Solved: Cisco Radius Config

CharlesMcLaine · ‎05-18-2012

So I've read about 2 weeks of posts trying to figure this out and read multiple guides to no avail. So i'm hoping it's a stupid mistake. First here is my AP config.

ap#sh run

Building configuration...

Current configuration : 1750 bytes

!

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname ap

!

logging rate-limit console 9

enable secret 5 $1$ONQR$Qrzcg9Lyrt2tFlyki7Qr4/

!

aaa new-model

!

aaa group server radius rad_eap

server 10.10.11.200 auth-port 1812 acct-port 1813

!

aaa authentication login eap_methods group rad_eap

!

aaa session-id common

!

dot11 syslog

!

dot11 ssid syrushcw

authentication open eap eap_methods

authentication key-management wpa version 2

guest-mode

!

username Cisco password 7 1531021F0725

!

bridge irb

!

interface Dot11Radio0

no ip address

no ip route-cache

!

encryption mode ciphers aes-ccm

!

encryption vlan 1 mode ciphers aes-ccm

!

ssid syrushcw

!

antenna gain 0

speed basic-11.0 basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.

channel 2437

station-role root

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface GigabitEthernet0

no ip address

no ip route-cache

duplex auto

speed auto

no keepalive

bridge-group 1

no bridge-group 1 source-learning

bridge-group 1 spanning-disabled

!

interface BVI1

ip address 10.10.11.100 255.255.252.0

no ip route-cache

!

ip http server

no ip http secure-server

ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag

ip radius source-interface BVI1

radius-server host 10.10.11.200 auth-port 1812 acct-port 1813 key 7 12092504011C5C162E

bridge 1 route ip

!

line con 0

line vty 0 4

!

end

ap#

I do not know if the problem is on the AP or NPS server. I've read things such as worked fine on 2008 but exported and imported the config on 2008R2 and did not work. I am of course running 2008 R2. I've alse read NPS expects to get credentials in MD5-CHAP but cisco sends in Plain Text. I Know the client and server are talking since if I make a change on the server the cliet error is diffrent. Example

ap#test aaa group rad_eap cmclaine password legacy

Attempting authentication test to server-group rad_eap using radius

No authoritative response from any server.

If I uncheck Access-Request message must contain the Message-Authenticator attribute under Radius Clients Properties in NPS I get.

ap#test aaa group rad_eap cmclaine password legacy

Attempting authentication test to server-group rad_eap using radius

User authentication request was rejected by server.

In even viewer I see events such as Event ID 17 " An Access-Request was recieved from Radius client 10.10.11.100 without a Message-Authenticator attribute when a Message-Authenticator attribute is required."

I do not know if it matters I am running this on a Virtual Machine; I've tried both Virtual Box and Hyper-V. The virtual Machine has the fireall turned off, the only reason I bring this up; is when I do a netstat there are no connections to port 1812 or 1813.

I appreciate any help, thanks!

Jatin Katyal · ‎05-20-2012

I'm sure that the issue is within the access-policy. In order to eliminate that could you please delete the existing policy and create a nerw one.

Create a network Policy as follows;

a. Right click network policies and click new

b. Type a policy name accept the defaults and click next

c. Add a condition (use NAS-IP-ADDRESS= AP BVI interface IP), click next

d. Make sure the access granted radio button is selected and hit next

e. Select the “Unencrypted authentication (PAP, SPAP)” and unselect the rest

f. Select NO on the annoying help box

g. Finally select next then next and finish to complete.

NOTE: Move this policy on the top of the list.

Also, make sure we have shared secret between AP and NPS is correct.

Regards,

Jatin

~Jatin

View solution in original post

Jatin Katyal · ‎05-18-2012

Since you're getting, an Access-Request was recieved from Radius client 10.10.11.100 without a Message-Authenticator attribute when a Message-Authenticator attribute is required.

On the NPS, could you uncheck the check-box as " Access-Request messages must contain the Message-Authenticator attribute". After that look inside the event viewer logs again.

Do let me know.

Regards,

Jatin

~Jatin

CharlesMcLaine · ‎05-19-2012

When I uncheck the box, on the AP I get

"Attempting authentication test to server-group rad_eap using radius

User authentication request was rejected by server."

But no event on the Server which I thought was bizzare.

Jatin Katyal · ‎05-19-2012

Where exectly are we looking for logs in the event viewer?

When you run a test command from any NAS device that actually uses PAP as an authentication method. I doubt if we have enabled the same method under network policy.

Since we're getting access-reject from the radius server so server logs will surely help us.

Also, we can get debugs from the AP to see if it shows something.

debug aaa authentication

debug radius

Regards,

Jatin

~Jatin

CharlesMcLaine · ‎05-19-2012

Debug gives nothing

ap#debug aaa authentication

AAA Authentication debugging is on

ap#debug radius

Radius protocol debugging is on

Radius protocol brief debugging is off

Radius protocol verbose debugging is off

Radius packet hex dump debugging is off

Radius packet protocol debugging is on

Radius elog debugging debugging is off

Radius packet retransmission debugging is off

Radius server fail-over debugging is off

Radius elog debugging debugging is off

ap#test aaa group rad_eap cmclaine password legacy

Attempting authentication test to server-group rad_eap using radius

User authentication request was rejected by server.

ap#test aaa group rad_eap cmclaine password legacy

Attempting authentication test to server-group rad_eap using radius

User authentication request was rejected by server.

ap#test aaa group rad_eap cmclaine password legacy

Attempting authentication test to server-group rad_eap using radius

User authentication request was rejected by server.

ap#test aaa group rad_eap cmclaine password legacy

Attempting authentication test to server-group rad_eap using radius

No authoritative response from any server.

Here is the event I'm looking at, no new logs appear when I uncheck Access-Request.

I am using PAP also

Jatin Katyal · ‎05-19-2012

Seems like you ran those commands while connected through telnet/ssh.

We should turn on

terminal monitor

regards,

Jatin

~Jatin

CharlesMcLaine · ‎05-19-2012

ap#test aaa group rad_eap cmclaine password legacy

Attempting authentication test to server-group rad_eap using radius

*Mar 22 02:41:37.669: AAA: parse name= idb type=-1 tty=-1

*Mar 22 02:41:37.669: AAA/MEMORY: create_user (0x234C804) user='cmclaine' ruser= 'NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 init ial_task_id='0', vrf= (id=0)

*Mar 22 02:41:37.669: RADIUS: Pick NAS IP for u=0x234C804 tableid=0 cfg_addr=10. 10.11.100

*Mar 22 02:41:37.669: RADIUS: ustruct sharecount=1

*Mar 22 02:41:37.669: Radius: radius_port_info() success=0 radius_nas_port=1

*Mar 22 02:41:37.670: RADIUS(00000000): Send Access-Request to 10.10.11.200:1812 id 1645/6, len 60

*Mar 22 02:41:37.670: RADIUS: authenticator 44 BE 1F 29 EB 13 91 18 - A6 75 47 2E 74 69 5C 1D

*Mar 22 02:41:37.670: RADIUS: NAS-IP-Address [4] 6 10.10.11.100

*Mar 22 02:41:37.670: RADIUS: NAS-Port-Type [61] 6 Async [0]

*Mar 22 02:41:37.670: RADIUS: User-Name [1] 10 "cmclaine"

*Mar 22 02:41:37.670: RADIUS: User-Password [2] 18 *

*Mar 22 02:41:42.162: RADIUS: Retransmit to (10.10.11.200:1812,1813) for id 1645/6

*Mar 22 02:41:46.482: RADIUS: Retransmit to (10.10.11.200:1812,1813) for id 1645/6

*Mar 22 02:41:50.802: RADIUS: Retransmit to (10.10.11.200:1812,1813) for id 1645/6No authoritative response from any server.

ap#

*Mar 22 02:41:55.602: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.10.11.200:1812,1813 is not responding.

*Mar 22 02:41:55.602: RADIUS: Tried all servers.

*Mar 22 02:41:55.602: RADIUS: No valid server found. Trying any viable server

*Mar 22 02:41:55.602: RADIUS: Tried all servers.

*Mar 22 02:41:55.602: RADIUS: No response from (10.10.11.200:1812,1813) for id 1645/6

*Mar 22 02:41:55.602: RADIUS: No response from server

*Mar 22 02:41:55.603: AAA/MEMORY: free_user (0x234C804) user='cmclaine' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)

*Mar 22 02:41:55.603: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.10.11.200:1812,1813 is being marked alive.

Jatin Katyal · ‎05-19-2012

Let's troubleshoot while we have that option unchecked.

Can you send me the screen shots of radius client and network policy.

~Jatin

Jatin Katyal · ‎05-19-2012

When you see an access-reject from any radius server that indicates that the request has been processed by radius. If we don't see any corresponsing logs in the event viewer then there could be an issues with logging/NPS.

This is what I found in my google search.

http://social.technet.microsoft.com/Forums/nl/winserverNAP/thread/c32b4ad2-118b-4368-9bce-11560668d368

Also, NPS records connection request failure events in the System and Security event logs by default. For the radius access-reject, please check the logs in the above suggested location.

http://technet.microsoft.com/en-us/library/cc753898%28v=ws.10%29.aspx

~Jatin

CharlesMcLaine · ‎05-19-2012

CharlesMcLaine · ‎05-19-2012

Interesting problem now, I do not know if the AP is bad, but when I ping from the AP to NPS ping either works 0% or 20%. It can ping some other IP just fine. Now the interesting part is the NPS can ping the AP no problem.

ap#ping 10.10.11.200

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.11.200, timeout is 2 seconds:

!....

Success rate is 20 percent (1/5), round-trip min/avg/max = 2/2/2 ms

ap#ping 10.10.8.12

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.8.12, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Here is an example, 10.10.8.12 is a host os Windows 7 and 10.10.11.200 is the guest os 2008R2.

ap#ping 10.10.8.12

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.8.12, timeout is 2 seconds:

!....

Success rate is 20 percent (1/5), round-trip min/avg/max = 2/2/2 ms

Spoke to soon.

Jatin Katyal · ‎05-20-2012

I went through your last post wherein you've uploaded all the settings. looking at second last screen shot. I see you've lots of conditions defined. I'd like you to try this:

Keep this option unchecked "Access-Request message must contain the Message-Authenticator attribute" under Radius Clients Properties in NPS

Remove all the conditions from condition tab like Nas Port-type, User groups (domain admin and domain groups), Allowed EAP Types.

Add NAS-IP-ADDRESS= 10.10.11.100 instead.

Click OK And restart NPS service.

Try again from test command, it should work now.

NOTE: When you run test command, it actually uses NAS-PORT type= async, authentication method=PAP. However, those options are not selecetd in your network policy.

Once it starts working for you. We'll configure only for wireless authentication.

Let me know how it goes.

Regards,

Jatin

Do rate helpful posts-

~Jatin

CharlesMcLaine · ‎05-20-2012

No such luck.

ap#test aaa group rad_eap cmclaine password legacy

Attempting authentication test to server-group rad_eap using radius

User authentication request was rejected by server.

ap#

*Mar 22 16:15:47.200: AAA: parse name= idb type=-1 tty=-1

*Mar 22 16:15:47.200: AAA/MEMORY: create_user (0x234A53C) user='cmclaine' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)

*Mar 22 16:15:47.201: RADIUS: Pick NAS IP for u=0x234A53C tableid=0 cfg_addr=10.10.100.10

*Mar 22 16:15:47.201: RADIUS: ustruct sharecount=1

*Mar 22 16:15:47.201: Radius: radius_port_info() success=0 radius_nas_port=1

*Mar 22 16:15:47.201: RADIUS(00000000): Send Access-Request to 10.10.11.200:1812 id 1645/10, len 60

*Mar 22 16:15:47.202: RADIUS: authenticator C7 AC 1E 9F D2 40 C3 FD - 30 34 DF 7D 7D 4C FD 9D

*Mar 22 16:15:47.202: RADIUS: NAS-IP-Address [4] 6 10.10.100.10

*Mar 22 16:15:47.202: RADIUS: NAS-Port-Type [61] 6 Async [0]

*Mar 22 16:15:47.202: RADIUS: User-Name [1] 10 "cmclaine"

*Mar 22 16:15:47.202: RADIUS: User-Password [2] 18 *

*Mar 22 16:15:47.206: RADIUS: Received from id 1645/10 10.10.11.200:1812, Access-Reject, len 20

*Mar 22 16:15:47.206: RADIUS: authenticator 3E A6 54 ED A5 6A BA D1 - 30 87 C9 B2 76 8F 0A BA

*Mar 22 16:15:47.206: RADIUS: saved authorization data for user 234A53C at 0

*Mar 22 16:15:47.207: AAA/MEMORY: free_user (0x234A53C) user='cmclaine' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)

ap#u all

All possible debugging has been turned off

ap#test aaa group rad_eap cmclaine Password legacy

Attempting authentication test to server-group rad_eap using radius

User authentication request was rejected by server.

Should I be worrying about ethernet connectivity?

Jatin Katyal · ‎05-20-2012

you should not because I do see access-reject coming back from radius server in the debugs.

*Mar 22 16:15:47.206: RADIUS: Received from id 1645/10 10.10.11.200:1812, Access-Reject, len 20

This indicates that the access-request parameters are not matching the network access policy parameters.

Did you check the NPS logs under event viewer under system and security tab.

Regards,

Jatin

~Jatin

CharlesMcLaine · ‎05-20-2012

I changed the logging no NPS even in Security but I am getting this.

An account was logged off.

Subject:

Security ID: SYSTEM

Account Name: SYRUS-DC$

Account Domain: SYRUSHCW

Logon ID: 0x2e6e05

Logon Type: 3

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.