Windows 2003 R2 - Radius Configuration for cisco device authentication

    Question

  • To the Windows Community,

         I have a Windows 2003 R2 server that, for the life of me, I cannot get my Cisco switches authenticating through my IAS RADIUS server and back to Active Directory successfully. I have looked through multiple Cisco and Microsoft documents but cannot get this authentication thing working. At the bottom of my client debug it looks as if it's waiting on the server to respond back with something, and I can't figure out what it's waiting on; it times out. The debug of the Cisco switch RADIUS client is below. My client and my server are on different subnets, and there are no ACLs or firewalls between the RADIUS client and the Windows server.

    Could someone please give me a valid Windows 2003 IAS RADIUS configuration so I can at least rule out that my Windows server is the problem. Thank you.

    How do I get my Windows server configured so my Cisco RADIUS clients can authenticate to it? I have already loaded RADIUS and registered it in Active Directory.

    032037: Apr 20 12:03:03.875 salvado: RADIUS/ENCODE(0000010C):Orig. component type = EXEC
    032038: Apr 20 12:03:03.875 salvado: RADIUS: AAA Unsupported Attr: interface [171] 4
    032039: Apr 20 12:03:03.875 salvado: RADIUS: 74 74 [ tt]
    032040: Apr 20 12:03:03.875 salvado: RADIUS(0000010C): Config NAS IP: 0.0.0.0
    032041: Apr 20 12:03:03.875 salvado: RADIUS/ENCODE(0000010C): acct_session_id: 268
    032042: Apr 20 12:03:03.875 salvado: RADIUS(0000010C): sending
    032043: Apr 20 12:03:03.883 salvado: RADIUS/ENCODE: Best Local IP-Address 10.10.99.3 for Radius-Server 10.10.100.17
    032044: Apr 20 12:03:03.883 salvado: RADIUS(0000010C): Send Access-Request to 10.10.100.17:1812 id 1645/98, len 91
    032045: Apr 20 12:03:03.883 salvado: RADIUS: authenticator 6A 8D 2B E2 E8 92 DF 3B - 34 2C 02 DF C8 89 29 96
    032046: Apr 20 12:03:03.883 salvado: RADIUS: User-Name [1] 10 "username"
    032047: Apr 20 12:03:03.883 salvado: RADIUS: User-Password [2] 18 *
    032048: Apr 20 12:03:03.883 salvado: RADIUS: NAS-Port [5] 6 1
    032049: Apr 20 12:03:03.883 salvado: RADIUS: NAS-Port-Id [87] 6 "tty1"
    032050: Apr 20 12:03:03.883 salvado: RADIUS: NAS-Port-Type [61] 6 Virtual [5]CI_Warehouse#
    032051: Apr 20 12:03:03.883 salvado: RADIUS: Calling-Station-Id [31] 13 "10.10.69.11"
    032052: Apr 20 12:03:03.883 salvado: RADIUS: Service-Type [6] 6 Outbound [5]
    032053: Apr 20 12:03:03.883 salvado: RADIUS: NAS-IP-Address [4] 6 10.10.99.3
    032054: Apr 20 12:03:03.883 salvado: RADIUS(0000010C): Started 5 sec timeout CI_Warehouse#
    032055: Apr 20 12:03:08.724 salvado: RADIUS(0000010C): Request timed out
    032056: Apr 20 12:03:08.724 salvado: RADIUS: Retransmit to (10.10.100.17:1812,1813) for id 1645/98
    032057: Apr 20 12:03:08.724 salvado: RADIUS(0000010C): Started 5 sec timeout

    Wednesday, April 20, 2011 6:10 PM
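The symptom in the debug above is an Access-Request that is sent, times out, and is retransmitted with nothing ever coming back. The following is an added example (not from the thread, Cisco or Microsoft) that groups Cisco `debug radius` output by request id and lists the ids the server never answered; the sample lines are constructed to mirror the question's format, with one extra request that does get an Access-Accept for contrast.

```python
import re
from collections import OrderedDict

# Constructed sample modelled on the Cisco "debug radius" lines quoted in the question
SAMPLE_DEBUG = """\
032044: Apr 20 12:03:03.883 salvado: RADIUS(0000010C): Send Access-Request to 10.10.100.17:1812 id 1645/98, len 91
032046: Apr 20 12:03:03.883 salvado: RADIUS: User-Name [1] 10 "username"
032047: Apr 20 12:03:03.883 salvado: RADIUS: User-Password [2] 18 *
032050: Apr 20 12:03:03.883 salvado: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
032055: Apr 20 12:03:08.724 salvado: RADIUS(0000010C): Request timed out
032056: Apr 20 12:03:08.724 salvado: RADIUS: Retransmit to (10.10.100.17:1812,1813) for id 1645/98
032060: Apr 20 12:03:20.100 salvado: RADIUS(0000010D): Send Access-Request to 10.10.100.17:1812 id 1645/99, len 91
032061: Apr 20 12:03:20.100 salvado: RADIUS: User-Name [1] 10 "username"
032062: Apr 20 12:03:20.150 salvado: RADIUS: Received from id 1645/99 10.10.100.17:1812, Access-Accept, len 20
"""

SEND_RE = re.compile(r"Send Access-Request to (\S+:\d+) id (\d+/\d+)")
RECV_RE = re.compile(r"Received from id (\d+/\d+) \S+, (Access-\w+)")
RETX_RE = re.compile(r"Retransmit to \(.*?\) for id (\d+/\d+)")
ATTR_RE = re.compile(r"RADIUS: ([\w-]+) \[(\d+)\] \d+ (.*)$")


def summarize(debug_text):
    """Group debug lines by RADIUS request id; returns id -> summary dict."""
    reqs, current = OrderedDict(), None
    for line in debug_text.splitlines():
        if m := SEND_RE.search(line):
            current = m.group(2)
            reqs[current] = {"server": m.group(1), "attrs": {},
                             "timeouts": 0, "retransmits": 0, "reply": None}
        elif m := RECV_RE.search(line):
            if m.group(1) in reqs:
                reqs[m.group(1)]["reply"] = m.group(2)
        elif m := RETX_RE.search(line):
            if m.group(1) in reqs:
                reqs[m.group(1)]["retransmits"] += 1
        elif "Request timed out" in line and current:
            reqs[current]["timeouts"] += 1
        elif (m := ATTR_RE.search(line)) and current:
            # attribute name -> value as the NAS printed it (User-Password shows as "*")
            reqs[current]["attrs"][m.group(1)] = m.group(3)
    return reqs


def unanswered(reqs):
    """Request ids the server never replied to: the symptom in the question."""
    return [rid for rid, r in reqs.items() if r["reply"] is None]
```

Run `unanswered(summarize(text))` over a captured debug; a request that shows timeouts and retransmits but no reply means the packet is being dropped or silently discarded, which is where to look at the shared secret and RADIUS client entry on the IAS side.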

Answers

  • Microsoft Community,

       This is a little late of a response, but after getting a TechNet subscription, which I highly recommend to any Microsoft engineer, I'm back again. So I ended up fixing this another way. Basically it was my fault. When I was applying my Cisco pre-shared key I was using the copy and paste feature. I think I was copying over some hidden characters or something, because when I manually typed the Cisco pre-shared key in, it started working.

    Rob

    Friday, February 24, 2012 2:39 PM
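Why a pasted invisible character breaks things silently: RFC 2865 hides User-Password by XORing it with MD5(shared secret + Request Authenticator), so a secret that differs by one unseen byte decodes to garbage on the server rather than producing an obvious error (the 18-byte User-Password attribute in the debug above is one such 16-octet block plus the 2-byte header). The following is an added example, not code from the thread or from Microsoft or Cisco; the secrets are constructed and are assumed to be UTF-8 encoded, and the check at the end flags characters outside visible ASCII before a secret is entered.

```python
import hashlib
import unicodedata

# Constructed values (not from the thread): the secret as typed, and the same secret
# as pasted with an invisible no-break space on the end.
TYPED_SECRET = "S3cret!"
PASTED_SECRET = "S3cret!\u00a0"


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-octet blocks, XOR each with MD5(secret + previous block)."""
    blocks = max(1, -(-len(password) // 16))      # at least one block, even for ""
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = b"", authenticator                  # first block keys on the Request Authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same operation; a wrong secret yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def suspicious_chars(secret: str):
    """(index, Unicode name) of every character outside visible ASCII, e.g. NBSP or a trailing space."""
    return [(i, unicodedata.name(c, f"U+{ord(c):04X}"))
            for i, c in enumerate(secret) if not 0x21 <= ord(c) <= 0x7E]


def password_survives(secret_on_nas: str, secret_on_server: str, password=b"password") -> bool:
    """Does the server recover the password the NAS hid? Secrets are UTF-8 encoded (assumption)."""
    authenticator = bytes(range(16))                # a real NAS sends 16 random octets here
    hidden = hide_password(password, secret_on_nas.encode(), authenticator)
    return unhide_password(hidden, secret_on_server.encode(), authenticator) == password
```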

All replies

  • Hi there -

    You might want to step through the first two checklists in the topic "Checklists: Configuring IAS for Authenticated Switch Access: Internet Authentication Service (IAS)" at http://technet.microsoft.com/en-us/library/cc776221(WS.10).aspx to verify the IAS server configuration.

    Have you configured the switches as RADIUS clients in IAS? Are you using the same shared secret on the IAS server as you are on the switches?

    Also, if you're using EAP you might want to make sure EAP is enabled on the switches so that they'll pass EAP authentication messages from access clients to the IAS server, and vice versa.

    Thanks -


    James McIllece
    Wednesday, April 20, 2011 7:35 PM
  • Hi.

    If you look at the logs on the IAS side, do you see any traces that there has been communications between the Cisco and IAS server?


    Oscar Virot
    Wednesday, April 20, 2011 7:48 PM
  • Oscar,

       Yes, very good question. I traced those logs as well and I see the log treading. The logs show both the client and the server communicating, but the client is not successfully authenticating.

    Monday, April 25, 2011 8:48 PM
  • James,

           You are right, I should step through that document. This is a new document for me and I look forward to reviewing it shortly! Oh, and about the pre-shared key: very good idea, that is a gotcha for many administrators. I have already run into that problem and fixed it. My original Cisco debugs gave me a decrypt fail error, which led me to isolating the mismatched key error. After matching the keys I no longer have this problem. I actually copied and pasted the key to the RADIUS client and to the RADIUS server key, so I know they match! Thanks.

    I will let you know shortly how it goes.

    Thanks

    Rob Orr - Bunch o microsoft certs from NT to 2008

    Monday, April 25, 2011 8:57 PM
  • Hi.

    Since RADIUS uses UDP, some firewalls can't handle UDP and state correctly. Do you have a firewall between the RADIUS server and clients? Try to open it both ways; just remember that src and dst ports are the other way around then.


    Oscar Virot
    Monday, April 25, 2011 9:21 PM
  • Yes,

       That is correct, I have seen this problem as well. However, in my original post you have likely already seen that in my environment I do not have a firewall between my RADIUS client and server, just a Cisco 3800 series router with no ACLs on either of the interfaces that connect to those 2 subnets.

    Thanks

    Rob

    Monday, April 25, 2011 9:56 PM
  • James,

       I ran through this checklist and didn't find anything too terribly useful. This is the server side configuration that I currently have under my "Remote Access Policies" policy, "Edit Profile":

    EAP Methods

    ************

    Unencrypted Authentication(PAP,SPAP)

    ************

    Encryption

    ************ 

    No Encryption

    Monday, April 25, 2011 10:03 PM
  • Hi.

    How have you configured the Network Policy?


    Oscar Virot
    Monday, April 25, 2011 10:19 PM
  • You mean the "Connection Request Policies"?
    Monday, April 25, 2011 10:21 PM
  • Remember I have windows 2003 R2 not windows 2008.
    Monday, April 25, 2011 10:23 PM
  • Yes, I just realized that again.

    Do you use the standard "Connection Request Policies" and "Remote Access Policies"?

    And your log stated that the "NAS-Port-Type" you use is Virtual, not "Ethernet", as the default guide would guess.


    Oscar Virot
    Monday, April 25, 2011 10:23 PM
  • My Radius Client is reporting that it is picking the server group.

    033875: Apr 25 16:20:28.919 salvado: AAA/AUTHEN/LOGIN (00000126): Pick method list 'RADIUS-GROUP'

    Monday, April 25, 2011 10:25 PM
  • What policy Conditions do you have entered?
    Oscar Virot
    Monday, April 25, 2011 10:41 PM
  • OK, let's talk in terms that are the same. Do you have a Windows 2003 server that you can look at? Load the IAS component and open the "Internet Authentication Service" application to see what I see.

    1. My "RADIUS Clients" are configured perfectly. The problem, I think, is either the "Remote Access Policies" or the "Connection Request Policies". I will however look into the Cisco documentation to see if my NAS settings are wrong due to the Virtual rather than Ethernet setting. If you have an email address, can I email you the screenshots?

    Tuesday, April 26, 2011 3:04 PM
  • Yes I have a 2003 server environment.

    You can reach me at lastname@lastname.com, please replace with my lastname :)


    Oscar Virot
    Tuesday, April 26, 2011 8:36 PM