentication with the Radius server. The wireless client connects and is redirected to the login page like they're supposed to, but when I enter my credentials the login fails. However, if I enter the login of a local user to the controller the authentication works.
    I see in the logs the following error: AAA Authentication Failure for UserName:chevym User Type: WLAN USER. The authentication is reaching the server too, but the logs don't tell you much.
    Here is what is in the server logs: 192.168.0.77,chevym,07/29/2008,05:58:16,IAS,TESTLAB1,25,311 1 192.168.0.221 07/28/2008 17:27:10 48,4127,2,4130,TESTLAB\chevym,4129,TESTLAB\chevym,4154,Use Windows authentication for all users,4155,1,4128,Wireless LAN Controller,4116,9,4108,192.168.0.77,4136,3,4142,19
    I don't really understand any of that and I'm not really sure if I have the server itself configured correctly for what I want to do. Does anyone have instructions on how to do this?

    I had another thread going on this, but since it appears to be an IAS problem, I've been posting on the MS forum instead of here.
    I'm trying to set up wireless laptop-WLC-IAS authentication using PEAP.
    The machine authenticates on boot, but any login by any user results in this message in the Windows Event log on the IAS server:
    Event Type: Warning
    Event Source: IAS
    Event Category: None
    Event ID: 2
    Date: 9/3/2008
    Time: 11:00:55 PM
    User: N/A
    Computer: DC1
    Description:
    User SCOTRNCPQ003.scdl.local was denied access.
    Fully-Qualified-User-Name = SCDL\SCOTRNCPQ003.scdl.local
    NAS-IP-Address = 10.10.10.10
    NAS-Identifier = scohc0ciswlc
    Called-Station-Identifier = 00-21-55-C0-7D-70:Domain Staff
    Calling-Station-Identifier = 00-90-4B-4C-92-B7
    Client-Friendly-Name = WLAN Controller
    Client-IP-Address = 10.10.10.10
    NAS-Port-Type = Wireless - IEEE 802.11
    NAS-Port = 29
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server =
    Policy-Name =
    Authentication-Type = EAP
    EAP-Type =
    Reason-Code = 8
    Reason = The specified user account does not exist.
    The policy is the default connection policy created when installing IAS.
    In ADUC, I've tried setting both the machine and users Dial-In properties to Allow Access or Control through policy, with the same result.
    I've gone through the policy and there isn't anything there, other than the Day-Time rule which is set to allow access for all hours of the whole day, every day.
    In the last few days, I've read about the Ignore User Dial In properties, but can't find where/how you set this.
    It sounded to me as if this had been resolved in this thread, so I wanted to know how this had been accomplished.

  • ACS 5.3 Radius authentication with ASA and DACL

    Hi,
    I am trying to do Radius authentication on the ACS 5.3 for VPN access (cisco client) using a downloadable ACL with AD identity
    Clients are connecting to an ASA 5510 with image asa843-K8.bin
    I followed the configuration example on the Cisco site, but I am having some problems
    First: AD identity is not triggered. I put in a profile (the rule table, flattened in the original post):
    Status  Name         Conditions                                             Results                 Hit Count
                         NDG:Location   Time And Date   AD1:memberOf            Authorization Profiles
    1       TestVPNDACL  -ANY-          -ANY-           equals Network Admin    TEST DACL               0
    But I am getting no hits on it, and Default Access is being used (Permit Access).
    So I tried putting the DACL in the default profile, but when connecting I am immediately disconnected.
    I can see the DACL/ASA being authenticated in the ACS log but no success.
    I am using my user, which is a member of the Network Admin group.
    Am I missing something?
    Any help greatly appreciated!
    Wim

    Hello Stephen,
    As per the IP Pools feature, the ACS 5.x does not include such functionality. It is not on the ACS 5.x roadmap either as the recommended scenario would be to use a dedicated DHCP server.
    ACS 4.x included that functionality; however, it was not the best solution as the ACS returned the IP address value as a RADIUS attribute instead of acting as a real DHCP server.
    As per the IMEI and MISDN I am assuming you are referring to International Mobile Equipment Identity and Mobile Subscriber ISDN. Correct me if I am wrong.
    In that case it seems that the ACS 5.x should be able to Allow or Deny access based on Radius Attribute 30 (Called-Station-Id) and 31 (Calling-Station-Id).
    In that case you might want to use the End-Station Filters feature and use it as the condition for the Rule. The End-Station Filter feature uses CLI/DNIS where CLI is Radius Attribute 31 and DNIS is Attribute 30.
    I am assuming a Generic Username will be embedded on the devices request. In that case you will define which end-user devices will be granted access based on the above attributes.
    Here is a snapshot of the section:

  • Radius authentication with ISE - wrong IP address

    Hello,
    We are using ISE for RADIUS authentication.  I have set up a new Cisco switch stack at one of our locations and set up the network device in ISE.  Unfortunately, when trying to authenticate, the ISE logs show a failure of "Could not locate Network Device or AAA Client". The reason for this failure is that the log shows it's coming from the wrong IP address.  The IP address of the switch is 10.xxx.aaa.241, but the logs show it is 10.xxx.aaa.243.  I have removed and re-added the RADIUS configs on both ISE and the switch, but it still comes in as .243.  There is another switch stack at that location (same model, IOS etc.) that works properly.
    The radius config on the switch:
    aaa new-model
    aaa authentication login default local
    aaa authentication login Comm group radius local
    aaa authentication enable default enable
    aaa authorization exec default group radius if-authenticated
    ip radius source-interface Vlanyy
    radius server 10.xxx.yyy.zzz
     address ipv4 10.xxx.yyy.zzz auth-port 1812 acct-port 1813
     key 7 abcdefg
    The log from ISE:
    Overview
    Event  5405 RADIUS Request dropped 
    Username  
    Endpoint Id  
    Endpoint Profile  
    Authorization Profile  
    Authentication Details
    Source Timestamp  2014-07-30 08:48:51.923 
    Received Timestamp  2014-07-30 08:48:51.923 
    Policy Server  ise
    Event  5405 RADIUS Request dropped 
    Failure Reason  11007 Could not locate Network Device or AAA Client 
    Resolution  Verify whether the Network Device or AAA client is configured in: Administration > Network Resources > Network Devices 
    Root cause  Could not find the network device or the AAA Client while accessing NAS by IP during authentication. 
    Username  
    User Type  
    Endpoint Id  
    Endpoint Profile  
    IP Address  
    Identity Store  
    Identity Group  
    Audit Session Id  
    Authentication Method  
    Authentication Protocol  
    Service Type  
    Network Device  
    Device Type  
    Location  
    NAS IP Address  10.xxx.aaa.243 
    NAS Port Id  tty2 
    NAS Port Type  Virtual 
    Authorization Profile  
    Posture Status  
    Security Group  
    Response Time  
    Other Attributes
    ConfigVersionId  107 
    Device Port  1645 
    DestinationPort  1812 
    Protocol  Radius 
    NAS-Port  2 
    AcsSessionID  ise1/186896437/1172639 
    Device IP Address  10.xxx.aaa.243 
    CiscoAVPair  
       Steps
      11001  Received RADIUS Access-Request 
      11017  RADIUS created a new session 
      11007  Could not locate Network Device or AAA Client 
      5405  
    As a test, I set up a device using the .243 address.  While ISE claims it authenticates, it really doesn't.  I have to use my local account to access the device.
    Any advice on how to resolve this issue would be appreciated.  Please let me know if more information is needed.

    Well, from the debug I would say there may be an issue with the addressing of the RADIUS server on the switch.
    radius-server host 10.xxx.xxx.xxx key******** <--- Make sure this address and key match what you have in the ISE PSN and that switch. Watch for spaces in your key at the beginning or end of the string.
    What interface should your switch be sending the radius request?
    ip radius source-interface VlanXXX vrf default
    Here is what my debug looks like when it is working correctly.
    Aug  4 15:58:47 EST: RADIUS/ENCODE(00000265): ask "Password: "
    Aug  4 15:58:47 EST: RADIUS/ENCODE(00000265):Orig. component type = EXEC
    Aug  4 15:58:47 EST: RADIUS(00000265): Config NAS IP: 10.xxx.xxx.251
    Aug  4 15:58:47 EST: RADIUS/ENCODE(00000265): acct_session_id: 613
    Aug  4 15:58:47 EST: RADIUS(00000265): sending
    Aug  4 15:58:47 EST: RADIUS(00000265): Send Access-Request to 10.xxx.xxx.35:1645 id 1645/110, len 104
    Aug  4 15:58:47 EST: RADIUS:  authenticator 97 FB CF 13 2E 6F 62 5D - 5B 10 1B BD BA EB C9 E3
    Aug  4 15:58:47 EST: RADIUS:  User-Name           [1]   9   "admin"
    Aug  4 15:58:47 EST: RADIUS:  Reply-Message       [18]  12 
    Aug  4 15:58:47 EST: RADIUS:   50 61 73 73 77 6F 72 64 3A 20        [ Password: ]
    Aug  4 15:58:47 EST: RADIUS:  User-Password       [2]   18  *
    Aug  4 15:58:47 EST: RADIUS:  NAS-Port            [5]   6   3                        
    Aug  4 15:58:47 EST: RADIUS:  NAS-Port-Id         [87]  6   "tty3"
    Aug  4 15:58:47 EST: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
    Aug  4 15:58:47 EST: RADIUS:  Calling-Station-Id  [31]  15  "10.xxx.xxx.100"
    Aug  4 15:58:47 EST: RADIUS:  Service-Type        [6]   6   Login                     [1]
    Aug  4 15:58:47 EST: RADIUS:  NAS-IP-Address      [4]   6   10.xxx.xxx.251           
    Aug  4 15:58:47 EST: RADIUS(00000265): Started 5 sec timeout
    Aug  4 15:58:47 EST: RADIUS: Received from id 1645/110 10.xxx.xxx.35:1645, Access-Accept, len 127
    Aug  4 15:58:47 EST: RADIUS:  authenticator 1B 98 AB 4F B1 F4 81 41 - 3D E1 E9 DB 33 52 54 C1
    Aug  4 15:58:47 EST: RADIUS:  User-Name           [1]   9   "admin"
    Aug  4 15:58:47 EST: RADIUS:  State               [24]  40 
    Aug  4 15:58:47 EST: RADIUS:   52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 61  [ReauthSession:0a]
    Aug  4 15:58:47 EST: RADIUS:   30 63 66 65 32 33 30 30 30 31 46 37 30 37 35 33  [0cfe230001F70753]
    Aug  4 15:58:47 EST: RADIUS:   44 46 45 35 46 37            [ DFE5F7]
    Aug  4 15:58:47 EST: RADIUS:  Class               [25]  58 
    Aug  4 15:58:47 EST: RADIUS:   43 41 43 53 3A 30 61 30 63 66 65 32 33 30 30 30  [CACS:0a0cfe23000]
    Aug  4 15:58:47 EST: RADIUS:   31 46 37 30 37 35 33 44 46 45 35 46 37 3A 50 52  [1F70753DFE5F7:PR]
    Aug  4 15:58:47 EST: RADIUS:   59 49 53 45 30 30 32 2F 31 39 33 37 39 34 36 39  [YISE002/19379469]
    Aug  4 15:58:47 EST: RADIUS:   38 2F 32 30 36 33 31 36          [ 8/206316]
    Aug  4 15:58:47 EST: RADIUS(00000265): Received from id 1645/110
    ---------------------------------------------------------------------------------------------------------------
    This is after I added the incorrect RADIUS server address.
    Aug  4 16:05:19 EST: RADIUS/ENCODE(00000268): ask "Password: "
    Aug  4 16:05:19 EST: RADIUS/ENCODE(00000268):Orig. component type = EXEC
    Aug  4 16:05:19 EST: RADIUS(00000268): Config NAS IP: 10.xxx.xxx.251
    Aug  4 16:05:19 EST: RADIUS/ENCODE(00000268): acct_session_id: 616
    Aug  4 16:05:19 EST: RADIUS(00000268): sending
    Aug  4 16:05:19 EST: RADIUS(00000268): Send Access-Request to 10.xxx.xxx.55:1645 id 1645/112, len 104
    Aug  4 16:05:19 EST: RADIUS:  authenticator FC 94 BA 5D 75 1F 84 08 - E0 56 05 3A 7F BC FB BB
    Aug  4 16:05:19 EST: RADIUS:  User-Name           [1]   9   "admin"
    Aug  4 16:05:19 EST: RADIUS:  Reply-Message       [18]  12 
    Aug  4 16:05:19 EST: RADIUS:   50 61 73 73 77 6F 72 64 3A 20        [ Password: ]
    Aug  4 16:05:19 EST: RADIUS:  User-Password       [2]   18  *
    Aug  4 16:05:19 EST: RADIUS:  NAS-Port            [5]   6   7                        
    Aug  4 16:05:19 EST: RADIUS:  NAS-Port-Id         [87]  6   "tty7"
    Aug  4 16:05:19 EST: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
    Aug  4 16:05:19 EST: RADIUS:  Calling-Station-Id  [31]  15  "10.xxx.xxx.100"
    Aug  4 16:05:19 EST: RADIUS:  Service-Type        [6]   6   Login                     [1]
    Aug  4 16:05:19 EST: RADIUS:  NAS-IP-Address      [4]   6   10.xxx.xxx.251           
    Aug  4 16:05:19 EST: RADIUS(00000268): Started 5 sec timeout
    Aug  4 16:05:23 EST: RADIUS(00000268): Request timed out
    Aug  4 16:05:23 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
    Aug  4 16:05:23 EST: RADIUS(00000268): Started 5 sec timeout
    Aug  4 16:05:29 EST: RADIUS(00000268): Request timed out
    Aug  4 16:05:29 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
    Aug  4 16:05:29 EST: RADIUS(00000268): Started 5 sec timeout
    Aug  4 16:05:33 EST: RADIUS(00000268): Request timed out
    Aug  4 16:05:33 EST: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.xxx.xxx.55:1645,1646 is not responding.
    Aug  4 16:05:33 EST: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.xxx.xxx.55:1645,1646 is being marked alive.
    Aug  4 16:05:33 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
    Aug  4 16:05:33 EST: RADIUS(00000268): Started 5 sec timeout
    Aug  4 16:05:38 EST: RADIUS(00000268): Request timed out
    Aug  4 16:05:38 EST: RADIUS: Fail-over to (10.xxx.xxx.55:1645,1646) for id 1645/112
    Aug  4 16:05:38 EST: RADIUS(00000268): Started 5 sec timeout
    Aug  4 16:05:43 EST: RADIUS(00000268): Request timed out
    Aug  4 16:05:43 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
    Aug  4 16:05:43 EST: RADIUS(00000268): Started 5 sec timeout
    Aug  4 16:05:48 EST: RADIUS(00000268): Request timed out
    Aug  4 16:05:48 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
    Aug  4 16:05:48 EST: RADIUS(00000268): Started 5 sec timeout
    Aug  4 16:05:53 EST: RADIUS(00000268): Request timed out
    Aug  4 16:05:53 EST: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.xxx.xxx.55:1645,1646 is not responding.
    Aug  4 16:05:53 EST: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.xxx.xxx.55:1645,1646 is being marked alive.
    Aug  4 16:05:53 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
    Aug  4 16:05:53 EST: RADIUS(00000268): Started 5 sec timeout
    Aug  4 16:05:57 EST: RADIUS(00000268): Request timed out
    Aug  4 16:05:57 EST: RADIUS: No response from (10.xxx.xxx.55:1645,1646) for id 1645/112
    Aug  4 16:05:57 EST: RADIUS/DECODE: parse response no app start; FAIL
    Aug  4 16:05:57 EST: RADIUS/DECODE: parse response; FAIL
    This is a default template I use for all my devices, routers or switches; hope it helps. I have two PSNs, which is why there are two radius-server host commands.
    aaa authentication login vty group radius local enable
    aaa authentication login con group radius local enable
    aaa authentication dot1x default group radius
    aaa authorization network default group radius 
    aaa accounting system default start-stop group radius
    ip radius source-interface VlanXXX vrf default
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 30 tries 3
    radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646 key *********
    radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646 key *********
    radius-server vsa send accounting
    radius-server vsa send authentication
    You can use this in the switch to test radius
    test aaa group radius server 10.xxx.xxx.xxx <username> <password>

  • APC (UPS) RADIUS authentication with ACS 5.X

    I am trying to do RADIUS authentication for APC (UPS) using ACS 5.2 Appliance. It is working fine with ACS 4.2, but unfortunately not with ACS 5.2. I tried creating RADIUS VSA (Vendor Specific Attributes) for APC in ACS 5.2.
    According to the APC dictionary file
    VENDOR APC 318
    # Attributes
    ATTRIBUTE APC-Service-Type 1 integer APC
    ATTRIBUTE APC-Outlets 2 string APC
    VALUE APC-Service-Type Admin 1
    VALUE APC-Service-Type Device 2
    VALUE APC-Service-Type ReadOnly 3
    # For devices with outlet users only
    VALUE APC-Service-Type Outlet 4
    I have added the attributes in blue (attached); how do I add the VALUEs (shown in red) in ACS 5.2? What else should I do to get this working?
    The hit count on the ACS shows that it is getting authentication request from the APC appliance.
    Thanks in advance.

    Hi,
    I am working on the same issue and I managed to log in (using LDAP A/D backend authentication). When using the standard RADIUS attribute Service-Type (1 for read-only and 6 for admin) I managed to get this working. I am, however, trying to use the APC VSAs (as above) without any success. The objective is to have outlet management for specific users, admin or read-only for others. Did you manage to get this working, and how?
    ./G

  • Integrating RADIUS authentication with JAAS ???

    Hi,
    I have username/password JAAS authentication in my application.
    Now I have to support RADIUS authentication on top of the existing username/password authentication.
    I am in the process of defining a login module for RADIUS.
    Is there any opensource login module existing for RADIUS ??
    After defining the RADIUS login module where to configure the multiple authentication policies ??
    Thanks,
    Dyanesh.

    This sample configuration shows how to set up a remote access VPN connection between a Cisco VPN Client (4.x for Windows) and the PIX 500 Series Security Appliance 7.x using a Cisco Secure Access Control Server (ACS version 3.2) for extended authentication (Xauth).
    http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008080f2d1.shtml

  • Radius authentication with MSCHAP

    Hi,
    I have a few 2960 and 3650 switches in my network. I have the aaa authentication login configured for RADIUS but it is only using PAP which is unencrypted.
    The 2960 switches are running version 15.2 and the 3650 are on 3.02. The RADIUS server I am using is Microsoft NPS which can do other methods of encryption.
    Is it possible to do mschap or any other type of encryption with the switches to authenticate management access?
    Regards,
    Waqas

  • WAP200 and .1x/radius authentication with multiple SSIDs

    Apparently it's not possible to define more than a single radius server when using multiple SSIDs with WAP200. Unfortunately WAP200 doesn't add the name of the SSID as a radius attribute, so it's not possible to make distinction whether the user is trying to log in to SSID A or B. Does anyone have any ideas or workarounds for this limitation? Of course the best solution would be if Cisco/Linksys fixed the firmware so that the SSID of the logging in user would be sent to the radius server as an extra attribute or appended to the client mac address.

    The security option for an SSID can be unique and can be configured when you configure an SSID or under the VLAN. Note that each VLAN is uniquely mapped to an individual SSID.

  • RADIUS authentication on IAS server

    I have a 1200 AP configured for RADIUS authentication on Microsoft IAS server but I am experiencing a problem getting clients authenticated. (Association is working fine.)
    The 1200 is connected to the IAS Server via an 837 router (no switch involved) and I am wondering if any RADIUS settings have to be configured on the 837 for AAA communication to pass through to the IAS server or will the requests pass through automatically?

    ScottMac is correct: if you're using IAS you need to use PEAP, which requires a security cert. Microsoft provides a very nice toolkit of scripts and documents to simplify the installation and configuration of IAS, Cert Services, etc.; you can get it from here:
    http://www.microsoft.com/downloads/details.aspx?FamilyId=CDB639B3-010B-47E7-B234-A27CDA291DAD&displaylang=en

  • WCS authentication in Microsoft Radius

    Hi!
    We've been using the WCS for some years now and have chosen (more along the lines of not bothering to put in the hours required to change it) to use local authentication. However, I've finally grown tired of people asking me to reset their password after they have forgotten it. We are a group of 5 people who need access but only 3 who use the WCS regularly, thus the problem.
    Now we're trying to change to using RADIUS authentication. Our primary Radius-server is running 2k8 with NPS while our backup server is running 2k3 with IAS. The WCS is running at 6.0.181.0 though we're considering upgrading it.
    My problem is that I'm unable to find any sort of documentation of how to configure our primary radius server. I found this http://mihai.radoveanu.ro/2010/11/configuring-the-radius-authentication-with-cisco-wireless-control-system-6-0-196-0/ for when using IAS and a WCS running 6.0.196.0. In NPS I couldn't find the cisco-av-pair attribute. We tried without this attribute and with fallback to local but ended up not being able to log in at all.
    Would be really grateful for some help! My main expertise is in networking so go easy on me, please!

    I personally used a combination of netsh and excel to add the cisco av types needed.
    However, after logging in successfully through NPS RADIUS authentication I was only able to see the front page and was given permission denied errors on most if not all pages. I tried adding all of the Admin pairs and then tested the SuperUser pairs.
    According to the radius log files the correct network policy was being applied, so the cisco av pairs must have been sent as well.
    I gave up, but here's how I did the netsh thing (profileid refers to the cisco av pairs, not a policy nor connection profile):
    netsh nps set np "networkpolicyname" profileid = "0x1388" profiledata = "Wireless-WCS:role0=admin" profiledata = "Wireless-WCS:task0=UsersandGroups" profiledata = "Wireless-WCS:task1=AuditTrails" profiledata = "Wireless-WCS:task2=TACACS+Servers" profiledata = "Wireless-WCS:task3=RADIUSServers" profiledata = "Wireless-WCS:task4=Logging" profiledata = "Wireless-WCS:task5=LicenseCenter" profiledata = "Wireless-WCS:task6=ScheduledTasksandDataCollection" profiledata = "Wireless-WCS:task7=UserPreferences" profiledata = "Wireless-WCS:task8=SystemSettings" profiledata = "Wireless-WCS:task9=ViewAlertsandEvents" profiledata = "Wireless-WCS:task10=EmailNotification" profiledata = "Wireless-WCS:task11=DeleteandClearAlerts" profiledata = "Wireless-WCS:task12=PickandUnpickAlerts" profiledata = "Wireless-WCS:task13=AckandUnackAlerts" profiledata = "Wireless-WCS:task14=ConfigureControllers" profiledata = "Wireless-WCS:task15=ConfigureTemplates" profiledata = "Wireless-WCS:task16=ConfigureConfigGroups" profiledata = "Wireless-WCS:task17=ConfigureAccessPoints" profiledata = "Wireless-WCS:task18=ConfigureAccessPointTemplates" profiledata = "Wireless-WCS:task19=MigrationTemplates" profiledata = "Wireless-WCS:task20=ConfigureChokePoints" profiledata = "Wireless-WCS:task21=ConfigureSpectrumExperts" profiledata = "Wireless-WCS:task22=MonitorControllers" profiledata = "Wireless-WCS:task23=MonitorAccessPoints" profiledata = "Wireless-WCS:task24=MonitorClients" profiledata = "Wireless-WCS:task25=MonitorTags" profiledata = "Wireless-WCS:task26=MonitorSecurity" profiledata = "Wireless-WCS:task27=MonitorChokepoints" profiledata = "Wireless-WCS:task28=MonitorSpectrumExperts" profiledata = "Wireless-WCS:task29=InterferersSearch" profiledata = "Wireless-WCS:task30=MeshReports" profiledata = "Wireless-WCS:task31=ClientReports" profiledata = "Wireless-WCS:task32=PerformanceReports" profiledata = "Wireless-WCS:task33=SecurityReports" profiledata = "Wireless-WCS:task34=MapsReadOnly" profiledata = "Wireless-WCS:task35=MapsReadWrite" profiledata = "Wireless-WCS:task36=ClientLocation" profiledata = "Wireless-WCS:task37=RogueLocation" profiledata = "Wireless-WCS:task38=PlanningMode" profiledata = "Wireless-WCS:task39=VirtualDomainManagement" profiledata = "Wireless-WCS:task40=HighAvailabilityConfiguration" profiledata = "Wireless-WCS:task41=HealthMonitorDetails" profiledata = "Wireless-WCS:task42=ConfigureWIPSProfiles" profiledata = "Wireless-WCS:task43=GlobalSSIDGroups" profiledata = "Wireless-WCS:task44=WIPSService" profiledata = "Wireless-WCS:task45=ConfigureLightweightAccessPointTemplates" profiledata = "Wireless-WCS:task46=ConfigureAutonomousAccessPointTemplates" profiledata = "Wireless-WCS:task47=ScheduledConfigurationTasks" profiledata = "Wireless-WCS:task48=ConfigureLocationSensors" profiledata = "Wireless-WCS:task49=ConfigureACSViewServers" profiledata = "Wireless-WCS:task50=AutoProvisioning" profiledata = "Wireless-WCS:task51=MonitorLocationSensors" profiledata = "Wireless-WCS:task52=RRMDashboard" profiledata = "Wireless-WCS:task53=ComplianceAssistanceReports" profiledata = "Wireless-WCS:task54=VoiceAuditReport" profiledata = "Wireless-WCS:task55=ConfigAuditDashboard" profiledata = "Wireless-WCS:task56=GuestReports" profiledata = "Wireless-WCS:task57=ConfigureEthernetSwitchPorts" profiledata = "Wireless-WCS:task58=ConfigureEthernetSwitches" profiledata = "Wireless-WCS:task59=DeviceReports" profiledata = "Wireless-WCS:task60=NetworkSummaryReports" profiledata = "Wireless-WCS:task61=ComplianceReports" profiledata = "Wireless-WCS:task62=ReportLaunchPad" profiledata = "Wireless-WCS:task63=RunReportsList" profiledata = "Wireless-WCS:task64=SavedReportsList" profiledata = "Wireless-WCS:task65=ReportRunHistory"
    Simply a matter of copy pasting the exported task list from WCS to a text editor, replacing all "Wireless-WCS: with profiledata = "Wireless-WCS:
    and replacing all newlines with spaces (e.g. in notepad++ choose an extended search in replace all and look for \r\n)

  • [ ISSUE ] NCS / PI authentication using Microsoft NPS as a RADIUS server

    So here is my goal:
    Authenticate employees who use NCS or PI with their ActiveDirectory credentials against Microsoft NPS.
    Background:
    I have successfully configured our switches to use the NPS server and our AD credentials to log into and receive plvl=15 access.
    I've also used NPS to authenticate wireless clients in a lab setting.
    Problem:
    I cannot figure out what is going on with NCS/PI authentication against NPS.
    Here are a couple/few steps I've taken:
    - I've added the RADIUS client to the list.
    - I've created a network policy to grant access to a specific group of users (AD group).  It accepts either CHAP or PAP authentication
    - I've also taken out the default radius attributes and inserted these:
    - - Vendor Specific, Cisco-AV-Pair
    - - - - I've used both the ASCII format of the task list and/or variations of the HEX value
    - - Vendor-Specific, RADIUS Standard
    - - - - I've used both the ASCII format of the task list and/or variations of the HEX value
    On the NPS server I can see the request coming in on the NPS logs.  Access has been granted and it matches the Network Policy I created.
    The usual message I receive is this:
    No authorization information found for Remote Authenticated User. Please check the correctness of the associated task(s) and Virtual Domain(s) in the remote server
    Attached is a picture from a packet capture. The RADIUS "Access-Accept" message has something under the Attribute Value Pairs section:
    - "[Not enough room in packet for AVP] "
    This capture was taken when I was only using the RADIUS role value and not all the RADIUS Tasks.
    Has anyone gotten this to work using Cisco NCS/PI and Microsoft NPS?
    Here are some of the guides I used:
    http://mihai.radoveanu.ro/2010/11/configuring-the-radius-authentication-with-cisco-wireless-control-system-6-0-196-0/
    https://supportforums.cisco.com/thread/339057
    http://www.cisco.com/en/US/products/ps6305/products_tech_note09186a00809038e6.shtml

    Hi Kyujin,
    I wish I had finished my guide.  Didn't realize it would take this long.
    But what I meant is that when adding the attributes to my NPS (Microsoft's Network Policy Server) I only had to add the role and virtual domain if using Prime Infrastructure.
    If you use NCS, you have to add the role, all the tasks, and the virtual domain.
    See the screenshots and see if that helps explain it.  Not sure how TACACS will work as I'm not familiar with it.
    Microsoft NPS - Attributes for NCS
    Microsoft NPS - Attributes for PI
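
Both this thread and the WCS one above build Cisco-AV-Pair attributes by hand on NPS, and the capture described above carries Wireshark's "[Not enough room in packet for AVP]", which is the dissector's way of saying that an attribute's length octet claims more bytes than remain in the packet, i.e. the server emitted a malformed VSA. It helps to see exactly how each pair has to be encoded and which limits apply: a Vendor-Specific attribute carries an 8-byte header (type, length, vendor id, vendor type, vendor length), its one-octet length caps the string at 247 bytes, and the whole Access-Accept must stay within the 4096-byte RADIUS maximum. The Python below is an added example written for this page, not code from the posters, Cisco or Microsoft. It parses a constructed export made of the role and the first few task lines from the netsh command in the WCS thread (a real NCS export also carries the virtual domain and runs through task65), generates the profiledata string the poster produced by find-and-replace, encodes each pair as a Cisco VSA (vendor id 9, vendor type 1), decodes the bytes back with the same overrun check Wireshark performs, and reports whether the resulting packet is legal.

```python
import struct

RADIUS_VSA_TYPE = 26            # Vendor-Specific attribute (RFC 2865, 5.26)
CISCO_VENDOR_ID = 9             # Cisco's IANA enterprise number
CISCO_AV_PAIR = 1               # vendor type of Cisco-AV-Pair
RADIUS_MAX_PACKET = 4096        # maximum RADIUS packet length (RFC 2865, 3)
RADIUS_HEADER_LEN = 20          # code, identifier, length, authenticator
VSA_OVERHEAD = 8                # type, length, vendor id (4), vendor type, vendor length
VSA_MAX_STRING = 255 - VSA_OVERHEAD   # the length field is one octet, so 247 bytes of string

# Constructed sample export: the role and the first few task lines from the netsh
# command posted in the WCS thread. A real NCS export also carries the virtual
# domain line and continues through task65.
SAMPLE_WCS_EXPORT = """\
Wireless-WCS:role0=admin
Wireless-WCS:task0=UsersandGroups
Wireless-WCS:task1=AuditTrails
Wireless-WCS:task2=TACACS+Servers
Wireless-WCS:task3=RADIUSServers
"""


def parse_export(text: str) -> list:
    """One attribute value per non-blank line, whitespace trimmed."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def netsh_profiledata(avpairs) -> str:
    """The find-and-replace the poster did by hand: prefix every exported line with
    profiledata = and join with spaces so the list fits on one netsh command line."""
    return " ".join('profiledata = "%s"' % pair for pair in avpairs)


def encode_cisco_avpair(value: str) -> bytes:
    """Encode one Cisco-AV-Pair string as a RADIUS Vendor-Specific attribute."""
    data = value.encode("ascii")
    if len(data) > VSA_MAX_STRING:
        raise ValueError("AV pair too long for one VSA (%d > %d bytes)" % (len(data), VSA_MAX_STRING))
    vendor_len = 2 + len(data)      # vendor type + vendor length + string
    attr_len = 6 + vendor_len       # type + length + vendor id + the vendor part
    return struct.pack("!BBIBB", RADIUS_VSA_TYPE, attr_len,
                       CISCO_VENDOR_ID, CISCO_AV_PAIR, vendor_len) + data


def decode_cisco_avpairs(blob: bytes) -> list:
    """Walk a run of RADIUS attributes and return the Cisco-AV-Pair strings found.

    Raises ValueError when an attribute's length octet overruns the buffer, the
    condition Wireshark reports as '[Not enough room in packet for AVP]'.
    Attributes of other types and other vendors are skipped.
    """
    pairs, pos = [], 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("not enough room in packet for AVP at offset %d" % pos)
        body = blob[pos + 2:pos + alen]
        if atype == RADIUS_VSA_TYPE and len(body) >= 6:
            vendor_id, vtype, vlen = struct.unpack("!IBB", body[:6])
            if vendor_id == CISCO_VENDOR_ID and vtype == CISCO_AV_PAIR and vlen == len(body) - 4:
                pairs.append(body[6:].decode("ascii"))
        pos += alen
    return pairs


def is_malformed(blob: bytes) -> bool:
    """True when the attribute run would trip the overrun check above."""
    try:
        decode_cisco_avpairs(blob)
        return False
    except ValueError:
        return True


def check_fits(avpairs) -> dict:
    """Size of an Access-Accept carrying only these pairs, and whether it is legal."""
    too_long = [p for p in avpairs if len(p.encode("ascii")) > VSA_MAX_STRING]
    size = RADIUS_HEADER_LEN + sum(VSA_OVERHEAD + len(p.encode("ascii")) for p in avpairs)
    return {"packet_bytes": size,
            "fits": size <= RADIUS_MAX_PACKET and not too_long,
            "too_long": too_long}


if __name__ == "__main__":
    pairs = parse_export(SAMPLE_WCS_EXPORT)
    print(netsh_profiledata(pairs))
    wire = b"".join(encode_cisco_avpair(p) for p in pairs)
    print("decoded :", decode_cisco_avpairs(wire))
    print("check   :", check_fits(pairs))
    print("truncated capture malformed:", is_malformed(wire[:-3]))
```

Running decode_cisco_avpairs over the attribute bytes of a captured Access-Accept is a quick way to tell a server-side encoding problem (the overrun error, or pairs that come back as the wrong vendor/type) from a WCS/NCS-side authorization problem (pairs decode fine but the role, tasks or virtual domain names do not match what the product expects).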

  • Radius authentication for privileged access

    Hello,
    I have configured a Cisco 6513 for RADIUS authentication with the following commands.
    aaa new-model
    aaa authentication login authradius group radius line
    aaa accounting exec acctradius start-stop group radius
    radius-server host <radius-ip> auth-port 1812 acct-port 1646 key 6912911
    line vty 0 4
    accounting exec acctradius
    login authentication authradius
    This is working pretty fine. I want to configure RADIUS authentication for privileged access / for enable access.
    I am using TeKRadius as the RADIUS server.
    Please help.
    Thanks and Regards,
    Pratik

    Hi Pratik
    Sorry I mostly use only TACACS+ for AAA as it provides better granularity of access controls.
    You'll need to make some specific changes to your RADIUS config so that nominated users ( the ones you want to be able to go to enable mode ) get put straight into enable mode upon login.
    There's a guide here http://www.blindhog.net/cisco-aaa-login-authentication-with-radius-ms-ias/ which details the steps if you're using the Microsoft IAS radius server - you should be able to figure out the changes you need to make to your own server from there.
    Nick
    Message was edited by: NickNac79 - Spelt the OP's name wrong, sorry.
