Radius Attribute Issue

Hi,
I'm having some issues implementing RADIUS accounting. Below are my configurations:
aaa group server radius ClearBox
server 192.168.111.8 auth-port 1812 acct-port 1813
accounting accept ClearBox
aaa accounting exec default start-stop group ClearBox
aaa accounting network default start-stop group ClearBox
aaa accounting connection h323 start-stop group ClearBox
aaa accounting resource default start-stop group ClearBox
aaa session-id common
gw-accounting aaa
radius-server attribute list ClearBox
attribute 1,4-6,25-26,28-31,40-41,44,46,49,61
radius-server host 192.168.111.8 auth-port 1812 acct-port 1813
radius-server key 7 12481603171B5B55
radius-server vsa send accounting
I am using ClearBox as my RADIUS server. It seems that the following attributes (h323-connect-time, h323-disconnect-time, h323-disconnect-cause) were not recorded on the ClearBox. See attached file for the screenshot. Maybe you can help me on this issue.

Try to enable the following debugs:
debug isdn q931
debug ppp negotiation
debug aaa authen
debug aaa accounting
debug radius
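To confirm whether the gateway actually puts the three h323 attributes on the wire, a captured Accounting-Request can be decoded directly. The following is an added example, not code from the thread or from ClearBox: the sample packet and its values are constructed, and the sub-type numbers follow the public Cisco RADIUS dictionary.

```python
import struct

VENDOR_SPECIFIC = 26   # RADIUS attribute type that carries VSAs
CISCO_VENDOR_ID = 9    # Cisco's IANA enterprise number
# Cisco VSA sub-types, numbered as in the public Cisco RADIUS dictionary
CISCO_VSA = {1: "Cisco-AVPair", 2: "Cisco-NAS-Port", 28: "h323-connect-time",
             29: "h323-disconnect-time", 30: "h323-disconnect-cause"}
H323_WANTED = ("h323-connect-time", "h323-disconnect-time",
               "h323-disconnect-cause")

def tlvs(buf):
    """Yield (type, value) for each type/length/value item in buf."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]

def cisco_vsas(packet):
    """Return {name: [values]} for every Cisco VSA in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not match captured data")
    found = {}
    for atype, value in tlvs(packet[20:length]):
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        # After the 4-byte vendor ID come vendor sub-attributes, also TLVs.
        for sub, data in tlvs(value[4:]):
            name = CISCO_VSA.get(sub, "cisco-vsa-%d" % sub)
            found.setdefault(name, []).append(data.decode("ascii", "replace"))
    return found

def missing_h323(packet):
    """List the wanted h323 attributes that the packet does not carry."""
    present = cisco_vsas(packet)
    return [name for name in H323_WANTED if name not in present]

# Constructed sample: an Accounting-Request (code 4) Stop record that carries
# h323-connect-time and h323-disconnect-cause but not h323-disconnect-time.
# The authenticator is left as zeros because this parser does not validate it.
def _attr(atype, value):
    return bytes([atype, len(value) + 2]) + value

def _cisco(sub, text):
    vendor = struct.pack("!I", CISCO_VENDOR_ID)
    return _attr(VENDOR_SPECIFIC, vendor + _attr(sub, text.encode("ascii")))

_BODY = (_attr(40, struct.pack("!I", 2))
         + _cisco(28, "h323-connect-time=12:00:00.000 UTC Mon Jan 1 2001")
         + _cisco(30, "h323-disconnect-cause=10"))
SAMPLE = struct.pack("!BBH", 4, 1, 20 + len(_BODY)) + bytes(16) + _BODY

if __name__ == "__main__":
    print(cisco_vsas(SAMPLE))
    print("missing:", missing_h323(SAMPLE))
```

If the attributes are present in the packet but absent from the server's records, the cause lies in the server's dictionary or logging rather than in the gateway configuration.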

Similar Messages

  • Cisco 2960-X & ISE accounting- username Radius attribute missing

    Hi,
    I'm facing an issue with Cisco 2960 switch RADIUS accounting with Cisco ISE 1.2.1. Here is my scenario:
    - Username (vendor1) is configured in the ISE local database, under group (VENDOR)
    - Authentication protocol: wired MAB
    - Authentication method: webauth using the guest portal. The user is a vendor, so no dot1x is configured on his NIC.
    The problem is that the switch is not sending the username as part of the RADIUS attributes. In the authentication log, the username is shown as the MAC address of the user machine, therefore I cannot configure my authorization condition using internaluser:Name Equal vendor1,
    while if I configure the condition using the identity group condition IdentityGroup:Name Equal VENDOR, it works.
    The same configuration is working on a 3750 switch with no issue.
    Here is my Switch config:
    aaa authentication login default local
    aaa authentication dot1x default group radius
    aaa authorization network default group radius 
    aaa authorization auth-proxy default group radius 
    aaa accounting auth-proxy default start-stop group radius
    aaa accounting dot1x default start-stop group radius
    aaa accounting update periodic 5
    username admin password 
    username radius-test password 
    aaa server radius dynamic-author
     client 172.16.2.20 server-key 7 04490A0206345F450C00
     client 172.16.2.21 server-key 7 03165A0F0F1A32474B10
    radius server ISE-RADIUS-1
     address ipv4 172.16.2.20 auth-port 1812 acct-port 1813
     automate-tester username radius-test idle-time 15
     key 7 111B18011E0718070133
    radius server ISE-RADIUS-2
     address ipv4 172.16.2.21 auth-port 1812 acct-port 1813
     automate-tester username radius-test idle-time 15
     key 7 0214055F02131C2A4957
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server attribute 31 mac format ietf upper-case
    radius-server attribute 31 send nas-port-detail
    radius-server dead-criteria time 5 tries 3
    radius-server vsa send accounting
    radius-server vsa send authentication
    Any help!!!

    Thanks for your reply. I know what MAB is. If you read my explanation again, I mentioned that the user is authenticated in the guest portal, which means that I have web authentication, and it is working fine. The only issue is that I cannot use the vendor1 username as part of the authorization condition, and this is because the switch is not sending RADIUS attribute type 1 to the ISE. Thus, in the ISE authentication log, the MAC address of the client machine is shown as the username, not the actual username (vendor1).
    As I mentioned also, I have exactly the same setup with ISE 1.2 and a 3750 switch and I do not have this issue. I experience this with the 2960-X only.

  • [Cisco ACS] 11036 The Message-Authenticator RADIUS attribute is invalid

    Hi,
    I got many Cisco AP which are linked to 2 Cisco WLC.
    On each WLC, I configured a primary and a secondary RADIUS Server.
    RADIUS servers are Cisco ACS 5.2.0.26 (patch 10)
    Primary and secondary ACS configurations are synchronized.
    There are no problem between primary WLC and Cisco ACS (primary and secondary).
    When secondary WLC requests primary Cisco ACS, I get this error "11036 The Message-Authenticator RADIUS attribute is invalid"
    Secondary WLC automatically contacts secondary Cisco ACS and it works fine.
    Cisco ACS description for this error: "This maybe because of mismatched Shared Secrets."
    The two Cisco ACS are synchronized so I should have same error on them...
    Why does primary ACS generate this error?
    Thanks for your help,
    Patrick

    Tarik Admani wrote:
    Amjad,
    That is a good observation, shouldn't 7.3 (which recently released) help put these types of issues to rest? I hear that the configuration can now be replicated from one controller to the next in a failover setup.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*
    Yes. That is a good point.
    With 7.3 you can use high availability (HA) between two WLCs and you can configure only one WLC (the primary) and all the configuration can be replicated and synched to the other WLC (the secondary).
    The two WLCs in the HA must be on same subnet though. Otherwise hot-standby HA between WLCs can't be used.
    Rating useful replies is more useful than saying "Thank you"

  • Radius Attributes Supported by WLC? Guest bandwidth limiting

    Hello all..
    I've seen several mentions of limited guest user traffic usage by QoS settings and policy maps. But my issue with this is, it's a global setting for that SSID. In my case, I have a 'Submit' button on our Guest Internet page that does a hidden login of the user Guest. In the past, I would apply a session timeout of 3 hours and limit the bandwidth by quite a bit. However, for vendors and visitors that come in, there was a login section where they could input the user/pass given to them by the helpdesk and, with RADIUS attributes, have an extended timeout with greater bandwidth. However, I haven't been able to get this to work on the controller-based service, other than the timeout attribute. Is anyone doing it this way? What attributes does the WLC support?

    Have you looked at the v4.2 code? You can create different QoS Roles, and then assign different people to different roles.
    I've never tried this through RADIUS though.
    Regards,
    Richard

  • Radius Attributes for WAP321 AP

    Hi
    Is there a list with the supported radius attributes for wlan-user-authentication? Now I have the following freeradius entry in my users file:
    DEFAULT Ldap-Group == 'wlanusers', Huntgroup-Name == 'accesspoint'
            Service-Type := Login,
            Fall-Through := No
    But it doesn't work. Have I forgotten some attributes?
    thx for any help
    Matthias

    Hi,
    Can you please take a screenshot of your configuration and attach it so that it can be used to root cause the issue.
    Regards,
    Phanikrishna

  • ACS 3.3 Send Radius Attribute 135 & 136

    Hi
    I need an ACS box to return IETF RADIUS attributes 135 & 136 to a NAS for the assignment of DNS servers to clients.
    The ACS 3.3 user guide lists these as supported IETF RADIUS Attributes however they don't seem to be available under Interface Configuration--> Radius IETF.
    Would anyone know how I can enable these ?
    Thanks
    Leon

    Hi Leon,
    That is quite strange. You should have those attributes.
    As you mentioned you have ACS SE, if you could console into it. Issue command,
    stop csadmin
    start csadmin
    Or rebooting ACS SE will re-start the CSAdmin server.
    If you are restarting services from System Configuration > Service Control, then that won't restart the CSAdmin service.
    Give that a try.
    Regards,
    Prem

  • Radius Attribute in authentication packet

    I'm new to Radius, so bear with me.
    Is it possible, or does anyone know how to make use of the vendor-specific attribute sent in the authentication request? What I'm looking at is that, based on the value of a specific VSA, the value of another RADIUS attribute is set and sent in the authentication response.

    More information on Radius Vendor-specific attribute (VSA) is given in the document.
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fappendx/fradattr/scfrdat3.pdf

  • Cisco ISE throws "11036 The Message-Authenticator RADIUS attribute is invalid "

    Hello,
    I am trying to authenticate my server (running an NMS) with a Cisco ISE using the EAP-TLS protocol.
    I am seeing "11036 The Message-Authenticator RADIUS attribute is invalid" in the ISE when the ACCESS-REQUEST is sent from the NMS server to ISE. The RADIUS shared secret key is the same on both the NMS server and the ISE server.
    Are there some Java samples for the Message-Authenticator attribute which I can refer to? I think I am missing something in the Message-Authenticator attribute.
    Any pointers or suggestions to overcome this ?

    To login to Prime GUI, the authentication will be done by ISE.
    The flow goes like this, Admins will login to Prime GUI with default username/pwd and add the RADIUS/ISE details to it which will be used by prime for authentication/authorization.
    Once its done, any other user who tries to login to Prime GUI with their own credentials will be validated against the Identity details in ISE. So even to login to Prime GUI, authentication should be successful in ISE.
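Both 11036 threads above turn on how the Message-Authenticator attribute (type 80, RFC 2869 and RFC 3579) is computed for an Access-Request. The following is an added example, not code from either thread or from ACS or ISE: the secret, identifier and attribute values are constructed, and it is written in Python rather than Java.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
MESSAGE_AUTHENTICATOR = 80  # attribute type; its value is always 16 bytes

def attr(atype, value):
    """Encode one RADIUS attribute: type, length (header included), value."""
    return bytes([atype, len(value) + 2]) + value

def build_access_request(ident, request_auth, attrs, secret):
    """Build an Access-Request signed with Message-Authenticator."""
    body = b"".join(attrs) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    packet = bytearray(struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)))
    packet += request_auth + body
    # HMAC-MD5 keyed with the shared secret over the complete packet, with the
    # final Length already set and the attribute value still 16 zero bytes.
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)

def verify_message_authenticator(packet, secret):
    """Server-side check of an Access-Request; False means 'invalid'."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        return False
    pos = 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return False
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            # Recompute over a copy with the received value zeroed out.
            zeroed = bytearray(packet[:length])
            zeroed[pos + 2:pos + 18] = bytes(16)
            expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += alen
    return False  # attribute absent

# Constructed sample values, not taken from the threads.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))  # fixed here for reproducibility; random in a real client
SAMPLE = build_access_request(
    7, REQUEST_AUTH,
    [attr(1, b"nms-client"), attr(4, bytes([192, 0, 2, 10]))],  # User-Name, NAS-IP-Address
    SECRET)

if __name__ == "__main__":
    print("same secret: ", verify_message_authenticator(SAMPLE, SECRET))
    print("wrong secret:", verify_message_authenticator(SAMPLE, b"other-secret"))
```

The check fails in the same way for a different secret, for an HMAC taken before the Length field or attribute list is final, and for a value field that was not zeroed before hashing, so a server can only report the attribute as invalid without saying which of these occurred.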

  • ACS 4.2 Windows Radius Attributes for VPN-dial-in

    Hello,
    The situation:
    A remote user establishes a VPN connection (AnyConnect) to an ASA 8.4, the ASA forwards authentication to ACS 4.2, and ACS should assign an IP address from an address pool dependent on group membership (LDAP).
    The problem:
    The user gets an IP config with a default gateway which is always the 3rd address of the IP pool (IP pools are /28 ranges); the mask is OK (/32).
    In the ASA log I can see a message:
    %ASA-6-110002: Failed to locate egress interface for protocol from src interface:src IP/src port to dest IP/dest port
    I've assigned the following attributes:
    IP Assignment: Assigned from AAA server pool (the accordant pool is selected)
    IETF Radius Attributes:
    006 Service Type: Framed
    007 Framed Protocol: ppp
    009 Framed-IP-Netmask: 255.255.255.255
    (not sure about) 022 Framed-Route: 0.0.0.0
    025 Class: <Group-Policy of ASA>
    Does any of you know what I'm doing wrong?
    On the ASA I can't find any settings.
    Thanks for any advice

    O'Brien Simon
    Did you manage to get a reply to your question about the timeout period for dynamic users in ACS 4.2 ?  As this is what I was about to ask but noticed your post.
    Many thanks
    florrieford

  • ACS 5.1 RADIUS Proxy - Adding RADIUS attributes

    Is there anyway under ACS 5.1 to add RADIUS attributes to outgoing RADIUS proxy auth requests or failing this to RADIUS proxy accounting updates?
    As soon as I configure a RADIUS proxy services, there is little config I can do other than to say whether or not the prefix and suffix is to be stripped.
    I can add these attributes if using an external RADIUS box as an identity store, but I cannot do this for this particular service and instead I need to use RADIUS proxying.
    Thanks
    Paul

    Hi Steve,
    The shared secret is 100% correct.
    Finally I found out that there may be some white lists for attributes.
    If I keep NAS-Identifier, it will work.
    But it can't pass all VSAs (3GPP sub-attributes); it only shows one or three in BOTH ACS and the RADIUS server.
    The other is the RADIUS VSA User Define Options (which is in SA > C > D > P > RADIUS > RADIUS VSA > Edit).
    When 'Vendor Length Field Size' changes to 0, all sub-attributes pass through ACS.
    The RADIUS Server gets the message from NSA.
    Of course, there is the Proxy-State attribute.
    In this condition, the ACS has incorrect output in the sub-attribute.
    Now I will try 5.2 to see whether the problem exists or not.

  • ACS 5.5 Radius Attribute not listed in Radius Directory

    Hello Community,
    I am on the evaluation of Cisco ACS 5.5, and I am trying some scenarios for my company.
    I have to authenticate an IP phone. Here I need one VLAN tagged and one VLAN untagged.
    In the authorization profile you can add the RADIUS attributes. We have HP switches and I need the attribute with the ID 56, but this ID is not listed in the Authorization Profiles--> Radius Attributes-->select Part.
    But it is listed under system-administration->Configuration-->dictionaries-->Protocols->Radius--> Radius IETF
    Can somebody tell me how I can select this attribute under Authorization Profiles--> Radius Attributes-->select Part?
    Thanks a lot
    Regards

    Hi
    As you are using HP switches, certain advanced use cases, such as those that involve posture assessment, profiling, and web authentication, are not consistently available with non-Cisco devices or may provide limited functionality, and are therefore not supported with non-Cisco devices.
    For more information regarding Authorization profile configuration, please go through the following link:
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/user/guide/acsuserguide/pol_elem.html

  • RADIUS Attribute 198

    Hi there,
    I am trying to get the RADIUS attribute 198 from a dial-in router (AS5300, C2610) with IOS 12.3.
    With "debug radius" the following output appears:
    *Mar 1 01:06:02.679: RADIUS: Acct-Session-Id [44] 10 "00000009"
    *Mar 1 01:06:02.679: RADIUS: Framed-Protocol [7] 6 PPP [1]
    *Mar 1 01:06:02.679: RADIUS: Framed-IP-Address [8] 6 192.168.1.1
    *Mar 1 01:06:02.679: RADIUS: Vendor, Cisco [26] 35
    *Mar 1 01:06:02.679: RADIUS: Cisco AVpair [1] 29 "connect-progress=LAN Ses Up"
    *Mar 1 01:06:02.679: RADIUS: Acct-Session-Time [46] 6 23
    *Mar 1 01:06:02.683: RADIUS: Acct-Input-Octets [42] 6 1377
    *Mar 1 01:06:02.683: RADIUS: Acct-Output-Octets [43] 6 106
    *Mar 1 01:06:02.683: RADIUS: Acct-Input-Packets [47] 6 14
    *Mar 1 01:06:02.683: RADIUS: Acct-Output-Packets [48] 6 7
    *Mar 1 01:06:02.683: RADIUS: Acct-Terminate-Cause[49] 6 user-request [1]
    *Mar 1 01:06:02.683: RADIUS: Vendor, Cisco [26] 39
    *Mar 1 01:06:02.683: RADIUS: Cisco AVpair [1] 33 "disc-cause-ext=PPP Receive Term"
    *Mar 1 01:06:02.683: RADIUS: Authentic [45] 6 RADIUS [1]
    *Mar 1 01:06:02.687: RADIUS: User-Name [1] 6 "test"
    *Mar 1 01:06:02.687: RADIUS: Acct-Status-Type [40] 6 Stop [2]
    *Mar 1 01:06:02.687: RADIUS: Vendor, Cisco [26] 16
    *Mar 1 01:06:02.687: RADIUS: cisco-nas-port [2] 10 "BRI0/0:1"
    *Mar 1 01:06:02.687: RADIUS: NAS-Port [5] 6 30001
    *Mar 1 01:06:02.687: RADIUS: Vendor, Cisco [26] 26
    *Mar 1 01:06:02.687: RADIUS: Cisco AVpair [1] 20 "interface=BRI0/0:1
    *Mar 1 01:06:02.687: RADIUS: NAS-Port-Type [61] 6 ISDN [2]
    *Mar 1 01:06:02.691: RADIUS: Calling-Station-Id [31] 12 "3334277535"
    *Mar 1 01:06:02.691: RADIUS: Called-Station-Id [30] 8 "289981"
    *Mar 1 01:06:02.691: RADIUS: Service-Type [6] 6 Framed [2]
    *Mar 1 01:06:02.691: RADIUS: NAS-IP-Address [4] 6 192.168.255.104
    *Mar 1 01:06:02.691: RADIUS: Acct-Delay-Time [41] 6 0
    Where is the attribute 198?
    Thanks,
    Oliver

    Hello Martin,
    here is the information:
    Cisco:
    aaa new-model
    aaa group server radius hamlet
    server x.x.x.x auth-port 1812 acct-port 1813
    aaa group server radius dialin-user
    server x.x.x.x auth-port 1812 acct-port 1813
    aaa authentication login default group hamlet local
    aaa authentication sgbp default local
    aaa authentication ppp default group dialin-user
    aaa authorization exec default group hamlet
    aaa accounting network default start-stop group dialin-user
    aaa session-id common
    radius-server host x.x.x.x auth-port 1812 acct-port 1813 key 7 xxx
    A1507
    radius-server host x.x.x.x auth-port 1812 acct-port 1813 key 7 xxx
    radius-server vsa send accounting
    radius-server vsa send authentication
    We are using FreeRadius 0.8.1.
    Regards,
    Oliver

  • ACS 4.2 - add RADIUS Attributes

    Hello,
    I want to add a RADIUS attribute to Radware devices, so I will have the option to grant "read only" permission to users.
    As I understand, I need to add a VSA for the "read only" permission, or configure a specific "Service-Type value 255".
    In the following picture you can see the required information from Radware:
    Thanks

    anyone know of that?
    Thanks

  • Filter RADIUS Attributes transmitted by WLC?

    Afternoon all,
    I've got an 8510 on the latest 7.6.120.0 software and I have a standard WPA2/802.1x Wireless LAN.  When Users authenticate we send their traffic off to a RADIUS Server, but when we do, the WLC includes all sorts of superfluous RADIUS attributes in the request (various things like default VLAN ID and all sorts of Cisco Airespace bits)
    The RADIUS Server we're using can't filter these attributes out, so I'd like to find a way of having the WLC not send them in the first place...  Any suggestions?
    Cheers,
    Richard

    Hi Richard,
    As far as I know you cannot do anything on WLC to stop this. 
    Did you speak to TAC and ask about this ? Not sure any hidden commands to do this though.
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • Add RADIUS attributes under "Group Setup" in ACS 4.2

    Hi Security Experts,
    I need to add RADIUS attributes for a custom vendor under "Group Setup" page in ACS 4.2. As of now, I see Cisco Aironet RADIUS Attributes,
    IETF RADIUS Attributes etc in "Group Setup" page. How can I make sure that the RADIUS attributes for a vendor also appear on that page?
    PS: I rate useful posts
    Thanks,
    Kashish

    Under "Interface" you can enable which RADIUS-Attributes you want to display. Probably there's just one checkmark missing for your vendor.
    The Options for RADIUS are described here:
    http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/A_RADAtr.html
