raviv0731
asked on
radius authentication on Cisco AP 1240
Hi Experts,
Kindly help with this. I am unable to configure the AP successfully for an external RADIUS server and authenticate users. The AP config is attached. Kindly guide.
Looking forward to your suggestion.
AP-config.txt
ASKER
Very sorry for this late reply. I was without internet connectivity for about 10 days due to health issues. I am back now. I will update you once I am done with this.
ASKER
Would you kindly let me know what the second command means? Are we defining the same RADIUS server as the NAS server, which is wrong?
Kindly guide
nas 192.168.139.17 key 7 141F131D0F0C2F26
ASKER
Once I removed radius-server local, the second one was automatically gone, but I don't see any results. Here is the output of "sh radius server-group all", which doesn't show any result:
sh radius server-group all
Server group rad_eap
Sharecount = 1 sg_unconfigured = FALSE
Type = standard
Server group rad_mac
Sharecount = 1 sg_unconfigured = FALSE
Type = standard
Server group rad_acct
Sharecount = 1 sg_unconfigured = FALSE
Type = standard
Server group rad_admin
Sharecount = 1 sg_unconfigured = FALSE
Type = standard
Server group rad_pmip
Sharecount = 1 sg_unconfigured = FALSE
Type = standard
Server group dummy
Sharecount = 1 sg_unconfigured = FALSE
Type = standard
Server group rad_acct2
Sharecount = 1 sg_unconfigured = FALSE
Type = standard
Server group rad_eap2
Sharecount = 1 sg_unconfigured = FALSE
Type = standard
You were telling the local RADIUS server who the RADIUS client was. Even though it's the same device, you still have to specify it.
This will show you exactly what you need...
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801bd035.shtml
ASKER
Thanks for the document, but I already had a look at this, in which Cisco ACS is used as the authentication server. In my scenario, it's a Windows server. So I just wanted to know if my Windows-end config is correct. Do you have any Windows-end RADIUS config as an example? Meanwhile I will compare the example config with mine.
Thanks for the support.
Your Windows RADIUS config is the same as ACS - you just use ports 1812 and 1813 instead of 1645 and 1646.
Quoting from the article...
AP#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
AP(config)#aaa group server radius rad_eap
AP(config-sg-radius)#server 10.0.0.3 auth-port 1645 acct-port 1646
AP(config-sg-radius)#exit
AP(config)#aaa new-model
AP(config)#aaa authentication login eap_methods group rad_eap
AP(config)#radius-server host 10.0.0.3 auth-port 1645 acct-port 1646 key labap1200ip102
AP(config)#end
AP#write memory
All you need to do is change the port numbers - everything else is the same, as follows:
AP#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
AP(config)#aaa group server radius rad_eap
AP(config-sg-radius)#server 10.0.0.3 auth-port 1812 acct-port 1813
AP(config-sg-radius)#exit
AP(config)#aaa new-model
AP(config)#aaa authentication login eap_methods group rad_eap
AP(config)#radius-server host 10.0.0.3 auth-port 1812 acct-port 1813 key labap1200ip102
AP(config)#end
AP#write memory
ASKER
Thanks for the inputs, but I was just asking about the RADIUS server end configuration for authentication methods etc., in case that is what is stopping us from being successful. However, I will check this and keep you posted.
Thanks for all your support.
ASKER
Thanks for your config example. I see the below config for RADIUS. Can I remove all "aaa group server" statements other than "aaa group server radius rad_eap"?
xxxxxx#sh run | inc radius
aaa group server radius rad_eap
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa group server radius rad_acct2
aaa group server radius rad_eap2
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.139.17 auth-port 1812 acct-port 1813 key 7 141F131D0F0C2F26
radius-server vsa send accounting
Yes, that should be ok. If they're default or required by IOS, they will be recreated when the AP reloads.
ASKER
So you want me to remove the other things except "aaa group server radius rad_eap"? And the main thing is, I am unable to test it because somehow I don't have a test machine which points to this AP. Do we have any possible test we can do to confirm that our configuration is correct and working?
Yes, unless you're doing RADIUS for administrative login to the AP too.
There is a test to verify administrative user authentication, but that's not the same thing really. That just confirms the link to the RADIUS server is functioning, and not that Network-EAP or 802.1x is working.
ASKER
Please let me know the test and how to do it! And in case I leave the config as it is, including "aaa group server radius rad_eap", is there any problem?
The test will tell you if a specific user account is allowed to connect, but it does not really help if your actual RADIUS server configuration is not working.
At the CLI...
test aaa group radius <username> <password> legacy
ASKER
When I tested with the above command, it gave the below info. Does it mean that my RADIUS server rejected the request? How can I check whether my RADIUS config on the server is correct? Kindly suggest.
HAVAP01#test aaa group radius Rvelicheti Intellixxxxx legacy
Attempting authentication test to server-group radius using radius
User authentication request was rejected by server.
Rejected by server means that the RADIUS sent the authentication failure message back to the AP. This isn't enough to conclude whether the configuration is correct, although it does imply that the AP is configured correctly.
You should check the logs on your RADIUS server to see if that means that the actual user request was denied, or the request from the AP itself.
ASKER
Thanks for the update and sorry for the late response. I have seen the logs on the RADIUS server, and now I see the below info. So does this mean RADIUS is working and the user is blocked?
Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 5/25/2012
Time: 9:42:33 PM
User: N/A
Computer: HVSV-PRINT
Description:
User Rvelicheti was denied access.
Fully-Qualified-User-Name = havchem.com/Employees/Contractors/Ravi Kiran. Velicheti
NAS-IP-Address = 192.168.215.66
NAS-Identifier = HAVAP01
Called-Station-Identifier = <not present>
Calling-Station-Identifier = <not present>
Client-Friendly-Name = HAVAP01
Client-IP-Address = 192.168.215.66
NAS-Port-Type = Async
NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Connections to other access servers
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 65
Reason = The connection attempt failed because remote access permission for the user account was denied. To allow remote access, enable remote access permission for the user account, or, if the user account specifies that access is controlled through the matching remote access policy, enable remote access permission for that remote access policy.
ASKER
Hi Craig,
This is the RADIUS log I received, and the problem is that the authentication method RADIUS has is not supported by the AP's authentication methods. The AP has EAP but the RADIUS server has PEAP, and we don't have any certificates on the RADIUS server. Kindly suggest what can be done.
Thanks for your support.
Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 5/25/2012
Time: 10:45:09 PM
User: N/A
Computer: HVSV-PRINT
Description:
User Rvelicheti was denied access.
Fully-Qualified-User-Name = havchem.com/Employees/Contractors/Ravi Kiran. Velicheti
NAS-IP-Address = 192.168.215.66
NAS-Identifier = HAVAP01
Called-Station-Identifier = <not present>
Calling-Station-Identifier = <not present>
Client-Friendly-Name = HAVAP01
Client-IP-Address = 192.168.215.66
NAS-Port-Type = Async
NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Connections to other access servers
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 66
Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.
ASKER
Craig,
Now my problem is, according to the above event, my authentication methods on the AP and the RADIUS server are not matching. I have checked for a similar authentication type at both ends but couldn't find one. I would request you to kindly guide me through to a common best authentication method.
Thanks in advance.
If you have PEAP configured you have Certs on your RADIUS server - PEAP isn't configurable without one.
The authentication type your clients are trying to use appears to be PAP, not PEAP or EAP-TLS, so your client configuration is incorrect.
This will show you how to configure the client correctly...
http://technet.microsoft.com/en-us/library/dd759154.aspx
ASKER
I am sorry, but I didn't understand which client you are talking about. Are you saying that my AP is configured for PAP but not PEAP? Unfortunately my RADIUS server doesn't have any certificates for now. The document seems to be for configuring wired clients. I didn't understand where this configuration needs to be done. Can you kindly explain in detail please?
ASKER
By the way, this is for your info: my Windows RADIUS server is Server 2003.
No, I apologise, I was meaning the wireless client you were testing with, but now I realise you were testing with an administrative logon.
You need a separate policy on your IAS server to allow administrative users to login to the AP via RADIUS. You should do the following to create a policy for Administrative access to the AP:
1] Create a new security group in your AD for Administrative users
2] Add an administrative user account to the new security group you just created
3] Create a policy on your IAS server for Administrative user logins and put it at the TOP of the order.
4] In the Administrative policy set the condition based on your new Windows Security Group.
5] In the constraints set the Authentication type to Unencrypted (PAP or SPAP). Untick all other boxes.
6] Configure an AV-Pair in the Settings tab under Vendor-Specific options. You need to configure an AV-Pair with the following string: "shell-priv-lvl=15".
7] Set the Service Type to "Administrative".
ASKER
Yes, I have tested through the test aaa group radius command from AP itself and have seen the above radius server logs.
Thanks for the above steps. Please let me know, do I have to create a new policy? Is it not possible to edit the current "Connections to other access servers" policy? I don't have much idea about Windows config actually. So you want me to create a security group and add all admin user accounts to the new security group? I didn't understand the 4th point.
If I select the unencrypted type, is it not a problem? And do I see a "vendor-specific options" tab when I create a new policy?
ASKER
Ohh, regarding the 4th point, did you mean that I need to go to policy conditions and click Add, where I see attribute types and have to select the last one, "Windows-Groups"? And you want me to create a separate policy for only admin users.
What does this vendor exactly mean? I see only two attributes, "Client-Vendor" and "MS-RAS-Vendor". Do you want me to add either of these? And finally I wanted to know, do I really need to move it to the front for precedence?
ASKER
1] Create a new security group in your AD for Administrative users
2] Add an administrative user account to the new security group you just created
3] Create a policy on your IAS server for Administrative user logins and put it at the TOP of the order.
4] In the Administrative policy set the condition based on your new Windows Security Group.
5] In the constraints set the Authentication type to Unencrypted (PAP or SPAP). Untick all other boxes.
This one I could see when I edit the profile, and I can do it in the Authentication tab; only (PAP or SPAP) is selected.
6] Configure an AV-Pair in the Settings tab under Vendor-Specific options. You need to configure an AV-Pair with the following string: "shell-priv-lvl=15".
This one I see in the Advanced tab as an attribute "Vendor-Specific", and below that I see "Cisco-AV-Pair". Which is the correct one?
7] Set the Service Type to "Administrative".
This one I also see in the Advanced tab, and also in "Attribute types" under "Policy Conditions". Is this correct?
ASKER
Hi,
Please let me know if I am making any sense.
ASKER
I just edited the current existing policy with Cisco-AV-Pair and selected the type as "Administrative". Now I see the below info. It says it's successful.
xxxxxx#test aaa group radius Rvelicheti xxxxxxx legacy
Attempting authentication test to server-group radius using radius
User was successfully authenticated.
Event Type: Information
Event Source: IAS
Event Category: None
Event ID: 1
Date: 5/28/2012
Time: 10:29:32 AM
User: N/A
Computer: HVSV-PRINT
Description:
User Rvelicheti was granted access.
Fully-Qualified-User-Name = havchem.com/Employees/Contractors/Ravi Kiran. Velicheti
NAS-IP-Address = 192.168.215.66
NAS-Identifier = HAVAP01
Client-Friendly-Name = HAVAP01
Client-IP-Address = 192.168.215.66
Calling-Station-Identifier = <not present>
NAS-Port-Type = Async
NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Connections to other access servers
Authentication-Type = PAP
EAP-Type = <undetermined>
---
So can we conclude that any user who comes with domain credentials would be able to log in successfully?
Please let me know of any security threat because of PAP/SPAP.
ASKER
Sorry, if I remove Cisco-AV-Pair also, it works, so it seems like it's basically working by authentication method (PAP), as both sides are the same now.
But my concern here is that I didn't use PAP on the AP, so how and why in these Windows events is it showing "authentication as PAP"? Would you kindly clarify?
ASKER
I don't think PAP is genuine to configure! Please do let me know your points on this.
PAP is the method the AP uses to send the Administrative logon to the IAS server. It is genuine. It means the username/password is sent to the RADIUS server unencrypted.
Have a look at this...
http://www.ifm.net.nz/cookbooks/wpa_sbs2003/index.html
ASKER
Thanks for the info. But sorry, I repeat: why is it showing PAP as the authentication method at the AP end? Because I remember I didn't configure PAP on the AP. I just wanted to know the reason. Kindly explain. Is it not a security breach that the username/password are sent in clear text to the RADIUS server?
The AP only sends Administrative login details as unencrypted. That is why it appears as PAP.
When a wireless client authenticates it will be sent via PEAP if that's what you have configured in your policy.
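The thread's last technical question is what "PAP" means for the administrative login the test aaa command exercises: the AP sends the username and password to the RADIUS server in an Access-Request, and the IAS policy (steps 6 and 7 above) answers with an Access-Accept carrying Service-Type and a Cisco AV-Pair. The following is an added example, not Cisco's or Microsoft's code, showing how RFC 2865 encodes both messages. It shows that the User-Password attribute on the wire is not the literal password but the password XORed with an MD5 keystream derived from the shared secret and the Request Authenticator, that this protection depends entirely on the strength of the shared secret (a captured request can be tried offline against a guessed secret), and that the AP can verify the Access-Accept through its Response Authenticator. The shared secret, username and password are constructed; the NAS-IP-Address 192.168.215.66 and NAS-Identifier HAVAP01 are the values from the IAS log above; the AV-Pair is written in Cisco's attribute:value form, shell:priv-lvl=15.

```python
# Added example, not Cisco or Microsoft code: the RFC 2865 messages behind the AP
# administrative login discussed above. Secret, password and user are constructed.
import hashlib
import ipaddress
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, VENDOR_SPECIFIC, NAS_IDENTIFIER = 1, 2, 4, 6, 26, 32
SERVICE_TYPE_ADMINISTRATIVE_USER = 6   # the "Administrative" Service-Type set in the IAS policy
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1   # IANA enterprise number 9, VSA sub-type 1 (Cisco-AV-Pair)

def _password_xor(data, secret, authenticator, hiding):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block on the wire)."""
    out, prev = bytearray(), authenticator   # the first block chains on the Request Authenticator
    for i in range(0, len(data), 16):
        result = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += result
        prev = result if hiding else data[i:i + 16]   # always chain on the hidden (wire) block
    return bytes(out)

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side. Keyed obfuscation, not encryption: a capture can be attacked offline against a weak secret."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    return _password_xor(password + b"\x00" * (-len(password) % 16), secret, authenticator, True)

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo hide_password and drop the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    return _password_xor(hidden, secret, authenticator, False).rstrip(b"\x00")

def avp(attr_type: int, value: bytes) -> bytes:   # Type-Length-Value; Length counts the 2-byte header
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def cisco_avpair(text: str) -> bytes:   # Vendor-Specific (26) attribute wrapping one Cisco AV-Pair
    body = text.encode()
    return avp(VENDOR_SPECIFIC, struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(body) + 2) + body)

def build_access_request(ident, secret, username, password, nas_ip, nas_id, authenticator=None):
    """What the AP sends for an administrative (PAP) login."""
    authenticator = authenticator or os.urandom(16)   # 16 fresh random bytes per request
    attrs = (avp(USER_NAME, username.encode()) + avp(NAS_IDENTIFIER, nas_id.encode())
             + avp(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
             + avp(USER_PASSWORD, hide_password(password.encode(), secret, authenticator)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_access_accept(ident, request_authenticator, secret, attrs):
    """Server reply; Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def parse_packet(packet: bytes):
    """(code, identifier, authenticator, [(type, value), ...]); rejects lengths that do not fit the bytes."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("Length field does not match datagram size")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return code, ident, packet[4:20], attrs

def decode_access_request(packet: bytes, secret: bytes) -> dict:
    """Server-side view: the fields IAS logs, with the PAP password recovered."""
    code, _, authenticator, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    a = dict(attrs)   # each attribute occurs once in this example
    return {"User-Name": a[USER_NAME].decode(),
            "User-Password": reveal_password(a[USER_PASSWORD], secret, authenticator).decode(),
            "NAS-IP-Address": str(ipaddress.IPv4Address(a[NAS_IP_ADDRESS])),
            "NAS-Identifier": a[NAS_IDENTIFIER].decode()}

def decode_access_accept(packet: bytes, request_authenticator: bytes, secret: bytes) -> dict:
    """AP-side view: verify the Response Authenticator, then read Service-Type and AV-Pairs."""
    code, _, response_auth, attrs = parse_packet(packet)
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    if code != ACCESS_ACCEPT or response_auth != expected:
        raise ValueError("Access-Accept failed the authenticator check (wrong secret or forged)")
    result = {"Service-Type": None, "Cisco-AV-Pair": []}
    for t, v in attrs:
        if t == SERVICE_TYPE:
            result["Service-Type"] = struct.unpack("!I", v)[0]
        elif t == VENDOR_SPECIFIC and len(v) >= 6 and v[:5] == struct.pack("!IB", CISCO_VENDOR_ID, CISCO_AVPAIR) and v[5] == len(v) - 4:
            result["Cisco-AV-Pair"].append(v[6:].decode())
    return result

if __name__ == "__main__":   # demo; a real deployment uses a long random shared secret
    SECRET = b"constructed-shared-secret"
    request = build_access_request(7, SECRET, "exampleadmin", "correct horse battery", "192.168.215.66", "HAVAP01")
    accept = build_access_accept(7, request[4:20], SECRET, avp(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE_USER)) + cisco_avpair("shell:priv-lvl=15"))
    print(decode_access_request(request, SECRET), decode_access_accept(accept, request[4:20], SECRET))
```

Two points follow from the code. First, the mask is MD5(secret + authenticator) for the first block, so anyone holding a captured request and a short or guessable shared secret can recover the password offline; keeping the AP-to-server path on a trusted management network and using a long random key (the "key 7" string in the AP config is only IOS's reversible config obfuscation of that secret) is what actually protects an administrative login. Second, the AP can reject a forged or replayed Access-Accept because the Response Authenticator is bound to the request's random authenticator and the secret; decode_access_accept raises on a wrong secret rather than granting the AV-Pair.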
ASKER
Thanks for the information. So, can we conclude that this is resolved? And one more thing: yesterday I configured that Cisco AV pair and later removed it, and the authentication part is still successful. Is there any specific reason? And finally, are we done with this? I mean, in case any client tries to access the AP, they would get authenticated by RADIUS, right?
ASKER CERTIFIED SOLUTION
ASKER
Thanks for the support and all the help. Before closing this case, I finally have one doubt: I didn't see anything about PAP in the URL you gave above, like the AP sending administrative login details unencrypted, and I was just wondering if someone in between on the line could get this sensitive info. I just need some more clarity on this concept. I would be very glad and thankful if I could get more info (any explanation or URL) about this.
Thanks in advance
ASKER
Sorry for the late reply. I was away from the system due to a fever. Thanks for the help and support.
ASKER
Thanks for the help and support