ISE RADIUS authorization NX-OS

Anybody could confirm if RADIUS authorization is not supported on NX-OS?
If it's not supported, how should it be configured with ISE once ISE doesn't support TACACS?
NX-OS(config)# aaa authorization config-commands default group radius local
Radius group is not supported for command authorization
could not update aaa configuration

Jan is correct, you can't configure NX-OS based device the same way you would IOS based one when it comes to AAA. NX-OS devices do not "understand" privilege level. Instead, they use RBAC (Role Based Access Control). As a result, you have to return a shell role from your Radius server:
shell:roles=user_role
For more info take a look at the latest "NX-OS Security Configuration Guide" or this link:
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/6_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6-x/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6-x_chapter_0110.html#task_1074483
Hope this helps!
Thank you for rating helpful posts!

Similar Messages

ISE Radius - Access-accept is returned with no autorization policy

Hello,
With ISE Radius service / PAP, the authentication passes OK, but the Network Element which send the autorization request, returns message "not enough user priviledges to execute command" and the HTTP page is blank.
The reason for that is, the Network Element is sending in the Access-Request with Service-Type value = 8, which means Authenticate-Only (and this can be seen at ISE . This causes the Radius server to authenticate, but not to send the authorization parameters back to the NE in the Access-Accept, causing the login to fail. A bit inside of the RFC:
5.6. Service-Type
    Description
       This Attribute indicates the type of service the user has
      requested, or the type of service to be provided. It MAY be used
      in both Access-Request and Access-Accept packets. A NAS is not
      required to implement all of these service types, and MUST treat
      unknown or unsupported Service-Types as though an Access-Reject
      had been received instead.
   Type
       6 for Service-Type.
      The Value field is four octets.
       1      Login
       2      Framed
       3      Callback Login
       4      Callback Framed
       5      Outbound
       6      Administrative
       7      NAS Prompt
       8      Authenticate Only
       9      Callback NAS Prompt
      10      Call Check
      11      Callback Administrative
There is no way to modify the value on the network element in the Access-Request packet.
Question: Is there a way to for the Cisco ISE to ignore the service type value (Authenticate Only), and return the autorization parametes back with the Access-Accept packet?
Thanks,
Lucho

Lucho,
I Checked the rfc and the answer is no, rfc states that no authorzation information needs to returned for this request.
http://www.ietf.org/rfc/rfc2865.txt
Thanks,
Tarik

Radius Authorization question

Can you configure Radius authorization to access a router or not.
I am confused because the Practical Studies book says "Use the local database for authorization instead of RADIUS because is incapable of understanding CLI":
aaa new-model
aaa authentication login default group radius
aaa authorization default local
Now in the Cisco website, says you can after configuring the following:
Cisco Secure NT RADIUS
Follow these steps to configure the server. http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008009465c.shtml
IETF, Service-type (attribute 6) = Nas-Prompt
In the CiscoRADIUS area, check AV-Pair, and in the rectangular box underneath, enter shell:priv-lvl=7.
aaa new-model
aaa authentication login default tacacs+|radius local
aaa authorization exec tacacs+|radius local
username backup privilege xxx password xxxx
radius-server host 171.x.x.x
radius-server key xxxx
privilege configure level 7 snmp-server host
privilege configure level 7 snmp-server enable
privilege configure level 7 snmp-server
privilege exec level 7 ping
privilege exec level 7 configure terminal
privilege exec level 7 configure

You can specify the exec privelege level for certain user on specific AAA client using RADIUS.
Based on that certain user can run all the commands that are part of that particular Privelege exec level.
Now if you want to allow certain set of commands from particular privilege exec level you need to use tacacs+ protocol
and enable command authorization sets command on your AAA server.
Check the following links as references on command authorization:
http://www.cisco.com/en/US/partner/products/ps9911/products_configuration_example09186a0080bc8514.shtml
http://www.cisco.com/en/US/partner/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
Please make sure to rate correct answers

Radius authorization for WAAS CM GUI

Hi,
We would like to enable radius authorization to the WAAS Central Manager GUI. We are having some problems doing this. Also this is only documented for TACACS and not for Radius.
We've seen the waas_rbac_groups attribute that can be delivered via Tacacs, can this attribute also travel in the radius attributes? We've already tried: shell:waas_rbac_groups on a Cisco-AV-Pair but that doesn't do it.
There should be a way; knowning that the TACACS is very rare these days.
Please help us
Regards,
Erik

Hi Prabnu,
Google Chrome has the same strange behaviour.;-( See the attachment.
Roman

AP Cannot join WLC, i have RADIUS authorization is pending for the AP Error

Hi Support,
I'm new in installing WIFI, I have WLC 2504 using 7.4.100.0
I have AP 1600 (AIR-CAP1602E-E-K9)
I installed the WLC and AP in a cisco poe switch, wlc and ap are in the same subnet and can ping ap from WLC, but the AP cannot join the wlc. i have this error message
(Cisco Controller) >show ap join stats detailed 00:06:f6:d6:03:f0
Sync phase statistics
- Time at sync request received............................ Not applicable
- Time at sync completed................................... Not applicable
Discovery phase statistics
- Discovery requests received.............................. 124
- Successful discovery responses sent...................... 124
- Unsuccessful discovery request processing................ 0
- Reason for last unsuccessful discovery attempt........... Not applicable
- Time at last successful discovery attempt................ Jun 11 11:56:46.133
- Time at last unsuccessful discovery attempt.............. Not applicable
Join phase statistics
- Join requests received................................... 62
- Successful join responses sent........................... 0
- Unsuccessful join request processing..................... 62
- Reason for last unsuccessful join attempt................ RADIUS authorization is pending for the AP
- Time at last successful join attempt..................... Not applicable
- Time at last unsuccessful join attempt................... Jun 11 11:56:56.606
Another this is from AP cli, i cannot have the command configure terminal
Can you please help me

Thanks Scott, i'm in Gabon (Central Africa) there is no Gabon in coutries list, then i chosen France.
this is the new status
(Cisco Controller) >show ap join stats detailed 00:06:f6:d6:03:f0
Sync phase statistics
- Time at sync request received............................ Not applicable
- Time at sync completed................................... Not applicable
Discovery phase statistics
- Discovery requests received.............................. 126
- Successful discovery responses sent...................... 126
- Unsuccessful discovery request processing................ 0
- Reason for last unsuccessful discovery attempt........... Not applicable
- Time at last successful discovery attempt................ Jun 11 13:38:37.411
- Time at last unsuccessful discovery attempt.............. Not applicable
Join phase statistics
- Join requests received................................... 63
- Successful join responses sent........................... 1
- Unsuccessful join request processing..................... 62
- Reason for last unsuccessful join attempt................ RADIUS authorization is pending for the AP
- Time at last successful join attempt..................... Jun 11 13:38:49.888
- Time at last unsuccessful join attempt................... Jun 11 11:56:56.606
Configuration phase statistics
--More-- or (q)uit
- Configuration requests received.......................... 0
- Successful configuration responses sent.................. 0
- Unsuccessful configuration request processing............ 0
- Reason for last unsuccessful configuration attempt....... Not applicable
- Time at last successful configuration attempt............ Not applicable
- Time at last unsuccessful configuration attempt.......... Not applicable
Last AP message decryption failure details
- Reason for last message decryption failure............... Not applicable
Last AP disconnect details
- Reason for last AP connection failure.................... Timed out while waiting for ECHO repsonse from the AP
- Last AP disconnect reason................................ Not applicable
Last join error summary
- Type of error that occurred last......................... AP got or has been disconnected
- Reason for error that occurred last...................... Timed out while waiting for ECHO repsonse from the AP
- Time at which the last join error occurred............... Jun 11 13:40:31.432
AP disconnect details
- Reason for last AP connection failure.................... Timed out while waiting for ECHO repsonse from the AP
Ethernet Mac : 00:06:f6:d6:03:f0 Ip Address : 172.25.100.84
--More-- or (q)uit
(Cisco Controller) >

Configuring Cisco ISE for Authorization with External Radius Server attribute

Hi,
I'm trying to integrate an external radius server with Cisco ISE.
I created an External Identity Store>Radius Token Server.
I created a Identity Store sequence with just one identity store just as creadted above.
And I was able to authenticate successfully.
But when it comes to authorization.
I observed we just have one tab named Authorization while creating Radius Token server.
And it always refers to ACS:attribute_name.
If I want to define a IETF radius attribute, (lets say class with attribute id as 25), how could I do it.
In Cisco ACS we have a direct entry option in authorization tab where we can define the radius (IETF) attribute within Radius token server creation (within radius token server>Directory attribute tab).
How ever I try to define the IETF attribute here (class,IETF:Class) I am not able to authorize with this attribute value.
I tried with just one single authorization rule where it could hit.But observed it to go the default(as none of the rules defined matches the condition).
Can anyone guide me how can we define a IETF radius attribute for authorization within Cisco ISE and what policy could we set it to work as authorization.
Thanks in advance
Senthil K

This is the step of Creating and Editing RADIUS Vendors
To create and edit a RADIUS vendor, complete the following steps:
Step 1 From the Administration mega menu, choose Resources > RADIUS Vendors.
The RADIUS Vendors page appears with a list of RADIUS vendors that ISE supports.
Step 2 Click Create to create a new RADIUS vendor or click the radio button next to the RADIUS vendor that
you want to edit and click Edit.
Step 3 Enter the following information:
• Name—(Required) Name of the RADIUS vendor.
• Description—An optional description for the vendor.
• Vendor ID—(Required) The Internet Assigned Numbers Authority (IANA)-approved ID for the
vendor.
• Vendor Attribute Type Field Length—(Required) The number of bytes taken from the attribute value
to be used to specify the attribute type. Valid values are 1, 2, and 4. The default value is 1.
• Vendor Attribute Size Field Length—(Required) The number of bytes taken from the attribute value
to be used to specify the attribute length. Valid values are 0 and 1. The default value is 1.
Step 4 Click Submit to save the RADIUS vendor.

Cisco ISE - radius proxy

Hi,
Is the following possible:
- let the ISE do the authentication and then proxy to another radius server which does the authorization.
At the moment we have a freeradius server that does the following:
1) authenticates 802.1x requests (eap-tls)
2) during authorization the server checks an external database that determines the vlan that should be returned (in radius attribute) based on originating switch and/or mac address.
I am checking if I can migrate to ISE but then the above would have to work.
For MAB I can easily do authentication/authorization on freeradius so I will proxy MAB requests to there.
regards
Thomas

ISE acts as a RADIUS proxy server by proxying the requests from a network access device (NAD) to a RADIUS server. The RADIUS server processes the request and returns the result to Cisco ISE. Cisco ISE then sends the response to the NAD
FYI
you can use the RADIUS server sequences to proxy the requests to a RADIUS server.
The RADIUS server sequence strips the domain name from the RADIUS-Username attribute for RADIUS authentications. This domain stripping is not applicable for EAP authentications, which use the EAP-Identity attribute. The RADIUS proxy server obtains the username from the RADIUS-Username attribute and strips it from the character that you specify when you configure the RADIUS server sequence. For EAP authentications, the RADIUS proxy server obtains the username from the EAP-Identity attribute. EAP authentications that use the RADIUS server sequence will succeed only if the EAP-Identity and RADIUS-Username values are the same.

ISE Radius device administration authentication possible?

Hi,
does anybody know if Radius device administration authentication and authorization is possible with the actual ISE release? I know that TACACS will be available in future release.
Regards
Joerg

Yes it's possible according to "Ask the experts" forum :
https://supportforums.cisco.com/thread/2172532
"If you use RADIUS for device administration, ISE can be utilized using authorization policy elements that return Cisco av-pairs. But personally, I think ACS is currently superior to ISE for this task."
Anyway, I'm about to test "device admin" and "network access" simultaneously in the same switch with Radius and ISE.
Please rate if it helps

IOS SSL VPN WITH RADIUS Authorization

Hi
I'm trying to authenitcate and authorize the users loggining into SSLVPN via ACS and although the ACS loggs and "TEST" command on the router shw succeeful authentication i receive the flollowing debug
*Jun 6 22:39:50.157: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: SSLVPN i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at 10.0.0.100:4346
Rack1R1(config)#
*Jun 6 22:40:09.409: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: SSLVPN i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at 10.0.0.100:4357
Rack1R1(config)#
*Jun 6 22:40:21.409: WV-AAA: AAA authentication request sent for user: "SSLUSER"
*Jun 6 22:40:21.409: RADIUS/ENCODE(00000000):Orig. component type = INVALID
*Jun 6 22:40:21.409: RADIUS/ENCODE(00000000): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Jun 6 22:40:21.409: RADIUS(00000000): Config NAS IP: 150.1.1.1
*Jun 6 22:40:21.409: RADIUS(00000000): sending
*Jun 6 22:40:21.409: RADIUS(00000000): Send Access-Request to 10.0.0.100:1645 id 1645/27, len 60
*Jun 6 22:40:21.409: RADIUS: authenticator AC 16 B3 54 46 72 37 05 - 4C 00 19 21 81 97 40 6E
*Jun 6 22:40:21.409: RADIUS: User-Name           [1]   16 "SSLUSER@SSLVPN"
Rack1R1(config)#
*Jun 6 22:40:21.409: RADIUS: User-Password       [2]   18 *
*Jun 6 22:40:21.409: RADIUS: NAS-IP-Address      [4]   6   150.1.1.1
*Jun 6 22:40:21.669: RADIUS: Received from id 1645/27 10.0.0.100:1645, Access-Accept, len 282
*Jun 6 22:40:21.669: RADIUS: authenticator 2D 2C B0 39 89 4C 41 88 - 40 32 E2 09 0D 7F 6B 0C
*Jun 6 22:40:21.669: RADIUS: Framed-IP-Address   [8]   6   255.255.255.255
*Jun 6 22:40:21.669: RADIUS: Vendor, Cisco       [26] 28
*Jun 6 22:40:21.669: RADIUS:   Cisco AVpair       [1]   22 "webvpn:svc-enabled=1"
*Jun 6 22:40:21.669: RADIUS: Vendor, Cisco       [26] 29
*Jun 6 22:40:21.669: RADIUS:   Cisco AVpair       [1]   23 "webvpn:svc-required=1"
*Jun 6 22:40:21.669: RADIUS: Vendor, Cisco       [26] 50
*Jun 6 22:40:21.669: RADIUS:   Cisco AVpair       [1]   44 "webvpn:split-include=6.6.6.0 255.255.255.0"
*Jun 6 22:40:21.669: RADIUS: Vendor, Cisco       [26] 35
*Jun 6 22:40:21.669: RADIUS:   Cisco AVpair       [1]   29 "webvpn:keep-svc-installed=1"
*Jun 6 22:40:21.669: RADIUS: Vendor, Cisco       [26] 31
*Jun 6 22:40:21.669: RADIUS:   Cisco AVpair       [1]   25 "webvpn:addr-pool=SSLVPN"
*Jun 6 22:40:21.669: RADIUS: Vendor, Cisco       [26] 41
*Jun 6 22:40:21.669: RADIUS: Service-Type        [6]   6   Outbound                  [5]
*Jun 6 22:40:21.669: RADIUS: Class               [25] 36
*Jun 6 22:40:21.669: RADIUS:   43 41 43 53 3A 30 2F 34 37 30 2F 39 36 30 31 30 [CACS:0/470/96010]
*Jun 6 22:40:21.669: RADIUS:   31 30 31 2F 53 53 4C 55 53 45 52 40 53 53 4C 56 [101/SSLUSER@SSLV]
*Jun 6 22:40:21.669: RADIUS:   50 4E                                            [PN]
*Jun 6 22:40:21.673: RADIUS(00000000): Received from id 1645/27
*Jun 6 22:40:21.673: RADIUS(00000000): Unique id not in use
Rack1R1(config)#
*Jun 6 22:40:21.673: RADIUS/DECODE(00000000): There is no RADIUS DB Some Radius attributes may not be stored
*Jun 6 22:40:21.673: AAA/AUTHOR (0x0): Pick method list 'RAD'
Rack1R1(config)#
*Jun 6 22:40:23.673: WV-AAA: AAA Authentication Failed!
Rack1R1(config)#
*Jun 6 22:40:24.069: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: SSLVPN i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at 10.0.0.100:4359
Rack1R1(config)#
router Configuration
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Rack1R1
boot-start-marker
boot-end-marker
! card type command needed for slot/vwic-slot 0/1
logging message-counter syslog
enable password cisco
aaa new-model
aaa authentication login RAD group radius
aaa authorization network RAD group radius
aaa session-id common
dot11 syslog
ip source-route
ip cef
no ip domain lookup
ip domain name INE.com
ip host cisco.com 136.1.121.1
ip host www.cisco.com 136.1.121.1
ip host www.google.com 136.1.121.1
ip host www.ripe.net 136.1.121.1
no ipv6 cef
multilink bundle-name authenticated
crypto pki trustpoint TP-self-signed-3354934498
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3354934498
revocation-check none
rsakeypair TP-self-signed-3354934498
crypto pki certificate chain TP-self-signed-3354934498
certificate self-signed 01
30820247 308201B0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33333534 39333434 3938301E 170D3132 30363036 31333030
32375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 33353439
33343439 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B1E5 889BEB9A 31DFC0D4 7C7F698F 0F52E404 0849263A BD443A96 13C6A440
DCBD4345 EF301E91 0D4AADD9 3C2A17F2 E26E5E96 90F96809 D8FCCF32 7EB58100
74E4772C 6395E03C 1B7F1AF5 482F861F DD62D079 F9977FE2 0E544E18 5FAAF290
DF665B45 EF10D3EC D924E87A 5F827F07 06DE8961 F361C3FA EDBE5F68 452221C8
B9570203 010001A3 6F306D30 0F060355 1D130101 FF040530 030101FF 301A0603
551D1104 13301182 0F526163 6B315231 2E494E45 2E636F6D 301F0603 551D2304
18301680 140B00B8 FD9B58CF 8A6F51BE 25DEC6C5 85E14495 05301D06 03551D0E
04160414 0B00B8FD 9B58CF8A 6F51BE25 DEC6C585 E1449505 300D0609 2A864886
F70D0101 04050003 81810006 4192E2DB ABAF533E 9C4BF24E DF6BFD45 144A6AE9
C874E311 27B23E7B E8DB18C3 4FFB4ACA 4B09F63E 62501578 D8F58D73 D08F016F
49C99B8D DA1073E5 A141C1C7 505BD191 FC58EA7F 54BD9B98 579E1726 7C1CA619
A45DDABC 8F315EE9 D20A30A8 2BD5D67D B744BD69 353B4670 E5BA4540 47059E60
9DC4C940 E91AACBB 4EAFFA
        quit
username admin privilege 15 password 0 admin
username SSLUSER@SSLVPN password 0 cisco
archive
log config
hidekeys
crypto ipsec client ezvpn EZVPN_CLIENT
connect auto
mode client
xauth userid mode interactive
ip tcp synwait-time 5
interface Loopback0
ip address 150.1.1.1 255.255.255.0
interface Loopback6
ip address 6.6.6.6 255.255.255.0
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
interface FastEthernet0/1
no ip address
duplex auto
speed auto
interface FastEthernet0/1.11
encapsulation dot1Q 12
ip address 136.1.11.1 255.255.255.0
interface FastEthernet0/1.121
encapsulation dot1Q 121
ip address 136.1.121.1 255.255.255.0
interface FastEthernet0/0/0
interface FastEthernet0/0/1
interface FastEthernet0/0/2
interface FastEthernet0/0/3
interface Virtual-Template1 type tunnel
no ip address
tunnel mode ipsec ipv4
interface Vlan1
no ip address
router rip
version 2
passive-interface FastEthernet0/1.11
network 136.1.0.0
network 150.1.0.0
no auto-summary
ip local pool SSLVPN 40.0.0.1 40.0.0.254
ip forward-protocol nd
ip route 10.0.0.0 255.255.255.0 136.1.121.12
ip http server
ip http secure-server
ip dns server
ip access-list extended SPLIT
permit ip 136.1.11.0 0.0.0.255 10.0.0.0 0.0.0.255
ip radius source-interface Loopback0
radius-server host 10.0.0.100 auth-port 1645 acct-port 1646 key CISCO
control-plane
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
line vty 0 4
password cisco
scheduler allocate 20000 1000
webvpn gateway SSLVPN
ip interface Loopback0 port 443
http-redirect port 80
ssl encryption rc4-md5
ssl trustpoint TP-self-signed-3354934498
logging enable
inservice
webvpn install svc flash:/webvpn/anyconnect-win-2.5.3055-k9.pkg sequence 1
webvpn context SSLVPN
title "**SSLVPN **"
ssl encryption rc4-md5
ssl authenticate verify all
aaa authentication list RAD
aaa authentication domain @SSLVPN
aaa authorization list RAD
gateway SSLVPN
inservice
end
Any Idea?

Hi,
As I understand , you need to know if you can assign static ip to a user and also is there any other way of assiging a ip other than local pool.
There are three ways of assinging an ip address to VPN client: using local pool, AAA server,DHCP.
You can use the following link for more information:-
Assigning static ip for user present locally on ASA:-
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a7afb2.shtml
For user present on Active Directory:-
http://technet.microsoft.com/en-us/library/cc786213%28WS.10%29.aspx
The following is the link for assigning ip address using DHCP:-
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a66bc6.shtml
I hope it helps.
Thanks,
Shilpa

ISE: Dynamic Authorization Failed

Hi,
I am gettning warning messages in ISE saying
Cause:
Dynamic Authorization Failed for Device: 0002SWC003 (switch)
Details:
Dynamic Authorization Failed
It is not only on that switch but on all switches I have configured. I am using 3560 IPBase 12.2(55)SE6. I have configured them according to Trustsec 2.1.
My end devices are none-802.1x.
I can't figure out what is causing this error.
The thing is that I have not experienced any problem. In Live Authentications there are some 'Unknown' and 'Profiled' devices hitting the DenyAccess rule, but other then that everying is beeing Authorized fine.
Anyone got an idea what could be causing this error?
Regards,
Philip

This is what I have found out.. Using ISE Version 1.1.1.268. If you go the logs page
Jan 10,13 7:39:12.147 AM
Dynamic Authorization failed
and then go to the details...
Failure Reason > Authentication Failure Code Lookup
Failure Reason :
11213 No response received from Network Access Device
Generated on:January 10, 2013 8:08:17 AM PST
Description
No response received from Network Access Device.
Resolution Steps
Check the connectivity between ISE and Network Access Device. Ensure that ISE is defined as Dynamic Authorization Client on Network Access Device and that CoA is supported on device.
...next check into Resolution Steps...

Ise and authorization vlans

ineed to know for sure (and with detailed official documentation links or experience if possible)
if ISE for CoA accepts vlan names rather than vlan id numbers (multiple vtp domains: we have multiple vlan id numbers under the same consistant naming)
thank you in advance for your response

Not a problem, in the link that I posted at the end that is covered. Here is the comments that I was referring to:
Assign vendor-specific tunnel attributes in the RADIUS server. The RADIUS server must return these attributes to the switch:
–[64] Tunnel-Type = VLAN
–[65] Tunnel-Medium-Type = 802
–[81] Tunnel-Private-Group-ID = VLAN name or VLAN ID
Attribute [64] must contain the value VLAN (type 13). Attribute [65] must contain the value 802 (type 6). Attribute [81] specifies the VLAN name or VLAN ID assigned to the 802.1X-authenticated user.
Thanks,
Tarik Admani
*Please rate helpful posts*

ISE first authorization sucess and then fail (MAB)

Hi,
Using ISE 1.1.1 and Switch 3650 12.2(55)SE6.
I have a client (computer) that should be authenticated with MAB and then the switch port should be asigned a DACL and VLAN 90. I do get
"Authorization succeeded" but directly after it fails and I can't figure out why. ISE only shows the successful authentication under "Live Authenticaions".
As you can se from the log below 802.1x fails, as it should, and then MAB succeed, asigns the VLAN and then fails:
0002SWC002(config)#int fa0/13
0002SWC002(config-if)#shut
0002SWC002(config-if)#
Jan 7 13:26:59.640: %LINK-5-CHANGED: Interface FastEthernet0/13, changed state to administratively down
Jan 7 13:27:00.647: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to down
0002SWC002(config-if)#no shut
0002SWC002(config-if)#
Jan 7 13:27:19.689: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to down
Jan 7 13:27:22.063: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to up
Jan 7 13:27:22.776: %AUTHMGR-5-START: Starting 'dot1x' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000
020D7C192D1
Jan 7 13:27:23.070: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to up
Jan 7 13:27:51.054: %DOT1X-5-FAIL: Authentication failed for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID
Jan 7 13:27:51.054: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (f04d.a223.8f43) on Interface Fa
0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan 7 13:27:51.054: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0
A0005FC00000020D7C192D1
Jan 7 13:27:51.054: %AUTHMGR-5-START: Starting 'mab' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC0000002
0D7C192D1
Jan 7 13:27:51.088: %MAB-5-SUCCESS: Authentication successful for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005
FC00000020D7C192D1
Jan 7 13:27:51.088: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan 7 13:27:51.088: %AUTHMGR-5-VLANASSIGN: VLAN 90 assigned to Interface Fa0/13 AuditSessionID 0A0005FC00000020D7C192D1
Jan 7 13:27:51.096: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000020D7C192D1| AUTHTYPE DOT1X| EVENT APPLY
Jan 7 13:27:51.096: %EPM-6-IPEVENT: IP 0.0.0.0| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000020D7C192D1| AUTHTYPE DOT1X| EVENT
IP-WAIT
Jan 7 13:27:51.255: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A00
05FC00000020D7C192D1
Jan 7 13:27:52.027: %EPM-6-IPEVENT: IP 10.90.5.1| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000020D7C192D1| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENTReplacing duplicate ACE entry for host 10.90.5.1
Jan 7 13:27:52.036: %AUTHMGR-5-FAIL: Authorization failed for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00
000020D7C192D1
Jan 7 13:27:52.036: %EPM-6-POLICY_REQ: IP 10.90.5.1| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000020D7C192D1| AUTHTYPE DOT1X| EVENT REMOVE
After this the proces starts over again.
This is the switch port config:
interface FastEthernet0/13
description VoIP/Data
switchport mode access
switchport voice vlan 20
switchport port-security
switchport port-security violation restrict
ip access-group ACL-ALLOW in
srr-queue bandwidth share 1 70 25 5
srr-queue bandwidth shape 3 0 0 0
priority-queue out
authentication event fail action next-method
authentication event server dead action authorize voice
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
snmp trap mac-notification change added
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 10
storm-control broadcast level 2.00 1.00
storm-control multicast level 2.00 1.00
storm-control action shutdown
storm-control action trap
spanning-tree portfast
service-policy input ax-qos_butnet
ip dhcp snooping limit rate 5
end
Is there a problem with the client (computer) or in ISE/Switch?

Hi Tarik,
First off; thank you for helping me troubleshoot this problem.
I think the "IP-" part of "IP-ACL-IWMAC" is beeing added automaticly (in the switch maby?). I see this behaviour on other dACL too. I did not change the name of the ACL.
You seem to have a valid theory about the icmp statement. I changed it to "permit icmp any any" and it seems to work. But I can't explain why this is happening.
When I look at the debugs I see this difference
With the original ACL I get this:
%EPM-6-POLICY_REQ: IP 0.0.0.0| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000053E70733F4| AUTHTYPE DOT1X| EVENT APPLYReplacing duplicate ACE entry for host 10.90.5.1
%EPM-6-IPEVENT: IP 10.90.5.1| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000053E70733F4| AUTHTYPE DOT1X| EVENT IP-RELEASE
%EPM-6-IPEVENT: IP 10.90.5.1| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000053E70733F4| AUTHTYPE DOT1X| EVENT IP-WAIT
%AUTHMGR-5-FAIL: Authorization failed for client (f04d.a223.8f43) on Interface Fa0/13 AuditSessionID 0A0005FC00000053E70733F4
When using "permit icmp any any" i get this:
%EPM-6-POLICY_REQ: IP 0.0.0.0| MAC f04d.a223.8f43| AuditSessionID 0A0005FC00000055E70B8E7D| AUTHTYPE DOT1X| EVENT APPLY
%EPM-6-AAA: POLICY xACSACLx-IP-ACL-IWMAC-50eea905| EVENT DOWNLOAD-REQUEST
I tried googeling but can't find what "Replacing duplicate ACE entry for host xxx" means.
I have added debugs in attachment.
device1_orig_acl - the none working device with original ACL
device1_any_any - the none working device with permit icmp any any
working_device_orig_acl - the device that works with the original ACL
Do you have an answer to why this is happening?
Regards,
Philip

10.6.4 Server L2TP VPN using external RADIUS - Authorization Failed

I'm using 10.6.4 with VPN L2TP configured successfully using local user database for authentication. Now i want to configure the VPN to use Steel Belted Radius server for authentication (that hooked up to another LDAP server) for authentication.
I've configured the VPN service to use the radius server, authentication to radius is occurring but i'm getting errors that the user is not authorized to use the VPN service.
Is there a way to configure 10.6's VPN service to authorize any user that successfully authenticates against Radius?
NOTE: I've played around with Server Admin's access for VPN, with it set to all users, everyone ect, this did not make any difference to the error i'm getting from the vpn service.
Here's the log out put when the connection fails.
2010-08-27 12:52:34 PDT Loading plugin /System/Library/Extensions/L2TP.ppp
2010-08-27 12:52:34 PDT Listening for connections...
2010-08-27 12:52:39 PDT Incoming call... Address given to client = 192.168.105.1
Fri Aug 27 12:52:39 2010 : Directory Services Authorization plugin initialized
Fri Aug 27 12:52:39 2010 : L2TP incoming call in progress from '[ip address redacted]'…
Fri Aug 27 12:52:39 2010 : L2TP received SCCRQ
Fri Aug 27 12:52:39 2010 : L2TP sent SCCRP
Fri Aug 27 12:52:39 2010 : L2TP received SCCCN
Fri Aug 27 12:52:39 2010 : L2TP received ICRQ
Fri Aug 27 12:52:39 2010 : L2TP sent ICRP
Fri Aug 27 12:52:39 2010 : L2TP received ICCN
Fri Aug 27 12:52:39 2010 : L2TP connection established.
Fri Aug 27 12:52:39 2010 : using link 0
Fri Aug 27 12:52:39 2010 : Using interface ppp0
Fri Aug 27 12:52:39 2010 : Connect: ppp0 <--> socket[34:18]
Fri Aug 27 12:52:39 2010 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x55fc9b88> <pcomp> <accomp>]
Fri Aug 27 12:52:39 2010 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x7e9db3cb> <pcomp> <accomp>]
Fri Aug 27 12:52:39 2010 : lcp_reqci: returning CONFACK.
Fri Aug 27 12:52:39 2010 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x7e9db3cb> <pcomp> <accomp>]
Fri Aug 27 12:52:39 2010 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x55fc9b88> <pcomp> <accomp>]
Fri Aug 27 12:52:39 2010 : sent [LCP EchoReq id=0x0 magic=0x55fc9b88]
Fri Aug 27 12:52:39 2010 : sent [CHAP Challenge id=0xc8 <086a03234947113037497f4326585a1f>, name = "OSX SERVER"]
Fri Aug 27 12:52:39 2010 : rcvd [LCP EchoReq id=0x0 magic=0x7e9db3cb]
Fri Aug 27 12:52:39 2010 : sent [LCP EchoRep id=0x0 magic=0x55fc9b88]
Fri Aug 27 12:52:39 2010 : rcvd [LCP EchoRep id=0x0 magic=0x7e9db3cb]
Fri Aug 27 12:52:39 2010 : rcvd [CHAP Response id=0xc8 <5ad3c0cb063694e473f51c9252e007f400000000000000003701b4fa8e7b844e072cddeceefa73 173d7415c85cae976700>, name = "USERNAME"]
Fri Aug 27 12:52:40 2010 : sent [CHAP Success id=0xc8 "S=934D6E79F45791A61C378789A4D719BC6F249574"]
*Fri Aug 27 12:52:40 2010 : CHAP peer authentication succeeded for USERNAME*
*Fri Aug 27 12:52:40 2010 : DSAccessControl plugin: User 'USERNAME' not authorized for access*
*Fri Aug 27 12:52:40 2010 : sent [LCP TermReq id=0x2 "Authorization failed"]*
Fri Aug 27 12:52:40 2010 : Connection terminated.
Fri Aug 27 12:52:40 2010 : L2TP disconnecting...
Fri Aug 27 12:52:40 2010 : L2TP sent CDN
Fri Aug 27 12:52:40 2010 : L2TP sent StopCCN
Fri Aug 27 12:52:40 2010 : L2TP disconnected
2010-08-27 12:52:40 PDT --> Client with address = 192.168.105.1 has hungup
Message was edited by: sarah mays

I'm using 10.6.4 with VPN L2TP configured successfully using local user database for authentication. Now i want to configure the VPN to use Steel Belted Radius server for authentication (that hooked up to another LDAP server) for authentication.
I've configured the VPN service to use the radius server, authentication to radius is occurring but i'm getting errors that the user is not authorized to use the VPN service.
Is there a way to configure 10.6's VPN service to authorize any user that successfully authenticates against Radius?
NOTE: I've played around with Server Admin's access for VPN, with it set to all users, everyone ect, this did not make any difference to the error i'm getting from the vpn service.
Here's the log out put when the connection fails.
2010-08-27 12:52:34 PDT Loading plugin /System/Library/Extensions/L2TP.ppp
2010-08-27 12:52:34 PDT Listening for connections...
2010-08-27 12:52:39 PDT Incoming call... Address given to client = 192.168.105.1
Fri Aug 27 12:52:39 2010 : Directory Services Authorization plugin initialized
Fri Aug 27 12:52:39 2010 : L2TP incoming call in progress from '[ip address redacted]'…
Fri Aug 27 12:52:39 2010 : L2TP received SCCRQ
Fri Aug 27 12:52:39 2010 : L2TP sent SCCRP
Fri Aug 27 12:52:39 2010 : L2TP received SCCCN
Fri Aug 27 12:52:39 2010 : L2TP received ICRQ
Fri Aug 27 12:52:39 2010 : L2TP sent ICRP
Fri Aug 27 12:52:39 2010 : L2TP received ICCN
Fri Aug 27 12:52:39 2010 : L2TP connection established.
Fri Aug 27 12:52:39 2010 : using link 0
Fri Aug 27 12:52:39 2010 : Using interface ppp0
Fri Aug 27 12:52:39 2010 : Connect: ppp0 <--> socket[34:18]
Fri Aug 27 12:52:39 2010 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x55fc9b88> <pcomp> <accomp>]
Fri Aug 27 12:52:39 2010 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x7e9db3cb> <pcomp> <accomp>]
Fri Aug 27 12:52:39 2010 : lcp_reqci: returning CONFACK.
Fri Aug 27 12:52:39 2010 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x7e9db3cb> <pcomp> <accomp>]
Fri Aug 27 12:52:39 2010 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x55fc9b88> <pcomp> <accomp>]
Fri Aug 27 12:52:39 2010 : sent [LCP EchoReq id=0x0 magic=0x55fc9b88]
Fri Aug 27 12:52:39 2010 : sent [CHAP Challenge id=0xc8 <086a03234947113037497f4326585a1f>, name = "OSX SERVER"]
Fri Aug 27 12:52:39 2010 : rcvd [LCP EchoReq id=0x0 magic=0x7e9db3cb]
Fri Aug 27 12:52:39 2010 : sent [LCP EchoRep id=0x0 magic=0x55fc9b88]
Fri Aug 27 12:52:39 2010 : rcvd [LCP EchoRep id=0x0 magic=0x7e9db3cb]
Fri Aug 27 12:52:39 2010 : rcvd [CHAP Response id=0xc8 <5ad3c0cb063694e473f51c9252e007f400000000000000003701b4fa8e7b844e072cddeceefa73 173d7415c85cae976700>, name = "USERNAME"]
Fri Aug 27 12:52:40 2010 : sent [CHAP Success id=0xc8 "S=934D6E79F45791A61C378789A4D719BC6F249574"]
*Fri Aug 27 12:52:40 2010 : CHAP peer authentication succeeded for USERNAME*
*Fri Aug 27 12:52:40 2010 : DSAccessControl plugin: User 'USERNAME' not authorized for access*
*Fri Aug 27 12:52:40 2010 : sent [LCP TermReq id=0x2 "Authorization failed"]*
Fri Aug 27 12:52:40 2010 : Connection terminated.
Fri Aug 27 12:52:40 2010 : L2TP disconnecting...
Fri Aug 27 12:52:40 2010 : L2TP sent CDN
Fri Aug 27 12:52:40 2010 : L2TP sent StopCCN
Fri Aug 27 12:52:40 2010 : L2TP disconnected
2010-08-27 12:52:40 PDT --> Client with address = 192.168.105.1 has hungup
Message was edited by: sarah mays

Documentation for ISE RADIUS messages?

In ISE, clicking on Operations => Authentications, => Show Live Authentications brings up a list of authentication attempts. Clicking on Details on any one of the attempts brings up a list of authentication steps, each of which has an ID number and a description:
11001          Received RADIUS Access-Request
11017          RADIUS created a new session
15049          Evaluating Policy Group
15008          Evaluating Service Selection Policy
15048          Queried PIP
15048          Queried PIP
15004          Matched rule
11507          Extracted EAP-Response/Identity
12300          Prepared EAP-Request proposing PEAP with challenge
etc.....
Is there a document that describes these messages? I am a newb at this and I am unable to find anything.
Thanks,
-Jeff

Source: Cisco Internal DB.
Google can serach a troubleshooting guide for you:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/troubleshooting_guide/ise_tsg.html
~BR
Jatin Katyal
**Do rate helpful posts**

Ise radius/nac

Can ISE 1.1 act as a RADIUS for WGB through WLC?
thank you

Tarik,
Thanks for your answer, here is the problem !!!
In order to do PROFILING/POSTURING and all that for wireless clients here is what's needed:
Need to go to WLC (wireless controller) and choose RADIUS/NAC for the SSID.
So SSID = test RADIUS/NAC - then all normal clients go through ISE and get postured and profiled and all that works fine except...
WGBs cannot connect to SSID=test at all and they do not appear on ISE as an attempt at all.
As soon as I remove option RADIUS/NAC from WLC wgb connects and shows up on ISE fine and get authenticated ---> you would say well there you go that's ur problem , well yeah but if i DISABLE Radius/Nac option from WLC I lose the ability to control normal users that connect to SSID=test so it would just be PERMIT/DENY ACCESS based on username and the whole point of ISE would be ACS or Simple Radius Server.
Do you get my point?
Thank you.
P.s so for me to POSTURE/PROFILE wireless clients I need to use RADIUS/NAC option and for WGBs I have to setup a NEW SSID and leave that SSID without RADIUS/NAC option so it can only authenticate through ISE and not posture/profile clients, and I do not need to posture/profile clients behind WGB (it would be great but I don't necessarily need to, and I know they don't support CoA Change of Access attribute in RADIUS)

ISE RADIUS authorization NX-OS

Similar Messages

Maybe you are looking for