Cisco-av-pair
Hi all,
I'm trying to configure ACS RADIUS and a PIX to work as cut-through proxy.
I want to set up some ACLs so that some users get one type of traffic and others get another.
I tried downloadable ACLs but they don't work (could it be caused by a bug in IOS?); now I'm trying to set up cisco-av-pair and I have another problem...
If I write
ip:inacl#1=permit tcp any any
ip:inacl#2=permit udp any any
ip:inacl#3=permit ip any any
ip:inacl#4=permit icmp any any
ip:inacl#5=deny tcp any any
it works fine... but if I configure this one
ip:inacl#1=permit tcp any any eq 20
ip:inacl#2=permit udp any any eq 20
ip:inacl#3=permit ip any any eq 20
ip:inacl#5=permit tcp any any eq 21
ip:inacl#6=permit udp any any eq 21
ip:inacl#7=permit ip any any eq 21
ip:inacl#8=permit tcp any any eq 80
ip:inacl#9=permit ip any any eq 80
ip:inacl#101=deny tcp any any
ip:inacl#102=deny ip any any
ip:inacl#103=deny udp any any
the PIX denies everything.
What is the mistake?
Thanks in advance.
Try...
ip:inacl#101=permit tcp any any eq 20
ip:inacl#102=permit udp any any eq 20
ip:inacl#103=permit ip any any eq 20
ip:inacl#104=permit tcp any any eq 21
ip:inacl#105=permit udp any any eq 21
ip:inacl#106=permit ip any any eq 21
ip:inacl#107=permit tcp any any eq 80
ip:inacl#108=permit ip any any eq 80
ip:inacl#109=deny tcp any any
ip:inacl#110=deny ip any any
ip:inacl#111=deny udp any any
Similar Messages
-
ISE 1.1.1 cisco-av-pair:Wireless-WCS
Hello,
Has anyone configured ISE yet to authenticate WCS against ISE using RADIUS? I have created the Authorization Profiles with role0=SuperUsers, task0=...etc., but I am wondering how everyone has done the authentication and authorization rules. Any lessons learned would be great.
Kyle
Yes, I have patch 1 installed. I am trying to add the following cisco-av-pairs:
Wireless-WCS:role0=Admin
Wireless-WCS:task0=Users and Groups
Wireless-WCS:task1=Virtual Domain Management
Wireless-WCS:task2=Audit Trails
Wireless-WCS:task3=TACACS+ Servers
Wireless-WCS:task4=RADIUS Servers
Wireless-WCS:task5=Logging
Wireless-WCS:task6=License Center
Wireless-WCS:task7=Scheduled Tasks and Data Collection
Wireless-WCS:task8=User Preferences
Wireless-WCS:task9=System Settings
Wireless-WCS:task10=View Alerts and Events
Wireless-WCS:task11=Email Notification
Wireless-WCS:task12=Delete and Clear Alerts
Wireless-WCS:task13=Pick and Unpick Alerts
Wireless-WCS:task14=Ack and Unack Alerts
Wireless-WCS:task15=Configure Controllers
Wireless-WCS:task16=Configure Templates
Wireless-WCS:task17=Configure Config Groups
Wireless-WCS:task18=Configure Access Points
Wireless-WCS:task19=Scheduled Configuration Tasks
Wireless-WCS:task20=Migration Templates
Wireless-WCS:task21=Configure Choke Points
Wireless-WCS:task22=Configure Spectrum Experts
Wireless-WCS:task23=Configure ACS View Servers
Wireless-WCS:task24=Auto Provisioning
Wireless-WCS:task25=Monitor Controllers
Wireless-WCS:task26=Monitor Access Points
Wireless-WCS:task27=Monitor Clients
Wireless-WCS:task28=Monitor Tags
Wireless-WCS:task29=Monitor Security
Wireless-WCS:task30=Monitor Chokepoints
Wireless-WCS:task31=Monitor Spectrum Experts
Wireless-WCS:task32=RRM Dashboard
Wireless-WCS:task33=Mesh Reports
Wireless-WCS:task34=Client Reports
Wireless-WCS:task35=Performance Reports
Wireless-WCS:task36=Security Reports
Wireless-WCS:task37=Compliance Assistance Reports
Wireless-WCS:task38=Voice Audit Report
Wireless-WCS:task39=Config Audit Dashboard
Wireless-WCS:task40=Location Server Management
Wireless-WCS:task41=View Location Notifications
Wireless-WCS:task42=Maps Read Only
Wireless-WCS:task43=Maps Read Write
Wireless-WCS:task44=Client Location
Wireless-WCS:task45=Rogue Location
Wireless-WCS:task46=Planning Mode
Wireless-WCS:task47=High Availability Configuration
Wireless-WCS:task48=Health Monitor Details
Wireless-WCS:task49=Configure WIPS Profiles
Wireless-WCS:task50=Global SSID Groups
Wireless-WCS:task51=WIPS Service
Wireless-WCS:task52=Configure Lightweight Access Point Templates
Wireless-WCS:task53=Configure Autonomous Access Point Templates
Wireless-WCS:task54=Guest Reports
Wireless-WCS:task55=Handover Server Management
Wireless-WCS:task56=Monitor Handover Server
Wireless-WCS:task57=Configure Ethernet Switch Ports
Wireless-WCS:task58=Configure Ethernet Switches
Wireless-WCS:task59=Monitor Interferers
Wireless-WCS:task60=Device Reports
Wireless-WCS:task61=Network Summary Reports
Wireless-WCS:task62=Compliance Reports
Wireless-WCS:task63=CleanAir Reports
Wireless-WCS:task64=Report Launch Pad
Wireless-WCS:task65=Run Reports List
Wireless-WCS:task66=Saved Reports List
Wireless-WCS:task67=Report Run History
Wireless-WCS:task68=Automated Feedback
Wireless-WCS:task69=TAC Case Attachment Tool
Wireless-WCS:task70=Ack and Unack Security Index Issues
Wireless-WCS:task71=View Security Index Issues
Wireless-WCS:task72=Monitor Media Streams
Wireless-WCS:task73=Voice Diagnostics
Wireless-WCS:task74=ContextAware Reports
Thanks,
Kyle -
Hi All
I am deploying a Cisco ISE together with a WLC to provide guest services. After authentication the users will be redirected to the device registration page; this is done via the RADIUS attribute "cisco-av-pair = url-redirect=https://FQDN:8443/guestportal/gateway?sessionId=SesionIdValue&portal=..." returned by the ISE. My problem is that there is no internal DNS server in the guest network (it points to public DNS servers), so the clients cannot resolve the FQDN. We can manually add the redirect URL, however the SessionIdValue in the URL is a dynamic value; is there a way to put a dynamic value in the attributes manually?
Thanks a lot!
Leo
Thanks Tarik, I saw you helped a lot of people with ISE configuration; I really appreciate your help.
In ISE there is a place to set the default URL for Sponsor and My Devices, not sure why not for the Guest portal. As the DNS server is not available at this moment, we are using the WLC to do the redirect (so not CWA); the downside is we cannot have a whitelist since all requests will be redirected to the guest portal. -
Cisco av-pairs SSID vs Dynamic Vlan Assignment
Hello,
Once upon a time, there was a Cisco av-pairs attribute to allow a Wireless user to a given SSID through Radius servers.
If I'm not wrong, this feature has no longer been supported (for several years) on the WLC.
Dynamic VLAN assignment is an alternative way to control user access to a given VLAN. It simplifies the architecture, because only one SSID is needed and the user traffic is then redirected to the right VLAN. But... there is an important issue with it: since only one SSID (and BSSID) is used, broadcast packets from all VLANs are transmitted to everybody. It is an issue when some services use broadcast to announce their features (IPv6 autoconf, Bonjour, and so on...).
So the question is if a working alternative to SSID av-pairs exists.
Thanks.
To be honest, I have never heard of this SSID av-pair ever working in wireless :)
You would need at least two SSIDs and the RADIUS server would need the ability to send a CoA to disassociate the device so that the device would join the other SSID. The RADIUS server would also have to push out the wireless profile to the client for the SSID they need to associate to. This can be done using Cisco ISE, but not Microsoft RADIUS or even Cisco ACS.
You can still use AAA override to place devices on specific VLANs and use the WLC to allow Bonjour or ACLs to filter what you don't want going out of the VLAN. The WLC has Bonjour capabilities and thus you can specify that on the interface and not on the WLAN. Of course there are limitations, but newer requirements mean that there is no one answer. You might be able to meet certain requirements, but others you will have to sort of figure out.
-Scott -
Cisco ISE - CWA redirect in another way than cisco-av-pair?
Hello.
I'm trying to set up ISE as a CWA.
I have made all the rules in both Authentication and Authorization, and I also see the clients hitting the right rules. The Authorization rule redirects the client to a captive web portal within ISE like this: cisco-av-pair = url-redirect=https://ip:port/portal/gateway?sessionId=SessionIdValue&portal=etc.
But here is the problem: we use Aerohive access points, and Aerohive does not support cisco-av-pair attributes, since they're Cisco proprietary.
Therefore, even if ISE says everything is fine, it's not, because Aerohive does not understand what's been sent to it.
So the big question: is there a way to make the same redirect using standard RADIUS attributes?
Thank you.
Unfortunately there isn't. I have done a project with ISE and Aerohive before and, outside of basic 802.1X authentication, I was not able to deploy any of the other ISE features. There isn't an interoperability guide for ISE, just a compatibility one:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/compatibility/ise_sdt.html
I could be wrong here, so if someone else has done this before please chime in.
Thank you for rating helpful posts! -
VLAN Assignment of SSID using Cisco AV Pair or Dot1x ?
Hi.
I am looking to setup wireless access to 2 of my internal VLANs. I am using Cisco 1130AG, PEAP and RADIUS for the authentication as one network is for employees only and one restricted to guests only.
I was wondering which was the most recommended solution.
1. To have 2 SSIDs, with one in each VLAN with the access restricted using the Cisco AV Pair attribute in RADIUS
or
2. Use one SSID and use Dot1x and the Tunnel attribute to assign the VLAN?
This option I feel is more complicated and I am still unsure how this works in reality, as the SSID itself can only be part of one VLAN?
Do I have to configure a Dot11Radio and Fastethernet interface for each intended vlan in this case?
Could someone please explain and suggest their preferred option.
Thanks.
You should have two SSIDs, one for your internal and one for guest. You should use 802.1X for your internal and your guest should be open with a login page of some sort. You can still use dynamic VLAN assignment so that your internal users who try to access the guest page will be put on the internal VLAN. Of course the guest will always be placed on the guest VLAN. If you have a WLC, the login page and setup are easier, because in autonomous you will have to use something like ZoneCD for guest if you want a hotspot-type Wi-Fi.
-
LMS , AAA via Radius and cisco AV pair
We are trying to authenticate users on a Ciscoworks LMS server 2.6 using Radius.
Is there a radius vendor specific attribute that can be used to make the authenticated user part of the admin groups ?
For example a Cisco-AV-pair, "LMS":groups="Network Administrator"
I have tried a few, but none seem to work. And I haven't found documentation on this.
No, it is pure authentication that is done.
There is no way to select a role in LMS based on an AV pair.
With tacacs+ something like that is possible.
Cheers,
Michel -
ZBF: Assign zone to interface via Cisco AV Pair
Hello,
I am terminating ADSL connections via an L2TP tunnel from a service provider and have configured Cisco AV Pairs to assign incoming sessions into different VRFs based on the username of the remote router. I am also using Zone Based Firewall configuration and need to also assign the created virtual access interface into a zone in the same manner as I am assigning VRFs.
I am assigning VRFs like so:
Cisco-AVpair+=ip:vrf-id=<vrf-name>
I have tried assigning a zone with the following configuration but with no luck:
Cisco-AVpair+=ip:interface-config=zone-member security <zone-name>
Cisco-AVpair+=lcp:interface-config=zone-member security <zone-name>
I have looked around but am unable to find a definitive list of Cisco AV Pairs to determine if there is one suitable specifically to assign a zone or a more generic AV Pair that can assign arbitrary configuration.
Any help appreciated.
Thanks.
For anyone else who has a similar issue, I raised the issue with Cisco TAC and the solution was to use a Cisco AVpair of
lcp:interface-config=zone security <zonename>
I also had to add:
aaa policy interface-config allow-subinterface
Once I did this it worked a treat. -
Hi Sir,
I have some doubts about the attribute in ACS: cisco-av-pair. I set up some ACLs in this attribute and hope this attribute can be sent from ACS to my PIX/ASA for future filtering usage if a user passes the first authentication attempt. I found that this attribute cannot be installed in the PIX (when I checked the PIX using 'show access-list') even though the user passes the authentication. What is the reason?
Hello,
I am using ASA8.0 software. I also tried to use 'downloadable ACL' attribute, this attribute does the job as its name says. But cisco-av-pair cannot. Is there another possible reason?
Thanks. -
Replace both Supervisor Engines on Cisco VSS pair
Hi ,
I have a VSS pair with one SUP on each switch. I'm preparing for a task to replace the SUP on switch 1 and switch 2, and I'm trying to see what my options are to do this task:
Option 1: replace the SUP on both switches at the same time and build the VSS again, then apply the configuration (this requires a maintenance window).
Option 2: replace the SUP on switch 2 (using the procedure at http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-virtual-switching-system-1440/109334-replace-vss-sup-proc-v1.html), then do it again for switch 1.
If anyone did this change before, please share your experiences; any ideas will be helpful.
regards,
Thanks Leo,
This is what I was thinking also, to do a clean VSS configuration. I was more concerned about the configuration after the rebuild: is it better to just copy the config file using TFTP or copy the running config directly to the VSS CLI? Our VSS contains a huge configuration with multiple routing protocols, filtering, MPLS, security, etc., so if I choose to just copy the config and paste it on the VSS CLI, I need to know the correct order of each set of commands; for example, I need to paste the IP prefixes and ACLs before the route-map commands, etc.
Anyway, thanks for your advice. -
ACS 4.2, NX-OS and Cisco AV-Pair
Hi
Although I configured the AAA stuff on the Nexus 5k and the ACS with the shell exec and role information, I still end up with the default role "network-operator" in the Nexus.
I attached the main configuration for this feature.
Does anybody have an idea where the problem could be found?
Apparently the output of debug aaa all is not very useful - in this case NX-OS is not like IOS.
ACS 4.2 Configuration:
User Config:
shell exec (enabled)
shell:roles*"network-admin" (actually I also tried shell:roles="network-admin")
After Login - the output of the command "show user-account" says:
user:ude3964
roles:network-operator
account created through REMOTE authentication
AAA Configuration:
rzsgwu3s097# sh run aaa
version 4.1(3)N2(1a)
aaa authentication login default group tacacs local
aaa authentication login console group tacacs local
aaa authorization config-commands default group tacacs
aaa authorization commands default group tacacs
aaa authentication login error-enable
tacacs-server directed-request
rzsgwu3s097# sh run tacacs+
version 4.1(3)N2(1a)
feature tacacs+
tacacs-server timeout 3
tacacs-server host 172.28.193.35 key 7 "xx"
aaa group server tacacs+ tacacs
server 172.28.193.35
source-interface Vlan501
In the ACS passed Authentication Report everything looks fine.
Any hints?
Cheers
Patrick
On ACS set the log level detail to full, reproduce the problem, collect a package.cab, then look at the auth.log and TCS.log files and see if any hints appear there.
Also, consider capturing the traffic between the NX-OS switch and ACS, to see what ACS is receiving from the switch and what it is sending back. -
Cisco ISE Guest Portal - DNS Issue - External Zone
Hello,
I have a customer that has the following scenario:
In a wireless deployment and a Cisco ISE 1.1.3 deployment with CWA, when the wireless guest receives the redirect URL from ISE (the URL to access the ISE Guest Portal), this URL is based on the ISE DNS name, not on its IP address; so the PC can't resolve this via DNS name, since there is no DNS in the External zone (for guests) or by using the ISP DNS server addresses provided by the DHCP server, and so it can't access the Guest Portal at all.
I know that trying to manually code the IP address does not work (i.e. in the CWA Authorization profile, the equivalent URL redirect via the Cisco av-pair as follows:
cisco-av-pair=url-redirect=https://10.10.10.10:8443/guestportal/gateway?sessionId=sessionIdValue&action=cwa, )
since the sessionIdValue variable is not replaced by its real value when sent to the wireless client).
My question is: has this issue been addressed in Cisco ISE version 1.2 - has anyone tried it, if it has been addressed? If not in Cisco ISE 1.2 - does anyone know if this feature will become available?
Thank you in advance for your replies.
Robert C.
Robert,
Manual assignment has been made available in ISE 1.2 release.
M. -
Cisco ISE guest portal redirect not working after successful authentication and URL redirect.
Hi to all,
I am having difficulties with an ISE deployment which I am scratching my head over and can't fathom out why this isn't working.
I have an ISE 3315 doing a captive web portal for my guest users who are on an SSID. The users are successfully redirected by the WLC to the following URL: https://x.x.x.x:8443/guestportal/Login.action?portalname=XXX_Guest_Portal
Now when the user passes through the user authentication splash screen they get redirected to https://x.x.x.x:8443/guestportal/guest/redir.html and receive the following error:
Error: Resource not found.
Resource: /guestportal/
Does anyone have any ideas why the portal is doing this?
Thanks
Paul
Hello,
As you are not able to get the guest portal, you need to ensure the following things:
1) Ensure that the two Cisco av-pairs configured on the authorization profile exactly match the example below. (Note: Do not replace the "ip" with the actual Cisco ISE IP address.)
–url-redirect=https://ip:8443/guestportal/gateway?...lue&action=cpp
–url-redirect-acl=ACL-WEBAUTH-REDIRECT (ensure that this ACL is also defined on the access switch)
2) Ensure that the URL redirection portion of the ACL has been applied to the session by entering the show epm session ip command on the switch. (Where the session IP is the IP address that is passed to the client machine by the DHCP server.)
Admission feature : DOT1X
AAA Policies : #ACSACL#-IP-Limitedaccess-4cb2976e
URL Redirect ACL : ACL-WEBAUTH-REDIRECT
URL Redirect : https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A720000A45A2444BFC2&action=cpp
3) Ensure that the preposture assessment DACL that is enforced from the Cisco ISE authorization profile contains the following command lines:
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
remark ping
permit icmp any any
permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
permit tcp any host 80.0.80.2 eq www --> Provides access to internet
permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal port
permit tcp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8906 --> This is for posture communication between NAC agent and ISE (Swiss ports)
deny ip any any
Note:- Ensure that the above URL Redirect has the proper Cisco ISE FQDN.
4) Ensure that the ACL with the name "ACL-WEBAUTH-REDIRECT" exists on the switch as follows:
ip access-list extended ACL-WEBAUTH-REDIRECT
deny ip any host 80.0.80.2
permit ip any any
5) Ensure that the http and https servers are running on the switch:
ip http server
ip http secure-server
6) Ensure that, if the client machine employs any kind of personal firewall, it is disabled.
7) Ensure that the client machine browser is not configured to use any proxies.
8) Verify connectivity between the client machine and the Cisco ISE IP address.
9) If Cisco ISE is deployed in a distributed environment, make sure that the client machines are aware of the Policy Service ISE node FQDN.
10) Ensure that the Cisco ISE FQDN is resolved and reachable from the client machine.
11) Or you need to re-image again. -
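As an added example that is not code from either thread, the following Python checks ACL values of both kinds seen on this page before they are handed to RADIUS: the ip:inacl#N= av-pair values from the first thread (Cisco-av-pair on a PIX cut-through proxy) and the bare DACL lines from point 3 above. It applies the standard ACL grammar, under which a port operator is only valid for tcp and udp, so entries of the form permit ip any any eq 20 (present in both lists of the first thread) are rejected as unparseable; it warns about non-contiguous numbering and about entries shadowed by an earlier ip any any; and it dry-runs a packet against the list with first-match semantics and the implicit deny. The sample values are copies of the page's own lists; the port-name table covers only the names used on this page.

```python
"""Lint and dry-run Cisco-style ACL entries before they go out via RADIUS.
Added example, not code from the threads. Accepts 'ip:inacl#N=ACE' av-pair
values and bare DACL lines; port names cover only those used on this page."""
import ipaddress
import re
from collections import namedtuple

NAMED_PORTS = {"ftp-data": 20, "ftp": 21, "domain": 53, "bootps": 67,
               "bootpc": 68, "www": 80, "https": 443}
AVPAIR_RE = re.compile(r"^ip:inacl#(\d+)=(.+)$")
ANY = ipaddress.ip_network("0.0.0.0/0")
# action: permit|deny; proto: ip|tcp|udp|icmp; ports are None when absent
Ace = namedtuple("Ace", "seq action proto src src_port dst dst_port")

def _addr(tok, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tok[i]."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    mask = ipaddress.ip_address(int(ipaddress.ip_address(tok[i + 1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok[i]}/{mask}", strict=False), i + 2

def _port_spec(tok, i):
    """Optional 'eq PORT' (number or name) following an address."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (int(p) if p.isdigit() else NAMED_PORTS[p]), i + 2
    return None, i

def parse_ace(seq, text):
    tok = text.split("-->")[0].split()           # drop '--> comment' annotations
    action, proto = tok[0], tok[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"#{seq}: unknown action {action!r}")
    src, i = _addr(tok, 2)
    sport, i = _port_spec(tok, i)
    dst, i = _addr(tok, i)
    dport, i = _port_spec(tok, i)
    if i != len(tok):
        raise ValueError(f"#{seq}: unexpected tokens {tok[i:]}")
    if proto not in ("tcp", "udp") and (sport, dport) != (None, None):
        # 'permit ip any any eq 20' is not valid ACL syntax: only tcp and udp carry
        # ports. An ACL the firewall cannot parse never installs, which leaves the
        # user with nothing but the implicit deny.
        raise ValueError(f"#{seq}: protocol {proto!r} cannot take a port operator")
    return Ace(seq, action, proto, src, sport, dst, dport)

def parse_avpairs(values):
    """'ip:inacl#N=ACE' values, returned in numeric order of N."""
    aces = []
    for v in values:
        m = AVPAIR_RE.match(v.strip())
        if not m:
            raise ValueError(f"not an ip:inacl av-pair: {v!r}")
        aces.append(parse_ace(int(m.group(1)), m.group(2)))
    return sorted(aces, key=lambda a: a.seq)

def parse_dacl(lines):
    """DACL body: bare ACE lines in file order; 'remark' and blank lines skipped."""
    aces = []
    for line in lines:
        line = line.strip()
        if line and not line.startswith("remark"):
            aces.append(parse_ace(len(aces) + 1, line))
    return aces

def lint(aces):
    """Warnings: non-contiguous numbering and entries shadowed by a catch-all."""
    warnings, seqs = [], [a.seq for a in aces]
    if seqs and seqs[-1] - seqs[0] + 1 != len(seqs):
        warnings.append("non-contiguous sequence numbers: " + ", ".join(map(str, seqs)))
    for k, a in enumerate(aces):
        if a.proto == "ip" and a.src == ANY and a.dst == ANY and k + 1 < len(aces):
            warnings.append(f"entries after #{a.seq} ({a.action} ip any any) never match")
            break
    return warnings

def check_avpairs(values):
    """What an admin should fix before pushing the values: a parse error, or warnings."""
    try:
        return lint(parse_avpairs(values))
    except (ValueError, KeyError) as e:
        return [f"error: {e}"]

def evaluate(aces, proto, src, dst, sport=None, dport=None):
    """First match wins; implicit deny at the end, as on PIX/ASA and IOS."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a in aces:
        if a.proto not in ("ip", proto) or s not in a.src or d not in a.dst:
            continue
        if a.src_port is not None and a.src_port != sport:
            continue
        if a.dst_port is not None and a.dst_port != dport:
            continue
        return a.action, a.seq
    return "deny", None

# Copied from the first thread, minus the 'ip ... eq' entries that cannot parse.
SAMPLE_AVPAIRS = ["ip:inacl#1=permit tcp any any eq 20", "ip:inacl#2=permit udp any any eq 20",
                  "ip:inacl#5=permit tcp any any eq 21", "ip:inacl#8=permit tcp any any eq 80",
                  "ip:inacl#101=deny tcp any any", "ip:inacl#102=deny ip any any",
                  "ip:inacl#103=deny udp any any"]
# Trimmed copy of the preposture DACL from point 3 of the answer above.
SAMPLE_DACL = """remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
permit icmp any any
permit tcp any host 80.0.80.2 eq 443 --> URL redirect
permit tcp any host 80.0.80.2 eq 8443 --> guest portal
deny ip any any""".splitlines()
```

Running check_avpairs over the first thread's second list reports the parse error on entry #3 before anything reaches the PIX, and evaluate(parse_dacl(SAMPLE_DACL), "tcp", "10.0.0.5", "80.0.80.2", 40000, 8443) shows the guest-portal port being permitted by entry 5 while any other port to the same host falls through to the final deny.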
Cisco 28xx easy vpn server & MS NPS (RADIUS server)
Hello.
There is a LAN (192.168.11.0/24) with a Cisco 2821 border router (192.168.11.1) on which an Easy VPN Server is configured with local authorization of remote users, who connect with Cisco VPN Client v5.0. Everything works. In the same LAN there is an MS Windows Server 2012 Essentials acting as the AD DC.
It has become necessary to move the authorization of remote users to a RADIUS server. I would like to use MS Network Policy Server (NPS) 2012 Essentials (192.168.11.9) as the RADIUS server.
The corresponding policy has been set up on the server, the NPS server is registered in AD, a RADIUS client (192.168.11.1) has been created and a Network Policy configured. In AD a group VPN-USERS was created, to which, in addition to the remote users, a service user EasyVPN with the password "cisco" was added.
Below is an excerpt from the Cisco 2821 config:
aaa new-model
aaa authentication login rausrs local
aaa authentication login VPN-XAUTH group radius
aaa authorization network ragrps local
aaa authorization network VPN-GROUP local
aaa session-id common
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp client configuration address-pool local RAPOOL
crypto isakmp client configuration group ra1grp
key key-for-remote-access
domain domain.local
pool RAPOOL
acl split-acl
split-dns 192.168.11.9
crypto isakmp client configuration group EasyVPN
key qwerty123456
domain domain.local
pool RAPOOL
acl split-acl
split-dns 192.168.11.9
crypto isakmp profile RA-profile
description profile for remote access VPN
match identity group ra1grp
client authentication list rausrs
isakmp authorization list ragrps
client configuration address respond
crypto isakmp profile VPN-IKMP-PROFILE
description profile for remote access VPN via RADIUS
match identity group EasyVPN
client authentication list VPN-XAUTH
isakmp authorization list VPN-GROUP
client configuration address respond
crypto ipsec transform-set tset1 esp-aes esp-sha-hmac
crypto dynamic-map dyn-cmap 100
set transform-set tset1
set isakmp-profile RA-profile
reverse-route
crypto dynamic-map dyn-cmap 101
set transform-set tset1
set isakmp-profile VPN-IKMP-PROFILE
reverse-route
crypto map stat-cmap 100 ipsec-isakmp dynamic dyn-cmap
int Gi0/1
description -- to WAN --
crypto map stat-cmap
As a result, the following error appears on the Cisco (highlighted in bold):
RADIUS/ENCODE(000089E0):Orig. component type = VPN_IPSEC
RADIUS: AAA Unsupported Attr: interface [157] 14
RADIUS: 31 39 34 2E 38 38 2E 31 33 39 2E 31 [194.88.139.1]
RADIUS(000089E0): Config NAS IP: 192.168.11.1
RADIUS/ENCODE(000089E0): acct_session_id: 35296
RADIUS(000089E0): sending
RADIUS(000089E0): Send Access-Request to 192.168.11.9:1645 id 1645/61, len 103
RADIUS: authenticator 4A B1 DB 2D B7 58 B2 BF - 7F 12 6F 96 01 99 32 91
RADIUS: User-Name [1] 9 "EasyVPN"
RADIUS: User-Password [2] 18 *
RADIUS: Calling-Station-Id [31] 16 "aaa.bbb.ccc.137"
RADIUS: NAS-Port-Type [61] 6 Virtual [5]
RADIUS: NAS-Port [5] 6 1
RADIUS: NAS-Port-Id [87] 16 "aaa.bbb.ccc.136"
RADIUS: Service-Type [6] 6 Outbound [5]
RADIUS: NAS-IP-Address [4] 6 192.168.11.1
RADIUS: Received from id 1645/61 192.168.11.9:1645, Access-Reject, len 20
RADIUS: authenticator A8 08 69 44 44 8B 13 A5 - 06 C2 95 8D B4 C4 E9 01
RADIUS(000089E0): Received from id 1645/61
MS NPS reports error 6273:
Сервер сетевых политик отказал пользователю в доступе.
За дополнительными сведениями обратитесь к администратору сервера сетевых политик.
Пользователь:
ИД безопасности: domain\VladimirK
Имя учетной записи: VladimirK
Домен учетной записи: domain
Полное имя учетной записи: domain.local/Users/VladimirK
Компьютер клиента:
ИД безопасности: NULL SID
Имя учетной записи: -
Полное имя учетной записи: -
Версия ОС: -
Идентификатор вызываемой станции: -
Идентификатор вызывающей станции: aaa.bbb.ccc.137
NAS:
Адрес IPv4 NAS: 192.168.11.1
Адрес IPv6 NAS: -
Идентификатор NAS: -
Тип порта NAS: Виртуальная
Порт NAS: 0
RADIUS-клиент:
Понятное имя клиента: Cisco2821
IP-адрес клиента: 192.168.11.1
Сведения о проверке подлинности:
Имя политики запроса на подключение: Использовать проверку подлинности Windows для всех пользователей
Имя сетевой политики: Подключения к другим серверам доступа
Поставщик проверки подлинности: Windows
Сервер проверки подлинности: DC01.domain.local
Тип проверки подлинности: PAP
Тип EAP: -
Идентификатор сеанса учетной записи: -
Результаты входа в систему: Сведения об учетных данных были записаны в локальный файл журнала.
Код причины: 66
Причина: Пользователь пытался применить способ проверки подлинности, не включенный в соответствующей сетевой политике.
Playing with Cisco AV Pairs and other Network Policy settings on the RADIUS server gives the same result.
Studying the "Network Policy Server Technical Reference" and "Configuring IPSec Between a Cisco IOS Router and a Cisco VPN Client 4.x for Windows Using RADIUS for User Authentication" (Document ID: 21060) gave no answer.
If anyone has done something like this, please point me in a direction to look for a solution.
Going through your post, I could see that RADIUS is sending an Access-Reject because the RADIUS Access-Request is sending a VPN group name in the User-Name field. I was in a discussion of the same problem a few days ago and that got resolved by making 2 changes.
replace the authorization from radius to local
and
changing the encryption type in transform set
However, your configuration already has those changes.
Here you can check the same : https://supportforums.cisco.com/thread/2226065
Could you please tell me what exactly the RADIUS server is complaining about? Can you please paste the error you're getting on the RADIUS server.
~BR
Jatin Katyal
**Do rate helpful posts** -
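As an added example, not code from the thread, the following Python parses the debug radius lines quoted above into the Access-Request and its reply and then explains the reject from what the attributes say: a User-Name equal to a crypto isakmp client configuration group name together with Service-Type Outbound is the router's group-authorization lookup rather than a user's XAUTH login, and a User-Password attribute means PAP, which the NPS network policy has to allow (the NPS event quoted above gives reason code 66 for exactly that). The sample lines are copied from the post; the finding tags are mine.

```python
"""Turn IOS 'debug radius' output into request/response pairs and explain a reject.
Added example, not code from the thread. Sample lines are copied from the debug
output posted above; the reason-66 text is from the NPS event in the same post."""
import re

SEND_RE = re.compile(r"^RADIUS\([0-9A-Fa-f]+\): Send (?P<code>\S+) to (?P<srv>\S+) id (?P<id>\S+), len \d+")
RECV_RE = re.compile(r"^RADIUS: Received from id (?P<id>\S+) (?P<srv>\S+), (?P<code>[^,]+), len \d+")
ATTR_RE = re.compile(r"^RADIUS:\s+(?P<name>[\w-]+)\s+\[(?P<num>\d+)\]\s+\d+\s*(?P<val>.*)$")
# Reason code from the NPS event 6273 quoted in the post above.
NPS_REASONS = {66: "authentication method not enabled in the matching network policy"}

def _clean(val):
    """'"EasyVPN"' -> EasyVPN, 'Outbound [5]' -> Outbound, '*' stays '*'."""
    val = val.strip()
    if len(val) >= 2 and val[0] == val[-1] == '"':
        return val[1:-1]
    m = re.fullmatch(r"(\S+)\s+\[\d+\]", val)
    return m.group(1) if m else val

def parse_debug(lines):
    """Group attribute lines under the request they follow; attach the reply by id."""
    exchanges, current = [], None
    for line in lines:
        line = line.strip()
        m = SEND_RE.match(line)
        if m:
            current = {"id": m["id"], "server": m["srv"], "request": m["code"],
                       "attrs": {}, "response": None}
            exchanges.append(current)
            continue
        m = RECV_RE.match(line)
        if m:
            for ex in exchanges:
                if ex["id"] == m["id"] and ex["server"] == m["srv"]:
                    ex["response"] = m["code"].strip()
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current["attrs"][m["name"]] = _clean(m["val"])
    return exchanges

def diagnose(exchange, isakmp_groups, nps_reason=None):
    """Findings for a rejected request, each prefixed with a stable tag."""
    a, findings = exchange["attrs"], []
    if exchange["response"] != "Access-Reject":
        return findings
    if a.get("User-Name") in isakmp_groups and a.get("Service-Type") == "Outbound":
        findings.append("group-lookup: User-Name is an ISAKMP client group, not a user; "
                        "the server needs an account for the group, or group "
                        "authorization stays local")
    if "User-Password" in a and not any(k.startswith(("CHAP", "EAP")) for k in a):
        findings.append("pap: request carries User-Password, i.e. PAP; the NPS network "
                        "policy must allow PAP for this client")
    if nps_reason in NPS_REASONS:
        findings.append(f"nps-{nps_reason}: {NPS_REASONS[nps_reason]}")
    return findings

# Copied from the debug output in the post above.
SAMPLE_DEBUG = """
RADIUS(000089E0): Send Access-Request to 192.168.11.9:1645 id 1645/61, len 103
RADIUS: authenticator 4A B1 DB 2D B7 58 B2 BF - 7F 12 6F 96 01 99 32 91
RADIUS: User-Name [1] 9 "EasyVPN"
RADIUS: User-Password [2] 18 *
RADIUS: Calling-Station-Id [31] 16 "aaa.bbb.ccc.137"
RADIUS: NAS-Port-Type [61] 6 Virtual [5]
RADIUS: NAS-Port [5] 6 1
RADIUS: Service-Type [6] 6 Outbound [5]
RADIUS: NAS-IP-Address [4] 6 192.168.11.1
RADIUS: Received from id 1645/61 192.168.11.9:1645, Access-Reject, len 20
RADIUS: authenticator A8 08 69 44 44 8B 13 A5 - 06 C2 95 8D B4 C4 E9 01
""".splitlines()
# Group names from the 'crypto isakmp client configuration group' lines in the config above.
ISAKMP_GROUPS = {"ra1grp", "EasyVPN"}
```

diagnose(parse_debug(SAMPLE_DEBUG)[0], ISAKMP_GROUPS, nps_reason=66) yields the group-lookup, PAP and reason-66 findings for the exchange above; the same parser works on any debug radius capture, so it is a cheap first pass before opening a packet capture.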
ISE version 1.0 - Unable to get management access for cisco devices
Hi All,
I want to manage all cisco devices with read and write privilege with ISE 1.0.
Is this functionality available in this version?
I configured the 2960 switch. On the switch the RADIUS test is successful. When I telnet to the switch, it asks for username and password, but the message is authorization fail. But ISE shows authentication is successful.
Is it configuration issue or this feature is not available in this version?
Regards,
Hanumant
Hanumant,
You will have to create an authorization profile to send back the privilege level for the user:
Here is the attribute (cisco-av-pair) you will have to send back:
shell:priv-lvl=xx
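As an added example that is not ISE's or ACS's code, the following Python checks a set of cisco-av-pair values against the shapes used across the threads on this page: url-redirect (https, the ip token or an FQDN rather than a literal address, and the SessionIdValue placeholder the access device substitutes, which the ISE 1.1 threads above report is not substituted when an address is hard-coded), its companion url-redirect-acl, shell:priv-lvl from the answer above, shell:roles from the NX-OS thread (where * instead of = marks the attribute optional), ip:inacl#N, and ip:vrf-id / lcp:interface-config from the ZBF thread. The checks and the finding tags are mine.

```python
"""Sanity-check the cisco-av-pair values an authorization profile will return.
Added example, not ISE's or ACS's code. It knows only the value shapes seen in
the threads on this page; the tags on the findings are mine."""
import re
from urllib.parse import parse_qs, urlsplit

# Placeholder the access device swaps for the live session id. The ISE examples
# above write it as SessionIdValue, so the comparison is case-insensitive.
SESSION_TOKEN = "sessionidvalue"
# '=' is the usual separator; NX-OS also accepts '*' (shell:roles*"...") to mark
# the attribute optional, as in the ACS/NX-OS thread above.
PAIR_RE = re.compile(r"^([^=*]+)([=*])(.*)$")

def check_url_redirect(value):
    findings, u = [], urlsplit(value)
    if u.scheme != "https":
        findings.append("url-redirect: scheme should be https")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", u.hostname or ""):
        findings.append("url-redirect: host is a literal IP; use the 'ip' token or the ISE FQDN")
    if parse_qs(u.query).get("sessionId", [""])[0].lower() != SESSION_TOKEN:
        findings.append("url-redirect: sessionId must be the placeholder token, not a real value")
    return findings

def check_avpairs(values):
    """Return findings for a list of cisco-av-pair values; an empty list means clean."""
    findings, seen = [], set()
    for v in values:
        m = PAIR_RE.match(v.strip())
        if not m:
            findings.append(f"{v!r}: not KEY=VALUE")
            continue
        key, val = m.group(1).strip(), m.group(3).strip()
        if key in seen:
            findings.append(f"{key}: given more than once")
        seen.add(key)
        if key == "url-redirect":
            findings += check_url_redirect(val)
        elif key == "url-redirect-acl":
            if not val:
                findings.append("url-redirect-acl: empty ACL name")
        elif key == "shell:priv-lvl":
            if not val.isdigit() or not 0 <= int(val) <= 15:
                findings.append(f"shell:priv-lvl: {val!r} is not a level 0..15")
        elif key == "shell:roles":
            if not val.strip('"'):
                findings.append("shell:roles: empty role list")
        elif key.startswith("ip:inacl#"):
            seq = key[len("ip:inacl#"):]
            if not seq.isdigit():
                findings.append(f"{key}: sequence number must be an integer")
            elif val.split()[:1] not in (["permit"], ["deny"]):
                findings.append(f"{key}: ACE must start with permit or deny")
        elif key in ("ip:vrf-id", "lcp:interface-config", "ip:interface-config"):
            if not val:
                findings.append(f"{key}: empty value")
        else:
            findings.append(f"{key}: not a cisco-av-pair prefix this checker knows")
    # The ISE answer above sends url-redirect and url-redirect-acl as a pair.
    if ("url-redirect" in seen) != ("url-redirect-acl" in seen):
        findings.append("url-redirect and url-redirect-acl must be sent together")
    return findings

# Constructed in the form the ISE answer above prescribes.
GOOD_CWA = ["url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa",
            "url-redirect-acl=ACL-WEBAUTH-REDIRECT"]
# Constructed in the form the ISE 1.1 thread above reports as not working.
HARDCODED_CWA = ["url-redirect=https://10.10.10.10:8443/guestportal/gateway?sessionId=0A000A72&action=cwa"]
```

check_avpairs(GOOD_CWA) returns no findings, while check_avpairs(HARDCODED_CWA) reports the literal IP, the missing placeholder and the absent url-redirect-acl; the privilege-level check also catches the literal xx from the answer above before it reaches a switch.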