Cisco :: Chap Authentication Not Working
Apr 3, 2012
I'm having trouble when using CHAP as authentication for my two routers; I don't know whether my configuration is wrong or not. Is there anything wrong with the configuration? Note: both routers are c2961.
Jun 17, 2012
How is the one-way hash generated given the challenge number and shared secret password? It's just that I was reading Cisco 3 chapter 7, and it doesn't explicitly outline how the one-way hash is actually generated; it simply states that it is generated given the challenge number (randomly generated for every challenge message) and the shared secret password.
Dec 20, 2012
I'm trying to connect to the ISP with the PPPoE method using Cisco 861 equipment. On the other side is a Cisco 3845 BRAS. The session fails at the authentication phase. The authentication protocol chosen by the routers is ms-chap-v2. CHAP is supported also. [code]
Jan 19, 2012
I have configured a Cisco 877 router to send RADIUS requests when a user logs in to the console (Line Console or Line VTY) using the following config:
aaa new-model
aaa authentication login default group radius
aaa authentication ppp default group radius
radius-server host 10.0.0.1 auth-port 1812 acct-port 1812 key mysharedkey
When I log the RADIUS packets I see that the Cisco router is sending the initial AccessRequest using PAP.
How can I configure the router to send its initial AccessRequest packet using CHAP?
Jan 13, 2012
I've set up my ASA 5510 to use AAA to my Windows Server 2008 NAP. After many hours of troubleshooting I got my setup to work. The only thing I'm not satisfied with at the moment is that RADIUS is using PAP for communicating between the ASA5510 and W2K8/NAP. I've tried ticking the "Microsoft CHAPv2 Capable" box under Users/AAA => AAA Server Groups => Edit AAA Server. From Event Viewer on W2K8/NAP I get Event ID 6278 and 6272, see attached file. How do I change from the PAP to the CHAP protocol?
PS: ASA 5510 running ASA version 8.2(4) and ASDM version 6.3(5)
Sep 9, 2011
My ISP here at my mother's in Italy (www.teletu.it) gave me the following configuration:
1. Supported Protocol: PPPoE or PPPoA
2. VPI: 8
3. VCI: 35
4. Encapsulation: LLC (If not supported: VCMUX/NULL)
5. Modulation: Multimode
6. Authentication Protocol: PAP or CHAP
If I connect my laptop to the ADSL modem, it all works just fine and I can connect to the internet (as you can see).
HOWEVER, if I then try to configure my WRT54G v6 to use this internet connection (I NEED to be wireless here, or I won't be able to use my iPhone and iPad), there is no way apparently for me to configure the Encapsulation, Modulation, and Authentication Protocol above. I just upgraded my WRT54G's firmware, and am now running firmware Ver.1.02.8, 10/05/2009. I was hoping this would allow me to set these parameters, but I can't find a way.
I tried just configuring the WRT54G with PPPoE and the ISP's userId/password, but this doesn't seem to suffice, and I don't see any other settings I could try.
Feb 12, 2012
I am configuring some of my devices to use CHAP when their backup ISDN interface dials out to the 7200 concentrator node. I want the CHAP requests to hit our ACS 5.2 appliances and be authenticated via this method. I have built a rule for 'Default network access' which specifies these devices only; however, when I bring up the ISDN call the process fails. When I look at the logs it doesn't give an error reason, but it does say that it failed on one of the rules in the 'default device admin' rule set. I even went to the bother of specifying a single IP address of one of the ISDN backup devices, but the result is always the same.
Jan 3, 2012
I have a Cisco 870 router which I'm trying to connect to my ISP. All the interfaces are in an up, up state, but I'm unable to ping any IP address on the internet. When I do a debug ppp I can see that the username and password are correct with the dialer 1 interface, as there are no errors and I can see success. But when I shut down the atm0 interface and then do a no shutdown, I see a message called authentication failed. How does the atm0 interface work with the dialer? Also, I spoke to the ISP and they can't see any connection being made, but the debug shows success. I also get a default gateway via the ISP, but it is the incorrect default gateway, as I can't ping the internet and the ISP confirms that the default gateway is incorrect.
Aug 17, 2011
I have a dot1x client with client certificate working well with my ACS 5.2 and EAP-TLS. Now I would like to configure the Re-Auth period on the ACS 5.2. I did the following:
1. Configured an Access Profile with Reauthentication Timer = static and 30 seconds (see attachment ACS1.png and ACS2.png)
2. Enabled authentication periodic and authentication timer reauthenticate server on switchport
interface GigabitEthernet1/0/x
description to dot1x clients
switchport access vlan 5
switchport mode access
authentication event fail action authorize vlan 998
[code]....
Apr 8, 2013
I have a 5508 controller running 7.4.100 and have a WLAN where I have radius configured. On my controller the client machine I'm using appears but the radius authentication doesn't appear to be working. Is there anything on the controller I can do to verify that the request is even being sent to my Microsoft IAS server? The log on the server doesn't show any requests from the controller so my early days guess is the controller isn't actually sending it.
May 16, 2011
I am enabling our wireless controllers to use 802.1x authentication for our wireless clients. Both computer and user are provided with a certificate from the CA server. I have 9 APs and 2 controllers installed in my infrastructure; one of the controllers is working fine with the settings specified above but the other one is not. Both have the same configuration and both seem identical, with the same model and IOS.
Nov 22, 2009
I am trying to get a NAC demo running and am having some issues with a Layer 2 OOB, Virtual GW configuration. Currently I have 3560G switches and would like to assign ports to a vlan based on user roles.
My Auth VLAN is 110 and maps to VLAN 11
Guest VLAN is 11 (172.16.1.0/24)
Employee VLAN is 1
NAS Mgmt VLAN is 20 - CAS is 10.10.20.5 (this ip is setup on both eth0 and eth1 per documentation for L2 OOB Virtual GW)
NAM Mgmt VLAN is 30 - CAM is 10.10.30.5
Untrusted (Eth1) switchport is setup as a trunk allowing only vlan 110 and has a native vlan 999 to blackhole traffic.
Trusted (Eth0) switchport is setup as a trunk allowing vlan 1, 11, 20 and has a native vlan 998 to blackhole traffic.
I also setup a Managed Subnet on the CAS with IP 172.16.1.254 and VLAN 110. Switchport controlled by NAC is access vlan 110. When a machine connects an snmp trap is sent to CAM and is forced into vlan 110. If I try to put the port in another vlan CAM puts it back to 110 immediately. This all seems to be working well. The machine connected to the port gets a DHCP address from VLAN 11. When I initiate traffic from this machine, everything is blocked. If I open a web browser I do not get an authentication page. I also installed CCA 4.1.10 on the machine but it does not find a discovery host and the Login option is grayed out. The only way to get this machine to send traffic is to add a filter for it and force it to the ALLOW option. I did setup a default web login page but I seem to be missing something to get authentication to work. I am running version 4.1.8 with a demo license. The host running CCA is Windows Vista.
May 16, 2013
I'm on an ASA 5510 running 8.2(5)41. I have clientless WebVPN configured to authenticate against an RSA RADIUS server, which has users assigned to RADIUS Class attribute 25 to match the group-lock values assigned to each ASA group-policy. This of course is to ensure users can only access the login page's drop-down VPN profiles they are assigned to by the RADIUS server. I have two other ASA 5510s (same code level) using the same RADIUS server with group-lock enabled but for IPSec remote access VPNs, and the group-lock feature works fine.
WebVPN, however, is authenticating any user to any VPN profile without regard to the RADIUS Class attribute 25 they are assigned. If I configure the VPN profiles to authenticate locally and assign group-lock to individual ASA user accounts, group-lock works. As soon as I point it back to the RADIUS server, group-lock does nothing. From the 'debug aaa' below for user 'corpvpnstp', you can see the RADIUS server sends back the attribute 25 values of "ou=stp.Client;" and "ou=stp.ClientDRC;" for this user. The ASA profile this user has attempted to connect to is "EMS-Admin", which should get denied by the ASA. Instead, the ASA successfully authenticates the user.
Mar 14, 2011
I have an issue with a 2950 switch: the dot1x config is not working, but on a 2960 it's working fine. Below are the configs from both switches and a debug dot1x all snap. What may be the issue with the 2950 switch ...
on 2950======>
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
[Code].....
Aug 26, 2010
My switches are able to successfully authenticate user access against ACS 5.1 via SSH with TACACS+, but I am not able to authenticate via HTTPS with TACACS+. I don't even get a log in ACS when attempting to authenticate via HTTPS.
Here is my AAA config, followed by a debug:
aaa new-model
aaa authentication login ACCESS group tacacs+ local
aaa authorization console
aaa authorization config-commands
aaa authorization exec ACCESS group tacacs+
aaa authorization commands 1 Priv1 group tacacs+ none
[Code]......
Mar 27, 2012
on the followup the document "Configuration example : central web-authentication with a switch and Identity Service Engine" by Nicolas Darchis, since the redirection on the switch is not working.
I'm using ISE Version : 1.0.4.573 and WS-C2960-24PC-L w/software 12.2(55)SE1 and image C2960-LANBASEK9-M for the access.
The interface configuration looks like this:
interface FastEthernet0/24
switchport access vlan 6
switchport mode access
switchport voice vlan 20
ip access-group webauth in
(code)
Jul 25, 2011
We have a Catalyst 3750 switch that failed over to local login after the Tacacs authentication stopped working. I went through the configuration settings and everything appears to be identical to another switch in this same building.
May 9, 2011
XP Home edition: went to Tools, can't find "working offline" or "working online" to make sure offline is not checked so I can get online. DSL Verizon, wireless router, wireless switch is on, on the CPU.
Feb 15, 2013
ASUS Notebook G60Vx Series
Windows 7 Home Premium 64-bit
Intel(R) WiFi Link 5100 AGN
A few days ago my internet suddenly stopped working. I plugged in the ethernet cord and everything worked fine. Checking the properties in the device manager showed the device was working properly, I also tried resetting it to make sure it was enabled but it did not work.
Upon troubleshooting, the "Windows Network Diagnostic" said the problem was that the wireless adapter was not turned on. Using the switch on the front of the laptop as well as the function keys does nothing. Usually a graphic pops up showing if the WiFi is on or off, changing to transparent to show the WiFi is disabled. Now when I turn the switch on it always appears transparent, effectively going from off to off.
So I know the computer reads both the function keys and the switch on the front, but both methods never actually turn the adapter on. I just finished a system restore and nothing has changed.
Jun 12, 2012
Today, while surfing the web my internet connection on my PC just randomly shuts off. I go check on my laptop and it's normal. My WiFi says that I am connected to an Unidentified network with no internet access. So I got frustrated and checked all the forums and nothing seemed to work. So I restored my computer to factory settings and I still got this problem. Does this mean my WiFi card is bad? Is it a virus? I can see other networks fine but I just can't connect to mine!
Jun 27, 2012
How many of you use 802.1x for authenticating users on a wired LAN? We have a new site which supports a ton of users and before implementing an RA VPN solution for them I was thinking about using 802.1x to ensure they've got proper credentials before they're put on the production VLAN.
Feb 2, 2011
How can I configure Auth-proxy in ACS 4.0? In ACS 3.3 we can add this in the Interface, but I can't see anything to add Auth-proxy in this menu.
May 20, 2011
Currently working on Proxy Authentication on a Catalyst 3750G. Cisco's documentation says that I can customize my own web pages for the login, success, failure, and expire web pages. However, I am having a difficult time finding a template to build upon.
Oct 13, 2011
Just a sanity check, but setting up NTP authentication on our switches to sync with our Core first, then our NTP server that the Core syncs to second.
Feb 20, 2012
I have an access point, model WAP4410N. I want to configure it for MAC authentication using MS IAS, but when I set my SSID to RADIUS in wireless connection control and try to connect to that SSID from a laptop, I don't get any logs in my IAS. Is my method for RADIUS MAC authentication correct or not?
Feb 2, 2012
In order to restrict access to websites on our internal network, would we be able to put an ASA in front of the web server and force users to authenticate through the ASA and, once authenticated, allow only port 80 or 443 traffic for that use? The ASA would query the ACS 5.1 server for authentication/authorization using AD as the identity store. Is this even possible with TACACS?
Apr 1, 2012
My customer has a large installed base of MACs, all connected via controller-based (5508) WLAN. He wants to grant access to the network based on the devices' MAC addresses and move the WLAN clients to a specific VLAN. I added all devices with their MAC addresses to the ACS internal identity store for hosts. According to the following message the client sends the user-login credentials (chegger) within the RADIUS request instead of the client's MAC address, and of course it has to fail. After many configuration changes, I always ended up with the same result.
Feb 21, 2012
I have set up an ACS (5.2) to do EAP-TLS Machine and User Authentication. I am getting intermittent results with the machine authentication using the same laptop as a test client. When the machine authentication succeeds the RADIUS name shows as host/xxx-yyy. When the machine authentication fails the RADIUS name shows as xxx-yyy without the host/.
Feb 26, 2012
I need to order a CISCO881; only CISCO881-K9 is available. I checked everywhere, still not sure if it is enough for me. We used to buy Sec-K9. I've got an ADSL modem in bridge mode in the front. As only 1 IP is provided by the ISP, I need the 881 to be able to pass on the PPP authentication. I also need the router to have VPN server function. Could CISCO881-K9 do this or not?
Jun 13, 2012
I have a question on EAP-TLS with ACS 5.2. If I would like to implement EAP-TLS with Microsoft CA, how will the machine and user authentication take place? I understand that the certs are required on both the client and server end, but is this certificate tied to the machine or tied to the individual user?
If tied to the user, and I have a shared PC which is logged into by a few users, does that mean every user account will have its own certificate?
And will every individual user have to manually get the cert from the CA? Is there any other method, as my environment has more than 3000 PCs?
And also, if it is tied to the user, all users can get their cert from the CA with their AD login name and password; if they bring in their own device and try to get the cert from the CA, they will be able to successfully install the cert onto their device, right?
Dec 17, 2010
I'm using an 877 router at home and I really need to check out what this router does during the day. So some time ago I configured it using some EEM actions to send me email, without any problems. Yesterday I changed my internet provider and now I need to use SMTP authentication to send emails.
I read about how to authenticate, like username:password@host, and also made a fast search here, without solving my problem. I need to put as username the email of the provider, like: mouse@host.com:mypassword@smtpserveraddress.com. So, I want to know if someone had the same problem and solved it. Of course I couldn't use @ two times or EEM would think that host.com is my SMTP server! And right now it is going this way!
My IOS version is 15.1(2)T2, eem version is 3.1.
Oct 31, 2011
Trying to apply NTP authentication to 3750 switches (layer-2 WS-C3750-24P switches) but they don't want to work. Applying the same config to any router or 4500/6500 chassis, and NTP authenticates straight away. NTP without authentication works fine on 3750s as well...
ntp authentication-key 1 md5 <key>
ntp authenticate
ntp trusted-key 1
ntp server 10.200.11.200 key 1
Is there additional config required for 3750s? This is across different IOS versions, so doesn't look like a bug..
Jan 18, 2012
I have a Cisco 851, using CCP to configure EASY VPN.
I click on TEST VPN SERVER, then click start; the status shows successful.
When I tried to connect a client I get mm_no_state.
When I reviewed the report from the test I found:
AAA authentication : Not configured
My AAA
aaa new-model
!
!
aaa authentication login tgcsusers local
aaa authorization network tgcsvpn local
(code)