
TekRADIUS :: Forum



Home » Interoperability » Configuration on TekRadius for authentication


18.02.2010 23:03:45

rabcdabcd
Posts: 3
I am very new to Radius server related config. I have installed TekRadius on my Windows XP with SP3. I have also configured a Cisco 3750 switch with one port for dot1x authentication. I would like to consider NT authentication. How should I configure the TekRadius side so the port I have configured on the Cisco 3750, where the laptop is connected, gets authentication and so on? I am lost. Any help will be very much appreciated.... Thanks in advance.
My switch and port config is:

conf t
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius-server host 10.10.65.158
radius-server host 10.10.65.158 auth-port 1812 acct-port 1646 key cisco
radius-server key rita
radius-server vsa send authentication
conf t
int gig 0/3
switchport access vlan 65
switchport mode access
dot1x port-control auto
dot1x host-mode single-host
dot1x auth-fail vlan 4
dot1x guest-vlan 7

What should I take care of on the TekRadius side so the port on which the laptop is connected gets authentication with Microsoft AD?
Do I need a special setup on the Windows XP laptop for this? As I connected the laptop to the port, the machine stopped communication. I had no way to authenticate to the Radius server from the laptop.

Thanks
permalink • reply with quote
19.02.2010 16:24:03

admin
Administrator
Posts: 881
Hi,

I assume that you have successfully installed TekRADIUS with SQL server.

Add your switch as a RADIUS client in Clients tab. Create a user profile with at least User-Password attribute (Check) as instructed in TekRADIUS manual.

You cannot use AD integration with 802.1X authentication in TekRADIUS since 802.1X authentication methods do not use PAP authentication. TekRADIUS needs to receive the cleartext user-password in order to query AD for the login request.

Best regards,

Yasin KAPLAN
permalink • reply with quote
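The difference between a PAP request and an 802.1X (EAP) request described in the reply above, as an added example that is not part of the thread or of TekRADIUS: a PAP Access-Request carries a User-Password attribute that the server can reverse with the shared secret (RFC 2865, section 5.2), while an EAP request carries only EAP-Message and gives the server no password to forward. The secret, authenticator, user name and password are constructed sample values.

```python
import hashlib
import struct

USER_PASSWORD = 2  # RADIUS attribute type (RFC 2865); EAP-Message is type 79

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with a chained MD5 keystream."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the shared secret regenerates the keystream and the cleartext."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(prev, key))
    return out.rstrip(b"\x00")

def attributes(packet: bytes) -> dict:
    """Walk the type-length-value attributes after the 20-byte RADIUS header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs

def cleartext_available(packet: bytes, secret: bytes):
    """Password bytes for a PAP request; None when no User-Password is present (EAP)."""
    hidden = attributes(packet).get(USER_PASSWORD)
    return reveal_password(hidden[0], secret, packet[4:20]) if hidden else None

def access_request(authenticator: bytes, *attrs) -> bytes:
    """Build a constructed Access-Request (code 1) from (type, value) pairs."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + authenticator + body

# Constructed sample data: secret, authenticator, user name and password are made up.
SECRET, AUTH = b"example-secret", bytes(range(16))
PAP_REQ = access_request(AUTH, (1, b"alice"), (2, hide_password(b"s3cret-pass", SECRET, AUTH)))
EAP_REQ = access_request(AUTH, (1, b"alice"), (79, b"\x02\x01\x00\x0a\x01alice"))
```

`cleartext_available(PAP_REQ, SECRET)` returns the password bytes, and the same call on `EAP_REQ` returns `None`.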
20.02.2010 02:13:30

rabcdabcd
Posts: 3
I tried as per your advice. No luck.

Here is my config on Cisco Switch side:

conf t
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius-server host 10.10.65.158
radius-server host 10.10.65.158 auth-port 1812 acct-port 1646 key cisco
radius-server key cisco
radius-server vsa send authentication


On TekRadius server side:

Added my switch IP address with cisco secret and cisco vendor name

Also created a user ID cisco with default group with cisco as password.

I tried to telnet to the Cisco switch and I am being asked for a username. I tried the username I created in TekRadius, but it does not accept the password.

Thanks for your help...
permalink • reply with quote
20.02.2010 09:44:12

admin
Administrator
Posts: 881
Hi,

In order to authorize Cisco Telnet sessions you need to have something different...

You need to create a user profile like:

Attribute      Type    Value
UserPassword   check   Password
cisco-avpair   reply   shell:priv-lvl=15
Service-Type   reply   NAS-Prompt

Please see http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008009465c.shtml for Cisco configuration.

Best regards,

Yasin KAPLAN
permalink • reply with quote
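How the two reply attributes in the profile above are laid out on the wire, as an added example that is not part of the thread or of TekRADIUS: Service-Type is a plain integer attribute, while cisco-avpair is a string nested inside a Vendor-Specific attribute under Cisco's vendor ID. The `exec_grant` helper is a hypothetical audit function that reports which privilege level a set of reply attributes hands to a login session.

```python
import struct

SERVICE_TYPE, VENDOR_SPECIFIC = 6, 26    # RFC 2865 attribute types
NAS_PROMPT = 7                           # Service-Type value "NAS Prompt"
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1     # Cisco enterprise number, cisco-avpair sub-type

def encode_service_type(value: int) -> bytes:
    """Service-Type is a 4-byte integer: type, length 6, value."""
    return struct.pack("!BBI", SERVICE_TYPE, 6, value)

def encode_cisco_avpair(pair: str) -> bytes:
    """Nest the string in a vendor sub-attribute inside Vendor-Specific (26)."""
    data = pair.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, len(data) + 2) + data
    return struct.pack("!BBI", VENDOR_SPECIFIC, len(sub) + 6, CISCO_VENDOR_ID) + sub

def decode_cisco_avpair(attr: bytes):
    """Return the avpair string, or None if attr is not a well-formed Cisco avpair."""
    if len(attr) < 8 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        return None
    vendor, vtype, vlen = struct.unpack("!IBB", attr[2:8])
    if (vendor, vtype) != (CISCO_VENDOR_ID, CISCO_AVPAIR) or vlen != len(attr) - 6:
        return None
    return attr[8:].decode("ascii", "replace")

def exec_grant(attrs: list) -> dict:
    """Summarise what a list of single reply attributes grants an exec session."""
    grant = {"service_type": None, "priv_lvl": None}
    for attr in attrs:
        pair = decode_cisco_avpair(attr)
        if pair and pair.startswith("shell:priv-lvl=") and pair[15:].isdigit():
            grant["priv_lvl"] = int(pair[15:])
        elif len(attr) == 6 and attr[0] == SERVICE_TYPE:
            grant["service_type"] = struct.unpack("!I", attr[2:])[0]
    return grant

# The profile from the post, as wire-format reply attributes (constructed here).
REPLY = [encode_service_type(NAS_PROMPT), encode_cisco_avpair("shell:priv-lvl=15")]
```

`exec_grant(REPLY)` reports Service-Type 7 (NAS-Prompt) and privilege level 15, the highest IOS level, so a profile like this is worth reserving for accounts that need full administrative access.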
22.02.2010 16:00:49

rabcdabcd
Posts: 3
Thank you very much!!!!!!!!!!!!!
permalink • reply with quote
26.02.2010 13:04:51

admin
Administrator
Posts: 881
You're welcome
permalink • reply with quote
06.04.2010 22:15:13

abdielhiram
Posts: 3
Hi All

I found the software very easy to use, but I am new to radius. I am a bit confused about the items you say need to be added. I tried the GUI but I can't seem to find where to edit these

Attribute      Type    Value
UserPassword   check   Password
cisco-avpair   reply   shell:priv-lvl=15
Service-Type   reply   NAS-Prompt


Is it from the GUI?

Please advise

Abdiel
permalink • reply with quote
06.04.2010 22:18:14

abdielhiram
Posts: 3
Having the same issue, but not clear where I need to edit these values...

Attribute      Type    Value
UserPassword   check   Password
cisco-avpair   reply   shell:priv-lvl=15
Service-Type   reply   NAS-Prompt

Please advise,

Abdiel
permalink • reply with quote
07.04.2010 08:22:28

admin
Administrator
Posts: 881
Hi,
You can add a user in Users tab. You can configure attributes after adding the user. You must add reply attributes as Success-Reply attributes.
Best regards,
Yasin KAPLAN
permalink • reply with quote
07.04.2010 18:24:44

abdielhiram
Posts: 3
Hi again, sorry for my ignorance. I added the user attributes on the cisco user, however telnet still won't authenticate the cisco user...
I added these lines to the config

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius-server host 10.10.100.37
radius-server host 10.10.100.37 auth-port 1812 acct-port 1646 key cisco
radius-server key cisco
radius-server vsa send authentication


admin wrote:
Hi,
You can add a user in Users tab. You can configure attributes after adding the user. You must add reply attributes as Success-Reply attributes.
Best regards,
Yasin KAPLAN
permalink • reply with quote
08.04.2010 08:37:04

admin
Administrator
Posts: 881
Please see the following link for Cisco configuration:
http://www.cisco.com/en/US/docs/ios/12_0/security/configuration/guide/scrad.html

You can check the TekRADIUS response by examining TekRADIUS.log. Set Logging = Debug at Settings / Service Parameters before checking TekRADIUS.log.
edited by admin on 13.04.2010
permalink • reply with quote
