radius authentication on Cisco AP 1240

Asked by raviv0731 (India):

Hi Experts,

Kindly help with this. I am unable to successfully configure the AP for an external RADIUS server and authenticate users. Here is the config attached for the AP. Kindly guide.

Looking forward to your suggestions.
AP-config.txt
Craig Beck (United Kingdom):

Remove this...

radius-server local
  nas 192.168.139.17 key 7 141F131D0F0C2F26


raviv0731 (asker):

Very sorry for this late reply. I was without internet connectivity for about 10 days due to health issues. I am back now. I will update you once I am done with this.
Would you kindly let me know what the second command means? Are we defining the same RADIUS server as a NAS server, which is wrong?

Kindly guide


nas 192.168.139.17 key 7 141F131D0F0C2F26
Once I removed radius-server local, the second one was automatically gone, but I don't see any results. Here is the output of "sh radius server-group all", which doesn't show any result:

sh radius server-group all


Server group rad_eap
    Sharecount = 1  sg_unconfigured = FALSE
    Type = standard
Server group rad_mac
    Sharecount = 1  sg_unconfigured = FALSE
    Type = standard
Server group rad_acct
    Sharecount = 1  sg_unconfigured = FALSE
    Type = standard
Server group rad_admin
    Sharecount = 1  sg_unconfigured = FALSE
    Type = standard
Server group rad_pmip
    Sharecount = 1  sg_unconfigured = FALSE
    Type = standard
Server group dummy
    Sharecount = 1  sg_unconfigured = FALSE
    Type = standard
Server group rad_acct2
    Sharecount = 1  sg_unconfigured = FALSE
    Type = standard
Server group rad_eap2
    Sharecount = 1  sg_unconfigured = FALSE
    Type = standard

You were telling the local RADIUS server who the RADIUS client was.  Even though it's the same device you still have to specify it.

This will show you exactly what you need...

http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801bd035.shtml

Thanks for the document, but I already had a look at this; in it Cisco ACS is used as the authentication server. In my scenario, it's a Windows server. So I just wanted to know if my Windows end config is correct. Do you have any Windows end RADIUS config as an example? Meanwhile I will compare the config given as an example with my config.

Thanks for the support.

Your Windows RADIUS config is the same as ACS - you just use ports 1812 and 1813 instead of 1645 and 1646.

Quoting from the article...

AP#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

AP(config)#aaa group server radius rad_eap

AP(config-sg-radius)#server 10.0.0.3 auth-port 1645 acct-port 1646

AP(config-sg-radius)#exit

AP(config)#aaa new-model

AP(config)#aaa authentication login eap_methods group rad_eap

AP(config)#radius-server host 10.0.0.3 auth-port 1645 acct-port 1646 key labap1200ip102

AP(config)#end

AP#write memory


All you need to do is change the port numbers - everything else is the same, as follows:

AP#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

AP(config)#aaa group server radius rad_eap

AP(config-sg-radius)#server 10.0.0.3 auth-port 1812 acct-port 1813

AP(config-sg-radius)#exit

AP(config)#aaa new-model

AP(config)#aaa authentication login eap_methods group rad_eap

AP(config)#radius-server host 10.0.0.3 auth-port 1812 acct-port 1813 key labap1200ip102

AP(config)#end

AP#write memory



Thanks for the inputs, but I was just asking about the RADIUS server end configuration for authentication methods etc., in case that is what is stopping us from being successful. However, I will check this and keep you posted.

Thanks for all your support.

Thanks for your config example.  I see the below config for RADIUS. Can I remove all "aaa group server" statements other than "aaa group server radius rad_eap"?



xxxxxx#sh run | inc radius
aaa group server radius rad_eap
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa group server radius rad_acct2
aaa group server radius rad_eap2
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.139.17 auth-port 1812 acct-port 1813 key 7 141F131D0F0C2F26
radius-server vsa send accounting

Yes, that should be ok.  If they're default, or required by IOS they will be recreated when the AP reloads.

So you want me to remove the other things except "aaa group server radius rad_eap", and the main thing is, I am unable to test it because somehow I don't have a test machine which points to this AP. Do we have any possible test we can do to confirm that our configuration is correct and working?

Yes, unless you're doing RADIUS for administrative login to the AP too.

There is a test to verify administrative user authentication, but that's not the same thing really.  That just confirms the link to the RADIUS server is functioning, and not that Network-EAP or 802.1x is working.

Please let me know the test and how to do it! And in case I leave the config as it is, including "aaa group server radius rad_eap", is there any problem?

The test will tell you if a specific user account is allowed to connect, but it does not really help if your actual RADIUS server configuration is not working.

At the CLI...


test aaa group radius <username> <password> legacy

When I tested with the above command, it gave the below info. Does it mean that my RADIUS server rejected the request? How can I check whether my RADIUS config on the server is correct? Kindly suggest.

HAVAP01#test aaa group radius Rvelicheti Intellixxxxx legacy


Attempting authentication test to server-group radius using radius
User authentication request was rejected by server.

Rejected by server means that the RADIUS server sent the authentication failure message back to the AP.  This isn't enough to conclude whether the configuration is correct, although it does imply that the AP is configured correctly.

You should check the logs on your RADIUS server to see if that means that the actual user request was denied, or the request from the AP itself.

Thanks for the update and sorry for the late response. I have seen the logs on the RADIUS server, and now I see the below info. So does this mean RADIUS is working and the user is blocked?



Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 5/25/2012
Time: 9:42:33 PM
User: N/A
Computer: HVSV-PRINT
Description:
User Rvelicheti was denied access.
Fully-Qualified-User-Name = havchem.com/Employees/Contractors/Ravi Kiran. Velicheti
NAS-IP-Address = 192.168.215.66
NAS-Identifier = HAVAP01
Called-Station-Identifier = <not present>
Calling-Station-Identifier = <not present>
Client-Friendly-Name = HAVAP01
Client-IP-Address = 192.168.215.66
NAS-Port-Type = Async
NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Connections to other access servers
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 65
Reason = The connection attempt failed because remote access permission for the user account was denied. To allow remote access, enable remote access permission for the user account, or, if the user account specifies that access is controlled through the matching remote access policy, enable remote access permission for that remote access policy.

Hi Craig,

This is the RADIUS log I received, and the problem is that the authentication method the RADIUS server has is not supported by the AP's authentication methods. The AP has EAP but the RADIUS server has PEAP, and we don't have any certificates on the RADIUS server. Kindly suggest what can be done.

Thanks for your support.

Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 5/25/2012
Time: 10:45:09 PM
User: N/A
Computer: HVSV-PRINT
Description:
User Rvelicheti was denied access.
Fully-Qualified-User-Name = havchem.com/Employees/Contractors/Ravi Kiran. Velicheti
NAS-IP-Address = 192.168.215.66
NAS-Identifier = HAVAP01
Called-Station-Identifier = <not present>
Calling-Station-Identifier = <not present>
Client-Friendly-Name = HAVAP01
Client-IP-Address = 192.168.215.66
NAS-Port-Type = Async
NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Connections to other access servers
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 66
Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.

Craig,

Now my problem is, according to the above event, my authentication methods on the AP and the RADIUS server are not matching. Now, I have checked for a similar authentication type at both ends but couldn't find one. I would request you to kindly guide me through to a common best authentication method.

Thanks in advance.
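The two IAS events quoted above (Reason-Code 65 and 66) and the success event later in the thread share one layout, and the fields in them carry the answer to the question the asker keeps returning to: an administrative login from the AP shows up as Authentication-Type = PAP on an Async port, while a wireless client would show up as EAP on a wireless port. The following parser and triage helper is an added example written for this page; it is not code from the thread, from Cisco or from Microsoft. The sample event is constructed (user, domain and addresses are placeholders), and the hints for Reason-Codes 16 and 48 cover standard IAS codes the thread never hits.

```python
"""Added example (not from the thread): parse the Description block of a Windows
IAS event (ID 1 = granted, ID 2 = denied) into fields, tell an administrative
login apart from a wireless client, and map the Reason-Code to what to fix."""
import re

# Constructed sample modelled on the IAS events quoted in the thread (not a real log).
SAMPLE_DENIED = """\
Event Type: Warning
Event Source: IAS
Event ID: 2
Description:
User jdoe was denied access.
 Fully-Qualified-User-Name = example.com/Employees/jdoe
 NAS-IP-Address = 192.0.2.66
 NAS-Identifier = HAVAP01
 Client-Friendly-Name = HAVAP01
 NAS-Port-Type = Async
 NAS-Port = <not present>
 Policy-Name = Connections to other access servers
 Authentication-Type = PAP
 EAP-Type = <undetermined>
 Reason-Code = 66
 Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.
"""

# Reason codes 65 and 66 are the ones seen in the thread; 16 and 48 are other
# standard IAS codes added here for completeness.
REASON_HINTS = {
    16: "credentials rejected by Windows: wrong user name or password",
    48: "no remote access policy matched the request: check policy conditions and order",
    65: "the account's remote access permission is denied: allow it on the account, "
        "or set it to 'control access through remote access policy' and grant in the policy",
    66: "the authentication method is not enabled on the matching policy: enable "
        "Unencrypted (PAP, SPAP) for administrative logins, or EAP for wireless clients",
}

PLACEHOLDERS = {"<not present>", "<undetermined>"}


def parse_ias_event(text: str) -> dict:
    """Return a flat dict of the event's fields; placeholder values become None."""
    ev = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^User (\S+) was (granted|denied) access\.$", line)
        if m:
            ev["user"], ev["outcome"] = m.group(1), m.group(2)
        elif " = " in line:
            key, value = (s.strip() for s in line.split(" = ", 1))
            ev[key] = None if value in PLACEHOLDERS else value
        elif ":" in line:
            key, value = (s.strip() for s in line.split(":", 1))
            if value:
                ev[key] = value
    return ev


def request_kind(ev: dict) -> str:
    """Administrative logins from the AP arrive as PAP on an Async port; wireless
    clients arrive as EAP on a Wireless-IEEE 802.11 port."""
    if ev.get("Authentication-Type") == "PAP" and ev.get("NAS-Port-Type") == "Async":
        return "administrative login to the AP"
    if ev.get("EAP-Type") or "Wireless" in (ev.get("NAS-Port-Type") or ""):
        return "wireless client (802.1X/EAP)"
    return "unknown"


def triage(ev: dict) -> tuple:
    """(outcome, advice) for one parsed event."""
    if ev.get("outcome") == "granted":
        return ("granted", None)
    code = int(ev.get("Reason-Code") or -1)
    advice = REASON_HINTS.get(code, "reason code %d: read the Reason text" % code)
    if request_kind(ev).startswith("administrative") and \
            ev.get("Policy-Name") == "Connections to other access servers":
        advice += "; the default policy matched, so no dedicated administrative policy exists yet"
    return ("denied", advice)


if __name__ == "__main__":
    event = parse_ias_event(SAMPLE_DENIED)
    print(request_kind(event))
    print(triage(event))
```

Run it on the text of any IAS event ID 1 or 2; the Policy-Name check is the quickest way to see whether a request fell through to the default "Connections to other access servers" policy instead of a policy written for it.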

If you have PEAP configured you have certs on your RADIUS server - PEAP isn't configurable without one.

The authentication type your clients are trying to use appears to be PAP, not PEAP or EAP-TLS, so your client configuration is incorrect.

This will show you how to configure the client correctly...

http://technet.microsoft.com/en-us/library/dd759154.aspx

I am sorry, but I didn't understand which client you are talking about. Are you saying that my AP is configured for PAP but not PEAP? Unfortunately my RADIUS server doesn't have any certificates for now. The document seems to be for configuring wired clients. I didn't understand where this configuration needs to be. Can you kindly explain in detail please?
By the way, this is for your info: my Windows RADIUS server is Server 2003.
Here is the AP config in case you want to analyze it.

Thanks for the support.
Latest-AP-attached.txt

No I apologise I was meaning the Wireless Client you were testing with, but now I realise you were testing with an administrative logon.

You need a separate policy on your IAS server to allow administrative users to login to the AP via RADIUS.  You should do the following to create a policy for Administrative access to the AP:

1] Create a new security group in your AD for Administrative users
2] Add an administrative user account to the new security group you just created
3] Create a policy on your IAS server for Administrative user logins and put it at the TOP of the order.
4] In the Administrative policy set the condition based on your new Windows Security Group.
5] In the constraints set the Authentication type to Unencrypted (PAP or SPAP).  Untick all other boxes.
6] Configure an AV-Pair in the Settings tab under Vendor-Specific options.  You need to configure an AV-Pair with the following string: "shell-priv-lvl=15".
7] Set the Service Type to "Administrative".

Yes, I have tested through the test aaa group radius command from the AP itself and have seen the above RADIUS server logs.


Thanks for the above steps. Please let me know, do I have to create a new policy? Is it not possible to edit the current "Connections to other access servers" policy? I don't have much idea about Windows config actually. So you want me to create a security group and I need to add all admin user accounts to the new security group? I didn't understand the 4th point.

If I select the unencrypted type, is it not a problem? And do I see a "vendor-specific options" tab when I create a new policy?
Oh, regarding the 4th point, did you mean that I need to go to policy conditions and click add, where I see attribute types and have to select the last one, "Windows-Groups"? And you want me to create a separate policy for only admin users.

What does this vendor exactly mean? I see only two attributes, "Client-Vendor" and "MS-RAS-Vendor". Do you want me to add any of these? And finally I wanted to know, do I really need to move it to the front for precedence?
1] Create a new security group in your AD for Administrative users
2] Add an administrative user account to the new security group you just created
3] Create a policy on your IAS server for Administrative user logins and put it at the TOP of the order.
4] In the Administrative policy set the condition based on your new Windows Security Group.


5] In the constraints set the Authentication type to Unencrypted (PAP or SPAP).  Untick all other boxes.

This one I could see when I edit the profile, and I can do it in the authentication tab; only selected (PAP or SPAP).

6] Configure an AV-Pair in the Settings tab under Vendor-Specific options.  You need to configure an AV-Pair with the following string: "shell-priv-lvl=15".

This one I see in the advanced tab as an attribute "Vendor-Specific", and below that I see "Cisco-AV-Pair". Which is the correct one?



7] Set the Service Type to "Administrative".
This one also I see in the advanced tab and also in "attribute types" under "Policy Conditions". Is this correct?
Hi,

Please let me know if I am making any sense.
I just edited the current existing policy with Cisco-AV-Pair and selected the type as "Administrative". Now I see the below info. It says it's successful.


xxxxxx#test aaa group radius Rvelicheti xxxxxxx legacy
Attempting authentication test to server-group radius using radius
User was successfully authenticated.

Event Type: Information
Event Source: IAS
Event Category: None
Event ID: 1
Date: 5/28/2012
Time: 10:29:32 AM
User: N/A
Computer: HVSV-PRINT
Description:
User Rvelicheti was granted access.
Fully-Qualified-User-Name = havchem.com/Employees/Contractors/Ravi Kiran. Velicheti
NAS-IP-Address = 192.168.215.66
NAS-Identifier = HAVAP01
Client-Friendly-Name = HAVAP01
Client-IP-Address = 192.168.215.66
Calling-Station-Identifier = <not present>
NAS-Port-Type = Async
NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Connections to other access servers
Authentication-Type = PAP
EAP-Type = <undetermined>

---

So can we conclude that any user who comes with domain credentials would successfully log in?

Please let me know of any security threat because of PAP/SPAP.
Sorry, also: if I remove Cisco-AV-Pair, it works, so it seems like it's basically working by authentication method (PAP), as it's the same on both sides now.

But my concern here is I didn't use PAP on the AP, but how and why is this Windows event showing "authentication as PAP"? Would you kindly clarify?
I don't think PAP is genuine to configure! Please do let me know your points on this.

PAP is the method the AP uses to send the Administrative logon to the IAS server.  It is genuine.  It means the username/password is sent to the RADIUS server unencrypted.

Have a look at this...

http://www.ifm.net.nz/cookbooks/wpa_sbs2003/index.html

Thanks for the info. But sorry, I repeat, why is it showing PAP as the authentication method at the AP end? Because I remember I didn't configure PAP at the AP. Just wanted to know the reason. Kindly explain. Is it not a security breach that the username/password are sent in clear text to the RADIUS server?

The AP only sends Administrative login details as unencrypted.  That is why it appears as PAP.

When a wireless client authenticates it will be sent via PEAP if that's what you have configured in your policy.
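The exchange behind `test aaa group radius <username> <password> legacy`, and behind the "unencrypted" PAP answer just given, is worth seeing on the wire. The block below is an added example for this page, not code from the thread, from Cisco or from Microsoft: it builds the PAP Access-Request the AP (the NAS) sends, the Access-Accept that steps 6] and 7] of the administrative policy would return (Service-Type = Administrative-User plus the Cisco AV-pair), and the two checks each side performs. The shared secret, user name, password and addresses are assumed values; the AV-pair is written with the colon syntax Cisco documents, `shell:priv-lvl=15`. RFC 2865 hides the PAP password by XORing it with MD5(shared secret + Request Authenticator), so anyone who can see the AP-to-server traffic and also holds the shared secret recovers it, which is the precise sense in which PAP is unencrypted; the mitigations are a strong, unique secret per NAS and a management path that untrusted hosts cannot observe, not a different setting on the AP.

```python
"""Added example (not from the thread): a PAP Access-Request from a Cisco AP and the
Access-Accept an administrative IAS policy returns, encoded per RFC 2865.
Secret, user, password and addresses below are assumed/constructed values."""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
VENDOR_SPECIFIC, NAS_IDENTIFIER = 26, 32
SERVICE_TYPE_ADMINISTRATIVE_USER = 6      # RFC 2865 value; IAS labels it "Administrative"
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1      # IANA enterprise 9, cisco-avpair sub-type 1


def attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific attribute carrying one cisco-avpair sub-attribute."""
    sub = attr(CISCO_AVPAIR, text.encode())
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def pap_hide(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator.
    Keyed only by the shared secret, hence 'unencrypted' in practice."""
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_reveal(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of pap_hide: whoever holds the shared secret gets the password back."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(user, password, secret, nas_ip, nas_id, ident=1, request_auth=None):
    """What the AP sends for an administrative login (PAP)."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, pap_hide(password.encode(), secret, request_auth))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(NAS_IDENTIFIER, nas_id.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_access_accept(request: bytes, secret: bytes) -> bytes:
    """What the administrative policy returns (steps 6] and 7] in the thread).
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    ident, request_auth = request[1], request[4:20]
    attrs = (attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE_USER))
             + cisco_avpair("shell:priv-lvl=15"))
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def parse_attrs(pkt: bytes) -> list:
    """(type, value) pairs; Vendor-Specific unpacked to ('vsa', vendor, subtype, value)."""
    i, out = 20, []
    while i < len(pkt):
        atype, alen = pkt[i], pkt[i + 1]
        value = pkt[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC:
            vendor = struct.unpack("!I", value[:4])[0]
            out.append(("vsa", vendor, value[4], value[6:4 + value[5]]))
        else:
            out.append((atype, value))
        i += alen
    return out


def verify_accept(request: bytes, response: bytes, secret: bytes) -> bool:
    """The NAS must check the Response Authenticator before honouring any attribute."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[4:20] == expected
```

Feed `build_access_accept` a request and a wrong secret and `verify_accept` fails on the NAS side; feed `pap_reveal` the right secret and the password comes back, which is the whole of the "clear text" concern raised later in the thread.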

Thanks for the information. So, can we conclude that this is resolved? And one more thing: yesterday I configured that Cisco AV pair and later removed it, and still the authentication part is successful. Is there any specific reason? And finally, are we done with this? I mean, in case any client tries to access the AP, it would get authenticated by RADIUS, right?

ASKER CERTIFIED SOLUTION by Craig Beck (United Kingdom)

Thanks for the support and all the help. Before closing this case, finally I just doubt one thing, and I didn't see anything about PAP in the URL you have given above. Like, the AP sends administrative login details unencrypted, and I was just wondering if someone in between on the line can get this sensitive info. I just need some more clarity on this concept. I would be very glad and thankful to you if I can get more info (any explanation or any URL) about this.

Thanks in advance
Sorry for the late reply. I was away from the system due to fever. Thanks for the help and support.