Adding RADIUS VSAs on ACS 3.2 SE
I have tried to add a VSA to enable a Packeteer to authenticate using RADIUS on the ACS.
I am using RDBMS synchronization to import the CSV file below.
SequenceId,Priority,GroupName,Action,ValueName,Value1,Value2,Value3
1,1,External,163,26,access=look,2334,1
The group name is 'External', Action is 163 which corresponds to ADD_RADIUS_ATTR.
From RDBMS Synchronization Import Definitions (http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs32/user/ag.htm#wp35130):
To add a vendor-specific attribute (VSA), set VN = "26" and use V2 and V3 as follows:
V2 = IETF vendor ID (which in this case is 2334)
V3 = VSA attribute ID (1)
V1 = In this case 'access=look'
After a couple of attempts I got the format correct but when I try and import the file I don't get an "INFO" message in the "Reports" section of the ACS indicating that the process was successful. I don't get any message at all, WARNING, ERROR or INFO.
From the FTP server I can confirm that the file was transferred.
What I should get is an INFO message similar to:
08/30/2004 16:27:50 INFO Sync complete: 1 transaction(s) 0 parse error(s) 0 process error(s)
Any ideas as to what is wrong would be much appreciated.
Cheers,
Aylmer.
Hi, you need to import the RADIUS VSA for Packeteer from their site.
The link to the steps shown below is (it might require you to subscribe and log in):
https://packeteer.custhelp.com/cgi-bin/packeteer.cfg/php/enduser/std_adp.php?p_faqid=399&p_created=1046793530&p_sid=gszcDFBh&p_lva=&p_sp=cF9zcmNoPTEmcF9zb3J0X2J5PWRmbHQmcF9ncmlkc29ydD0mcF9yb3dfY250PTImcF9wcm9kcz0wJnBfY2F0cz0wJnBfcHY9JnBfY3Y9JnBfc2VhcmNoX3R5cGU9YW5zd2Vycy5zZWFyY2hfZm5sJnBfcGFnZT0xJnBfc2VhcmNoX3RleHQ9YWNz&p_li=&p_topview=1
In any case the same content is copied below:
The steps on how to do them are listed here.
Create a User Defined Vendor
First, you need to create a User Defined Vendor.
1. Create a text file (packet.ini) and enter the following:
[User Defined Vendor]
Name=Packeteer
IETF Code=2334
VSA 1=Packeteer-AVPair
[Packeteer-AVPair]
Type=STRING
Profile=OUT
2. Name the file packet.ini.
Add the Vendor to the Database
Next, you need to add the above vendor to the database.
1. Go to the command prompt, and change the directory to the Cisco Secure utils directory (typically C:\Program Files\CiscoSecure ACS v3.0\Utils).
2. The instructions below install the vendor into User Defined slot 0. If you have other vendors, you need to change this number to a free slot. To see a list of slots and their assignments, use the csutil -listudv command. For example:
C:\Program Files\CiscoSecure ACS v3.0\Utils>csutil -listudv
CSUtil v3.0(2.5), Copyright 1997-2002, Cisco Systems Inc
UDV 0 - Unassigned
UDV 1 - Unassigned
UDV 2 - Unassigned
UDV 3 - Unassigned
UDV 4 - Unassigned
UDV 5 - Unassigned
UDV 6 - Unassigned
UDV 7 - Unassigned
UDV 8 - Unassigned
UDV 9 - Unassigned
3. Run csutil -addudv to add Packeteer to UDV (User Defined Vendor) slot 0 or the next open slot.
C:\Program Files\CiscoSecure ACS v3.0\Utils>csutil -addudv 0 c:\temp\packet.ini
CSUtil v3.0(2.5), Copyright 1997-2002, Cisco Systems Inc
Adding or removing vendors requires ACS services to be re-started.
Please make sure regedit is not running as it can prevent registry
backup/restore operations
Are you sure you want to proceed? (y/n)y
Parsing [c:\temp\packet.ini] for addition at UDV slot [0]
Stopping any running services
Creating backup of current config
Adding Vendor [Packeteer] added as [RADIUS (Packeteer)]
Adding VSA [Packeteer-AVPair]
Done
Checking new configuration...
New configuration OK
Re-starting stopped services
Verify that Packeteer was added.
C:\Program Files\CiscoSecure ACS v3.0\Utils>
C:\Program Files\CiscoSecure ACS v3.0\Utils>csutil -listudv
CSUtil v3.0(2.5), Copyright 1997-2002, Cisco Systems Inc
UDV 0 - RADIUS (Packeteer)
UDV 1 - Unassigned
UDV 2 - Unassigned
UDV 3 - Unassigned
UDV 4 - Unassigned
UDV 5 - Unassigned
UDV 6 - Unassigned
UDV 7 - Unassigned
UDV 8 - Unassigned
UDV 9 - Unassigned
4. Return to ACS Admin and select Network Configuration.
From the main screen select Network Configuration and add the PacketShaper by supplying the AAA client Hostname, IP address and Key. Scroll through the Authenticate Using choices and select RADIUS (Packeteer).
5. From the main screen select User Setup and enter a user name for a Touch or Look access user to the Packet Shaper. Supply the PAP/CHAP password. Leave other fields at defaults and scroll to the bottom of the form. Be sure the Packeteer-AVPair box is selected and supply either "access=touch" or "access=look" in the available entry space.
Similar Messages
-
ACS 5.1 RADIUS Proxy - Adding RADIUS attributes
Is there anyway under ACS 5.1 to add RADIUS attributes to outgoing RADIUS proxy auth requests or failing this to RADIUS proxy accounting updates?
As soon as I configure a RADIUS proxy services, there is little config I can do other than to say whether or not the prefix and suffix is to be stripped.
I can add these attributes if using an external RADIUS box as an identity store, but I cannot do this for this particular service and instead I need to use RADIUS proxying.
Thanks
Paul
Hi Steve,
The shared secret is 100% correct.
Finally I found out that there may be some whitelists for attributes.
If I keep NAS-Identifier, it will work.
But it can't pass all VSAs (3GPP sub-attributes); it only shows one or three in BOTH ACS and the RADIUS server.
The other is the RADIUS VSA User Define Options (which is in SA > C > D > P > RADIUS > RADIUS VSA > Edit).
When 'Vendor Length Field Size' changes to 0, all sub-attributes pass through ACS.
The RADIUS server gets the message from the NAS.
Of course, there is the Proxy-State attribute.
In this condition, the ACS has incorrect output in the sub-attribute.
Now I am trying 5.2 to see whether the problem exists or not. -
RADIUS VSAs for Airespace and ACS 3.3
How/Where do we get the RADIUS VSA downloads for ACS 3.3 for the Airespace hardware?
I can only find reference to them in ACS 4.0 documentation.
Did you manage to get these???
Cheers,
Dean -
Add new OPNET VSA in ACS 4.2
I need to add OPNET Radius attributes in ACS 4.2. How should I add a new VSA in ACS? The google search is pointing me to CSUtil.exe, and I cannot find this utility in the ACS install files.
These are the values that I need added for OPNET.
When configuring the RADIUS server to support the ACE Live Appliance, use the following Vendor Code and Vendor Specific Attribute (VSA):
Vendor Code: 7119
VSA: 33
Thanks for your help.
Fasih
Well, well, well, you can use the RDBMS synchronization feature to add the new custom vendor to ACS with its custom attributes that complement the standard IETF list.
What you need to do is define the accountactions.csv file with the actions needed to add the new custom vendor as well as its attributes.
For a reference on how to build the accountactions.csv file please check the following link:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/A_RDBMS.html#wp148322
Walk through the whole chapter described above.
One more thing: you need to find the dictionary file for OPNET with their custom attributes.
If you need the fish, just provide the dictionary file and I will make the file for you.
Please make sure to rate correct answers -
APC (UPS) RADIUS authentication with ACS 5.X
I am trying to do RADIUS authentication for APC (UPS) using ACS 5.2 Appliance. It is working fine with ACS 4.2, but unfortunately not with ACS 5.2. I tried creating RADIUS VSA (Vendor Specific Attributes) for APC in ACS 5.2.
According to the APC dictionary file
VENDOR APC 318
# Attributes
ATTRIBUTE APC-Service-Type 1 integer APC
ATTRIBUTE APC-Outlets 2 string APC
VALUE APC-Service-Type Admin 1
VALUE APC-Service-Type Device 2
VALUE APC-Service-Type ReadOnly 3
# For devices with outlet users only
VALUE APC-Service-Type Outlet 4
I have added the attributes in blue (attached); how do I add the VALUEs (shown in red) in ACS 5.2? What else should I do to get this working?
The hit count on the ACS shows that it is getting authentication request from the APC appliance.
Thanks in advance.
Hi,
I am working on the same issue and I managed to log in (using LDAP A/D backend authentication). When using the standard RADIUS attribute Service-Type (1 for read-only and 6 for admin) I managed to get this working. I am however trying to use the APC VSAs (as above) without any success. The objective is to have outlet management for specific users, admin or read-only for others. Did you manage to get this working, and how?
./G -
Hello,
I was wondering if I should use the same RADIUS VSA attribute on ACS v5.1 to authenticate AAA clients as the one I was using on my old ACS v3.3 server.
Example: under ACS v3.3 I was using the RADIUS (Cisco Aironet) attribute to authenticate AP & WLC; should I do the same under ACS v5.1?
Best regards.
Hello,
When defining an AAA client on the new ACS 5.x server you just select TACACS+ or RADIUS. We no longer define the RADIUS "vendor"/"VSA" when creating the AAA Client entry. All AAA clients are defined as RADIUS or TACACS+ only.
If you were using specific VSA Attributes then you need to send those attributes back configuring Authorization Profiles on the ACS 5.x. You will find the specific VSA attributes there. Refer to the following screenshots:
And here are the available attributes for the ACS for RADIUS Aironet: -
Set-up Radius Server to ACS 4.2 and AD server
Hi Guys,
I would like to ask for your help on how to set up a RADIUS server in ACS 4.2 (step-by-step guide or link). Wireless clients will be authenticated via Active Directory when connecting to our wireless AP, so our wireless AP is added as a client to the RADIUS server.
Thanks in advance!
regards,
Gagamboy
Hi Colin,
thanks for your answer, we had this setting correct. I was able to solve the problem yesterday; we had some faults in the AD mapping.
I didn't know that when I select more AD groups for one ACS group in one step, the user / host has to be in every one of these AD groups (AND conjunction).
Now I only added one AD group for my ACS group and it works. The error message "AD user restriction" was not very helpful for finding this fault ;-)
Regards
Dominic -
Pack and unpack Radius VSA attributes
Hi
As far as I know there are some methods to pack RADIUS VSA attributes. Here they are:
1. As part of Cisco-AVPair:
26 - VSA
Length
9 - Vendor ID
1 - Vendor Type (Cisco-AVPair Attribute ID)
Attribute Name=Value
2. In the Vendor Specific attribute ("through attribute ID"), with the attribute name in the value:
26 - VSA
Length
9 - Vendor ID
2 - Vendor Type (Attribute ID)
Vendor Length
Attribute Name=Value
3. In the Vendor Specific attribute ("through attribute ID"), value only:
26 - VSA
Length
9 - Vendor ID
2 - Vendor Type (Attribute ID)
Value
i.e. with the attribute name and without.
How to understand which attribute needs attribute name in value string?
For example:
26|Length|9|2|Vendor Length|1|h323-incoming-conf-id=82b5fc8cd6f411dfa3c6080027716a9a
26|Length|9|2|Vendor Length|35|h323-incoming-conf-id=82b5fc8cd6f411dfa3c6080027716a9a
26|Length|9|2|Vendor Length|35|82b5fc8cd6f411dfa3c6080027716a9a
Which of the methods is right?
Hi,
For the specific VSA you used in the example (h323-incoming-conf-id), (1) is the correct encoding, since Cisco VSA vendor type 1 (also more commonly referred to as Cisco AV Pair) is always encoded in strings with the format "attribute=value". This applies to other Cisco VSAs that use string encoding as well. For VSAs that don't use string encoding, e.g. fax-pages (vendor type 5, encoding integer), it typically doesn't include the value. You should be able to check that against the vendor dictionary to confirm. Please also see:
http://www.cisco.com/en/US/docs/ios/voice/cdr/developer/guide/cdrdefs.html
Thanks,
Wen -
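As an added example (not code from this thread), a small Python packer and unpacker for RADIUS attribute 26 that shows the layouts discussed above: the Vendor-Length byte that delimits sub-attributes, the "Vendor Length Field Size = 0" variant from the 3GPP message earlier on this page (no length byte, so only one sub-attribute can be carried and a sender that still emits length bytes is misparsed), and the Cisco "name=value" string convention. The vendor type numbers (1 for cisco-avpair, 35 for h323-incoming-conf-id, 5 for fax-pages) are taken from the question and the answer; the sample conf-id is the one from the question.

```python
import struct

VSA_TYPE = 26          # RFC 2865 Vendor-Specific attribute
CISCO_VENDOR_ID = 9    # vendor ID used throughout the thread


def _encode_value(value):
    # Integer VSAs are 4-byte big-endian; string VSAs are the raw bytes of the text.
    return struct.pack("!I", value) if isinstance(value, int) else value.encode()


def pack_vsa(vendor_id, subattrs, vendor_length_field=True):
    """Build one attribute 26 from [(vendor_type, value), ...].

    Layout: Type=26 | Length | Vendor-Id (4) | {Vendor-Type | Vendor-Length | Value}...
    vendor_length_field=False omits the Vendor-Length byte (the ACS dictionary
    option 'Vendor Length Field Size = 0'); only one sub-attribute fits then,
    because nothing marks where the next one would start.
    """
    if not vendor_length_field and len(subattrs) != 1:
        raise ValueError("without a vendor length field only one sub-attribute fits")
    body = struct.pack("!I", vendor_id)
    for vtype, value in subattrs:
        payload = _encode_value(value)
        body += bytes([vtype])
        if vendor_length_field:
            body += bytes([2 + len(payload)])   # Vendor-Length counts type+length+value
        body += payload
    length = 2 + len(body)
    if length > 255:
        raise ValueError("attribute 26 exceeds the 255-byte RADIUS attribute limit")
    return bytes([VSA_TYPE, length]) + body


def unpack_vsa(attr, vendor_length_field=True):
    """Return (vendor_id, [(vendor_type, raw_bytes), ...]); reject malformed input."""
    if len(attr) < 7 or attr[0] != VSA_TYPE or attr[1] != len(attr):
        raise ValueError("not a well-formed attribute 26")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    subs, pos = [], 6
    while pos < len(attr):
        vtype = attr[pos]
        if not vendor_length_field:            # the remainder is the single value
            subs.append((vtype, attr[pos + 1:]))
            break
        vlen = attr[pos + 1] if pos + 1 < len(attr) else 0
        if vlen < 2 or pos + vlen > len(attr):
            raise ValueError("bad vendor length at offset %d" % pos)
        subs.append((vtype, attr[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subs


def cisco_string_vsa(vendor_type, name, value):
    """Cisco string VSAs carry 'name=value' in the value itself (type 1 = cisco-avpair)."""
    return pack_vsa(CISCO_VENDOR_ID, [(vendor_type, "%s=%s" % (name, value))])


def decode_cisco_string(raw):
    """Split a Cisco 'name=value' string sub-attribute into (name, value)."""
    text = raw.decode()
    if "=" not in text:
        raise ValueError("Cisco string VSA is not in name=value form: %r" % text)
    name, _, value = text.partition("=")
    return name, value


if __name__ == "__main__":
    conf_id = "82b5fc8cd6f411dfa3c6080027716a9a"          # value from the question
    attr = cisco_string_vsa(35, "h323-incoming-conf-id", conf_id)
    print(attr.hex())
    print(unpack_vsa(attr))
    print(unpack_vsa(pack_vsa(CISCO_VENDOR_ID, [(5, 3)])))  # fax-pages: integer, no name
```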
How to monitor Radius services on ACS 5.4
Hi All,
I want to monitor the RADIUS services of ACS 5.4. In case of failure of any RADIUS service on ACS,
ACS should send an alert to syslog or an email notification.
Is there any way to monitor RADIUS services? Does anyone have any idea how to monitor them?
Regards.
Hi Narinder,
I don't think there is any particular way you can do that, because ACS 5.x doesn't have any particular RADIUS service.
The services which are available and can be viewed through the CLI and GUI are the following:
Database
Management (ACS management subsystem)
Ntpd
Runtime (ACS runtime subsystem)
View-alertmanager
View-collector
View-database
View-jobmanager
View-logprocessor
https://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-ususer/guide/acsuserguide/viewer_sys_ops.html#pgfId-1052845
Cheers
Minakshi -
Adding AAA servers to ACS to use Proxy RADIUS distribution Table
Hello,
I've added two non-ACS RADIUS servers (Radiator) to the AAA servers on Network Config, in order to use them in a proxy distribution table.
I had problems authenticating users through those servers and I did a sniffer trace on the outside interface of the ACS.
What I saw is that ACS sends packets to the AAA server configured as RADIUS on port 1645, not 1812, the expected standard and the port the other servers are listening on. How can I change this behaviour?
Thanks
Gustavo
ACS by default will listen on both ports 1645 and 1812, the two "standard" RADIUS ports. However, when talking to a proxy server it will only send them on 1645, by default. To change this you have to go into the registry and change it as follows:
Under [HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\CiscoAAAv3.x\Hosts\\RADIUS] (where is the server you want to send the 1812 requests to, and note that you may have to add the RADIUS key if it isn't there already), you can add the following:
"authPort"=dword:0000066d <<---- 1645
"acctPort"=dword:0000066e <<---- 1646
"timeout"=dword:00000001
"single connection"=dword:00000000
"strip users"=dword:00000000
You don't need all of them; you can just change the authPort to 1812 (0x714) and acctPort to 1813 (0x715) and you should be good to go. Make sure you reboot the server after making the registry changes. Keys are case-sensitive too, so make sure you type them in EXACTLY as I've shown above. -
Cisco-assign-ip-pool RADIUS VSA is an integer?
Hi all,
I'm trying to configure IP pool selection by RADIUS on ACS 5-3-0-40-7.
So, I went to configuring the cisco-assign-ip-pool (Cisco VSA 218) attribute within some test authorization profile but discovered that cisco-assign-ip-pool is an integer (?!) and (therefore) accepts digits only.
As far as I can remember, we used to put pool *names* within ip:addr-pool (something along those lines: cisco-avpair = "ip:addr-pool=test-pool-1").
So how should we configure the values for this attribute in ACS 5?
If your NAS is "RADIUS (Cisco IOS/PIX)" it will use a Cisco-AVPair attribute with "ip:addr-pool=poolname" inside it.
If your NAS is just about any other RADIUS type, it will use attribute 88, Framed-Pool.
Use the dictionary Radius-Cisco and then select cisco av-pair in the radius authorization profile.
After that configure:
ip:addr-pool=poolname
The pool should be defined on the device itself like ASA. The ACS will only push the name of it.
Jatin Katyal
- Do rate helpful posts - -
Greetings all,
I recently received a SF302-08 to configure and I have to say quite an improvement over the SRW208 I had earlier. One thing bugs me though, with authentication requests it does not send the Service-Request parameter. On our Catalyst switches I have been experimenting with adding vsa keys to the requests and replies but on the SF302-08 I cannot find that feature yet. Can anyone tell me if it is at all possible to add custom or cisco proprietary vsa keys to an authentication request?
Thanks in advance,
Chris Schaatsbergen
That would be a pity, but maybe you can help me get a supported VSA set to work properly. I am using RADIUS VLAN assignment and am unable to get it to work properly.
I am sending the attributes as described but it fails on the Tunnel-Private-Group-ID.
For the Dynamic VLAN Assignment feature to work, the switch requires the following VLAN attributes to be sent by the RADIUS server (as defined in RFC 3580):
[64] Tunnel-Type = VLAN (type 13)
[65] Tunnel-Medium-Type = 802 (type 6)
[81] Tunnel-Private-Group-Id = VLAN ID
VLAN 7 (Guest) is the VLAN that the port should be assigned to, but for the different ways of sending the data I get these results.
"7"
Mar 2 12:53:53 10.1.1.181 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:22:15:8e:a4:ac was rejected on port e1 because Radius accept message does not contain VLAN ID
"Guest"
Mar 2 12:57:36 10.1.1.181 %AAAEAP-W-RADIUSREPLY: Invalid attribute 81 ignored - wrong length
7
Mar 2 13:04:00 10.1.1.181 %AAAEAP-W-RADIUSREPLY: Invalid attribute 81 ignored - cannot decode VLANID
Any thoughts? -
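As an added example (not code from this thread), the three RFC 3580 attributes packed in the RFC 2868 tagged layout (Type, Length, one Tag byte, then a 3-byte integer or a string), plus a simplified decoder that, as the log lines above suggest, accepts only a numeric VLAN ID in attribute 81. The decoder's checks are an assumption about the switch's behaviour, not the SF302-08's actual code.

```python
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6      # Tunnel-Type=VLAN, Tunnel-Medium-Type=802 (RFC 3580)


def pack_tagged_int(attr_type, value, tag=0):
    """RFC 2868 tagged integer: Type | Length=6 | Tag | 3-byte big-endian value."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    return bytes([attr_type, 6, tag]) + struct.pack("!I", value)[1:]


def pack_tagged_string(attr_type, text, tag=0):
    """RFC 2868 tagged string: Type | Length | Tag | string bytes."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    data = str(text).encode()
    return bytes([attr_type, 3 + len(data), tag]) + data


def vlan_accept_attributes(group_id, tag=0):
    """The three attributes an Access-Accept needs for dynamic VLAN assignment."""
    return (pack_tagged_int(TUNNEL_TYPE, VLAN, tag)
            + pack_tagged_int(TUNNEL_MEDIUM_TYPE, IEEE_802, tag)
            + pack_tagged_string(TUNNEL_PRIVATE_GROUP_ID, group_id, tag))


def parse_attributes(blob):
    """Walk a RADIUS attribute list into {type: bytes after the length field}."""
    out, pos = {}, 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("bad attribute length at offset %d" % pos)
        out[atype] = blob[pos + 2:pos + alen]
        pos += alen
    return out


def decode_vlan_id(attrs):
    """Assumed switch-side check: attribute 81 must hold a numeric VLAN ID."""
    if TUNNEL_PRIVATE_GROUP_ID not in attrs:
        raise ValueError("accept message does not contain VLAN ID")
    raw = attrs[TUNNEL_PRIVATE_GROUP_ID]
    if not raw:
        raise ValueError("attribute 81 has wrong length")
    # RFC 2868: a first byte above 0x1F is not a tag but part of the string.
    text = raw[1:] if raw[0] <= 0x1F else raw
    if not text.isdigit():
        raise ValueError("cannot decode VLANID from %r" % text)
    vlan = int(text)
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID %d out of range" % vlan)
    tt = attrs.get(TUNNEL_TYPE, b"")[1:]
    tm = attrs.get(TUNNEL_MEDIUM_TYPE, b"")[1:]
    if tt != b"\x00\x00\x0d" or tm != b"\x00\x00\x06":
        raise ValueError("Tunnel-Type/Tunnel-Medium-Type are not VLAN/802")
    return vlan


def check_accept(blob):
    """Return (vlan_id, 'ok') or (None, reason) for a packed attribute list."""
    try:
        return decode_vlan_id(parse_attributes(blob)), "ok"
    except ValueError as err:
        return None, str(err)


if __name__ == "__main__":
    for group in (7, "Guest"):          # the two encodings tried in the post
        print(group, check_accept(vlan_accept_attributes(group)))
```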
Trying to import VSAs into ACS 1113 4.2
I have some VSAs to import into my 1113 box, but I am stuck before I can even start :-( I have an accountActions.csv file containing some VSAs (this is just a test csv file.) I also have an FTP server that is accessible from the 1113 system.
When at the GUI for the 1113 I do System Configuration --> RDBMS Synchronization I get the RDBSM Synchronization Setup screen all right. I have entered all the parameters associated with the FTP server, and selected manual synchronization. The problem is that there are no entries in the AAA Servers window at the Synchronization Partners section at the bottom, and therefore I can't get the 1113 to retrieve my accountActions.csv file, an action that (I guess) is triggered by clicking on the Synchronize Now button.
I do have an AAA Server defined in the 1113. It's a RADIUS server called Self, not assigned to any NDG.
I guess I do not understand this at all. I just want to import some external VSAs. Do I need to have an external AAA server to accomplish this? If not, how do I get my local Self server to appear in the list of synchronization partners?
The problem was that Self was defined with the wrong type - RADIUS, rather than CiscoSecureACS. Moving on to importing the VSAs.
-
Radius Authentication in ACS 5.2 with AD
Friend,
I have a question about RADIUS authentication with AD. When I log in to the network with a user in AD and I make a mistake in the password, my RADIUS authentication event in ACS 5.2 doesn't show me this log; it only shows the authentication succeeded but doesn't show me the authentication failed. Maybe I must enable some service to show the authentication failed. The voice authentication works fine.
This is the config on the port of the switch:
interface FastEthernet0/12
switchport mode access
switchport access vlan 2
switchport voice vlan 10
authentication port-control auto
authentication host-mode multi-domain
authentication violation protect
authentication event fail action authorize vlan 11
authentication event fail retry 2 action authorize vlan 11
authentication event no-response action authorize vlan 11
authentication periodic
authentication timer reauthenticate 60
mab
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x max-reauth-req 3
spanning-tree portfast
end
Vlan 2: DATA
Vlan 10: VOICE
Vlan 11: GUEST
thank...
Marco
Hi Marco,
When you type in the wrong password, do you see the login fail on the device you entered it on? Depending on how you have configured fallback mechanisms on ACS, an attempt can still be permitted even though the authentication failed.
It would be best to take a look at the authentication steps under the RADIUS authentication log for an attempt you believe should have failed, to see what ACS is doing with the request.
Steve. -
Adding WCS server in ACS for AAA
Hi,
I tried to add WCS into the ACS server and I have done all the required configuration, but WCS is still unable to authenticate through ACS. There is no passed or failed auth report on ACS for WCS users. Can you guide me on how to fix it?
Thanks,
Hassan
Curious... Did you load the WCS attributes from WCS to ACS?
Example:
role0=SuperUsers
task0=Users and Groups
task1=Audit Trails
task2=TACACS+ Servers
task3=RADIUS Servers
task4=Logging
task5=License Center
task6=Scheduled Tasks and Data Collection
task7=User Preferences
task8=System Settings
task9=Diagnostic Information
task10=View Alerts and Events
task11=Email Notification
task12=Delete and Clear Alerts
task13=Pick and Unpick Alerts
task14=Configure Controllers
task15=Configure Templates
task16=Configure Config Groups
task17=Configure Access Points
task18=Configure Access Point Templates
task19=Configure Choke Points
task20=Monitor Controllers
task21=Monitor Access Points
task22=Monitor Clients
task23=Monitor Tags
task24=Monitor Security
task25=Monitor Chokepoints
task26=Mesh Reports
task27=Client Reports
task28=Performance Reports
task29=Security Reports
task30=Location Server Management
task31=View Location Notifications
task32=Maps Read Only
task33=Maps Read Write
task34=Client Location
task35=Rogue Location
task36=Planning Mode
task37=Ack and Unack Alerts
task38=Migration Templates
task39=Configure Spectrum Experts
task40=Monitor Spectrum Experts
task41=Virtual Domain Management
task42=High Availability Configuration
task43=Health Monitor Details
task44=Configure WIPS Profiles
task45=Global SSID Groups
task46=Configure Lightweight Access Point Templates
task47=Configure Autonomous Access Point Templates
task48=Scheduled Configuration Tasks
task49=Configure Location Sensors
task50=Configure ACS View Servers
task51=Auto Provisioning
task52=Monitor Location Sensors
task53=RRM Dashboard
task54=Compliance Assistance Reports
task55=Voice Audit Report
task56=Config Audit Dashboard
task57=Handover Server Management
task58=Monitor Handover Server
task59=Configure Ethernet Switch Ports
task60=Configure Ethernet Switches
task61=Monitor Interferers
task62=Device Reports
task63=Network Summary Reports
task64=Compliance Reports
task65=CleanAir Reports
task66=Report Launch Pad
task67=Run Reports List
task68=Saved Reports List
task69=Report Run History
task70=Automated Feedback
task71=TAC Case Attachment Tool