topic hmmm, I did not get much in in Network Access Control

radius server accepts users only if username equals password

andbor600 — Mon, 11 Mar 2019 04:42:29 GMT

good day collegues,

I must have something wrong with configuration of my cisco devices. my accesspoint which is also a radius server rejects users if the username does not equal password.

did you come accross of that kind of issue before ? could you give me a hand with that ?

so as an example:

the output of the command: "test aaa group rad_eap test test legacy":

a) if username is "test" and password is set to "test" , then I got in return the message:

"Attempting authentication test to server-group rad_eap using radius
User was successfully authenticated."

b) but if username is "test" and password is set to "test123", then I got in return the message:

"Attempting authentication test to server-group rad_eap using radius
User authentication request was rejected by server"

the config of the device trying to connect to a radius-server:

-------------------------------------

Current configuration : 7606 bytes
!
! Last configuration change at 11:49:13 +0100 Sun May 11 2014
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP1
!
logging buffered 409600 notifications
logging rate-limit console 9
enable secret 5 xxx
!
aaa new-model
!
!
aaa group server radius rad_eap
server 10.10.10.3 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
server 10.10.10.3 auth-port 1812 acct-port 1813
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods group rad_mac
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
!
!
!
!
aaa session-id common
clock timezone +0100 1 0
clock save interval 8
no ip routing
ip domain name xx.xx
!
!
dot11 syslog
dot11 activity-timeout unknown default 18000
dot11 activity-timeout client default 18000 maximum 99999
dot11 vlan-name DMZ vlan 13
dot11 vlan-name service vlan 15
!
dot11 ssid guests
   vlan 13
   authentication open
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii 7 xxx
!
dot11 ssid isa
   vlan 11
   authentication open mac-address mac_methods eap eap_methods
   authentication network-eap eap_methods mac-address mac_methods
   authentication key-management wpa version 2
   mbssid guest-mode dtim-period 100
!
dot11 ids mfp distributor
dot11 ids mfp detector
dot11 ids mfp generator
dot11 network-map
dot11 arp-cache optional
eap profile leap
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2817640586
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2817640586
revocation-check none
rsakeypair TP-self-signed-2817640586
!
!
crypto pki certificate chain TP-self-signed-2817640586
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32383137 36343035 3836301E 170D3134 30343136 32303038
30385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 38313736
34303538 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100A733 79307386 2E8862FE 1146C09E 127D73D7 310EE458 8425BF93 EE61C865
DCBAE908 237B9211 48DB3EBA 23453C48 6E305E6D AF126A95 FC5F67A7 3CCA44BE
2C0F78D9 65107B3C 8A9CEA54 F2CC0F39 9ED4E927 AC5604C2 A6728936 A8292AC2
5D5B3C88 66D8CC92 05DEEC82 5FFF7D54 96D336E0 2AA4857E A9D72299 563CA72A
84C70203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 1427123B 2BFDD69C E735E02F 6EF73C47 DFEE8719 8F301D06
03551D0E 04160414 27123B2B FDD69CE7 35E02F6E F73C47DF EE87198F 300D0609
2A864886 F70D0101 05050003 81810085 DE81A2AA 8D2C8A8B 776630A9 196792BF
9DFC91DC A74A18DF 17F4BD8F 5882CFAD 79807290 E866330B F640FF49 708E636B
D5DBDE7D 81A10122 EA002533 C70F5FD6 C2571D27 15C4664B B9777D22 937ECF29
9F46570A CDA31885 1ADDF8F7 3E0DF4D4 26DCC671 00871029 65DF9B65 0D89B42F
95BC2224 BE8C3877 007C3F93 C696DE
quit
username admin privilege 15 secret 5 xxx
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 11 mode ciphers aes-ccm
!
encryption vlan 13 mode ciphers aes-ccm
!
encryption vlan 15 mode ciphers aes-ccm
!
ssid guests
!
ssid isa
!
antenna gain 0
stbc
mbssid
packet retries 128
channel least-congested 2412 2417 2422
station-role root
rts retries 1
beacon period 20
beacon dtim-period 1
l2-filter bridge-group-acl
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.11
encapsulation dot1Q 11
no ip route-cache
bridge-group 11
bridge-group 11 subscriber-loop-control
bridge-group 11 spanning-disabled
bridge-group 11 block-unknown-source
no bridge-group 11 source-learning
no bridge-group 11 unicast-flooding
!
interface Dot11Radio0.13
encapsulation dot1Q 13
no ip route-cache
bridge-group 13
bridge-group 13 subscriber-loop-control
bridge-group 13 spanning-disabled
bridge-group 13 block-unknown-source
no bridge-group 13 source-learning
no bridge-group 13 unicast-flooding
!
interface Dot11Radio0.15
encapsulation dot1Q 15
no ip route-cache
bridge-group 15
bridge-group 15 subscriber-loop-control
bridge-group 15 spanning-disabled
bridge-group 15 block-unknown-source
no bridge-group 15 source-learning
no bridge-group 15 unicast-flooding
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption vlan 11 mode ciphers aes-ccm
!
ssid isa
!
antenna gain 0
no dfs band block
stbc
mbssid
packet retries 128
channel 5200
station-role root
rts retries 1
beacon period 20
beacon dtim-period 1
l2-filter bridge-group-acl
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.11
encapsulation dot1Q 11
no ip route-cache
bridge-group 11
bridge-group 11 subscriber-loop-control
bridge-group 11 spanning-disabled
bridge-group 11 block-unknown-source
no bridge-group 11 source-learning
no bridge-group 11 unicast-flooding
!
interface Dot11Radio1.13
encapsulation dot1Q 13
no ip route-cache
bridge-group 13
bridge-group 13 subscriber-loop-control
bridge-group 13 spanning-disabled
bridge-group 13 block-unknown-source
no bridge-group 13 source-learning
no bridge-group 13 unicast-flooding
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface GigabitEthernet0.11
encapsulation dot1Q 11
no ip route-cache
bridge-group 11
bridge-group 11 spanning-disabled
no bridge-group 11 source-learning
!
interface GigabitEthernet0.13
encapsulation dot1Q 13
no ip route-cache
bridge-group 13
bridge-group 13 spanning-disabled
no bridge-group 13 source-learning
!
interface GigabitEthernet0.15
encapsulation dot1Q 15
no ip route-cache
bridge-group 15
bridge-group 15 spanning-disabled
no bridge-group 15 source-learning
!
interface BVI1
ip address 10.10.10.2 255.255.255.0
no ip route-cache
!
ip default-gateway 10.10.10.1
ip http server
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 86400
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
logging history size 500
logging trap notifications
access-list 701 permit c8f7.3301.7f43   0000.0000.0000
access-list 701 deny   0000.0000.0000   ffff.ffff.ffff
radius-server local
nas 10.10.10.1 key 7 xxx
nas 10.10.10.253 key 7 xxx
nas 10.10.10.3 key 7 xxx
!
radius-server host 10.10.10.3 auth-port 1812 acct-port 1813 key 7 xxx
radius-server vsa send accounting
!
bridge 1 route ip
!
!
!
line con 0
length 34
line vty 0 4
session-timeout 35791
exec-timeout 35791 0
length 34
transport input all
!
sntp server 10.10.10.1
end

---------------------------------

and below the config of the cisco Ap, which is a radius-server:

------------------------

Building configuration...

Current configuration : 7677 bytes
!
! Last configuration change at 11:49:09 +0100 Sun May 11 2014
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname APx
!
!
logging rate-limit console 9
enable secret 5 xxx
!
aaa new-model
!
!
aaa group server radius rad_eap
server 10.10.10.3 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
server 10.10.10.3 auth-port 1812 acct-port 1813
!
aaa group server radius rad_acct
!
aaa group server tacacs+ tac_admin
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods group rad_mac
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
!
!
!
!
aaa session-id common
clock timezone +0100 1 0
no ip routing
no ip cef
ip domain name ml-ab.pl
!
!
!
dot11 syslog
dot11 vlan-name HOME vlan 11
dot11 vlan-name service vlan 15
!
dot11 ssid isa
   vlan 11
   authentication open mac-address mac_methods eap eap_methods
   authentication network-eap eap_methods mac-address mac_methods
   authentication key-management wpa version 2
   mbssid guest-mode
!
dot11 ssid service
   vlan 15
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa version 2
   mbssid guest-mode
!
!
dot11 network-map
dot11 arp-cache
eap profile leap
!
eap profile tls
!
eap profile fast
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-4134675474
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4134675474
revocation-check none
rsakeypair TP-self-signed-4134675474
!
!
crypto pki certificate chain TP-self-signed-4134675474
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34313334 36373534 3734301E 170D3933 30333031 30303236
31335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 31333436
37353437 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B2D8 A7342171 9FC96AEE 51CD6F6F D8E84484 EB582B9F B4F650FD 023ADF2E
415EE3DF 2F267472 D11459D9 4373B2AC B46CFB6E FC095340 2262B97F E0CC377C
B31151A9 D5E97960 21BE9E67 CF9CF4FA F5190FA1 D118E812 BD7750EE BC59D5DB
EA96FC3B 5C17D2C1 AE9F24B2 2DEE330F 8F5322ED B4E3836F D4AC80E0 9FB34080
19D50203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 140659F1 243DBE3B B47C785A 2739F683 483820C7 52301D06
03551D0E 04160414 0659F124 3DBE3BB4 7C785A27 39F68348 3820C752 300D0609
2A864886 F70D0101 05050003 8181004B 64716D8B 85FACCA2 79D9322C 239A792A
E0B88C94 8C6A75F6 BB04298F E65494BA 389A0F91 17A4F8B9 41C14D8C 3CEBD373
DAEF6275 ACE89E6F 2D5B8DE1 41C64497 9744D53D B7A6171A 893BF5C9 E0C0EBB0
4E067B0A 5354B063 9390FB16 C7E3F09C ECD25412 CADB4B02 4426B879 FE504D42
56B37D9D A75ED6C8 1D8AE81F B8E1F4
quit
username admin privilege 15 secret 5 $xxx.
!
!
bridge irb
!
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 11 mode ciphers aes-ccm
!
encryption vlan 15 mode ciphers aes-ccm
!
ssid isa
!
ssid service
!
antenna gain 0
stbc
mbssid
channel least-congested 2462 2467 2472
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.11
encapsulation dot1Q 11
no ip route-cache
bridge-group 11
bridge-group 11 subscriber-loop-control
bridge-group 11 spanning-disabled
bridge-group 11 block-unknown-source
no bridge-group 11 source-learning
no bridge-group 11 unicast-flooding
!
interface Dot11Radio0.15
encapsulation dot1Q 15
no ip route-cache
bridge-group 15
bridge-group 15 subscriber-loop-control
bridge-group 15 spanning-disabled
bridge-group 15 block-unknown-source
no bridge-group 15 source-learning
no bridge-group 15 unicast-flooding
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption vlan 11 mode ciphers aes-ccm
!
ssid isa
!
antenna gain 0
no dfs band block
stbc
mbssid
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.11
encapsulation dot1Q 11
no ip route-cache
bridge-group 11
bridge-group 11 subscriber-loop-control
bridge-group 11 spanning-disabled
bridge-group 11 block-unknown-source
no bridge-group 11 source-learning
no bridge-group 11 unicast-flooding
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface GigabitEthernet0.11
encapsulation dot1Q 11
no ip route-cache
bridge-group 11
bridge-group 11 spanning-disabled
no bridge-group 11 source-learning
!
interface GigabitEthernet0.15
encapsulation dot1Q 15
no ip route-cache
bridge-group 15
bridge-group 15 spanning-disabled
no bridge-group 15 source-learning
!
interface BVI1
ip address 10.10.10.3 255.255.255.0
no ip route-cache
!
ip default-gateway 10.10.10.1
ip forward-protocol nd
ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
radius-server local
nas 10.10.10.3 key 7 xxx
nas 10.10.10.1 key 7 xxx
nas 10.10.10.2 key 7 xxx

user test nthash 7 xxx

!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.10.10.3 auth-port 1812 acct-port 1813 key 7 xxx

radius-server vsa send accounting
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
session-timeout 35791
exec-timeout 35791 0
transport input all
!
sntp server 10.10.10.1
sntp broadcast client
end

Hey,What Radius server are

edwardcollins7 — Tue, 20 May 2014 06:58:18 GMT

Hey,

What Radius server are you using?

Rate if Useful 🙂

Sharing knowledge makes you Immortal.

Regards,

radius server located within

andbor600 — Thu, 22 May 2014 20:11:14 GMT

radius server located within my access-point.

The Cisco AP cannot be a

edwardcollins7 — Fri, 23 May 2014 06:02:46 GMT

The Cisco AP cannot be a Radius server, it can send radius requests as a client to an external server.

Which SSID are you using ?

Could you share the configuration within "rad_eap test" radius group?

Rate if Useful 🙂

Sharing knowledge makes you Immortal.

Regards,

ok. I did not know that.SSID

andbor600 — Tue, 27 May 2014 17:57:47 GMT

ok. I did not know that.

SSID "isa" is used for Radius authentication.

"rad_eap" radius group is shown above (AP config)

After correlating your

edwardcollins7 — Wed, 28 May 2014 07:04:09 GMT

After correlating your configuration, this is what is relevant:

aaa group server radius rad_eap
server 10.10.10.3 auth-port 1812 acct-port 1813

dot11 ssid isa
   vlan 11
   authentication open mac-address mac_methods eap eap_methods
   authentication network-eap eap_methods mac-address mac_methods
   authentication key-management wpa version 2
   mbssid guest-mode

aaa authentication login eap_methods group rad_eap

Now, the question is , which device is "10.10.10.3" ?

Rate if Useful 🙂

Sharing knowledge makes you Immortal.

Regards,

ok. now I am with you. right.

andbor600 — Thu, 29 May 2014 17:37:46 GMT

ok. now I am with you. right. this is the same device. "10.10.10.3" is an AP.

Now its starting to make

edwardcollins7 — Fri, 30 May 2014 07:04:25 GMT

Now its starting to make sense.

Let us try to work this out together, could you tell me AP model?

"10.10.10.3"

Regards

AP2602i SAP (stand alone)

andbor600 — Fri, 30 May 2014 08:23:32 GMT

AP2602i SAP (stand alone)

Could you collect "debug

edwardcollins7 — Fri, 30 May 2014 14:34:27 GMT

Could you collect "debug radius authentication" and " debug radius local-server client" from the Radius server AP?

Regards

hmmm, I did not get much in

andbor600 — Sun, 01 Jun 2014 05:08:01 GMT

hmmm, I did not get much in return ...

this is what was output:

----------------

Jun 1 06:03:45.791: RADSRV: Client test password failed
Jun 1 06:03:45.791: RADSRV 10.10.10.2< Code 3 Id 4A Len 88
Jun 1 06:03:45.791:   Auth 22F10EFB 11CDBBDF F415809E B12642DE
Jun 1 06:03:45.791:   24 - 05 15 63 D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D9 57 22 E2 0B 63 ED E9 28 E3 A3 89 14 DE 89 86
Jun 1 06:03:45.791:   80 - FF 4A 85 AD 92 B6 1A 22 C3 02 79 8A DC 06 57 E8
-----------------

Was this on the server side

edwardcollins7 — Mon, 02 Jun 2014 07:15:54 GMT

Was this on the server side or client side AP?

http://www.cisco.com/c/en/us/support/docs/wireless/aironet-1100-series/44100-leaplocalauth.html#configproc

I am referring this.

Rate if Useful 🙂

Sharing knowledge makes you Immortal.

Regards,

this is of course on server

andbor600 — Mon, 02 Jun 2014 16:34:57 GMT

this is of course on server side.

I have the same problem. I

Ramon Jimenez — Mon, 16 Feb 2015 19:40:14 GMT

I have the same problem.

I read and followed the following link in order to configure an AP as a local Radius server.

http://www.cisco.com/c/en/us/td/docs/wireless/access_point/12-2_15_JA/configuration/guide/i12215sc/s15local.html

It should be possible.