Add RADIUS attributes under "Group Setup" in ACS 4.2

Hi Security Experts,
I need to add RADIUS attributes for a custom vendor under "Group Setup" page in ACS 4.2. As of now, I see Cisco Aironet RADIUS Attributes,
IETF RADIUS Attributes etc in "Group Setup" page. How can I make sure that the RADIUS attributes for a vendor also appear on that page?
PS: I rate useful posts
Thanks,
Kashish

Under "Interface" you can enable which RADIUS-Attributes you want to display. Probably there's just one checkmark missing for your vendor.
The Options for RADIUS are described here:
http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/A_RADAtr.html

Similar Messages

  • ACS 4.2 - add RADIUS Attributes

    Hello,
    I want to add a RADIUS attribute to Radware devices, so I will have the option to grant "read only" permission to users.
    As I understand it, I need to add a VSA for the "read only" permission, or configure a specific "Service-Type value 255".
    In the following picture you can see the required information from Radware:
    Thanks

    anyone know of that?
    Thanks

  • How to add an attribute to "group" element in the DataTemplate dataStructur

    Hi,
    I want to add an attribute to the group element in the dataStructure section of DataTemplate. I want my output XML file to look like:
    <G_EMP xmlns:xsd="http://www.w3.org">
    <ENAME>John</ENAME>
    </G_EMP>
    This can be done in Oracle Reports 6i by setting a value to the XMLTag attribute in the property palette of the G_EMP group in the report. Please let me know if there is a way to do the same in the Data Template.
    So far I've observed only three attributes that can be used with the group element (name, dataType, source). Is there any other attribute that I can use to get the aforementioned XML structure?

    Moved to the LiveCycle Designer forum: http://forums.adobe.com/community/livecycle/livecycle_modules_and_development_tools/livecycle_designer_es?view=discussions

  • ACS 5.1 RADIUS Proxy - Adding RADIUS attributes

    Is there any way under ACS 5.1 to add RADIUS attributes to outgoing RADIUS proxy auth requests or, failing this, to RADIUS proxy accounting updates?
    As soon as I configure a RADIUS proxy service, there is little config I can do other than to say whether or not the prefix and suffix are to be stripped.
    I can add these attributes if using an external RADIUS box as an identity store, but I cannot do this for this particular service and instead I need to use RADIUS proxying.
    Thanks
    Paul

    Hi Steve,
    The shared secret is 100% correct.
    Finally I found out that there may be some white lists for attributes.
    If I keep NAS-Identifier, it will work.
    But it can't pass all VSAs (3GPP sub-attributes); it only shows one or three in BOTH ACS and RADIUS Server.
    The other is the RADIUS VSA User Define Options (which is in SA > C > D > P > RADIUS > RADIUS VSA > Edit).
    When 'Vendor Length Field Size' changes to 0, all sub-attributes pass through ACS.
    The RADIUS Server gets the message from NSA.
    Of course, there is the Proxy-State attribute.
    In this condition, the ACS has incorrect output in the sub-attribute.
    Now I try 5.2 to see whether the problem exists or not.

  • Why RADIUS is not listed on ACS "Group Setup" list ?

    On ACS 3.3, I go to main menu,
    I choose "Interface Configuration".
    I make sure that "IETF RADIUS Attributes" is selected.
    Then I refresh the browser, I go to "Group Setup".
    On the top of the page, I attempt to pick "RADIUS" configuration. However it doesn't appear listed there.
    As you can see on the attached bitmap, only few options are available even though I selected a number of them from User Interface as an exercise.
    Please note that I already mapped a couple of Windows groups to the respective ACS Groups so
    that I configure VPN and Wireless authentication.
    Any idea what am I missing here ?
    Why RADIUS configuration option doesn't show up ?
    I already attempted to close and relaunch ACS Admin,
    no progress.

    In fact I don't recall I added a "RADIUS device";
    Is that just a configuration or do I need to physically connect a special server there ?
    Sorry for my ignorance, but I thought that the ACS server I am working on would be the provider of RADIUS services ? Can you clarify that ?

  • ACS 5.5 Radius Attribute not listed in Radius Directory

    Hello Community,
    I am evaluating Cisco ACS 5.5, and I am trying some scenarios for my company.
    I have to authenticate an IP phone. Here I need one VLAN tagged and one VLAN untagged.
    In the authorization profile you can add the RADIUS attributes. We have HP switches and I need the attribute with the ID-56, but this ID is not listed in the Authorization Profiles --> Radius Attributes --> select part.
    But it is listed under System Administration --> Configuration --> Dictionaries --> Protocols --> Radius --> Radius IETF.
    Can somebody tell me how I can select this attribute under Authorization Profiles --> Radius Attributes --> select part?
    Thanks a lot
    regards

    Hi
    As you are using HP switches, certain advanced use cases, such as those that involve posture assessment, profiling, and web authentication, are not consistently available with non-Cisco devices or may provide limited functionality, and are therefore not supported with non-Cisco devices.
    For more information regarding Authorization profile configuration, please go through the following link:
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/user/guide/acsuserguide/pol_elem.html

  • ACS 4.2 Windows Radius Attributes for VPN-dial-in

    Hello,
    The situation:
    A remote user establishes a VPN connection (AnyConnect) to an ASA 8.4, the ASA forwards authentication to ACS 4.2, and ACS should assign an IP address from an address pool depending on group membership (LDAP).
    The problem:
    The user gets an IP config with a default gateway which is always the 3rd address of the IP pool (IP pools are /28 ranges); the mask is OK (/32).
    In the ASA log I can see a message:
    %ASA-6-110002: Failed to locate egress interface for protocol from src interface:src IP/src port to dest IP/dest port
    I've assigned the following attributes:
    IP Assignment: Assigned from AAA server pool (the corresponding pool is selected)
    IETF Radius Attributes:
    006 Service Type: Framed
    007 Framed Protocol: ppp
    009 Framed-IP-Netmask: 255.255.255.255
    (not sure about) 022 Framed-Route: 0.0.0.0
    025 Class: <Group-Policy of ASA>
    Does any of you know what I'm doing wrong?
    On the ASA I can't find any settings.
    Thanks for any advice

    O'Brien Simon
    Did you manage to get a reply to your question about the timeout period for dynamic users in ACS 4.2 ?  As this is what I was about to ask but noticed your post.
    Many thanks
    florrieford

  • [Cisco ACS] 11036 The Message-Authenticator RADIUS attribute is invalid

    Hi,
    I got many Cisco AP which are linked to 2 Cisco WLC.
    On each WLC, I configured a primary and a secondary RADIUS Server.
    RADIUS servers are Cisco ACS 5.2.0.26 (patch 10)
    Primary and secondary ACS configurations are synchronized.
    There are no problem between primary WLC and Cisco ACS (primary and secondary).
    When secondary WLC requests primary Cisco ACS, I get this error "11036 The Message-Authenticator RADIUS attribute is invalid"
    Secondary WLC automatically contacts secondary Cisco ACS and it works fine.
    Cisco ACS description for this error: "This maybe because of mismatched Shared Secrets."
    The two Cisco ACS are synchronized so I should have same error on them...
    Why does primary ACS generate this error?
    Thanks for your help,
    Patrick

    Tarik Admani wrote:
    Amjad,
    That is a good observation, shouldn't 7.3 (which recently released) help put these types of issues to rest? I hear that the configuration can now be replicated from one controller to the next in a failover setup.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*
    Yes. That is a good point.
    With 7.3 you can use high availability (HA) between two WLCs and you can configure only one WLC (the primary) and all the configuration can be replicated and synced to the other WLC (the secondary).
    The two WLCs in the HA must be on same subnet though. Otherwise hot-standby HA between WLCs can't be used.
    Rating useful replies is more useful than saying "Thank you"
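
The check behind the "11036 The Message-Authenticator RADIUS attribute is invalid" error quoted in the thread above, as an added example that is not part of the original posts and not Cisco code. It follows the Access-Request rule (HMAC-MD5 over the packet with the attribute's value zeroed, keyed with the shared secret); the secrets, user name and NAS identifier are constructed.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
MESSAGE_AUTHENTICATOR = 80  # attribute type; value is a 16-octet HMAC-MD5


def build_access_request(identifier, request_auth, attrs, secret):
    """Build an Access-Request and sign it with Message-Authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    body += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)  # zeroed placeholder
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    packet = bytearray(header + request_auth + body)
    # HMAC-MD5 over the whole packet, keyed with the shared secret
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def verify_message_authenticator(packet, secret):
    """Return True only if the packet's Message-Authenticator matches secret."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    zeroed, received, pos = bytearray(packet), None, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                raise ValueError("Message-Authenticator must be 18 octets")
            received = packet[pos + 2:pos + 18]
            zeroed[pos + 2:pos + 18] = bytes(16)
        pos += attr_len
    if received is None:
        return False  # attribute absent: nothing to validate against
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


# Constructed sample: one request signed by a NAS, checked with two secrets.
NAS_SECRET = b"constructed-secret-A"
SAMPLE = build_access_request(
    7, bytes(range(16)), [(1, b"alice"), (32, b"constructed-wlc-2")], NAS_SECRET)

if __name__ == "__main__":
    print("same secret: ", verify_message_authenticator(SAMPLE, NAS_SECRET))
    print("other secret:", verify_message_authenticator(SAMPLE, b"constructed-secret-B"))
```

Because the secret is configured per client entry on the server, two requests carrying identical attributes can validate for one NAS and fail for another when only one of the client entries holds a different secret.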

  • Adding VSA Attributes under /Radius/Profiles

    Product
    Cisco Access Registrar (Standard Version)
    AR-Standard 3.5
    AR-CPU 3.5
    How to add a VSA under
    [ //localhost/Radius/Profiles/Test-Profile/Attributes ]
    From User-guide
    According to Table A-1 Tcl Attribute Dictionary Methods
    addProfile
    $dict addProfile <profile> [<mode>]
    Copies all of the attributes in the profile <profile> into the dictionary. Note, <profile> must be the name of one of the profiles listed in the server configuration
    Can we get more info on how to configure the Profiles.
    Thanks,
    Santosh

    You've probably meant "how to add an attribute, for example VSA"
    So under:
    /localhost/Radius/Profiles/Test-Profile/Attributes
    use:
    set Cisco-SSG-Account-Info test
    (or any other attribute, in this example Cisco VSA was used)
    --> ls
    [ /localhost/Radius/Profiles/Test-Profile/Attributes ]
    Cisco-SSG-Account-Info = test
    The excerpt from user guide you have provided is used in TCL scripts and it's not relevant to your problem.
    I assume you already have your VSA defined in the attribute dictionary.

  • Add RADIUS IETF attribute to ISE System Dictionary

    Hello
    I'm looking to migrate an ACS5.4 config to ISE. Part of the ACS5.4 config involves:
    define a RADIUS IETF attribute in the ACS RADIUS dictionary
    inject this attribute into RADIUS requests that are proxied to another RADIUS server.
    This works fine in ACS but I can't Add/Modify attributes in the ISE System RADIUS IETF dictionary. Is this functionality roadmapped for ISE?
    Thanks
    Andy

    Forgot to mention that I'm currently using ISE 1.1.3. I found the following in the new ISE 1.2 documentation:
    Cisco ISE also creates dictionary defaults for the IETF RADIUS set of attributes that are also a part of
    the system-defined dictionaries, which are defined by the Internet Engineering Task Force (IETF). You
    can edit all free IETF RADIUS attribute fields except the ID.
    I'll upgrade and see if I can edit the attribute that I need.

  • ACS 3.3 Send Radius Attribute 135 & 136

    Hi
    I need an ACS box to return IETF RADIUS attributes 135 & 136 to a NAS for the assignment of DNS servers to clients.
    The ACS 3.3 user guide lists these as supported IETF RADIUS Attributes however they don't seem to be available under Interface Configuration--> Radius IETF.
    Would anyone know how I can enable these ?
    Thanks
    Leon

    Hi Leon,
    That is quite strange. You should have those attributes.
    As you mentioned you have ACS SE, if you could console into it. Issue command,
    stop csadmin
    start csadmin
    Or rebooting ACS SE will re-start the CSAdmin server.
    If you are restarting services from System Configuration > Service Control, then that won't restart the CSAdmin service.
    Give that a try.
    Regards,
    Prem

  • How to add attribute to groups.

    When I add a group, Identity asks me for the name of the group and the members to subscribe. I need to add an attribute to groups, an attribute that does not exist in groupsofuniquenames.
    Thanks

    Hi Venkat,
    We don't make any design changes in the production box. Usually you make changes in the Development box, then transport that object with a request to the Quality box. You test the changed object there; if no inconsistencies are found, you transport the object to the Production box with the same request.
    In the development box, if you want to add the new attribute to the characteristic, you need to delete the complete data in the characteristic.
    Thanks
    Sreekanth

  • Cisco 2960-X & ISE accounting- username Radius attribute missing

    Hi,
    I'm facing an issue with Cisco 2960 switch RADIUS accounting with Cisco ISE 1.2.1. Here is my scenario:
    - Username (vendor1) is configured in the ISE local database, under group (VENDOR)
    - Authentication protocol: wired MAB
    - Authentication method: webauth using the guest portal. The user is a vendor, so no dot1x is configured on his NIC.
    The problem is that the switch is not sending the username as part of the RADIUS attributes. In the authentication log, the username is shown as the MAC address of the user machine; therefore, I cannot configure my authorization condition using internaluser:Name Equal vendor1,
    while if I configure the condition using the identity group condition IdentityGroup:Name Equal VENDOR, it works.
    The same configuration is working on a 3750 switch with no issue.
    Here is my Switch config:
    aaa authentication login default local
    aaa authentication dot1x default group radius
    aaa authorization network default group radius 
    aaa authorization auth-proxy default group radius 
    aaa accounting auth-proxy default start-stop group radius
    aaa accounting dot1x default start-stop group radius
    aaa accounting update periodic 5
    username admin password 
    username radius-test password 
    aaa server radius dynamic-author
     client 172.16.2.20 server-key 7 04490A0206345F450C00
     client 172.16.2.21 server-key 7 03165A0F0F1A32474B10
    radius server ISE-RADIUS-1
     address ipv4 172.16.2.20 auth-port 1812 acct-port 1813
     automate-tester username radius-test idle-time 15
     key 7 111B18011E0718070133
    radius server ISE-RADIUS-2
     address ipv4 172.16.2.21 auth-port 1812 acct-port 1813
     automate-tester username radius-test idle-time 15
     key 7 0214055F02131C2A4957
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server attribute 31 mac format ietf upper-case
    radius-server attribute 31 send nas-port-detail
    radius-server dead-criteria time 5 tries 3
    radius-server vsa send accounting
    radius-server vsa send authentication
    any help  !!!

    Thanks for your reply. I know what MAB is. If you read my explanation again, I mentioned that the user is authenticated in the guest portal, which means that I have web authentication, and it is working fine. The only issue is that I cannot use the vendor1 username as part of the authorization condition, and this is because the switch is not sending RADIUS attribute type 1 to the ISE; thus, in the ISE authentication log the MAC address of the client machine is shown as the username, not the actual username (vendor1).
    As I mentioned also, I have exactly the same setup with ISE 1.2 and a 3750 switch and I do not have this issue. I experience this with the 2960x only.

  • Parse Error: Reason - Radius attribute not outbound

    I am trying to add the RADIUS IETF Attribute - 'Login-LAT-Group' to a user using RDBMS sync but unable to do so.
    I see the below error in the ACS logs - 
    Parse Error: Reason - Radius attribute not outbound
    What am I missing ?

    Refer " outbound radius attributes"
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/3.3/user/guide/ad.html

  • CAR radius attributes

    hello,
    We have a Cisco Access Registrar and it works great with a Cisco asn-gateway. We have the CAR server give out an SLA profile when it authenticates a device (the authentication is done using the domain name on the device). The SLA profile is matched with the QoS info on the asn-gateway router and thus the service flow is created. We are trying out another vendor called Wichorus for their asn-gateway. Under their config the router is expecting back a couple of RADIUS attributes to set up the service flow with the proper QoS info. These are the values it is expecting back:
    service-data-flow-id
    service-profile-id
    I was wondering if anyone has had any luck with different radius attributes on the CAR. This is what Wichorus has configured on their AAA server for a certain profile:
             Wimax-PFD := 0x01,
             Wimax-PDFID := 1,
             Wimax-SDFID := 1,
             Wimax-SProfileID := 1
    CAR ver  - 4.2.2
    Thanks.

    You mean add your own custom attribute?
    Vanilla or Vendor Specific?
    I'm 99% sure you can't do this because
    1) what would the router do with it?
    2) Most IETF no's are used already
    3) You can't add new Cisco VSAs
    4) A Cisco device won't like you adding non Cisco VSAs
