topic Re: Cisco Radius Config in Network Access Control

Cisco Radius Config

CharlesMcLaine — Mon, 11 Mar 2019 02:06:04 GMT

So I've read about 2 weeks of posts trying to figure this out and read multiple guides to no avail. So i'm hoping it's a stupid mistake. First here is my AP config.

ap#sh run

Building configuration...

Current configuration : 1750 bytes

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

hostname ap

logging rate-limit console 9

enable secret 5 $1$ONQR$Qrzcg9Lyrt2tFlyki7Qr4/

aaa new-model

aaa group server radius rad_eap

server 10.10.11.200 auth-port 1812 acct-port 1813

aaa authentication login eap_methods group rad_eap

aaa session-id common

dot11 syslog

dot11 ssid syrushcw

authentication open eap eap_methods

authentication key-management wpa version 2

guest-mode

username Cisco password 7 1531021F0725

bridge irb

interface Dot11Radio0

no ip address

no ip route-cache

encryption mode ciphers aes-ccm

encryption vlan 1 mode ciphers aes-ccm

ssid syrushcw

antenna gain 0

speed basic-11.0 basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.

channel 2437

station-role root

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

interface GigabitEthernet0

no ip address

no ip route-cache

duplex auto

speed auto

no keepalive

bridge-group 1

no bridge-group 1 source-learning

bridge-group 1 spanning-disabled

interface BVI1

ip address 10.10.11.100 255.255.252.0

no ip route-cache

ip http server

no ip http secure-server

ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag

ip radius source-interface BVI1

radius-server host 10.10.11.200 auth-port 1812 acct-port 1813 key 7 12092504011C5C162E

bridge 1 route ip

line con 0

line vty 0 4

end

ap#

I do not know if the problem is on the AP or NPS server. I've read things such as worked fine on 2008 but exported and imported the config on 2008R2 and did not work. I am of course running 2008 R2. I've alse read NPS expects to get credentials in MD5-CHAP but cisco sends in Plain Text. I Know the client and server are talking since if I make a change on the server the cliet error is diffrent. Example

ap#test aaa group rad_eap cmclaine password legacy

Attempting authentication test to server-group rad_eap using radius

No authoritative response from any server.

If I uncheck Access-Request message must contain the Message-Authenticator attribute under Radius Clients Properties in NPS I get.

ap#test aaa group rad_eap cmclaine password legacy

Attempting authentication test to server-group rad_eap using radius

User authentication request was rejected by server.

In even viewer I see events such as Event ID 17 " An Access-Request was recieved from Radius client 10.10.11.100 without a Message-Authenticator attribute when a Message-Authenticator attribute is required."

I do not know if it matters I am running this on a Virtual Machine; I've tried both Virtual Box and Hyper-V. The virtual Machine has the fireall turned off, the only reason I bring this up; is when I do a netstat there are no connections to port 1812 or 1813.

I appreciate any help, thanks!

Cisco Radius Config

Jatin Katyal — Sat, 19 May 2012 03:01:35 GMT

Since you're getting, an Access-Request was recieved from Radius client 10.10.11.100 without a Message-Authenticator attribute when a Message-Authenticator attribute is required.

On the NPS, could you uncheck the check-box as " Access-Request messages must contain the Message-Authenticator attribute". After that look inside the event viewer logs again.

Do let me know.

Regards,

Jatin

Cisco Radius Config

CharlesMcLaine — Sat, 19 May 2012 11:30:01 GMT

When I uncheck the box, on the AP I get

"Attempting authentication test to server-group rad_eap using radius

User authentication request was rejected by server."

But no event on the Server which I thought was bizzare.

Cisco Radius Config

Jatin Katyal — Sat, 19 May 2012 18:37:38 GMT

Where exectly are we looking for logs in the event viewer?

When you run a test command from any NAS device that actually uses PAP as an authentication method. I doubt if we have enabled the same method under network policy.

Since we're getting access-reject from the radius server so server logs will surely help us.

Also, we can get debugs from the AP to see if it shows something.

debug aaa authentication

debug radius

Regards,

Jatin

Re: Cisco Radius Config

CharlesMcLaine — Sat, 19 May 2012 20:47:40 GMT

Debug gives nothing

ap#debug aaa authentication

AAA Authentication debugging is on

ap#debug radius

Radius protocol debugging is on

Radius protocol brief debugging is off

Radius protocol verbose debugging is off

Radius packet hex dump debugging is off

Radius packet protocol debugging is on

Radius elog debugging debugging is off

Radius packet retransmission debugging is off

Radius server fail-over debugging is off

Radius elog debugging debugging is off

ap#test aaa group rad_eap cmclaine password legacy

Attempting authentication test to server-group rad_eap using radius

User authentication request was rejected by server.

ap#test aaa group rad_eap cmclaine password legacy

Attempting authentication test to server-group rad_eap using radius

User authentication request was rejected by server.

ap#test aaa group rad_eap cmclaine password legacy

Attempting authentication test to server-group rad_eap using radius

User authentication request was rejected by server.

ap#test aaa group rad_eap cmclaine password legacy

Attempting authentication test to server-group rad_eap using radius

No authoritative response from any server.

Here is the event I'm looking at, no new logs appear when I uncheck Access-Request.

I am using PAP also

Cisco Radius Config

Jatin Katyal — Sat, 19 May 2012 20:56:10 GMT

Seems like you ran those commands while connected through telnet/ssh.

We should turn on

terminal monitor

regards,

Jatin

Re: Cisco Radius Config

CharlesMcLaine — Sat, 19 May 2012 21:15:36 GMT

ap#test aaa group rad_eap cmclaine password legacy

Attempting authentication test to server-group rad_eap using radius

*Mar 22 02:41:37.669: AAA: parse name= idb type=-1 tty=-1

*Mar 22 02:41:37.669: AAA/MEMORY: create_user (0x234C804) user='cmclaine' ruser= 'NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 init ial_task_id='0', vrf= (id=0)

*Mar 22 02:41:37.669: RADIUS: Pick NAS IP for u=0x234C804 tableid=0 cfg_addr=10. 10.11.100

*Mar 22 02:41:37.669: RADIUS: ustruct sharecount=1

*Mar 22 02:41:37.669: Radius: radius_port_info() success=0 radius_nas_port=1

*Mar 22 02:41:37.670: RADIUS(00000000): Send Access-Request to 10.10.11.200:1812 id 1645/6, len 60

*Mar 22 02:41:37.670: RADIUS: authenticator 44 BE 1F 29 EB 13 91 18 - A6 75 47 2E 74 69 5C 1D

*Mar 22 02:41:37.670: RADIUS: NAS-IP-Address [4] 6 10.10.11.100

*Mar 22 02:41:37.670: RADIUS: NAS-Port-Type [61] 6 Async [0]

*Mar 22 02:41:37.670: RADIUS: User-Name [1] 10 "cmclaine"

*Mar 22 02:41:37.670: RADIUS: User-Password [2] 18 *

*Mar 22 02:41:42.162: RADIUS: Retransmit to (10.10.11.200:1812,1813) for id 1645/6

*Mar 22 02:41:46.482: RADIUS: Retransmit to (10.10.11.200:1812,1813) for id 1645/6

*Mar 22 02:41:50.802: RADIUS: Retransmit to (10.10.11.200:1812,1813) for id 1645/6No authoritative response from any server.

ap#

*Mar 22 02:41:55.602: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.10.11.200:1812,1813 is not responding.

*Mar 22 02:41:55.602: RADIUS: Tried all servers.

*Mar 22 02:41:55.602: RADIUS: No valid server found. Trying any viable server

*Mar 22 02:41:55.602: RADIUS: Tried all servers.

*Mar 22 02:41:55.602: RADIUS: No response from (10.10.11.200:1812,1813) for id 1645/6

*Mar 22 02:41:55.602: RADIUS: No response from server

*Mar 22 02:41:55.603: AAA/MEMORY: free_user (0x234C804) user='cmclaine' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)

*Mar 22 02:41:55.603: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.10.11.200:1812,1813 is being marked alive.

Re: Cisco Radius Config

Jatin Katyal — Sat, 19 May 2012 21:38:07 GMT

Let's troubleshoot while we have that option unchecked.

Can you send me the screen shots of radius client and network policy.

Re: Cisco Radius Config

Jatin Katyal — Sat, 19 May 2012 21:53:57 GMT

When you see an access-reject from any radius server that indicates that the request has been processed by radius. If we don't see any corresponsing logs in the event viewer then there could be an issues with logging/NPS.

This is what I found in my google search.

http://social.technet.microsoft.com/Forums/nl/winserverNAP/thread/c32b4ad2-118b-4368-9bce-11560668d368

Also, NPS records connection request failure events in the System and Security event logs by default. For the radius access-reject, please check the logs in the above suggested location.

http://technet.microsoft.com/en-us/library/cc753898%28v=ws.10%29.aspx

Re: Cisco Radius Config

CharlesMcLaine — Sat, 19 May 2012 22:58:03 GMT

Re: Cisco Radius Config

CharlesMcLaine — Sun, 20 May 2012 01:43:28 GMT

Interesting problem now, I do not know if the AP is bad, but when I ping from the AP to NPS ping either works 0% or 20%. It can ping some other IP just fine. Now the interesting part is the NPS can ping the AP no problem.

ap#ping 10.10.11.200

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.11.200, timeout is 2 seconds:

!....

Success rate is 20 percent (1/5), round-trip min/avg/max = 2/2/2 ms

ap#ping 10.10.8.12

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.8.12, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Here is an example, 10.10.8.12 is a host os Windows 7 and 10.10.11.200 is the guest os 2008R2.

ap#ping 10.10.8.12

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.8.12, timeout is 2 seconds:

!....

Success rate is 20 percent (1/5), round-trip min/avg/max = 2/2/2 ms

Spoke to soon.

Re: Cisco Radius Config

Jatin Katyal — Sun, 20 May 2012 09:53:31 GMT

I went through your last post wherein you've uploaded all the settings. looking at second last screen shot. I see you've lots of conditions defined. I'd like you to try this:

Keep this option unchecked "Access-Request message must contain the Message-Authenticator attribute" under Radius Clients Properties in NPS

Remove all the conditions from condition tab like Nas Port-type, User groups (domain admin and domain groups), Allowed EAP Types.

Add NAS-IP-ADDRESS= 10.10.11.100 instead.

Click OK And restart NPS service.

Try again from test command, it should work now.

NOTE: When you run test command, it actually uses NAS-PORT type= async, authentication method=PAP. However, those options are not selecetd in your network policy.

Once it starts working for you. We'll configure only for wireless authentication.

Let me know how it goes.

Regards,

Jatin

Do rate helpful posts-

Re: Cisco Radius Config

CharlesMcLaine — Sun, 20 May 2012 11:13:22 GMT

No such luck.

ap#test aaa group rad_eap cmclaine password legacy

Attempting authentication test to server-group rad_eap using radius

User authentication request was rejected by server.

ap#

*Mar 22 16:15:47.200: AAA: parse name= idb type=-1 tty=-1

*Mar 22 16:15:47.200: AAA/MEMORY: create_user (0x234A53C) user='cmclaine' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)

*Mar 22 16:15:47.201: RADIUS: Pick NAS IP for u=0x234A53C tableid=0 cfg_addr=10.10.100.10

*Mar 22 16:15:47.201: RADIUS: ustruct sharecount=1

*Mar 22 16:15:47.201: Radius: radius_port_info() success=0 radius_nas_port=1

*Mar 22 16:15:47.201: RADIUS(00000000): Send Access-Request to 10.10.11.200:1812 id 1645/10, len 60

*Mar 22 16:15:47.202: RADIUS: authenticator C7 AC 1E 9F D2 40 C3 FD - 30 34 DF 7D 7D 4C FD 9D

*Mar 22 16:15:47.202: RADIUS: NAS-IP-Address [4] 6 10.10.100.10

*Mar 22 16:15:47.202: RADIUS: NAS-Port-Type [61] 6 Async [0]

*Mar 22 16:15:47.202: RADIUS: User-Name [1] 10 "cmclaine"

*Mar 22 16:15:47.202: RADIUS: User-Password [2] 18 *

*Mar 22 16:15:47.206: RADIUS: Received from id 1645/10 10.10.11.200:1812, Access-Reject, len 20

*Mar 22 16:15:47.206: RADIUS: authenticator 3E A6 54 ED A5 6A BA D1 - 30 87 C9 B2 76 8F 0A BA

*Mar 22 16:15:47.206: RADIUS: saved authorization data for user 234A53C at 0

*Mar 22 16:15:47.207: AAA/MEMORY: free_user (0x234A53C) user='cmclaine' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)

ap#u all

All possible debugging has been turned off

ap#test aaa group rad_eap cmclaine Password legacy

Attempting authentication test to server-group rad_eap using radius

User authentication request was rejected by server.

Should I be worrying about ethernet connectivity?

Re: Cisco Radius Config

Jatin Katyal — Sun, 20 May 2012 12:25:12 GMT

you should not because I do see access-reject coming back from radius server in the debugs.

*Mar 22 16:15:47.206: RADIUS: Received from id 1645/10 10.10.11.200:1812, Access-Reject, len 20

This indicates that the access-request parameters are not matching the network access policy parameters.

Did you check the NPS logs under event viewer under system and security tab.

Regards,

Jatin

Re: Cisco Radius Config

CharlesMcLaine — Sun, 20 May 2012 12:59:19 GMT

I changed the logging no NPS even in Security but I am getting this.

An account was logged off.

Subject:

Security ID: SYSTEM

Account Name: SYRUS-DC$

Account Domain: SYRUSHCW

Logon ID: 0x2e6e05

Logon Type: 3

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

Re: Cisco Radius Config

Jatin Katyal — Sun, 20 May 2012 15:43:15 GMT

I'm sure that the issue is within the access-policy. In order to eliminate that could you please delete the existing policy and create a nerw one.

Create a network Policy as follows;

a. Right click network policies and click new

b. Type a policy name accept the defaults and click next

c. Add a condition (use NAS-IP-ADDRESS= AP BVI interface IP), click next

d. Make sure the access granted radio button is selected and hit next

e. Select the “Unencrypted authentication (PAP, SPAP)” and unselect the rest

f. Select NO on the annoying help box

g. Finally select next then next and finish to complete.

NOTE: Move this policy on the top of the list.

Also, make sure we have shared secret between AP and NPS is correct.

Regards,

Jatin

Re: Cisco Radius Config

CharlesMcLaine — Sun, 20 May 2012 19:50:35 GMT

Removed all other policies, created the new one. Ranked it 1st. Still didn't work

*Mar 22 13:47:35.393: %SYS-5-CONFIG_I: Configured from console by Cisco on vty0 (192.168.2.149)

Attempting authentication test to server-group rad_eap using radius

*Mar 22 13:47:39.245: AAA: parse name= idb type=-1 tty=-1

*Mar 22 13:47:39.245: AAA/MEMORY: create_user (0x22FAAC0) user='cmclaine' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)

*Mar 22 13:47:39.246: RADIUS: Pick NAS IP for u=0x22FAAC0 tableid=0 cfg_addr=10.10.11.100

*Mar 22 13:47:39.246: RADIUS: ustruct sharecount=1

*Mar 22 13:47:39.246: Radius: radius_port_info() success=0 radius_nas_port=1

*Mar 22 13:47:39.246: RADIUS(00000000): Send Access-Request to 10.10.11.200:1812 id 1645/8, len 60

*Mar 22 13:47:39.247: RADIUS: authenticator 9E 87 BE 56 42 37 7D F7 - B6 1B F9 07 04 11 24 99

*Mar 22 13:47:39.247: RADIUS: NAS-IP-Address [4] 6 10.10.11.100

*Mar 22 13:47:39.247: RADIUS: NAS-Port-Type [61] 6 Async [0]

*Mar 22 13:47:39.247: RADIUS: User-Name [1] 10 "cmclaine"

*Mar 22 13:47:39.247: RADIUS: User-Password [2] 18 *

*Mar 22 13:47:44.695: RADIUS: Retransmit to (10.10.11.200:1812,1813) for id 1645/8

*Mar 22 13:47:49.657: RADIUS: Retransmit to (10.10.11.200:1812,1813) for id 1645/8

*Mar 22 13:47:54.041: RADIUS: Retransmit to (10.10.11.200:1812,1813) for id 1645/8No authoritative response from any server.

ap#

*Mar 22 13:47:58.713: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.10.11.200:1812,1813 is not responding.

*Mar 22 13:47:58.713: RADIUS: Tried all servers.

*Mar 22 13:47:58.713: RADIUS: No valid server found. Trying any viable server

*Mar 22 13:47:58.714: RADIUS: Tried all servers.

*Mar 22 13:47:58.714: RADIUS: No response from (10.10.11.200:1812,1813) for id 1645/8

*Mar 22 13:47:58.714: RADIUS: No response from server

*Mar 22 13:47:58.714: AAA/MEMORY: free_user (0x22FAAC0) user='cmclaine' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)

*Mar 22 13:47:58.715: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.10.11.200:1812,1813 is being marked alive.

Re: Cisco Radius Config

CharlesMcLaine — Sun, 20 May 2012 19:54:03 GMT

Maybe I was being impatient.

ap#test aaa group rad_eap cmclaine password legacy

Attempting authentication test to server-group rad_eap using radius

User was successfully authenticated.

Thanks!

Re: Cisco Radius Config

Jatin Katyal — Sun, 20 May 2012 20:03:29 GMT

That's a good new!

Since users are now authenticating, please add only those restrictions which are needed.

In your case, you should only add windows groups.

feel free to post anything that may let you think again.

Regards,

Jatin

Hi guys , I

Mohsin Hussain — Wed, 15 Apr 2015 09:18:07 GMT

Hi guys ,

I was also facing the same problem but my Radius Server is Windows 2012 NPS and Radius clients are NX-OS and IOS , so there was a friendly name mistake.

I recreate the Network policy with friendly name eg : DC_? and rest of the configure is same .

Previously it was specific like DC_RK01_NAS1 and I change it to DC_? and its working fine now ...User is successfully 🙂

I know issue is fixed for you but its for others who still getting is problem and find the solution.