I have an SG300 authenticating telnet login to a RADIUS server. It allows me to log in at Priv level 1. when I try and enter Priv 15 mode, I'm prompted for a password which I don't appear to be able to set anywhere or know.
If I remove RADIUS and go back to Local authentication, telnet logs me in at Priv15 immediately.
configure Line Telnet on a Cisco SG300-10P switch.I am in config mode and enters line telnet,but when I do a show line,telnet still are disabled..
View 1 Replies View RelatedI am using the CISCO SG300-28 with firmware version 1.0.0.27. I enabled RADIUS authentication and accounting. Authentication is working but there are no accounting requests/replys (Accounting on, accounting off, accoun ting start, accounting stop) when running RADIUS in debug mode. I also did a packetcapture and there are no accounting packets.
So i updated the firmware image up to version 1.1.2.0. When I now want to configure accounting in RADIUS settings then there isn't any option to set an accounting port.
Ich checked the data sheet of the switch and it says that accounting is supported:
===============================================
802.1X: RADIUS authentication and accounting, MD5 hash; guest VLAN; unauthenticated VLAN, single/multiple host mode and single/multiple sessions [URL]
===============================================
I did a second packet capture with the new firmware image and there are still no accounting packets.
The RADIUS server is configured correct for accounting because when using another NAS like a WLAN-AP with DD-WRT accounting is workings. It is working with pfsense Captive Portal (an open source firewall and routing solution with a hotspot portal).
I am using several SG300-28 Switches with firmware version 1.1.2.0.I have dynamic VLAN enabled. As RADIUS server I am using free radius 2.1.12.Authentication is only based on the MAC address. (I configured that on the switches)On the switches I created three VLANs. VLAN100 for the authenticated clients, VLAN200 for Management interface and VLAN300 as Guest VLAN. After a wrong authentication the clients should be put into this Guest VLAN immediately (I configured this on the switches). I am using Windows XP and Windows 7 clients in my network. I did not configure any EAP settings because I just wnat to use the MAC address.
In most cases the dynamic VLAN assignment and authentication is working fine. The switch log says that the client is authenticated and the same I can see on free radius log. But in some (rare) cases the client is rejected. The CISCO log says "MAC aa:bb:cc:dd:ee:ff was rejected on port ge17" but when I look at the free radius log then this MAC address was successfully authorized.
The problem is that the client gets an IP address based on the Guest VLAN300 but after that the switch seems to "switch" the VLAN on the port and then the client is authenticated correctly on the right VLAN but the client does not request a new IP on the new VLAN. If I unplug and re-plug the LAN cable in most cases the client get the correct VLAN and the correct IP. This is happening randomly on nearly all my PCs.
Do I have to set some timers higher ? I don't think it is a problem between switch and RADIUS but a problem between communication of the host and the switch.
I have an SG300-20 here for testing (firmware: 1.1.2.0, boot version: 1.0.0.4, language version: 1.1.1.6 English). Everything seems to work on it, except, that if I choose Radius authentication by mac address only, then the switch does not honor the Idle-Timeout and Session-Timeout attributes from the Radius server (freeradius).
The setup is the following: I have a no name access point plugged in to switch port gi1. The port gi1 is set up for Radius authentication by mac address only. The access point itself is authenticated, no problem with that. If I connect through the access point by (say) a mobile phone, it is authenticated, no problem. The radius server does send the Idle-Timeout and Session-Timeout attributes, I checked it by running "freeradius -X", both are set to 30 seconds. Then I turn off the wireless card in my mobile phone and check the dot1x users by "show dot1x users". My mobile phone's mac address remains there for 5-10 minutes, so the Idle-Timeout and Session-Timeout does not work.
Another way I could resolv this problem is by explicitely asking the switch to reauthenticate the user. Unfortunately there is no CLI command to do just that, I can do however a reauthentication on a port using "dot1x re-authenticate gi1" (for example). But it does not work as it is expected: the switch uses the stored mac-address to reauthenticate the user, so nothing changes on the port (unless something changes in the radius server). I think it should work like the following: remove the authenticated user from the port, and whenever that mac address makes some network traffic, then reauthenticate as if it were a completely new connection. BTW: it would work for me also if I could just remove an authenticated user from a port, but I did not find a command to do that.
As a last resort I can simply shutdown the port, bring it up again ("shutdown" and "no shutdown" in the interface config), then all users are removed from the port and they all mush reauthenticate. But it causes a network outage for a couple of seconds for all users on that port, on a busy access point it is quite disturbing, and it is not an elegant way to do this.
So my actual question is: is there a way to remove an authenticated user either automatically (Idle-Timeout and Session-Timeout) or manually from this switch?
I enclose the relevant part of the running config.
interface range gi1-2
dot1x host-mode multi-sessions
exit
vlan database
vlan 2-4
exit
[code]....
I want to secure my routers & switches using ACS server (win server 2003 platform)i prefer Radius how to set it up lets say my ACS server ip addy 192.168.100.100 & key cisco both how to set up ACS for the router/switch & commands for router/switch ALSO, i wanna keep open a back door. if some ACS server is down, i want, ppl can log into router/switch using SSH (local user/pass) but only when ACS is down?
View 4 Replies View RelatedRADIUS authentication SF300-24P
We have just purchased 20x SF300-24P switches to be installed at our remote offices and we are unable to get RADIUS authentication to work. We already use RADIUS on all our primary network CISCO switches (e.g. 4506s¸ 3560s, 3750s, AP1231Gs,etc) and these work fine so we know the RADIUS server is working.
We are trying to use RADIUS authentication to gain management access onto these switches. Quite simply although we can see that the RADIUS server is accepting the username and password being sent, however the switch says “authentication failed” when to receives the response. We are using Microsoft NPS RADIUS Clients for authentication purposes.
We have upgrade the switches to the latest firmware 1.1.2.0, via the console it seems to have a very cut down IOS version so we cannot use the typical CISCO command set to configure the RADIUS as we normally would. Looking at the web GUI there seems to be a number of options missing including the Accounting port. When debugging is switch on there is no indication to say that any of the settings have been misconfigured.
I have configured a Microsoft Server 2008 R2 with Radius Server and connect it with a Cisco SG300 Switch.
If a new device connect to the switch it goes automatically to the guestnet. If a device with the correct certificate and a valid useraccount connect to the switch, the deivce goes in to the local company network.
Now my problem: If I connect a device which is in the domain and which have installed the correct certificate and want to login with a new domain user (which is not cached in windows) I can not login.
The following message appears: "There are Currently no Logon Servers Available"
I think the problem is that the authentication process only starts after a user have succsess logged in in windows.
Now I search for a solution which allows me to conntact the Logon Server for Domain Login before the User has logged in.
We are setting up a new office and I am trying to get RADIUS setup for authentication to my switches and routers. Currently I am working on a 3750 running IOS 15 and getting hung on what I think on something small. I have attached my Microsoft NPS Network Policy. Below is my IOS config:
aaa group server radius corp-radius
server 10.15.10.20 auth-port 1812 acct-port 1813
!
aaa authentication login default group corp-radius local
aaa authentication login radius-localfallback group corp-radius enable
aaa authorization exec default group radius
[code]....
These are our first switches and seems like GUI is lot different than the online. Out intervlan routing is o not working. I am absolutely sure that I setup the switch in L3 mode since it allows me to create mutiple interfaces. I am hoping that this GUI issue is related to interVLAN routing.
Below is the blog I started for InterVlan issue [URL]
This is the link for online simulator and what I see in its IP tab. I know this switch is not SG300. [URL]
This is what I see on our switch.
Our switch version
switchd64684#show version
SW version 1.1.0.73 ( date 19-Jun-2011 time 18:10:49 )
Boot version 1.0.0.4 ( date 08-Apr-2010 time 16:37:57 )
HW version V01
1) I have a Cisco SG300-28P. I plan to add a SG300-52. Would it be possible to manage the new switch through the SG300-28P web browser ?
2) There are 2 fans in the POE model SG300-28P. How many fans are they in the non POE switch SG300-52 ?
I'm using a radius server to authenticate ssh when connecting to my company's switches (a 3560 + several 2960s).
Everywhere I've looked claims that using the line 'transport input ssh' in my switch config should disable telnet access and allow ssh only. But after changing 'transport input ssh telnet' to 'transport input ssh' I can still connect to all of the switches from telnet. I can't block telnet with ACLs either because my company uses a telnet based terminal client to do most of their work.
I don't have much experience with radius. How do I stop telnet connections when using radius to authenticate?
Can I connect a single Cat5e cable between two SG300-28 and link them? If so what must I configure?
View 1 Replies View RelatedI have SG300-28P that I am using as layer-3 switch. Recently I ran in to SG300-52 switch and even though loading same firmware doesn't give me option to do layer-3 switching. For SG-300 I see options in GUI to create vlan interfaces under IP information section, while SG300-52 has IP information option only under the management section.let me know if these are 2 different hardware types and L3 is not possible on SG300-52. If its possible to enable L3 switching on SG300-52?
View 2 Replies View RelatedI am running ASA version 8.4(1), and anyconnect version 3.0.1047. My SSL VPN works fine, but i run into an issue with one user . his account did not work , and everytime users logged in it got this message "VPN Server could not parse request".
I found the problem after getting a user information meaning his username and password. His password had "&" as one of the special characters. when we change it to something that does not have that , it works just fine.
We are using microsoft NPS server as radius. but when i run a test within CLI it works just fine, only when anyconnect asks to authenticate it fails.
Any software to measure Authentication time between client and Radius serverr.
View 8 Replies View RelatedI have been trying to get our IPS (ASA-SSM-10 and 4260) to authenticate with Cisco Radius ACS 5.2 and they are not working. However, I was able to get them working with Microsoft Radius. Below is the logs from the IPS:
evStatus: eventId=1321566464942057375 vendor=Cisco originator: hostId: NACAIRVIDLAB1 appName: authentication appInstanceId: 350 time: 2011/11/23 17:50:38 2011/11/23 09:50:38 GMT-08:00 controlTransaction:
[Code].....
I'm running WCS 7.0.220.0.I would like to authenticate users that are able to logon the WCS, through MS Network Policy Service (RADIUS).I would like all my domain users to be member of the local group on the WCS "Lobby Ambassador", so all domain users has access to generate guest access accounts, for the web auth... I can see under the WCS Administration under AAA that it should be able to use RADIUS - but i'm not sure how to setup the NPS policy?
View 1 Replies View RelatedI have a questión about radius authenticaction with AD, when I log in into the network with user in AD and I make a mistake in password my radius authenticaction event in ACS 5.2 dont show me this logg. only show the authentication succeeded but dont show me the authentication failed. Maybe i must to enable same service to show the authentiaction failed. The Voice authetication works fine..
This is the confg in the port of the switch:
interface FastEthernet0/12 switchport mode access switchport access vlan 2 switchport voice vlan 10 authentication port-control auto authentication host-mode multi-domain authentication violation protect authentication event fail action authorize vlan 11 authentication event fail retry 2 action authorize vlan 11 authentication event no-response action authorize vlan 11 authentication periodic authentication timer reauthenticate 60 mab dot1x pae authenticator dot1x timeout tx-period 10 dot1x max-reauth-req 3 spanning-tree portfast end
Vlan 2: DATA
Vlan 10: VOICE
Vlan 11: GUEST
I am configuring an old WLC4400 with V4.2.130.0. I added a new sub-interface for VLAN 50 with proper IP for the subnet and then add the Radius server(Windows server 2008 with NPS) onto WLC4400. I then created new WLAN with WPA+WPA2 Encryption and 802.1x key management and selected the Radius server under AAA for authentication.
Configured the test XP with WPA-Enterprise and PEAP as EAP method. I purposely configured computer to prompt for username and password.
When I try to connect, I did get prompt for username and password. However after that nothing happens. It seems like laptop just keep trying to authenticate.
I checked windows event log and do not see anything under NPS. I know this windows server NPS setup works as it is also the authentication server for our remotevpn.
is there any special option I need to turn on for WLC in order for Radius authentication work? Or is there any known bug with V4.2.130.
I'm in the process of moving some of our remote access vpn to an asa5520 and anyconnect.
The problem I've come across is that when using radius as authentication, I choose any one of my connection profiles in anyconnect and log in with any username regardless of the group on radius.
How do I map the connection profile to a group on radius so that i can separate the users?
I have a 5510 authenticating successfully with a RADIUS server. I'm using it for VPN authentication and it works great. I would also like to do this for administrator access to the ASA. When I turn it on though, any authentication for VPN access is also granted administrative access to the ASA. Obviously, I need to limit that to a select few users.
View 1 Replies View Relatedwhich is the best RADIUS server for 802.1x wired authentication?
View 1 Replies View RelatedI am trying to authenticate on Juniper NSM express using cisco ACS 5.2. The request is arriving at the cisco ACS but i am getting the following error.RADIUS requests can only be processed by Access Services that are of type Network Access.
View 4 Replies View RelatedI am having ACS 4.0.2 in my network, which I want to use for 802.1x Radius Authentication for Clients on PEAP-MSCHAPv2 methodology.As per the documentation " EAP Authentication with RADIUS Server", Doc ID: 44844.I have configured Network Configuration and populated AAA client IP range and Secret Key.
Question1: Under Authenticate Using option, there are various RADIUS flavors available for selection. For a Non Cisco AAA client, should I select RADIUS IETF?
Question 2: In the above snap shot, It has an option called Global Authentication Setup, where we can setup EAP configuration. Under PEAP subsection there is an option to "Allow EAP-MSCHAPv2" check box.After checking that, is a restart required to the ACS Server? Would it cause any disruptions to the existing services on the ACS?
I am trying to setup a RV042 for a Client VPN using AD / Radius authentication. When it was purchased I saw radiuslisted as a feature on it, but I'm not seeing a way to set this up.
[URL]
I have upgraded to the latest firrmware, I have a VPN working with accounts on the router that I manually create, but am not seeing anyplace to configure radius.
I have a 5508 controller running 7.4.100 and have a WLAN where I have radius configured. On my controller the client machine I'm using appears but the radius authentication doesn't appear to be working. Is there anything on the controller I can do to verify that the request is even being sent to my Microsoft IAS server? The log on the server doesn't show any requests from the controller so my early days guess is the controller isn't actually sending it.
View 3 Replies View Relatedhow to setup ACS 5.3 to authenticate wireless users over radius? I currently have the SSID pointing to a Microsoft IAS server and would like to move the authentication to be done via ACS.
View 1 Replies View RelatedCan the 2504 WLC be configured to work with one RADIUS Server for Authentication of Management Users and with a second server for 802.1x EAP-TLS certificate authentication for the end users.
Management Users will authenticate on RADIUS Server 1.Wireless End users will request 802.1x EAP-TLS authentication certificate from AAA server 2.
I have a problem with radius authentication on catalyst 2960 with freeradius as radius-server. The Catalyst is behind a HP5412zl layer3-switch. The rest of the network are hp-layer2 switches, which do radius authentication to the same radius server. The ios on the catalyst is c2960-lanbasek9-mz.150-1.SE3. Apparently there are no requests made to the radius-server, since I dont see any requests coming in. Port 0/7 is voice port with laptop behind , /port 0/8 access-port with laptop directly connected.
config :
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
!
!
!
interface FastEthernet0/1
[code]....
I have configured a Cisco 877 router to send RADIUS requests when a user logs in to the console (Line Console or Line VTY) using the following config:
aaa new-model
aaa authentication login default group radius
aaa authentication ppp default group radius
radius-server host 10.0.0.1 auth-port 1812 acct-port 1812 key mysharedkey
When I log the RADIUS packets I see that the Cisco router is sending the initial AccessRequest using PAP.
How can I configure the router to send it's inial AccessRequest packet using CHAP?
I'm a trainee in Network and Telecommunication, and I have to do a "model" with a controller, an AP, and a RADIUS server. Communication and configuration of the lightweight AP has been done.
I use an autonomous access point 1220 as the RADIUS server (no considering it as an AP), and I'm a beginner in RADIUS configuration. I get a "Processing AAA Error 'No Server' (-7) for mobile 00:24:d6:8f:2c:7e" when I launch a debug targetting my PC, connecting to the LAP.
Precursory : 10.137.125.71 is the IP address of the ap1220, working as the RADIUS server 10.137.125.15 is the IP address of the controller. 00:24:d6:8f:2c:7e is the MAC address of my PC, connecting to the Wi-Fi. ping works to the RADIUS, to the controller. Each devices are connected by a layer 3 Switch, and ping each others. The Wi-Fi works when I don't use 802.1X (or when I don't use RADIUS authentication at all)
What I did on the RADIUS server (ap1220 autonomous) :
aaa new-model
radius-server local
nas 10.137.125.15 key password
[Code]......
For some reason, i can't get the lobby "sponsors" to authentication to the Guest NAC server (2.0.2) using ACS 5.2 via Radius.I was able to figure out how to get the Guest NAC Radius Authentication for "Administrator" to work by adding custom Radius value IEFT-6 under...
Policy ElementsAuthorization & permissionsNetwork AccessAuthorization Profiles
I added a policy & under the Radius Attributes Tab... I manually entered an Attribute that looks like the following:
Dictionary Type: = RADIUS-IETFRadius Attribute: = Service-TypeAttribute Type: = EnumerationAttribute Value: = StaticValue = "Administrative"
I then created an Access Policy... I looked for a specific AD group - Result = "Name of Custom Policy Above"...
All of that is working just fine.... the NAC Guest Docs tell you the Radius server must return a value of IETF-6...
When it gets into the Sponsor section, it doesn't tell you the value your Radius server should return... so just for grins, instead of "Name of Custom Policy Above", I tried "Permit Access"... i tried the "Name of Custom Policy above"... Not sure what else to try to get this to work...
here is a like to the document i'm following: URL
Page 68 refers to the "Configuring Sponsor Authentication" for Radius.. it just tell you to add the Radius Server & change the authentication order.