ACS 5 Radius IP Assignment
We have a number of GPRS terminals; they work in our private APN. Can we assign static or dynamic IPs to them?
Terminals work with IP, not with PPP. We have direct connect with ISP via serial interface. ISP forwards all Radius traffic to our ACS appliance.
You may assign a static IP address. You may try this:
Similar Messages
-
802.1X for wired environments using Radius/ACS for Dynamic Vlan Assignment
Could someone please provide me with a simplest set of configuration steps to fire up Radius in ACS and 802.1X for dynamic vlan assignment. The objective is to roll out NAC L2 OOB using the 802.1X method for dynamic vlan assignments.
If possible show:
1. ACS/Radius Configurations.
2. End User Switch Configurations
Variables:
Switch A
MAC Address aaaa.bbbb.cccc Vlan 10
bbbb.cccc.dddd Vlan 20
Also, if someone posts the Pros and Cons of using Radius/ACS/802.1X for Dynamic Vlan Assignments.
Other technology sets that can be used for Dynamic Vlan assignment EXCEPT from deprecated/obsolete VMPS.
Thanks in advance.
Hi Guys,
Hmmm, well if you're just looking for MAC based authentication the good news is that is very easy. Just create your Radius server: ACS, FreeRadius, Steelbelted radius etc. Then create a user with the name of the MAC address; in other words, if the MAC address is 0012.0021.1122 the name would be 001200211122 and the password would be the MAC address. Then you set the vlan and tunnel stuff, like so: Tunnel-Type would be VLAN, Tunnel-Medium would be 802 and Tunnel-Private-Group-ID is the name of the vlan (not the vlan number).
So for the Cisco ACS 4.x you would create a user as specified above, fill in all the password boxes with MAC address, I believe the mac has to be all lower case in the name and the password. Then check the Separate(Chap/MS-Chap/ARAP) box. Then you pick the group the machine belongs to, the group is the part that defines what vlan it is on.
Before you create the user, create the group with info I wrote above and in addition specify the Service-Type as Authenticate Only.
Freeradius is a bit harder to configure the specifics and I am just now testing a freeradius server so I do not know the process for Machine authentication.
If, however, you are trying to authenticate a user that gets a bit trickier and is not so straight forward. -
Acs and Dynamic vlan assignment problem
Hi all,
I'm unable to dynamically pass the Radius attribute about the assigned vlan to 802.1x clients.
I'm sure that everything is well configured but the only way to do it is configuring these attributes directly on user or group properties.
When I try to pass these attributes by application of a Shared RAC (acs 4.2) or NAP (ACS 5.0) the only message that I can find on the switch, where the vlan has to be configured, is:
dot1x-ev:Received VLAN is No Vlan
dot1x-ev:Received VLAN Id -1
The user is still authenticated successfully ( and all the profiles correctly assigned) but remain in the vlan statically configured on the interface.
The logic is working, but the transmission does not.
Is this a bug?
Test the authentication again. If it still fails, set the logging to full on the ACS server using:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a00800afec1.shtml#setting_acs
Also check if you are running another RADIUS product on the same server as the ACS services and the same decryption was being used. Reset the shared key on the switch and radius server. -
ACS Express radius authentication AD authorization
I work at a University and for some reason we have multiple systems for authentication and authorization. That being said, I am trying to use radius to do authentication and AD for authorization for VPNs. I have the radius authentication working against our radius server. I have my ACS Express set up to join the AD domain and everything looks good there. I set up the AD server as a radius object in AAA server groups on my ASA. Then I add the server below in the "servers in selected groups" window. I put all the info in there, and when I hit test I click authorization and put in the username that I know is in the domain group I have associated with this on the ACS. The test fails with "authorization failed with invalid password". When I look at the logs on the ACS I see:
01/06/2011 20:14:26 acsxp/server Warning Server 0 AD Agent Plain Text Authentication Failed for user: username@domain
01/06/2011 20:14:26 acsxp/server Warning Server 0 Authentication for user username failed for reason = 0
01/06/2011 20:14:26 acsxp/server Error Protocol 0 Request from 172.20.5.2: User username rejected . by RemoteServer: AD (InvalidPassword).
Username and domain are correct; I just edited them for posting. It seems like it is trying to authenticate rather than authorize. All I want it to do is say yes, the user is in this group, or no, the user is not in this group. You can't even fill in the password when testing authorization. Maybe I have something set up wrong on the ACS side, but when I look at AD under Users and Identity Stores, it says it is joined to the domain. When I do AD domain diagnostics under Troubleshooting everything looks good. I have the ASA I am testing from defined as a device and in the ASA device group. Under Access Services in Radius Access Services I have one service that I set up that connects to the AD, and it found the group so I know it is connecting. Any idea what I am doing wrong or where to look?
Any help would be GREATLY appreciated!
Thanks
Joe
Hi Joe,
We could take a deeper look at what is happening through some logs and debugs:
1. On ACS Express, under
Reports & Troubleshooting > Troubleshooting > Server Logs
please set the Express Server Trace Level to 5 and the Web Server Trace Level to 4.
Also, for the Log Level under OS Logging, please set its value to "Debug".
If the previous old logs are not essential to you, you may also want to delete all the log files first, so that we capture logs for the last day only.
2. On the ASA, please enable the following debugs
debug aaa authentication
debug aaa authorization
debug radius
3. Then please first recreate a successful authentication attempt, and then recreate the authorization test issue with the same user account for which you tested the successful authentication.
4. After the issue is recreated, please attach the debugs from the ASA and following files from the ACS Server Logs:
acsxp_adagent.log
acsxp_agent_server.log
acsxp_mcd.log
acsxp_server.log
acsxp_server_trace.log
Regards,
Fede
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it. -
Secure-ACS: Special RADIUS-Attributes for Enterasys E7
Hi,
we were running a pretty old version of the Cisco Secure ACS for AAA of our network devices.
Unfortunately the server crashed and we had to install and set it up on a new server.
Using TACACS+ for our Cisco devices works fine.
We have a couple of switches made by a vendor called Nexans, which only support RADIUS - this works fine too.
Furthermore we still have some Enterasys E7 and with those RADIUS doesn't work at all.
Sniffing the packets, everything looks good.
With the old server it worked well.
Does anybody know if there are special configurations (e.g. attributes) when configuring an ACS for Enterasys RADIUS-Clients?
Thanks,
Rolf
We have this configuration and it works fine with our network, and it also applies correctly the policy which we have configured on Enterasys in this way:
Filter-Id===>
Enterasys:version=1:mgmt=su:policy=Administrator
After we made the update to ACS 5, the "ASA" considers this Filter-Id as an access-list, so it treats the field after the Filter-Id as the name of the ACL, and disconnects the VPN connection.
Could someone help me to resolve that? -
Nortel switches authenticating to both ACS via RADIUS
Dual ACS solution (4.2) with one ACS doing the authenticating, the other acting as a standby.
Recently when accessing nortel switches, they authenticate to both ACS, as some are going to ACS2 despite their primary RADIUS server being ACS1.
The ACS solution has other network devices, using TACACS+ and they seem fine. DB replication is fine between the ACS and nothing I believe has changed in the configuration between the two.
Any ideas? (All I can think is the response from ACS1 is exceeding the timeout and the switches then select ACS2, but there's no evidence to suggest a problem with network delay.)
I am unfamiliar with the Nortel switches. If a Cisco switch queries a AAA server and it fails to respond, it will mark it as dead and move to the next. When the AAA server is back online, the switch will not revert to the previous server. It will remain on the current AAA server until AAA is disabled or the current AAA server fails to respond.
Network delay would cause this. Maybe the services were disabled or replication was occurring while the device was trying to authenticate.
Thank You,
Dan Laden -
A device wants to talk to the ACS server to get authentication services. It wants to use CHAP. Where is the CHAP option as applied to the radius authentication function? How do you set up radius in ACS to accept CHAP passwords authentication for radius requests?
Specifically, Qradar wants to query Cisco ACS v4.2 to see if users logging into Qradar are authorized to do so. This fails because I can't find the place (if any) in ACS where CHAP can be used.
ACS can act as both a RADIUS and TACACS server.
when you say what kind of issues to expect: you need to check for open caveats in the release notes of ACS 4.1.
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/index.htm -
Unsuccessful ACS to RADIUS token server exchange
Hello team:
We are getting a hard time in trying to make our ACS 4.2 talk to an external FreeRadius token server.
When our ACS sends the Access-Request message, our FreeRadius token server answers with an Access-Accept message with zero attributes in the message. This answer, according to ACS documentation, should be perfectly accepted by ACS when it works as a RADIUS client. However, our ACS considers this answer an error and so the transaction fails.
In order to compare with another platform working as radius server, we replaced our FreeRadius token server with another CS ACS. With this scenario, everything works! So we sniffed the ACS to ACS transaction and found that two RADIUS attributes are sent with the Access-Accept message:
(1) Framed-IP = 255.255.255.255
(2) Class = 0x434143533a302f356662622f37663030303030312f31383133
We went back to our FreeRadius as the external RADIUS server of our ACS, and managed to make it generate and return exactly the previous kind of message to the ACS working as radius client; however, when our ACS receives the RADIUS Access-Accept with these attributes, it still rejects the answer and fails.
So we are missing something.
Did anyone manage to make ACS query an external RADIUS server with success? We would appreciate any hints!
thank you very much in advance
Rogelio Alvez
Argentina
Thanks for the interest Tarik!
Here you have the debug from both sides ACS 4.2 and Freeradius in the same authentication event:
ACS Debug from a terminal monitor
2w1d: AAA/AUTHEN/CONT (4096347873): continue_login (user='(undef)')
2w1d: AAA/AUTHEN (4096347873): status = GETUSER
2w1d: AAA/AUTHEN (4096347873): Method=radius (radius)
2w1d: AAA/AUTHEN (4096347873): status = GETPASS
2w1d: AAA/AUTHEN/CONT (4096347873): continue_login (user='camara/829113')
2w1d: AAA/AUTHEN (4096347873): status = GETPASS
2w1d: AAA/AUTHEN (4096347873): Method=radius (radius)
2w1d: RADIUS: ustruct sharecount=1
2w1d: RADIUS: Initial Transmit tty7 id 175 192.168.0.3:1645, Access-Request, len 86
2w1d: Attribute 4 6 C0A800CB
2w1d: Attribute 5 6 00000007
2w1d: Attribute 61 6 00000005
2w1d: Attribute 1 15 63616D61
2w1d: Attribute 31 15 3139322E
2w1d: Attribute 2 18 893A4B64
2w1d: RADIUS: Received from id 175 192.168.0.3:1645, Access-Reject, len 32
2w1d: Attribute 18 12 52656A65
2w1d: RADIUS: saved authorization data for user 80E8A88C at 0
2w1d: AAA/AUTHEN (4096347873): status = FAIL
2w1d: AAA/AUTHEN/ABORT: (4096347873) because Invalid password.
2w1d: AAA/MEMORY: free_user (0x80E8A88C) user='camara/829113' ruser='' port='tty7' rem_addr='192.168.0.202' authen_type=ASCII service=LOGIN priv=1
2w1d: AAA: parse name=tty7 idb type=-1 tty=-1
2w1d: AAA: name=tty7 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=7 channel=0
2w1d: AAA/MEMORY: create_user (0x80E8B920) user='' ruser='' port='tty7' rem_addr='192.168.0.202' authen_type=ASCII service=LOGIN priv=1
2w1d: AAA/AUTHEN/START (2072451976): port='tty7' list='pepe' action=LOGIN service=LOGIN
2w1d: AAA/AUTHEN/START (2072451976): found list pepe
2w1d: AAA/AUTHEN/START (2072451976): Method=radius (radius)
2w1d: AAA/AUTHEN (2072451976): status = GETUSER
Freeradius Debug
rad_recv: Access-Request packet from host 192.168.0.3 port 3912, id=23, length=94
User-Name = "camara/829113"
NAS-IP-Address = 192.168.0.3
NAS-Port = 6372
NAS-Identifier = "CiscoSecure ACS v4.2(0.124)"
User-Password = "\277\241\340t\312/\2303^;\216\233\3618\2179"
# Executing section authorize from file /etc/freeradius/sites-enabled/vuserver
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.0.3/auth-detail-20120714
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.0.3/auth-detail-20120714
[auth_log] expand: %t -> Sat Jul 14 18:42:32 2012
++[auth_log] returns ok
[IPASS] Looking up realm "camara" for User-Name = "camara/829113"
[IPASS] Found realm "DEFAULT"
[IPASS] Adding Stripped-User-Name = "829113"
[IPASS] Adding Realm = "DEFAULT"
[IPASS] Authentication realm is LOCAL.
++[IPASS] returns ok
[suffix] Request already proxied. Ignoring.
++[suffix] returns ok
++[files] returns noop
++[control] returns noop
rlm_perl: Response: 201: Succeeded
rlm_perl: Added pair User-Name = camara/829113
rlm_perl: Added pair User-Password = \277\241\340t\312/\2303^;\216\233\3618\2179
rlm_perl: Added pair NAS-Identifier = CiscoSecure ACS v4.2(0.124)
rlm_perl: Added pair Realm = DEFAULT
rlm_perl: Added pair Stripped-User-Name = 829113
rlm_perl: Added pair NAS-Port = 6372
rlm_perl: Added pair NAS-IP-Address = 192.168.0.3
rlm_perl: Added pair Class = 0x434143533a302f3265662f37663030303030312f31383133
rlm_perl: Added pair Framed-IP-Address = 255.255.255.255
rlm_perl: Added pair Auth-Type = Perl
++[perl] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = Perl
# Executing group from file /etc/freeradius/sites-enabled/vuserver
+- entering group Perl {...}
rlm_perl: Added pair User-Name = camara/829113
rlm_perl: Added pair NAS-Identifier = CiscoSecure ACS v4.2(0.124)
rlm_perl: Added pair User-Password = \277\241\340t\312/\2303^;\216\233\3618\2179
rlm_perl: Added pair Realm = DEFAULT
rlm_perl: Added pair NAS-IP-Address = 192.168.0.3
rlm_perl: Added pair NAS-Port = 6372
rlm_perl: Added pair Stripped-User-Name = 829113
rlm_perl: Added pair Framed-IP-Address = 255.255.255.255
rlm_perl: Added pair Class = 0x434143533a302f3265662f37663030303030312f31383133
rlm_perl: Added pair Auth-Type = Perl
++[perl] returns ok
WARNING: Empty post-auth section. Using default return values.
# Executing section post-auth from file /etc/freeradius/sites-enabled/vuserver
Sending Access-Accept of id 23 to 192.168.0.3 port 3912
Framed-IP-Address = 255.255.255.255
Class = 0x434143533a302f3265662f37663030303030312f31383133
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 3 ID 23 with timestamp +575
Ready to process requests.
Inside the file archive.zip you'll find:
cap_freeradius.cap (communication sniffed between the ACS and the Freeradius)
captura2acsOK.pcapng (communication sniffed between the ACS 1 and the ACS 2 where everything is OK)
If you need more information or output please let me know.
Rogelio -
SG300: MAC authentication with Radius VLAN assignment problems
Hi,
I just can't get the dynamic vlans working. I've tried everything, switch in L3 mode, switch in L2, several port configs, several tunnel configs in Radius server (freeradius 2.1.1)
Here's the final switch config:
config-file-header
switchf460dc
v1.3.7.18 / R750_NIK_1_35_647_358
CLI v1.0
set system mode switch
file SSD indicator encrypted
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
no spanning-tree
vlan database
vlan 12,100,110,666
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
dot1x system-auth-control
no bonjour enable
hostname switchf460dc
line ssh
exec-timeout 0
exit
encrypted radius-server host 192.168.99.93 key xXx priority 1 usage dot1.x
logging host 1.2.3.4 severity debugging
passwords aging 0
ip ssh server
snmp-server server
snmp-server community public ro 192.168.99.93 view Default
clock timezone " " +1
clock summer-time web recurring eu
clock source sntp
sntp unicast client enable
sntp server 172.16.1.1
interface vlan 12
ip address 192.168.99.170 255.255.255.0
no ip address dhcp
interface gigabitethernet5
dot1x host-mode multi-sessions
dot1x reauthentication
dot1x authentication mac
dot1x radius-attributes vlan static
dot1x port-control auto
switchport mode general
switchport general allowed vlan add 100,110,666 untagged
no macro auto smartport
interface gigabitethernet6
switchport mode access
switchport access vlan 110
interface gigabitethernet9
switchport mode access
switchport access vlan 12
interface gigabitethernet10
switchport trunk allowed vlan add 12,100,110
exit
ip default-gateway 192.168.99.1
On the switch side I would expect VLAN 666 to be set but it's not there:
switchf460dc#show dot1x users
MAC Auth Auth Session VLAN
Port Username Address Method Server Time
gi5 0090dca15880 00:90:dc:a1:58:80 MAC Remote 01:09:25
This is the radius users file. It's a simple file for test.
DEFAULT Auth-Type := Accept
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = 666
I am attaching a screenshot of the Radius reply sent by the server.
I also tried setting "copy_request_to_tunnel = yes" and "use_tunneled_reply = yes" as found in another post, no success.
It may be that the tag is missing in the Radius reply? If yes, how do I add it?
Any ideas?
Thanks.
Update Dec 11: I tried with FW 1.4.0, and using the same config the switch doesn't perform any Radius requests at all anymore.
I was wrong when I said that 1.4.0 wouldn't work at all. I simply had a device connected which didn't produce much traffic. My bad.
So 1.4.0 works as far as the auth is concerned, but no improvement as far as dynamic VLAN is concerned. So there is either no improvement over 1.3.7, or there is a config issue.
I have opened SR 633001533 although the last appointment for WebEx went by without anyone getting back to me. I'll try again on Monday.
Feel free to get back to me if you need anything to make experiments. I'll keep this thread updated too. -
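The replies above describe the Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID triple (IETF 64/65/81) that carries a VLAN assignment, the SG300 poster asks whether the RFC 2868 tag is missing from the reply, and the FreeRADIUS token thread shows an Access-Accept carrying Framed-IP-Address and a hex Class value. As an added example (not code from any of the posts, the switches, or FreeRADIUS), the following Python encodes that triple with and without a tag, parses a constructed Access-Accept that also carries the Framed-IP-Address and Class values quoted in the thread, and recovers the VLAN only when the three attributes form one consistent group; attribute numbers are the IETF standard values and every packet byte here is constructed.

```python
"""Encode/decode the RADIUS reply attributes behind dynamic VLAN assignment.
Added example, not code from any post above; attribute numbers are IETF values
(RFC 2865 / 2868 / 3580) and the sample Access-Accept is constructed here."""
import ipaddress

ATTR_FRAMED_IP_ADDRESS = 8         # RFC 2865 s5.8
ATTR_CLASS = 25                    # RFC 2865 s5.25: opaque, echoed in accounting
ATTR_TUNNEL_TYPE = 64              # RFC 2868 s3.1
ATTR_TUNNEL_MEDIUM_TYPE = 65       # RFC 2868 s3.2
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81  # RFC 2868 s3.6
TUNNEL_TYPE_VLAN = 13              # RFC 3580 s3.31
TUNNEL_MEDIUM_IEEE_802 = 6
VLAN_ATTRS = (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID)
# Class value from the ACS-to-ACS capture quoted in the FreeRADIUS token thread
SAMPLE_CLASS_HEX = "434143533a302f356662622f37663030303030312f31383133"

def avp(attr_type, value):
    """Type-Length-Value; Length counts the two header octets (max 255)."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value must be 0..253 octets")
    return bytes([attr_type, len(value) + 2]) + value

def tagged_integer(attr_type, value, tag=0):
    """Tunnel-Type / Tunnel-Medium-Type: tag octet (0x00 = untagged) + 3-octet int."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    return avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))

def tagged_string(attr_type, value, tag=0):
    """Tunnel-Private-Group-ID: optional tag octet 0x01..0x1F, then the string.
    Untagged, the string starts at once; a first octet above 0x1F is data, not a
    tag (RFC 2868 s3.6), so an untagged '666' (0x36...) is never misread."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    prefix = bytes([tag]) if tag else b""
    return avp(attr_type, prefix + value.encode("ascii"))

def vlan_assignment(vlan, tag=1):
    """The 64/65/81 triple that moves an 802.1X or MAB port into a VLAN; all
    three carry the same tag so the NAS groups them (RFC 3580 s3.31)."""
    return (tagged_integer(ATTR_TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + tagged_integer(ATTR_TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag)
            + tagged_string(ATTR_TUNNEL_PRIVATE_GROUP_ID, vlan, tag))

def parse_attributes(blob):
    """Walk an attribute list into (type, tag, value) triples.  A bad Length
    raises instead of being skipped: everything after it would be misread."""
    out, i = [], 0
    while i < len(blob):
        attr_type = blob[i]
        length = blob[i + 1] if i + 1 < len(blob) else 0   # 0 fails the check below
        if length < 2 or i + length > len(blob):
            raise ValueError("bad length %d for attribute %d" % (length, attr_type))
        value, tag = blob[i + 2:i + length], 0
        i += length
        if attr_type in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tagged integer must be 4 octets")
            tag, value = value[0], int.from_bytes(value[1:], "big")
        elif attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            if value and value[0] <= 0x1F:        # tag octet present
                tag, value = value[0], value[1:]
            value = value.decode("ascii", errors="replace")
        elif attr_type == ATTR_FRAMED_IP_ADDRESS:
            value = str(ipaddress.IPv4Address(value))  # raises unless 4 octets
        out.append((attr_type, tag, value))            # Class etc. stay raw bytes
    return out

def assigned_vlan(attrs):
    """VLAN id/name from a parsed reply, or None when the tunnel attributes are
    missing or their tags do not form one complete group (no usable VLAN)."""
    groups = {}
    for attr_type, tag, value in attrs:
        if attr_type in VLAN_ATTRS:
            groups.setdefault(tag, {})[attr_type] = value
    for g in groups.values():
        if (g.get(ATTR_TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and g.get(ATTR_TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and ATTR_TUNNEL_PRIVATE_GROUP_ID in g):
            return g[ATTR_TUNNEL_PRIVATE_GROUP_ID]
    return None

def sample_access_accept():
    """Constructed reply: the two attributes seen in the ACS-to-ACS capture
    plus a tagged assignment to VLAN 666 as in the SG300 users file."""
    return (avp(ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address("255.255.255.255").packed)
            + avp(ATTR_CLASS, bytes.fromhex(SAMPLE_CLASS_HEX))
            + vlan_assignment("666", tag=1))
```

Decoding the Class bytes from the parsed sample as ASCII shows what ACS put in it; a NAS must nevertheless treat Class as opaque and only echo it in accounting.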
Hi Guys, I have been looking at the use of Cisco ACS server for VLAN assignment. So far I have searched through a number of threads and no found what I am looking for specifically so here it goes.
1) When the RADIUS attributes have been configured in ACS (64, 65 + 81), and in my case I have them in the group configuration. For the VLANs to be assigned to the various users at their ports, will every VLAN name in the RADIUS settings have to be in the switches which are used for access?
2) Is there a limit to the number of VLANs that can be assigned by the RADIUS(IETF) portion of ACS or would it be better to use RADIUS(IOS/PIX)? I am thinking of about 15 VLANS.
I am using a Catalyst 4500 (IOS supervisor) and 2950s and 2970s at the closets.
Thanks for any help...
Kelvin
Access Control Lists
I am thinking it is better to apply the ACLs at the closet (access) switches, where I can specify the servers that should be reached by the hosts in my test VLAN and deny those which they should not.
I used a named extended ACL for my tests; however, it did not go well. With the ACL below applied I cannot reach anything, including the server I actually want to reach. My intention was to allow the hosts in the test VLAN 172.16.12.0/24 to reach 2 particular servers and their gateway; however, with the list applied I cannot reach anything at all. The setup is one 2950 connected to a 4507; the 2 VLANs I am working with are trunked to the 2950 and DHCP is running. I have IP routing enabled on the 4507 and it is the server for the VTP domain.
ip access-list extended guest
permit ip 172.16.12.0 255.255.255.0 host 172.16.12.1
permit ip 172.16.12.0 255.255.255.0 host 172.16.2.254
permit udp 172.16.12.0 255.255.255.0 host 172.16.2.245 eq 53
deny ip any any
Any advice on how I can restrict the hosts which will be on this VLAN from accessing the rest of the network? -
ACS 5.1 - RADIUS Proxy Accounting Logs
Recently I'm using ACS 5.1 to support external RADIUS servers, and read the manuals to proceed with the following workflow.
Install Linux RADIUS Service (this part was tested)
Install FreeRADIUS Service
Add new linux user account
Cisco ACS 5.1
Add External RADIUS servers
Network Resources -> External RADIUS Servers
Add information.
Add RADIUS Proxy Service
Access Policies -> Access Services
Create with User Selected Service Type , RADIUS Proxy
Advanced Options -> Accounting
Remote Accounting and Local Accounting enabled
Access Policies -> Access Services -> Service Selection Rules
Create #1 rule , Conditions : match Radius , Results : RADIUS Service
Add Network Resources for accepting network
Network Device Groups -> Network Devices and AAA Clients
Enable RADIUS Debug Messages
System Administration > Configuration > Log Configuration > Logging Categories > Global > Edit: "RADIUS Diagnostics"
Configure Log Category Log Severity : DEBUG
Add 3GPP VSA
Send out Radius Accounting Packet to ACS
ACS got the Packet, but didn't redirect to External Radius Server
I got this message from ACS 5.1
Others is 'Failed to forward request to current remote RADIUS server; an invalid response was received.' in the iv.csv file.
There are two problem.
RADIUS Accounting Packets didn't redirect to external server, but it works without proxy. (Auth is ok.)
Other attributes didn't collect all information, even with the debug enabled.
Hi Steve,
The shared secret is 100% correct.
Finally I find out that there may be some white lists for attributes.
If I keep NAS-Identifier , it will work.
But it can't pass all VSA (3GPP sub-attributes) , it only shows one or three in BOTH ACS and RADIUS Server.
The other is the RADIUS VSA User Define Options (which is in SA > C > D > P > RADIUS > RADIUS VSA > Edit ) .
When 'Vendor Length Field Size' changes to 0, all sub-attributes pass through ACS.
The RADIUS Server gets the message from NSA.
Of course, there is the Proxy-State attribute.
In this condition, the ACS has incorrect output in the sub-attribute.
Now I try 5.2 to see whether the problem exists or not. -
ACS 5.1 RADIUS Proxy - Adding RADIUS attributes
Is there anyway under ACS 5.1 to add RADIUS attributes to outgoing RADIUS proxy auth requests or failing this to RADIUS proxy accounting updates?
As soon as I configure a RADIUS proxy services, there is little config I can do other than to say whether or not the prefix and suffix is to be stripped.
I can add these attributes if using an external RADIUS box as an identity store, but I cannot do this for this particular service and instead I need to use RADIUS proxying.
Thanks
Paul -
Using a BM 3.8 RADIUS Server to Assign Users to VLANs
I'm trying to use Bordermanager 3.8 RADIUS to assign VLANs to users. The
users are accessing the network via Cisco 1100 Aironet Wireless Access
Points. We have defined two VLANs on the network. One goes directly to
the internet for GUEST, VLAN1, and the other goes to our private network
MEMBERS, VLAN2. The problem I'm having is getting the RADIUS to assign
attributes to the user accounts. I need attribute: IETF 64 (Tunnel Type)
set to VLAN, IETF 54 (Tunnel Medium Type) set to 802, and IETF (Tunnel
Private Group ID) set to the VLAN-ID which is 1 or 2. These attributes are
not available in the RADIUS.ATR file. Is there some way of editing the
ATR file to add these attributes? Is there another solution to assign
VLANs with Bordermanager?
> I need attributes: IETF 64 (Tunnel Type) set to VLAN, IETF 65 (Tunnel
> Medium Type) set to 802, and IETF 81 (Tunnel Private Group ID) set to the
> VLAN-ID which is 1 or 2. These attributes are not available in the
> RADIUS.ATR file. Is there some way of editing the ATR file to add these
> attributes? Is there another solution to assign VLANs with Bordermanager? -
Hello,
I was wondering if i should use the same RADIUS VSA attribute on ACS v5.1 to authenticate AAA clients as those i was using on my old ACS v3.3 server.
Example: under ACS v3.3 I was using the RADIUS (Cisco Aironet) attribute to authenticate AP & WLC; should I do the same under ACS v5.1?
Best regards.
Hello,
When defining an AAA client on the new ACS 5.x server you just select TACACS+ or RADIUS. We no longer define the RADIUS "vendor"/"VSA" when creating the AAA Client entry. All AAA clients would be defined as RADIUS or TACACS+ only.
If you were using specific VSA Attributes then you need to send those attributes back configuring Authorization Profiles on the ACS 5.x. You will find the specific VSA attributes there. Refer to the following screenshots:
And here are the available attributes for the ACS for RADIUS Aironet: -
ACS Radius + Peap + MSChapV2
I am using a wireless setup
Aironet 1100, ACS 4.0, 3rd party Client adapter
I am able to connect to my wireless network by keying in username&pass created on the ACS user setup. Also by using a self signed certificate from the ACS.
Doubts: In ACS logs - Radius accounting is empty.
Failed attempts.csv shows "Authen failed, EAP-TLS or PEAP authentication failed during SSL handshake"
But I am able to authenticate my users successfully into the wireless network. What went wrong?
Hi
Try enabling the Passed Authentications report and see what's in there. It could be that the failure is perhaps purely transient and rectified by a subsequent attempt.
For example, a re-key authentication requires SSL state on the ACS; it could be that the supplicant and ACS have to revert to performing a full authentication.
I'm guessing, but it is entirely possible to have entries in the failed attempts and still get access.
Darran