
Aironet 1200 and ACS 3.2 Issue

joveroc
Level 1

I have been using ACS 3.2 for some time now and use it to authenticate users on all of my switches and routers. However, I am now trying to set up an Aironet 1200 access point to authenticate to the ACS with RADIUS and find myself stumped as to why it fails every single time. I did a packet trace on the ACS server and found that it is indeed responding to the RADIUS requests with an accept packet, but the AP still kicks me out of the interface. Has anyone ever run into a similar situation? Any suggestions or comments will be greatly appreciated.

4 Replies

scottosan
Level 1

What does your config look like? It should be similar to this, assuming you are using ACS to authenticate administrative users, not for wireless authentication.

aaa authentication login default group radius line

aaa authentication login console group radius line

aaa authorization console

aaa authorization exec default group radius

That is the config that is currently in the AP. However there is also the directive:

ip http authentication aaa

in the config as well to authenticate the web interface, which is what I have been trying to use. However, whether I am using SSH or HTML to access the AP, they both fail after the ACS 'accepts' my login. Local users work perfectly in this setup.

OK, I know the exact same problem that you are talking about. I think the problem is that you are authenticating but not authorizing and getting the proper privilege levels. I think that is the one advantage of using TACACS+ over RADIUS: the added flexibility of assigning privilege levels and shell command authorizations per user. I was unable to find a fix and eventually rolled over and now use TACACS+. You will notice in the group settings on ACS that there are advanced TACACS+ settings. If you decide to go the TACACS+ method, I can give you more info, but as far as RADIUS goes, I do not know the workaround for the HTTP authentication. Sorry I could not be more help.

OK, that makes sense, I will roll over to TACACS and see what happens. However, I cannot use TACACS for EAP authentication, but if what you're saying is true, then there is no reason that RADIUS would not work for EAP; it just blows up on the admin login.

Thanks.
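
One way to test the "authenticated but not authorized" theory from the thread against the packet trace is to look at what the Access-Accept actually carries. The following is an added example, not code from any poster or from Cisco; it assumes the relevant authorization data would be the standard Service-Type attribute and a Cisco AVPair such as shell:priv-lvl=15, and both sample packets are constructed with a zeroed authenticator that the code does not verify.

```python
import struct

ACCESS_ACCEPT, SERVICE_TYPE, VENDOR_SPECIFIC = 2, 6, 26   # RFC 2865 numbers
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1                      # Cisco VSA, sub-type 1

def parse_attributes(packet: bytes):
    """Return (code, [(attr_type, value_bytes), ...]) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs, pos = [], 20                       # skip the 16-byte authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs

def exec_authorization(packet: bytes):
    """Summarise the authorization data carried in an Access-Accept."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    result = {"service_type": None, "priv_lvl": None, "avpairs": []}
    for atype, value in attrs:
        if atype == SERVICE_TYPE and len(value) == 4:
            result["service_type"] = struct.unpack("!I", value)[0]
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, sub_type, sub_len = struct.unpack("!IBB", value[:6])
            if vendor == CISCO_VENDOR_ID and sub_type == CISCO_AVPAIR \
                    and 2 <= sub_len <= len(value) - 4:
                pair = value[6:4 + sub_len].decode("ascii", "replace")
                result["avpairs"].append(pair)
                level = pair.partition("shell:priv-lvl=")[2]
                if level.isdigit():
                    result["priv_lvl"] = int(level)
    return result

def build_packet(code: int, attrs: bytes = b"") -> bytes:
    """Constructed sample packet: zeroed authenticator, identifier 1."""
    return struct.pack("!BBH", code, 1, 20 + len(attrs)) + bytes(16) + attrs

# Constructed samples: an accept with no attributes, and one with
# Service-Type = 6 (Administrative) plus a Cisco AVPair for privilege 15.
BARE_ACCEPT = build_packet(ACCESS_ACCEPT)
ADMIN_ACCEPT = build_packet(ACCESS_ACCEPT,
    bytes([SERVICE_TYPE, 6]) + struct.pack("!I", 6) +
    bytes([VENDOR_SPECIFIC, 25]) + struct.pack("!IBB", 9, 1, 19) + b"shell:priv-lvl=15")
```

Feed exec_authorization() the raw RADIUS payload (UDP data) of the accept from the trace; a result with every field empty means the server said "yes" without telling the AP what the user is allowed to do.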