That's a very strange statement to me - that we must use cisco av-pairs to pass those attributes to cisco switches:
- cisco-avpair= "tunnel-type(#64)=VLAN(13)"
- cisco-avpair= "tunnel-medium-type(#65)=802 media(6)"
- cisco-avpair= "tunnel-private-group-ID(#81)=vlan_name or vlan_id"

All my life I have been using RADIUS IETF attributes 64, 65 and 81 directly, and it always worked for me (for cats, for aironets).

On cisco ACS you will find these attributes under IETF RADIUS Attributes section
of user or group setup.

As for the comprehensive list of all cisco av-pairs that may be used - that thing is simply missing on cco. The quickest way (and sometimes the only one) to see what av-pair a device is requesting is to debug the radius messages, and to view the failed attempts on ACS (with most details on).


=======================================================

In reply to:
Date: Wed, 27 Jan 2010 10:08:07 -0500
From: "Tyson Scott" <[email protected]>
Subject: Re: [OSL | CCIE_Security] dot1x ACS RADIUS Config
To: "'Mack, David A \(Dave\)'" <[email protected]>,     "'Kingsley
        Charles'" <[email protected]>
Cc: [email protected]
Message-ID: <007b01ca9f62$891d9870$9b58c9...@com>
Content-Type: text/plain; charset="us-ascii"

David,

The IETF Attributes are in the 3560 configuration page.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_46_se/configuration/guide/sw8021x.html#wp1289244

All that you need to know to configure them as Cisco AV Pairs is to type it out as you have shown below.  But if you go to that section that I gave the link above and you click the url at the bottom of the section it will take you to the following.  This is what you are looking for.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_46_se/configuration/guide/swauthen.html#wpxref83693

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.



From: [email protected] [mailto:[email protected]] On Behalf Of Mack, David A (Dave)
Sent: Wednesday, January 27, 2010 9:51 AM
To: Kingsley Charles
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] dot1x ACS RADIUS Config



Kings,

Thanks for the quick response! I see that link leads to an exhaustive list of all the RADIUS attributes available. However I am seeking the location in CCO documentation where I can find VSA requirements for RADIUS (Cisco IOS/PIX 6.0) to support 802.1x. I need to be able to drill down exactly that location when I take the lab. From Yusuf's book, here is the exact quote:

"When RADIUS (Cisco IOS/PIX 6.0) server is selected as the NAS type in Cisco Secure ACS, the vendor-specific AV-Pair (Attribute 26) must be used to download attribute 64, 65, and 81, to be returned to the switch for 802.1x authentication:

[RADIUS Attribute 26] Vendor Specific Attribute (VSA)

- cisco-avpair= "tunnel-type(#64)=VLAN(13)"
- cisco-avpair= "tunnel-medium-type(#65)=802 media(6)"
- cisco-avpair= "tunnel-private-group-ID(#81)=vlan_name or vlan_id"
"

Where would I find this specification?



Thanks!
Dave
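
Added example, not part of the original messages: the thread contrasts sending RADIUS attributes 64, 65 and 81 directly with wrapping the same values in attribute 26 as cisco-avpair strings. This Python code builds both encodings of an Access-Accept attribute list and parses either one back, which is what you would compare against a RADIUS debug when VLAN assignment fails. Assumptions: the function names are hypothetical, the VLAN value "20" is constructed, and the avpair strings are used exactly as quoted above without any claim about which devices accept them.

```python
import re
import struct

CISCO_VENDOR = struct.pack("!I", 9)  # Cisco's IANA enterprise number, 4 octets
CISCO_AVPAIR = 1                     # Cisco vendor type 1 carries cisco-avpair strings

def tlv(attr_type, value):
    """One RADIUS attribute: type, total length, value (RFC 2865)."""
    return bytes([attr_type, len(value) + 2]) + value

def ietf_vlan_attrs(vlan, tag=0):
    """Attributes 64, 65 and 81 sent directly (RFC 2868 layout)."""
    return (tlv(64, bytes([tag]) + (13).to_bytes(3, "big"))   # Tunnel-Type = VLAN(13)
            + tlv(65, bytes([tag]) + (6).to_bytes(3, "big"))  # Tunnel-Medium-Type = 802(6)
            + tlv(81, vlan.encode()))                         # Tunnel-Private-Group-ID

def avpair_vlan_attrs(vlan):
    """The same values as cisco-avpair strings inside attribute 26."""
    pairs = ["tunnel-type(#64)=VLAN(13)",
             "tunnel-medium-type(#65)=802 media(6)",
             f"tunnel-private-group-ID(#81)={vlan}"]
    return b"".join(tlv(26, CISCO_VENDOR + tlv(CISCO_AVPAIR, p.encode())) for p in pairs)

def parse_vlan_attrs(attrs):
    """Return {64: type, 65: medium, 81: vlan} from either encoding."""
    found, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute length")
        t, v = attrs[i], attrs[i + 2:i + attrs[i + 1]]
        if t in (64, 65) and len(v) == 4:
            found[t] = int.from_bytes(v[1:], "big")             # skip the tag octet
        elif t == 81 and v:
            found[t] = (v[1:] if v[0] <= 0x1F else v).decode()  # tag octet is optional
        elif t == 26 and len(v) > 6 and v[:4] == CISCO_VENDOR and v[4] == CISCO_AVPAIR:
            m = re.fullmatch(r"[^(]+\(#(\d+)\)=(.*)", v[6:].decode())
            code = re.search(r"\((\d+)\)$", m.group(2)) if m else None
            if m and m.group(1) == "81":
                found[81] = m.group(2)
            elif code and m.group(1) in ("64", "65"):
                found[int(m.group(1))] = int(code.group(1))     # number in trailing (...)
        i += attrs[i + 1]
    return found

if __name__ == "__main__":
    for name, blob in (("IETF", ietf_vlan_attrs("20")), ("VSA", avpair_vlan_attrs("20"))):
        print(name, len(blob), "bytes", blob.hex(), parse_vlan_attrs(blob))
```

Both encodings parse to the same three values; on the wire the attribute 26 form is several times larger because each value travels as a text string.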