David,

The IETF Attributes are in the 3560 configuration page.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_46_se/configuration/guide/sw8021x.html#wp1289244

All that you need to know to configure them as Cisco AV Pairs is to type it out as you have shown below.

But if you go to the section I linked above and click the URL at the bottom of the section, it will take you to the following. This is what you are looking for.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_46_se/configuration/guide/swauthen.html#wpxref83693

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

From: [email protected] [mailto:[email protected]] On Behalf Of Mack, David A (Dave)
Sent: Wednesday, January 27, 2010 9:51 AM
To: Kingsley Charles
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] dot1x ACS RADIUS Config

Kings,

Thanks for the quick response! I see that link leads to an exhaustive list of all the RADIUS attributes available. However, I am seeking the location in CCO documentation where I can find VSA requirements for RADIUS (Cisco IOS/PIX 6.0) to support 802.1x. I need to be able to drill down to exactly that location when I take the lab.

From Yusuf's book, here is the exact quote:

"When RADIUS (Cisco IOS/PIX 6.0) server is selected as the NAS type in Cisco Secure ACS, the vendor-specific AV-Pair (Attribute 26) must be used to download attribute 64, 65, and 81, to be returned to the switch for 802.1x authentication:

[RADIUS Attribute 26] Vendor Specific Attribute (VSA)
- cisco-avpair= "tunnel-type(#64)=VLAN(13)"
- cisco-avpair= "tunnel-medium-type(#65)=802 media(6)"
- cisco-avpair= "tunnel-private-group-ID(#81)=vlan_name or vlan_id"
"

Where would I find this specification?

Thanks!
Dave

From: Kingsley Charles [mailto:[email protected]]
Sent: Wednesday, January 27, 2010 9:42 AM
To: Mack, David A (Dave)
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] dot1x ACS RADIUS Config

Hi Dave

You can find the TACACS and Radius attributes at the following location:

http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_rad_ov_ietf_attr_ps6441_TSD_Products_Configuration_Guide_Chapter.html

With regards
Kings

On Wed, Jan 27, 2010 at 7:47 PM, Mack, David A (Dave) <[email protected]> wrote:

Hello All!

I am studying up on dot1x and read in Yusuf's book that there are two options for the RADIUS on the ACS. On page 338, he shows the config (Attributes) for RADIUS (IETF) and on page 339, he shows the config for RADIUS (Cisco IOS/PIX 6.0). As I read it, we can use either.

The challenge is that there are no question marks on the CLI for ACS and we can't browse the menus/buttons on the ACS either. We have to know cold the exact text to enter in the dialog boxes. Knowing that, I want to be able to find the magical incantations in the CCO documents. I can find the RADIUS (IETF) attributes in the Catalyst 3560 Switch Software Configuration Guide in the "Using IEEE 802.1X Authentication with VLAN Assignment" section. I can't find a document for RADIUS (Cisco IOS/PIX 6.0). Does anyone know where to find it?

Thanks!
Dave

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
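Added example, not part of the thread above: a Python sketch of how the attributes discussed here are laid out in a RADIUS packet, with the IETF form (64, 65, 81) per RFC 2865/2868 and the attribute 26 wrapper for a cisco-avpair string (vendor ID 9, vendor type 1). The function names and the VLAN ID "20" are constructed for illustration; the AV-pair string is taken verbatim from the book quote, and nothing here claims how ACS itself serializes its dialog-box entries.

```python
import struct

CISCO_VENDOR_ID = 9   # IANA enterprise number for Cisco
CISCO_AVPAIR = 1      # vendor type 1 = cisco-avpair

def tlv(attr_type, value):
    """RFC 2865 attribute: type, length (header included), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value

def tagged_int(attr_type, number, tag=0):
    """RFC 2868 tagged integer: 1-byte tag, then a 3-byte value."""
    return tlv(attr_type, bytes([tag]) + number.to_bytes(3, "big"))

def vlan_attrs_ietf(vlan):
    """The three IETF attributes for 802.1x VLAN assignment."""
    return (tagged_int(64, 13)          # Tunnel-Type = VLAN (13)
            + tagged_int(65, 6)         # Tunnel-Medium-Type = 802 (6)
            + tlv(81, vlan.encode()))   # Tunnel-Private-Group-ID

def cisco_avpair(text):
    """Attribute 26 carrying one cisco-avpair string."""
    sub = bytes([CISCO_AVPAIR, len(text) + 2]) + text.encode()
    return tlv(26, struct.pack("!I", CISCO_VENDOR_ID) + sub)

def parse(buf):
    """Split raw attributes into (type, value) pairs; reject bad lengths."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((buf[i], buf[i + 2:i + buf[i + 1]]))
        i += buf[i + 1]
    return out

def assigned_vlan(buf):
    """Return attribute 81's VLAN only when 64=13 and 65=6 accompany it."""
    attrs = dict(parse(buf))
    if (attrs.get(64, b"")[1:] != (13).to_bytes(3, "big")
            or attrs.get(65, b"")[1:] != (6).to_bytes(3, "big")):
        return None
    group = attrs.get(81, b"")
    if group and 0x01 <= group[0] <= 0x1F:   # RFC 2868: leading octet is a tag
        group = group[1:]
    return group.decode() or None

if __name__ == "__main__":
    print(vlan_attrs_ietf("20").hex(" "))    # "20" is a constructed VLAN ID
```

The parser is the part worth reusing when checking a captured Access-Accept: a VLAN in attribute 81 is only meaningful when Tunnel-Type and Tunnel-Medium-Type carry 13 and 6 alongside it.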
