ACS 4.2 - add RADIUS Attributes

Hello,
I want to add a RADIUS attribute to Radware devices, so I will have the option to grant "read only" permission to users.
As I understand it, I need to add a VSA for the "read only" permission, or configure a specific "Service-Type value 255".
In the following picture you can see the required information from Radware:
Thanks

Anyone know of that?
Thanks

Similar Messages

  • Add RADIUS attributes under "Group Setup" in ACS 4.2

    Hi Security Experts,
    I need to add RADIUS attributes for a custom vendor under "Group Setup" page in ACS 4.2. As of now, I see Cisco Aironet RADIUS Attributes,
    IETF RADIUS Attributes etc in "Group Setup" page. How can I make sure that the RADIUS attributes for a vendor also appear on that page?
    PS: I rate useful posts
    Thanks,
    Kashish

    Under "Interface" you can enable which RADIUS-Attributes you want to display. Probably there's just one checkmark missing for your vendor.
    The Options for RADIUS are described here:
    http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/A_RADAtr.html

  • ACS 4.2 Windows Radius Attributes for VPN-dial-in

    Hello,
    The situation:
    A remote user establishes a VPN connection (AnyConnect) to an ASA 8.4; the ASA forwards authentication to ACS 4.2, and ACS should assign an IP address from an address pool depending on group membership (LDAP).
    The problem:
    The user gets an IP config with a default gateway which is always the third address of the IP pool (IP pools are /28 ranges); the mask is OK (/32).
    On the ASA-Log I can see a Message:
    %ASA-6-110002: Failed to locate egress interface for protocol from src interface:src IP/src port to dest IP/dest port
    I've assigned the following attributes:
    IP Assignment: Assigned from AAA server pool (the corresponding pool is selected)
    IETF Radius Attributes:
    006 Service Type: Framed
    007 Framed Protocol: ppp
    009 Framed-IP-Netmask: 255.255.255.255
    (not sure about) 022 Framed-Route: 0.0.0.0
    025 Class: <Group-Policy of ASA>
    Does any of you know what I'm doing wrong?
    On the ASA I can't find any settings.
    Thanks for any advice

    O'Brien Simon
    Did you manage to get a reply to your question about the timeout period for dynamic users in ACS 4.2? As this is what I was about to ask but noticed your post.
    Many thanks
    florrieford

  • ACS 3.3 Send Radius Attribute 135 & 136

    Hi
    I need an ACS box to return IETF RADIUS attributes 135 & 136 to a NAS for the assignment of DNS servers to clients.
    The ACS 3.3 user guide lists these as supported IETF RADIUS Attributes however they don't seem to be available under Interface Configuration--> Radius IETF.
    Would anyone know how I can enable these?
    Thanks
    Leon

    Hi Leon,
    That is quite strange. You should have those attributes.
    As you mentioned you have an ACS SE, if you could console into it, issue the commands:
    stop csadmin
    start csadmin
    Or rebooting the ACS SE will restart the CSAdmin service.
    If you are restarting services from System Configuration > Service Control, that won't restart the CSAdmin service.
    Give that a try.
    Regards,
    Prem

  • ACS 5.1 RADIUS Proxy - Adding RADIUS attributes

    Is there any way under ACS 5.1 to add RADIUS attributes to outgoing RADIUS proxy auth requests or, failing this, to RADIUS proxy accounting updates?
    As soon as I configure a RADIUS proxy service, there is little config I can do other than to say whether or not the prefix and suffix are to be stripped.
    I can add these attributes if using an external RADIUS box as an identity store, but I cannot do this for this particular service and instead I need to use RADIUS proxying.
    Thanks
    Paul

    Hi Steve,
    The shared secret is 100% correct.
    Finally I found out that there may be some white lists for attributes.
    If I keep NAS-Identifier, it will work.
    But it can't pass all VSAs (3GPP sub-attributes); it only shows one or three in BOTH ACS and the RADIUS server.
    The other is the RADIUS VSA User Define Options (which is in SA > C > D > P > RADIUS > RADIUS VSA > Edit).
    When 'Vendor Length Field Size' changes to 0, all sub-attributes pass through ACS.
    The RADIUS server gets the message from the NAS.
    Of course, there is the Proxy-State attribute.
    In this condition, the ACS has incorrect output in the sub-attribute.
    Now I'll try 5.2 to see whether the problem exists or not.
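    As an added illustration of the VSA framing that both the Radware question at the top of the page and this 3GPP sub-attribute reply depend on (example code written for this page, not ACS's or Radware's code): it encodes and decodes a RADIUS Vendor-Specific attribute with configurable vendor type/length field widths, assuming that width is what the 'Vendor Length Field Size' setting controls, and shows the same bytes decoding as three sub-attributes or as one opaque blob depending on that width.

```python
import struct

# Added example (not from the thread): encode and decode a RADIUS
# Vendor-Specific attribute (IETF type 26, RFC 2865 section 5.26) with
# configurable vendor-type and vendor-length field widths. It assumes the
# "Vendor Length Field Size" setting selects the per-sub-attribute length
# width and shows how the same bytes decode differently when that width is
# wrong. Vendor ID 10415 is the registered 3GPP enterprise number; the
# sub-attribute numbers and values below are constructed sample data.

VENDOR_SPECIFIC = 26

def encode_vsa(vendor_id, subattrs, type_size=1, length_size=1):
    """subattrs is a list of (vendor_type, value bytes). With length_size=0
    no per-sub-attribute length is written, so only one value can follow."""
    body = b""
    for vtype, value in subattrs:
        body += vtype.to_bytes(type_size, "big")
        if length_size:
            body += (type_size + length_size + len(value)).to_bytes(length_size, "big")
        body += value
    vendor_data = struct.pack("!I", vendor_id) + body
    if 2 + len(vendor_data) > 255:
        raise ValueError("VSA exceeds the 255-byte RADIUS attribute limit")
    return bytes([VENDOR_SPECIFIC, 2 + len(vendor_data)]) + vendor_data

def decode_vsa(attr, type_size=1, length_size=1):
    """Return (vendor_id, [(vendor_type, value), ...]) using the given widths."""
    if len(attr) < 7 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    data, out = attr[6:], []
    while data:
        vtype = int.from_bytes(data[:type_size], "big")
        if length_size == 0:
            # No length field: everything after the type is one opaque value.
            out.append((vtype, data[type_size:]))
            break
        vlen = int.from_bytes(data[type_size:type_size + length_size], "big")
        if vlen < type_size + length_size or vlen > len(data):
            raise ValueError("bad vendor sub-attribute length")
        out.append((vtype, data[type_size + length_size:vlen]))
        data = data[vlen:]
    return vendor_id, out

def demo():
    """Three sub-attributes in 1-byte type / 1-byte length framing, decoded
    with matching widths (3 items) and with length_size=0 (1 opaque blob)."""
    subs = [(1, b"\x01"), (2, b"\x00\x00\x00\x01"), (3, b"\x00\x00\x00\x01")]
    vsa = encode_vsa(10415, subs)
    matched = decode_vsa(vsa)
    mismatched = decode_vsa(vsa, length_size=0)
    return len(matched[1]), len(mismatched[1])
```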

  • ACS 5.5 Radius Attribute not listed in Radius Directory

    Hello Community,
    I am evaluating Cisco ACS 5.5, and I am trying some scenarios for my company.
    I have to authenticate an IP phone. Here I need one VLAN tagged and one VLAN untagged.
    In the authorization profile you can add the RADIUS attributes. We have HP switches and I need the attribute with ID 56, but this ID is not listed in the Authorization Profiles --> RADIUS Attributes --> Select part.
    But it is listed under System Administration -> Configuration --> Dictionaries --> Protocols -> RADIUS --> RADIUS IETF.
    Can somebody tell me how I can select this attribute under Authorization Profiles --> RADIUS Attributes --> Select part?
    Thanks a lot
    regards

    Hi
    As you are using HP switches, certain advanced use cases, such as those that involve posture assessment, profiling, and web authentication, are not consistently available with non-Cisco devices or may provide limited functionality, and are therefore not supported with non-Cisco devices.
    For more information regarding Authorization profile configuration, please go through the following link:
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/user/guide/acsuserguide/pol_elem.html

  • Add RADIUS IETF attribute to ISE System Dictionary

    Hello
    I'm looking to migrate an ACS5.4 config to ISE. Part of the ACS5.4 config involves:
    define a RADIUS IETF attribute in the ACS RADIUS dictionary
    inject this attribute into RADIUS requests that are proxied to another RADIUS server.
    This works fine in ACS but I can't Add/Modify attributes in the ISE System RADIUS IETF dictionary. Is this functionality roadmapped for ISE?
    Thanks
    Andy

    Forgot to mention that I'm currently using ISE 1.1.3. I found the following in the new ISE 1.2 documentation:
    Cisco ISE also creates dictionary defaults for the IETF RADIUS set of attributes that are also a part of
    the system-defined dictionaries, which are defined by the Internet Engineering Task Force (IETF). You
    can edit all free IETF RADIUS attribute fields except the ID.
    I'll upgrade and see if I can edit the attribute that I need.

  • [Cisco ACS] 11036 The Message-Authenticator RADIUS attribute is invalid

    Hi,
    I have many Cisco APs which are linked to 2 Cisco WLCs.
    On each WLC, I configured a primary and a secondary RADIUS Server.
    RADIUS servers are Cisco ACS 5.2.0.26 (patch 10)
    Primary and secondary ACS configurations are synchronized.
    There is no problem between the primary WLC and Cisco ACS (primary and secondary).
    When secondary WLC requests primary Cisco ACS, I get this error "11036 The Message-Authenticator RADIUS attribute is invalid"
    Secondary WLC automatically contacts secondary Cisco ACS and it works fine.
    Cisco ACS description for this error: "This maybe because of mismatched Shared Secrets."
    The two Cisco ACS are synchronized so I should have same error on them...
    Why does primary ACS generate this error?
    Thanks for your help,
    Patrick

    Tarik Admani wrote:
    Amjad,
    That is a good observation, shouldn't 7.3 (which was recently released) help put these types of issues to rest? I hear that the configuration can now be replicated from one controller to the next in a failover setup.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*
    Yes. That is a good point.
    With 7.3 you can use high availability (HA) between two WLCs and you can configure only one WLC (the primary) and all the configuration can be replicated and synched to the other WLC (the secondary).
    The two WLCs in the HA must be on same subnet though. Otherwise hot-standby HA between WLCs can't be used.
    Rating useful replies is more useful than saying "Thank you"

  • Parse Error: Reason - Radius attribute not outbound

    I am trying to add the RADIUS IETF Attribute - 'Login-LAT-Group' to a user using RDBMS sync but unable to do so.
    I see the below error in the ACS logs - 
    Parse Error: Reason - Radius attribute not outbound
    What am I missing?

    Refer to "outbound radius attributes":
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/3.3/user/guide/ad.html

  • Cisco ISE throws "11036 The Message-Authenticator RADIUS attribute is invalid "

    Hello,
    I am trying to authenticate my server (running an NMS) with a Cisco ISE using the EAP-TLS protocol.
    I am seeing "11036 The Message-Authenticator RADIUS attribute is invalid" in the ISE when the ACCESS-REQUEST is sent from the NMS server to ISE. The RADIUS shared secret key is the same on both the NMS server and the ISE server.
    Are there some Java samples for the Message-Authenticator attribute which I can refer to? I think I am missing something in the Message-Authenticator attribute.
    Any pointers or suggestions to overcome this ?

    To login to Prime GUI, the authentication will be done by ISE.
    The flow goes like this, Admins will login to Prime GUI with default username/pwd and add the RADIUS/ISE details to it which will be used by prime for authentication/authorization.
    Once it's done, any other user who tries to login to Prime GUI with their own credentials will be validated against the Identity details in ISE. So even to login to Prime GUI, authentication should be successful in ISE.
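    For both the WLC/ACS 11036 thread above and this ISE one, an added example (not from either poster nor from Cisco) of what a RADIUS server checks when it reports that error: it builds an Access-Request with an EAP-Message, computes the Message-Authenticator per RFC 3579 as HMAC-MD5 over the packet keyed by the shared secret, and verifies it with the right and with a mismatched secret; all secrets, identities and EAP bytes are constructed.

```python
import hashlib, hmac, os, struct

# Added example (not from either thread): build a RADIUS Access-Request
# (RFC 2865) carrying an EAP-Message, compute its Message-Authenticator
# (RFC 3579 section 3.2: HMAC-MD5 keyed with the shared secret over the
# whole packet with the attribute's own value zeroed) and verify it the
# way a server does before trusting the packet. The secret, identifier,
# username and EAP payload are constructed sample values.

ACCESS_REQUEST = 1
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80

def attr(atype, value):
    """Encode one RADIUS attribute as Type | Length | Value."""
    return bytes([atype, 2 + len(value)]) + value

def build_access_request(secret, ident, request_authenticator, attrs):
    """Return packet bytes with a valid Message-Authenticator as last attribute."""
    body = b"".join(attrs) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    header += request_authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac

def verify_message_authenticator(secret, packet):
    """Walk the attributes, zero the Message-Authenticator value, recompute
    the HMAC-MD5 and compare in constant time. False on any malformed field."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    pos, found = 20, None
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return False
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            found = pos
        pos += alen
    if found is None:
        return False
    zeroed = packet[:found + 2] + bytes(16) + packet[found + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[found + 2:found + 18])

def demo():
    """Same packet checked with the right secret and with a mismatched one."""
    secret = b"constructed-shared-secret"
    eap_identity = b"\x02\x01\x00\x0f\x01nms-client"  # EAP Response/Identity
    pkt = build_access_request(secret, 7, os.urandom(16),
        [attr(USER_NAME, b"nms-client"), attr(EAP_MESSAGE, eap_identity)])
    return (verify_message_authenticator(secret, pkt),
            verify_message_authenticator(b"mismatched-secret", pkt))
```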

  • ACS 5 search in custom attributes

    Hi there
    on ACS 5 we have the possibility to add custom attributes under System Administration > Configuration > Dictionaries > Identity > Internal xxx.
    At the moment there seems no way to search for a value of a custom attribute or even display a column with the custom attribute under Internal Users or Internal Hosts. Does Cisco have plans to implement this in the future?
    Thanks and best regards
    Dominic

    Good question, I'd like to know this as well for the netscreens. For junos, this is how I tried to do it (you would drop the "netscreen" from yours, but not sure if you would add both as mandatory)
    ACS 4.x setup:
    junos-exec
      local-user-name=readonly
    ACS 5.2 setup:
    attribute - local-user-name
    value - readonly
    mandatory
    # junos config
        login {
            class admin {
                idle-timeout 30;
                permissions all;
            }
            class read-only {
                idle-timeout 30;
                permissions [ view view-configuration ];
            }
            user admin {
                class admin;
            }
            user readonly {
                class read-only;
            }
        }
    The problem I have though, is this fixes my login to work to my JunOS devices, but it breaks the authentication to my Cisco IOS devices. The AAA logs show that the authentication succeeded, but the router says "authorization failed". Once I remove either the attribute from my shell profile, or make it optional then the Cisco router works for auth, but the JunOS device stops working (The username it tries to use is "remote" instead of the user I am trying to authenticate with).

  • CAR radius attributes

    hello,
    We have a Cisco Access Registrar and it works great with a Cisco ASN gateway. We have the CAR server give out an SLA profile when it authenticates a device (the authentication is done using the domain name on the device). The SLA profile is matched with the QoS info on the ASN gateway router and thus the service flow is created. We are trying out another vendor called Wichorus for their ASN gateway. Under their config the router is expecting back a couple of RADIUS attributes to set up the service flow with the proper QoS info. These are the values it is expecting back:
    service-data-flow-id
    service-profile-id
    I was wondering if anyone has had any luck with different radius attributes on the CAR. This is what Wichorus has configured on their AAA server for a certain profile:
        Wimax-PFD := 0x01,
        Wimax-PDFID := 1,
        Wimax-SDFID := 1,
        Wimax-SProfileID := 1
    CAR ver  - 4.2.2
    Thanks.

    You mean add your own custom attribute?
    Vanilla or Vendor Specific?
    I'm 99% sure you can't do this because
    1) what would the router do with it?
    2) Most IETF numbers are used already
    3) You can't add new Cisco VSAs
    4) A Cisco device won't like you adding non-Cisco VSAs

  • PPPoX Virtual-Template assignment via Radius Attribute

    I'd like to optionally apply ACLs to PPP users (PPPoX).  I see two strategies: a) apply an ACL directly via radius attributes or b) define the ACL in the Virtual-Template on the BRAS and determine the Virtual-Template ID via radius attribute.  Has anyone done this?  If so, any suggestions on the best way to move forward?  I think I'd prefer option B as I could also use it to assign VRFs etc (one Virtual-Template per VRF).
    TIA

    The only way I could get this to work is to have the ACS server reference an ACL configured on the switch via name or number and send it in the Filter-Id attribute. On the switch I configured the default setting for attribute 11 to apply inbound: "radius-server attribute 11 default direction in". If you do a "sh authentication sessions interface gx/x" it'll show the Filter-Id setting, but if you do a "show ip interface gx/x" it still shows the default-acl being applied. It works, just a bit confusing because of that default-acl still showing up. Anyone else experience the same?

  • Can ACS run TACACS+ and RADIUS concurrently?

    I know that ACS supports both TACACS+ and RADIUS protocols. My question is can ACS run TACACS+ and RADIUS concurrently?

    Once you go into Network Configuration, you enter the Network Device Group you want to add the device to. Select the option to add a client device and input the information, but enter a different client hostname, with the same IP address in each separate Network Device Configuration. You can specify which Network Device Group for the client to use, and in the specific group is where you will specify which resources the client members will be able to access. I specified a few different groups with different access restrictions, because I didn't want the Dial-In or Wireless people to have Admin Access to my TACACS+ configured devices...
    Let me know if this helps...

  • ACS 5.3 Stripping Radius User Prefix

    Hi,
    I have configured my ACS 5.3 to strip the prefix of the RADIUS username (Domain\weekwang) it received and I also configured my ACS as the External RADIUS Server. However, this does not seem to work. The authentication protocol that I am using is PEAP MSCHAPv2.
    I have read in this forum that, because the RADIUS username and password are transported inside the TLS tunnel of PEAP MSCHAPv2, ACS is not able to do the stripping as it is not allowed to touch anything inside the TLS tunnel. Please advise if I have got the concept correctly.
    Rgds

    Hi Steven,
    This is unfortunately correct. Using yourself as a RADIUS proxy is a great workaround to strip things.
    However, by design if you use an external database (LDAP or proxy radius server), the mschapv2 encryption of the password makes it impossible to authenticate the user since the tunnel is ended on the first ACS. It will work with PEAP-GTC but all mschapv2 methods will fail.
    Nicolas
