IAS Radius Authentication issue

  • Question

  • I have this weird issue with authenticating Cisco Small Business Smart switches using IAS Radius.  I also have a wireless Cisco Router that authenticates users with no problems.

    My switches authenticate ok within IAS and I see the logs allowing the authentication, but my switch's webpage is not allowing me in, saying wrong username or password.  I had Cisco run a webex session with me, and they believe the IAS is set up wrong.

    They showed me the settings that they used on a LAB setup with the same switch I am using. Every time I try to use the switch I see an error on the switch log showing this...


    %AAA-W-REJECT: New http connection for user TestPass1234, source 192.168.0.8 destination 192.168.0.37  REJECTED

    The username is not Testpass1234, the username should be Admin and the password should be Testpass1234.  Why is the password being entered in as a username?

    User Admin was granted access.

    Fully-Qualified-User-Name = NEPTUNE\admin

    NAS-IP-Address = 192.168.0.37

    NAS-Identifier = <not present>

    Client-Friendly-Name = SLM224G

    Client-IP-Address = 192.168.0.37

    Calling-Station-Identifier = <not present>

    NAS-Port-Type = <not present>

    NAS-Port = <not present>

    Proxy-Policy-Name = Switch_Policy

    Authentication-Provider = Windows

    Authentication-Server = <undetermined>

    Policy-Name = SLM224G

    Authentication-Type = PAP

    EAP-Type = <undetermined>

    This is from the event log...  Test setup.

    • Changed type Aiden_Cao Tuesday, February 21, 2012 4:46 AM it's a question
    Saturday, February 18, 2012 10:31 PM

Answers

  • Verify shell=15 for Cisco for web access.

    Refer to this article, which might help you: http://www.alcatelunleashed.com/viewtopic.php?f=193&t=14816


    Gopi Kiran |Facebook| This posting is provided AS IS with no warranties, and confers no rights.

    • Proposed as answer by Ace Fekay [MCT] Thursday, February 23, 2012 1:04 AM
    • Marked as answer by Dean Thompson Saturday, February 25, 2012 10:41 PM
    Saturday, February 18, 2012 10:53 PM
  • I agree with Gopi. I've seen this once before. Also, if you have a 24/7 Gold Support contract with Cisco, I suggest putting in a TAC request. They can walk you through or actually configure it for you, even on the Windows side. I had a Cisco AP 1231 a few years back that I needed assistance with, and the contract came in real handy. It took them 2 weeks to do it, but they did it.
    http://www.cisco.com/cisco/web/support/index.html

    .

    Also, you may want to change this thread type from a "Discussion" to a "Question," since after all you're asking a question. :-)

    .

    Ace


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    • Marked as answer by Aiden_Cao Tuesday, February 21, 2012 4:46 AM
    Monday, February 20, 2012 12:14 AM

All replies

  • I actually had Cisco level 2 tech Webex into my system and they could not figure it out.  You guys on the other hand had the correct information.  Everything was set but I had the service type as "Login" and not "Administrative".  Tested it and it went in straight away!

    Just to let you all know, this has given me weeks of headaches.  I should have come here and asked in the first place....  THANK YOU ALL.

    Wednesday, February 22, 2012 8:54 PM
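
Added example, not part of any post in this thread: a small Python check that parses a RADIUS Access-Accept and reports the Service-Type and Cisco privilege level it carries, the two values the answer and the resolution above turn on. The packets are constructed samples; attribute numbers follow RFC 2865, and reading "shell=15" as the Cisco-AVPair `shell:priv-lvl=15` is an assumption.

```python
import struct

SERVICE_TYPE, VENDOR_SPECIFIC = 6, 26      # RFC 2865 attribute numbers
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1       # Cisco VSA that carries AV pairs
PREFIX = "shell:priv-lvl="                 # assumed meaning of "shell=15"
SERVICE_TYPES = {1: "Login", 6: "Administrative", 7: "NAS-Prompt"}

def parse_attributes(packet):
    """Yield (type, value) for each attribute of a raw RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20                               # code, id, length, 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def admin_grant(packet):
    """Report the Service-Type and Cisco privilege level a reply carries."""
    attrs = list(parse_attributes(packet))  # validates before indexing
    result = {"code": packet[0], "service_type": None, "priv_lvl": None}
    for atype, value in attrs:
        if atype == SERVICE_TYPE and len(value) == 4:
            num = struct.unpack("!I", value)[0]
            result["service_type"] = SERVICE_TYPES.get(num, str(num))
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            text = value[6:4 + vlen].decode("ascii", "replace")
            if ((vendor, vtype) == (CISCO_VENDOR_ID, CISCO_AVPAIR)
                    and text.startswith(PREFIX) and text[len(PREFIX):].isdigit()):
                result["priv_lvl"] = int(text[len(PREFIX):])
    return result

def build_accept(attrs):
    """Constructed Access-Accept (code 2) with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 2, 1, 20 + len(body)) + bytes(16) + body

# Constructed sample replies, not captured traffic.
AVPAIR = b"shell:priv-lvl=15"
LOGIN_ACCEPT = build_accept([(SERVICE_TYPE, struct.pack("!I", 1))])
ADMIN_ACCEPT = build_accept([
    (SERVICE_TYPE, struct.pack("!I", 6)),
    (VENDOR_SPECIFIC, struct.pack("!IBB", 9, 1, len(AVPAIR) + 2) + AVPAIR),
])
```

Running `admin_grant` over a reply captured between the IAS server and the switch shows whether the policy returns "Login" or "Administrative", independent of what the IAS event log reports as granted.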
  • Dean,

    Glad to hear that! At least with Cisco support, you didn't have to pay anything for the TAC, since it's already part of the contract you purchased.

    I marked Gopi's post a "Propose as Answer," since that's where you got the Service type suggestion. You may want to mark his as an Answer. :-)

    Once again, glad to hear it's working. :-)

    Ace


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    Thursday, February 23, 2012 1:06 AM
  • Dean,

    Sorry for the delayed response. Glad to hear that the link helped you to figure out the problem.

    Ace,

    Thank you for the support.


    Gopi Kiran |Facebook| This posting is provided AS IS with no warranties, and confers no rights.

    Sunday, February 26, 2012 10:36 AM