Dave,

I'm not familiar with Yusuf's lab book, but you say it worked with IETF
attributes but not with Cisco AV Pairs.
When you changed to AV Pairs, did you also change the AAA Client
Authentication method?
For instance, I take it that for the IETF attributes to work you had your AAA client cfg'd
for RADIUS (IETF); did you try changing the client to RADIUS (Cisco IOS/PIX)?

Stu

On Fri, Jan 29, 2010 at 6:54 PM, Mack, David A (Dave) <[email protected]> wrote:

> Hello All!
>    This is a follow-on to my earlier dot1x question. Here is the
> situation:
>
> I have a Windows XP client connected to Cat 3650 and a configured ACS
> server. With the Cat configured as a RADIUS IETF client in the ACS, I can
> authenticate the XP PC and get the VLAN pushed back to the Cat. All
> works fine. So now I want to try setting the Cat to be a RADIUS (Cisco
> IOS/PIX 6.x) client in the ACS. I would expect to have to use the
> configuration Yusuf shows in his book on pages 339-341. Now here is
> where the problem starts. First, if you look at his debug output you see
> that Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group are pushed
> back from ACS as BOTH Cisco AV-PAIRs and as IETF RADIUS attributes. Why
> are both methods used?? I tried using just the IETF values and it
> works just fine. So why use the Cisco AV-PAIRS? Now if I try to add the
> AV-PAIRS to the ACS, entered exactly as figure 11-8, the Switch does not
> recognize them:
>
>
> *Mar 17 23:21:18.222: RADIUS:  Message-Authenticato[80]  18
> *Mar 17 23:21:18.222: RADIUS:   16 DF 78 4A FF DD 02 62 E2 45 CA 35 74
> E7 53 F5           [ xJbE5tS]
> *Mar 17 23:21:18.222: RADIUS:  Vendor, Cisco       [26]  49
> *Mar 17 23:21:18.222: RADIUS:   Cisco AVpair       [1]   43
> "audit-session-id=0A1414040000003F5767FE11"
> *Mar 17 23:21:18.222: RADIUS:  NAS-Port
> SEC-CAT4(config-if)#-Type       [61]  6   Ethernet                  [15]
> *Mar 17 23:21:18.222: RADIUS:  NAS-Port            [5]   6   50018
>
> *Mar 17 23:21:18.222: RADIUS:  NAS-Port-Id         [87]  21
> "GigabitEthernet0/18"
> *Mar 17 23:21:18.222: RADIUS:  State               [24]  27
> *Mar 17 23:21:18.222: RADIUS:   45 41 50 3D 30 2E 32 30 31 2E 34 39 37
> 2E 31 3B  [EAP=0.201.497.1;]
> *Mar 17 23:21:18.222: RADIUS:   53 56 43 3D 30 2E 31 64 3B         [
> SVC=0.1d;]
> *Mar 17 23:21:18.222: RADIUS:  NAS-IP-A
> SEC-CAT4(config-if)#ddress      [4]   6   10.20.20.4
> *Mar 17 23:21:18.247: RADIUS: Received from id 1645/84
> 10.20.20.101:1812, Access-Accept, len 243
> *Mar 17 23:21:18.247: RADIUS:  authenticator 34 14 2D BA 5D 79 93 70 -
> 88 91 01 F4 39 14 79 24
>
> Note that the AV-PAIRS below appear exactly as they do on page 341
>
> *Mar 17 23:21:18.247: RADIUS:  Vendor, Cisco       [26]  49
> *Mar 17 23:21:18.247: RADIUS:   Cisco AVpair       [1]   43
> "cisco-avpair= "tunnel-type(#64)=VLAN(13)""
> *Mar 17 23:21:18.247: RADIUS:  Vendor, Cisco       [26]  60
> *Mar 17 23:21:18.247: RADIUS:   Cis
> SEC-CAT4(config-if)#co AVpair       [1]   54  "cisco-avpair=
> "tunnel-medium-type(#65)=802 media(6)""
> *Mar 17 23:21:18.247: RADIUS:  Vendor, Cisco       [26]  56
> *Mar 17 23:21:18.247: RADIUS:   Cisco AVpair       [1]   50
> "cisco-avpair= "tunnel-private-group-ID(#81)=200""
> *Mar 17 23:21:18.247: RADIUS:  Framed-IP-Address   [8]   6
> 255.255.255.255
> *Mar 17 23:21:18.247: RADIUS:  EAP-Message         [79]  6
> *Mar 17 23:21:18.247: RADIUS:   03 21 00 04                 [ !]
> *Mar 17 23:21:18.247: RADIUS:  Clas
> SEC-CAT4(config-if)#s               [25]  28
> *Mar 17 23:21:18.247: RADIUS:   43 41 43 53 3A 30 2F 33 35 34 32 64 2F
> 61 31 34  [CACS:0/3542d/a14]
> *Mar 17 23:21:18.247: RADIUS:   31 34 30 34 2F 35 30 30 31 38        [
> 1404/50018]
> *Mar 17 23:21:18.247: RADIUS:  Message-Authenticato[80]  18
> *Mar 17 23:21:18.247: RADIUS:   31 CE 78 F1 01 A9 A8 DB EA 36 73 A2 A8
> C6 74 5D            [ 1x6st]]
> *Mar 17 23:21:18.247: RADIUS(00000042): Received from id 1645/84
>
> But, the switch does not know what to do with them...
>
> *Mar 17 23:21:18.247: RADIUS/DECODE: parse unknown cisco vsa "cisco
> <======================
> SEC-CAT4(config-if)#-avpair" - IGNORE
> *Mar 17 23:21:18.247: RADIUS/DECODE: parse unknown cisco vsa
> "cisco-avpair" - IGNORE        <======================
> *Mar 17 23:21:18.247: RADIUS/DECODE: parse unknown cisco vsa
> "cisco-avpair" - IGNORE        <======================
> *Mar 17 23:21:18.247: RADIUS/DECODE: EAP-Message fragments, 4, total 4
> bytes
> *Mar 17 23:21:18.256: dot1x-packet(Gi0/18): Received an EAP Success
> *Mar 17 23:21:18.256: %DOT1X-5-SUCCESS: Authentication successful for
> client (0008.7492.2c0e) on Interface Gi0/18
> *Mar 17 23:21:18.256: dot1x-ev(Gi0/18): Sending event (2)
> SEC-CAT4(config-if)#to Auth Mgr for 0008.7492.2c0e
> *Mar 17 23:21:18.256: %AUTHMGR-7-RESULT: Authentication result 'success'
> from 'dot1x' for client (0008.7492.2c0e) on Interface Gi0/1
>
> Has anyone got this to work?? What is the "Secret Sauce"?
>
> Thanks!
> Dave
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>



-- 
Regards,

Stuart Hare
CCIE #25616 (Security), CCSP, Microsoft MCP
Sr. Support Engineer – IPexpert, Inc.
URL: http://www.IPexpert.com
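An added illustration (not part of Dave's or Stu's mail): this Python rebuilds the three Cisco-AVPair VSAs from the Access-Accept debug above byte for byte and parses them the way a NAS does, taking the text before the first '=' or '*' as the attribute name. The lengths match the debug ([26] 49 / [1] 43 and so on), and the name that comes out of each string is 'cisco-avpair', exactly the name the switch reports in its 'parse unknown cisco vsa' IGNORE lines. The 'name=value' convention is the standard Cisco AV-pair format; the byte-layout constants and helper functions are assumptions of this example, not the switch's code.

```python
import struct

VENDOR_CISCO = 9           # IANA enterprise number carried in Cisco VSAs
ATTR_VENDOR_SPECIFIC = 26  # RFC 2865 Vendor-Specific attribute type
CISCO_AVPAIR = 1           # Cisco vendor type 1 = Cisco-AVPair (a "name=value" string)

# The three AV-pair strings exactly as the quoted debug printed them (constructed, not live).
PAGE_AVPAIRS = [
    'cisco-avpair= "tunnel-type(#64)=VLAN(13)"',
    'cisco-avpair= "tunnel-medium-type(#65)=802 media(6)"',
    'cisco-avpair= "tunnel-private-group-ID(#81)=200"',
]

def encode_cisco_avpair(text: str) -> bytes:
    """Wrap a string in a Vendor-Specific attribute: [26][len][9][1][len][text]."""
    payload = text.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(payload)) + payload
    body = struct.pack("!I", VENDOR_CISCO) + sub
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body

def iter_attributes(data: bytes):
    """Walk a RADIUS attribute list, yielding (type, length, value)."""
    pos = 0
    while pos < len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed RADIUS attribute length")
        yield atype, alen, data[pos + 2:pos + alen]
        pos += alen

def avpair_name(text: str) -> str:
    """Name a NAS looks up for a Cisco AV pair: whatever precedes the first '=' or '*'."""
    return text.split("=", 1)[0].split("*", 1)[0].strip()

def decode_cisco_vsas(attrs: bytes) -> list:
    """Return (vsa_len, subtype_len, text, parsed_name) for every Cisco-AVPair found."""
    found = []
    for atype, alen, value in iter_attributes(attrs):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        (vendor_id,) = struct.unpack("!I", value[:4])
        subtype, sublen = value[4], value[5]
        if vendor_id != VENDOR_CISCO or subtype != CISCO_AVPAIR:
            continue
        text = value[6:4 + sublen].decode("ascii", errors="replace")
        found.append((alen, sublen, text, avpair_name(text)))
    return found

def decode_page_accept() -> list:
    """Decode the three VSAs from the quoted Access-Accept."""
    return decode_cisco_vsas(b"".join(encode_cisco_avpair(s) for s in PAGE_AVPAIRS))
```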