Cisco :: ACS 4.2.1 - Alteon 3408 L4 Switch Authentication Failure By RADIUS Protocol?
Jul 25, 2012
I have a question about ACS RADIUS authentication with Alteon 3408 L4 Switch.
I configured a ACS 4.2.1(build 15 patch 4) software for windows on Windows Server 2008 Server STD.TACACS authentication with CISCO product was successfully passed.but RADIUS (IETF) authentication with NORTEL 3408 Switch was failed. ACS Authentication Failure Code was a " ACS password invalid "
I read the post that RADIUS VSA is needed in my environment.but i can not search any sample Nortel VSA dictionary configuration. Need Notel specific VSA configuration.
View 4 Replies
ADVERTISEMENT
May 3, 2013
I am trying to configure 802.1x RADIUS Authentication on cisco 2950-24TT-L Switch. I am using following set of command as given below
Switch# configure t
Switch(config)# aaa new-model
Switch(config)# aaa authentication dotx default group redius
Switch(config)# dot1x system-auth-control
Switch(config)# inter fasteth 0/1
Switch(config)#dot1x port-control atuo
I am facing problem dot1x command is not working on interface.
View 1 Replies
View Related
Mar 28, 2013
I am using the Self RADIUS server in my Cisco ACS SE 4.2 appliance S. I have an AAA client C that interacts with S by means of the RADIUS protocol. This works fine, in that S correctly carries out authentication chores on username/password (PAP and CHAP) pairs received from C, sending back to C the corresponding Access-Accept packet when the authentication succeeds, or Access-Reject when it doesn't.
I have been able to import a set of three VSAs into S. Each of those attributes is of string type. I then configured in S a single user U with password P so that, whenever a U/P pair received in S from C is authenticated by S, S should send back to C, in the Access-Accept packet, the three attributes with the following values: [code]
With this setup, when an authentication is successfully completed by S, C receives 53 bytes worth of data from S every time. I am attaching a typical example, already disassembled. I have disguised the actual vendor ID, for legal reasons, but the rest is exactly as it was when received in C.
According to the disassembly, what we got is an Access-Accept packet, as expected. Its length is 53 bytes - again as expected, for this is the only packet that C has received from S here. However, the packet is incomplete, for attribute #3 is missing its value field.
Looking into the whole packet in more detail, it can be seen that while the wire format for the first attribute, namely, Frame-IP-Address, is correctly constructed, the remaining are not. For example, the sequence of bytes corresponding to the attribute #1 reads 1a 09 00 00 xx xx 2c 61 62 63. I believe that this is incorrect; it should be 1a 0a 00 00 xx xx 2c 61 62 63, for the wire format for this attribute consists of 10, not 9, bytes. I tried a few variations on the values for the attributes, and the results are always substantially the same, in that the wire formats for these attributes are always incorrect.
This all probably implies I have done something wrong when importing the VSAs into S, and/or when configuring things on S. I am therefore attaching the csv files I used to import my VSAs into S; as before, names and vendor ID are disguised, but their lengths are exactly the same as in the undisguised file. I used two csv files: One to import the vendor ID, and the other to import the VSAs under that vendor ID. As for user U, in S's administration GUI I clicked on User Setup and selected user U, moved to the bottom of the screen, where the attributes for this particular vendor were present,introduced the values for each attribute mentioned above, and made sure that button in front of each attribute was ticked.
View 2 Replies
View Related
Sep 24, 2011
I have setup a Cisco Aironet 1040 to connect to our Radius server which I have also configured.
I can successfully connect up any Iphone or Ipad but I cannot get any laptop to connect.
I have attached the logs showing the Iphone Successfully logging in and the Laptop Failing. Every single failure in the Event log for NPS comes up with
Network Policy Server denied access to a user. Contact the Network Policy Server administrator for more information.
User:
Security ID: NULL SID
Account Name: scottd
Account Domain: AMSLAN
[Code].....
View 12 Replies
View Related
Jul 31, 2012
on the dashboard of the "Monitoring & Report Viewer" I see a lot of system alarms related to the database.The explanation of the alarm says to look at the Collector logs for the details.
View 3 Replies
View Related
Nov 22, 2012
I have defined Radius proxy on csg2 to external radius server, but pdp fails with Authorization failure message on GGSN and on Csg2 debut log I see “SAMI 3/3: Nov 23 15:11:43.937: RADIUS: Dropping the unsolicited RADIUS packet”
View 0 Replies
View Related
Aug 28, 2012
My customer wants to have mapping of WLAN SSID with different authentication protocol as show below .
1: EMP-M for Mschap
2: EMP-G for Peap GTC
3: EMP-T for TLS
For example EMP-M SSID users should be connected with only PEAP(MSCHAPv2) and not on other methods like PEAP-GTC/EAP-TLS .
customer is currently having WLC 5508 and using ISE for AAA . Any tip how we can do the above requirement through WLC .
View 4 Replies
View Related
Jan 1, 2013
I have a following question. I configured different authentication passwords in Master and slave VRRP setup.
View 2 Replies
View Related
Apr 15, 2013
I'm using the Cisco ANM 5.2 version and I'm trying to import the configurations from ACE modules of Cisco switches. The first step is to import the configuration from Cisco switch and the second one is to import the ACE module in the ANM software. I'm getting an authentication problem to import the configuration from Cisco switch and of course I cannot import the ACE as well. The switches and the ACE are using AAA authentication and I have created a specific username to authenticate and import the configurations in the ANM. If I remove the AAA configurations from the switches and ACE modules it works fine.
Is there some problem with the AAA configurations in the switches or ACE module?
View 7 Replies
View Related
Oct 24, 2012
I am trying to get CiscoWorks LMS 4.0 to connect to my routers in order to back up configurations, but I am getting SSH authentication failures reported in the router logs (and archiving fails).
The credentials LMS is using is a username and password with priviledge 15: the account is established in TACACS+. I can log into the devices directly with this user account.However, I cannot TFTP from the routers to the LMS either (I get a permission denied message in the router).
LMS did manage to fetch some configs, but 90% of my devices are having this issue.
View 4 Replies
View Related
Oct 31, 2010
I replaced an ACS certificate that had been installed as follows:
1. Generate CSR file and private key file, then send CSR to GeoTrust (Key length: 2048 and Digest to sign with SHA1)
2. GeoTrust send me a certificate. Issued by "GeoTrust SSL CA".
3. Install the certificate on the ACS. Restart ACS service.
4. ACS Certification authority setup. Issued by "VeriSign Class 2 Public Primary Certification Authority - G3"
5. Edit certificate trust list and select "VeriSign Class 2 Public Primary Certification Authority - G3" as trusted.
6. Enable EAP-TLS, then restarted the ACS service. The problem is when i try to enable EAP i get the error msg:Failed to initialize PEAP or EAP-TLS authentication protocol because CA certificate is not installed. Install the CA certificate using "ACS Certification Authority Setup" page.I searched on cisco and it said to disable the CSA, but in fact there is no CSA installed on this server.
OS: Win 2003 sp2Cisco ACS: Release 4.2(0) Build 124
View 4 Replies
View Related
Jun 13, 2012
Error: AAA Authentication Failure for UserName:radiususername User Type: WLAN USER
I am using a window radius server. I have added my WLC 4402 as a radius client on my radius server.
I followed the instructions on the MS link : [URL]
I want to use my windows raduis authentication for WLC management login and Web-Auth for guest WLAN user login.
View 2 Replies
View Related
Dec 26, 2012
I have configured an Asa 5510 as SSL vpn gataway ver 8.2(4) Anyconnect Essential. The clients are authenticated via Radius and OTP password.All work well since yesterday. When I have did same configuration changes. My objective was has that the clients accept the self signed certificate issued by the Asa whitout give the warning about the private cert.
So I have try to generaste a new certificate with FQDN equal to myasa.mydomain.com and also a CN=myasa
Then I have change the profile XML file of my anyconnect in this way: [code]
View 1 Replies
View Related
Aug 3, 2011
I've set up several local network users (Security > Local Net Users) on the WLC (5508 running 7.0.98.0). Whenever I try to connect with one of these user accounts (I'm testing this out for now), the attempt is unsuccessful and I see an "AAA Authentication Failure for UserName: xxxxxxx User Type: WLAN USER" in the Trap Log. I thought that after trying to authenticate through a RADIUS server, the local user database would be polled and then a user account in that database would be able to authenticate.
View 1 Replies
View Related
Aug 24, 2011
I've my ACS linked with AD to give administration access to few network devices and I've created an access policy to link my AD groups with those network devices and command sets.
Unfortunately I found I can use any user from my AD to login to my devices. Only LOGIN, the authorization definition is restricting the command set for those users.
How can I restrict the LOGIN to an specific AD group?
View 2 Replies
View Related
Apr 25, 2011
I am running ASA version 8.4(1), and anyconnect version 3.0.1047. My SSL VPN works fine, but i run into an issue with one user . his account did not work , and everytime users logged in it got this message "VPN Server could not parse request".
I found the problem after getting a user information meaning his username and password. His password had "&" as one of the special characters. when we change it to something that does not have that , it works just fine.
We are using microsoft NPS server as radius. but when i run a test within CLI it works just fine, only when anyconnect asks to authenticate it fails.
View 5 Replies
View Related
Jul 31, 2012
I have a Cisco Small bussiness RV120w and I setup the radius server , WPA2 Enterprise with a windows 2008 NPS radius server . The big problem is that the authentication fails .This is the error that I see in event viewer / server roles / Network policy and access services: reason-code 49 "The connection attempt did not match any connection request policy".The radius key is matching between the server and the client . The radius server is reachable and I don't find any routing issues .Does anybody tested this router with this type of wireless security?
View 3 Replies
View Related
Nov 22, 2011
we have ACS 4.2 and 2851 router with IOS 15.0(1)M4. There is authentication failure with error no 254. Is there any compatibilty issue with 15.0(1)M4 IOS
View 1 Replies
View Related
Nov 16, 2011
I have a 3845 router. Setup SSH Version 2generated rsa keys (1024)set login localtransport input ssh and telnet is enabled since I can't get ssh connection working When I connect using SSH, I get the following error. server refused authentication protocol.
View 21 Replies
View Related
Aug 6, 2012
Any software to measure Authentication time between client and Radius serverr.
View 8 Replies
View Related
Nov 22, 2011
I have been trying to get our IPS (ASA-SSM-10 and 4260) to authenticate with Cisco Radius ACS 5.2 and they are not working. However, I was able to get them working with Microsoft Radius. Below is the logs from the IPS:
evStatus: eventId=1321566464942057375 vendor=Cisco originator: hostId: NACAIRVIDLAB1 appName: authentication appInstanceId: 350 time: 2011/11/23 17:50:38 2011/11/23 09:50:38 GMT-08:00 controlTransaction:
[Code].....
View 0 Replies
View Related
Nov 14, 2011
I'm running WCS 7.0.220.0.I would like to authenticate users that are able to logon the WCS, through MS Network Policy Service (RADIUS).I would like all my domain users to be member of the local group on the WCS "Lobby Ambassador", so all domain users has access to generate guest access accounts, for the web auth... I can see under the WCS Administration under AAA that it should be able to use RADIUS - but i'm not sure how to setup the NPS policy?
View 1 Replies
View Related
Mar 10, 2011
I have a questión about radius authenticaction with AD, when I log in into the network with user in AD and I make a mistake in password my radius authenticaction event in ACS 5.2 dont show me this logg. only show the authentication succeeded but dont show me the authentication failed. Maybe i must to enable same service to show the authentiaction failed. The Voice authetication works fine..
This is the confg in the port of the switch:
interface FastEthernet0/12 switchport mode access switchport access vlan 2 switchport voice vlan 10 authentication port-control auto authentication host-mode multi-domain authentication violation protect authentication event fail action authorize vlan 11 authentication event fail retry 2 action authorize vlan 11 authentication event no-response action authorize vlan 11 authentication periodic authentication timer reauthenticate 60 mab dot1x pae authenticator dot1x timeout tx-period 10 dot1x max-reauth-req 3 spanning-tree portfast end
Vlan 2: DATA
Vlan 10: VOICE
Vlan 11: GUEST
View 1 Replies
View Related
Jan 3, 2013
I am configuring an old WLC4400 with V4.2.130.0. I added a new sub-interface for VLAN 50 with proper IP for the subnet and then add the Radius server(Windows server 2008 with NPS) onto WLC4400. I then created new WLAN with WPA+WPA2 Encryption and 802.1x key management and selected the Radius server under AAA for authentication.
Configured the test XP with WPA-Enterprise and PEAP as EAP method. I purposely configured computer to prompt for username and password.
When I try to connect, I did get prompt for username and password. However after that nothing happens. It seems like laptop just keep trying to authenticate.
I checked windows event log and do not see anything under NPS. I know this windows server NPS setup works as it is also the authentication server for our remotevpn.
is there any special option I need to turn on for WLC in order for Radius authentication work? Or is there any known bug with V4.2.130.
View 13 Replies
View Related
Aug 11, 2011
I'm in the process of moving some of our remote access vpn to an asa5520 and anyconnect.
The problem I've come across is that when using radius as authentication, I choose any one of my connection profiles in anyconnect and log in with any username regardless of the group on radius.
How do I map the connection profile to a group on radius so that i can separate the users?
View 1 Replies
View Related
May 17, 2011
I have a 5510 authenticating successfully with a RADIUS server. I'm using it for VPN authentication and it works great. I would also like to do this for administrator access to the ASA. When I turn it on though, any authentication for VPN access is also granted administrative access to the ASA. Obviously, I need to limit that to a select few users.
View 1 Replies
View Related
Sep 2, 2012
which is the best RADIUS server for 802.1x wired authentication?
View 1 Replies
View Related
May 24, 2011
I am trying to authenticate on Juniper NSM express using cisco ACS 5.2. The request is arriving at the cisco ACS but i am getting the following error.RADIUS requests can only be processed by Access Services that are of type Network Access.
View 4 Replies
View Related
Jan 9, 2012
I am having ACS 4.0.2 in my network, which I want to use for 802.1x Radius Authentication for Clients on PEAP-MSCHAPv2 methodology.As per the documentation " EAP Authentication with RADIUS Server", Doc ID: 44844.I have configured Network Configuration and populated AAA client IP range and Secret Key.
Question1: Under Authenticate Using option, there are various RADIUS flavors available for selection. For a Non Cisco AAA client, should I select RADIUS IETF?
Question 2: In the above snap shot, It has an option called Global Authentication Setup, where we can setup EAP configuration. Under PEAP subsection there is an option to "Allow EAP-MSCHAPv2" check box.After checking that, is a restart required to the ACS Server? Would it cause any disruptions to the existing services on the ACS?
View 3 Replies
View Related
Nov 6, 2011
I am trying to setup a RV042 for a Client VPN using AD / Radius authentication. When it was purchased I saw radiuslisted as a feature on it, but I'm not seeing a way to set this up.
[URL]
I have upgraded to the latest firrmware, I have a VPN working with accounts on the router that I manually create, but am not seeing anyplace to configure radius.
View 5 Replies
View Related
Apr 8, 2013
I have a 5508 controller running 7.4.100 and have a WLAN where I have radius configured. On my controller the client machine I'm using appears but the radius authentication doesn't appear to be working. Is there anything on the controller I can do to verify that the request is even being sent to my Microsoft IAS server? The log on the server doesn't show any requests from the controller so my early days guess is the controller isn't actually sending it.
View 3 Replies
View Related
Jul 4, 2012
how to setup ACS 5.3 to authenticate wireless users over radius? I currently have the SSID pointing to a Microsoft IAS server and would like to move the authentication to be done via ACS.
View 1 Replies
View Related
Mar 6, 2013
Can the 2504 WLC be configured to work with one RADIUS Server for Authentication of Management Users and with a second server for 802.1x EAP-TLS certificate authentication for the end users.
Management Users will authenticate on RADIUS Server 1.Wireless End users will request 802.1x EAP-TLS authentication certificate from AAA server 2.
View 5 Replies
View Related
