ACS 4.0.2 Radius Authentication Setup

Dear Experts,

I have ACS 4.0.2 in my network, which I want to use for 802.1x RADIUS authentication of clients using the PEAP-MSCHAPv2 method.

As per the documentation "EAP Authentication with RADIUS Server", Doc ID: 44844

I have configured Network Configuration and populated AAA client IP range and Secret Key.

Question1:

Under Authenticate Using option, there are various RADIUS flavors available for selection. For a Non Cisco AAA client, should I select RADIUS IETF?


Question 2:

In the above snapshot, there is an option called Global Authentication Setup, where we can set up the EAP configuration. Under the PEAP subsection there is an "Allow EAP-MSCHAPv2" check box.

After checking that, is a restart required to the ACS Server? Would it cause any disruptions to the existing services on the ACS?

Kindly help as it is not mentioned in the documentation available with me.

Regards,

Karthik


3 Replies

camejia, Level 3

Hello,

Question 1:

Usually 3rd-Party devices should comply with the RADIUS standards. In that case selecting RADIUS (IETF) should be fine. If specific 3rd-Party attributes (for example VLAN IDs) are required then you should contact the 3rd-Party device support in order to confirm if a RADIUS Dictionary has to be added to the RADIUS server in order to send specific Vendor Attributes.

NOTE: We can add RADIUS Dictionaries to the ACS in the above described case but you will need the appropriate dictionary file usually provided by the 3rd-Party device support.

Question 2:

In order to enable PEAP or any other EAP method on the ACS 4.x we need to use the Submit+Apply option. The ACS services will be restarted (RADIUS and Auth services). In a common scenario it should take less than a minute for the ACS to apply the changes. It is not a server reboot but a services restart instead.

Hope this helps.

Regards.

Hi Carlos,

Many thanks for the reply. I am facing another issue. I have followed the above steps, but my client authentication is failing. I am getting Message Type as "Bad request from NAS" and Authen-Failure-Code as "Invalid message authenticator in EAP request".

From some blogs I could gather that this could be because of a Shared Secret mismatch between the RADIUS client and the RADIUS server. I have re-verified on both sides and it is matching.

But there is a Key Encryption field below the Shared Key, with ASCII and HEXA options. If I want to simplify my usage, can you please share the easiest way to do so?

Appreciate your response.

Hello,

As for the ASCII and HEXA settings, you might want to ignore those fields and leave them at their defaults.

As for "Bad request from NAS" and "Invalid message authenticator in EAP request", 99% of the time it is a Shared Secret mismatch.

Under ACS Interface Configuration > Advanced Options, is the Network Device Groups option enabled? If yes, please check the Shared Secret Key at the NDG level where the device was created. Remember the NDG Shared Secret takes precedence over the one configured on the AAA Client entry itself.

Attaching an Example:

AAA client with Shared Secret as "Cisco123":

NDG Entry (which allocates AAA clients) with Shared Secret as "cisco"

In order to check the NDG Shared Secret go to Network Configuration > click the appropriate NDG > scroll to the bottom and click on Edit Properties:

Hope this helps.

Regards.
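Added here as an illustration of why a shared-secret mismatch shows up as "Invalid message authenticator in EAP request": this is not code from the thread or from ACS, only a minimal re-implementation of the RFC 3579 Message-Authenticator check (HMAC-MD5 keyed with the shared secret over the Access-Request, with the attribute value zeroed). The EAP Identity payload, the username and the fixed Request Authenticator are constructed sample data; the two secrets are the ones from the NDG example above.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80

def _attr(attr_type, value):
    # RADIUS attribute TLV: type, length (header included), value
    return bytes([attr_type, len(value) + 2]) + value

def build_access_request(identifier, authenticator, username, eap_payload, secret):
    """NAS side: Access-Request carrying an EAP-Message, signed per RFC 3579."""
    attrs = _attr(ATTR_USER_NAME, username) + _attr(ATTR_EAP_MESSAGE, eap_payload)
    # The HMAC-MD5 is computed with the Message-Authenticator value set to 16 zero bytes
    zeroed = attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(zeroed)) + authenticator
    mac = hmac.new(secret, header + zeroed, hashlib.md5).digest()
    return header + attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, mac)

def verify_message_authenticator(packet, secret):
    """Server side: True only if the HMAC matches under this shared secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, attrs = packet[:20], packet[20:]
    zeroed, received, pos = b"", None, 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            return False  # malformed attribute
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            received = attrs[pos + 2:pos + alen]
            zeroed += _attr(atype, bytes(16))
        else:
            zeroed += attrs[pos:pos + alen]
        pos += alen
    if received is None:
        return False  # RFC 3579 requires it whenever EAP-Message is present
    expected = hmac.new(secret, header + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)

EAP_IDENTITY = bytes([2, 1, 0, 12, 1]) + b"karthik"  # constructed EAP Identity Response (code 2, id 1, len 12, type 1)
REQ_AUTH = bytes(range(16))  # constructed Request Authenticator; a real NAS uses random bytes

def shared_secret_check(nas_secret, acs_secret):
    """Sign as the NAS with one secret, verify as the RADIUS server with another."""
    pkt = build_access_request(1, REQ_AUTH, b"karthik", EAP_IDENTITY, nas_secret)
    return verify_message_authenticator(pkt, acs_secret)
```

With the NAS configured for "Cisco123" and the server's NDG entry still holding "cisco", the HMAC does not match and the server can only reject the packet, which is exactly the failure the thread describes.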