Can't auth to Nortel network devices using RADIUS with ACS 5.1
Hi,
I've got a problem with ACS 5.1 RADIUS authentication for Nortel network devices (Baystack 470, ERS 5530, 5510, Passport 8606).
After configuring RADIUS on these devices (primary server, secondary server, secret key, port...) and adding them to my ACS servers, I can't manage to log in using RADIUS and I get the following message:
"Permission denied, please try again" or "No response from RADIUS server"(?) (depending on the device type)
But in my ACS View, I can see: "Authentication succeeded."
I've also checked the RADIUS frames; the "Access-Request" and "Access-Accept" are correctly transmitted.
I've got no problems with RADIUS auth using other brands' devices.
Are there any known issues with Nortel devices using Cisco ACS 5.1 with RADIUS authentication?
Regards.
Are you sure that setting up a compound condition will help?
To me, the RADIUS Nortel VSAs are used for authorization, and my problem is about authentication (usually for a simple authentication, we stay within the IETF RADIUS standards, no?).
Also, will setting this condition change the Access-Accept packets sent by the ACS to the device?
Here are my steps in the ACS View:
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - Default Network Access
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - Internal Users
24210 Looking up User in Internal Users IDStore - radius
24212 Found User in Internal Users IDStore
22037 Authentication Passed
Evaluating Group Mapping Policy
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - Permit Access
11002 Returned RADIUS Access-Accept
So I think the ACS does its job
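One way to inspect the captured Access-Accept frames mentioned above, as an added example that is not part of the original thread: it lists the attributes the reply carries (including any Vendor-Specific ones) and checks the RFC 2865 Response Authenticator against the shared secret, as a RADIUS client does before accepting a reply. The packets, the secret and the enterprise number 99999 are constructed sample values.

```python
import hashlib, hmac, struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
SERVICE_TYPE, VENDOR_SPECIFIC = 6, 26  # RFC 2865 attribute types

def parse_radius(packet: bytes) -> dict:
    """Decode the RFC 2865 header and attribute list of one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 4:
            # Vendor-Specific: 4-byte enterprise number, then vendor data
            attrs.append(("Vendor-Specific", struct.unpack("!I", value[:4])[0], value[4:]))
        elif atype == SERVICE_TYPE and len(value) == 4:
            attrs.append(("Service-Type", struct.unpack("!I", value)[0]))
        else:
            attrs.append((atype, value))
        pos += alen
    return {"code": CODES.get(code, code), "id": ident, "attrs": attrs}

def response_authenticator_ok(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Check MD5(Code+ID+Length+RequestAuth+Attributes+Secret) as the NAS does."""
    length = struct.unpack("!H", reply[2:4])[0]
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def build_accept(ident: int, request_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Build a constructed Access-Accept so the example runs offline."""
    header = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

# Constructed sample data (not taken from the thread)
REQ_AUTH = bytes(range(16))
SECRET = b"constructed-secret"
ATTRS = bytes([6, 6]) + struct.pack("!I", 6) + bytes([26, 9]) + struct.pack("!I", 99999) + b"\x01\x03\x06"
BARE = build_accept(7, REQ_AUTH, SECRET)
WITH_ATTRS = build_accept(7, REQ_AUTH, SECRET, ATTRS)

if __name__ == "__main__":
    for name, pkt in (("bare", BARE), ("with attributes", WITH_ATTRS)):
        print(name, parse_radius(pkt), response_authenticator_ok(pkt, REQ_AUTH, SECRET))
```

Run against a real capture, the attribute list can be compared with what the device's documentation expects in an Access-Accept, and a failed authenticator check points at a shared-secret mismatch between the device and the server.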
Similar Messages
-
AAA authentication for networking devices using ACS 4.1 SE
Hi!!!
I want to perform AAA authentication for networking devices using ACS 4.1 SE.
I have Cisco 4500, 6500, 2960, 3750, 3560, ASA, CSMARS, routers (2821) etc. in my network. I want to have RADIUS-based authentication for the same.
I want telnet, SSH, and console attempts to be verified by the RADIUS server, and if ACS goes down then it will be via the local enable password.
For all users I need to have different privilege levels based upon which access will be granted.
Could you please send me the config that is required to be done in the active devices as well as ACS?
Pradeep,
Are you planning MAC authentication for some users while using EAP for others?
For MAC authentication, just use the following in your AP.
aaa authentication login mac_methods group radius
In your AP, select the radius server for mac authentication. You must have already defined your ACS as a radius server.
In your SSID configuration, under client authentication settings,
check "open authentication" and also select "MAC Authentication" from the drop-down list.
If you want both MAC or EAP, then select "MAC Authentication or EAP" from the dropdown.
Define the mac address as the username and password in ACS. Make sure the format of the mac is without any spaces.
You will not need to change anything in XP.
NOTE: XP normally does not require user authentication if machine has already authenticated but it might behave differently. If it does, I can let you know the registry settings to force the behaviour change.
HTH -
Can I unlock my Droid Charge and use it with a sim card in India?
How can I unlock my Droid Charge and use it with a sim card in India?
You just have to call VZW Global TS and as long as you meet all of the requirements you will be able to unlock your phone.
Must be a Verizon Wireless customer.
The device being unlocked must be active on a VZW line of service.
The line of service must be active for at least 60 days.
For converted accounts from acquisitions or mergers (i.e. Alltel, Unicel/RCC, etc.), the line of service must be active in the VZW billing system for 60 days from the conversion date.
The line of service must be in good standing for the past 60 days. Good Standing is defined as:
Balance must be current
No service suspensions or hotlines in the past 60 days.
Customer may only have one 3G SIM unlock per line every 10 months.
The customer's manufacturer's device warranty is not affected by a 3G SIM unlock as long as the customer remains with VZW. -
Can I create a home network withous dsl connection with airport express
can I create a home network without dsl connection with airport express?
So it means I can't connect to my HP Airprint/Wireless printer without an external connection through an ISP? Just need to print from my Mac and iPhone. I have a Vodafone Prepaid connection, which is directly connected to my Mac. Does that make an internal network possible?
You have to set up the AirPort with an internet connection to set up a network. Do you have a modem? If yes, you can set up the network.
-
When legally ipad2 with 3G would be available in Thailand? Can I buy it from US and use it with 3G operator in Thailand?
The iPad 2 is available in Thailand now, though I don't know whether you can find one in stock. The iPad 2 continues to be in short supply everywhere in the world. A US iPad with GSM 3G should be able to work with any carrier worldwide that offers GSM service and a suitable data plan. You'll need to be sure you purchase the AT&T version of the iPad if you purchase in the US, NOT the Verizon version which uses a different cell technology.
This has been asked and answered in these forums multiple times already, by the way. A quick search or browse of the forums and you would not have had to wait for a response.
Regards. -
So can i Recover to the factory setting using F11 with no disk ?
So can i Recover to the factory setting using F11 with no disk ?
Hi,
If your Recovery Partition is OK, then you should have no problem with this method.
Regards,
DP-K
****Click the White thumb to say thanks****
****Please mark Accept As Solution if it solves your problem****
****I don't work for HP****
Microsoft MVP - Windows Experience -
I can't get a full screen picture using iPhoto with yosemite. how can i do that?
I can't get a full screen picture using iPhoto with Yosemite. How can I do that?
Click the green button in the top left corner.
Matt -
Why can't I send i-message and use facetime with my iphone 4s(BTW, there is nothing wrong with my apple account))
It functioned well originally, but a month ago I could not use FaceTime and send iMessages anymore. I think there is nothing wrong with my Apple ID because I can still download apps in the Apple store.
Try turning both iMessage and FaceTime off in SETTINGS, then re-enable iMessage and then FaceTime. See if that helps.
-
Error importing network device using CSV file
While importing a CSV file of a single network device, I am getting this error:
Value for attribute TrustSecDeviceID is Mandatory
In the CSV template (downloaded from the ISE web GUI), I don't see a field TrustSecDeviceID. What is the error referring to?
Kashish,
This looks like a bug, but I attached a template that you can use. I tested it with my ISE 1.1.1 patch 1 and it worked fine; just replace the fields that I entered and you should be good to go! Were you able to get the password reset successfully on the PSNs?
Good luck!
Tarik Admani
*Please rate helpful posts* -
Can I connect and read my files from an external storage device, using the USB connection, on an iPad 2
The camera connection kit USB connector can only be used for import of photos & videos. Can't be used for export of any files.
Cheers, Tom -
SSH to network devices using "name" or "IP" - What is the industry norm?
Hi Everyone,
Looking for anyone to provide feedback on the "Industry Norm" for accessing network devices, by DNS Name or IP? If anyone has any opinions or information about this I would certainly appreciate the information. I use name, which I have been told "is not the industry norm" so obviously I would like some level of validation on comment.
Thanks!
I'd most definitely consider it the norm!
I’ve worked in both pure tech companies and in tech teams in the banking industry and we’ve always had some form of name resolution for our devices. Normally using internal DNS, but the worst-case scenario is a hosts file on the NMS.
Trying to retain IP addresses for anything more than a handful of devices is just tiresome, especially if you are in a fault situation. I think most network teams out there with the support of some decent network management infrastructure or experience would consider it vital and take it for granted.
Having said that, I’m a little pedantic when it comes to name resolution and have forward and reverse resolution for almost every numbered interface in our (not insubstantial) network, it makes traceroutes all the more powerful. -
If I purchase an iPhone 3g, can I then use it with the apple golf app without having cell or data service?
You do not need have cell service for the GPS to work.
If the iphone is new, then you would have to activate it with a carrier in order for it to work at all.
If it is used, then you can use it without wireless service:
Using an iPhone without a wireless service plan -
AAA using Radius with 802.1x
Hello there,
We're going to be implementing 802.1x on our network of some reaallly old switches (6509 Cat OS with MSFC 2). We use RADIUS for AAA authentication and I've been reading that .1x uses RADIUS. How is that going to work? Do I just add another RADIUS server in my radius server command and, more importantly, will .1x work on Cat OS running 8.2.1? I've been trawling the forums and I can't seem to find anyone who's actually running .1x on the old Cat OS switches to see what kind of gotchas I can expect to run into.
Any advice or assistance would be greatly appreciated!
Thanks
Kiley
Salodh,
Thanks but that document is for a 2950 and we have a 6509 but, the good thing is I just found out our Tier 3 engineers will not be adding dot1x to the 6509 since it has only trunks - no access ports. Thanks very much for your reply! -
Control access using Radius without ACS
I want to log into my IPS using my existing RSA SecurID using RADIUS. Is it possible to use a RADIUS attribute in the RSA to tell the IPS what privilege/role the user has? The idea is I don't create users on the IPS; if a user tries to log on, it authenticates them via RADIUS running on the RSA server, and if the user is allowed to log onto that client IP (the IPS) then it will allow them to log on but also pass a message back to the IPS to say this person has full admin access. Is that possible using an attribute? Any guidance would be great.
Yes, you should be able to specify the user role on the radius server.
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_setup.html#wp1276213
Regards,
Sawan Gupta -
HT1373 How can I make all of my devices use the same iTunes library?
I have an iMac, Macbook Air, Macbook, iPad, iPhone and an iTouch. So, as you can imagine, I have many devices that need to be on the same page at all times. I take my Air to campus with me and use it for classes, along with my iPad, so I usually plug my iPad into my laptop for updates, downloads, transfers, charging, etc... The same with my iPhone. However, when I get home and I plug my iPad or iPhone into my iMac, it does this whole (This iPad is currently synced to another library, would you like to Erase & Sync to this library). No. I want my Air and iMac to be the same so I can plug my devices up to either of them without having to worry about erasing or adding anything that I don't want erased or added.
How, if at all, can I accomplish this?
Thanks!
You can't. An iOS device can still be synced with only one computer. That is making sense have it refer to multiple files from your computer (backup, iTunes medias, sync information).
As you will only sync your iOS with one computer, it is iCloud you need to use to keep all your content in sync. While on the go, you use your iPad for a purchase for example, iCloud will allow you to push that purchase to all your devices automatically. Though, it doesn't mean that it will sync with any devices.
iCloud will allow you, once properly configured, to use any documents, media, purchases, apps, bookmarks, content, calendar, email... and so on in sync from any of your devices without the hassle to sync from an iOS device.