Wlse internal radius server
it is possible to use wlse internal radius server to authenticate users with LEAP.
When you say it should use LEAP is this what you have configured on the phone? The WLSE Express can configure and use more than one of the authentication services at the same time. If more than one service is configured, the WLSE negotiates which one to use. Where are you seeing it is using Cisco-PEAP instead of LEAP? Can you attach these?
Similar Messages
-
WDS - and WLSE as radius server
Hi all
we have a warehouse with 10 ap's once of them is wds master to control the roaming function, to become part of the wds they all have to authenticate with a radius server, so i believe, what I want to know is , if I lost the WLSE on my main site where all the udernames and passwords are foe each ap, what would happen?can anyone help with this?
-
Cisco ISE with both internal and External RADIUS Server
Hi
I have ISE 1.2 , I configured it as management monitor and PSN and it work fine
I would like to know if I can integrate an external radius server and work with both internal and External RADIUS Server simultanously
So some computer (groupe_A in active directory ) will continu to made radius authentication on the ISE internal radius and other computer (groupe_B in active directory) will made radius authentication on an external radius server
I will like to know if it is possible to configure it and how I can do it ?
Thanks in advance for your help
Regards
BlaiseCisco ISE can function both as a RADIUS server and as a RADIUS proxy server. When it acts as a proxy server, Cisco ISE receives authentication and accounting requests from the network access server (NAS) and forwards them to the external RADIUS server. Cisco ISE accepts the results of the requests and returns them to the NAS.
Cisco ISE can simultaneously act as a proxy server to multiple external RADIUS servers. You can use the external RADIUS servers that you configure here in RADIUS server sequences. The External RADIUS Server page lists all the external RADIUS servers that you have defined in Cisco ISE. You can use the filter option to search for specific RADIUS servers based on the name or description, or both. In both simple and rule-based authentication policies, you can use the RADIUS server sequences to proxy the requests to a RADIUS server.
The RADIUS server sequence strips the domain name from the RADIUS-Username attribute for RADIUS authentications. This domain stripping is not applicable for EAP authentications, which use the EAP-Identity attribute. The RADIUS proxy server obtains the username from the RADIUS-Username attribute and strips it from the character that you specify when you configure the RADIUS server sequence. For EAP authentications, the RADIUS proxy server obtains the username from the EAP-Identity attribute. EAP authentications that use the RADIUS server sequence will succeed only if the EAP-Identity and RADIUS-Username values are the same. -
Authenticated on ISE 1.2 (as admin) against an external radius server
Hello
Our customer wants to be authenticated on ISE 1.2 (as admin) against an external radius server (like ACS not microsoft). How could i do that ?
Is it possible while retaining internal admin users database in a sequence "external_radius or internal"
thank you in advance.
Best regardsExternal authentication is supported only with internal authorization:
External Authentication + Internal Authorization
When configuring Cisco ISE to provide administrator authentication using an external RSA SecurID identity store, administrator credential authentication is performed by the RSA identity store. However, authorization (policy application) is still done according to the Cisco ISE internal database. In addition, there are two important factors to remember that are different from External Authentication + External Authorization:
You do not need to specify any particular external administrator groups for the administrator.
You must configure the same username in both the external identity store and the local Cisco ISE database.
To create a new Cisco ISE administrator that authenticates via the external identity store, complete the following steps:
Step 1 Choose Administration > System > Admin Access > Administrators > Local Administrators.
The Administrators window appears, listing all existing locally defined administrators.
Step 2 Follow the guidelines at Creating a New Cisco ISE Administrator to ensure that the administrator username on the external RSA identity store is also present in Cisco ISE. Be sure to click the External option under Password.
Note Remember: you do not need to specify a password for this external administrator user ID, nor are you required to apply any specially configured external administrator group to the associated RBAC policy.
Step 3 Click Save . -
Trying to implement EAP/TLS using java (as part of RADIUS server)
Hi
This is a cross port since I didn't know which forum to post in!
I'm trying to implement a RADIUS server (EAP/TLS) as part of my master thesis. I'm not used to Java SSL libraries and can't get it to work. The server will respond to an accesspoint that uses 802.1x. I have created certificates using openssl and imported the "cert-clt.pl2"and "root.pem" to a laptop trying to connect to the accesspoint. On the server side i imported the "cacert.pem" and "cert-srv.der" using keytool to a keystore. In my code I read the keystore and create the SSLEngine with following code:
KeyStore ksKeys = KeyStore.getInstance("JKS");
ksKeys.load(new FileInputStream("certs/FeebeeCommunity.keystore"), passphrase);
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(ksKeys, passphrase);
KeyStore ksTrust = KeyStore.getInstance("JKS");
ksTrust.load(new FileInputStream("FeebeeCommunity.keystore"), passphrase);
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
tmf.init(ksKeys);
sslContext = SSLContext.getInstance("TLS");
sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
sslEngine = sslContext.createSSLEngine();
sslEngine.setUseClientMode(false);
sslEngine.setNeedClientAuth(true);
sslEngine.setWantClientAuth(true);
sslEngine.setEnableSessionCreation(true);
appBuffer = ByteBuffer.allocate(sslEngine.getSession().getApplicationBufferSize());
appBuffer.clear();
netBuffer = ByteBuffer.allocate(sslEngine.getSession().getPacketBufferSize());
netBuffer.clear();All I want to do with TLS is a handshake.
I'm not talking ssl using sockets instead I receive and send all TLS data encapsulated in EAP packet that are incapsulated in RADIUS packets. I start off with sending TLS-Start upon I recive TLS data. I handle it with the following code:
SSLEngineResult result = null;
SSLEngineResult.HandshakeStatus hsStatus = null;
if( internalState != EAPTLSState.Handshaking ) {
if( internalState == EAPTLSState.None ) {
TLSPacket tlsPacket = new TLSPacket( packet.getData() );
peerIdentity = tlsPacket.getData();
internalState = EAPTLSState.Starting;
try {
sslEngine.beginHandshake();
} catch (SSLException e) {
e.printStackTrace();
return;
else if(internalState == EAPTLSState.Starting ) {
internalState = EAPTLSState.Handshaking;
try {
sslEngine.beginHandshake();
} catch (SSLException e) {
e.printStackTrace();
TLSPacket tlsPacket = new TLSPacket( packet.getData() );
netBuffer.put( tlsPacket.getData() );
netBuffer.flip();
while(true) {
hsStatus = sslEngine.getHandshakeStatus();
if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_TASK) {
Runnable task;
while((task=sslEngine.getDelegatedTask()) != null) {
new Thread(task).start();
else if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_UNWRAP) {
try {
result = sslEngine.unwrap( netBuffer, appBuffer );
} catch (SSLException e) {
e.printStackTrace();
else {
return;
}When I try to send data I use the following code:
SSLEngineResult.HandshakeStatus hsStatus = null;
SSLEngineResult result = null;
// netBuffer = ByteBuffer.allocate(EAPTLSMethod.BUFFER_SIZE);
netBuffer.clear();
while(true) {
hsStatus = sslEngine.getHandshakeStatus();
if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_TASK) {
Runnable task;
while((task=sslEngine.getDelegatedTask()) != null) {
new Thread(task).start();
else if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_WRAP) {
try {
result = sslEngine.wrap( dummyBuffer, netBuffer );
} catch (SSLException e) {
e.printStackTrace();
else {
if( result != null && result.getStatus() == SSLEngineResult.Status.OK ) {
int size = Math.min(result.bytesProduced(),this.MTU);
byte [] tlsData = new byte[size];
netBuffer.flip();
netBuffer.get(tlsData,0,size);
TLSPacket tlsPacket = new TLSPacket((byte)0,tlsData);
if( size < result.bytesProduced() ) {
tlsPacket.setFlag(TLSFlag.MoreFragments);
return new EAPTLSRequestPacket( ID,
(short)(tlsPacket.getData().length + 6),
stateMachine.getCurrentMethod(), tlsPacket );
else {
return null;
}After I sent TLS-Start I receive data and manage to process it but when then trying to produce TLS data I get the following error:
javax.net.ssl.SSLHandshakeException: no cipher suites in common
at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:992)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:459)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1054)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1026)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:411)
at RadiusServerSimulator.EAPModule.EAPTLSMethod.buildReq(EAPTLSMethod.java:125)
at RadiusServerSimulator.EAPModule.EAPStateMachine.methodRequest(EAPStateMachine.java:358)
at RadiusServerSimulator.EAPModule.EAPStateMachine.run(EAPStateMachine.java:262)
at java.lang.Thread.run(Thread.java:595)
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1352)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:164)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:638)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:450)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:178)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:437)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.java:930)
Any help wold be most greatfull, if any questions or anything unclear plz let me know.
add some additional information here is a debug output
Before this I have sent a TLS-star package and this is when I receive new information and then try to create the answer
[Raw read]: length = 5
0000: 16 03 01 00 41 ....A
[Raw read]: length = 65
0000: 01 00 00 3D 03 01 41 A4 FC 16 A8 14 89 F0 59 81 ...=..A.......Y.
0010: C8 C9 29 C2 09 D1 0A 70 18 58 DC 2E B0 C8 14 90 ..)....p.X......
0020: D4 FD A4 C6 32 C9 00 00 16 00 04 00 05 00 0A 00 ....2...........
0030: 09 00 64 00 62 00 03 00 06 00 13 00 12 00 63 01 ..d.b.........c.
0040: 00 .
Thread-2, READ: TLSv1 Handshake, length = 65
*** ClientHello, TLSv1
RandomCookie: GMT: 1084488726 bytes = { 168, 20, 137, 240, 89, 129, 200, 201, 4
1, 194, 9, 209, 10, 112, 24, 88, 220, 46, 176, 200, 20, 144, 212, 253, 164, 198,
50, 201 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH
_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_EXPORT1024_WITH_RC4_56_SHA,
SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EX
PORT_WITH_RC2_CBC_40_MD5, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_DE
S_CBC_SHA, SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA]
Compression Methods: { 0 }
[read] MD5 and SHA1 hashes: len = 65
0000: 01 00 00 3D 03 01 41 A4 FC 16 A8 14 89 F0 59 81 ...=..A.......Y.
0010: C8 C9 29 C2 09 D1 0A 70 18 58 DC 2E B0 C8 14 90 ..)....p.X......
0020: D4 FD A4 C6 32 C9 00 00 16 00 04 00 05 00 0A 00 ....2...........
0030: 09 00 64 00 62 00 03 00 06 00 13 00 12 00 63 01 ..d.b.........c.
0040: 00 .
Thread-5, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
Thread-5, SEND TLSv1 ALERT: fatal, description = handshake_failure
Thread-5, WRITE: TLSv1 Alert, length = 2
Thread-2, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeEx
ception: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:9
92)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineI
mpl.java:459)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineIm
pl.java:1054)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:10
26)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:411)
at RadiusServerSimulator.EAPModule.EAPTLSMethod.buildReq(EAPTLSMethod.ja
va:153)
at RadiusServerSimulator.EAPModule.EAPStateMachine.methodRequest(EAPStat
eMachine.java:358)
at RadiusServerSimulator.EAPModule.EAPStateMachine.run(EAPStateMachine.j
ava:262)
at java.lang.Thread.run(Thread.java:595)
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1
352)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:164)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(Serve
rHandshaker.java:638)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHands
haker.java:450)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHa
ndshaker.java:178)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:4
95)
at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:437)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.
java:930)
... 1 moreI am developing a simple client/server SSL app using sdk 1.4 (no SSLEngine) and am faced with the same problem. Could anybody track down the problem further?
-
Cisco 871w, radius server local, and leap or eap-fast will not authenticate
Hello, i trying to setup eap-fast or leap on my 871w. i belive i have it confiured correctly but i can not get any device to authenticate to router. Below is the confiureation that i being used. any help would be welcome!
! Last configuration change at 15:51:30 AZT Wed Jan 4 2012 by testtest
! NVRAM config last updated at 15:59:37 AZT Wed Jan 4 2012 by testtest
version 12.4
configuration mode exclusive auto
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service linenumber
service pt-vty-logging
service sequence-numbers
hostname router871
boot-start-marker
boot-end-marker
logging count
logging message-counter syslog
logging buffered 4096
logging rate-limit 512 except critical
logging console critical
enable secret 5 <omitted>
aaa new-model
aaa group server radius rad-test3
server 192.168.16.49 auth-port 1812 acct-port 1813
aaa authentication login default local
aaa authentication login eap-methods group rad-test3
aaa authorization exec default local
aaa session-id common
clock timezone AZT -7
clock save interval 8
dot11 syslog
dot11 ssid test2
vlan 2
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 <omitted>
dot11 ssid test1
vlan 1
authentication open
authentication key-management wpa
wpa-psk ascii 7 <omitted>
dot11 ssid test3
vlan 3
authentication open eap eap-methods
authentication network-eap eap-methods
no ip source-route
no ip gratuitous-arps
ip options drop
ip dhcp bootp ignore
ip dhcp excluded-address 192.162.16.49 192.162.16.51
ip dhcp excluded-address 192.168.16.33
ip dhcp excluded-address 192.168.16.1 192.168.16.4
ip dhcp pool vlan1pool
import all
network 192.168.16.0 255.255.255.224
default-router 192.168.16.1
domain-name test1.local.home
lease 4
ip dhcp pool vlan2pool
import all
network 192.168.16.32 255.255.255.240
default-router 192.168.16.33
domain-name test2.local.home
lease 0 6
ip dhcp pool vlan3pool
import all
network 192.168.16.48 255.255.255.240
default-router 192.168.16.49
domain-name test3.local.home
lease 2
ip cef
ip inspect alert-off
ip inspect max-incomplete low 25
ip inspect max-incomplete high 50
ip inspect one-minute low 25
ip inspect one-minute high 50
ip inspect udp idle-time 15
ip inspect tcp idle-time 1800
ip inspect tcp finwait-time 30
ip inspect tcp synwait-time 60
ip inspect tcp block-non-session
ip inspect tcp max-incomplete host 25 block-time 2
ip inspect name firewall tcp router-traffic
ip inspect name firewall ntp
ip inspect name firewall ftp
ip inspect name firewall udp router-traffic
ip inspect name firewall pop3
ip inspect name firewall pop3s
ip inspect name firewall imap
ip inspect name firewall imap3
ip inspect name firewall imaps
ip inspect name firewall smtp
ip inspect name firewall ssh
ip inspect name firewall icmp router-traffic timeout 10
ip inspect name firewall dns
ip inspect name firewall h323
ip inspect name firewall hsrp
ip inspect name firewall telnet
ip inspect name firewall tftp
no ip bootp server
no ip domain lookup
ip domain name local.home
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip accounting-threshold 100
ip accounting-list 192.168.16.0 0.0.0.31
ip accounting-list 192.168.16.32 0.0.0.15
ip accounting-list 192.168.16.48 0.0.0.15
ip accounting-transits 25
login block-for 120 attempts 5 within 60
login delay 5
login on-failure log
memory free low-watermark processor 65536
memory free low-watermark IO 16384
username testtest password 7 <omitted>
archive
log config
logging enable
logging size 255
notify syslog contenttype plaintext
hidekeys
path tftp://<omitted>/archive-config
write-memory
ip tcp synwait-time 10
ip ssh time-out 20
ip ssh authentication-retries 2
ip ssh logging events
ip ssh version 2
bridge irb
interface Loopback0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
interface Null0
no ip unreachables
interface FastEthernet0
switchport mode trunk
shutdown
interface FastEthernet1
switchport mode trunk
shutdown
interface FastEthernet2
shutdown
spanning-tree portfast
interface FastEthernet3
spanning-tree portfast
interface FastEthernet4
description Cox Internet Connection
ip address dhcp
ip access-group ingress-filter in
ip access-group egress-filter out
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip flow ingress
ip flow egress
ip inspect firewall out
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1460
load-interval 30
duplex auto
speed auto
no cdp enable
interface Dot11Radio0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encryption vlan 1 mode ciphers aes-ccm
encryption vlan 2 mode ciphers aes-ccm
encryption key 1 size 128bit 7 <omitted> transmit-key
encryption mode wep mandatory
broadcast-key vlan 1 change <omitted> membership-termination
broadcast-key vlan 3 change <omitted> membership-termination
broadcast-key vlan 2 change <omitted> membership-termination
ssid test2
ssid test1
ssid test3
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
rts threshold 2312
no cdp enable
interface Dot11Radio0.1
description <omitted>
encapsulation dot1Q 1 native
no ip redirects
no ip unreachables
no ip proxy-arp
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.2
description <omitted>
encapsulation dot1Q 2
no ip redirects
no ip unreachables
no ip proxy-arp
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
interface Dot11Radio0.3
description <omitted>
encapsulation dot1Q 3
no ip redirects
no ip unreachables
no ip proxy-arp
bridge-group 3
bridge-group 3 subscriber-loop-control
bridge-group 3 spanning-disabled
bridge-group 3 block-unknown-source
no bridge-group 3 source-learning
no bridge-group 3 unicast-flooding
interface Vlan1
description <omitted>
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled
interface Vlan2
description <omitted>
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
bridge-group 2
bridge-group 2 spanning-disabled
interface Vlan3
description <omitted>
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
bridge-group 3
bridge-group 3 spanning-disabled
interface BVI1
description <omitted>
ip address 192.168.16.1 255.255.255.224
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
interface BVI2
description <omitted>
ip address 192.168.16.33 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
interface BVI3
description <omitted>
ip address 192.168.16.49 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip forward-protocol nd
no ip http server
no ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha rc4-128-sha
ip http timeout-policy idle 5 life 43200 requests 5
ip flow-top-talkers
top 10
sort-by bytes
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.16.50 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.16.50 53 interface FastEthernet4 53
ip nat inside source static tcp 192.168.16.50 3074 interface FastEthernet4 3074
ip nat inside source static udp 192.168.16.50 3074 interface FastEthernet4 3074
ip nat inside source static udp 192.168.16.50 88 interface FastEthernet4 88
ip nat inside source static udp 192.168.16.50 53 interface FastEthernet4 53
ip access-list extended egress-filter
deny ip any host <omitted>
deny ip any host <omitted>
deny ip host <omitted> any
deny ip host <omitted> any
remark ----- Bogons Filter -----
deny ip 0.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.10.9.255 any
deny ip 10.0.0.0 0.10.13.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.0.0.0 0.0.0.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 192.168.0.0 0.0.15.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 198.18.0.0 0.1.255.255 any
deny ip 198.51.100.0 0.0.0.255 any
deny ip 203.0.113.0 0.0.0.255 any
deny ip 224.0.0.0 31.255.255.255 any
remark ----- Internal networks -----
permit ip <omitted> 0.0.0.3 any
deny ip any any log
ip access-list extended ingress-filter
remark ----- To get IP form COX -----
permit udp any eq bootps any eq bootpc
deny icmp any any log
deny udp any any eq echo
deny udp any eq echo any
deny tcp any any fragments
deny udp any any fragments
deny ip any any fragments
deny ip any any option any-options
deny ip any any ttl lt 4
deny ip any host <omitted>
deny ip any host <omitted>
deny udp any any range 33400 34400
remark ----- Bogons Filter -----
deny ip 0.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.0.0.0 0.0.0.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 198.18.0.0 0.1.255.255 any
deny ip 198.51.100.0 0.0.0.255 any
deny ip 203.0.113.0 0.0.0.255 any
deny ip 224.0.0.0 31.255.255.255 any
remark ----- Internal networks -----
deny ip 10.10.10.0 0.0.0.255 any
deny ip 10.10.11.0 0.0.0.255 any
deny ip 10.10.12.0 0.0.0.255 any
deny ip any any log
access-list 1 permit 192.168.16.0 0.0.0.63
access-list 20 permit 127.127.1.1
access-list 20 permit 204.235.61.9
access-list 20 permit 173.201.38.85
access-list 20 permit 216.229.4.69
access-list 20 permit 152.2.21.1
access-list 20 permit 130.126.24.24
access-list 21 permit 192.168.16.0 0.0.0.63
radius-server local
no authentication mac
eapfast authority id <omitted>
eapfast authority info <omitted>
eapfast server-key primary 7 <omitted>
nas 192.168.16.49 key 7 <omitted>
group rad-test3
vlan 3
ssid test3
user test nthash 7 <omitted> group rad-test3
user testtest nthash 7 <omitted> group rad-test3
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.16.49 auth-port 1812 acct-port 1813 key 7 <omitted>
radius-server vsa send accounting
control-plane host
control-plane transit
control-plane cef-exception
control-plane
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
bridge 3 protocol ieee
bridge 3 route ip
line con 0
password 7 <omitted>
logging synchronous
no modem enable
transport output telnet
line aux 0
password 7 <omitted>
logging synchronous
transport output telnet
line vty 0 4
password 7 <omitted>
logging synchronous
transport preferred ssh
transport input ssh
transport output ssh
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
process cpu threshold type total rising 80 interval 10 falling 40 interval 10
ntp authentication-key 1 md5 <omitted> 7
ntp authenticate
ntp trusted-key 1
ntp source FastEthernet4
ntp access-group peer 20
ntp access-group serve-only 21
ntp master 1
ntp server 152.2.21.1 maxpoll 4
ntp server 204.235.61.9 maxpoll 4
ntp server 130.126.24.24 maxpoll 4
ntp server 216.229.4.69 maxpoll 4
ntp server 173.201.38.85 maxpoll 4
endso this what i am getting now for debug? any thoughs?
010724: Jan 5 16:26:04.527 AZT: RADIUS: Retransmit to (162.168.16.49:1812,1813) for id 1645/2
010725: Jan 5 16:26:08.976 AZT: RADIUS: No response from (162.168.16.49:1812,1813) for id 1645/2
010726: Jan 5 16:26:08.976 AZT: RADIUS/DECODE: No response from radius-server; parse response; FAIL
010727: Jan 5 16:26:08.976 AZT: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
010728: Jan 5 16:26:08.976 AZT: dot11_auth_dot1x_parse_aaa_resp: Received server response: FAIL
010729: Jan 5 16:26:08.976 AZT: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
010730: Jan 5 16:26:08.976 AZT: Client d8b3.7759.0488 failed: EAP reason 1
010731: Jan 5 16:26:08.976 AZT: dot11_auth_dot1x_parse_aaa_resp: Failed client d8b3.7759.0488 with aaa_req_status_detail 1
010732: Jan 5 16:26:08.976 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_FAIL) for d8b3.7759.0488
010733: Jan 5 16:26:08.976 AZT: dot11_auth_dot1x_send_response_to_client: Forwarding server message to client d8b3.7759.0488
010734: Jan 5 16:26:08.976 AZT: EAPOL pak dump tx
010735: Jan 5 16:26:08.976 AZT: EAPOL Version: 0x1 type: 0x0 length: 0x0004
010736: Jan 5 16:26:08.976 AZT: EAP code: 0x4 id: 0x1 length: 0x0004
0AD05650: 01000004 04010004 ........
0AD05660:
010737: Jan 5 16:26:08.980 AZT: dot11_auth_send_msg: sending data to requestor status 1
010738: Jan 5 16:26:08.980 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
010739: Jan 5 16:26:08.980 AZT: dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds
010740: Jan 5 16:26:08.980 AZT: dot11_auth_dot1x_send_client_fail: Authentication failed for d8b3.7759.0488
010741: Jan 5 16:26:08.980 AZT: dot11_auth_send_msg: sending data to requestor status 0
010742: Jan 5 16:26:08.980 AZT: dot11_auth_send_msg: client FAILED to authenticate d8b3.7759.0488, node_type 64 for application 0x1
010743: Jan 5 16:26:08.980 AZT: dot11_auth_delete_client_entry: d8b3.7759.0488 is deleted for application 0x1
010744: Jan 5 16:26:08.984 AZT: %DOT11-7-AUTH_FAILED: Station d8b3.7759.0488 Authentication failed
010745: Jan 5 16:26:09.624 AZT: dot11_auth_add_client_entry: Create new client d8b3.7759.0488 for application 0x1
010746: Jan 5 16:26:09.624 AZT: dot11_auth_initialize_client: d8b3.7759.0488 is added to the client list for application 0x1
010747: Jan 5 16:26:09.624 AZT: dot11_auth_add_client_entry: req->auth_type 0
010748: Jan 5 16:26:09.624 AZT: dot11_auth_add_client_entry: auth_methods_inprocess: 2
010749: Jan 5 16:26:09.624 AZT: dot11_auth_add_client_entry: eap list name: eap-methods
010750: Jan 5 16:26:09.624 AZT: dot11_run_auth_methods: Start auth method EAP or LEAP
010751: Jan 5 16:26:09.624 AZT: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
010752: Jan 5 16:26:09.624 AZT: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to d8b3.7759.0488
010753: Jan 5 16:26:09.624 AZT: EAPOL pak dump tx
010754: Jan 5 16:26:09.624 AZT: EAPOL Version: 0x1 type: 0x0 length: 0x0031
010755: Jan 5 16:26:09.624 AZT: EAP code: 0x1 id: 0x1 length: 0x0031 type: 0x1
0AD05B50: 01000031 01010031 ...1...1
0AD05B60: 01006E65 74776F72 6B69643D 746F7973 ..networkid=toys
0AD05B70: 6F6E7067 2C6E6173 69643D72 6F757465 onpg,nasid=route
0AD05B80: 72383731 2C706F72 7469643D 30 r871,portid=0
010756: Jan 5 16:26:09.644 AZT: dot11_auth_send_msg: sending data to requestor status 1
010757: Jan 5 16:26:09.648 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
010758: Jan 5 16:26:09.648 AZT: dot11_auth_dot1x_send_id_req_to_client: Client d8b3.7759.0488 timer started for 30 seconds
010759: Jan 5 16:26:09.656 AZT: dot11_auth_parse_client_pak: Received EAPOL packet from d8b3.7759.0488
010760: Jan 5 16:26:09.656 AZT: EAPOL pak dump rx
010761: Jan 5 16:26:09.656 AZT: EAPOL Version: 0x1 type: 0x0 length: 0x0009
010762: Jan 5 16:26:09.656 AZT: EAP code: 0x2 id: 0x1 length: 0x0009 type: 0x1
0B060D50: 01000009 02010009 ........
0B060D60: 01746573 74 .test
010763: Jan 5 16:26:09.660 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY) for d8b3.7759.0488
010764: Jan 5 16:26:09.660 AZT: dot11_auth_dot1x_send_response_to_server: Sending client d8b3.7759.0488 data to server
010765: Jan 5 16:26:09.660 AZT: dot11_auth_dot1x_send_response_to_server: Started timer server_timeout 60 seconds
010766: Jan 5 16:26:09.664 AZT: RADIUS/ENCODE(00000198):Orig. component type = DOT11
010767: Jan 5 16:26:09.664 AZT: RADIUS: AAA Unsupported Attr: ssid [282] 8
010768: Jan 5 16:26:09.664 AZT: RADIUS: 74 6F 79 73 6F 6E [toyson]
010769: Jan 5 16:26:09.664 AZT: RADIUS: AAA Unsupported Attr: interface [175] 3
010770: Jan 5 16:26:09.664 AZT: RADIUS: 36 [6]
010771: Jan 5 16:26:09.664 AZT: RADIUS(00000198): Config NAS IP: 192.168.16.49
010772: Jan 5 16:26:09.664 AZT: RADIUS/ENCODE(00000198): acct_session_id: 408
010773: Jan 5 16:26:09.664 AZT: RADIUS(00000198): Config NAS IP: 192.168.16.49
010774: Jan 5 16:26:09.664 AZT: RADIUS(00000198): sending
010775: Jan 5 16:26:09.664 AZT: RADIUS(00000198): Send Access-Request to 162.168.16.49:1645 id 1645/3, len 133
010776: Jan 5 16:26:09.664 AZT: RADIUS: authenticator BF 69 DD DF 89 1F C6 FB - EF EC 12 EB C5 3F 3A CD
010777: Jan 5 16:26:09.664 AZT: RADIUS: User-Name [1] 6 "test"
010778: Jan 5 16:26:09.664 AZT: RADIUS: Framed-MTU [12] 6 1400
010779: Jan 5 16:26:09.664 AZT: RADIUS: Called-Station-Id [30] 16 "0019.3075.e660"
010780: Jan 5 16:26:09.664 AZT: RADIUS: Calling-Station-Id [31] 16 "d8b3.7759.0488"
010781: Jan 5 16:26:09.668 AZT: RADIUS: Service-Type [6] 6 Login [1]
010782: Jan 5 16:26:09.668 AZT: RADIUS: Message-Authenticato[80] 18
010783: Jan 5 16:26:09.668 AZT: RADIUS: 5B FA 47 07 0E E3 4B 71 7F 60 6E 4E 91 37 84 A6 [[?G???Kq?`nN?7??]
010784: Jan 5 16:26:09.668 AZT: RADIUS: EAP-Message [79] 11
010785: Jan 5 16:26:09.668 AZT: RADIUS: 02 01 00 09 01 74 65 73 74 [?????test]
010786: Jan 5 16:26:09.668 AZT: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
010787: Jan 5 16:26:09.668 AZT: RADIUS: NAS-Port [5] 6 661
010788: Jan 5 16:26:09.668 AZT: RADIUS: NAS-Port-Id [87] 5 "661"
010789: Jan 5 16:26:09.668 AZT: RADIUS: NAS-IP-Address [4] 6 192.168.16.49
010790: Jan 5 16:26:09.668 AZT: RADIUS: Nas-Identifier [32] 11 "router871"
010791: Jan 5 16:26:14.501 AZT: RADIUS: Retransmit to (162.168.16.49:1645,1646) for id 1645/3
router871#
010792: Jan 5 16:26:19.018 AZT: RADIUS: Retransmit to (162.168.16.49:1645,1646) for id 1645/3
router871#
010793: Jan 5 16:26:23.739 AZT: RADIUS: Retransmit to (162.168.16.49:1645,1646) for id 1645/3
router871#
010794: Jan 5 16:26:28.700 AZT: RADIUS: Fail-over to (162.168.16.49:1812,1813) for id 1645/3
router871#
010795: Jan 5 16:26:33.629 AZT: RADIUS: Retransmit to (162.168.16.49:1812,1813) for id 1645/3
router871#
010796: Jan 5 16:26:38.494 AZT: RADIUS: Retransmit to (162.168.16.49:1812,1813) for id 1645/3
router871#
010797: Jan 5 16:26:39.794 AZT: dot11_auth_parse_client_pak: Received EAPOL packet from d8b3.7759.0488
010798: Jan 5 16:26:39.794 AZT: EAPOL pak dump rx
010799: Jan 5 16:26:39.794 AZT: EAPOL Version: 0x1 type: 0x1 length: 0x0000
0AD053D0: 01010000 ....
010800: Jan 5 16:26:39.798 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,EAP_START) for d8b3.7759.0488
010801: Jan 5 16:26:39.798 AZT: dot11_auth_dot1x_ignore_event: Ignore event: do nothing
router871#
010802: Jan 5 16:26:43.007 AZT: RADIUS: Retransmit to (162.168.16.49:1812,1813) for id 1645/3
router871#
010803: Jan 5 16:26:47.336 AZT: RADIUS: No response from (162.168.16.49:1812,1813) for id 1645/3
010804: Jan 5 16:26:47.336 AZT: RADIUS/DECODE: No response from radius-server; parse response; FAIL
010805: Jan 5 16:26:47.336 AZT: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
010806: Jan 5 16:26:47.336 AZT: dot11_auth_dot1x_parse_aaa_resp: Received server response: FAIL
010807: Jan 5 16:26:47.336 AZT: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
010808: Jan 5 16:26:47.336 AZT: Client d8b3.7759.0488 failed: EAP reason 1
010809: Jan 5 16:26:47.336 AZT: dot11_auth_dot1x_parse_aaa_resp: Failed client d8b3.7759.0488 with aaa_req_status_detail 1
010810: Jan 5 16:26:47.336 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_FAIL) for d8b3.7759.0488
010811: Jan 5 16:26:47.336 AZT: dot11_auth_dot1x_send_response_to_client: Forwarding server message to client d8b3.7759.0488
010812: Jan 5 16:26:47.336 AZT: EAPOL pak dump tx
010813: Jan 5 16:26:47.336 AZT: EAPOL Version: 0x1 type: 0x0 length: 0x0004
010814: Jan 5 16:26:47.336 AZT: EAP code: 0x4 id: 0x1 length: 0x0004
0B060710: 01000004 04010004 ........
0B060720:
010815: Jan 5 16:26:47.340 AZT: dot11_auth_send_msg: sending data to requestor status 1
010816: Jan 5 16:26:47.340 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
010817: Jan 5 16:26:47.340 AZT: dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds
010818: Jan 5 16:26:47.340 AZT: dot11_auth_dot1x_send_client_fail: Authentication failed for d8b3.7759.0488
010819: Jan 5 16:26:47.340 AZT: dot11_auth_send_msg: sending data to requestor status 0
010820: Jan 5 16:26:47.340 AZT: dot11_auth_send_msg: client FAILED to authenticate d8b3.7759.0488, node_type 64 for application 0x1
router871#
010821: Jan 5 16:26:47.340 AZT: dot11_auth_delete_client_entry: d8b3.7759.0488 is deleted for application 0x1
010822: Jan 5 16:26:47.344 AZT: %DOT11-7-AUTH_FAILED: Station d8b3.7759.0488 Authentication failed
010823: Jan 5 16:26:47.972 AZT: dot11_auth_add_client_entry: Create new client d8b3.7759.0488 for application 0x1
010824: Jan 5 16:26:47.972 AZT: dot11_auth_initialize_client: d8b3.7759.0488 is added to the client list for application 0x1
010825: Jan 5 16:26:47.972 AZT: dot11_auth_add_client_entry: req->auth_type 0
010826: Jan 5 16:26:47.972 AZT: dot11_auth_add_client_entry: auth_methods_inprocess: 2
010827: Jan 5 16:26:47.972 AZT: dot11_auth_add_client_entry: eap list name: eap-methods
010828: Jan 5 16:26:47.976 AZT: dot11_run_auth_methods: Start auth method EAP or LEAP
010829: Jan 5 16:26:47.976 AZT: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
010830: Jan 5 16:26:47.976 AZT: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to d8b3.7759.0488
010831: Jan 5 16:26:47.976 AZT: EAPOL pak dump tx
010832: Jan 5 16:26:47.976 AZT: EAPOL Version: 0x1 type: 0x0 length: 0x0031
010833: Jan 5 16:26:47.976 AZT: EAP code: 0x1 id: 0x1 length: 0x0031 type: 0x1
0AD05B50: 01000031 01010031 ...1...1
0AD05B60: 01006E65 74776F72 6B69643D 746F7973 ..networkid=toys
0AD05B70: 6F6E7067 2C6E6173 69643D72 6F757465 onpg,nasid=route
0AD05B80: 72383731 2C706F72 7469643D 30 r871,portid=0
010834: Jan 5 16:26:47.996 AZT: dot11_auth_send_msg: sending data to requestor status 1
010835: Jan 5 16:26:47.996 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
010836: Jan 5 16:26:47.996 AZT: dot11_auth_dot1x_send_id_req_to_client: Client d8b3.7759.0488 timer started for 30 seconds
010837: Jan 5 16:26:47.996 AZT: dot11_auth_client_abort: Received abort request for client d8b3.7759.0488
010838: Jan 5 16:26:47.996 AZT: dot11_auth_client_abort: Aborting client d8b3.7759.0488 for application 0x1
router871#
010839: Jan 5 16:26:47.996 AZT: dot11_auth_delete_client_entry: d8b3.7759.0488 is deleted for application 0x1
router871#
010840: Jan 5 16:26:58.634 AZT: dot11_auth_add_client_entry: Create new client d8b3.7759.0488 for application 0x1
010841: Jan 5 16:26:58.634 AZT: dot11_auth_initialize_client: d8b3.7759.0488 is added to the client list for application 0x1
010842: Jan 5 16:26:58.638 AZT: dot11_auth_add_client_entry: req->auth_type 0
010843: Jan 5 16:26:58.638 AZT: dot11_auth_add_client_entry: auth_methods_inprocess: 2
010844: Jan 5 16:26:58.638 AZT: dot11_auth_add_client_entry: eap list name: eap-methods
010845: Jan 5 16:26:58.638 AZT: dot11_run_auth_methods: Start auth method EAP or LEAP
010846: Jan 5 16:26:58.638 AZT: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
010847: Jan 5 16:26:58.638 AZT: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to d8b3.7759.0488
010848: Jan 5 16:26:58.638 AZT: EAPOL pak dump tx
010849: Jan 5 16:26:58.638 AZT: EAPOL Version: 0x1 type: 0x0 length: 0x0031
010850: Jan 5 16:26:58.638 AZT: EAP code: 0x1 id: 0x1 length: 0x0031 type: 0x1
0B060710: 01000031 01010031 ...1...1
0B060720: 01006E65 74776F72 6B69643D 746F7973 ..networkid=toys
0B060730: 6F6E7067 2C6E6173 69643D72 6F757465 onpg,nasid=route
0B060740: 72383731 2C706F72 7469643D 30 r871,portid=0
010851: Jan 5 16:26:58.658 AZT: dot11_auth_send_msg: sending data to requestor status 1
010852: Jan 5 16:26:58.658 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
010853: Jan 5 16:26:58.658 AZT: dot11_auth_dot1x_send_id_req_to_client: Client d8b3.7759.0488 timer started for 30 seconds
010854: Jan 5 16:27:01.603 AZT: dot11_auth_client_abort: Received abort request for client d8b3.7759.0488
010855: Jan 5 16:27:01.603 AZT: dot11_auth_client_abort: Aborting client d8b3.7759.0488 for application 0x1
010856: Jan 5 16:27:01.603 AZT: dot11_auth_delete_client_entry: d8b3.7759.0488 is deleted for application 0x1
010857: Jan 5 16:27:02.179 AZT: %SEC-6-IPACCESSLOGP: list ingress-filter denied tcp 32.42.41.254(57443) -> 72.201.117.84(59652), 1 packet
010858: Jan 5 16:27:02.179 AZT: %SEC-6-IPACCESSLOGP: list egress-filter denied tcp 22.3.184.118(0) -> 74.125.53.188(0), 4 packets
010859: Jan 5 16:27:12.261 AZT: dot11_auth_add_client_entry: Create new client d8b3.7759.0488 for application 0x1
010860: Jan 5 16:27:12.261 AZT: dot11_auth_initialize_client: d8b3.7759.0488 is added to the client list for application 0x1
010861: Jan 5 16:27:12.261 AZT: dot11_auth_add_client_entry: req->auth_type 0
010862: Jan 5 16:27:12.261 AZT: dot11_auth_add_client_entry: auth_methods_inprocess: 2
010863: Jan 5 16:27:12.261 AZT: dot11_auth_add_client_entry: eap list name: eap-methods
010864: Jan 5 16:27:12.261 AZT: dot11_run_auth_methods: Start auth method EAP or LEAP
010865: Jan 5 16:27:12.261 AZT: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
010866: Jan 5 16:27:12.261 AZT: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to d8b3.7759.0488
010867: Jan 5 16:27:12.261 AZT: EAPOL pak dump tx
010868: Jan 5 16:27:12.261 AZT: EAPOL Version: 0x1 type: 0x0 length: 0x0031
010869: Jan 5 16:27:12.261 AZT: EAP code: 0x1 id: 0x1 length: 0x0031 type: 0x1
0B060FD0: 01000031 01010031 ...1...1
0B060FE0: 01006E65 74776F72 6B69643D 746F7973 ..networkid=toys
0B060FF0: 6F6E7067 2C6E6173 69643D72 6F757465 onpg,nasid=route
0B061000: 72383731 2C706F72 7469643D 30 r871,portid=0
010870: Jan 5 16:27:12.285 AZT: dot11_auth_send_msg: sending data to requestor status 1
010871: Jan 5 16:27:12.285 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
010872: Jan 5 16:27:12.285 AZT: dot11_auth_dot1x_send_id_req_to_client: Client d8b3.7759.0488 timer started for 30 seconds
010873: Jan 5 16:27:12.293 AZT: dot11_auth_parse_client_pak: Received EAPOL packet from d8b3.7759.0488
010874: Jan 5 16:27:12.293 AZT: EAPOL pak dump rx
010875: Jan 5 16:27:12.293 AZT: EAPOL Version: 0x1 type: 0x0 length: 0x0009
010876: Jan 5 16:27:12.293 AZT: EAP code: 0x2 id: 0x1 length: 0x0009 type: 0x1
0AD05290: 01000009 02010009 ........
0AD052A0: 01746573 74 .test
010877: Jan 5 16:27:12.301 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY) for d8b3.7759.0488
010878: Jan 5 16:27:12.301 AZT: dot11_auth_dot1x_send_response_to_server: Sending client d8b3.7759.0488 data to server
010879: Jan 5 16:27:12.301 AZT: dot11_auth_dot1x_send_response_to_server: Started timer server_timeout 60 seconds
010880: Jan 5 16:27:12.301 AZT: RADIUS/ENCODE(0000019B):Orig. component type = DOT11
010881: Jan 5 16:27:12.305 AZT: RADIUS: AAA Unsupported Attr: ssid [282] 8
010882: Jan 5 16:27:12.305 AZT: RADIUS: 74 6F 79 73 6F 6E [toyson]
010883: Jan 5 16:27:12.305 AZT: RADIUS: AAA Unsupported Attr: interface [175] 3
010884: Jan 5 16:27:12.305 AZT: RADIUS: 36 [6]
010885: Jan 5 16:27:12.305 AZT: RADIUS(0000019B): Config NAS IP: 192.168.16.49
010886: Jan 5 16:27:12.305 AZT: RADIUS/ENCODE(0000019B): acct_session_id: 411
010887: Jan 5 16:27:12.305 AZT: RADIUS(0000019B): Config NAS IP: 192.168.16.49
010888: Jan 5 16:27:12.305 AZT: RADIUS(0000019B): sending
010889: Jan 5 16:27:12.305 AZT: RADIUS(0000019B): Send Access-Request to 162.168.16.49:1645 id 1645/4, len 133
010890: Jan 5 16:27:12.305 AZT: RADIUS: authenticator 6F 6C 63 31 88 DE 30 A2 - C2 06 12 EB 50 A3 53 36
010891: Jan 5 16:27:12.305 AZT: RADIUS: User-Name [1] 6 "test"
010892: Jan 5 16:27:12.305 AZT: RADIUS: Framed-MTU [12] 6 1400
010893: Jan 5 16:27:12.305 AZT: RADIUS: Called-Station-Id [30] 16 "0019.3075.e660"
010894: Jan 5 16:27:12.305 AZT: RADIUS: Calling-Station-Id [31] 16 "d8b3.7759.0488"
010895: Jan 5 16:27:12.305 AZT: RADIUS: Service-Type [6] 6 Login [1]
010896: Jan 5 16:27:12.305 AZT: RADIUS: Message-Authenticato[80] 18
010897: Jan 5 16:27:12.305 AZT: RADIUS: 9D D5 62 1A 38 13 94 30 3A 43 D7 A4 AE A4 43 64 [??b?8??0:C????Cd]
010898: Jan 5 16:27:12.305 AZT: RADIUS: EAP-Message [79] 11
010899: Jan 5 16:27:12.305 AZT: RADIUS: 02 01 00 09 01 74 65 73 74 [?????test]
010900: Jan 5 16:27:12.305 AZT: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
010901: Jan 5 16:27:12.305 AZT: RADIUS: NAS-Port [5] 6 664
010902: Jan 5 16:27:12.309 AZT: RADIUS: NAS-Port-Id [87] 5 "664"
010903: Jan 5 16:27:12.309 AZT: RADIUS: NAS-IP-Address [4] 6 192.168.16.49
010904: Jan 5 16:27:12.309 AZT: RADIUS: Nas-Identifier [32] 11 "router871"
010905: Jan 5 16:27:16.642 AZT: RADIUS: Retransmit to (162.168.16.49:1645,1646) for id 1645/4 -
Hi everyone, im having problems in a wireless network, the SSID has security layer 2 WPA, layer 3 web authentication (internal default page), and external RADIUS.
When a client makes a roaming from one AP to another one or when he has a idle time, he needs to re authenticate in the web login page. Somebody knows a solution to avoid this behavior?. Or somebody has a troubleshooting way to determine why the clients have this problems??A few things I can share that might help .. Your actually feet on the ground will be importnat to see this issue for yourself.
I know when a client or if the AP sends a DEAUTH frame the client will need to reestablish its connection and it will 100% of the time require a new web auth. If a client loses connection while roaming and a DEAUTH is sent on either side you will get the page. If youre client isnt romaing cleanly this can be a problem.
Another problem is your using EAP. Are you using CCK or a device that supports OKC. What does your radius server say when a client roams ?
You could also simply your config and then reapply your security and see where it breaks. By this I mean. For testing, create a SSID turn off security and leave layer 3 web auth on. Roam and see what happens. If it works, then start to apply the security and see where it breaks.
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection." -
Hello all,
I have configured a radius server on my sbs2008 server. I am able to test it from the ASA successfully, however when I try to login with the Anyconnect client I get a login failed. When I check the logs I see that the VPN is trying to authenitcate against the Local database and not my RADIUS server evern though I have authentication-server-group set. I have also restarted the asa thinking that was the issue.
Here is my config:
webvpn
port 444
enable outside
svc image disk0:/anyconnect-win-3.1.03103-k9.pkg 1
svc enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy OAC internal
group-policy OAC attributes
wins-server value 192.168.2.2
dns-server value 192.168.2.2
vpn-tunnel-protocol svc webvpn
group-lock value OAC
split-tunnel-policy tunnelspecified
split-tunnel-network-list value OAC
default-domain value OAC.LOCAL
tunnel-group OAC type remote-access
tunnel-group OAC general-attributes
address-pool vpnpool
authentication-server-group OAC
default-group-policy OAC
Thank you for any help,
LeonLeon,
Looks like your connection is falling on DefaultWebvpn tunnel group. You need to define group list so as to choose
OAC as tunnel group for connection. Here is what needs to be configured:
webvpn
tunnel-group-list enable
tunnel-group OAC webvpn-attributes
group-alias OAC enable
Users will connect to correct OAC tunnel group to get authentocated from radius server.
Regards,
Varinder
P.S. Please mark this post as 'Answered' if you find the above information helpful so that it brings goodness to other community users -
Authenticate Users against external RADIUS-Server
Hi,
i have some users in the local LDAP database of an 10.5 Server.
Is there a way to store their passwords on an external RADIUS-Server?
Thank you very much,
macservo
Message was edited by: macservoCryptoCard does this.
We use it at one customer for L2TP VPN authentication.
This way the VPN user get's a yes or no to use the VPN server and then has to give his credentials: name and VPN shared secret or certificate (support for CryptoCard is in the OS X VPN client) to get on the network. The password is in 2 halves, one half is static and the rest is added to it from the Token.
You then have to authenticate to any service you want to use (Kerberos?).
We only had to alter a PPP config file on the OS X server and add a small file to both server (and client) to make it contact their Radius server instead of it using Apples regular internal VPN authentication (not the Radius one). And we had to add a shared secret corresponding to what was setup for the customer at CryptoCard (in the server only) for the OS X Server (Radius client) to CryptoCard server (Radius server) communication. You can't use Server Admin to alter VPN settings afterwards without messing up the PPP settings file.
Maybe possible to us it for Ethernet/Wireless 802.1X authentication too?
For just AFP server auth I don't know. -
ISE 1.2 Patch 2 External RADIUS Server Sequence Broken?
Hi community,
We have upgraded our proof of concept ISE 1.2 lab to Patch level 2.
Our lab design includes the use of external RADIUS servers which we off-load certain authentication rules to.
To ensure resiliency of the external RADIUS service, we have two of these which we add to a RADIUS Server Sequence, the idea being that if the first in the list is unavailable, ISE will try the second and all will be well.
Now this worked for us in testing ISE 1.2, but I have noticed that after the upgrade to Patch 2 ISE is sending the majority RADIUS traffic to the first (failed) external RADIUS server, with only the odd RADIUS Access-Request to thte next in the list.
Anybody else come across this??
All helpful comments rated!
Many thanks, Ash.I couldn't find any known issues with this feature. Could you please paste the screen shot of external radius sequence and configuration. Also, how are we determing that the first server in the sequence is DEAD?
~BR
Jatin Katyal
**Do rate helpful posts** -
EAP-FAST on Local Radius Server : Can't Get It Working
Hi all
I'm using an 877w router (flash:c870-advsecurityk9-mz.124-24.T4.bin) as local radius server and have followed various config guides on CCO. LEAP works fine but I just can't get EAP-FAST to work.
I'm testing with win7 client using anyconnect secure mobility client, and also a mac book pro but without luck.
the router sees unknown auth type, and when I run some debugs it talks of unknown eap type 3
sh radius local-server s
Successes : 1 Unknown usernames : 0
Client blocks : 0 Invalid passwords : 0
Unknown NAS : 0 Invalid packet from NAS: 17
NAS : 172.27.44.1
Successes : 1 Unknown usernames : 0
Client blocks : 0 Invalid passwords : 0
Corrupted packet : 0 Unknown RADIUS message : 0
No username attribute : 0 Missing auth attribute : 0
Shared key mismatch : 0 Invalid state attribute: 0
Unknown EAP message : 0 Unknown EAP auth type : 17
Auto provision success : 0 Auto provision failure : 0
PAC refresh : 0 Invalid PAC received : 0
Can anyone suggest what I might be doing wrong?
Regs, TimThanks Nicolas, relevant snippets from config:
aaa new-model
aaa group server radius rad_eap
server 172.27.44.1 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
aaa authorization exec default local
aaa session-id common
dot11 ssid home
vlan 3
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
ip dhcp pool home
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 194.74.65.68 194.74.65.69
ip inspect name ethernetin tcp
ip inspect name ethernetin udp
ip inspect name ethernetin pop3
ip inspect name ethernetin ssh
ip inspect name ethernetin dns
ip inspect name ethernetin ftp
ip inspect name ethernetin tftp
ip inspect name ethernetin smtp
ip inspect name ethernetin icmp
ip inspect name ethernetin telnet
interface Dot11Radio0
no ip address
encryption vlan 1 mode ciphers aes-ccm tkip
encryption vlan 2 mode ciphers aes-ccm tkip
encryption vlan 3 mode ciphers aes-ccm tkip
broadcast-key vlan 1 change 30
broadcast-key vlan 2 change 30
broadcast-key vlan 3 change 30
ssid home
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
interface Dot11Radio0.3
encapsulation dot1Q 3
no cdp enable
bridge-group 3
bridge-group 3 subscriber-loop-control
bridge-group 3 spanning-disabled
bridge-group 3 block-unknown-source
no bridge-group 3 source-learning
no bridge-group 3 unicast-flooding
interface Vlan3
no ip address
bridge-group 3
interface BVI3
ip address 192.168.1.1 255.255.255.0
ip inspect ethernetin in
ip nat inside
ip virtual-reassembly
radius-server local
no authentication mac
nas 172.27.44.1 key 0 123456
user test1 nthash 0 B151E8FF684B4F376C018E632A247D84
user test2 nthash 0 F2EEAE1D895645B819C9FD217D0CA1F9
user test3 nthash 0 0CB6948805F797BF2A82807973B89537
radius-server host 172.27.44.1 auth-port 1812 acct-port 1813 key 123456
radius-server vsa send accounting -
We have configured following commands on switch to fallback to local Vlan if both radius server (policy persona's) is found dead. For test purpose we shutdown both servers (policy persona's) but fallback didn't work. We have 3750 switch running image 12.2(55)SE6 having following configuration.
We do not know whether we configured switch in proper way or do we need to modify it.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
aaa server radius dynamic-author
client 10.10.10.10 server-key 7 12345678 (Policy Persona 1)
client 10.10.10.11 server-key 7 12345678 (Policy Persona 2)
server-key 7 12345678
ip device tracking
epm logging
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius-server host 10.10.10.10 auth-port 1812 acct-port 1813 key 7 12345678 (Policy Persona 1)
radius-server host 10.10.10.11 auth-port 1812 acct-port 1813 key 7 12345678 (Policy Persona 2)
radius-server vsa send accounting
radius-server vsa send authentication
Port Configuration
interface GigabitEthernet0/1
switchport access vlan 305
switchport mode access
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 305
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
Please help....
ThanksTabish-
The pre-auth ACL that you have on your port is used for what's called a "Low-Impact" mode type of setup. With Low-Impact mode you are allowing services defined in the pre-auth ACL until the user/devices is authenticated. Once authenticated the pre-auth ACL gets replaced with the dACL/authorization policy that you have defined in the authorization profile. As a result, it is not possible to use "fail-open" configuration with low-impact as there is nothing to replace that pre-auth ACL since your NAD device(s) are unavailable.
If you want to use the "fail-open" features you will have to use the "High Securty/Closed Mode." In that mode you cannot utilize the pre-auth ACL and essentially only EPoL traffic is allowed on port until authenticated.
For more info you should reference the TrustSec design guide located at:
http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
Thank you for rating! -
Can't authenticate Mac VPN client from RADIUS server
Hello,
I'm a real noob here so please bear with me.
I have been able to configure my PIX 515E to allow VPN connections onto my network, but what I need to do is set up some sort of user authentication to control access at a user level. From what I've read here and in the Configuration Guide I should be able to do this authentication with a RADIUS server. I'm running a Corriente Networks Elektron Security server which has RADIUS server capabilities. It is running on my (inside) interface at IP 192.168.10.26.
I thought that I had everything configured properly but it never seems to authenticate. I connect, the XAUTH window pops up, I add my username and password as it's configured on my RADIUS server, but when I click OK it just cycles the progress bar at the bottom and eventually times out. The client log doesn't show me anything and the log on the RADIUS server shows me nothing. Any ideas? this seems like it should be simple because I can connect until I attempt to authenticate to the RADIUS server.
TIA for any direction you can provide me.
ChristineIf it helps, here is my config with a some of the non-related bits deleted:
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
enable password ********* encrypted
passwd ******* encrypted
hostname pixfirewall
domain-name acme.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol http 80
fixup protocol http 82
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
access-list inside_outbound_nat0_acl permit ip any 192.168.10.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host 192.168.10.26 192.168.10.192 255.255.255.224
access-list inside_outbound_nat0_acl permit ip host 192.168.10.69 192.168.10.192 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 192.168.10.0 255.255.255.0
access-list outside_cryptomap_dyn_40 permit ip any 192.168.10.192 255.255.255.224
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 207.XXX.XXX.130 255.255.255.0
ip address inside 192.168.10.1 255.255.255.0
ip address DMZ 192.168.100.1 255.255.255.0
multicast interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool CBI_VPN_Pool 192.168.10.201-192.168.10.220
pdm location 192.168.10.50 255.255.255.255 inside
pdm group CBI_Servers inside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 200 interface
global (DMZ) 200 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 200 192.168.10.0 255.255.255.0 0 0
static (inside,outside) 207.XXX.XXX.150 192.168.10.27 netmask 255.255.255.255 0 0
static (inside,outside) 207.XXX.XXX.132 192.168.10.26 dns netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 207.XXX.XXX.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server radius-authport 1812
aaa-server radius-acctport 1812
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.10.26 ************* timeout 10
aaa-server LOCAL protocol local
http server enable
http 192.168.10.3 255.255.255.255 inside
no floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
crypto map inside_map interface inside
isakmp enable outside
isakmp nat-traversal 3600
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Test_VPN address-pool CBI_VPN_Pool
vpngroup Test_VPN dns-server 142.77.2.101 142.77.2.36
vpngroup Test_VPN default-domain acme.com
vpngroup Test_VPN idle-time 1800
vpngroup Test_VPN authentication-server RADIUS
vpngroup Test_VPN user-authentication
vpngroup Test_VPN user-idle-timeout 1200
vpngroup Test_VPN password ********
ssh timeout 5
console timeout 0
dhcpd address 192.168.10.100-192.168.10.254 inside
dhcpd dns 142.77.2.101 142.77.2.36
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside -
SSL VPN IP Address Assignment from IAS radius server
Can I use SSL VPN IP Address Assignment from IAS radius server?it can be done with acs server.are there some differ from the acs and IAS?
Hi,
I will suggest to setup a sniffer capture with ACS and look for the attribute that ACS sends for IP Address Assignment, once you know the attribute apply it on the IAS.
If you have any question do not hesitate to contact me. -
I have an Script mostly that is generated by SSMS which works with-out issue on SQL Server 2008, but when I attempt to run it on a new fresh install of SQL Server 2012 I get an Msg 8631. Internal error: Server stack limit has been reached. Please look for
potentially deep nesting in your query, and try to simplify it.
The script itself doesn't seem to be all that deep or nested. The script is large 2600 lines and when I remove the bulk of the 2600 lines, it does run on SQL Server 2012. I'm just really baffled why something that SQL Server generated with very
few additions/changes AND that WORKS without issue in SQL Server 2008 R2 would suddenly be invalid in SQL Server 2012
I need to know why my script which is working great on our current SQL Server 2008 R2 servers suddenly fails and won't run on an new SQL Server 2012 server. This script is used to create 'bulk' Replications on a large number of DBs saving a tremendous
amount of our time doing it the manual way.
Below is an 'condensed' version of the script which fails. I have removed around 2550 lines of specific sp_addarticle statements which are mostly just copy and pasted from what SQL Management Studio 'scripted' for me went I when through the Replication
Wizard and told it to save to script.
declare @dbname varchar(MAX), @SQL nvarchar(MAX)
declare c_dblist cursor for
select name from sys.databases WHERE name like 'dbone[_]%' order by name;
open c_dblist
fetch next from c_dblist into @dbname
while @@fetch_status = 0
begin
print @dbname
SET @SQL = 'DECLARE @dbname NVARCHAR(MAX); SET @dbname = ''' + @dbname + ''';
use ['+@dbname+']
exec sp_replicationdboption @dbname = N'''+@dbname+''', @optname = N''publish'', @value = N''true''
use ['+@dbname+']
exec ['+@dbname+'].sys.sp_addlogreader_agent @job_login = N''DOMAIN\DBServiceAccount'', @job_password = N''secret'', @publisher_security_mode = 1, @job_name = null
-- Adding the transactional publication
use ['+@dbname+']
exec sp_addpublication @publication = N'''+@dbname+' Replication'', @description = N''Transactional publication of database
'''''+@dbname+''''' from Publisher ''''MSSQLSRV\INSTANCE''''.'', @sync_method = N''concurrent'', @retention = 0, @allow_push = N''true'', @allow_pull = N''true'', @allow_anonymous = N''false'', @enabled_for_internet
= N''false'', @snapshot_in_defaultfolder = N''true'', @compress_snapshot = N''false'', @ftp_port = 21, @allow_subscription_copy = N''false'', @add_to_active_directory = N''false'', @repl_freq = N''continuous'', @status = N''active'', @independent_agent = N''true'',
@immediate_sync = N''true'', @allow_sync_tran = N''false'', @allow_queued_tran = N''false'', @allow_dts = N''false'', @replicate_ddl = 1, @allow_initialize_from_backup = N''true'', @enabled_for_p2p = N''false'', @enabled_for_het_sub = N''false''
exec sp_addpublication_snapshot @publication = N'''+@dbname+' Replication'', @frequency_type = 1, @frequency_interval = 1, @frequency_relative_interval = 1, @frequency_recurrence_factor = 0, @frequency_subday = 8,
@frequency_subday_interval = 1, @active_start_time_of_day = 0, @active_end_time_of_day = 235959, @active_start_date = 0, @active_end_date = 0, @job_login = N''DOMAIN\DBServiceAccount'', @job_password = N''secret'', @publisher_security_mode = 1
-- There are around 2400 lines roughly the same as this only difference is the tablename repeated below this one
use ['+@dbname+']
exec sp_addarticle @publication = N'''+@dbname+' Replication'', @article = N''TABLE_ONE'', @source_owner = N''dbo'', @source_object = N''TABLE_ONE'', @type = N''logbased'', @description = null, @creation_script =
null, @pre_creation_cmd = N''drop'', @schema_option = 0x000000000803509F, @identityrangemanagementoption = N''manual'', @destination_table = N''TABLE_ONE'', @destination_owner = N''dbo'', @vertical_partition = N''false'', @ins_cmd = N''CALL sp_MSins_dboTABLE_ONE'',
@del_cmd = N''CALL sp_MSdel_dboTABLE_ONE'', @upd_cmd = N''SCALL sp_MSupd_dboTABLE_ONE''
EXEC sp_executesql @SQL
SET @dbname = REPLACE(@dbname, 'dbone_', 'dbtwo_');
print @dbname
SET @SQL = 'DECLARE @dbname NVARCHAR(MAX); SET @dbname = ''' + @dbname + ''';
use ['+@dbname+']
exec sp_replicationdboption @dbname = N'''+@dbname+''', @optname = N''publish'', @value = N''true''
use ['+@dbname+']
exec ['+@dbname+'].sys.sp_addlogreader_agent @job_login = N''DOMAIN\DBServiceAccount'', @job_password = N''secret'', @publisher_security_mode = 1, @job_name = null
-- Adding the transactional publication
use ['+@dbname+']
exec sp_addpublication @publication = N'''+@dbname+' Replication'', @description = N''Transactional publication of database
'''''+@dbname+''''' from Publisher ''''MSSQLSRV\INSTANCE''''.'', @sync_method = N''concurrent'', @retention = 0, @allow_push = N''true'', @allow_pull = N''true'', @allow_anonymous = N''false'', @enabled_for_internet
= N''false'', @snapshot_in_defaultfolder = N''true'', @compress_snapshot = N''false'', @ftp_port = 21, @allow_subscription_copy = N''false'', @add_to_active_directory = N''false'', @repl_freq = N''continuous'', @status = N''active'', @independent_agent = N''true'',
@immediate_sync = N''true'', @allow_sync_tran = N''false'', @allow_queued_tran = N''false'', @allow_dts = N''false'', @replicate_ddl = 1, @allow_initialize_from_backup = N''true'', @enabled_for_p2p = N''false'', @enabled_for_het_sub = N''false''
exec sp_addpublication_snapshot @publication = N'''+@dbname+' Replication'', @frequency_type = 1, @frequency_interval = 1, @frequency_relative_interval = 1, @frequency_recurrence_factor = 0, @frequency_subday = 8,
@frequency_subday_interval = 1, @active_start_time_of_day = 0, @active_end_time_of_day = 235959, @active_start_date = 0, @active_end_date = 0, @job_login = N''DOMAIN\DBServiceAccount'', @job_password = N''secret'', @publisher_security_mode = 1
-- There are around 140 lines roughly the same as this only difference is the tablename repeated below this one
use ['+@dbname+']
exec sp_addarticle @publication = N'''+@dbname+' Replication'', @article = N''DB_TWO_TABLE_ONE'', @source_owner = N''dbo'', @source_object = N''DB_TWO_TABLE_ONE'', @type = N''logbased'', @description = null, @creation_script
= null, @pre_creation_cmd = N''drop'', @schema_option = 0x000000000803509D, @identityrangemanagementoption = N''manual'', @destination_table = N''DB_TWO_TABLE_ONE'', @destination_owner = N''dbo'', @vertical_partition = N''false''
EXEC sp_executesql @SQL
fetch next from c_dblist into @dbname
end
close c_dblist
deallocate c_dblist
George P Botuwell, ProgrammerHi George,
Thank you for your question.
I am trying to involve someone more familiar with this topic for a further look at this issue. Sometime delay might be expected from the job transferring. Your patience is greatly appreciated.
Thank you for your understanding and support.
If you have any feedback on our support, please click
here.
Allen Li
TechNet Community Support
Maybe you are looking for
-
When frequently switching between mobile and desktop view
When I frequently switching between mobile and desktop view I have to open the layers every time since they get closed/collapsed. Adobe may need to fix it for the next version.
-
RRI - Jump query, unable to pass the variable value from source to target
Hi, I've a source query which has a variable on 0vendor, from this query i jump to another query for which i want to pass the this variable value, in the target query i've vendor in free characteristics (no filter or variable in there), and in RS
-
My G4 keeps freezing up. It sounds like it's spinning down. Sometimes preceding by a whiny clicking noise. Occasionaly it comes back to life but usually have to force shut down. Temperature is fine I have run disc utility and Zapped PRAM Have unpluug
-
Multiple WLC and AP secondary config
Hi all, we have 2 WLC, each licensed for 12 AP's. Here is the issue, we will have up to 20 Ap in our enviroment. No problem getting each AP assigned to a primary controller. My question is assinging an AP to a secondary. If I assign 10 AP's to each a
-
Am I missing something here? I have stacks set with groups of images, when those stacks are referenced in a collection the stacks are open and can not be closed? These images reside with in the same folder and are already stacked. I can see the possi