Cisco AAA/Identity/Nac :: 877 - Using CHAP With RADIUS Authentication

Jan 19, 2012

I have configured a Cisco 877 router to send RADIUS requests when a user logs in to the console (Line Console or Line VTY) using the following config:
 
aaa new-model
aaa authentication login default group radius
aaa authentication ppp default group radius
 
radius-server host 10.0.0.1 auth-port 1812 acct-port 1812 key mysharedkey
 
When I log the RADIUS packets I see that the Cisco router is sending the initial AccessRequest using PAP.
 
How can I configure the router to send it's inial AccessRequest packet using CHAP?

View 5 Replies


ADVERTISEMENT

AAA/Identity/Nac :: Get ASA 5510 To Use CHAP Via RADIUS Authentication?

Jan 13, 2012

I've setup my ASA 5510 to use AAA to my Windows Server 2008 NAP. After many hours of troubleshooting I got my setup to work. The only thing I'm not satsified with at the moment is, that RADIUS is using PAP for communicating between ASA5510 and W2K8/NAP.I've tried ticking the box "Microsoft CHAPv2 Capable" box under Users/AAA => AAA Server Groups => Edit AAA Server.From EventViewer on W2K8/NAP I get Event ID 6278 and 6272., see attached filehow I change from the PAP to the CHAP protocol?
 
PS: ASA 5510 running ASA version 8.2(4) and ASDM version 6.3(5)

View 4 Replies View Related

AAA/Identity/Nac :: IPS / IDS Authentication With Cisco Radius ACS 5.2

Nov 22, 2011

I have been trying to get our IPS (ASA-SSM-10 and 4260) to authenticate with Cisco Radius ACS 5.2 and they are not working. However, I was able to get them working with Microsoft Radius. Below is the logs from the IPS:
  
evStatus: eventId=1321566464942057375 vendor=Cisco  originator:    hostId: NACAIRVIDLAB1    appName: authentication    appInstanceId: 350  time: 2011/11/23 17:50:38 2011/11/23 09:50:38 GMT-08:00  controlTransaction:

[Code].....

View 0 Replies View Related

Cisco AAA/Identity/Nac :: Radius Authentication In ACS 5.2 With AD

Mar 10, 2011

I have a questión about radius authenticaction with AD, when I log in into the network with user in AD and I make a mistake in password my radius authenticaction event in ACS 5.2 dont show me this logg. only show the authentication succeeded but dont show me the authentication failed. Maybe i must to enable same service to show the authentiaction failed. The Voice authetication works fine..
 
This is the confg in the port of the switch:
 
interface FastEthernet0/12 switchport mode access switchport access vlan 2 switchport voice vlan 10 authentication port-control auto authentication host-mode multi-domain authentication violation protect authentication event fail action authorize vlan 11 authentication event fail retry 2 action authorize vlan 11 authentication event no-response action authorize vlan 11 authentication periodic authentication timer reauthenticate 60 mab dot1x pae authenticator dot1x timeout tx-period 10 dot1x max-reauth-req 3 spanning-tree portfast end
 
Vlan 2: DATA
Vlan 10: VOICE
Vlan 11: GUEST

View 1 Replies View Related

AAA/Identity/Nac :: ACS 4.2 Radius Authentication For SSL VPN Users

Dec 22, 2012

Using Cisco ASA I want the  ssl clientless vpn users to be authenticated through a local Radius-Server. but it does not work, and on asa while i want to see (Debug Radius) output, there is no debuging msgs displayed.    When i try to test the user which i have created on the ACS-Server 4.2,  the test gets successful.  where i have made a mistake in my configuration ?

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 Authentication Radius Juniper NSM?

May 24, 2011

I am trying to authenticate on Juniper NSM express using cisco ACS 5.2.  The request is arriving at the cisco ACS but i am getting the following error.RADIUS requests can only be processed by Access Services that are of type Network Access.

View 4 Replies View Related

Cisco AAA/Identity/Nac :: ACS 4.0.2 Radius Authentication Setup

Jan 9, 2012

I am having ACS 4.0.2 in my network, which I want to use for 802.1x Radius Authentication for Clients on PEAP-MSCHAPv2 methodology.As per the documentation " EAP Authentication with RADIUS Server",  Doc ID: 44844.I have configured Network Configuration and populated AAA client IP range and Secret Key.
 
Question1: Under Authenticate Using option, there are various RADIUS flavors available for selection. For a Non Cisco AAA client, should I select RADIUS IETF?

Question 2: In the above snap shot, It has an option called Global Authentication Setup, where we can setup EAP configuration. Under PEAP subsection there is an option to "Allow EAP-MSCHAPv2" check box.After checking that, is a restart required to the ACS Server? Would it cause any disruptions to the existing services on the ACS?

View 3 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 For Wireless Authentication Using Radius?

Jul 4, 2012

how to setup ACS 5.3 to authenticate wireless users over radius? I currently have the SSID pointing to a Microsoft IAS server and would like to move the authentication to be done via ACS.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 - Guest NAC Radius Authentication

Oct 31, 2010

For some reason, i can't get the lobby "sponsors" to authentication to the Guest NAC server (2.0.2) using ACS 5.2 via Radius.I was able to figure out how to get the Guest NAC Radius Authentication for "Administrator" to work by adding custom Radius value IEFT-6 under...
 
Policy ElementsAuthorization & permissionsNetwork AccessAuthorization Profiles 
I added a policy & under the Radius Attributes Tab... I manually entered an Attribute that looks like the following:
Dictionary Type: = RADIUS-IETFRadius Attribute: = Service-TypeAttribute Type: = EnumerationAttribute Value: = StaticValue = "Administrative"   
I then created an Access Policy... I looked for a specific AD group - Result = "Name of Custom Policy Above"...
 
All of that is working just fine.... the NAC Guest Docs tell you the Radius server must return a value of IETF-6...
 
When it gets into the Sponsor section, it doesn't tell you the value your Radius server should return... so just for grins, instead of "Name of Custom Policy Above", I tried "Permit Access"... i tried the "Name of Custom Policy above"...  Not sure what else to try to get this to work...
 
here is a like to the document i'm following: URL
 
Page 68 refers to the "Configuring Sponsor Authentication" for Radius.. it just tell you to add the Radius Server & change the authentication order.

View 9 Replies View Related

AAA/Identity/Nac :: Juniper Netscreen Radius Authentication With ACS 5.1

Jun 3, 2011

Several of my older netscreen devices only support radius authentication and I'm having trouble migrating them from ACS 4.2 to ACS 5.1. When I try to authenticate, the authentication passes in ACS but it doesn't log you into the Netscreen (you see a auth failure in the Netscreen logs). I believe that the custom attributes are not being passed from ACS to the Netscreen. The custom attribute we are trying to pass is "NS-Admin-Privilege" with type integer and a value of 2. The netscreen is setup so that the user privledges are obtained from the ACS server.
 
Any setup where they are using Cisco radius authentication to authenticate Netscreen devices?

View 2 Replies View Related

Cisco AAA/Identity/Nac :: Radius Authentication With ISE And Nexus 7000

Mar 24, 2013

i am trying to assign a right role for a user who authenticates to nexus 7k switch via radius. i am using cisco ISE version 1.1.1.268 and the nexus version is    5.0.2,I have created a role on nexus.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: Nexus 7009 Using Radius Authentication?

Mar 13, 2012

I have setup my radius server access on the Nexus but am unable to authenticate through putty. If I do a radius-server test on the Nexus it says I authenticate. Here is the log I am getting.
 
 2012 Mar 14 16:03:21 switch-a %AUTHPRIV-4-SYSTEM_MSG: pam_unix(aaa:auth): check
pass; user unknown - aaad

[Code].....

View 1 Replies View Related

Cisco AAA/Identity/Nac :: WS-CBS3130X-S-F / Get Authentication For HTTP To Use Radius?

Mar 19, 2012

I am trying to get AAA authentication for HTTP to use radius, and seem to be having problems with setting the priviledge level. It works fine with SSH login, but doesn't work with web management. The model is a WS-CBS3130X-S-F running 12.2(58)SE1 with http version 1.001.002...
 
Config is as follows:
 
aaa new-model
aaa authentication login VTYSandHTTP group radius local
aaa authorization exec VTYSandHTTP group radius local
ip http server
ip http authentication aaa login-authentication VTYSandHTTP

[code]...
 
This is what I get when I try to log on to HTTP
 
HTTP AAA Login-Authentication List name: VTYSandHTTP
HTTP AAA Login-Authentication List name: VTYSandHTTP
HTTP: Authentication failed for level 15

View 3 Replies View Related

Cisco AAA/Identity/Nac :: Radius Authentication Failed On 6509

Jan 29, 2012

I have configured Radius authentication on Windows 2008 server (NPS)  The following configuration is working perfectly on Cisco Switch 3560. [code]But, the same configuration is not working on Cisco Catlyst Switch 6509 (C3560-IPBASEK9-M), Version 12.2(46)SE, RELEASE SOFTWARE (fc2)/

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 RADIUS Network Device Authentication

Apr 19, 2011

I am trying to integrate Cisco ACS 5.2 in a network to do device authentication of switches for administrators.

I am not sure if Cisco ACS 5.2 support RADIUS protocol to do device authentication. In the configuration of the Cisco ACS 5.2 I can only see TACACS authentication for device authentication and  I have configured it and it works. If CISCO ACS 5.2 supports RADIUS auth for device authentication?

View 1 Replies View Related

Cisco AAA/Identity/Nac :: AP 3500 - 802.1x Wireless Authentication Against RADIUS Authenticator?

Nov 1, 2012

Would like to check out some client side setting on Wireless 802.1x authenticaiton.
 
Network setup is using

- Cisco WLC 7.2 and AP3500,
- ACS 5.3
- Microsoft Windows server 2008 hosting AD and CA services (same machine)
- Client OS is Microsoft Window 7.
 
Authentication mehtod would use PEAP-MSChap V2 Combo.
  
My question :
 
01. In AD environment, should ACS 5.3 be part of the domain computer?
 
02. To have secure connectivity, IF the security policy force client to check "Validate server certificate", which certificate it is look for? Is it ACS's identity certifate, that require CA server to sign on the CSR?
 
03. Back to client side, should the client also need to import this certificate in trusted root certification authorities?
 
Or the client will trust ACS identity certificate against the root CA certificate store at client's trusted root certification authorities, where they have the identical issuer?
 
04. Extra question: If no CA environment, would it be sufficient simply export ACS self-signed certificate and import to client computer, and it's trusted?

View 3 Replies View Related

Cisco AAA/Identity/Nac :: Http Radius Authentication Fail In 12.2.58 And 15.0.1 For 2960

Aug 18, 2011

Find here the extraction of the configuration and the debug sysout. The radius servers works fine with all the other accesss like ssh, telnet...
 
Just the http access fail. This configuration work fine with the version 12.2.55 installed before.
  
Aaa new-model
aaa authentication login default group radius local
aaa authentication login physique local

[Code].....

View 2 Replies View Related

Cisco :: Chap Authentication Not Working

Apr 3, 2012

im having trauble when using chap as authentication for my two routers, i dont know whether my configuration is wrong or not.Is theres anything wrong with the configuration ??note : both routers are c2961

View 11 Replies View Related

Cisco :: CHAP Authentication / One-Way Hash

Jun 17, 2012

How the one-way hash is generated given the challenge number and shared secret password?It's just that I was reading Cisco 3 chapter 7, and it doesn't explicitly outline how the one-way hash is actually generated, it simply states that it is generated given the challenge number (randomly generated for every challenge message) and the shared secret password.

View 1 Replies View Related

AAA/Identity/Nac :: ACS 5.3 RADIUS Authentication Based On IMESI & MSISDN Attributes

Jan 9, 2012

I'm trying to find out the options for authenticating remote users via IMEI and MISDN values via ACS 5.3/I'm unfamiliar with the Radius attribute options here and what kind of request/response we can utilise.  Also previously I could define IP pools on ACS 4 but can't seem to do that now.  Is there a way have ACS 5.3 to provide a DHCP server address for the connection ?

View 6 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 RADIUS Authentication Failing / Active Directory Agent

Mar 3, 2012

I'm somewhat new to ACS and am trying to complete a migration from 4 to 5.3.Currently, I've got ACS joined to my (2003) domain, and it shows status connected (although the test connect fails). I have aaa working without issue for TACACS, but all RADIUS authentication is currently failing. Logs show the message below:  "24401 could not establish connection with acs active directory agent"I'm not seeing anything telling in the logs on the domain controllers.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: 3750 / Get RADIUS Setup For Authentication To Switches And Routers?

Sep 19, 2012

We are setting up a new office and I am trying to get RADIUS setup for authentication to my switches and routers.  Currently I am working on a 3750 running IOS 15 and getting hung on what I think on something small.  I have attached my Microsoft NPS Network Policy.  Below is my IOS config:
 
aaa group server radius corp-radius
server 10.15.10.20 auth-port 1812 acct-port 1813
!
aaa authentication login default group corp-radius local
aaa authentication login radius-localfallback group corp-radius enable
aaa authorization exec default group radius

[code]....

View 4 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 RADIUS Authentication Based On IMEI And MSISDN Attributes

Apr 19, 2011

I've been working on trying to get RADUIS authentication working for devices connecting to our corporate mobile APN.  Out APN provider sends us Username & Password attributes which I can authenticate fine using ACS 5.2 but I'm having a problem using other attributes sent in the Access-Request.  We have mobile SIM cards with an MSISDN value match with a physical device with an IMEI value.  The SIM cards cannot be used in other devices, only their matched device.  The provider passes us the MSISDN attribute under RADIUS-IETF 31 and the IMEI under a VSA of 3GPP-IMEI
 
What is the best way of being able to authenticate a user and match the MSISDN and IMEI associated to that user?

View 1 Replies View Related

Cisco WAN :: 3845 PPP Authentication Failed With Ms-chap-v2

Dec 20, 2012

I'm trying to connect to ISP with PPPoE method using Cisco 861 equip. On the other side Cisco 3845 BRAS.Session fails at authentication phase. Authentication protocol chosen by routers is ms-chap-v2. Chap supported also. [code]

View 2 Replies View Related

Linksys Wireless Router :: WRT54G V6 - ISP Requires PAP Or CHAP Authentication?

Sep 9, 2011

My ISP here at my mother's in Italy (www.teletu.it) gave me the following configuration:
 
1. Supported Protocol: PPPoE or PPPoA

2. VPI: 8

3. VCI: 35

4. Encapsulation: LLC (If not supported: VCMUX/NULL)

5. Modulation: Multimode

6. Authentication Protocol: PAP or CHAP
 
if I connect my laptop to the ADSL modem, it all works just fine and I can connect to the internet (as you can see )
 
HOWEVER, if I then try to configure my WRT54G v6 to use this internet connection (I NEED to be wireless here, or I won't be able to use my iPhone and iPad), there is no way apparently for me to configure the Encapsulation, Modulation, and Authentication Protocol above. I just upgraded my WRT54G's firmware, and am now running firmware Ver.1.02.8, 10/05/2009. I was hoping this would allow me to set these parameters, but I can't find a way.
 
I tried just configuring the WRT54G with PPPoE and the ISP's userId/password, but this doesn't seem to suffice, and I don't see any other settings I could try.

View 3 Replies View Related

Cisco AAA/Identity/Nac :: Configure Radius Authentication Across Site-to-site VPN For ASA 5510-01 For Remote Access?

Jun 28, 2012

I am attempting to configure Radius authentication accross a site-to-site VPN for my ASA 5510-01 for remote access.
 
 ASA5510-1 currently has a live site to site to ASA5510-2.
 
ASA 5510-1 - 10.192.0.253
 
ASA 5510-2 - 172.16.102.1
 
DC - 172.16.102.10
 
ASA5510-01 can ping the DC and vica versa but is unable to authticate when i perform a test. ASA5510-01 can authenticate to a DC on it;s own LAN but not on the remote LAN that DC sits on.
 
I have double checked the 'Server Secret Key' and ports as well as various users which all work locallly. ASA5510-02 authenticates to DC with no problems.

View 3 Replies View Related

Cisco AAA/Identity/Nac :: 7200 Default Network Access And CHAP

Feb 12, 2012

I am configuring some of my devices to use CHAP when their backup ISDN interface dials out to the 7200 concentrator node. I wan the CHAP requests to hit our ACS 5.2 appliances and be authenticated via this method. I have built a rule for 'Default netowrk access' which specifies these devices only however when I bring up the ISDN call the process fails. When I look at the logs it doesn't give an error reason but it does say that it failed on one of the rules in the 'default device admin' rule set.I even went to the bother of specifying a single IP address of one of the ISDN backup devices but the result is always the same.

View 3 Replies View Related

Cisco VPN :: SSL VPN Authentication Using Radius ASA 8.4

Apr 25, 2011

I am running ASA version 8.4(1), and anyconnect version 3.0.1047. My SSL VPN works fine, but i run into an issue with one user . his account did not work , and everytime users logged in it got this message "VPN Server could not parse request".
 
I found the problem after getting a user information meaning his username and password. His password had "&" as one of the special characters. when we change it to something that does not have that , it works just fine.
 
We are using microsoft NPS server as radius. but when i run a test within CLI it works just fine, only when anyconnect asks to authenticate it fails.

View 5 Replies View Related

Cisco :: Radius Authentication Time

Aug 6, 2012

Any software to measure Authentication time between client and Radius serverr.

View 8 Replies View Related

Cisco :: WCS 7.0.220.0 Authentication With RADIUS Microsoft NPS?

Nov 14, 2011

I'm running WCS 7.0.220.0.I would like to authenticate users that are able to logon the WCS, through MS Network Policy Service (RADIUS).I would like all my domain users to be member of the local group on the WCS "Lobby Ambassador", so all domain users has access to generate guest access accounts, for the web auth... I can see under the WCS Administration under AAA that it should be able to use RADIUS - but i'm not sure how to setup the NPS policy?

View 1 Replies View Related

Cisco :: Can't Do Radius Authentication Via WLC 4400

Jan 3, 2013

I am configuring an old WLC4400 with V4.2.130.0. I added a new sub-interface for VLAN 50 with proper IP for the subnet and then add the Radius server(Windows server 2008 with NPS) onto WLC4400. I then created new WLAN with WPA+WPA2 Encryption and 802.1x key management and selected the Radius server under AAA for authentication.
 
Configured the test XP with WPA-Enterprise and PEAP as EAP method. I purposely configured computer to prompt for username and password.
 
When I try to connect, I did get prompt for username and password. However after that nothing happens. It seems like laptop just keep trying to authenticate.
 
I checked windows event log and do not see anything under NPS. I know this windows server NPS setup works as it is also the authentication server for our remotevpn.
 
is there any special option I need to turn on for WLC in order for Radius authentication work? Or is there any known bug with V4.2.130.

View 13 Replies View Related

Cisco VPN :: ASA 5520 VPN With Radius Authentication?

Aug 11, 2011

I'm in the process of moving some of our remote access vpn to an asa5520 and anyconnect.
 
The problem I've come across is that when using radius as authentication, I choose any one of my connection profiles in anyconnect and log in with any username regardless of the group on radius.
 
How do I map the connection profile to a group on radius so that i can separate the users?

View 1 Replies View Related

Cisco Firewall :: Getting ASA 5510 Radius Authentication

May 17, 2011

I have a 5510 authenticating successfully with a RADIUS server.  I'm using it for VPN authentication and it works great.  I would also like to do this for administrator access to the ASA.  When I turn it on though, any authentication for VPN access is also granted administrative access to the ASA.  Obviously, I need to limit that to a select few users. 

View 1 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved