Cisco-av-pair

Hi all,
I'm trying to configure ACS RADIUS and a PIX to work as a cut-through proxy.
I want to set up some ACLs so that some users get one type of traffic and other users get another.
I tried downloadable ACLs but they don't work (could it be caused by a bug in IOS?), so now I'm trying to set up cisco-av-pair and I have another problem...
If I write
ip:inacl#1=permit tcp any any
ip:inacl#2=permit udp any any
ip:inacl#3=permit ip any any
ip:inacl#4=permit icmp any any
ip:inacl#5=deny tcp any any
it works fine... but if I configure it with this one
ip:inacl#1=permit tcp any any eq 20
ip:inacl#2=permit udp any any eq 20
ip:inacl#3=permit ip any any eq 20
ip:inacl#5=permit tcp any any eq 21
ip:inacl#6=permit udp any any eq 21
ip:inacl#7=permit ip any any eq 21
ip:inacl#8=permit tcp any any eq 80
ip:inacl#9=permit ip any any eq 80
ip:inacl#101=deny tcp any any
ip:inacl#102=deny ip any any
ip:inacl#103=deny udp any any
the PIX denies everything.
What is the mistake?
Thanks in advance.

Try...
ip:inacl#101=permit tcp any any eq 20
ip:inacl#102=permit udp any any eq 20
ip:inacl#103=permit ip any any eq 20
ip:inacl#104=permit tcp any any eq 21
ip:inacl#105=permit udp any any eq 21
ip:inacl#106=permit ip any any eq 21
ip:inacl#107=permit tcp any any eq 80
ip:inacl#108=permit ip any any eq 80
ip:inacl#109=deny tcp any any
ip:inacl#110=deny ip any any
ip:inacl#111=deny udp any any
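To make the numbering rule concrete, here is an added example (not code from the thread) that builds and parses the RADIUS Vendor-Specific attribute (type 26, Cisco vendor ID 9, vendor-type 1) carrying cisco-av-pair strings, splits each pair on the "=" (mandatory) or "*" (optional) separator, reassembles the per-user inbound ACL from the ip:inacl#N entries in numeric order, and runs a small ACL-grammar sanity check on each entry. The sample pairs and the lint function are my own additions; the lint only flags port operators on protocols that carry no ports and is not a diagnosis of the original poster's problem.

```python
"""Encode and decode the RADIUS Vendor-Specific attribute that carries
cisco-av-pair, and reassemble the per-user inbound ACL from ip:inacl#N.

Added example, not code from the thread. Wire format per RFC 2865 s5.26:
Type 26, Length, Vendor-Id (4 bytes), then Vendor-Type, Vendor-Length, value.
Cisco's Vendor-Id is 9 and cisco-av-pair is vendor-type 1.
"""
import re
import struct

RADIUS_VSA_TYPE = 26
CISCO_VENDOR_ID = 9
CISCO_AV_PAIR = 1

# attr=value is mandatory, attr*value is optional (Cisco av-pair convention)
AVPAIR_RE = re.compile(r"^([^=*]+)([=*])(.*)$", re.S)
INACL_RE = re.compile(r"^ip:inacl#(\d+)$")
PORT_OPERATORS = {"eq", "gt", "lt", "neq", "range"}


def encode_av_pair(value: str) -> bytes:
    """Encode one cisco-av-pair string as a RADIUS VSA (type 26)."""
    data = value.encode()
    if len(data) > 247:  # 2 (type,len) + 4 (vendor) + 2 (vtype,vlen) + data <= 255
        raise ValueError("av-pair too long for one RADIUS attribute")
    vendor_part = struct.pack("!BB", CISCO_AV_PAIR, 2 + len(data)) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + vendor_part
    return struct.pack("!BB", RADIUS_VSA_TYPE, 2 + len(body)) + body


def decode_attributes(blob: bytes):
    """Yield (type, payload) for each attribute in a RADIUS attribute list."""
    off = 0
    while off < len(blob):
        if off + 2 > len(blob):
            raise ValueError("truncated attribute header at offset %d" % off)
        atype, alen = blob[off], blob[off + 1]
        if alen < 2 or off + alen > len(blob):
            raise ValueError("malformed attribute at offset %d" % off)
        yield atype, blob[off + 2:off + alen]
        off += alen


def cisco_av_pairs(blob: bytes):
    """Return the cisco-av-pair strings found in a RADIUS attribute list."""
    out = []
    for atype, payload in decode_attributes(blob):
        if atype != RADIUS_VSA_TYPE or len(payload) < 6:
            continue
        if struct.unpack("!I", payload[:4])[0] != CISCO_VENDOR_ID:
            continue  # some other vendor's VSA
        rest = payload[4:]
        while len(rest) >= 2:  # one VSA may carry several vendor sub-attributes
            vtype, vlen = rest[0], rest[1]
            if vlen < 2 or vlen > len(rest):
                raise ValueError("malformed vendor sub-attribute")
            if vtype == CISCO_AV_PAIR:
                out.append(rest[2:vlen].decode())
            rest = rest[vlen:]
    return out


def parse_av_pair(pair: str):
    """Split into (name, value, optional) on the first '=' or '*'."""
    m = AVPAIR_RE.match(pair)
    if not m:
        raise ValueError("not an av-pair: %r" % pair)
    return m.group(1), m.group(3), m.group(2) == "*"


def inbound_acl(pairs):
    """ACEs from ip:inacl#N pairs, ordered by N as the NAS assembles them."""
    entries = []
    for p in pairs:
        name, value, _optional = parse_av_pair(p)
        m = INACL_RE.match(name)
        if m:
            entries.append((int(m.group(1)), value))
    entries.sort(key=lambda e: e[0])
    return [value for _, value in entries]


def lint_ace(ace: str):
    """General ACL-grammar check: port operators only make sense for tcp/udp."""
    toks = ace.split()
    if len(toks) < 2 or toks[0] not in ("permit", "deny"):
        return "unknown action"
    if toks[1] not in ("tcp", "udp") and PORT_OPERATORS & set(toks[2:]):
        return "port operator used with protocol %r" % toks[1]
    return None


if __name__ == "__main__":
    sample = ["ip:inacl#8=permit tcp any any eq 80",  # constructed sample pairs
              "ip:inacl#3=permit ip any any eq 20",
              "ip:inacl#101=deny tcp any any"]
    blob = b"".join(encode_av_pair(p) for p in sample)
    for ace in inbound_acl(cisco_av_pairs(blob)):
        print(ace, "<-", lint_ace(ace) or "ok")
```

The decoder tolerates non-Cisco VSAs and non-VSA attributes in the same list, which is what a real Access-Accept looks like; it raises on malformed lengths rather than silently skipping them, since a NAS that guesses at a truncated authorization attribute is worse than one that rejects it.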

Similar Messages

  • ISE 1.1.1 cisco-av-pair:Wireless-WCS

    Hello,
    Has anyone configured ISE yet to authenticate WCS against ISE using RADIUS?  I have created the Authorization Profiles with role0=SuperUsers, task0=..., etc., but I am wondering how everyone has done the authentication and authorization rules.  Any lessons learned would be great.
    Kyle

    Yes, I have patch 1 installed.  I am trying to add the following cisco-av-pairs:
    Wireless-WCS:role0=Admin
    Wireless-WCS:task0=Users and Groups
    Wireless-WCS:task1=Virtual Domain Management
    Wireless-WCS:task2=Audit Trails
    Wireless-WCS:task3=TACACS+ Servers
    Wireless-WCS:task4=RADIUS Servers
    Wireless-WCS:task5=Logging
    Wireless-WCS:task6=License Center
    Wireless-WCS:task7=Scheduled Tasks and Data Collection
    Wireless-WCS:task8=User Preferences
    Wireless-WCS:task9=System Settings
    Wireless-WCS:task10=View Alerts and Events
    Wireless-WCS:task11=Email Notification
    Wireless-WCS:task12=Delete and Clear Alerts
    Wireless-WCS:task13=Pick and Unpick Alerts
    Wireless-WCS:task14=Ack and Unack Alerts
    Wireless-WCS:task15=Configure Controllers
    Wireless-WCS:task16=Configure Templates
    Wireless-WCS:task17=Configure Config Groups
    Wireless-WCS:task18=Configure Access Points
    Wireless-WCS:task19=Scheduled Configuration Tasks
    Wireless-WCS:task20=Migration Templates
    Wireless-WCS:task21=Configure Choke Points
    Wireless-WCS:task22=Configure Spectrum Experts
    Wireless-WCS:task23=Configure ACS View Servers
    Wireless-WCS:task24=Auto Provisioning
    Wireless-WCS:task25=Monitor Controllers
    Wireless-WCS:task26=Monitor Access Points
    Wireless-WCS:task27=Monitor Clients
    Wireless-WCS:task28=Monitor Tags
    Wireless-WCS:task29=Monitor Security
    Wireless-WCS:task30=Monitor Chokepoints
    Wireless-WCS:task31=Monitor Spectrum Experts
    Wireless-WCS:task32=RRM Dashboard
    Wireless-WCS:task33=Mesh Reports
    Wireless-WCS:task34=Client Reports
    Wireless-WCS:task35=Performance Reports
    Wireless-WCS:task36=Security Reports
    Wireless-WCS:task37=Compliance Assistance Reports
    Wireless-WCS:task38=Voice Audit Report
    Wireless-WCS:task39=Config Audit Dashboard
    Wireless-WCS:task40=Location Server Management
    Wireless-WCS:task41=View Location Notifications
    Wireless-WCS:task42=Maps Read Only
    Wireless-WCS:task43=Maps Read Write
    Wireless-WCS:task44=Client Location
    Wireless-WCS:task45=Rogue Location
    Wireless-WCS:task46=Planning Mode
    Wireless-WCS:task47=High Availability Configuration
    Wireless-WCS:task48=Health Monitor Details
    Wireless-WCS:task49=Configure WIPS Profiles
    Wireless-WCS:task50=Global SSID Groups
    Wireless-WCS:task51=WIPS Service
    Wireless-WCS:task52=Configure Lightweight Access Point Templates
    Wireless-WCS:task53=Configure Autonomous Access Point Templates
    Wireless-WCS:task54=Guest Reports
    Wireless-WCS:task55=Handover Server Management
    Wireless-WCS:task56=Monitor Handover Server
    Wireless-WCS:task57=Configure Ethernet Switch Ports
    Wireless-WCS:task58=Configure Ethernet Switches
    Wireless-WCS:task59=Monitor Interferers
    Wireless-WCS:task60=Device Reports
    Wireless-WCS:task61=Network Summary Reports
    Wireless-WCS:task62=Compliance Reports
    Wireless-WCS:task63=CleanAir Reports
    Wireless-WCS:task64=Report Launch Pad
    Wireless-WCS:task65=Run Reports List
    Wireless-WCS:task66=Saved Reports List
    Wireless-WCS:task67=Report Run History
    Wireless-WCS:task68=Automated Feedback
    Wireless-WCS:task69=TAC Case Attachment Tool
    Wireless-WCS:task70=Ack and Unack Security Index Issues
    Wireless-WCS:task71=View Security Index Issues
    Wireless-WCS:task72=Monitor Media Streams
    Wireless-WCS:task73=Voice Diagnostics
    Wireless-WCS:task74=ContextAware Reports
    Thanks,
    Kyle

  • Cisco ISE with cisco-av-pair

    Hi All
    I am deploying a Cisco ISE together with a WLC to provide guest services. After the authentication the users will be redirected to the device registration page; this is done via the RADIUS attribute "cisco-av-pair = url-redirect=https://FQDN:8443/guestportal/gateway?sessionId=SessionIdValue&portal=..." returned by the ISE. My problem is that there is no internal DNS server in the guest network (it points to public DNS servers), so the clients cannot resolve the FQDN. We can manually add the redirect URL, however the SessionIdValue in the URL is a dynamic value; is there a way to put a dynamic value in the attributes manually?
    Thanks a lot!
    Leo

    Thanks Tarik, I saw you helped a lot of people with ISE configuration; I really appreciate your help.
    In ISE there is a place to set the default URL for Sponsor and My Devices, not sure why not for the Guest portal. As the DNS server is not available at this moment, we are using the WLC to do the redirect (so not CWA); the downside is we cannot have a whitelist since all requests will be redirected to the guest portal.

  • Cisco av-pairs SSID vs Dynamic Vlan Assignment

    Hello,
    Once upon a time, there was a Cisco av-pair attribute to allow a wireless user onto a given SSID through RADIUS servers.
    If I'm not wrong, this feature has not been supported any more (for several years) on the WLC.
    Dynamic VLAN assignment is an alternative way to control user access to a given VLAN. It simplifies the architecture, because only one SSID is needed and the user traffic is then redirected to the right VLAN. But... there is an important issue with it: since only one SSID (and BSSID) is used, broadcast packets from all VLANs are transmitted to everybody. It is an issue when some services use broadcast to announce their features (IPv6 autoconf, Bonjour, and so on...).
    So the question is whether a working alternative to SSID av-pairs exists.
    Thanks.     

    To be honest, I have never heard of this SSID av-pair ever working in wireless :)
    You would need at least two SSIDs and the RADIUS server would need the ability to send a CoA to disassociate the device so that the device would join the other SSID. The RADIUS server would also have to push out the wireless profile to the client for the SSID they need to associate to. This can be done using Cisco ISE, but not Microsoft RADIUS or even Cisco ACS.
    You can still use AAA override to place devices on specific VLANs and use the WLC to allow Bonjour or ACLs to filter what you don't want going out of the VLAN.  The WLC has Bonjour capabilities and thus you can specify that on the interface and not on the WLAN.  Of course there are limitations, but with newer requirements there is no one answer.  You might be able to meet certain requirements, but others you will have to sort of figure out.
    -Scott

  • Cisco ISE - CWA redirect in another way than cisco-av-pair?

    Hello.
    I'm trying to set up ISE for CWA.
    I have made all the rules in both Authentication and Authorization, and I also see the clients hitting the right rules. The Authorization rule redirects the client to a captive web portal within ISE like this: cisco-av-pair = url-redirect=https://ip:port/portal/gateway?sessionId=SessionIdValue&portal=etc.
    But here is the problem: we use Aerohive as access points, and Aerohive does not support cisco-av-pair attributes, since they are Cisco proprietary.
    Therefore, even if ISE says everything is fine, it's not, because Aerohive does not understand what has been sent to it.
    So the big question: is there a way to make the same redirect using standard RADIUS attributes?
    Thank you.

    Unfortunately there isn't. I have done a project with ISE and Aerohive before and, outside of basic 802.1x authentications, I was not able to deploy any of the other ISE features. There isn't an interoperability guide for ISE, just a compatibility one:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/compatibility/ise_sdt.html
    I could be wrong here, so if someone else has done this before please chime in.
    Thank you for rating helpful posts! 

  • VLAN Assignment of SSID using Cisco AV Pair or Dot1x ?

    Hi.
    I am looking to set up wireless access to 2 of my internal VLANs. I am using a Cisco 1130AG, PEAP and RADIUS for the authentication, as one network is for employees only and one is restricted to guests only.
    I was wondering which is the most recommended solution.
    1. Have 2 SSIDs, one in each VLAN, with access restricted using the Cisco AV Pair attribute in RADIUS
    or
    2. Use one SSID and use dot1x and the Tunnel attributes to assign the VLAN?
    This option I feel is more complicated, and I am still unsure how this works in reality, as the SSID itself can only be part of one VLAN?
    Do I have to configure a Dot11Radio and FastEthernet interface for each intended VLAN in this case?
    Could someone please explain and suggest their preferred option.
    Thanks.

    You should have two SSIDs, one for your internal network and one for guests. You should use 802.1x for your internal SSID, and your guest SSID should be open with a login page of some sort. You can still use dynamic VLAN assignment so that internal users who try to access the guest page will be put on the internal VLAN. Of course the guests will always be placed on the guest VLAN. If you have a WLC, the login page and setup are easier, because in autonomous mode you will have to use something like ZoneCD for guests if you want a hotspot type of Wi-Fi.

  • LMS , AAA via Radius and cisco AV pair

    We are trying to authenticate users on a CiscoWorks LMS 2.6 server using RADIUS.
    Is there a RADIUS vendor-specific attribute that can be used to make the authenticated user part of the admin groups?
    Ex: a Cisco-AV-pair, ?LMS?:groups="Network Administrator"
    I have tried a few, but none seem to work. And I haven't found documentation on this.

    No, it is pure authentication that is done.
    There is no way to select a role in LMS based on an AV pair.
    With TACACS+ something like that is possible.
    Cheers,
    Michel

  • ZBF: Assign zone to interface via Cisco AV Pair

    Hello,
    I am terminating ADSL connections via an L2TP tunnel from a service provider and have configured Cisco AV Pairs to assign incoming sessions into different VRFs based on the username of the remote router. I am also using Zone Based Firewall configuration and need to also assign the created virtual access interface into a zone in the same manner as I am assigning VRFs.
    I am assigning VRFs like so:
    Cisco-AVpair+=ip:vrf-id=<vrf-name>
    I have tried assigning a zone with the following configuration but with no luck:
    Cisco-AVpair+=ip:interface-config=zone-member security <zone-name>
    Cisco-AVpair+=lcp:interface-config=zone-member security <zone-name>
    I have looked around but am unable to find a definitive list of Cisco AV Pairs to determine if there is one suitable specifically to assign a zone or a more generic AV Pair that can assign arbitrary configuration.
    Any help appreciated.
    Thanks.

    For anyone else who has a similar issue, I raised the issue with Cisco TAC and the solution was to use a Cisco AVpair of
    lcp:interface-config=zone security <zonename>
    I also had to add:
    aaa policy interface-config allow-subinterface
    Once I did this it worked a treat.

  • ACS - cisco-av-pair

    Hi Sir,
    I have some doubts about the attribute in ACS: cisco-av-pair. I set up some ACLs in this attribute and hope this attribute can be sent from ACS to my PIX/ASA for future filtering usage if a user passes the first authentication attempt. I found that this attribute cannot be installed in the PIX (when I checked the PIX using 'show access-list') even though the user passes the authentication. What is the reason?

    Hello,
    I am using ASA 8.0 software. I also tried to use the 'downloadable ACL' attribute; this attribute does the job as its name says. But cisco-av-pair cannot. Is there another possible reason?
    Thanks.

  • Replace both Supervisor Engines on Cisco VSS pair

    Hi ,
    I have a VSS pair with one SUP on each switch. I'm preparing for a task to replace the SUP on switch 1 and switch 2, and I'm trying to see what my options are for this task:
    option 1: replace the SUP on both switches at the same time and build the VSS again, then apply the configuration (this requires a maintenance window)
    option 2: replace the SUP on switch 2 (using the procedure at http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-virtual-switching-system-1440/109334-replace-vss-sup-proc-v1.html), then do it again for switch 1.
    If anyone did this change before, please share your experiences; any ideas will be helpful.
    regards,

    Thanks Leo , 
    This is what I was thinking also, to do a clean VSS configuration. I was more concerned about the configuration after the rebuild: is it better to just copy the config file using TFTP or copy the running config directly into the VSS CLI? Our VSS contains a huge configuration with multiple routing protocols, filtering, MPLS, security, etc., so if I choose to just copy the config and paste it into the VSS CLI, I need to know the correct order of each set of commands; for example, I need to paste the IP prefixes and ACLs before the route-map commands, etc.
    Anyway, thanks for your advice.

  • ACS4.2, NX-OS und Cisco AV-Pair

    Hi
    Although I configured the AAA stuff on the Nexus 5k and the ACS with the shell exec and role information, I still end up with the default role "network-operator" on the Nexus.
    I attached the main configuration for this feature.
    Does anybody have an idea where the problem could be?
    Apparently the output of debug aaa all is not very useful; in this case NX-OS is not like IOS.
    ACS 4.2 Configuration:
    User Config:
    shell exec (enabled)
    shell:roles*"network-admin"  (actually I also tried shell:roles="network-admin")
    After login, the output of the command "show user-account" says:
    user:ude3964
            roles:network-operator
    account created through REMOTE authentication
    AAA Configuration:
    rzsgwu3s097# sh run aaa
    version 4.1(3)N2(1a)
    aaa authentication login default group tacacs local
    aaa authentication login console group tacacs local
    aaa authorization config-commands default group tacacs
    aaa authorization commands default group tacacs
    aaa authentication login error-enable
    tacacs-server directed-request
    rzsgwu3s097# sh run tacacs+
    version 4.1(3)N2(1a)
    feature tacacs+
    tacacs-server timeout 3
    tacacs-server host 172.28.193.35 key 7 "xx"
    aaa group server tacacs+ tacacs
        server 172.28.193.35
        source-interface Vlan501
    In the ACS Passed Authentications report everything looks fine.
    Any hints?
    Cheers
    Patrick

    On ACS set the log level detail to full, reproduce the problem, collect a package.cab, then look at the auth.log and TCS.log files, see if any hints appear there.
    Also, consider capturing the traffic between the NX-OS switch and ACS, to see what ACS is receiving from the switch and what it is sending back.

  • Cisco ISE Guest Portal - DNS Issue - External Zone

    Hello,
    I have a customer that has the following sceanrio :
    In a wireless deployment with Cisco ISE 1.1.3 and CWA, when the wireless guest receives the redirect URL from ISE (the URL to access the ISE Guest Portal), this URL is based on the ISE DNS name, not on its IP address; so the PC can't resolve this DNS name, since there is no DNS in the external zone (for guests) or via the ISP DNS server addresses provided by the DHCP server, and so it can't access the Guest Portal at all.
    I know that trying to manually code the IP address does not work (i.e. in the CWA Authorization profile, the equivalent URL redirect via the Cisco av-pair as follows:
    cisco-av-pair=url-redirect=https://10.10.10.10:8443/guestportal/gateway?sessionId=sessionIdValue&action=cwa )
    since the sessionIdValue variable is not replaced by its real value when sent to the wireless client.
    My question is: has this issue been addressed in Cisco ISE version 1.2? Has anyone tried it, if it has been addressed? If not in ISE 1.2, does anyone know if this feature will become available?
    Thank-you in advance for your replies.
    Robert C.

    Robert,
    Manual assignment has been made available in ISE 1.2 release.
    M.

  • Cisco ISE guest portal redirect not working after successful authentiation and URL redirect.

    Hi to all,
    I am having difficulties with an ISE deployment which I am scratching my head over and can't fathom out why this isn't working.
    I have an ISE 3315 doing a captive web portal for my guest users who are on an SSID.  The users are successfully redirected by the WLC to the following URL: https://x.x.x.x:8443/guestportal/Login.action?portalname=XXX_Guest_Portal
    Now when the user passes through the user authentication splash screen they get redirected to https://x.x.x.x:8443/guestportal/guest/redir.html and receive the following error:
    Error: Resource not found.
    Resource: /guestportal/
    Does anyone have any ideas why the portal is doing this?
    Thanks
    Paul

    Hello,
    As you are not able to get the guest portal, you need to check the following things:
    1) Ensure that the two Cisco av-pairs that are configured on the authorization profile exactly match the example below. (Note: Do not replace "ip" with the actual Cisco ISE IP address.)
    –url-redirect=https://ip:8443/guestportal/gateway?...lue&action=cpp
    –url-redirect-acl=ACL-WEBAUTH-REDIRECT (ensure that this ACL is also defined on the access switch)
    2) Ensure that the URL redirection portion of the ACL has been applied to the session by entering the show epm session ip <session IP> command on the switch (where the session IP is the IP address that was handed to the client machine by the DHCP server):
    Admission feature : DOT1X
    AAA Policies : #ACSACL#-IP-Limitedaccess-4cb2976e
    URL Redirect ACL : ACL-WEBAUTH-REDIRECT
    URL Redirect :
    https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A720000A45A2444BFC2&action=cpp
    3) Ensure that the preposture assessment DACL that is enforced from the Cisco ISE authorization profile contains the following lines:
    remark Allow DHCP
    permit udp any eq bootpc any eq bootps
    remark Allow DNS
    permit udp any any eq domain
    remark ping
    permit icmp any any
    permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
    permit tcp any host 80.0.80.2 eq www --> Provides access to internet
    permit tcp any host 80.0.80.2 eq 8443 --> This is for the guest portal port
    permit tcp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
    permit udp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
    permit udp any host 80.0.80.2 eq 8906 --> This is for posture communication between NAC agent and ISE (Swiss ports)
    deny ip any any
    Note: Ensure that the above URL Redirect has the proper Cisco ISE FQDN.
    4) Ensure that the ACL with the name "ACL-WEBAUTH-REDIRECT" exists on the switch as follows:
    ip access-list extended ACL-WEBAUTH-REDIRECT
    deny ip any host 80.0.80.2
    permit ip any any
    5) Ensure that the HTTP and HTTPS servers are running on the switch:
    ip http server
    ip http secure-server
    6) Ensure that, if the client machine employs any kind of personal firewall, it is disabled.
    7) Ensure that the client machine browser is not configured to use any proxies.
    8) Verify connectivity between the client machine and the Cisco ISE IP address.
    9) If Cisco ISE is deployed in a distributed environment, make sure that the client machines are aware of the Policy Service ISE node FQDN.
    10) Ensure that the Cisco ISE FQDN is resolved and reachable from the client machine.
    11) Otherwise, you need to re-image again.
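The DACL in step 3 and the redirect ACL in step 4 can be checked offline before touching the switch. The following is an added example, not code from the thread: a first-match evaluator that parses both ACLs as written in the checklist and reports, for a few constructed client flows, what the preposture DACL allows and which flows the url-redirect ACL will intercept (on IOS a permit match in the redirect ACL is redirected to the portal, a deny match bypasses the redirect). The client addresses and source ports are made up; the ACL text is the checklist's. Each ACL is evaluated on its own; the order in which the switch consults them is not modelled.

```python
"""First-match evaluator for the preposture DACL and the url-redirect ACL
from the checklist above. Added example, not code from the thread.
The ACL text is copied from the checklist; the client addresses in the
flows below are constructed. url-redirect-acl semantics on IOS:
permit match => redirected to the portal, deny match => not redirected.
"""
import ipaddress

PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53, "www": 80}

PREPOSTURE_DACL = """
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
remark ping
permit icmp any any
permit tcp any host 80.0.80.2 eq 443
permit tcp any host 80.0.80.2 eq www
permit tcp any host 80.0.80.2 eq 8443
permit tcp any host 80.0.80.2 eq 8905
permit udp any host 80.0.80.2 eq 8905
permit udp any host 80.0.80.2 eq 8906
deny ip any any
"""

WEBAUTH_REDIRECT_ACL = """
deny ip any host 80.0.80.2
permit ip any any
"""


def _addr(toks, i):
    """'any' or 'host A.B.C.D' at toks[i]; None means any."""
    if toks[i] == "any":
        return None, i + 1
    if toks[i] == "host":
        return ipaddress.IPv4Address(toks[i + 1]), i + 2
    raise ValueError("unsupported address form: %r" % toks[i])


def _port(toks, i):
    """Optional 'eq <name|number>' at toks[i]; None means any port."""
    if i < len(toks) and toks[i] == "eq":
        p = toks[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


def parse_acl(text):
    """Return ACEs as (action, proto, src, sport, dst, dport); remarks skipped."""
    aces = []
    for line in text.strip().splitlines():
        toks = line.split()
        if not toks or toks[0] == "remark":
            continue
        action, proto, i = toks[0], toks[1], 2
        src, i = _addr(toks, i)
        sport, i = _port(toks, i)
        dst, i = _addr(toks, i)
        dport, i = _port(toks, i)
        if i != len(toks):
            raise ValueError("trailing tokens in ACE: %r" % line)
        aces.append((action, proto, src, sport, dst, dport))
    return aces


def _matches(ace, flow):
    """flow is (proto, src, sport, dst, dport); None in the ACE matches anything."""
    _action, aproto, *afields = ace
    fproto, *ffields = flow
    if aproto != "ip" and aproto != fproto:
        return False
    return all(a is None or a == f for a, f in zip(afields, ffields))


def evaluate(aces, proto, src, dst, sport=None, dport=None):
    """First matching ACE wins; an IOS ACL ends with an implicit deny."""
    flow = (proto, ipaddress.IPv4Address(src), sport, ipaddress.IPv4Address(dst), dport)
    for ace in aces:
        if _matches(ace, flow):
            return ace[0]
    return "deny"


def redirected(redirect_acl, proto, src, dst, sport=None, dport=None):
    """url-redirect-acl: a permit match is intercepted, a deny match is not."""
    return evaluate(redirect_acl, proto, src, dst, sport, dport) == "permit"


if __name__ == "__main__":
    dacl, racl = parse_acl(PREPOSTURE_DACL), parse_acl(WEBAUTH_REDIRECT_ACL)
    client = "10.0.10.114"  # constructed guest client address
    flows = {"dhcp": ("udp", "0.0.0.0", "255.255.255.255", 68, 67),
             "dns": ("udp", client, "8.8.8.8", 51000, 53),
             "portal": ("tcp", client, "80.0.80.2", 51001, 8443),
             "web": ("tcp", client, "93.184.216.34", 51002, 80)}
    for name, flow in flows.items():
        print(name, evaluate(dacl, *flow), "redirect" if redirected(racl, *flow) else "bypass")
```

Run as is, the web flow to an outside host is denied by the DACL while the redirect ACL marks it for interception, and the flow to the portal on 8443 is permitted by the DACL and explicitly excluded from redirection; if you edit either ACL, rerun the evaluator before pushing the change.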

  • Cisco 28xx easy vpn server & MS NPS (RADIUS server)

    Hello.
    There is a LAN (192.168.11.0/24) with a Cisco 2821 border router (192.168.11.1), on which an Easy VPN Server is configured with local authorization of remote users, who connect with Cisco VPN Client v5.0. Everything works. The same LAN has an MS Windows Server 2012 Essentials acting as the AD DC.
    The need arose to move the authorization of remote users to a RADIUS server. We want to use MS Network Policy Server (NPS) 2012 Essentials (192.168.11.9) as the RADIUS server.
    On the server the corresponding policy is set up, the NPS server is registered in AD, a RADIUS client (192.168.11.1) has been created, and a Network Policy is configured. In AD a group VPN-USERS was created, to which, besides the remote users, a service user EasyVPN with the password "cisco" was added.
    Below is an excerpt from the Cisco 2821 config:
    aaa new-model
    aaa authentication login rausrs local
    aaa authentication login VPN-XAUTH group radius
    aaa authorization network ragrps local
    aaa authorization network VPN-GROUP local
    aaa session-id common
    crypto isakmp policy 10
    encr aes 256
    authentication pre-share
    group 2
    crypto isakmp client configuration address-pool local RAPOOL
    crypto isakmp client configuration group ra1grp
    key key-for-remote-access
    domain domain.local
    pool RAPOOL
    acl split-acl
    split-dns 192.168.11.9
    crypto isakmp client configuration group EasyVPN
    key qwerty123456
    domain domain.local
    pool RAPOOL
    acl split-acl
    split-dns 192.168.11.9
    crypto isakmp profile RA-profile
       description profile for remote access VPN
       match identity group ra1grp
       client authentication list rausrs
       isakmp authorization list ragrps
       client configuration address respond
    crypto isakmp profile VPN-IKMP-PROFILE
       description profile for remote access VPN via RADIUS
       match identity group EasyVPN
       client authentication list VPN-XAUTH
       isakmp authorization list VPN-GROUP
       client configuration address respond
    crypto ipsec transform-set tset1 esp-aes esp-sha-hmac
    crypto dynamic-map dyn-cmap 100
    set transform-set tset1
    set isakmp-profile RA-profile
    reverse-route
    crypto dynamic-map dyn-cmap 101
    set transform-set tset1
    set isakmp-profile VPN-IKMP-PROFILE
    reverse-route
    crypto map stat-cmap 100 ipsec-isakmp dynamic dyn-cmap
    int Gi0/1
    description -- to WAN --
    crypto map stat-cmap
    As a result, the Cisco produces the following error (shown in bold):
    RADIUS/ENCODE(000089E0):Orig. component type = VPN_IPSEC
    RADIUS:  AAA Unsupported Attr: interface         [157] 14
    RADIUS:   31 39 34 2E 38 38 2E 31 33 39 2E 31              [194.88.139.1]
    RADIUS(000089E0): Config NAS IP: 192.168.11.1
    RADIUS/ENCODE(000089E0): acct_session_id: 35296
    RADIUS(000089E0): sending
    RADIUS(000089E0): Send Access-Request to 192.168.11.9:1645 id 1645/61, len 103
    RADIUS:  authenticator 4A B1 DB 2D B7 58 B2 BF - 7F 12 6F 96 01 99 32 91
    RADIUS:  User-Name           [1]   9   "EasyVPN"
    RADIUS:  User-Password       [2]   18  *
    RADIUS:  Calling-Station-Id  [31]  16  "aaa.bbb.ccc.137"
    RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
    RADIUS:  NAS-Port            [5]   6   1
    RADIUS:  NAS-Port-Id         [87]  16  "aaa.bbb.ccc.136"
    RADIUS:  Service-Type        [6]   6   Outbound                  [5]
    RADIUS:  NAS-IP-Address      [4]   6   192.168.11.1
    RADIUS: Received from id 1645/61 192.168.11.9:1645, Access-Reject, len 20
    RADIUS:  authenticator A8 08 69 44 44 8B 13 A5 - 06 C2 95 8D B4 C4 E9 01
    RADIUS(000089E0): Received from id 1645/61
    MS NPS reports error 6273:
    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
        Security ID:            domain\VladimirK
        Account Name:            VladimirK
        Account Domain:           domain
        Fully Qualified Account Name:   domain.local/Users/VladimirK
    Client Machine:
        Security ID:            NULL SID
        Account Name:            -
        Fully Qualified Account Name:    -
        OS-Version:            -
        Called Station Identifier:        -
        Calling Station Identifier:       aaa.bbb.ccc.137
    NAS:
        NAS IPv4 Address:        192.168.11.1
        NAS IPv6 Address:        -
        NAS Identifier:            -
        NAS Port-Type:            Virtual
        NAS Port:            0
    RADIUS Client:
        Client Friendly Name:        Cisco2821
        Client IP Address:            192.168.11.1
    Authentication Details:
        Connection Request Policy Name:    Use Windows authentication for all users
        Network Policy Name:        Connections to other access servers
        Authentication Provider:        Windows
        Authentication Server:        DC01.domain.local
        Authentication Type:        PAP
        EAP Type:            -
        Account Session Identifier:        -
        Logging Results:            Accounting information was written to the local log file.
        Reason Code:            66
        Reason:                The user attempted to use an authentication method that is not enabled on the matching network policy.
    Playing with Cisco AV Pairs and the other Network Policy settings on the RADIUS server gives the same result.
    Studying the "Network Policy Server Technical Reference" and "Configuring IPSec Between a Cisco IOS Router and a Cisco VPN Client 4.x for Windows Using RADIUS for User Authentication", Document ID: 21060, gave no answer.
    If anyone has done something similar, please point me in a direction to look for a solution.

    Going through your post, I can see that RADIUS is sending an Access-Reject because the RADIUS Access-Request is sending a VPN group name in the user name field. I was in a discussion of the same problem a few days ago and it got resolved by making 2 changes:
    replace the authorization from RADIUS to local
    and
    change the encryption type in the transform set.
    However, your configuration already has those changes.
    Here you can check the same: https://supportforums.cisco.com/thread/2226065
    Could you please tell me what exactly the RADIUS server is complaining about? Can you please paste the error you're getting on the RADIUS server?
    ~BR
    Jatin Katyal
    **Do rate helpful posts**
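For anyone reading a debug like the one above, here is an added example (not code from the thread) of the RFC 2865 mechanics behind it: the NAS hides the PAP User-Password by XORing it with an MD5(secret || Request-Authenticator) keystream, and the 20-byte Access-Reject carries a Response Authenticator that the NAS must verify with the shared secret before acting on the reply. The shared secret and the Request Authenticator are constructed here; the User-Name, Service-Type, NAS-Port-Type and NAS-IP-Address values are the ones shown in the debug.

```python
"""PAP Access-Request construction and Access-Reject verification per
RFC 2865. Added example, not code from the thread. The secret and the
Request Authenticator are constructed; attribute values come from the debug.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3


def attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including these 2 bytes), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("PAP password longer than 128 bytes")
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], stream))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side of the same transform; strips the zero padding."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def access_request(ident: int, secret: bytes, username: bytes, password: bytes,
                   req_auth: bytes = None):
    """Return (packet, request_authenticator) for a PAP Access-Request."""
    req_auth = req_auth or os.urandom(16)
    attrs = (attr(1, username)                                    # User-Name
             + attr(2, hide_password(password, secret, req_auth))  # User-Password
             + attr(6, struct.pack("!I", 5))                       # Service-Type = Outbound
             + attr(61, struct.pack("!I", 5))                      # NAS-Port-Type = Virtual
             + attr(4, bytes([192, 168, 11, 1])))                  # NAS-IP-Address
    hdr = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return hdr + req_auth + attrs, req_auth


def response_authenticator(code: int, ident: int, attrs: bytes,
                           req_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(hdr + req_auth + attrs + secret).digest()


def access_reject(ident: int, req_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """What the server sends: header, Response Authenticator, attributes (len 20 if none)."""
    return (struct.pack("!BBH", ACCESS_REJECT, ident, 20 + len(attrs))
            + response_authenticator(ACCESS_REJECT, ident, attrs, req_auth, secret) + attrs)


def verify_response(packet: bytes, req_auth: bytes, secret: bytes) -> bool:
    """NAS-side check; a reply that fails this must be dropped, not acted on."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], req_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed, not from the thread
    pkt, ra = access_request(61, secret, b"EasyVPN", b"cisco")
    print("Access-Request len", len(pkt), "id", pkt[1])
    rej = access_reject(61, ra, secret)
    print("Access-Reject len", len(rej), "authentic:", verify_response(rej, ra, secret))
```

The password hiding is obfuscation keyed by the shared secret, not encryption with integrity, and the Response Authenticator is the only thing binding a reply to the request; this is why RADIUS belongs on an isolated management network or inside RadSec, and why a weak shared secret exposes every PAP password that crosses the wire.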

  • ISE version 1.0 - Unable to get management access for cisco devices

    Hi All,
    I want to manage all Cisco devices with read and write privilege using ISE 1.0.
    Is this functionality available in this version?
    I configured a 2960 switch.  On the switch the RADIUS test is successful. When I telnet to the switch, it asks for username and password, but the message is authorization failed. But ISE shows authentication is successful.
    Is it a configuration issue or is this feature not available in this version?
    Regards,
    Hanumant

    Hanumant,
    You will have to create an authorization profile to send back the privilege level for the user:
    Here is the attribute (cisco-av-pair) you will have to send back:
    shell:priv-lvl=xx
