how to setup ACS 5.3 to authenticate wireless users over radius? I currently have the SSID pointing to a Microsoft IAS server and would like to move the authentication to be done via ACS.
View 1 Replies
Would like to check out some client side setting on Wireless 802.1x authenticaiton.
Network setup is using
- Cisco WLC 7.2 and AP3500,
- ACS 5.3
- Microsoft Windows server 2008 hosting AD and CA services (same machine)
- Client OS is Microsoft Window 7.
Authentication mehtod would use PEAP-MSChap V2 Combo.
My question :
01. In AD environment, should ACS 5.3 be part of the domain computer?
02. To have secure connectivity, IF the security policy force client to check "Validate server certificate", which certificate it is look for? Is it ACS's identity certifate, that require CA server to sign on the CSR?
03. Back to client side, should the client also need to import this certificate in trusted root certification authorities?
Or the client will trust ACS identity certificate against the root CA certificate store at client's trusted root certification authorities, where they have the identical issuer?
04. Extra question: If no CA environment, would it be sufficient simply export ACS self-signed certificate and import to client computer, and it's trusted?
I have been trying to get our IPS (ASA-SSM-10 and 4260) to authenticate with Cisco Radius ACS 5.2 and they are not working. However, I was able to get them working with Microsoft Radius. Below is the logs from the IPS:
evStatus: eventId=1321566464942057375 vendor=Cisco originator: hostId: NACAIRVIDLAB1 appName: authentication appInstanceId: 350 time: 2011/11/23 17:50:38 2011/11/23 09:50:38 GMT-08:00 controlTransaction:
[Code].....
I have a questión about radius authenticaction with AD, when I log in into the network with user in AD and I make a mistake in password my radius authenticaction event in ACS 5.2 dont show me this logg. only show the authentication succeeded but dont show me the authentication failed. Maybe i must to enable same service to show the authentiaction failed. The Voice authetication works fine..
This is the confg in the port of the switch:
interface FastEthernet0/12 switchport mode access switchport access vlan 2 switchport voice vlan 10 authentication port-control auto authentication host-mode multi-domain authentication violation protect authentication event fail action authorize vlan 11 authentication event fail retry 2 action authorize vlan 11 authentication event no-response action authorize vlan 11 authentication periodic authentication timer reauthenticate 60 mab dot1x pae authenticator dot1x timeout tx-period 10 dot1x max-reauth-req 3 spanning-tree portfast end
Vlan 2: DATA
Vlan 10: VOICE
Vlan 11: GUEST
Using Cisco ASA I want the ssl clientless vpn users to be authenticated through a local Radius-Server. but it does not work, and on asa while i want to see (Debug Radius) output, there is no debuging msgs displayed. When i try to test the user which i have created on the ACS-Server 4.2, the test gets successful. where i have made a mistake in my configuration ?
View 2 Replies View RelatedI am trying to authenticate on Juniper NSM express using cisco ACS 5.2. The request is arriving at the cisco ACS but i am getting the following error.RADIUS requests can only be processed by Access Services that are of type Network Access.
View 4 Replies View RelatedI am having ACS 4.0.2 in my network, which I want to use for 802.1x Radius Authentication for Clients on PEAP-MSCHAPv2 methodology.As per the documentation " EAP Authentication with RADIUS Server", Doc ID: 44844.I have configured Network Configuration and populated AAA client IP range and Secret Key.
Question1: Under Authenticate Using option, there are various RADIUS flavors available for selection. For a Non Cisco AAA client, should I select RADIUS IETF?
Question 2: In the above snap shot, It has an option called Global Authentication Setup, where we can setup EAP configuration. Under PEAP subsection there is an option to "Allow EAP-MSCHAPv2" check box.After checking that, is a restart required to the ACS Server? Would it cause any disruptions to the existing services on the ACS?
I have configured a Cisco 877 router to send RADIUS requests when a user logs in to the console (Line Console or Line VTY) using the following config:
aaa new-model
aaa authentication login default group radius
aaa authentication ppp default group radius
radius-server host 10.0.0.1 auth-port 1812 acct-port 1812 key mysharedkey
When I log the RADIUS packets I see that the Cisco router is sending the initial AccessRequest using PAP.
How can I configure the router to send it's inial AccessRequest packet using CHAP?
For some reason, i can't get the lobby "sponsors" to authentication to the Guest NAC server (2.0.2) using ACS 5.2 via Radius.I was able to figure out how to get the Guest NAC Radius Authentication for "Administrator" to work by adding custom Radius value IEFT-6 under...
Policy ElementsAuthorization & permissionsNetwork AccessAuthorization Profiles
I added a policy & under the Radius Attributes Tab... I manually entered an Attribute that looks like the following:
Dictionary Type: = RADIUS-IETFRadius Attribute: = Service-TypeAttribute Type: = EnumerationAttribute Value: = StaticValue = "Administrative"
I then created an Access Policy... I looked for a specific AD group - Result = "Name of Custom Policy Above"...
All of that is working just fine.... the NAC Guest Docs tell you the Radius server must return a value of IETF-6...
When it gets into the Sponsor section, it doesn't tell you the value your Radius server should return... so just for grins, instead of "Name of Custom Policy Above", I tried "Permit Access"... i tried the "Name of Custom Policy above"... Not sure what else to try to get this to work...
here is a like to the document i'm following: URL
Page 68 refers to the "Configuring Sponsor Authentication" for Radius.. it just tell you to add the Radius Server & change the authentication order.
Several of my older netscreen devices only support radius authentication and I'm having trouble migrating them from ACS 4.2 to ACS 5.1. When I try to authenticate, the authentication passes in ACS but it doesn't log you into the Netscreen (you see a auth failure in the Netscreen logs). I believe that the custom attributes are not being passed from ACS to the Netscreen. The custom attribute we are trying to pass is "NS-Admin-Privilege" with type integer and a value of 2. The netscreen is setup so that the user privledges are obtained from the ACS server.
Any setup where they are using Cisco radius authentication to authenticate Netscreen devices?
I've setup my ASA 5510 to use AAA to my Windows Server 2008 NAP. After many hours of troubleshooting I got my setup to work. The only thing I'm not satsified with at the moment is, that RADIUS is using PAP for communicating between ASA5510 and W2K8/NAP.I've tried ticking the box "Microsoft CHAPv2 Capable" box under Users/AAA => AAA Server Groups => Edit AAA Server.From EventViewer on W2K8/NAP I get Event ID 6278 and 6272., see attached filehow I change from the PAP to the CHAP protocol?
PS: ASA 5510 running ASA version 8.2(4) and ASDM version 6.3(5)
i am trying to assign a right role for a user who authenticates to nexus 7k switch via radius. i am using cisco ISE version 1.1.1.268 and the nexus version is 5.0.2,I have created a role on nexus.
View 1 Replies View RelatedI have setup my radius server access on the Nexus but am unable to authenticate through putty. If I do a radius-server test on the Nexus it says I authenticate. Here is the log I am getting.
2012 Mar 14 16:03:21 switch-a %AUTHPRIV-4-SYSTEM_MSG: pam_unix(aaa:auth): check
pass; user unknown - aaad
[Code].....
I am trying to get AAA authentication for HTTP to use radius, and seem to be having problems with setting the priviledge level. It works fine with SSH login, but doesn't work with web management. The model is a WS-CBS3130X-S-F running 12.2(58)SE1 with http version 1.001.002...
Config is as follows:
aaa new-model
aaa authentication login VTYSandHTTP group radius local
aaa authorization exec VTYSandHTTP group radius local
ip http server
ip http authentication aaa login-authentication VTYSandHTTP
[code]...
This is what I get when I try to log on to HTTP
HTTP AAA Login-Authentication List name: VTYSandHTTP
HTTP AAA Login-Authentication List name: VTYSandHTTP
HTTP: Authentication failed for level 15
I have configured Radius authentication on Windows 2008 server (NPS) The following configuration is working perfectly on Cisco Switch 3560. [code]But, the same configuration is not working on Cisco Catlyst Switch 6509 (C3560-IPBASEK9-M), Version 12.2(46)SE, RELEASE SOFTWARE (fc2)/
View 2 Replies View RelatedI am trying to integrate Cisco ACS 5.2 in a network to do device authentication of switches for administrators.
I am not sure if Cisco ACS 5.2 support RADIUS protocol to do device authentication. In the configuration of the Cisco ACS 5.2 I can only see TACACS authentication for device authentication and I have configured it and it works. If CISCO ACS 5.2 supports RADIUS auth for device authentication?
Find here the extraction of the configuration and the debug sysout. The radius servers works fine with all the other accesss like ssh, telnet...
Just the http access fail. This configuration work fine with the version 12.2.55 installed before.
Aaa new-model
aaa authentication login default group radius local
aaa authentication login physique local
[Code].....
I'm trying to find out the options for authenticating remote users via IMEI and MISDN values via ACS 5.3/I'm unfamiliar with the Radius attribute options here and what kind of request/response we can utilise. Also previously I could define IP pools on ACS 4 but can't seem to do that now. Is there a way have ACS 5.3 to provide a DHCP server address for the connection ?
View 6 Replies View RelatedI'm somewhat new to ACS and am trying to complete a migration from 4 to 5.3.Currently, I've got ACS joined to my (2003) domain, and it shows status connected (although the test connect fails). I have aaa working without issue for TACACS, but all RADIUS authentication is currently failing. Logs show the message below: "24401 could not establish connection with acs active directory agent"I'm not seeing anything telling in the logs on the domain controllers.
View 1 Replies View RelatedWe are setting up a new office and I am trying to get RADIUS setup for authentication to my switches and routers. Currently I am working on a 3750 running IOS 15 and getting hung on what I think on something small. I have attached my Microsoft NPS Network Policy. Below is my IOS config:
aaa group server radius corp-radius
server 10.15.10.20 auth-port 1812 acct-port 1813
!
aaa authentication login default group corp-radius local
aaa authentication login radius-localfallback group corp-radius enable
aaa authorization exec default group radius
[code]....
I've been working on trying to get RADUIS authentication working for devices connecting to our corporate mobile APN. Out APN provider sends us Username & Password attributes which I can authenticate fine using ACS 5.2 but I'm having a problem using other attributes sent in the Access-Request. We have mobile SIM cards with an MSISDN value match with a physical device with an IMEI value. The SIM cards cannot be used in other devices, only their matched device. The provider passes us the MSISDN attribute under RADIUS-IETF 31 and the IMEI under a VSA of 3GPP-IMEI
What is the best way of being able to authenticate a user and match the MSISDN and IMEI associated to that user?
I am attempting to configure Radius authentication accross a site-to-site VPN for my ASA 5510-01 for remote access.
ASA5510-1 currently has a live site to site to ASA5510-2.
ASA 5510-1 - 10.192.0.253
ASA 5510-2 - 172.16.102.1
DC - 172.16.102.10
ASA5510-01 can ping the DC and vica versa but is unable to authticate when i perform a test. ASA5510-01 can authenticate to a DC on it;s own LAN but not on the remote LAN that DC sits on.
I have double checked the 'Server Secret Key' and ports as well as various users which all work locallly. ASA5510-02 authenticates to DC with no problems.
I try to setup a 1141 aironet AP to authenticate my user through our Ms Radius Server ( Win 2008 R2).Everything is fine with small Bussiness AP WAP4410N with the following configuration:But I can't setup successfully the aironet 1141 with the same settings and getting it works.Here is my configuration for the Aironet 1141 Vlan 1 is the ssid I want to get it work with Radius.
View 1 Replies View RelatedI have a Cisco C1140 Ap. I have cnfigured the device. Initially for testing i used WPA and authenticated locally. I have now setup a radius server and added my AP in as a client etc. I have changed my SSID's to authenticate with the radius server and i am having issues authenticating.I can connect via a PC and an iphone. They say that i am connected but i get no ip address and the debugs.
View 1 Replies View RelatedI'm working on a project where a wi-fi client is tracked and located using RADIUS authentication requests. The problem I'm running into is that the WLC (5508) sends an RADIUS authentication request to my freeradiusd, which is ok so far, but if the client roams to another accesspoint (3602AG, 1131AG, 1252AG), the WLC does not send a further RADIUS auth. request - and the client is allowed to connect to the next ap.Is there an option like RADIUS-cache which I can disable, so that the WLC sends everytime an authentication request when a client tries to connect to an ap or roams from one ap to another one?
View 4 Replies View RelatedI configured the 2504 with 2 SSIDs for staffs and guests.I also configured the Lobby admin with web auth. But if a guest wants to connect our wireless he/she has to enter the PSK key and then only they are able to connect with the user id and password given by Lobby admin. Can we avoid this key and let the guests connect straightaway with the web auth?I’m planning to configure 802.1x & Radius dual authentication for staffs SSID..
View 5 Replies View RelatedI am setting up a WIFI network with a Cisco 5508 controller. I want to configure a first WIFI network (WIFI1) that will authenticate my business laptop based on the AD computer accounts and will access my corporate network.I want to setup a second WIFI network (WIFI2) that will authenticate my phones and tablets devices with AD user accounts and will be on a separate vlan with only access to the Internet.I created 2 policies on the Radius server : one that authenticate computers coming from wireless and a second one authenticating users coming from wireless.
if a user manually creates the WIFI1 network on his phone and enter his AD username, he is going to have access to the corporate network. I would like to be able to say that when a request is coming from WIFI1, only the policy for authenticating wireless devices with computer accounts will apply and the second policy authenticating user wouldn't apply.
Below is he output from debug radius authentication from my AP.
I can see request is forwarding from AP to radius but Radius is not sending any response.Not sure why its not responding.
I also did not under stand few out outputs also
no sg in radius-timers and
RADIUS/DECODE: parse response no app start; FAIL
what does it mean.
I restarted radius server , changed secret key but no luck.
019639: May 1 16:15:08.727: RADIUS: User-Name [1] 32 "host/3KYGRH1.idcap.intdata.com"
019640: May 1 16:15:08.727: RADIUS: Framed-MTU [12] 6 1400
019641: May 1 16:15:08.727: RADIUS: Called-Station-Id [30] 16 "0012.01d6.f691"
[Code]...
i am trying to connect clients to my AP1231 which is running C1200 Software (C1200-K9W7-M), Version 12.3(8)JED. Client authentication is against RADIUS server. [code]
View 3 Replies View RelatedI'm fighting for a few days now to setup the captive portal of 2 wireless access point WAP321. I was able to make it work with local user authentication but now, I want to manage my guest users on active directory. So I setup the captive portal to authentication user with NPS on Windows 2011 SBS.
The problem is that my guest SSID in not encrypted, so the NPS server do not let me login. I try to setup the NPS server like that :
Uncrypted authentification (PAP, SPAP)
Service-Type : Login
Can we enable ssh on 3500 /3600 APs along with use radius for login authentication? idea here is to that ssh will provide another method to access the AP for troubleshooting purposes.I know with autonomous mode APs this should not be an issue but not sure with lightweight APs.
View 2 Replies View RelatedI am running ASA version 8.4(1), and anyconnect version 3.0.1047. My SSL VPN works fine, but i run into an issue with one user . his account did not work , and everytime users logged in it got this message "VPN Server could not parse request".
I found the problem after getting a user information meaning his username and password. His password had "&" as one of the special characters. when we change it to something that does not have that , it works just fine.
We are using microsoft NPS server as radius. but when i run a test within CLI it works just fine, only when anyconnect asks to authenticate it fails.
Any software to measure Authentication time between client and Radius serverr.
View 8 Replies View Related
