WLC 4402 RADIUS Authentication with IAS

Hello
I configured a WLAN with PEAP (CHAP v2)and Radius authentication to a Win 2003 IAS Radius Server.
On the controller 4402 the layer 2 security is set to WPA1+WPA2 with 802.1x authentication.
The IAS server don't use the configured policy when a authentication reguest arrive.
I there an issue with special RADIUS attributes or configuration items on the IAS Server?
The following event appear in the windows logs:
User STANS\kaesmr was denied access.
Fully-Qualified-User-Name = STANS\kaesmr
NAS-IP-Address = 172.17.25.6
NAS-Identifier = keynet-01
Called-Station-Identifier = 00-18-74-FB-CA-20:keynet
Calling-Station-Identifier = 00-16-CE-52-C8-EB
Client-Friendly-Name = Wireless-Controller
Client-IP-Address = 172.17.25.6
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 1
Proxy-Policy-Name = Windows-Authentifizierung f?r alle Benutzer verwenden
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = Extension
EAP-Type = <undetermined>
Reason-Code = 21
Reason = The request was rejected by a third-party extension DLL file.

What I understand from your post is that the authentication is not handled by your IAS server. IF I am correct, the problem might be with the "Allow AA override" option disabled in your WLAN. If it is enabled, then the AAA server or your IAS server will override the security parameters set locally on the controller.
So, first ensure whether "Allow AAA override" is enabled under Controller--->WLAN field.
Also, chek out the logs of the IAS server for obtaining more info on this.

Similar Messages

  • WLC 4402 Web Authentication, Mac Filtering and Layer 2 Seciruty

    Hi All,
    I have configured web authentication and Mac filtering on WLC 4402 for my wireless network and its working fine. I wants to configure layer 2 security for the same Wireless network without pre shared key. Could you please advice how to configure layer 2 security with web authentication withour preshare key.
    Is there any security issue with web authentication and Mac FIltering only? My concern in my wireless network shows open.
    Thanks,
    Kashif

    Hi,
    if you have a ACS, then you can do Web auth Splash page!!! Please refer to the below doc!!
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080956185.shtml
    Lemme know if this answered ur question!!
    Regards
    Surendra

  • ACS 5.3 Radius authentication with ASA and DACL

    Hi,
    I am trying to do Radius authentication on the ACS 5.3 for VPN access (cisco client) using a downloadable ACL with AD identity
    Clients are connecting to an ASA 5510 with image asa843-K8.bin
    I followed the configuration example on the Cisco site, but I am having some problems
    First : AD identity is not triggered, I put a profile  :
    Status
    Name
    Conditions
    Results
    Hit Count
    NDG:Location
    Time And   Date
    AD1:memberOf
    Authorization   Profiles
    1
    TestVPNDACL
    -ANY-
    -ANY-
    equals Network Admin
    TEST DACL
    0
    But if I am getting no hits on it, Default Access is being used (Permit Access)
    So I tried putting the DACL in the default profile, but when connecting I am immediately disconnected.
    I can see the DACL/ASA being authenticated in the ACS log but no success
    I am using my user which is member of the Network Admin Group.
    Am I missing something?
    Any help greatly appreciated!
    Wim

    Hello Stephen,
    As per the IP Pools feature, the ACS 5.x does not include such functionality. It is not on the ACS 5.x roadmap either as the recommended scenario would be to use a dedicated DHCP server.
    ACS 4.x included that functionality, however, it was not the best solution as the ACS returned the IP Address value as a RADIUS Attribute instead of acting as a real DCHP server.
    As per the IMEI and MISDN I am assuming you are referring to International Mobile Equipment Identity and Mobile Subscriber ISDN. Correct me if I am wrong.
    In that case it seems that the ACS 5.x should be able to Allow or Deny access based on Radius Attribute 30 (Called-Station-Id) and 31 (Calling-Station-Id).
    In that case you might want to use the End-Station Filters feature and use it as the condition for the Rule. The End-Station Filter feature uses CLI/DNIS where CLI is Radius Attribute 31 and DNIS is Attribute 30.
    I am assuming a Generic Username will be embedded on the devices request. In that case you will define which end-user devices will be granted access based on the above attributes.
    Here is a snapshot of the section:

  • Radius authentication with ISE - wrong IP address

    Hello,
    We are using ISE for radius authentication.  I have setup a new Cisco switch stack at one of our locations and setup the network device in ISE.  Unfortunately, when trying to authenticate, the ISE logs show a failure of "Could not locate Network Device or AAA Client" The reason for this failure is the log shows it's coming from the wrong IP address.  The IP address of the switch is 10.xxx.aaa.241, but the logs show it is 10.xxx.aaa.243.  I have removed and re-added the radius configs on both ISE and the switch, but it still comes in as .243.  There is another switch stack at that location (same model, IOS etc), that works properly.
    The radius config on the switch:
    aaa new-model
    aaa authentication login default local
    aaa authentication login Comm group radius local
    aaa authentication enable default enable
    aaa authorization exec default group radius if-authenticated
    ip radius source-interface Vlanyy
    radius server 10.xxx.yyy.zzz
     address ipv4 10.xxx.yyy.zzz auth-port 1812 acct-port 1813
     key 7 abcdefg
    The log from ISE:
    Overview
    Event  5405 RADIUS Request dropped 
    Username  
    Endpoint Id  
    Endpoint Profile  
    Authorization Profile  
    Authentication Details
    Source Timestamp  2014-07-30 08:48:51.923 
    Received Timestamp  2014-07-30 08:48:51.923 
    Policy Server  ise
    Event  5405 RADIUS Request dropped 
    Failure Reason  11007 Could not locate Network Device or AAA Client 
    Resolution  Verify whether the Network Device or AAA client is configured in: Administration > Network Resources > Network Devices 
    Root cause  Could not find the network device or the AAA Client while accessing NAS by IP during authentication. 
    Username  
    User Type  
    Endpoint Id  
    Endpoint Profile  
    IP Address  
    Identity Store  
    Identity Group  
    Audit Session Id  
    Authentication Method  
    Authentication Protocol  
    Service Type  
    Network Device  
    Device Type  
    Location  
    NAS IP Address  10.xxx.aaa.243 
    NAS Port Id  tty2 
    NAS Port Type  Virtual 
    Authorization Profile  
    Posture Status  
    Security Group  
    Response Time  
    Other Attributes
    ConfigVersionId  107 
    Device Port  1645 
    DestinationPort  1812 
    Protocol  Radius 
    NAS-Port  2 
    AcsSessionID  ise1/186896437/1172639 
    Device IP Address  10.xxx.aaa.243 
    CiscoAVPair  
       Steps
      11001  Received RADIUS Access-Request 
      11017  RADIUS created a new session 
      11007  Could not locate Network Device or AAA Client 
      5405  
    As a test, I setup a device using the .243 address.  While ISE claims it authenticates, it really doesn't.  I have to use my local account to access the device.
    Any advice on how to resolve this issue would be appreciated.  Please let me know if more information is needed.

    Well from the debug I would say there may be an issue with the addressing of the radius server on the switch.
    radius-server host 10.xxx.xxx.xxx key******** <--- Make sure this address and Key matches what you have in ISE PSN and that switch. Watch for spaces in your key at the begining or end of the string.
    What interface should your switch be sending the radius request?
    ip radius source-interface VlanXXX vrf default
    Here is what my debug looks like when it is working correctly.
    Aug  4 15:58:47 EST: RADIUS/ENCODE(00000265): ask "Password: "
    Aug  4 15:58:47 EST: RADIUS/ENCODE(00000265):Orig. component type = EXEC
    Aug  4 15:58:47 EST: RADIUS(00000265): Config NAS IP: 10.xxx.xxx.251
    Aug  4 15:58:47 EST: RADIUS/ENCODE(00000265): acct_session_id: 613
    Aug  4 15:58:47 EST: RADIUS(00000265): sending
    Aug  4 15:58:47 EST: RADIUS(00000265): Send Access-Request to 10.xxx.xxx.35:1645 id 1645/110, len 104
    Aug  4 15:58:47 EST: RADIUS:  authenticator 97 FB CF 13 2E 6F 62 5D - 5B 10 1B BD BA EB C9 E3
    Aug  4 15:58:47 EST: RADIUS:  User-Name           [1]   9   "admin"
    Aug  4 15:58:47 EST: RADIUS:  Reply-Message       [18]  12 
    Aug  4 15:58:47 EST: RADIUS:   50 61 73 73 77 6F 72 64 3A 20        [ Password: ]
    Aug  4 15:58:47 EST: RADIUS:  User-Password       [2]   18  *
    Aug  4 15:58:47 EST: RADIUS:  NAS-Port            [5]   6   3                        
    Aug  4 15:58:47 EST: RADIUS:  NAS-Port-Id         [87]  6   "tty3"
    Aug  4 15:58:47 EST: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
    Aug  4 15:58:47 EST: RADIUS:  Calling-Station-Id  [31]  15  "10.xxx.xxx.100"
    Aug  4 15:58:47 EST: RADIUS:  Service-Type        [6]   6   Login                     [1]
    Aug  4 15:58:47 EST: RADIUS:  NAS-IP-Address      [4]   6   10.xxx.xxx.251           
    Aug  4 15:58:47 EST: RADIUS(00000265): Started 5 sec timeout
    Aug  4 15:58:47 EST: RADIUS: Received from id 1645/110 10.xxx.xxx.35:1645, Access-Accept, len 127
    Aug  4 15:58:47 EST: RADIUS:  authenticator 1B 98 AB 4F B1 F4 81 41 - 3D E1 E9 DB 33 52 54 C1
    Aug  4 15:58:47 EST: RADIUS:  User-Name           [1]   9   "admin"
    Aug  4 15:58:47 EST: RADIUS:  State               [24]  40 
    Aug  4 15:58:47 EST: RADIUS:   52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 61  [ReauthSession:0a]
    Aug  4 15:58:47 EST: RADIUS:   30 63 66 65 32 33 30 30 30 31 46 37 30 37 35 33  [0cfe230001F70753]
    Aug  4 15:58:47 EST: RADIUS:   44 46 45 35 46 37            [ DFE5F7]
    Aug  4 15:58:47 EST: RADIUS:  Class               [25]  58 
    Aug  4 15:58:47 EST: RADIUS:   43 41 43 53 3A 30 61 30 63 66 65 32 33 30 30 30  [CACS:0a0cfe23000]
    Aug  4 15:58:47 EST: RADIUS:   31 46 37 30 37 35 33 44 46 45 35 46 37 3A 50 52  [1F70753DFE5F7:PR]
    Aug  4 15:58:47 EST: RADIUS:   59 49 53 45 30 30 32 2F 31 39 33 37 39 34 36 39  [YISE002/19379469]
    Aug  4 15:58:47 EST: RADIUS:   38 2F 32 30 36 33 31 36          [ 8/206316]
    Aug  4 15:58:47 EST: RADIUS(00000265): Received from id 1645/110
    ---------------------------------------------------------------------------------------------------------------This is after I added the incorrect Radius server address.
    Aug  4 16:05:19 EST: RADIUS/ENCODE(00000268): ask "Password: "
    Aug  4 16:05:19 EST: RADIUS/ENCODE(00000268):Orig. component type = EXEC
    Aug  4 16:05:19 EST: RADIUS(00000268): Config NAS IP: 10.xxx.xxx.251
    Aug  4 16:05:19 EST: RADIUS/ENCODE(00000268): acct_session_id: 616
    Aug  4 16:05:19 EST: RADIUS(00000268): sending
    Aug  4 16:05:19 EST: RADIUS(00000268): Send Access-Request to 10.xxx.xxx.55:1645 id 1645/112, len 104
    Aug  4 16:05:19 EST: RADIUS:  authenticator FC 94 BA 5D 75 1F 84 08 - E0 56 05 3A 7F BC FB BB
    Aug  4 16:05:19 EST: RADIUS:  User-Name           [1]   9   "admin"
    Aug  4 16:05:19 EST: RADIUS:  Reply-Message       [18]  12 
    Aug  4 16:05:19 EST: RADIUS:   50 61 73 73 77 6F 72 64 3A 20        [ Password: ]
    Aug  4 16:05:19 EST: RADIUS:  User-Password       [2]   18  *
    Aug  4 16:05:19 EST: RADIUS:  NAS-Port            [5]   6   7                        
    Aug  4 16:05:19 EST: RADIUS:  NAS-Port-Id         [87]  6   "tty7"
    Aug  4 16:05:19 EST: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
    Aug  4 16:05:19 EST: RADIUS:  Calling-Station-Id  [31]  15  "10.xxx.xxx.100"
    Aug  4 16:05:19 EST: RADIUS:  Service-Type        [6]   6   Login                     [1]
    Aug  4 16:05:19 EST: RADIUS:  NAS-IP-Address      [4]   6   10.xxx.xxx.251           
    Aug  4 16:05:19 EST: RADIUS(00000268): Started 5 sec timeout
    Aug  4 16:05:23 EST: RADIUS(00000268): Request timed out
    Aug  4 16:05:23 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
    Aug  4 16:05:23 EST: RADIUS(00000268): Started 5 sec timeout
    Aug  4 16:05:29 EST: RADIUS(00000268): Request timed out
    Aug  4 16:05:29 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
    Aug  4 16:05:29 EST: RADIUS(00000268): Started 5 sec timeout
    Aug  4 16:05:33 EST: RADIUS(00000268): Request timed out
    Aug  4 16:05:33 EST: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.xxx.xxx.55:1645,1646 is not responding.
    Aug  4 16:05:33 EST: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.xxx.xxx.55:1645,1646 is being marked alive.
    Aug  4 16:05:33 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
    Aug  4 16:05:33 EST: RADIUS(00000268): Started 5 sec timeout
    Aug  4 16:05:38 EST: RADIUS(00000268): Request timed out
    Aug  4 16:05:38 EST: RADIUS: Fail-over to (10.xxx.xxx.55:1645,1646) for id 1645/112
    Aug  4 16:05:38 EST: RADIUS(00000268): Started 5 sec timeout
    Aug  4 16:05:43 EST: RADIUS(00000268): Request timed out
    Aug  4 16:05:43 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
    Aug  4 16:05:43 EST: RADIUS(00000268): Started 5 sec timeout
    Aug  4 16:05:48 EST: RADIUS(00000268): Request timed out
    Aug  4 16:05:48 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
    Aug  4 16:05:48 EST: RADIUS(00000268): Started 5 sec timeout
    Aug  4 16:05:53 EST: RADIUS(00000268): Request timed out
    Aug  4 16:05:53 EST: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.xxx.xxx.55:1645,1646 is not responding.
    Aug  4 16:05:53 EST: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.xxx.xxx.55:1645,1646 is being marked alive.
    Aug  4 16:05:53 EST: RADIUS: Retransmit to (10.xxx.xxx.55:1645,1646) for id 1645/112
    Aug  4 16:05:53 EST: RADIUS(00000268): Started 5 sec timeout
    Aug  4 16:05:57 EST: RADIUS(00000268): Request timed out
    Aug  4 16:05:57 EST: RADIUS: No response from (10.xxx.xxx.55:1645,1646) for id 1645/112
    Aug  4 16:05:57 EST: RADIUS/DECODE: parse response no app start; FAIL
    Aug  4 16:05:57 EST: RADIUS/DECODE: parse response; FAIL
    This is a default template I use for all my devices routers or switches hope it helps. I have two PSN's that is why we have two radius-server host commands..
    aaa authentication login vty group radius local enable
    aaa authentication login con group radius local enable
    aaa authentication dot1x default group radius
    aaa authorization network default group radius 
    aaa accounting system default start-stop group radius
    ip radius source-interface VlanXXX vrf default
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 30 tries 3
    radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646 key *********
    radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646 key *********
    radius-server vsa send accounting
    radius-server vsa send authentication
    You can use this in the switch to test radius
    test aaa group radius server 10.xxx.xxx.xxx <username> <password>

  • RADIUS authentication on IAS server

    I have a 1200 AP configured for RADIUS authentication on Microsoft IAS server but I am experiencing a problem getting clients authenticated. (Association is working fine.)
    The 1200 is connected to the IAS Server via an 837 router (no switch involved) and I am wondering if any RADIUS settings have to be configured on the 837 for AAA communication to pass through to the IAS server or will the requests pass through automatically?

    ScottMac is correct, if you're using IAS you need to use PEAP which requires a security cert. Microsoft provide a very nice toolkit of scripts and documents to simplify the installation and configuration of IAS, Cert Services, etc, etc, you can get it from here:
    http://www.microsoft.com/downloads/details.aspx?FamilyId=CDB639B3-010B-47E7-B234-A27CDA291DAD&displaylang=en

  • Wlc 5508 radius authentication fail

    I am trying to setup a wireless lan for the first time using 5508, all is working to a point, until i try to setup client authentication using the following
    so settings are:
    Layer Wlan settings:
    Layer 2 security:WPA+WPA2
    AES
    Auth Key mgmt:802.1x
    We have the authentication server enabled:
    Ip an port are correct
    AAA overide not enabled
    Order for authentication, radius only
    Advanced: dafault settings
    Radius authentication servers:
    Call Station ID Type: IP address
    MAC Delimiter: Colon
    Network User
    Management
    Server Index
    Server Address
    Port
    IPSec
    Admin Status
    Server Index
    Server Address
    Shared Secret Format
                     ASCII                 Hex              
    Shared Secret
    Confirm Shared Secret
    Key Wrap
      (Designed for FIPS customers and requires a key wrap compliant RADIUS server)
    Port Number
    Server Status
                     Enabled                  Disabled              
    Support for RFC 3576
                     Enabled                  Disabled              
    Server Timeout
      seconds
    Network User
    Enable
    Management
    Enable
    IPSec
    Enable
    *radiusTransportThread: Dec 21 12:07:46.488: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server X.X.X.X:1812 failed to respond to request(ID 115) for STA 00:19:d2:b9:d5:e1 / user 'unknownUser'
    *radiusTransportThread: Dec 21 12:07:46.012: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server X.X.X.X:1812 failed to respond to request(ID 114) for STA 00:19:d2:b9:d5:e1 / user 'unknownUser'
    *Dot1x_NW_MsgTask_1: Dec 21 12:07:29.811: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3028 Max EAP identity request retries (3) exceeded for client 00:19:d2:b9:d5:e1
    *Dot1x_NW_MsgTask_1: Dec 21 12:07:29.811: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client 00:19:d2:b9:d5:e1
    *radiusTransportThread: Dec 21 12:07:16.412: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server X.X.X.X:1812 failed to respond to request(ID 113) for STA 00:19:d2:b9:d5:e1 / user 'unknownUser'
    *Dot1x_NW_MsgTask_1: Dec 21 12:06:59.741: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3028 Max EAP identity request retries (3) exceeded for client 00:19:d2:b9:d5:e1
    Radius server occasionally sees attempts from user "XXZZYY"

    Osvaldo,
    Your observation is correct and this should be documented on the WLC help tab if you search for keyword network user under radius auth.
    Quote:
    Network User—Network user authentication check box. If this option is enabled, this entry is considered as the network user RADIUS authenticating server entry. If you did not set the RADIUS server entry on the WLAN configuration (WLANs > Edit > Security > AAA Servers), you must enable this option for networkusers.
    Management—Management authentication check box. If this option is enabled, this entry is considered as the management RADIUS authenticating server entry. If you enable this option, authentication requests go to the RADIUS server
    AAA server defined on WLAN takes precedence over global.

  • APC (UPS) RADIUS authentication with ACS 5.X

    I am trying to do RADIUS authentication for APC (UPS) using ACS 5.2 Appliance. It is working fine with ACS 4.2, but unfortunately not with ACS 5.2. I tried creating RADIUS VSA (Vendor Specific Attributes) for APC in ACS 5.2.
    According to the APC dictionary file
    VENDOR APC 318
    # Attributes
    ATTRIBUTE APC-Service-Type 1 integer APC
    ATTRIBUTE APC-Outlets 2 string APC
    VALUE APC-Service-Type Admin 1
    VALUE APC-Service-Type Device 2
    VALUE APC-Service-Type ReadOnly 3
    # For devices with outlet users only
    VALUE APC-Service-Type Outlet 4
    I have added the attributes in blue(attached), how do I add the VALUE's (shown red) in ACS 5.2? What else should I do to get this working?
    The hit count on the ACS shows that it is getting authentication request from the APC appliance.
    Thanks in advance.

    Hi,
    I am working on the same issue and i manage to login (using Ldap A/D backend authentication). When using the standard Radius attribute Service-Type (1 for read-only and 6 for admin) i manage to get this working. I am however trying to use the APC VSAs (as above) without any success. The objective is to have outlet management for specific users, admin or read-only others. Did u manage to get this working and how?
    ./G

  • Integrating RADIUS authentication with JAAS ???

    Hi,
    I have username/password JAAS authentication in my application.
    Now I have to support RADIUS authentication on top of the existing username/password authenticaiton.
    I am in the process of defining a login module for RADIUS.
    Is there any opensource login module existing for RADIUS ??
    After defining the RADIUS login module where to configure the multiple authentication policies ??
    Thanks,
    Dyanesh.

    This sample configuration shows how to set up a remote access VPN connection between a Cisco VPN Client (4.x for Windows) and the PIX 500 Series Security Appliance 7.x using a Cisco Secure Access Control Server (ACS version 3.2) for extended authentication (Xauth).
    http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008080f2d1.shtml

  • Wirelss AP1140 Radius authentication with Microsoft IAS

    Hi,
    I have a Cisco C1140 Ap. I have cnfigured the device. Initially for testing i used WPA and authenticated locally. I have now setup a radius server and added my AP in as a client etc. I have changed my SSID's to authenticate with the radius server and i am having issues authenticating.
    I can connect via a PC and an iphone. They say that i am connected but i get no ip address and the debugs state that the authentication fails:
    000466: Sep 5 14:33:07.074 AEST: %DOT11-7-AUTH_FAILED: Station 40a6.d967.8b13 Authentication failed
    000467: Sep 5 14:33:28.368 AEST: %DOT11-7-AUTH_FAILED: Station bc77.3771.b15f Authentication failed
    000468: Sep 5 14:33:39.837 AEST: %DOT11-7-AUTH_FAILED: Station 40a6.d967.8b13 Authentication failed
    I can see the Radius server as connected
    imc-syd-ap1#show aaa servers
    RADIUS: id 4, priority 1, host 10.10.0.2, auth-port 1645, acct-port 1646
    State: current UP, duration 4337s, previous duration 0s
    Dead: total time 0s, count 0
    Authen: request 0, timeouts 0
    Response: unexpected 0, server error 0, incorrect 0, time 0ms
    Transaction: success 0, failure 0
    Author: request 0, timeouts 0
    Response: unexpected 0, server error 0, incorrect 0, time 0ms
    Transaction: success 0, failure 0
    Account: request 0, timeouts 0
    Response: unexpected 0, server error 0, incorrect 0, time 0ms
    Transaction: success 0, failure 0
    Elapsed time since counters last cleared: 1h12m
    The debugs show:
    000474: Sep 5 14:36:00.969 AEST: %DOT11-7-AUTH_FAILED: Station bc77.3771.b15f Authentication failed
    000475: Sep 5 14:36:01.485 AEST: AAA/BIND(00000109
    show dot11 associations:
    imc-syd-ap1#show dot11 associations
    802.11 Client Stations on Dot11Radio0:
    SSID [IMC-Wireless-Data] :
    MAC Address IP address Device Name Parent State
    bc77.3771.b15f 0.0.0.0 ccx-client DAVID self AAA_Auth
    Any ideas or recomendations would be greatly appreciated
    Thanks
    Below is a copy of my wireless config:
    version 12.4
    no service pad
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    hostname xxxxxxxxxxxxxx
    logging buffered 40960 debugging
    enable secret 5 xxxxxxxxxxxxx
    aaa new-model
    aaa group server tacacs+ IMC
    server 172.16.100.3
    aaa group server radius AUTHVPN
    server 10.10.0.2 auth-port 1645 acct-port 1646
    server 10.11.0.24 auth-port 1645 acct-port 1646
    aaa authentication login default group IMC local enable
    aaa authorization exec default group IMC local if-authenticated
    aaa session-id common
    clock timezone AEST 10
    clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
    no ip domain lookup
    ip domain name imc.net.au
    dot11 syslog
    dot11 ssid IMC-Wireless-Data
    vlan 10
    authentication open eap AUTHVPN
    authentication network-eap AUTHVPN
    guest-mode
    mbssid guest-mode
    infrastructure-ssid optional
    information-element ssidl
    dot11 ssid IMC-Wireless-Voice
    vlan 14
    authentication open eap AUTHVPN
    authentication network-eap AUTHVPN
    mbssid guest-mode
    information-element ssidl
    dot11 aaa authentication attributes service login-only
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption mode wep mandatory
    ssid IMC-Wireless-Data
    ssid IMC-Wireless-Voice
    antenna gain 0
    mbssid
    station-role root
    interface Dot11Radio0.10
    encapsulation dot1Q 10 native
    no ip route-cache
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio0.14
    encapsulation dot1Q 14
    no ip route-cache
    bridge-group 14
    bridge-group 14 subscriber-loop-control
    bridge-group 14 block-unknown-source
    no bridge-group 14 source-learning
    no bridge-group 14 unicast-flooding
    bridge-group 14 spanning-disabled
    interface Dot11Radio1
    no ip address
    no ip route-cache
    encryption mode wep mandatory
    ssid IMC-Wireless-Data
    ssid IMC-Wireless-Voice
    antenna gain 0
    no dfs band block
    mbssid
    channel dfs
    station-role root
    interface Dot11Radio1.10
    encapsulation dot1Q 10 native
    no ip route-cache
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio1.14
    encapsulation dot1Q 14
    no ip route-cache
    bridge-group 14
    bridge-group 14 subscriber-loop-control
    bridge-group 14 block-unknown-source
    no bridge-group 14 source-learning
    no bridge-group 14 unicast-flooding
    bridge-group 14 spanning-disabled
    interface GigabitEthernet0
    description IMC-Wireless-Data
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    no keepalive
    interface GigabitEthernet0.10
    description IMC-Wireless-Data
    encapsulation dot1Q 10 native
    no ip route-cache
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface GigabitEthernet0.14
    description IMC-Wireless-Voice
    encapsulation dot1Q 14
    no ip route-cache
    bridge-group 14
    no bridge-group 14 source-learning
    bridge-group 14 spanning-disabled
    interface BVI1
    description IMC-Wireless-Data
    ip address 10.10.0.245 255.255.255.0
    no ip route-cache
    ip default-gateway 10.10.0.254
    ip http server
    ip http authentication local
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    access-list 111 permit tcp any any eq telnet
    access-list 111 permit tcp any any eq www
    access-list 111 permit tcp any any eq 22
    snmp-server community public RO
    snmp-server enable traps tty
    tacacs-server host 172.16.100.3 key 7 xxxxxxxxxxxxxxxxxxx
    tacacs-server directed-request
    radius-server host 10.10.0.2 auth-port 1645 acct-port 1646 key 7 xxxxxxxxxxxxxxxxxxx
    bridge 1 route ip
    wlccp wds aaa authentication attributes service login-only
    line con 0
    line vty 0 4
    access-class 111 in
    exec-timeout 5 0
    line vty 5 15
    access-class 111 in
    exec-timeout 5 0
    sntp server 10.10.0.254
    end

    Inside the ssid, when you put "authentication open" it's an eap_method that follows. You put your AUTHVPN aaa server group name. that's wrong.
    aaa authentication login  group AUTHVPN
    and adjust your "authentication open eap " to match with that method name.
    Also your group authvpn contains a 2nd server that is undefined in yoru global config ...
    Nicolas

  • Radius authentication with MSCHAP

    Hi,
    I have a few 2960 and 3650 switches in my network. I have the aaa authentication login configured for RADIUS but it is only using PAP which is unencrypted.
    The 2960 switches are running version 15.2 and the 3650 are on 3.02. The RADIUS server I am using is Microsoft NPS which can do other methods of encryption.
    Is it possible to do mschap or any other type of encryption with the switches to authenticate management access?
    Regards,
    Waqas

    This sample configuration shows how to set up a remote access VPN connection between a Cisco VPN Client (4.x for Windows) and the PIX 500 Series Security Appliance 7.x using a Cisco Secure Access Control Server (ACS version 3.2) for extended authentication (Xauth).
    http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008080f2d1.shtml

  • CAM Radius Authentication against IAS

    Hello i have spent the greater part of the day trying to get my Clean access manager to Authenicate against my Windows IAS server. I can see the connections showing up in the logs however i keep getting registration rejected or no matching policy errors. I have tried all of the different radius types and have tried many diffeent policies with various NAS-Port-types and other NAS properties however nothing seems to work. Is there a sure fire setup that will at least get the Cam talking to the IAS server. I have yet to find a config example anywhere or anythign that talks about how the IAs box should be set to accept what the CAM sends. Any help is appreciated.
    scott

    I have solved my problem, persistence wins out.
    thank you

  • WAP200 and .1x/radius authentication with multiple SSIDs

    Apparently it's not possible to define more than a single radius server when using multiple SSIDs with WAP200. Unfortunately WAP200 doesn't add the name of the SSID as a radius attribute, so it's not possible to make distinction whether the user is trying to log in to SSID A or B. Does anyone have any ideas or workarounds for this limitation? Of course the best solution would be if Cisco/Linksys fixed the firmware so that the SSID of the logging in user would be sent to the radius server as an extra attribute or appended to the client mac address.

    Security option for an SSID can be unique and can be configured when you configure a SSID or under VLAN . Note that each vlan is uniquely mapped to induvidual SSID.

  • Authentication with MS-IAS / AD

    I'm trying to control the access of my LAN by authenticate user with EAP / MSIAS + AD.
    The IAS denied the access with error 112: The remote RADIUS server did not process the authentication request.
    I setup the IAS policy to answer with vendor specific 64:"VLAN", 65:802, 81:10
    Is somebody already acheive to use MS-IAS Radius authentication with a Cisco switch 2960
    Mon Jun 28 12:22:49 2010: <191>4105: Jun 28 12:22:49.122 UTC+1: RADIUS(00000098): Send Access-Request to 10.221.136.14:1645 id 1645/56, len 211
    Mon Jun 28 12:22:49 2010: <191>4106: Jun 28 12:22:49.122 UTC+1: RADIUS:  authenticator 91 EC 87 87 89 0E AF 79 - 76 CE 5A 61 ED 1A D7 AC
    Mon Jun 28 12:22:49 2010: <191>4107: Jun 28 12:22:49.122 UTC+1: RADIUS:  User-Name           [1]   17  "EUROPE\ParisAdm"
    Mon Jun 28 12:22:49 2010: <191>4108: Jun 28 12:22:49.122 UTC+1: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Mon Jun 28 12:22:49 2010: <191>4109: Jun 28 12:22:49.122 UTC+1: RADIUS:  Framed-MTU          [12]  6   1500                     
    Mon Jun 28 12:22:49 2010: <191>4110: Jun 28 12:22:49.122 UTC+1: RADIUS:  Called-Station-Id   [30]  19  "00-24-51-55-47-84"
    Mon Jun 28 12:22:49 2010: <191>4111: Jun 28 12:22:49.122 UTC+1: RADIUS:  Calling-Station-Id  [31]  19  "00-14-22-BF-46-40"
    Mon Jun 28 12:22:49 2010: <191>4112: Jun 28 12:22:49.122 UTC+1: RADIUS:  EAP-Message         [79]  22 
    Mon Jun 28 12:22:49 2010: <191>4113: Jun 28 12:22:49.122 UTC+1: RADIUS:   02 02 00 14 01 45 55 52 4F 50 45 5C 50 61 72 69 73 41 64 6D   [ EUROPE\ParisAdm]
    Mon Jun 28 12:22:49 2010: <191>4114: Jun 28 12:22:49.122 UTC+1: RADIUS:  Message-Authenticato[80]  18 
    Mon Jun 28 12:22:49 2010: <191>4115: Jun 28 12:22:49.122 UTC+1: RADIUS:   27 E9 35 4C C3 69 99 B0 1B D9 3A 08 84 C0 71 E4            [ '5Li:q]
    Mon Jun 28 12:22:49 2010: <191>4116: Jun 28 12:22:49.122 UTC+1: RADIUS:  Vendor, Cisco       [26]  49 
    Mon Jun 28 12:22:49 2010: <191>4117: Jun 28 12:22:49.122 UTC+1: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A8FE030000006B13A4833C"
    Mon Jun 28 12:22:49 2010: <191>4118: Jun 28 12:22:49.122 UTC+1: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
    Mon Jun 28 12:22:49 2010: <191>4119: Jun 28 12:22:49.122 UTC+1: RADIUS:  NAS-Port            [5]   6   50004                    
    Mon Jun 28 12:22:49 2010: <191>4120: Jun 28 12:22:49.122 UTC+1: RADIUS:  NAS-Port-Id         [87]  17  "FastEthernet0/4"
    Mon Jun 28 12:22:49 2010: <191>4121: Jun 28 12:22:49.122 UTC+1: RADIUS:  NAS-IP-Address      [4]   6   192.168.254.3            
    Mon Jun 28 12:22:50 2010: <191>4122: Jun 28 12:22:49.206 UTC+1: RADIUS: Received from id 1645/56 10.221.136.14:1645, Access-Reject, len 20
    Mon Jun 28 12:22:50 2010: <191>4123: Jun 28 12:22:49.206 UTC+1: RADIUS:  authenticator CC 28 1A 22 28 32 F2 27 - 79 1F 2B 01 32 C5 AD BC
    Mon Jun 28 12:22:50 2010: <191>4124: Jun 28 12:22:49.206 UTC+1: RADIUS(00000098): Received from id 1645/56
    Mon Jun 28 12:22:52 2010: <187>4125: Jun 28 12:22:50.842 UTC+1: %LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to up
    Thx for your help
    Pascal

    You need to have 3 policies create in IAS. Each will define the ssid and the AD group the user belongs to. So on the wlc, do you have 3 ssids and each has it own vlan?
    Sent from Cisco Technical Support iPad App

  • Radius authentication for privileged access

    Hello,
              I have configured Cisco 6513 for radius authentication with following commands.
    aaa new-model
    aaa authentication login authradius group radius line
    aaa accounting exec acctradius start-stop group radius
    radius-server host <radius-ip> auth-port 1812 acct-port 1646 key 6912911
    line vty 0 4
    accounting exec acctradius
    login authentication authradius
         This is working pretty fine. I want to configure radius authentication for priviledged access / for enable access.
         I am using TeKRadius as Radius server.
         Please help.
    Thanks and Regards,
    Pratik

    Hi Pratik
    Sorry I mostly use only TACACS+ for AAA as it provides better granularity of access controls.
    You'll need to make some specific changes to your RADIUS config so that nominated users ( the ones you want to be able to go to enable mode ) get put straight into enable mode upon login.
    There's a guide here http://www.blindhog.net/cisco-aaa-login-authentication-with-radius-ms-ias/ which details the steps if you're using the Microsoft IAS radius server - you should be able to figure out that changes you need to make to your own server from there.
    Nick
    Message was edited by: NickNac79 - Spelt the OP's name wrong, sorry.

  • VPN 3000 and Radius authentication/authorization

    hello.
    I have to configure RADIUS authentication
    with a VPN 3000 concentrator.
    I'm completely new with this product
    (the concentrator).
    It seems that, if I want to perform authentication
    of username and password with Radius, then I also have to download the entire VPN configuration from the same Radius, using the attibute set loaded with the appropriate dictionary.
    am I rigth with this supposition?
    I mean: should be possible to authenticate only an username and password externally on RADIUS, while continuing to mantain the user (or group) VPN configuration locally in the concentrator?
    thank you.
    Davide

    No, downloading the entire VPN configuration from the RADIUS server is not necessary. If you are new to configuring VPN's on concentrators or the Concentrator iself, having a look at the support page will be agood idea. It is accessible at http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Hardware:Cisco_VPN_3000_Concentrator

Maybe you are looking for

  • "insufficient bandwidth" error when seemingly all is OK

    after months of flawless iChatAV sessions between me in Los Angeles and my brother in NYC, we recently started getting an error message that there is insufficient bandwidth to make the connection. Yet all tests (and even an in-house visit today from

  • How can I avoid image 'distortion' when saving jpegs from Photoshop?

    I've created a logo with a transparent background and saved as an eps in Illustrator CS3.  To create a jpeg I then opened opened the eps in Photoshop CS3, set the resolution at 300ppi and then saved the image as a jpeg.  The image views ok on screen

  • Cannot access some sites in either Firefox or Safari

    I'm not sure when this began, but last month I tried to go to Ebay in both Safari and and Firefox and neither would find the site. Here's what I'm using: MacPro Desktop 2 x 2.8GHz, Quad-core Intel Xeon 8GB memory Snow Leopard 10.6.8 My network is set

  • C++ XML Init error

    Hi, I try to execute the sample "SAXSample" take in the XDK and compiled with the last lib I got. -r--r--r-- 25 stvobadm svrtech 1205244 Dec 10 05:16 libxml9.a -r--r--r-- 25 stvobadm svrtech 36176 Dec 10 05:16 libxmlg9.a -r--r--r-- 25 stvobadm svrtec

  • Data access disrupters  (DAD's)are not being displayed on control panel

    Hi, Data access disrupters are not being displayed on Application server control panel (sid.host.domine > HTTP Server > mod_plsql Services >DAD's ) But users are able to access their applications. Not able to see database access details through Appli