radius server accepts users only if username equals password

andbor600
Level 1

Good day colleagues,

I must have something wrong with the configuration of my Cisco devices. My access point, which is also a RADIUS server, rejects users if the username does not equal the password.

Did you come across that kind of issue before? Could you give me a hand with that?

So, as an example:

The output of the command "test aaa group rad_eap test test legacy":

a) if the username is "test" and the password is set to "test", then I got the message in return:

"Attempting authentication test to server-group rad_eap using radius
User was successfully authenticated."

b) but if the username is "test" and the password is set to "test123", then I got the message in return:

"Attempting authentication test to server-group rad_eap using radius
User authentication request was rejected by server"

The config of the device trying to connect to a RADIUS server:

-------------------------------------

Current configuration : 7606 bytes
!
! Last configuration change at 11:49:13 +0100 Sun May 11 2014
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP1
!
logging buffered 409600 notifications
logging rate-limit console 9
enable secret 5 xxx
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 10.10.10.3 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
 server 10.10.10.3 auth-port 1812 acct-port 1813
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods group rad_mac
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
!
!
!
!
aaa session-id common
clock timezone +0100 1 0
clock save interval 8
no ip routing
ip domain name xx.xx
!
!
dot11 syslog
dot11 activity-timeout unknown default 18000
dot11 activity-timeout client default 18000 maximum 99999
dot11 vlan-name DMZ vlan 13
dot11 vlan-name service vlan 15
!
dot11 ssid guests
   vlan 13
   authentication open
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii 7 xxx
!
dot11 ssid isa
   vlan 11
   authentication open mac-address mac_methods eap eap_methods
   authentication network-eap eap_methods mac-address mac_methods
   authentication key-management wpa version 2
   mbssid guest-mode dtim-period 100
!
dot11 ids mfp distributor
dot11 ids mfp detector
dot11 ids mfp generator
dot11 network-map
dot11 arp-cache optional
eap profile leap
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2817640586
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2817640586
 revocation-check none
 rsakeypair TP-self-signed-2817640586
!
!
crypto pki certificate chain TP-self-signed-2817640586
 certificate self-signed 01
   quit
username admin privilege 15 secret 5 xxx
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 11 mode ciphers aes-ccm
 !
 encryption vlan 13 mode ciphers aes-ccm
 !
 encryption vlan 15 mode ciphers aes-ccm
 !
 ssid guests
 !
 ssid isa
 !
 antenna gain 0
 stbc
 mbssid
 packet retries 128
 channel least-congested 2412 2417 2422
 station-role root
 rts retries 1
 beacon period 20
 beacon dtim-period 1
 l2-filter bridge-group-acl
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.11
 encapsulation dot1Q 11
 no ip route-cache
 bridge-group 11
 bridge-group 11 subscriber-loop-control
 bridge-group 11 spanning-disabled
 bridge-group 11 block-unknown-source
 no bridge-group 11 source-learning
 no bridge-group 11 unicast-flooding
!
interface Dot11Radio0.13
 encapsulation dot1Q 13
 no ip route-cache
 bridge-group 13
 bridge-group 13 subscriber-loop-control
 bridge-group 13 spanning-disabled
 bridge-group 13 block-unknown-source
 no bridge-group 13 source-learning
 no bridge-group 13 unicast-flooding
!
interface Dot11Radio0.15
 encapsulation dot1Q 15
 no ip route-cache
 bridge-group 15
 bridge-group 15 subscriber-loop-control
 bridge-group 15 spanning-disabled
 bridge-group 15 block-unknown-source
 no bridge-group 15 source-learning
 no bridge-group 15 unicast-flooding
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption vlan 11 mode ciphers aes-ccm
 !
 ssid isa
 !
 antenna gain 0
 no dfs band block
 stbc
 mbssid
 packet retries 128
 channel 5200
 station-role root
 rts retries 1
 beacon period 20
 beacon dtim-period 1
 l2-filter bridge-group-acl
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.11
 encapsulation dot1Q 11
 no ip route-cache
 bridge-group 11
 bridge-group 11 subscriber-loop-control
 bridge-group 11 spanning-disabled
 bridge-group 11 block-unknown-source
 no bridge-group 11 source-learning
 no bridge-group 11 unicast-flooding
!
interface Dot11Radio1.13
 encapsulation dot1Q 13
 no ip route-cache
 bridge-group 13
 bridge-group 13 subscriber-loop-control
 bridge-group 13 spanning-disabled
 bridge-group 13 block-unknown-source
 no bridge-group 13 source-learning
 no bridge-group 13 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface GigabitEthernet0.11
 encapsulation dot1Q 11
 no ip route-cache
 bridge-group 11
 bridge-group 11 spanning-disabled
 no bridge-group 11 source-learning
!
interface GigabitEthernet0.13
 encapsulation dot1Q 13
 no ip route-cache
 bridge-group 13
 bridge-group 13 spanning-disabled
 no bridge-group 13 source-learning
!
interface GigabitEthernet0.15
 encapsulation dot1Q 15
 no ip route-cache
 bridge-group 15
 bridge-group 15 spanning-disabled
 no bridge-group 15 source-learning
!
interface BVI1
 ip address 10.10.10.2 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.10.10.1
ip http server
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 86400
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
logging history size 500
logging trap notifications
access-list 701 permit c8f7.3301.7f43   0000.0000.0000
access-list 701 deny   0000.0000.0000   ffff.ffff.ffff
radius-server local
  nas 10.10.10.1 key 7 xxx
  nas 10.10.10.253 key 7 xxx
  nas 10.10.10.3 key 7 xxx
!
radius-server host 10.10.10.3 auth-port 1812 acct-port 1813 key 7 xxx
radius-server vsa send accounting
!
bridge 1 route ip
!
!
!
line con 0
 length 34
line vty 0 4
 session-timeout 35791
 exec-timeout 35791 0
 length 34
 transport input all
!
sntp server 10.10.10.1
end

---------------------------------

And below the config of the Cisco AP, which is a RADIUS server:

------------------------

Building configuration...

Current configuration : 7677 bytes
!
! Last configuration change at 11:49:09 +0100 Sun May 11 2014
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname APx
!
!
logging rate-limit console 9
enable secret 5 xxx
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 10.10.10.3 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
 server 10.10.10.3 auth-port 1812 acct-port 1813
!
aaa group server radius rad_acct
!
aaa group server tacacs+ tac_admin
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods group rad_mac
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
!
!
!
!
aaa session-id common
clock timezone +0100 1 0
no ip routing
no ip cef
ip domain name ml-ab.pl
!
!
!
dot11 syslog
dot11 vlan-name HOME vlan 11
dot11 vlan-name service vlan 15
!
dot11 ssid isa
   vlan 11
   authentication open mac-address mac_methods eap eap_methods
   authentication network-eap eap_methods mac-address mac_methods
   authentication key-management wpa version 2
   mbssid guest-mode
!
dot11 ssid service
   vlan 15
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa version 2
   mbssid guest-mode
!
!
dot11 network-map
dot11 arp-cache
eap profile leap
!
eap profile tls
!
eap profile fast
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-4134675474
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4134675474
 revocation-check none
 rsakeypair TP-self-signed-4134675474
!
!
crypto pki certificate chain TP-self-signed-4134675474
 certificate self-signed 01
   quit
username admin privilege 15 secret 5 $xxx.
!
!
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 11 mode ciphers aes-ccm
 !
 encryption vlan 15 mode ciphers aes-ccm
 !
 ssid isa
 !
 ssid service
 !
 antenna gain 0
 stbc
 mbssid
 channel least-congested 2462 2467 2472
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.11
 encapsulation dot1Q 11
 no ip route-cache
 bridge-group 11
 bridge-group 11 subscriber-loop-control
 bridge-group 11 spanning-disabled
 bridge-group 11 block-unknown-source
 no bridge-group 11 source-learning
 no bridge-group 11 unicast-flooding
!
interface Dot11Radio0.15
 encapsulation dot1Q 15
 no ip route-cache
 bridge-group 15
 bridge-group 15 subscriber-loop-control
 bridge-group 15 spanning-disabled
 bridge-group 15 block-unknown-source
 no bridge-group 15 source-learning
 no bridge-group 15 unicast-flooding
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption vlan 11 mode ciphers aes-ccm
 !
 ssid isa
 !
 antenna gain 0
 no dfs band block
 stbc
 mbssid
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.11
 encapsulation dot1Q 11
 no ip route-cache
 bridge-group 11
 bridge-group 11 subscriber-loop-control
 bridge-group 11 spanning-disabled
 bridge-group 11 block-unknown-source
 no bridge-group 11 source-learning
 no bridge-group 11 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface GigabitEthernet0.11
 encapsulation dot1Q 11
 no ip route-cache
 bridge-group 11
 bridge-group 11 spanning-disabled
 no bridge-group 11 source-learning
!
interface GigabitEthernet0.15
 encapsulation dot1Q 15
 no ip route-cache
 bridge-group 15
 bridge-group 15 spanning-disabled
 no bridge-group 15 source-learning
!
interface BVI1
 ip address 10.10.10.3 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.10.10.1
ip forward-protocol nd
ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
radius-server local
  nas 10.10.10.3 key 7 xxx
  nas 10.10.10.1 key 7 xxx
  nas 10.10.10.2 key 7 xxx
  user test nthash 7 xxx
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.10.10.3 auth-port 1812 acct-port 1813 key 7 xxx
radius-server vsa send accounting
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 session-timeout 35791
 exec-timeout 35791 0
 transport input all
!
sntp server 10.10.10.1
sntp broadcast client
end

13 Replies

edwardcollins7
Level 1

Hey,

What Radius server are you using?

Rate if Useful :)

Sharing knowledge makes you Immortal.

Regards,

Ed

The RADIUS server is located within my access point.

The Cisco AP cannot be a Radius server, it can send radius requests as a client to an external server.

Which SSID are you using?

Could you share the configuration within "rad_eap test" radius group?

Rate if Useful :)

Sharing knowledge makes you Immortal.

Regards,

Ed

OK. I did not know that.

SSID "isa" is used for Radius authentication.

The "rad_eap" RADIUS group is shown above (AP config).

After correlating your configuration, this is what is relevant:

aaa group server radius rad_eap
 server 10.10.10.3 auth-port 1812 acct-port 1813

dot11 ssid isa
   vlan 11
   authentication open mac-address mac_methods eap eap_methods
   authentication network-eap eap_methods mac-address mac_methods
   authentication key-management wpa version 2
   mbssid guest-mode

aaa authentication login eap_methods group rad_eap

Now, the question is, which device is "10.10.10.3"?

Rate if Useful :)

Sharing knowledge makes you Immortal.

Regards,

Ed

OK, now I am with you. Right, this is the same device. "10.10.10.3" is an AP.

Now it's starting to make sense.

Let us try to work this out together, could you tell me AP model?

"10.10.10.3"

Regards

Ed

AP2602i SAP (standalone)

Could you collect "debug radius authentication" and "debug radius local-server client" from the RADIUS server AP?

Regards

Ed

Hmmm, I did not get much in return...

This is what was output:

----------------

Jun  1 06:03:45.791: RADSRV: Client test password failed
Jun  1 06:03:45.791: RADSRV 10.10.10.2< Code 3 Id 4A Len 88
Jun  1 06:03:45.791:   Auth 22F10EFB 11CDBBDF F415809E B12642DE
Jun  1 06:03:45.791:   24 - 05 15 63 D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D9 57 22 E2 0B 63 ED E9 28 E3 A3 89 14 DE 89 86
Jun  1 06:03:45.791:   80 - FF 4A 85 AD 92 B6 1A 22 C3 02 79 8A DC 06 57 E8

-----------------

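The exchange this thread is debugging, as an added example that is not part of the original post or of Cisco's code: a toy PAP Access-Request from the NAS AP (10.10.10.2 in the configs above) answered by a toy local RADIUS server (the role 10.10.10.3 plays), which shows one reason a server logs a password failure and answers Code 3 (Access-Reject) even though the user exists: the `nas ... key` on the server and the `radius-server host ... key` on the client do not match, so the hidden User-Password unwraps to garbage. The shared secret and the user table are constructed; the page's `user test nthash` entry stores an NT hash for LEAP/MS-CHAP, whereas this example uses the plain RFC 2865 User-Password hiding.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RADIUS Code field (RFC 2865)
USER_NAME, USER_PASSWORD = 1, 2                         # attribute types used here

def _pap_xor(data, secret, req_auth, encrypt):
    """RFC 2865 5.2: block i is XORed with MD5(secret + previous ciphertext block), block 1 with MD5(secret + RequestAuth)."""
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], mask))
        out += block
        prev = block if encrypt else data[i:i + 16]   # always chain on the ciphertext block
    return out

def _attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(ident, username, password, secret, req_auth=None):
    """What the NAS side (AP1) sends for a 'test aaa ... legacy' style PAP check: Code 1."""
    req_auth = req_auth or os.urandom(16)
    hidden = _pap_xor(password, secret, req_auth, True)
    attrs = _attr(USER_NAME, username) + _attr(USER_PASSWORD, hidden)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def _parse_attrs(body):
    attrs, i = {}, 0
    while i + 2 <= len(body):
        atype, alen = body[i], body[i + 1]
        if alen < 2:
            break
        attrs[atype] = body[i + 2:i + alen]
        i += alen
    return attrs

def local_server_respond(request, nas_secret, users):
    """Toy local RADIUS server (the role APx plays): unhide the password with the secret
    configured for this NAS, compare it to the constructed user table, answer 2 or 3.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    ident, req_auth = request[1], request[4:20]
    a = _parse_attrs(request[20:])
    pw = _pap_xor(a.get(USER_PASSWORD, b""), nas_secret, req_auth, False).rstrip(b"\x00")
    code = ACCESS_ACCEPT if users.get(a.get(USER_NAME)) == pw else ACCESS_REJECT
    head = struct.pack("!BBH", code, ident, 20)          # no reply attributes in this toy
    return head + hashlib.md5(head + req_auth + nas_secret).digest()

def verify_response(response, request, secret):
    """NAS-side check of the Response Authenticator; False means the server signed with a different secret."""
    if response[1] != request[1] or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return expected == response[4:20]
```

When the NAS and server secrets differ, the server rejects the user and the NAS cannot validate the reply either, which is the first thing to confirm before suspecting the user entry itself.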
Was this on the server side or client side AP?

http://www.cisco.com/c/en/us/support/docs/wireless/aironet-1100-series/44100-leaplocalauth.html#configproc

I am referring to this.

Rate if Useful :)

Sharing knowledge makes you Immortal.

Regards,

Ed

This is of course on the server side.

I have the same problem.

I read and followed the following link in order to configure an AP as a local RADIUS server.

http://www.cisco.com/c/en/us/td/docs/wireless/access_point/12-2_15_JA/configuration/guide/i12215sc/s15local.html

It should be possible.