ACS 5 Radius IP Assignment

We have number of GPRS terminals, they work in our private APN. Can we assign static or dynamic IPs to them?
Terminals work with IP, not with PPP. We have direct connect with ISP via serial interface. ISP forwards all Radius traffic to our ACS appliance.

You may assign a static ip address. You may try this:

Similar Messages

  • 802.1X for wired environments using Radius/ACS for Dynamic Vlan Assignment

    Could someone please provide me with a simplest set of configuration steps to fire up Radius in ACS and 802.1X for dynamic vlan assignment. The objective is to roll out NAC L2 OOB using the 802.1X method for dynamic vlan assignments.
    If possible show:
    1. ACS/Radius Configurations.
    2. End User Switch Configurations
    Variables:
    Switch A
    MAC Address aaaa.bbbb.cccc     Vlan 10
                bbbb.cccc.dddd     Vlan 20
    Also, if someone posts the Pros and Cons of using Radius/ACS/802.1X for Dynamic Vlan Assignments.
    Other technology sets that can be used for Dynamic Vlan assignment EXCEPT from deprecated/obsolete VMPS.
    Thanks in advance. .

    Hi Guys,
        Hmmm, well if you're just looking for MAC-based authentication the good news is that it is very easy.  Just create your Radius server, ACS, FreeRadius, Steelbelted radius etc.  Then create a user with the name of the MAC address, in other words if the MAC address is 0012.0021.1122 then the name would be 001200211122 and the password would be the MAC address.  Then you set the vlan and tunnel stuff, like so: Tunnel-Type would be vlan, Tunnel-Medium would be 802 and Tunnel-Private-Group-ID is the name of the vlan (not the vlan number).
       So for the Cisco ACS 4.x you would create a user as specified above, fill in all the password boxes with MAC address, I believe the mac has to be all lower case in the name and the password.  Then check the Separate(Chap/MS-Chap/ARAP) box.  Then you pick the group the machine belongs to, the group is the part that defines what vlan it is on.
       Before you create the user, create the group with info I wrote above and in addition specify the Service-Type as Authenticate Only.
        Freeradius is a bit harder to configure the specifics and I am just now testing a freeradius server so I do not know the process for Machine authentication.
        If, however, you are trying to authenticate a user that gets a bit trickier and is not so straight forward.

  • Acs and Dynamic vlan assignment problem

    Hi all,
    I'm unable to dynamically pass the Radius attribute, about assigned vlan, to 802.1x clients.
    I'm sure that everything is well configured but the only way to do it is configuring these attributes directly on user or group properties.
    When I try to pass these attributes by application of a Shared RAC (ACS 4.2) or NAP (ACS 5.0) the only message that I can find on the switch, where the vlan has to be configured, is:
    dot1x-ev:Received VLAN is No Vlan
    dot1x-ev:Received VLAN Id -1
    The user is still authenticated successfully ( and all the profiles correctly assigned) but remain in the vlan statically configured on the interface.
    The logic is working, but transmission does not.
    Is this a bug ?

    Test the authentication again. If it still fails, set the logging to full on the ACS server using:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a00800afec1.shtml#setting_acs
    Also check if you are running another RADIUS product on the same server as the ACS services and the same decryption was being used. Reset shared key on switch and radius server.

  • ACS Express radius authentication AD authorization

    I work at a University and for some reason we have multiple systems for authentication and authorization.  That being said I am trying to use radius to do authentication and AD for authorization for VPNs.  I have the radius authentication working against our radius server.  I have my ACS express setup to join the AD domain and everything looks good there.  I setup the AD server as a radius object in AAA server groups on my ASA.  Then I add the server below in the servers in selected groups window.  I put all the info in there and when I hit test I click authorization and put in the username that I know is in the domain group I have associated with this on the ACS.  The test fails and with authorization failed with invalid password.  When I look at the logs on the ACS I see
    01/06/2011 20:14:26 acsxp/server Warning Server 0 AD Agent Plain Text Authentication Failed for user: username@domain
    01/06/2011 20:14:26 acsxp/server Warning Server 0 Authentication for user username failed for reason = 0
    01/06/2011 20:14:26 acsxp/server Error Protocol 0 Request from 172.20.5.2: User username rejected . by RemoteServer: AD (InvalidPassword). 
    Username and domain are correct I just edited them for posting.  It seems like it is trying to authenticate rather than authorize.  All I want it to do is say yes the user is in this group or no the user is not in this group?  You can't even fill in the password when testing authorization?  Maybe I have something setup wrong on the ACS side but when I look at AD under users and identity stores, it says it is joined to the domain.  When I do AD domain diagnostics under troubleshooting everything looks good.  I have the ASA I am testing from defined as a device and in the ASA device group.  Under access services in Radius access services I have one service that I setup that connects to the AD and it found the group so I know it is connecting.  Any idea what I am doing wrong or where to look?
    Any help would be GREATLY appreciated!
    Thanks
    Joe

    Hi Joe,
    We could take a deeper look at what is happening through some logs and debugs:
    1. On ACS Express, under
    Reports & Troubleshooting > Troubleshooting > Server Logs
    please set the Express Server Trace Level to 5 and the Web Server Trace Level to 4.
    Also, for the Log Level under OS Logging, please set its value to "Debug".
    If previous old logs are not essential to you, you may also wanna delete all the log files first, so that we capture logs for the last day only.
    2. On the ASA, please enable the following debugs
    debug aaa authentication
    debug aaa authorization
    debug radius
    3. Then please first recreate a successful authentication attempt, and then recreate the authorization test issue with the same user account for which you tested the successful authentication.
    4. After the issue is recreated, please attach the debugs from the ASA and following files from the ACS Server Logs:
    acsxp_adagent.log
    acsxp_agent_server.log
    acsxp_mcd.log
    acsxp_server.log
    acsxp_server_trace.log
    Regards,
    Fede
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • Secure-ACS: Special RADIUS-Attributes for Enterasys E7

    Hi,
    we were running a pretty old version of the  Cisco Secure ACS for AAA our network devices.
    Unfortunately the server crashed and we had to install and set it up with a new server.
    Using  TACACS+ for our Cisco devices works fine.
    We have a couple of  switches made by a vendor called Nexans, which only support RADIUS -  this works fine too.
    Furthermore we still have some Enterasys E7  and with those RADIUS doesn't work at all.
    Sniffing the packets, everything looks good.
    With the old server it worked well.
    Does  anybody know if there are special configurations (e.g. attributes) when  configuring an ACS for Enterasys RADIUS-Clients?
    Thanks,
    Rolf

    We have this configuration and works fine with our network and associate in a good manner also the policy which we have configured it on Enterasys in this way
    Filter-Id===>
    Enterasys:version=1:mgmt=su:policy=Administrator
    After we made the update to ACS 5, the "ASA" considers this filter-id as an access-list, so it considers the field after the filter-id as the name of the acl, and disconnects the VPN connection.
    Could someone help me to resolve that?

  • Nortel switches authenticating to both ACS via RADIUS

    Dual ACS solution (4.2) with one ACS doing the authenticating, the other acting as a standby.
    Recently when accessing nortel switches, they authenticate to both ACS, as some are going to ACS2 despite their primary RADIUS server being ACS1.
    The ACS solution has other network devices, using TACACS+ and they seem fine. DB replication is fine between the ACS and nothing I believe has changed in the configuration between the two.
    Any ideas? (all I can think is the response from ACS1 is exceeding the timeout and the switches then select ACS2, but there's no evidence to suggest a problem in network delay).

    I am unfamiliar with the Nortel switches. If a cisco switch queries a AAA server and it fails to respond, it will mark it as dead and move to the next. When the AAA server is back online, the switch will not revert to the previous server. It will remain on the current AAA server until AAA is disabled or the current AAA server fails to respond.
    Network delay would cause this. Maybe the services were disabled or replication was occurring while the device was trying to authenticate.
    Thank You,
    Dan Laden

  • ACS v4 & radius

    A device wants to talk to the ACS server to get authentication services. It wants to use CHAP. Where is the CHAP option as applied to the radius authentication function? How do  you set up radius in ACS to accept CHAP passwords authentication for radius requests?
    Specifically, Qradar wants to query Cisco ACS v4.2 to see if users logging into Qradar are authorized to do so. This fails because I can't find the place (if any) in ACS where CHAP can be used.

    ACS can act as both as RADIUS and TACACS server,
    when you say what kind of issues to expect: you need to check for open caveats in the release notes of ACS 4.1.
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/index.htm

  • Unsuccessful ACS to RADIUS token server exchange

    Hello team:
    We are having a hard time trying to make our ACS 4.2 talk to an external FreeRadius token server.
    When our ACS sends the Access-Request message, our FreeRadius token server answers with an Access-Accept message with zero attributes on the message. This answer, according to ACS documentation, should be perfectly accepted by ACS when it works as a RADIUS client. However, our ACS considers this answer as an error and so the transaction fails.
    In order to compare with another platform working as our radius server, we replaced our FreeRadius token server by another CS ACS. With this scenario, everything works! So we sniffed the ACS to ACS transaction and found that two RADIUS attributes are sent with the Access-Accept message:
    (1) Framed-IP = 255.255.255.255
    (2) Class = 0x434143533a302f356662622f37663030303030312f31383133
    We got back to our FreeRadius as the external RADIUS server of our ACS, and managed it to generate and return exactly the previous kind of message to the ACS working as radius client, however when our ACS receives the RADIUS Access-Accept with these attributes, it still rejects the answer and fails.
    So we are missing something.
    Did anyone manage to make ACS query an external RADIUS server with success? We would appreciate any hints!!
    thank you very much in advance
    Rogelio Alvez
    Argentina

    Thanks for the interest Tarik!
    Here you have the debug from both sides ACS 4.2 and Freeradius in the same authentication event:
    ACS Debug from a terminal monitor
    2w1d: AAA/AUTHEN/CONT (4096347873): continue_login (user='(undef)')
    2w1d: AAA/AUTHEN (4096347873): status = GETUSER
    2w1d: AAA/AUTHEN (4096347873): Method=radius (radius)
    2w1d: AAA/AUTHEN (4096347873): status = GETPASS
    2w1d: AAA/AUTHEN/CONT (4096347873): continue_login (user='camara/829113')
    2w1d: AAA/AUTHEN (4096347873): status = GETPASS
    2w1d: AAA/AUTHEN (4096347873): Method=radius (radius)
    2w1d: RADIUS: ustruct sharecount=1
    2w1d: RADIUS: Initial Transmit tty7 id 175 192.168.0.3:1645, Access-Request, len 86
    2w1d:         Attribute 4 6 C0A800CB
    2w1d:         Attribute 5 6 00000007
    2w1d:         Attribute 61 6 00000005
    2w1d:         Attribute 1 15 63616D61
    2w1d:         Attribute 31 15 3139322E
    2w1d:         Attribute 2 18 893A4B64
    2w1d: RADIUS: Received from id 175 192.168.0.3:1645, Access-Reject, len 32
    2w1d:         Attribute 18 12 52656A65
    2w1d: RADIUS: saved authorization data for user 80E8A88C at 0
    2w1d: AAA/AUTHEN (4096347873): status = FAIL
    2w1d: AAA/AUTHEN/ABORT: (4096347873) because Invalid password.
    2w1d: AAA/MEMORY: free_user (0x80E8A88C) user='camara/829113' ruser='' port='tty7' rem_addr='192.168.0.202' authen_type=ASCII service=LOGIN priv=1
    2w1d: AAA: parse name=tty7 idb type=-1 tty=-1
    2w1d: AAA: name=tty7 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=7 channel=0
    2w1d: AAA/MEMORY: create_user (0x80E8B920) user='' ruser='' port='tty7' rem_addr='192.168.0.202' authen_type=ASCII service=LOGIN priv=1
    2w1d: AAA/AUTHEN/START (2072451976): port='tty7' list='pepe' action=LOGIN service=LOGIN
    2w1d: AAA/AUTHEN/START (2072451976): found list pepe
    2w1d: AAA/AUTHEN/START (2072451976): Method=radius (radius)
    2w1d: AAA/AUTHEN (2072451976): status = GETUSER
    Freeradius Debug
    rad_recv: Access-Request packet from host 192.168.0.3 port 3912, id=23, length=94
        User-Name = "camara/829113"
        NAS-IP-Address = 192.168.0.3
        NAS-Port = 6372
        NAS-Identifier = "CiscoSecure ACS v4.2(0.124)"
        User-Password = "\277\241\340t\312/\2303^;\216\233\3618\2179"
    # Executing section authorize from file /etc/freeradius/sites-enabled/vuserver
    +- entering group authorize {...}
    ++[preprocess] returns ok
    [auth_log]     expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.0.3/auth-detail-20120714
    [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.0.3/auth-detail-20120714
    [auth_log]     expand: %t -> Sat Jul 14 18:42:32 2012
    ++[auth_log] returns ok
    [IPASS] Looking up realm "camara" for User-Name = "camara/829113"
    [IPASS] Found realm "DEFAULT"
    [IPASS] Adding Stripped-User-Name = "829113"
    [IPASS] Adding Realm = "DEFAULT"
    [IPASS] Authentication realm is LOCAL.
    ++[IPASS] returns ok
    [suffix] Request already proxied.  Ignoring.
    ++[suffix] returns ok
    ++[files] returns noop
    ++[control] returns noop
    rlm_perl: Response: 201: Succeeded
    rlm_perl: Added pair User-Name = camara/829113
    rlm_perl: Added pair User-Password = \277\241\340t\312/\2303^;\216\233\3618\2179
    rlm_perl: Added pair NAS-Identifier = CiscoSecure ACS v4.2(0.124)
    rlm_perl: Added pair Realm = DEFAULT
    rlm_perl: Added pair Stripped-User-Name = 829113
    rlm_perl: Added pair NAS-Port = 6372
    rlm_perl: Added pair NAS-IP-Address = 192.168.0.3
    rlm_perl: Added pair Class = 0x434143533a302f3265662f37663030303030312f31383133
    rlm_perl: Added pair Framed-IP-Address = 255.255.255.255
    rlm_perl: Added pair Auth-Type = Perl
    ++[perl] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    Found Auth-Type = Perl
    # Executing group from file /etc/freeradius/sites-enabled/vuserver
    +- entering group Perl {...}
    rlm_perl: Added pair User-Name = camara/829113
    rlm_perl: Added pair NAS-Identifier = CiscoSecure ACS v4.2(0.124)
    rlm_perl: Added pair User-Password = \277\241\340t\312/\2303^;\216\233\3618\2179
    rlm_perl: Added pair Realm = DEFAULT
    rlm_perl: Added pair NAS-IP-Address = 192.168.0.3
    rlm_perl: Added pair NAS-Port = 6372
    rlm_perl: Added pair Stripped-User-Name = 829113
    rlm_perl: Added pair Framed-IP-Address = 255.255.255.255
    rlm_perl: Added pair Class = 0x434143533a302f3265662f37663030303030312f31383133
    rlm_perl: Added pair Auth-Type = Perl
    ++[perl] returns ok
      WARNING: Empty post-auth section.  Using default return values.
    # Executing section post-auth from file /etc/freeradius/sites-enabled/vuserver
    Sending Access-Accept of id 23 to 192.168.0.3 port 3912
        Framed-IP-Address = 255.255.255.255
        Class = 0x434143533a302f3265662f37663030303030312f31383133
    Finished request 3.
    Going to the next request
    Waking up in 4.9 seconds.
    Cleaning up request 3 ID 23 with timestamp +575
    Ready to process requests.
    Inside the file archive.zip you'll find
    cap_freeradius.cap (communication sniffed between the ACS and the Freeradius)
    captura2acsOK.pcapng (communication sniffed between the ACS 1 and the ACS 2 where everything is ok)
    If you need more information or output please let me know.
    Rogelio

  • SG300: MAC authentication with Radius VLAN assignment problems

    Hi,
    I just can't get the dynamic vlans working. I've tried everything, switch in L3 mode, switch in L2, several port configs, several tunnel configs in Radius server (freeradius 2.1.1)
    Here's the final switch config:
    config-file-header
    switchf460dc
    v1.3.7.18 / R750_NIK_1_35_647_358
    CLI v1.0
    set system mode switch
    file SSD indicator encrypted
    ssd-control-start
    ssd config
    ssd file passphrase control unrestricted
    no ssd file integrity control
    ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
    no spanning-tree
    vlan database
    vlan 12,100,110,666
    exit
    voice vlan oui-table add 0001e3 Siemens_AG_phone________
    voice vlan oui-table add 00036b Cisco_phone_____________
    voice vlan oui-table add 00096e Avaya___________________
    voice vlan oui-table add 000fe2 H3C_Aolynk______________
    voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
    voice vlan oui-table add 00d01e Pingtel_phone___________
    voice vlan oui-table add 00e075 Polycom/Veritel_phone___
    voice vlan oui-table add 00e0bb 3Com_phone______________
    dot1x system-auth-control
    no bonjour enable
    hostname switchf460dc
    line ssh
    exec-timeout 0
    exit
    encrypted radius-server host 192.168.99.93 key xXx priority 1 usage dot1.x
    logging host 1.2.3.4 severity debugging
    passwords aging 0
    ip ssh server
    snmp-server server
    snmp-server community public ro 192.168.99.93 view Default
    clock timezone " " +1
    clock summer-time web recurring eu
    clock source sntp
    sntp unicast client enable
    sntp server 172.16.1.1
    interface vlan 12
     ip address 192.168.99.170 255.255.255.0
     no ip address dhcp
    interface gigabitethernet5
     dot1x host-mode multi-sessions
     dot1x reauthentication
     dot1x authentication mac
     dot1x radius-attributes vlan static
     dot1x port-control auto
     switchport mode general
     switchport general allowed vlan add 100,110,666 untagged
     no macro auto smartport
    interface gigabitethernet6
     switchport mode access
     switchport access vlan 110
    interface gigabitethernet9
     switchport mode access
     switchport access vlan 12
    interface gigabitethernet10
     switchport trunk allowed vlan add 12,100,110
    exit
    ip default-gateway 192.168.99.1
    On the switch side I would expect VLAN 666 to be set but it's not there:
    switchf460dc#show dot1x users
                              MAC               Auth   Auth   Session        VLAN
    Port     Username         Address           Method Server Time
    gi5      0090dca15880     00:90:dc:a1:58:80 MAC    Remote 01:09:25
    This is the radius users file. It's a simple file for test.
    DEFAULT Auth-Type := Accept
            Tunnel-Type = VLAN,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = 666
    I am attaching a screenshot of the Radius reply sent by the server.
    I also tried setting "copy_request_to_tunnel = yes" and "use_tunneled_reply = yes" as found in another post, no success.
    It may be that the tag is missing in the Radius reply? If yes, how do I add it?
    Any ideas?
    Thanks.
    Update Dec 11: I tried with FW 1.4.0, and using the same config the switch doesn't perform any Radius requests at all anymore.

    I was wrong when I said that 1.4.0 wouldn't work at all. I simply had a device connected which didn't produce much traffic. My bad.
    So 1.4.0 works as far as the auth is concerned, but no improvement as far as dynamic VLAN is concerned. So there is no improvement over 1.3.7, or there is a config issue.
    I have opened SR 633001533 although the last appointment for WebEx went by without anyone getting back to me. I'll try again on Monday.
    Feel free to get back to me if you need anything to make experiments. I'll keep this thread updated too.
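
The three tunnel attributes from the users file in this thread, laid out as RFC 2868 puts them on the wire, with and without a tag; RFC 3580 says the tag SHOULD be 0x00 when only a VLAN ID is being specified. This is an added example, not code from the thread or from FreeRADIUS: the function names are hypothetical, and omitting the tag octet from Tunnel-Private-Group-ID when the tag is 0 is this example's choice.

```python
# Attribute numbers from RFC 2868; VLAN (13) and IEEE-802 (6) values from RFC 3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6
MAX_TAG = 0x1F  # tags are 0x01..0x1F; 0x00 means "unused"


def encode_tagged_int(attr, value, tag=0):
    """Tunnel-Type / Tunnel-Medium-Type: tag octet + 3-octet value, length 6."""
    if not 0 <= tag <= MAX_TAG or not 0 <= value < 1 << 24:
        raise ValueError("tag or value out of range")
    return bytes([attr, 6, tag]) + value.to_bytes(3, "big")


def encode_tagged_str(attr, text, tag=0):
    """Tunnel-Private-Group-ID: optional tag octet followed by the string."""
    if not 0 <= tag <= MAX_TAG:
        raise ValueError("tag out of range")
    body = (bytes([tag]) if tag else b"") + text.encode("ascii")
    if len(body) + 2 > 255:
        raise ValueError("attribute too long")
    return bytes([attr, len(body) + 2]) + body


def vlan_reply_attributes(vlan, tag=0):
    """Attribute bytes a server would place in the Access-Accept for one VLAN."""
    return (encode_tagged_int(TUNNEL_TYPE, TYPE_VLAN, tag)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802, tag)
            + encode_tagged_str(TUNNEL_PRIVATE_GROUP_ID, str(vlan), tag))


def parse_attributes(blob):
    """Split an attribute area into (type, value) pairs, checking every length."""
    pairs, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError("bad attribute length")
        pairs.append((attr, blob[pos + 2:pos + length]))
        pos += length
    return pairs


def extract_vlan(blob):
    """Return (vlan, tag) when one tag carries the full VLAN trio, else None."""
    tunnels = {}
    for attr, value in parse_attributes(blob):
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4 or value[0] > MAX_TAG:
                raise ValueError("malformed tagged integer")
            tag, decoded = value[0], int.from_bytes(value[1:], "big")
        elif attr == TUNNEL_PRIVATE_GROUP_ID:
            # A first octet above 0x1F is part of the string, not a tag.
            if value and value[0] <= MAX_TAG:
                tag, decoded = value[0], value[1:].decode("ascii")
            else:
                tag, decoded = 0, value.decode("ascii")
        else:
            continue
        tunnels.setdefault(tag, {})[attr] = decoded
    for tag in sorted(tunnels):
        t = tunnels[tag]
        if (t.get(TUNNEL_TYPE) == TYPE_VLAN
                and t.get(TUNNEL_MEDIUM_TYPE) == MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in t):
            return t[TUNNEL_PRIVATE_GROUP_ID], tag
    return None


if __name__ == "__main__":
    for tag in (0, 1):
        wire = vlan_reply_attributes(666, tag)
        print(f"tag={tag} wire={wire.hex()} parsed={extract_vlan(wire)}")
    # Constructed failure case: the group ID is untagged, the other two use tag 1.
    mixed = (encode_tagged_int(TUNNEL_TYPE, TYPE_VLAN, 1)
             + encode_tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802, 1)
             + encode_tagged_str(TUNNEL_PRIVATE_GROUP_ID, "666", 0))
    print("mixed tags ->", extract_vlan(mixed))
```

Comparing the hex printed here with the attribute bytes in a packet capture of the Access-Accept shows whether the reply carries a tag and whether all three attributes agree on it.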

  • Using ACS for VLAN assignment

    Hi Guys, I have been looking at the use of Cisco ACS server for VLAN assignment. So far I have searched through a number of threads and not found what I am looking for specifically so here it goes.
    1) When the RADIUS attributes have been configured in ACS (64, 65 + 81), and in my case I have them in the group configuration. For the VLANs to be assigned to the various users at their ports will every VLAN name in the RADIUS settings have to be in the switches which are used for access?
    2) Is there a limit to the number of VLANs that can be assigned by the RADIUS(IETF) portion of ACS or would it be better to use RADIUS(IOS/PIX)? I am thinking of about 15 VLANS.
    I am using a Catalyst 4500 (IOS supervisor) and 2950s and 2970s at the closets.
    Thanks for any help...
    Kelvin

    Access Control Lists..I am thinking it is better to apply the ACLs at the closet (access) switches where I can specify the servers that should be reached by the hosts my test VLAN and deny those which they should not.
    I used a named extended ACL for my tests however, it did not go well. With the ACL below applied I cannot reach anything including the server I actually want to reach. My intention was to allow the hosts in the test VLAN 172.16.12.0/24 to reach 2 particular servers and their gateway however with the list applied I cannot reach anything at all. The setup is one 2950 connected to a 4507 the 2 VLANs I am working with are trunked to the 2950 and dhcp is running. I have IP routing enable on the 4507 and it is the server for the VTP domain.
    ip access-list extended guest
    permit ip 172.16.12.0 255.255.255.0 host 172.16.12.1
    permit ip 172.16.12.0 255.255.255.0 host 172.16.2.254
    permit udp 172.16.12.0 255.255.255.0 host 172.16.2.245 eq 53
    deny ip any any
    Any advice on how I can restrict the hosts which will be on this VLAN from accessing the rest of the network?
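
How IOS evaluates the address/mask pairs in the ACL posted above: in an extended ACL the second field of each pair is a wildcard mask, where a 1 bit means that bit is ignored. This is an added example, not code from the thread; the evaluator, its function names and the `FIXED_ACL` variant written with `0.0.0.255` are assumptions of the example, and it handles only the entry forms used in the post.

```python
import ipaddress

# ACL exactly as posted in the thread.
PAGE_ACL = [
    "permit ip 172.16.12.0 255.255.255.0 host 172.16.12.1",
    "permit ip 172.16.12.0 255.255.255.0 host 172.16.2.254",
    "permit udp 172.16.12.0 255.255.255.0 host 172.16.2.245 eq 53",
    "deny ip any any",
]
# Same entries with the mask written as a wildcard (assumption of this example).
FIXED_ACL = [line.replace("255.255.255.0", "0.0.0.255") for line in PAGE_ACL]


def ip(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """True when addr equals base on every bit the wildcard does not ignore."""
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (ip(addr) & care) == (ip(base) & care)


def addr_spec(tok, i):
    """Read 'any', 'host A' or 'A W' at tok[i]; return ((base, wildcard), next_i)."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2


def parse_entry(line):
    tok = line.split()
    action, proto = tok[0], tok[1]
    src, i = addr_spec(tok, 2)
    dst, i = addr_spec(tok, i)
    port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return action, proto, src, dst, port


def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for line in acl:
        action, entry_proto, s, d, port = parse_entry(line)
        if entry_proto not in ("ip", proto):
            continue
        if port is not None and port != dport:
            continue
        if wildcard_match(src, *s) and wildcard_match(dst, *d):
            return action
    return "deny"


if __name__ == "__main__":
    # Constructed test packets: (protocol, source, destination, destination port).
    packets = [
        ("tcp", "172.16.12.50", "172.16.12.1", 80),
        ("udp", "172.16.12.50", "172.16.2.245", 53),
        ("tcp", "172.16.12.50", "172.16.5.5", 80),
    ]
    for pkt in packets:
        print(pkt, "posted:", evaluate(PAGE_ACL, *pkt),
              "wildcard form:", evaluate(FIXED_ACL, *pkt))
```

With the mask written as 255.255.255.0 the source field matches any address whose last octet is 0, so ordinary hosts in 172.16.12.0/24 fall through to the final deny.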

  • ACS 5.1 - RADIUS Proxy Accounting Logs

    Recently I'm using ACS 5.1 to support external RADIUS Servers, and read the manuals to process with the following workflow.
    Install Linux RADIUS Service (this part was tested)
    Install FreeRADIUS Service
    Add new linux user account
    Cisco ACS 5.1
    Add External RADIUS servers
    Network Resources -> External RADIUS Servers
    Add information.
    Add RADIUS Proxy Service
    Access Policies -> Access Services
    Create with User Selected Service Type , RADIUS Proxy
    Advanced Options -> Accounting
    Remote Accounting and Local Accounting enabled
    Access Policies -> Access Services -> Service Selection Rules
    Create #1 rule , Conditions : match Radius , Results : RADIUS Service
    Add Network Resources for accepting network
    Network Device Groups -> Network Devices and AAA Clients
    Enable RADIUS Debug Messages
    System Administration > Configuration > Log Configuration  > Logging Categories > Global > Edit: "RADIUS Diagnostics"
    Configure Log Category Log Severity : DEBUG
    Add 3GPP VSA
    Send out Radius Accounting Packet to ACS
    ACS got the Packet, but didn't redirect to External Radius Server
    I got this message from ACS 5.1
    Others is 'Failed to forward request to current remote RADIUS server; an invalid response was received.' in the iv.csv file.
    There are two problems.
    RADIUS Accounting Packets didn't redirect to external server, but it works without proxy. (Auth is ok.)
    Other Attributes didn't collect all information, even though the debug is enabled.

    Hi Steve,
    The shared secret is 100% correct.
    Finally I find out that there may be some white lists for attributes.
    If I keep NAS-Identifier , it will work.
    But it can't pass all VSA (3GPP sub-attributes) , it only shows one or three in BOTH ACS and RADIUS Server.
    The other is the RADIUS VSA User Define Options (which is in SA > C > D > P > RADIUS > RADIUS VSA > Edit ) .
    When 'Vendor Length Field Size' changes to 0, all sub-attributes pass through ACS.
    The RADIUS Server gets the message from NSA.
    Of course, there is the Proxy-State attribute.
    In this condition, the ACS has incorrect output in the sub-attribute.
    Now I try 5.2 to see whether the problem exists or not.

  • ACS 5.1 RADIUS Proxy - Adding RADIUS attributes

    Is there anyway under ACS 5.1 to add RADIUS attributes to outgoing RADIUS proxy auth requests or failing this to RADIUS proxy accounting updates?
    As soon as I configure a RADIUS proxy services, there is little config I can do other than to say whether or not the prefix and suffix is to be stripped.
    I can add these attributes if using an external RADIUS box as an identity store, but I cannot do this for this particular service and instead I need to use RADIUS proxying.
    Thanks
    Paul

  • Using a BM 3.8 RADIUS Server to Assign Users to VLANs

    I'm trying to use Bordermanager 3.8 RADIUS to assign VLANs to users. The
    users are accessing the network via Cisco 1100 Aironet Wireless Access
    Points. We have defined two VLANs on the network. One goes directly to
    the internet for GUEST, VLAN1, and the other goes to our private network
    MEMBERS, VLAN2. The problem I'm having is getting the RADIUS to assign
    attributes to the user accounts. I need attribute: IETF 64 (Tunnel Type)
    set to VLAN, IETF 54 (Tunnel Medium Type) set to 802, and IETF (Tunnel
    Private Group ID) set the VLAN-ID which is 1 or 2. These attribute are
    not available in the RADIUS.ATR file. Is there some way of editing the
    ATR file to add these attributes? Is there another solution to assign
    VLANs with Bordermanager?

    > I need attributes: IETF 64 (Tunnel Type) set to VLAN, IETF 65 (Tunnel
    Medium Type) set to 802, and IETF 81 (Tunnel Private Group ID) set the
    VLAN-ID which is 1 or 2. These attribute are not available in the
    RADIUS.ATR file. Is there some way of editing the ATR file to add these
    attributes? Is there another solution to assign VLANs with Bordermanager?

  • Configuring AAA network client on ACS v5.1 using the same RADIUS attributes from ACS v3.3

    Hello,
    I was wondering if I should use the same RADIUS VSA attribute on ACS v5.1 to authenticate AAA clients as those I was using on my old ACS v3.3 server.
    Example: under ACS v3.3 I was using RADIUS (Cisco Aironet) attribute to authenticate AP & WLC, should I do the same under ACS v5.1?
    Best regards.

    Hello,
    When defining AAA client on the new ACS 5.x server you just select TACACS+ or RADIUS. We no longer define the RADIUS "vendor"/"VSA" when creating the AAA Client entry. All AAA client would be defined as RADIUS or TACACS+ only.
    If you were using specific VSA Attributes then you need to send those attributes back configuring Authorization Profiles on the ACS 5.x. You will find the specific VSA attributes there. Refer to the following screenshots:
    And here are the available attributes for the ACS for RADIUS Aironet:

  • ACS Radius + Peap + MSChapV2

    I am using a wireless setup
    Aironet 1100, ACS 4.0, 3rd party Client adapter
    I am able to connect to my wireless network by keying in username&pass created on the ACS user setup. Also by using a self signed certificate from the ACS.
    Doubts: In ACS logs - Radius accounting is empty.
    Failed attempts.csv shows "Authen failed, EAP-TLS or PEAP authentication failed during SSL handshake"
    But i am able to authenticate my users successfully into the wireless network. What went wrong?

    Hi
    Try enabling the Passed Authentications report and see what's in there. It could be that the failure is perhaps purely transient and rectified by a subsequent attempt.
    For example a re-key authentication requires SSL state on the ACS, it could be that the supplicant and ACS have to revert to performing a full authentication.
    I'm guessing but it is entirely possible to have entries in the failed attempts and still get access.
    Darran
