
Ironport S170 and Microsoft RADIUS

I'm trying to setup management logins for the IronPort S170 using RADIUS.  I have the Windows server configured and the server information is in the S170, but I'm having trouble with the Group Mapping.  Under the RADIUS Class Attribute, what is an example of something that would go there?  Is it an AD group?  If not, is it some attribute number that I need to configure on the AD user object?  If so, where?  TAC has no idea how to do this. 

14 REPLIES

Ironport S170 and Microsoft RADIUS

So the first question is, if you set up the user, and check the box to map everyone authed via radius as admins, does that work?

The Class Attribute is any string or strings you want to use.  When you set up the users in the WSA, you specify which string gets mapped to Admin roles, which gets mapped to ReadOnly role, etc.  (eg here, I set it as "WSAAdmin")

It may be that the Class Attribute gets mapped in the NAP server as a group name, but it can be anything... I use Steel Belted at the moment, and we just set it on the user, but you could have the NAP policy set it based on group membership, or whatever...

New Member

Ironport S170 and Microsoft RADIUS

It doesn't work when I set it to "Map all externally authenticated users to the Administrator role". 

Ironport S170 and Microsoft RADIUS

Ok... so you need to chase that down as it's the simplest config.  Check the External Auth Logs on the WSA. Try looking at a packet capture and see what's going on between the WSA and the RADIUS box...

Take a look at this:

http://blog.skufel.net/2012/06/how-to-integrating-cisco-devices-access-with-microsoft-npsradius/

New Member

Ironport S170 and Microsoft RADIUS

It was a bad secret.  Evidently it didn't like the long and complex generated secret.  So now that works.  Next is how to narrow it down to a group.

Ironport S170 and Microsoft RADIUS

That link I posted has info on how to set up the policy based on AD group too... it's built for Cisco hardware, the WSA stuff is just an extension of what's there... (standard RADIUS attribute instead of Cisco attribute, etc.)

New Member

Ironport S170 and Microsoft RADIUS

That seems to go into more router/switch specific stuff.  I tried to put together what I thought was correct.  But what gets added to the RADIUS Class Attribute in the WSA?  The Windows Group name?

Re: Ironport S170 and Microsoft RADIUS

On the MS side, in the Settings tab for the policy you tell it to send a standard RADIUS attribute of "Class" with a value of whatever you want... then that value gets set on the WSA and mapped to a role.

Sent from Cisco Technical Support Android App

New Member

Ironport S170 and Microsoft RADIUS

That's what I thought.  I tried that and I get auth failures.  In the log on the Windows server, I see "The user attempted to use an authentication method that is not enabled on the matching network policy."  I then noticed that the policy was set for CHAP but the WSA was set for PAP.  Looks like only PAP will work.  Not ideal, but working. 

Cisco Employee

Ironport S170 and Microsoft RADIUS

Hi Mike,

I was going through your last reply and wondering why we cannot use CHAP when we have that option under the external authentication settings. If you select CHAP under the external authentication settings, then on the Microsoft side you enable CHAP as well under remote access policy > properties > authentication tab and select CHAP.

User guide:

The appliance can communicate with RADIUS directories using either the Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP).

Let me know how it goes.

~BR
Jatin Katyal

**Do rate helpful posts**

New Member

Ironport S170 and Microsoft RADIUS

I was a little brief in my last reply.  I should have included that CHAP does not work.  The following error is recorded in the log: 

"The user could not be authenticated using Challenge Handshake Authentication Protocol (CHAP). A reversibly encrypted password does not exist for this user account. To ensure that reversibly encrypted passwords are enabled, check either the domain password policy or the password settings on the user account."

Cisco Employee

Ironport S170 and Microsoft RADIUS

This error occurs when the user’s account is not stored in reversible encryption.

CHAP requires that the secret be available in plaintext form. CHAP cannot use irreversibly encrypted password databases that are commonly available. If the RADIUS server does not have access to the plaintext password, it cannot perform the one-way hash to verify the user and the authentication will fail. By default, Microsoft Active Directory does not store user accounts with reversible encryption.

Reversible encryption is a user class attribute and is not enabled by default in the Active Directory. You must enable this setting manually on each account or through Group Policy Objects when dealing with multiple users.

~BR
Jatin Katyal

**Do rate helpful posts**

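The point made above (CHAP verification needs the secret itself, PAP does not) as an added illustration, not WSA or NPS code. The user store, the CHAP challenge and the account names are constructed here; `store_user`, `enable_reversible` and the other names are hypothetical.

```python
"""Why RADIUS CHAP needs a reversibly stored password while PAP does not.

Added illustration, not WSA or NPS code. The user store and the CHAP
exchange are constructed inline; all names are hypothetical.
"""
import hashlib
import hmac
import os

# Constructed user store. By default only a salted one-way hash is kept,
# mirroring AD with "Store password using reversible encryption" disabled.
USERS: dict = {}


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def store_user(name: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[name] = {"salt": salt, "pbkdf2": _derive(password, salt)}


def pap_verify(name: str, password: str) -> bool:
    """PAP: the client sends the password (obfuscated with the shared secret on
    the wire), so the server can re-derive the one-way hash and compare."""
    rec = USERS.get(name)
    if rec is None:
        return False
    return hmac.compare_digest(_derive(password, rec["salt"]), rec["pbkdf2"])


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge).
    The client (here the WSA) computes this from the password the admin typed."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def chap_verify(name: str, ident: int, challenge: bytes, response: bytes) -> bool:
    """The server must recompute the same MD5, which requires the plaintext
    secret. With only a one-way hash on file there is nothing to hash, so the
    check cannot succeed (NPS reports 'reversibly encrypted password does not
    exist for this user account')."""
    rec = USERS.get(name)
    if rec is None or "plaintext" not in rec:
        return False  # no reversible secret stored: CHAP cannot be verified
    expected = hashlib.md5(bytes([ident]) + rec["plaintext"].encode() + challenge).digest()
    return hmac.compare_digest(expected, response)


def enable_reversible(name: str, password: str) -> None:
    """Equivalent of enabling reversible encryption for the account: the
    server now retains the secret itself (kept in the clear here for brevity)."""
    USERS[name]["plaintext"] = password
```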
Cisco Employee

Ironport S170 and Microsoft RADIUS

Did you get a chance to try out the last suggestion on CHAP authentication?

~BR
Jatin Katyal

**Do rate helpful posts**

New Member

Ironport S170 and Microsoft RADIUS

According to TAC:

"The WSA does not support CHAP as of now.  There is a bug opened and developers are working on it.  Bug: CSCzv38428    Support RADIUS CHAP protocol for External Authentication"

Enabling reversible encryption in AD is not an option.

Cisco Employee

Re: Ironport S170 and Microsoft RADIUS

Yeah, there is a severity 6 enhancement request opened on it. Thanks for keeping this thread updated.

~BR
Jatin Katyal

**Do rate helpful posts**
