Cisco AAA/Identity/Nac :: Configuring 802.1x With ACS 4.2 (RADIUS)?

Mar 25, 2013

I am trying to configure AAA authentication and authorization with Cisco 3725 (IOS 12.4(17)) for 802.1x and ACS 4.2 with VLAN assignment to my Windows XP client. (trying to assign VLAN 100 in my scenario).When user connects to the Router, it passes the authentication process (EAP-MD5). In my debug i see that Router recieves the Radius Attributes BUT does not apply anything!My running config:

Building configuration... 
Current configuration : 1736 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec

[code]......
 
As a result the vlan-switch data based does not change.

View 3 Replies


ADVERTISEMENT

AAA/Identity/Nac :: Configuring AAA Network Client On ACS V5.1 Using Same Radius

Feb 6, 2012

I was wondering if i should use the same RADIUS VSA attribute on ACS v5.1 to authenticate AAA clients as those i was using on my old  ACS v3.3 server.

Example : under ACS v3.3 i was using RADIUS (Cisco Aironet) attribute to authenticate AP & WLC, should i do the same under ACS v5.1 ?

View 2 Replies View Related

Cisco :: Configuring RADIUS Server For It?

Jan 25, 2012

Does anyone have or know of a tried and true method of configuring a Windows Server 2008 box to provide authentication/accounting services for Cisco devices. I've read a few websites already and a lot of them seem to be geared toward VPN and some of the settings each site goes through are different.I've got NPS installed and a RADIUS client configured with the shared key. Right now I'm in the process of creating the Network Policy which only allows a Windows "admin" group to log in. Curious about the "Constraints" section where the NAS Port Type is selected and the "Settings" section where the service-type and vendor specific options are configured.

View 18 Replies View Related

Cisco Switching/Routing :: Configuring Radius On 2950G Switch With IOS 12.1?

Jul 20, 2011

getting radius to work on a 2950G switch with an older IOS of 12.1(22)EA1. I have radius setup on a windows 2k8 box and all of my other switches 2960's and above have no issues. I am unable to input the nas-identifier of 32 into the config using - radius-server 32 attribute 32 include-in-access-req format %h as well as the aaa session-id common commands. Doing a debug radius says that the radius server is not defined.

View 5 Replies View Related

Cisco Wireless :: Configuring RADIUS Server On 2500 Controller

Dec 3, 2012

We have recently installed Cisco for our wireless solution. We are an education and are looking to let staff and pupils bring their own devices. The route that we are planning to take to let them join the school's WiFi is to implement a RADIUS server so that they can authenticate with their Active Directory username and password. I have tried to test the solution but so far without any success. I am using a Windows Server 2008 R2 as my NPS server, I have setup the Cisco controller as per below:
Security Tab | RADIUS | Authentication - I added my windows server there and the preshared key, the Network User and Management is ticket and the server responds to a ping command,In the WLANs Tab, I selected my test WLAN and under Security | AAA Servers I selected the RADIUS server that I configured in the Security TabI then try to logon to my test WLAN and on the Cisco WLAN controller I get the following error: AAA Authentication Failure for UserName:test User Type: WLAN USER 
Before trying to tinker with policies on the Windows Server I was wondering if the RADIUS is correctly setup on the Controller or have I missed something obvious?

View 6 Replies View Related

Cisco Wireless :: Configuring Microsoft Radius Server For 5508?

Apr 28, 2013

I would like to know if microsoft 2008 server RADIUS server could be use for authentication on Cosco 5508 instead of Cisco ACS.

View 4 Replies View Related

Cisco AAA/Identity/Nac :: ACS5.3 - Configuring Multiple Identity Sources

Aug 28, 2012

I have an ACS 5.3 cluster, that is configured to use AD. There are a few wireless devices, and monitoring tools that do not have AD accounts. I would like to configure ACS to first check AD for the user authentication, and if that fails to roll over to the local (Internal Users) identity source where I can define these user accounts.
 
It seems that when the authentication hits the initial Identity Policy rule, it never moves onto the next one if the first fails.
 
Attached are screen shots that show how i'm configured for the test, i have a local user defined and I'm trying to log into the firewalls.
 
- Identity Definition : Screen shot of the main ACS definition for the rule i'm testing that's not working
- Identity Rule 1 : The configuration of rule 1 that if it fails i need it to move onto rule 2.
- Log Output : Screen shot for one of the failed attempts from the ACS View Log server.
 
Reason I need to configure it this way is:

- Wireless users authenticate to wireless using AD user accounts. Some hand held scanners do not support that and will need to authenticate using the MAC address.
- Authentication to Network devices for managment uses AD accounts. We have some monitoring tools that do not have AD accounts, and will need to    be able to log into Network devices to issue some commands (Examples: Cisco Prime LMS and NCS, Infoblox NetMRI).

View 4 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.X And Radius Using AD

Oct 30, 2011

I am currently useing ACS 5.2 and have no problem using Tacacs+ with AD access.

But with Radius it seems I can only get the Local identity store to work, need to do something special to get Radius to work with active directory with Cisco ACS?

View 10 Replies View Related

AAA/Identity/Nac :: IPS / IDS Authentication With Cisco Radius ACS 5.2

Nov 22, 2011

I have been trying to get our IPS (ASA-SSM-10 and 4260) to authenticate with Cisco Radius ACS 5.2 and they are not working. However, I was able to get them working with Microsoft Radius. Below is the logs from the IPS:
  
evStatus: eventId=1321566464942057375 vendor=Cisco  originator:    hostId: NACAIRVIDLAB1    appName: authentication    appInstanceId: 350  time: 2011/11/23 17:50:38 2011/11/23 09:50:38 GMT-08:00  controlTransaction:

[Code].....

View 0 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.x RADIUS VSA Configuration?

Dec 3, 2011

I need to configure RADIUS VSA configuration for a my alvarion device. Following are the attributes that need to be configured.
 
- Packet Data Flow ID (ID 1, integer16)
- Direction (ID 4, integer8)
- Transport Type (ID 6, integer8)
- UplinkQoSID (ID 7, integer8)
- DownlinkQoSID (ID 8, integer8)

[code]....

I was able to configure the first 6 attributes, how can I add the Sub - TLV's ClassifiedID, Priority, VLAN-ID and Classifier Direction which come under Classifier. Don't see any option for that in ACS 5.x

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 4.2.1.15 RADIUS Stops After A While

Jan 31, 2012

We have 2 ACS 4.2.1 servers in Windows 2003 with SP2 installed. We have updated the first ACS to the latest patches for Windows. After that we started having problems. CSRadius either stops by itself or when some time passes we get the following error in Failed attempts "Unknown error". When we restart the ACS services by the GUI, it resumes until the next time it stops.Do you happen to know if we have any bugs related to Windows patches?

View 3 Replies View Related

Cisco AAA/Identity/Nac :: Radius Authentication In ACS 5.2 With AD

Mar 10, 2011

I have a questión about radius authenticaction with AD, when I log in into the network with user in AD and I make a mistake in password my radius authenticaction event in ACS 5.2 dont show me this logg. only show the authentication succeeded but dont show me the authentication failed. Maybe i must to enable same service to show the authentiaction failed. The Voice authetication works fine..
 
This is the confg in the port of the switch:
 
interface FastEthernet0/12 switchport mode access switchport access vlan 2 switchport voice vlan 10 authentication port-control auto authentication host-mode multi-domain authentication violation protect authentication event fail action authorize vlan 11 authentication event fail retry 2 action authorize vlan 11 authentication event no-response action authorize vlan 11 authentication periodic authentication timer reauthenticate 60 mab dot1x pae authenticator dot1x timeout tx-period 10 dot1x max-reauth-req 3 spanning-tree portfast end
 
Vlan 2: DATA
Vlan 10: VOICE
Vlan 11: GUEST

View 1 Replies View Related

Cisco AAA/Identity/Nac :: RADIUS And VRF In 6500

Apr 10, 2012

I have the next config of radius authentication:

aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
aaa session-id common
ip radius source-interface Vlan31 vrf LEGACY
[Code] .....

View 3 Replies View Related

Cisco AAA/Identity/Nac :: ACS 4.2 - Add RADIUS Attributes

Mar 17, 2012

I want to add Radius attribute to Rad ware devices , so I will have the option to grant "read only" permission to users. as I understand I need to add VSA for the "read only" permission, or configure specific "Service-Type value 255"
   
in the following picture you can see the required information from Rad ware:

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS SE 4.2 RADIUS Protocol

Mar 28, 2013

I am using the Self RADIUS server in my Cisco ACS SE 4.2 appliance S. I have an AAA client C that interacts with S by means of the RADIUS protocol. This works fine, in that S correctly carries out authentication chores on username/password (PAP and CHAP) pairs received from C, sending back to C the corresponding Access-Accept packet when the authentication succeeds, or Access-Reject when it doesn't.
 
I have been able to import a set of three VSAs into S. Each of those attributes is of string type. I then configured in S a single user U with password P so that, whenever a U/P pair received in S from C is authenticated by S, S should send back to C, in the Access-Accept packet, the three attributes with the following values: [code]

With this setup, when an authentication is successfully completed by S, C receives 53 bytes worth of data from S every time. I am attaching a typical example, already disassembled. I have disguised the actual vendor ID, for legal reasons, but the rest is exactly as it was when received in C.
 
According to the disassembly, what we got is an Access-Accept packet, as expected. Its length is 53 bytes - again as expected, for this is the only packet that C has received from S here. However, the packet is incomplete, for attribute #3 is missing its value field.
 
Looking into the whole packet in more detail, it can be seen that while the wire format for the first attribute, namely, Frame-IP-Address, is correctly constructed, the remaining are not. For example, the sequence of bytes corresponding to the attribute #1 reads 1a 09 00 00 xx xx 2c 61 62 63. I believe that this is incorrect; it should be 1a 0a 00 00 xx xx 2c 61 62 63, for the wire format for this attribute consists of 10, not 9, bytes. I tried a few variations on the values for the attributes, and the results are always substantially the same, in that the wire formats for these attributes are always incorrect.
 
This all probably implies I have done something wrong when importing the VSAs into S, and/or when configuring things on S. I am therefore attaching the csv files I used to import my VSAs into S; as before, names and vendor ID are disguised, but their lengths are exactly the same as in the undisguised file. I used two csv files: One to import the vendor ID, and the other to import the VSAs under that vendor ID. As for user U, in S's administration GUI I clicked on User Setup and selected user U, moved to the bottom of the screen, where the attributes for this particular vendor were present,introduced the values for each attribute mentioned above, and made sure that button in front of each attribute was ticked.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: Add OPNET Radius Attributes In ACS 4.2

May 16, 2012

I need to add OPNET Radius attributes in ACS 4.2. How should I add a new VSA in ACS?  The google search is pointing me to CSUtil.exe, and I cannot find this utility in the ACS install files.  These are the values that I need added for OPNET. When configuring the RADIUS server to support the ACE Live Appliance, use the following Vendor Code and Vendor Specific Attribute (VSA): Vendor Code: 7119 VSA: 33.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: Missing RADIUS On 3750?

Feb 27, 2012

When I upgraded my cisco 3750 ME from c3750me-i5k91-mz.122-46.SE to c3750me-i5k91-mz.122-58.SE2.bin all commands for radius disappeared? However, there are a lot of commands to ldap which was missing in the previous version. Seems as if the radius has disappeared and been replaced by ldap?

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ASA5500 / ACS 5.1 Radius For VPN And Admin?

Feb 27, 2011

I am trying to configure ACS 5.1 to authenticate SSL VPNs on an ASA5500 and aslo to provide admin access to the ASA5500 both via radius.I want to authenticate the VPN against a SeureID appliance and the admin login against a different database (using internal for testing but will use LDAP in the end).I cant seem to get the ACS to distinguish between the two authentication types. If I create a rule that says match protocol radius I can point that at either database but if I try saying match radius and service type 5 it doesnt match the VPN and falls through to the default authentication service. I have also tried matching service type 6 for admin and that doesnt seem to work either.In the end what I want to acheive is to authenticate teh ASA5500 VPN against the SecureID appliance and then admin access to all devices on teh newtork (a mixture of Cisco, F5 and Juniper) to active directory via LDAP where if the user is a member of the "admin" group they get access.I was intending to use specific devices for the ASA5500s (there aretwo) and then creat a device group based on IP address range for everything else.

View 4 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 Authentication Radius Juniper NSM?

May 24, 2011

I am trying to authenticate on Juniper NSM express using cisco ACS 5.2.  The request is arriving at the cisco ACS but i am getting the following error.RADIUS requests can only be processed by Access Services that are of type Network Access.

View 4 Replies View Related

Cisco AAA/Identity/Nac :: AIRONET 1260 With New Radius ACS 4.x?

Nov 18, 2012

I have CISCO ACS 5.1 radius for VPN on ASA and tried to configure an NDG on it for AIRONET 1260 too and worked fine with IEEE 802.1x CISCO EAP-FAST authentication As I had some trouble to let users to authenticate only on VPN if are VPN users and only on CISCO AIRONET if need only WIFI AIRONET I tried exception policies rules but something not working. VPN was ok but not WIFI access denied for rule policy access I decided to install CISCO ACS 4.x on Windows 2003 that is on ACS 5 DVD I created NDG as done on ACS 5 put a shared secret , put on AIRONET too as done for ACS 5 but I receive an error against ACS 4.x To troubleshout it I tried [URL] but not work ! I think to have done all fine owever on ACS 5 it worked in 5 minutes I searched log inside ACS 4 and found "Invalid message authenticator in EAP request" and I found this: [URL]Changed shared secret more times but ever not workign with ACS 4 I need to have user and password prompt on client trying to authentincate on AIRONET WIFI and I need ACS INTERNAL USER no active directory, no LDAP , no external user database?

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 4.0.2 Radius Authentication Setup

Jan 9, 2012

I am having ACS 4.0.2 in my network, which I want to use for 802.1x Radius Authentication for Clients on PEAP-MSCHAPv2 methodology.As per the documentation " EAP Authentication with RADIUS Server",  Doc ID: 44844.I have configured Network Configuration and populated AAA client IP range and Secret Key.
 
Question1: Under Authenticate Using option, there are various RADIUS flavors available for selection. For a Non Cisco AAA client, should I select RADIUS IETF?

Question 2: In the above snap shot, It has an option called Global Authentication Setup, where we can setup EAP configuration. Under PEAP subsection there is an option to "Allow EAP-MSCHAPv2" check box.After checking that, is a restart required to the ACS Server? Would it cause any disruptions to the existing services on the ACS?

View 3 Replies View Related

Cisco AAA/Identity/Nac :: Command Accounting For Radius On ACS 5.2?

May 26, 2011

is command accounting for Radius supported on ACS 5.2 ? provided vendor's radius implementation supports this capability.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ISDN Authorization With RADIUS Using ISE 1.1.2?

Nov 19, 2012

I am trying to move my ISDN dialup branches authentication/authorization from old ACS 4.1 to ISE appliance. Before it was through ACS 4.2 with TACACS protocol but now since we are moving to ISE we are moving them to ISE with radius.
 
Problem is that isdn client gets authenticated and authorized but calls get dropped and they dont able to communicate with HO. IP address is assigned by Head End router to all remote isdn dialing branches..
 
I have used default "PermitAccess" in authorization policy and authentication policy is also default. I dont understand where I am going wrong as authentication and authorization is sucessful.
 
aaa authentication ppp default group radius local
aaa authentication network default group radius
aaa accounting network default start-stop group radius
 radius-server host 12.18.22.41
radius-server key *****

View 8 Replies View Related

Cisco AAA/Identity/Nac :: How To Configure Radius Failover In ACS 5.1

Aug 21, 2011

I need to configure the ACS 5.1 to meet the following requirement :-
 
1. ACS 5.1 will point to a RSA SecurID as the first authentication mechanism for the validation of user credential

2. In the event that RSA SecurID is not reachable, the ACS 5.1 shall point to its local user database.
 
 I had no problem configuring for Point (1), but I am not able to let it failover to the local user database.

View 11 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 For Wireless Authentication Using Radius?

Jul 4, 2012

how to setup ACS 5.3 to authenticate wireless users over radius? I currently have the SSID pointing to a Microsoft IAS server and would like to move the authentication to be done via ACS.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 ASA 5510 Radius Connection

Jan 17, 2012

currently I'm evaluating an ACS 5.2.I need to authenticate the VPN-Users against LDAP, but have no direct connection from the ASA to the LDAP-Server. So the ASA should connect to the ACS to ask the LDAP-Identity-Store, OK.
 
My first Problem is: the ACS doesn't respond to the RADIUS-Requests of the ASA! ASA use's Port 1812, the Secret is ok, the ASA is as a Network Device in the ACS configured and I've created an internal Test-User on the ACS.the Firewall-Log shows the established connection (so I think, there is a Hand shake!? ), but the ASA says in Radius-Test: "EROR:Authentication-Server not responding".

View 3 Replies View Related

Cisco AAA/Identity/Nac :: 5508-WLC Using MS NPS As RADIUS Server For EAP-TLS

May 18, 2011

getting a Cisco WLC to work with MS NPS server? We've done it before albeit with differnt code versions.
 
I have a Cisco 5508 WLC running 7.0.116.0 code hosting a WLAN configured for WPA2 with 802.1x for authentication.  I have two Windows NPS servers configured as the RADIUS servers for EAP-TLS authentication. Via debug info on the WLC I can see the 802.1x handshake take place with the wireless client and the WLC as well as a successful transmission of an Authentication Packet from the WLC to one of the RADIUS servers. However on the WLC I see repeated RADIUS server x.x.x.x:1812 deactivated in global list and on the NPS server I'm seeing event log errors indicating "The Network Policy Server discarded the request for a user"  along with the pertinent auth request info that I would expect the NPS server to receive from the WLC.  Based on the WLC debug info I'm never actually getting to the EAP-TLS certificate authentication part. It seems the NPS servers don't like the format of the initial RADIUS authentication request coming from the WLC and so don't respond whcih in turn casues to WLC to switch to the other NPS server which produces the same issue.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 Radius Accounting From ASA And Juniper?

Apr 10, 2013

i changed from ACS 4 to ACS 5.2. Everything works fine but i have authentication failed in the Radius accouting reports every time when users connect through ASA or Juniper into our network. Juniper amd ASA only send accounting informations to ACS. The users are not configured on the ACS, authentication is done via external LDAP. So my question is why do o see authentication error on ACS because Juniper and ASA only send accounting packets ?

View 2 Replies View Related

Cisco AAA/Identity/Nac :: 877 - Using CHAP With RADIUS Authentication

Jan 19, 2012

I have configured a Cisco 877 router to send RADIUS requests when a user logs in to the console (Line Console or Line VTY) using the following config:
 
aaa new-model
aaa authentication login default group radius
aaa authentication ppp default group radius
 
radius-server host 10.0.0.1 auth-port 1812 acct-port 1812 key mysharedkey
 
When I log the RADIUS packets I see that the Cisco router is sending the initial AccessRequest using PAP.
 
How can I configure the router to send it's inial AccessRequest packet using CHAP?

View 5 Replies View Related

Cisco AAA/Identity/Nac :: ACS 4.2 / ISE As Standalone RADIUS Server

Apr 7, 2013

Is there any way to set up our ISE to provide Radius instead of acting as Radius Proxy? In our Company we use ACS 4.2 to provide AAA via Tacacs+ and this works proper with all our Cisco-Switches. Now we are testing the ISE 1.1.1 as NAC-Solution.
 
I know how to set up the ISE as 'Radius Proxy', configuring the Sequences and Policies, but till now we are using only Tacacs+ for AAA. The current version of ISE does not support Tacacs+ and I don't want to set up a Radius-enviroment in ACS if not necessary. Somewhere ( I think the specs) I read, the ISE is a merge of ACS and NAC. So in my Opinion there should be a way to provide AAA via Radius on the ISE without ACS and without 'Radius Proxy'.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: Switches TACACS Or RADIUS With ACS 4.2

Aug 14, 2011

So far i managed my switches with TACACS+, however now i've to deploy 802.1X, requiring RADIUS only. For what i know, ACS (i'm using 4.2) allows to define a device using only TACACS or RADIUS, but not both. Do i am right? Or there is a way to define an AAA client to communicate with the same ACS using both the protocols?
 
Supposing i am right, i was then considering the following options: - configure all of the switches to use radius for any service (authentication, authorization etc ec) This simplifies the task, but i lose the TACACS+ services for the switches. Is this a big loss?
 
- configure the L3 switches to use a second Loopback, just for RADIUS services. This would allow to still use the TACACS+ but would require a new network just for the RADIUS service; furthermore L2 switches doesn't support two IP addresses and would require anyway a migration to RADIUS.

A considerable administrative overhead, in other words. I'm not willing to deploy a second RADIUS (ACS, Windows, whatever), in this moment.
 
The key point is this: reading around i see Cisco documentation recommending always to use TACACS+ for management, but in this situation is not possibile. In general, every time the device has a role of network admission  (switch or access-point) RADIUS seems to be the protocol of choice. Moving to RADIUS would have some major drawback or only a change in the communication protocol? (I know the difference between TACACS+ and RADIUS: tcp vs udp, encryption of the whole packet vs encryption of only the password).

View 3 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 - Guest NAC Radius Authentication

Oct 31, 2010

For some reason, i can't get the lobby "sponsors" to authentication to the Guest NAC server (2.0.2) using ACS 5.2 via Radius.I was able to figure out how to get the Guest NAC Radius Authentication for "Administrator" to work by adding custom Radius value IEFT-6 under...
 
Policy ElementsAuthorization & permissionsNetwork AccessAuthorization Profiles 
I added a policy & under the Radius Attributes Tab... I manually entered an Attribute that looks like the following:
Dictionary Type: = RADIUS-IETFRadius Attribute: = Service-TypeAttribute Type: = EnumerationAttribute Value: = StaticValue = "Administrative"   
I then created an Access Policy... I looked for a specific AD group - Result = "Name of Custom Policy Above"...
 
All of that is working just fine.... the NAC Guest Docs tell you the Radius server must return a value of IETF-6...
 
When it gets into the Sponsor section, it doesn't tell you the value your Radius server should return... so just for grins, instead of "Name of Custom Policy Above", I tried "Permit Access"... i tried the "Name of Custom Policy above"...  Not sure what else to try to get this to work...
 
here is a like to the document i'm following: URL
 
Page 68 refers to the "Configuring Sponsor Authentication" for Radius.. it just tell you to add the Radius Server & change the authentication order.

View 9 Replies View Related

AAA/Identity/Nac :: ACS 4.2 Radius Authentication For SSL VPN Users

Dec 22, 2012

Using Cisco ASA I want the  ssl clientless vpn users to be authenticated through a local Radius-Server. but it does not work, and on asa while i want to see (Debug Radius) output, there is no debuging msgs displayed.    When i try to test the user which i have created on the ACS-Server 4.2,  the test gets successful.  where i have made a mistake in my configuration ?

View 2 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved