05-18-2012 09:38 AM - edited 03-10-2019 07:06 PM
So I've read about 2 weeks of posts trying to figure this out and read multiple guides to no avail. So I'm hoping it's a stupid mistake. First, here is my AP config.
ap#sh run
Building configuration...
Current configuration : 1750 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
logging rate-limit console 9
enable secret 5 $1$ONQR$Qrzcg9Lyrt2tFlyki7Qr4/
!
aaa new-model
!
!
aaa group server radius rad_eap
server 10.10.11.200 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
!
aaa session-id common
!
!
dot11 syslog
!
dot11 ssid syrushcw
authentication open eap eap_methods
authentication key-management wpa version 2
guest-mode
!
!
!
username Cisco password 7 1531021F0725
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
!
encryption vlan 1 mode ciphers aes-ccm
!
ssid syrushcw
!
antenna gain 0
speed basic-11.0 basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
channel 2437
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 10.10.11.100 255.255.252.0
no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server host 10.10.11.200 auth-port 1812 acct-port 1813 key 7 12092504011C5C162E
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end
ap#
I do not know if the problem is on the AP or NPS server. I've read things such as it worked fine on 2008 but after exporting and importing the config on 2008 R2 it did not work. I am of course running 2008 R2. I've also read NPS expects to get credentials in MD5-CHAP but Cisco sends in plain text. I know the client and server are talking since if I make a change on the server the client error is different. Example:
ap#test aaa group rad_eap cmclaine password legacy
Attempting authentication test to server-group rad_eap using radius
No authoritative response from any server.
If I uncheck "Access-Request message must contain the Message-Authenticator attribute" under RADIUS Clients Properties in NPS I get:
ap#test aaa group rad_eap cmclaine password legacy
Attempting authentication test to server-group rad_eap using radius
User authentication request was rejected by server.
In Event Viewer I see events such as Event ID 17: "An Access-Request was received from RADIUS client 10.10.11.100 without a Message-Authenticator attribute when a Message-Authenticator attribute is required."
I do not know if it matters that I am running this on a virtual machine; I've tried both VirtualBox and Hyper-V. The virtual machine has the firewall turned off. The only reason I bring this up is that when I do a netstat there are no connections to port 1812 or 1813.
I appreciate any help, thanks!
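To make the Event ID 17 error concrete, here is an added example (not from this thread or from Cisco/Microsoft code) that builds a PAP Access-Request like the one in the debug output, with and without the Message-Authenticator attribute (RFC 2869, HMAC-MD5 over the packet with the attribute zeroed), and runs the check that NPS performs when "must contain the Message-Authenticator attribute" is ticked. The shared secret and Request Authenticator are constructed placeholders.

```python
import hashlib
import hmac
import struct

# Constructed values for the example only; the real shared secret lives on the AP and NPS.
SECRET = b"placeholder-shared-secret"
ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_NAS_PORT_TYPE, ATTR_MSG_AUTH = 1, 2, 4, 61, 80

def attr(t, value):
    """Encode one RADIUS attribute as Type / Length / Value."""
    return bytes([t, 2 + len(value)]) + value

def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2 User-Password hiding: XOR 16-byte blocks with an MD5 chain."""
    pad = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pad), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(pad[i:i + 16], key))
        out, prev = out + block, block
    return out

def build_access_request(ident, user, password, nas_ip, secret, authenticator, with_msg_auth):
    """PAP Access-Request as a Cisco AP sends it; Message-Authenticator optional."""
    attrs = attr(ATTR_NAS_IP, bytes(map(int, nas_ip.split("."))))
    attrs += attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", 0))  # Async
    attrs += attr(ATTR_USER_NAME, user)
    attrs += attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    if with_msg_auth:
        attrs += attr(ATTR_MSG_AUTH, b"\x00" * 16)  # zeroed while the HMAC is computed
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    if with_msg_auth:
        mac = hmac.new(secret, pkt, hashlib.md5).digest()
        pkt = pkt[:-16] + mac  # the attribute is last, so its value is the final 16 bytes
    return pkt

def check_message_authenticator(pkt, secret):
    """Server-side check NPS applies when the attribute is required: 'missing', 'bad' or 'ok'."""
    _code, _ident, length = struct.unpack("!BBH", pkt[:4])
    pos = 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        if t == ATTR_MSG_AUTH:
            value = pkt[pos + 2:pos + l]
            zeroed = pkt[:pos + 2] + b"\x00" * 16 + pkt[pos + l:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return "ok" if hmac.compare_digest(value, expected) else "bad"
        pos += l
    return "missing"
```

With the four attributes shown in the AP debug the request without Message-Authenticator comes to 60 bytes, matching the "len 60" in the trace; the same request with the attribute added passes the check, and a wrong shared secret makes it fail rather than go missing.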
05-20-2012 08:43 AM
I'm sure that the issue is within the access policy. In order to eliminate that, could you please delete the existing policy and create a new one.
Create a network policy as follows:
a. Right click network policies and click new
b. Type a policy name accept the defaults and click next
c. Add a condition (use NAS-IP-ADDRESS= AP BVI interface IP), click next
d. Make sure the access granted radio button is selected and hit next
e. Select the “Unencrypted authentication (PAP, SPAP)” and unselect the rest
f. Select NO on the annoying help box
g. Finally select next then next and finish to complete.
NOTE: Move this policy on the top of the list.
Also, make sure the shared secret between the AP and NPS is correct.
Regards,
Jatin
05-20-2012 12:50 PM
Removed all other policies, created the new one. Ranked it 1st. Still didn't work
*Mar 22 13:47:35.393: %SYS-5-CONFIG_I: Configured from console by Cisco on vty0 (192.168.2.149)
Attempting authentication test to server-group rad_eap using radius
*Mar 22 13:47:39.245: AAA: parse name=
*Mar 22 13:47:39.245: AAA/MEMORY: create_user (0x22FAAC0) user='cmclaine' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
*Mar 22 13:47:39.246: RADIUS: Pick NAS IP for u=0x22FAAC0 tableid=0 cfg_addr=10.10.11.100
*Mar 22 13:47:39.246: RADIUS: ustruct sharecount=1
*Mar 22 13:47:39.246: Radius: radius_port_info() success=0 radius_nas_port=1
*Mar 22 13:47:39.246: RADIUS(00000000): Send Access-Request to 10.10.11.200:1812 id 1645/8, len 60
*Mar 22 13:47:39.247: RADIUS: authenticator 9E 87 BE 56 42 37 7D F7 - B6 1B F9 07 04 11 24 99
*Mar 22 13:47:39.247: RADIUS: NAS-IP-Address [4] 6 10.10.11.100
*Mar 22 13:47:39.247: RADIUS: NAS-Port-Type [61] 6 Async [0]
*Mar 22 13:47:39.247: RADIUS: User-Name [1] 10 "cmclaine"
*Mar 22 13:47:39.247: RADIUS: User-Password [2] 18 *
*Mar 22 13:47:44.695: RADIUS: Retransmit to (10.10.11.200:1812,1813) for id 1645/8
*Mar 22 13:47:49.657: RADIUS: Retransmit to (10.10.11.200:1812,1813) for id 1645/8
*Mar 22 13:47:54.041: RADIUS: Retransmit to (10.10.11.200:1812,1813) for id 1645/8
No authoritative response from any server.
ap#
*Mar 22 13:47:58.713: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.10.11.200:1812,1813 is not responding.
*Mar 22 13:47:58.713: RADIUS: Tried all servers.
*Mar 22 13:47:58.713: RADIUS: No valid server found. Trying any viable server
*Mar 22 13:47:58.714: RADIUS: Tried all servers.
*Mar 22 13:47:58.714: RADIUS: No response from (10.10.11.200:1812,1813) for id 1645/8
*Mar 22 13:47:58.714: RADIUS: No response from server
*Mar 22 13:47:58.714: AAA/MEMORY: free_user (0x22FAAC0) user='cmclaine' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)
*Mar 22 13:47:58.715: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.10.11.200:1812,1813 is being marked alive.
05-20-2012 12:54 PM
Maybe I was being impatient.
ap#test aaa group rad_eap cmclaine password legacy
Attempting authentication test to server-group rad_eap using radius
User was successfully authenticated.
Thanks!
05-20-2012 01:03 PM
That's good news!
Since users are now authenticating, please add only those restrictions which are needed.
In your case, you should only add Windows groups.
Feel free to post anything that may make you think again.
Regards,
Jatin
06-27-2016 03:02 AM
Hello Jatin,
I am also facing the same issue as below
router#test aaa group radius <username> <password> legacy
Attempting authentication test to server-group radius using radius
User authentication request was rejected by server.
router#test aaa group radius <username> <password> legacy
Attempting authentication test to server-group radius using radius
User authentication request was rejected by server.
jun 27 09:48:05.439 UTC: AAA: parse name=<no string> idb type=-1 tty=-1
Jun 27 09:48:05.439 UTC: AAA/MEMORY: create_user (0x20D5D30) user='<username>' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII
service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
Jun 27 09:48:05.539 UTC: AAA/MEMORY: free_user (0x20D5D30) user='<username>' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII
service=LOGIN priv=1 vrf= (id=0)
Any pointers on what I should get tested?
Regards,
Ranjit
04-15-2015 02:18 AM
Hi guys ,
I was also facing the same problem, but my RADIUS server is Windows 2012 NPS and the RADIUS clients are NX-OS and IOS, so there was a friendly name mistake.
I recreated the network policy with the friendly name e.g. DC_? and the rest of the configuration is the same.
Previously it was specific like DC_RK01_NAS1 and I changed it to DC_? and it's working fine now ... User is successfully :)
I know the issue is fixed for you, but this is for others who are still getting this problem and looking for the solution.