Authentication Radius 4.2 ACS and RADIUS Accounting

Is it possible to configure 4.2 ACS to authenticate users of a wireless network (with autonomous APs) through RADIUS while I use the same ACS to provide the command represent the points of access via GANYMEDE +? This issue came out because when I configure the APs 'AAA Clients' under 'Network Configuration' of the ACS server (necessary config for authentication APs and end users), the authentication method used is the RADIUS (Cisco Aironet) and it prevents the generation GANYMEDE server command accounting reports under "reports and activities > GANYMEDE + Administration.

Any idea on how to solve this problem?

Thank you

Antonio

Hello

Need to add a different hostname for the AP... IE, RPOS and APt, where you can use the same IP n but use radius for Ganymede and the other.

Thank you

Tarik Admani
* Please note the useful messages *.

Tags: Cisco Security

Similar Questions

  • Radius on ACS 5.2 accounting command

    order accounting for RADIUS supported ACS 5.2? status of implementation of radius of the provider supports this feature.

    Well radius account management is supported on ACS so if your aaa client's accounting controls, they will appear on ACS without problem.

  • After Update 1.2 ISE, I get "5413 RADIUS account request declined."

    Hello

    I have an installation of the node two admin at ISE. I installed one of my two knots ISE Admin to Version 1.2. I still have one of my admin to 1.1.4 nodes. When I disable my Version 1.1.4 node and allow wireless authentication be handled by the node to Version 1.2, I get the message... "Fallen of 5413 RADIUS account request". Meanwhile, none of my wireless edge devices can on the network. When I reactivate my 1.1.4 node my wireless devices are allowed on the network.

    I am currently using ISE to authenticate a wireless connection.

    I also get the reason for the failure. "RADIUS Accounting 11038 request header contains invalid authentication field".

    Any ideas?

    Bob

    5413 RADIUS account request has perhaps dropped because the session was active on ISE1 and is now sending messages to update to ISE2. Also, check your shared secret RADIUS is on the servers of the ISE and wlc. I would try the WLC connection for the compensation test user when switching.  Just turn wireless turn against it.  In addition, you use PEAP-MSChapv2 or EAP - TLS to authenticate the clients.  What type of certificate is present, public or private?

  • authentication between the ACS and AD

    Hello

    I would like to know what kind of authentication mechanism ACS 5.1 use to speak with Active Directory. Does simply use MSCHAP, MSCHAPv2 or PAP. By default, it uses PAP to talk between the Cisco IOS and the AEC on the 5.1.

    If you llook at the default admin tab and click on allowed protocols---> he mentions PAP.

    Should I use a safe means of transport between the ACS and AD. IDF, so anyone can say the authentication mechanism?

    Thank you

    Any meeting of directors like telnet, ssh and comfort they always use PAP as an authentication method.

    Although communication pap can be captured and read in this case in clear text. However, since we have Ganymede in use, he always encrypt the whole package with shared secret defined on the IOS and ACS/GANYMEDE so if you capture traffic between the radius and the device you won't be able to decipher it without the key.

    In case you have Ray then using SSH (Putty) so that it can help you for a safe communication.

    ACS and AD support PAP, CHAP, MSCHAPv1 and MSCHAPv2.

    However, the administration does not work on another method of authentication except PAP.

    HTH

    Regds,

    Jousset

    Note the useful posts ~

  • Is it possible to send Radius accounting packets with two different servers?

    Hello experts!

    I have dilemma I send info Radius accounting on two different servers for authentication of the dot1x. Here are the relevent config. However the switch just to send a copy on the first server in the server group...

    RADIUS AAA server Acct group
    ACCT-port of the server 172.17.1.1 auth-port 1812 1813
    ACCT-port of the server 172.17.1.2 auth-port 1812 1813

    accounting dot1x default start-stop broadcast group AAA Acct

    RADIUS-server host 172.17.1.1 auth-port 1812 acct-port 1813 key xxxxxx
    RADIUS-server host 172.17.1.2 auth-port 1812 acct-port 1813 key xxxxxx

    Is it possible to send two copies of two different servers? I tried the key word 'issue' in the aaa accounting command, but it does make a difference. What is doing? I can't find it in the manual...

    Thank you!

    Difan

    Difan,

    You must create two aaa server groups to operate. Allows the sending of accounting records to multiple AAA servers.  At the same time returns accounting records the first server in each group. If the first server is unavailable, the failover occurs using servers defined within this group.

    Accounting AAA broadcast configuration
    The following example shows the turn on broadcast accounting using the aaa accounting global command:

    RADIUS AAA server group isp
    Server 1.0.0.1
    Server 1.0.0.2

    AAA isp_customer radius server group
    Server 3.0.0.1

    AAA accounting network default start-stop broadcast group isp group isp_customer

    host server RADIUS 1.0.0.1
    host server RADIUS 1.0.0.2
    Server RADIUS key key1
    RADIUS-server host 3.0.0.1 key2 keys

    The broadcast keyword causes the start and stop accounting for dot1x connections to be sent simultaneously to the 1.0.0.1 group isp server and Server 3.0.0.1 in the isp_customer group. If 1.0.0.1 is unavailable, Server failover 1.0.0.2 occurs. If the 3.0.0.1 server is unavailable, no failover occurs because backup servers are not configured for the isp_customer group.

    Kind regards

    ~ JG

    Note the useful messages

  • RADIUS accounting report

    Hello

    I would like to know if is possible annex a Radius accounting report and automatically export GBA version 5.4 5.3.or?

    TKS,

    Daniel Stefani

    Scheduled reports is a characteristic pledged to add in ACS 5.5

  • Authentication Radius Cisco with Windows NAP with encrypted authentication

    I need authentication radius configuration for Cisco IOS devices for device management. My radius server is on Windows 2008 R2.

    Can I implement this with encrypted authentication? In the attached diagram, can what protocol I use for encrypted authentication?

    According to some sites, we need activate authentication in clear text. All those put in place secure as MSCHAP authentication?

    Hello

    You activate the text authentication (PAP) clear. Don't forget Ray sends the username in clear but encrypts the password. You can confirm this take a wireshark capture. You will also get the RADIUS encryption using a key to Ray long and complex.

    If you want to encrypt the user name and password, then you would use GANYMEDE

    Thank you

    John

  • Authentication RADIUS Cisco switch

    Hello

    I have a cisco 2960 switch and currently trying to install radius authentication. My guy from microsoft do the side server, we have the correspondence of the keys and he says there is no problem on his side, but we still Pascal operate.

    Config of switch

    AAA new-model
    AAA authentication login default local radius group

    Server RADIUS auth-port host 10.0.0.13 1812
    0 of RADIUS-server key test

    line vty 0 4
    by default the authentication of connection

    switch and the radius server are installed on the same network. I did a debug and confused on the output. Can someone point me in the right direction.

    I did a radius authentication and aaa debug debugging

    AccessSwitch #.

    RADIUS/ENCODE (00001586): orig. component type = Exec

    RADIUS: AAA Attr not supported: interface [221] 4 92269176

    RADIUS / encode (00001586): down the type of service, "radius attribute 6 sur-pour-login-auth server" is disabled

    RADIUS (00001586): Config NAS IP: 0.0.0.0

    RADIUS (00001586): Config NAS IPv6:

    RADIUS / encode (00001586): acct_session_id: 20

    RADIUS (00001586): send

    RADIUS/ENCODE: Best local IP 10.0.0.56 for Radius server - address 10.0.0.13

    RADIUS (00001586): Sending a bunch of RADIUS IPv4

    RADIUS (00001586): Send access request ID 10.0.0.13:1812 1645/18, len 77

    RADIUS: authenticator 7 c B1 A0 55 62 45 7 AF b - E2 F2 48 4 C3 F0 72 98

    RADIUS: Username [1] 15 "james.hoggard".

    RADIUS: User-Password [2] 18 *.

    RADIUS: NAS-Port [5] 6 2

    RADIUS: NAS-Port-Id [87] 6 'tty2 '.

    RADIUS: NAS-Port-Type [61] 6 virtual [5]

    RADIUS: NAS-IP-Address [4] 6 10.0.0.56

    RADIUS (00001586): Started 5 sec timeout

    RADIUS: Receipt id 1645/18 10.0.0.13:1812, Access-Reject, len 20

    RADIUS: authenticator 80 CE C9 C2 D6 30 65 A9 - 07 9th 12 4 80 A9 3 c D8

    RADIUS (00001586): Receipt of id 1645/18

    AAA/AUTHENTIC/LOGIN (00001586): choose method list "by default".

    RADIUS / encode (00001586): ask "" password: ".

    RADIUS / encode (00001586): upload the package. GET_PASSWORD

    Thank you

    James.

    Yes, PAP always use text gross, and that doesn't provide any kind of security.  However, does not support administrative session with Ray chap/mschap.we cannot configure firewall/IOS devices for the Administration as a telnet/ssh session to authenticate users on the mschapv2 authentication method.

    If you need secure communications you can implement GANYMEDE.

    GANYMEDE + and RADIUS using a shared secret key for encryption for communications between the client and the server. RADIUS encrypts the password of the user when the client makes a request to the server. This encryption prevents a person from sniffing the password of the user using a packet Analyzer. However, other information such as username and the services being performed can be analyzed. GANYMEDE + does not encrypt only the entire load at the communication, but it also encrypts the password between the client and the server. This makes it harder to decipher the information on the communication between the client and the server. GANYMEDE + uses the MD5 hash in its algorithm of encryption function and decryption.

    ~ BR
    Jatin kone

    * Does the rate of useful messages *.

  • DHCP Radius account management

    We tried to apply DHCP using RADIUS accounting. All of the configuration made as in http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a00801543c7.html

    but it seems that appointed accountant lists do not work att.

    I.e.

    Group of power for the RADIUS-GROUP1 RGROUP-1 AAA accounting network

    IP dhcp WIRELESS-POOL pool

    accounting RADIUS-GROUP1

    does not. How can I properly configure DHCP accounting? An example of work?

    PS: 7206, c7200 - is - mz.123 - 16.bin

    In this network of Accountants order aaa RADIUS-arrhythmic GROUP1 group RGROUP-1 tent with various options instead of the word network. See the following URL for more information

    http://www.Cisco.com/univercd/CC/TD/doc/product/software/ios122/122newft/122T/122t15/ftdhcpac.htm#wp1086397

  • Problem with GANYMEDE + (ACS) and cat 2950

    I have configured the 2950 as below and properly configured ACS and I can connect to the 2950 using this configuration, the problem lies after that I go to enable and try any command, I get approval to next error command failed.

    What I missed out the config that will allow me to execute commands?

    AAA new-model

    AAA authentication login default group Ganymede + local

    AAA authorization exec default group Ganymede + local authenticated by FIS

    AAA authorization commands 15 default group Ganymede + authenticated if

    AAA authorization network default group Ganymede + local authenticated by FIS

    AAA accounting exec default start-stop Ganymede group.

    orders accounting AAA 15 by default start-stop Ganymede group.

    AAA accounting network default start-stop Ganymede group.

    GANYMEDE server host ***. ***

    radius-server key 7 *.

    Thanks in advance.

    Jon

    Hi Jon,

    AAA of the switch seems ok, maybe you need to take a look at your ACS.

    Check the following information, where you have to apply it in your ACS config:

    http://www.Cisco.com/en/us/products/sw/secursw/ps5338/products_configuration_guide_chapter09186a00801fd6fc.html#wp676529

    Rgds,

    AK

  • 5.2 of the ACS and Cisco ACE RBAC does not...

    Would be grateful for help here if it can be provided.

    I am configuring GANYMEDE auth for a Cisco ACE through our 5.2 ACS server. I think that I installed everything correctly but when I connect with my GANYMEDE account it gives me only monitor network privileges.

    This is the Configuration of ACE, I use:

    XXXXXXXX, host 1.1.1.1 key radius-server

    XXXXXXXX, host 2.2.2.2 key radius-server

    RADIUS-server timeout 10

    RADIUS-server deadtime 30

    !

    AAA group Ganymede Server + ACS

    Server 1.1.1.1

    2.2.2.2 Server

    output

    !

    AAA authentication login default group local ACS

    AAA authentication login console Group local ACS

    Default accounting AAA group ACS

    !

    This is the Configuration of the ACS:

    When I connect to the ACE I see authenticating and pulling the right group of the ACS journal:

    Connected to the ACS status details user peripheral name server device name group Service identity store identity network access group

    Apr 8:57:40.566 30.13 AM xxxckxxx

    AFA-ACE-internal

    Device Type: all device Types: load balance devices, network, location: Cameron Enterprises: Oklahoma: Data Center - 1 unit Access.TACACS

    AD1 all groups: administrator - full HAPP-CSACS

    Apr 8:52:20.256 30.13 AM xxxckxxx

    AFA-ACE-internal

    Device Type: all device Types: load balance devices, network, location: Cameron Enterprises: Oklahoma: Data Center - 1 unit Access.TACACS

    AD1 all groups: administrator - full xxx movies

    Apr 8:43:43.276 30.13 AM xxxckxxx

    AFA-ACE-internal

    Device Type: all device Types: load balance devices, network, location: Cameron Enterprises: Oklahoma: Data Center - 1 unit Access.TACACS

    AD1 all groups: administrator - full xxx movies

    But when I log in AS and do a show users that I get:

    * xxxckxxx Dev_VC pts/2 Apr 30 09:57 (x.x.x.x) monitor-network-default domain

    I've searched for days to find a solution for this with no luck. Any help would be greatly appreciated.

    Thank you.

    Well, it should work effectively at the same time.

    Could you please check the GANYMEDE of ACS logs and check the newspaper correct PROFILE of SHELL (Shell Administrator profile-material) are selected.

    This can be checked by virtue:

    Monitoring & reports > Reports > Catalog > AAA Protocol > authorization Ganymede

    They provide an output of

    Field of Show running-config

    Would appreciate if you can share the result here.

    Jatin kone

    -Does the rate of useful messages-

  • Cisco ACS and Pix Firewall

    I have configured the aaa authentication in the pix firewall to see the ACS RADIUS Server for verification of the user. If the ACS server becomes unavailable, then I could not connet the pix firewall.

    In the router, I have the configuration option

    AAA authentication login default group Ganymede + local

    that tells the router first looking for a radius server and if is not available connect through the local database.

    Is there an option in the Cisco pix firewall to connect using local information if ACS is not available?

    Thanks in advance

    Hello

    PIX back up method to entered the unit in the event of server failure aaa works on 6.3.4 code and above. In the codes plus late 6.3.4 If the RADIUS server fails it is impossible to get in unless password recovery. "However if we have not configured for console aaa authentication than user name: pix and password: cisco" works by default.

    Kind regards

    Mahmoud Singh

  • 4.2 of the ACS and EAP - TLS with AD and prefix problem

    Hello

    We have the following situation:

    -2 X ACS (ACS SE 4.2 1 x and 1 x 4.2 ACS) for domain

    -2 x ACS (ACS SE 4.2 1 x and 1 x 4.2 ACS) for domain b.

    First of all, there is a problem to have an ACS SE and a CBS work together for an area, I do not? When we haven't had that one area and the two SE ACS were responsible for domain A, it worked.

    Now after the changes, authentication of machine with EAP - TLS is no longer in effect. In the newspapers, it always says that "external user DB is unknown" for a username (machine) as host/abc.domain.ch

    This is the normal output of the Remote Agent, he finds the host but then nothing happens:

    CSWinAgent 2009-11-30 16:32:13 0140 3672 0x0 customer who connects from x.x.x.x:2443
    CSWinAgent 2009-11-30 16:32:14 0507 3512 0x0 CPP: NT_DSAuthoriseUser received
    CSWinAgent 2009-11-30 16:32:14 0474 3512 0x0 NTLIB: Creating Domain cache
    CSWinAgent 2009-11-30 16:32:14 0549 3512 0x0 NTLIB: domain Cache loading
    CSWinAgent 2009-11-30 16:32:14 0646 NTLIB 3512 0x0: none of the trusted domains found
    CSWinAgent 2009-11-30 16:32:14 0735 3512 0x0 NTLIB: cache loaded field
    CSWinAgent 2009-11-30 16:32:14 2355 3512 0x0 NTLIB: user "host/abc.domain.ch" found [FIELD]
    CSWinAgent 2009-11-30 16:32:14 0584 0 x 3512 0 RPC: NT_DSAuthoriseUser response sent

    So I did a test of the ASA to see if the host is a problem (until changes have been made it was not a problem):

    AAA authentication RADIUS host 10.3.1.9 username host/abc.domain.ch to test (the ASA becomes the host / entry for the correct Windows scheme with the $):

    CSWinAgent 2009-11-30 15:39:23 0140 3672 0x0 customer who connects from x.x.x.x:1509
    CSWinAgent 2009-11-30 15:39:23 0390 0 x 3728 0 RPC: NT_MSCHAPAuthenticateUser received
    CSWinAgent 2009-11-30 15:39:23 0474 3728 0x0 NTLIB: Creating Domain cache
    CSWinAgent 2009-11-30 15:39:23 0549 3728 0x0 NTLIB: domain Cache loading
    CSWinAgent 2009-11-30 15:39:23 0646 NTLIB 3728 0x0: none of the trusted domains found
    CSWinAgent 2009-11-30 15:39:23 0735 3728 0x0 NTLIB: cache loaded field
    CSWinAgent 2009-11-30 15:39:23 1762 3728 0x0 NTLIB: had WorkStation CISCO
    CSWinAgent 2009-11-30 15:39:23 1763 3728 0x0 NTLIB: Windows authentication attempts for user ABC$
    CSWinAgent 2009-11-30 15:39:23 1815 3728 0x0 NTLIB: Windows authentication FAILED (Error 1326 L)
    CSWinAgent 2009-11-30 15:39:23 0373 3728 0x0 NTLIB: retry authentication to the domain
    CSWinAgent 2009-11-30 15:39:23 0549 3728 0x0 NTLIB: domain Cache loading
    CSWinAgent 2009-11-30 15:39:23 1762 3728 0x0 NTLIB: had WorkStation CISCO
    CSWinAgent 2009-11-30 15:39:23 1763 3728 0x0 NTLIB: Windows authentication attempts for user ABC$
    CSWinAgent 2009-11-30 15:39:23 1815 3728 0x0 NTLIB: Windows authentication FAILED (Error 1326 L)
    CSWinAgent 2009-11-30 15:39:23 0456 0 x 3728 0 RPC: NT_MSCHAPAuthenticateUser response sent

    It is clear that the test failed because of the bad 'past to a computer' but it's a different output as before. I saw that in ACS 4.1, you can change the prefix of send_break_action for nothing, but in 4.2 it is no longer possible.

    This could be the problem, or if someone sees no other problem?

    Best regards

    Dominic

    Hello

    I encounter the same problem with my acs. I have all of the attempts failed for the default group. For the default group made configuration is not available. Is - this thereason behind all this?

  • How do .1x port based authentication access network through ACS

    How .1x port based authentication access network through ACS.

    Hello

    802. 1 x can authenticate the host or by the name of username/password, or either through the MAC address of the clients (PC, printers etc.). This process is called agentless network access that can be done via Mac Auth Bypass.

    In this process, the switchport 802.1 x would send the address MAC PC's connected to the server radius for authentication. If the radius server has the MAC address in its database, authentication will be successful and the PC would be granted network access.

    To check the configuration on GBA 4.x, you can go to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_ser...

    To check the configuration on a CBS 5.x, you can go to http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_contro...

    Kind regards

    Kush

  • ACS and download ACL for multiple clients-AAA

    Hello!

    I need to know if it is possible to download ACL on the DACL device that is not a part of the conversation of RADIUS? In other words, I have a user who needs access to certain resources and attempts to connect to the network via PIX1. I need to authenicate it by ACS and download ACL PIX1 and (attention) PIX2 also (some firewalls upstream). Is it possible to do?

    I don't think that you can do. As you mentioned that the other PIX has no Radius configuration. And you can push only DACL of the Radius on the PIX server, she asks, not in any other PIX.

    And I'm not aware of any mechanism or feature, which allows you to transfer the downloaded ACL of one PIX to another.

    Kind regards

    Prem

  • Windows XP 'Welcome screen and user accounts' missing.

    I have a Windows XP and recently installed NETGEAR for internet access.  My "Welcome screen and user accounts" are missing.  The user accounts are in the title of the user accounts Control Panel, but, "How users connect power, change" Windows and switch Fast has been disabled.  I now have the classic to log in to my account, but now I'm the only user on this computer.  Can you help me solve this problem without uninstalling NETGEAR?  I thank very you much for your time.

    2350sandy

    Your symptoms point to a Graphical Identification and Authentication (Msgina.dll) file that has been replaced by your netgear installation.  The following items describe your condition and suggest alternatives:

    "A discussion about the availability of the fast user switching feature.

    <>http://support.Microsoft.com/kb/294739 >

    "The default Windows logon Interface may not appear after installing third-party program"

    <>http://support.Microsoft.com/kb/302346 >

    HTH,
    JW

Maybe you are looking for

  • Games and graphics on the Satellite A100-197

    I have a portable satellite A100-197 and I have problems to read some games. Most of the games work very well, but I have problems to read games on Steam, as source of counterstrike and half-life 2. Before starting the game, I gives me an error messa

  • got a new router how to connect my old again router Extender?

    My ISP has given me a new router. How can I connect my EX2700 existing to the new router extender? I tried just acting as if there had been no previous router, but it did not work.

  • How to display time information in the report and the results?

    Is it necessary to manually calculate the following? Start time of execution Elapsed time since the beginning of the execution Start of stage time Step end time If not, where are these results available within TestStand? I would like to keep the time

  • Send GPIB Read function XY graph data

    Hello I'm really new to LabVIEW, so it is probably an easy one, but I'm having a serious problem, try to understand this one. How to send data from GPIB playback to a graph function, let's say the XY graph. My data consist of a string of numbers, sep

  • Automatic connection to the internet

    I have to manually connect to the internet on my laptop via a wireless router, every time I go online.  He won't have changes settings to connect automatically