Adding RADIUS VSAs on ACS 3.2 SE

I have tried to add a VSA to enable a Packeteer to authenticate using RADIUS on the ACS.
Using RDBMS synchronization to import the csv file below.
SequenceId,Priority,GroupName,Action,ValueName ,Value1,Value2,Value3
1,1,External,163,26,access=look,2334,1
The group name is 'External', Action is 163 which corresponds to ADD_RADIUS_ATTR.
From RDBMS Synchronization Import Definitions (http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs32/user/ag.htm#wp35130)
To add a vendor-specific attribute (VSA), set VN = "26" and use V2 and V3 as follows:
•V2 = IETF vendor ID (which in this case is 2334)
•V3 = VSA attribute ID (1)
•V1 = In this case 'access=look'
After a couple of attempts I got the format correct but when I try and import the file I don't get an "INFO" message in the "Reports" section of the ACS indicating that the process was successful. I don't get any message at all, WARNING, ERROR or INFO.
From the FTP server I can confirm that the file was transferred.
What I should get is an INFO message similar to:
08/30/2004 16:27:50 INFO Sync complete: 1 transaction(s) 0 parse error(s) 0 process error(s)
Any ideas as to what is wrong would be much appreciated.
Cheers,
Aylmer.

Hi, you need to import the RADIUS VSA for Packeteer from their site.
The link to the steps is shown below (might require you to subscribe and log in)
https://packeteer.custhelp.com/cgi-bin/packeteer.cfg/php/enduser/std_adp.php?p_faqid=399&p_created=1046793530&p_sid=gszcDFBh&p_lva=&p_sp=cF9zcmNoPTEmcF9zb3J0X2J5PWRmbHQmcF9ncmlkc29ydD0mcF9yb3dfY250PTImcF9wcm9kcz0wJnBfY2F0cz0wJnBfcHY9JnBfY3Y9JnBfc2VhcmNoX3R5cGU9YW5zd2Vycy5zZWFyY2hfZm5sJnBfcGFnZT0xJnBfc2VhcmNoX3RleHQ9YWNz&p_li=&p_topview=1
In any case, the same content is copied below:
Also, the steps on how to do them are listed here
Create a User Defined Vendor
First, you need to create a User Defined Vendor.
1. Create a text file (packet.ini) and enter the following:
[User Defined Vendor]
Name=Packeteer
IETF Code=2334
VSA 1=Packeteer-AVPair
[Packeteer-AVPair]
Type=STRING
Profile=OUT
2. Name the file packet.ini.
Add the Vendor to the Database
Next, you need to add the above vendor to the database.
1. Go to the command prompt, and change the directory to the Cisco Secure utils directory (typically C:\Program Files\CiscoSecure ACS v3.0\Utils).
2. The instructions below install the vendor into User Defined slot 0. If you have other vendors, you need to change this number to a free slot. To see a list of slots and their assignments, use the csutil -listudv command. For example:
C:\Program Files\CiscoSecure ACS v3.0\Utils>csutil -listudv
CSUtil v3.0(2.5), Copyright 1997-2002, Cisco Systems Inc
UDV 0 - Unassigned
UDV 1 - Unassigned
UDV 2 - Unassigned
UDV 3 - Unassigned
UDV 4 - Unassigned
UDV 5 - Unassigned
UDV 6 - Unassigned
UDV 7 - Unassigned
UDV 8 - Unassigned
UDV 9 - Unassigned
3. Run csutil -addudv to add Packeteer to UDV (User Defined Vendor) slot 0 or the next open slot.
C:\Program Files\CiscoSecure ACS v3.0\Utils>csutil -addudv 0 c:\temp\packet.ini
CSUtil v3.0(2.5), Copyright 1997-2002, Cisco Systems Inc
Adding or removing vendors requires ACS services to be re-started.
Please make sure regedit is not running as it can prevent registry
backup/restore operations
Are you sure you want to proceed? (y/n)y
Parsing [c:\temp\packet.ini] for addition at UDV slot [0]
Stopping any running services
Creating backup of current config
Adding Vendor [Packeteer] added as [RADIUS (Packeteer)]
Adding VSA [Packeteer-AVPair]
Done
Checking new configuration...
New configuration OK
Re-starting stopped services
Verify that Packeteer was added.
C:\Program Files\CiscoSecure ACS v3.0\Utils>
C:\Program Files\CiscoSecure ACS v3.0\Utils>csutil -listudv
CSUtil v3.0(2.5), Copyright 1997-2002, Cisco Systems Inc
UDV 0 - RADIUS (Packeteer)
UDV 1 - Unassigned
UDV 2 - Unassigned
UDV 3 - Unassigned
UDV 4 - Unassigned
UDV 5 - Unassigned
UDV 6 - Unassigned
UDV 7 - Unassigned
UDV 8 - Unassigned
UDV 9 - Unassigned
4. Return to ACS Admin and select Network Configuration.
From the main screen select Network Configuration and add the PacketShaper by supplying the AAA client Hostname, IP address, and Key. Scroll through the Authenticate Using choices and select RADIUS (Packeteer).
5. From the main screen select User Setup and enter a user name for a Touch or Look access user to the Packet Shaper. Supply the PAP/CHAP password. Leave other fields at defaults and scroll to the bottom of the form. Be sure the Packeteer-AVPair box is selected and supply either "access=touch" or "access=look" in the available entry space.

Similar Messages

  • ACS 5.1 RADIUS Proxy - Adding RADIUS attributes

    Is there anyway under ACS 5.1 to add RADIUS attributes to outgoing RADIUS proxy auth requests or failing this to RADIUS proxy accounting updates?
    As soon as I configure a RADIUS proxy services, there is little config I can do other than to say whether or not the prefix and suffix is to be stripped.
    I can add these attributes if using an external RADIUS box as an identity store, but I cannot do this for this particular service and instead I need to use RADIUS proxying.
    Thanks
    Paul

    Hi Steve,
    The shared secret is 100% correct.
    Finally I find out that there may be some white lists for attributes.
    If I keep NAS-Identifier, it will work.
    But it can't pass all VSA (3GPP sub-attributes); it only shows one or three in BOTH ACS and RADIUS Server.
    The other is the RADIUS VSA User Define Options (which is in SA > C > D > P > RADIUS > RADIUS VSA > Edit).
    When 'Vendor Length Field Size' changes to 0, all sub-attributes pass through ACS.
    The RADIUS Server gets the message from NSA.
    Of course, there is the Proxy-State attribute.
    In this condition, the ACS has incorrect output in the sub-attribute.
    Now I will try 5.2 to see whether the problem exists or not.

  • RADIUS VSAs for Airespace and ACS 3.3

    How/Where do we get the RADIUS VSA downloads for ACS 3.3 for the Airespace hardware?
    I can only find reference to them in ACS 4.0 documentation.

    Did you manage to get these???
    Cheers,
    Dean

  • Add new OPNET VSA in ACS 4.2

    I need to add OPNET Radius attributes in ACS 4.2. How should I add a new VSA in ACS?  The google search is pointing me to CSUtil.exe, and I cannot find this utility in the ACS install files. 
    These are the values that I need added for OPNET.
    When configuring the RADIUS server to support the ACE Live Appliance, use the following Vendor Code and Vendor Specific Attribute (VSA):
    Vendor Code: 7119
    VSA: 33
    Thanks for your help.
    Fasih                   

    Well Well Well, you can use the RDBMS synchronization feature to add the new custom vendor to acs with its custom attributes that complement the standard list of IETF.
    What you need to do is to define the accountactions.csv file with the actions needed to add the new custom vendor as well as its attributes.
    As a reference to the way how to implement the accountactions.csv file please check the following link:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/A_RDBMS.html#wp148322
    Walk through the whole chapter described above.
    One more thing: you need to find the dictionary file for OPNET with their custom attributes.
    If you need the fish, just provide the dictionary file and I will make the file for you.
    Please make sure to rate correct answers

  • APC (UPS) RADIUS authentication with ACS 5.X

    I am trying to do RADIUS authentication for APC (UPS) using ACS 5.2 Appliance. It is working fine with ACS 4.2, but unfortunately not with ACS 5.2. I tried creating RADIUS VSA (Vendor Specific Attributes) for APC in ACS 5.2.
    According to the APC dictionary file
    VENDOR APC 318
    # Attributes
    ATTRIBUTE APC-Service-Type 1 integer APC
    ATTRIBUTE APC-Outlets 2 string APC
    VALUE APC-Service-Type Admin 1
    VALUE APC-Service-Type Device 2
    VALUE APC-Service-Type ReadOnly 3
    # For devices with outlet users only
    VALUE APC-Service-Type Outlet 4
    I have added the attributes in blue (attached), how do I add the VALUE's (shown red) in ACS 5.2? What else should I do to get this working?
    The hit count on the ACS shows that it is getting authentication request from the APC appliance.
    Thanks in advance.

    Hi,
    I am working on the same issue and I managed to log in (using LDAP A/D backend authentication). When using the standard Radius attribute Service-Type (1 for read-only and 6 for admin) I managed to get this working. I am however trying to use the APC VSAs (as above) without any success. The objective is to have outlet management for specific users, admin or read-only others. Did you manage to get this working and how?
    ./G

  • Configuring AAA network client on ACS v5.1 using the same RADIUS atributes from ACS v3.3

    Hello,
    I was wondering if I should use the same RADIUS VSA attribute on ACS v5.1 to authenticate AAA clients as those I was using on my old ACS v3.3 server.
    Example: under ACS v3.3 I was using the RADIUS (Cisco Aironet) attribute to authenticate AP & WLC; should I do the same under ACS v5.1?
    Best regards.

    Hello,
    When defining an AAA client on the new ACS 5.x server you just select TACACS+ or RADIUS. We no longer define the RADIUS "vendor"/"VSA" when creating the AAA Client entry. All AAA clients would be defined as RADIUS or TACACS+ only.
    If you were using specific VSA Attributes then you need to send those attributes back configuring Authorization Profiles on the ACS 5.x. You will find the specific VSA attributes there. Refer to the following screenshots:
    And here are the available attributes for the ACS for RADIUS Aironet:

  • Set-up Radius Server to ACS 4.2 and AD server

    Hi Guys,
    I would like to ask help from you on how to set-up Radius server in ACS 4.2  (step-by-step guide or link), wireless client will be authenticated via Active Directory when connecting to our Wireless AP so it means that our Wireless AP is added as client to Radius server.
    Thanks in advance!
    regards,
    Gagamboy

    Hi Colin
    thanks for your answer, we had this setting correct. I was able to solve the problem yesterday, we had some faults in the AD mapping.
    I didn't know that when I select more AD groups for one ACS group in one step, the user / host has to be in every one of these AD groups (AND conjunction).
    Now I only added one AD group for my ACS group and it works. The error message "AD user restriction" was not very helpful for finding this fault ;-)
    Regards
    Dominic

  • Pack and unpack Radius VSA attributes

    Hi
    As far as I know there are some methods to pack radius VSA attributes. Here are:
    As the part of Cisco-AVPair
    26 - VSA
    Length
    9  - Vendor ID
    1  - Vendor Type (Cisco-AVPair Attribute ID)
    Attribute Name=Value
    In the Vendor Specific attribute ("through attribute ID")
    26 - VSA
    Length
    9 - Vendor ID
    2 - Vendor Type (Attribute ID)
    Vendor Length
    Attribute Name=Value
    In the Vendor Specific attribute ("through attribute ID")
    26 - VSA
    Length
    9 - Vendor ID
    2 - Vendor Type (Attribute ID)
    Value
    i.e. with attribute name and without.
    How to understand which attribute needs attribute name in value string?
    For example:
    26|Length|9|2|Vendor Length|1|h323-incoming-conf-id=82b5fc8cd6f411dfa3c6080027716a9a
    26|Length|9|2|Vendor Length|35|h323-incoming-conf-id=82b5fc8cd6f411dfa3c6080027716a9a
    26|Length|9|2|Vendor Length|35|82b5fc8cd6f411dfa3c6080027716a9a
    which of the methods is right?

    Hi,
    For the specific VSA you used in the example (h323-incoming-conf-id), (1) is the correct encoding, since Cisco VSA vendor type 1 (also more commonly referred to as Cisco AV Pair) is always encoded in strings with the format of "attribute=value". This applies to other Cisco VSAs that use string encoding as well. For VSAs that don't use string encoding, e.g., fax-pages (vendor type 5, encoding integer), it typically doesn't include the value. You should be able to check that against the vendor dictionary to confirm. Please also see:
    http://www.cisco.com/en/US/docs/ios/voice/cdr/developer/guide/cdrdefs.html
    Thanks,
    Wen
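
The Vendor-Specific layout discussed in this thread (and used by the Packeteer VSA at the top of the page), packed and unpacked in the RFC 2865 recommended format. This is an added example, not code from any of the posters; the function names are hypothetical and the values are the ones quoted on this page.

```python
import struct

VENDOR_SPECIFIC = 26  # RADIUS attribute type for VSAs (RFC 2865, section 5.26)


def pack_vsa(vendor_id, vendor_type, value):
    """Encode one sub-attribute in the layout RFC 2865 recommends:
    26 | Length | Vendor-Id (4 bytes) | Vendor-Type | Vendor-Length | data"""
    data = value.encode("utf-8") if isinstance(value, str) else bytes(value)
    if not 0 <= vendor_type <= 255:
        raise ValueError("vendor type must fit in one byte")
    # Vendor-Length covers its own 2-byte header; Length covers the whole attribute.
    total = 2 + 4 + 2 + len(data)
    if total > 255:
        raise ValueError("value too long for a single RADIUS attribute")
    sub = bytes([vendor_type, 2 + len(data)]) + data
    return bytes([VENDOR_SPECIFIC, total]) + struct.pack("!I", vendor_id) + sub


def unpack_vsa(attr):
    """Decode a type-26 attribute into (vendor_id, [(vendor_type, data), ...]).
    Raises ValueError when a length field disagrees with the buffer."""
    if len(attr) < 6 or attr[0] != VENDOR_SPECIFIC:
        raise ValueError("not a Vendor-Specific attribute")
    if attr[1] != len(attr):
        raise ValueError("attribute Length does not match buffer size")
    (vendor_id,) = struct.unpack("!I", attr[2:6])
    subs, pos = [], 6
    while pos < len(attr):
        if pos + 2 > len(attr):
            raise ValueError("truncated sub-attribute header")
        vendor_type, vendor_len = attr[pos], attr[pos + 1]
        if vendor_len < 2 or pos + vendor_len > len(attr):
            raise ValueError("Vendor-Length runs past the attribute")
        subs.append((vendor_type, attr[pos + 2:pos + vendor_len]))
        pos += vendor_len
    return vendor_id, subs


def split_avpair(data):
    """Split a string VSA of the form name=value at the first '='."""
    name, sep, value = data.decode("utf-8").partition("=")
    return (name, value) if sep else (None, name)


# Values quoted on this page: Packeteer (IETF code 2334, VSA 1) and the
# Cisco-AVPair (vendor 9, type 1) from the pack/unpack question.
PACKETEER = pack_vsa(2334, 1, "access=look")
CISCO = pack_vsa(9, 1, "h323-incoming-conf-id=82b5fc8cd6f411dfa3c6080027716a9a")

if __name__ == "__main__":
    for raw in (PACKETEER, CISCO):
        vendor_id, subs = unpack_vsa(raw)
        for vendor_type, data in subs:
            print(raw.hex(), vendor_id, vendor_type, split_avpair(data))
```

The strict length checks in `unpack_vsa` matter on the receiving side: a Vendor-Length that overruns the attribute is rejected instead of being read past the buffer.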

  • How to monitor Radius services on ACS 5.4

    Hi All,
    I want to monitor Radius services of ACS 5.4. In case of failure of any Radius service on ACS,
    ACS should send an alert to syslog or an email notification.
    Is there any way to monitor Radius services? Does anyone have any idea how to monitor them?
    Regards.

    Hi Narinder,
    I don't think there is any particular way you can do that, because ACS 5.x doesn't have any particular Radius service.
    The services which are available and can be viewed through CLI and GUI are following:
    Database
    Management (ACS management subsystem)
    Ntpd
    Runtime (ACS runtime subsystem)
    View-alertmanager
    View-collector
    View-database
    View-jobmanager
    View-logprocessor
    https://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-ususer/guide/acsuserguide/viewer_sys_ops.html#pgfId-1052845
    Cheers 
    Minakshi

  • Adding AAA servers to ACS to use Proxy RADIUS distribution Table

    Hello,
    I've added two non ACS radius servers (Radiator) to the AAA servers on Network Config, in order to use them on a proxy distribution table.
    I had problems authenticating users through those servers and I did a sniffer trace on the outside interface of the ACS.
    What I saw is that ACS sends packets to the AAA server configured as RADIUS on port 1645, not 1812, the expected standard, and the port to which the other servers are listening. How can I change this behaviour?
    Thanks
    Gustavo

    ACS by default will listen on both ports 1645 and 1812, the two "standard" Radius ports. However, when talking to a proxy server it will only send them on 1645, by default. To change this you have to go into the registry and change it as follows:
    Under [HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\CiscoAAAv3.x\Hosts\\RADIUS] (where is the server you want to send the 1812 requests to, and note that you may have to add the RADIUS key if it isn't there already), you can add the following:
    "authPort"=dword:0000066d <<---- 1645
    "acctPort"=dword:0000066e <<---- 1646
    "timeout"=dword:00000001
    "single connection"=dword:00000000
    "strip users"=dword:00000000
    You don't need all of them, you can just change the authPort to 1812 (714 in hex) and acctPort to 1813 (0x715) and you should be good to go. Make sure you reboot the server after making the registry changes. Keys are case-sensitive too so make sure you type them in EXACTLY as I've shown above.

  • Cisco-assign-ip-pool RADIUS VSA is an integer?

    Hi all,
    I'm trying to configure IP pool selection by RADIUS on ACS 5-3-0-40-7.
    So, I went to configuring the cisco-assign-ip-pool (Cisco VSA 218) attribute within some test authorization profile but discovered that cisco-assign-ip-pool is an integer (?!) and (therefore) accepts digits only.
    As far as I can remember, we used to put pool *names* within ip:addr-pool (something along those lines: cisco-avpair = "ip:addr-pool=test-pool-1").
    So how should we configure the values for this attribute in ACS 5?

    If your NAS is "RADIUS (Cisco IOS/PIX)" it will use a Cisco-AVPair attribute with "ip:addr-pool=poolname" inside it.
    If your NAS is just about any other RADIUS type, it will use attribute 88, Framed-Pool.
    Use the dictionary Radius-Cisco and then select cisco av-pair in the radius authorization profile.
    After that configure:
    ip:addr-pool=poolname
    The pool should be defined on the device itself like ASA. The ACS will only push the name of it.
    Jatin Katyal
    - Do rate helpful posts -

  • Sf302-08 and radius vsa keys

    Greetings all,
    I recently received a SF302-08 to configure and I have to say quite an improvement over the SRW208 I had earlier. One thing bugs me though, with authentication requests it does not send the Service-Request parameter. On our Catalyst switches I have been experimenting with adding vsa keys to the requests and replies but on the SF302-08 I cannot find that feature yet. Can anyone tell me if it is at all possible to add custom or cisco proprietary vsa keys to an authentication request?
    Thanks in advance,
    Chris Schaatsbergen

    That would be a pity, but maybe you can help me a supported vsa set to work properly. I am Radius VLAN assignment and am unable to get it to work properly.
    I am sending the attributes as described but it fails on the Tunnel-Private-Group-ID.
    For the Dynamic VLAN Assignment feature to work, the switch requires the
    following VLAN attributes to be sent by the RADIUS server (as defined in
    RFC 3580):
    [64] Tunnel-Type = VLAN (type 13)
    [65] Tunnel-Medium-Type = 802 (type 6)
    [81] Tunnel-Private-Group-Id = VLAN ID
    VLAN 7 (Guest) is the VLAN that the port should be assigned to, but for the different ways of sending the data I get these results.
    "7"
    Mar  2 12:53:53 10.1.1.181 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:22:15:8e:a4:ac was rejected on port e1 because Radius accept message does not contain VLAN ID
    "Guest"
    Mar  2 12:57:36 10.1.1.181 %AAAEAP-W-RADIUSREPLY: Invalid attribute 81 ignored - wrong length
    7
    Mar  2 13:04:00 10.1.1.181 %AAAEAP-W-RADIUSREPLY: Invalid attribute 81 ignored - cannot decode VLANID
    Any thoughts?
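
The three RFC 3580 attributes listed in the post above, encoded in the tagged formats of RFC 2868, with a decoder showing what is recovered from a decimal string, a VLAN name and a 4-byte integer. This is an added example, not from the thread; the function names are hypothetical and the sample byte strings are constructed.

```python
TUNNEL_TYPE = 64              # RFC 2868 section 3.1
TUNNEL_MEDIUM_TYPE = 65       # RFC 2868 section 3.2
TUNNEL_PRIVATE_GROUP_ID = 81  # RFC 2868 section 3.6
VLAN, IEEE_802 = 13, 6        # values named in the post above


def pack_tagged_int(attr_type, value, tag=0):
    """Tunnel-Type / Tunnel-Medium-Type: one tag byte plus a 24-bit value."""
    if not 0 <= tag <= 0x1F or not 0 <= value < 1 << 24:
        raise ValueError("tag or value out of range")
    return bytes([attr_type, 6, tag]) + value.to_bytes(3, "big")


def pack_group_id(group, tag=None):
    """Tunnel-Private-Group-Id: optional tag byte, then the ID as text.
    RFC 3580 carries the VLAN ID as a decimal string, not an integer."""
    text = str(group).encode("ascii")
    if not text or text[0] <= 0x1F:
        raise ValueError("group ID must start with a printable character")
    if tag is not None and not 1 <= tag <= 0x1F:
        raise ValueError("tag out of range")
    body = (bytes([tag]) if tag is not None else b"") + text
    if len(body) > 253:
        raise ValueError("group ID too long")
    return bytes([TUNNEL_PRIVATE_GROUP_ID, len(body) + 2]) + body


def unpack_group_id(attr):
    """Return (tag, text). A first byte above 0x1F belongs to the string."""
    if (len(attr) < 3 or attr[0] != TUNNEL_PRIVATE_GROUP_ID
            or attr[1] != len(attr)):
        raise ValueError("malformed Tunnel-Private-Group-Id")
    body = attr[2:]
    if body[0] <= 0x1F:
        return body[0], body[1:]
    return None, body


def vlan_id(attr):
    """Numeric VLAN ID carried by the attribute, or None when the text is not
    a decimal string in 1..4094 (for example a VLAN name or a raw integer)."""
    _, text = unpack_group_id(attr)
    if not text.isdigit():
        return None
    number = int(text.decode("ascii"))
    return number if 1 <= number <= 4094 else None


# Constructed samples for VLAN 7 (Guest), one per encoding style.
AS_STRING = pack_group_id(7)                         # "7" as text, no tag
AS_TAGGED = pack_group_id(7, tag=1)                  # tag 1, then "7"
AS_NAME = pack_group_id("Guest")                     # VLAN name as text
AS_INTEGER = bytes([TUNNEL_PRIVATE_GROUP_ID, 6]) + (7).to_bytes(4, "big")

if __name__ == "__main__":
    print(pack_tagged_int(TUNNEL_TYPE, VLAN).hex())
    print(pack_tagged_int(TUNNEL_MEDIUM_TYPE, IEEE_802).hex())
    for sample in (AS_STRING, AS_TAGGED, AS_NAME, AS_INTEGER):
        print(sample.hex(), unpack_group_id(sample), vlan_id(sample))
```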

  • Trying to import VSAs into ACS 1113 4.2

    I have some VSAs to import into my 1113 box, but I am stuck before I can even start :-( I have an accountActions.csv file containing some VSAs (this is just a test csv file.) I also have an FTP server that is accessible from the 1113 system.
    When at the GUI for the 1113 I do System Configuration --> RDBMS Synchronization I get the RDBMS Synchronization Setup screen all right. I have entered all the parameters associated with the FTP server, and selected manual synchronization. The problem is that there are no entries in the AAA Servers window at the Synchronization Partners section at the bottom, and therefore I can't get the 1113 to retrieve my accountActions.csv file, an action that (I guess) is triggered by clicking on the Synchronize Now button.
    I do have an AAA Server defined in the 1113. It's a RADIUS server called Self, not assigned to any NDG.
    I guess I do not understand this at all. I just want to import some external VSAs. Do I need to have an external AAA server to accomplish this? If not, how do I get my local Self server to appear in the list of synchronization partners?

    The problem was that Self was defined with the wrong type - RADIUS, rather than CiscoSecureACS. Moving on to importing the VSAs.

  • Radius Authentication in ACS 5.2 with AD

    Friend,
    I have a question about RADIUS authentication with AD. When I log in to the network with a user in AD and I make a mistake in the password, my RADIUS authentication event in ACS 5.2 doesn't show me this log. It only shows the authentication succeeded but doesn't show me the authentication failed. Maybe I must enable some service to show the authentication failed. The voice authentication works fine.
    This is the config on the port of the switch:
    interface FastEthernet0/12
    switchport mode access
    switchport access vlan 2
    switchport voice vlan 10
    authentication port-control auto
    authentication host-mode multi-domain
    authentication violation protect
    authentication event fail action authorize vlan 11
    authentication event fail retry 2 action authorize vlan 11
    authentication event no-response action authorize vlan 11
    authentication periodic
    authentication timer reauthenticate 60
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 10
    dot1x max-reauth-req 3
    spanning-tree portfast
    end
    Vlan 2: DATA
    Vlan 10: VOICE
    Vlan 11: GUEST
    thank...
    Marco

    Hi Marco,
    When you type in the wrong password do you see the login fail on the device you entered it? Depending on how you have configured fallback mechanisms on ACS, an attempt can still be permitted even though the authentication failed.
    It would be best to take a look at the authentication steps under the RADIUS authentication log for an attempt you believe should have failed to see what ACS is doing with the request.
    Steve.

  • Adding WCS server in ACS for AAA

    Hi,
    I tried to add WCS into the ACS server and I have done all the required configuration but still WCS is unable to authenticate through ACS. There is no passed or failed auth report on ACS for WCS users. Can you guide me on how to fix it?
    Thanks,
    Hassan

    Curious... Did you load the WCS attributes from WCS to ACS?
    Example
    role0=SuperUsers
    task0=Users and Groups
    task1=Audit Trails
    task2=TACACS+ Servers
    task3=RADIUS Servers
    task4=Logging
    task5=License Center
    task6=Scheduled Tasks and Data Collection
    task7=User Preferences
    task8=System Settings
    task9=Diagnostic Information
    task10=View Alerts and Events
    task11=Email Notification
    task12=Delete and Clear Alerts
    task13=Pick and Unpick Alerts
    task14=Configure Controllers
    task15=Configure Templates
    task16=Configure Config Groups
    task17=Configure Access Points
    task18=Configure Access Point Templates
    task19=Configure Choke Points
    task20=Monitor Controllers
    task21=Monitor Access Points
    task22=Monitor Clients
    task23=Monitor Tags
    task24=Monitor Security
    task25=Monitor Chokepoints
    task26=Mesh Reports
    task27=Client Reports
    task28=Performance Reports
    task29=Security Reports
    task30=Location Server Management
    task31=View Location Notifications
    task32=Maps Read Only
    task33=Maps Read Write
    task34=Client Location
    task35=Rogue Location
    task36=Planning Mode
    task37=Ack and Unack Alerts
    task38=Migration Templates
    task39=Configure Spectrum Experts
    task40=Monitor Spectrum Experts
    task41=Virtual Domain Management
    task42=High Availability Configuration
    task43=Health Monitor Details
    task44=Configure WIPS Profiles
    task45=Global SSID Groups
    task46=Configure Lightweight Access Point Templates
    task47=Configure Autonomous Access Point Templates
    task48=Scheduled Configuration Tasks
    task49=Configure Location Sensors
    task50=Configure ACS View Servers
    task51=Auto Provisioning
    task52=Monitor Location Sensors
    task53=RRM Dashboard
    task54=Compliance Assistance Reports
    task55=Voice Audit Report
    task56=Config Audit Dashboard
    task57=Handover Server Management
    task58=Monitor Handover Server
    task59=Configure Ethernet Switch Ports
    task60=Configure Ethernet Switches
    task61=Monitor Interferers
    task62=Device Reports
    task63=Network Summary Reports
    task64=Compliance Reports
    task65=CleanAir Reports
    task66=Report Launch Pad
    task67=Run Reports List
    task68=Saved Reports List
    task69=Report Run History
    task70=Automated Feedback
    task71=TAC Case Attachment Tool
