Stu,
If by changing my client, you mean going to the Network
Configuration section of the ACS and then setting the "Authenticate
Using" drop-down to "RADIUS (Cisco IOS/PIX 6.0)", then yes, I did that.
As for the switch itself, I have the basics:
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa session-id common
radius-server host 10.20.20.101 auth-port 1812 acct-port 1813
radius-server key cisco123!
In addition I have this:
radius-server vsa send authentication
What else is there to set?
Thanks!
Dave
From: Stuart Hare [mailto:[email protected]]
Sent: Friday, January 29, 2010 2:11 PM
To: Mack, David A (Dave)
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Dot1X Radius Config
Dave,
I'm not familiar with Yusuf's lab book, but you say it worked with IETF
attributes but not with Cisco AV Pairs.
When you changed to AV Pairs, did you also change the AAA Client
Authentication method?
For instance, I take it that for the IETF to work you had your AAA client
cfg'd for RADIUS (IETF); did you try changing the client to RADIUS (Cisco
IOS/PIX)?
Stu
On Fri, Jan 29, 2010 at 6:54 PM, Mack, David A (Dave)
<[email protected]> wrote:
Hello All!
This is a follow-on to my earlier dot1x question. Here is the
situation:
I have a Windows XP client connected to a Cat 3650 and a configured ACS
server. With the Cat configured as a RADIUS IETF client in the ACS, I can
authenticate the XP PC and get the VLAN pushed back to the Cat. All
works fine. So now I want to try setting the Cat to be a RADIUS (Cisco
IOS/PIX 6.x) client in the ACS. I would expect to have to use the
configuration Yusuf shows in his book on pages 339-341. Now here is
where the problem starts. First, if you look at his debug output you see
that Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group are pushed
back from ACS as BOTH Cisco AV-PAIRs and as IETF RADIUS attributes. Why
are both methods used?? I tried using just the IETF values and it
works just fine. So why use the Cisco AV-PAIRS? Now if I try to add the
AV-PAIRS to the ACS, entered exactly as in figure 11-8, the switch does not
recognize them:
*Mar 17 23:21:18.222: RADIUS: Message-Authenticato[80] 18
*Mar 17 23:21:18.222: RADIUS: 16 DF 78 4A FF DD 02 62 E2 45 CA 35 74 E7 53 F5 [ xJbE5tS]
*Mar 17 23:21:18.222: RADIUS: Vendor, Cisco [26] 49
*Mar 17 23:21:18.222: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A1414040000003F5767FE11"
*Mar 17 23:21:18.222: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
*Mar 17 23:21:18.222: RADIUS: NAS-Port [5] 6 50018
*Mar 17 23:21:18.222: RADIUS: NAS-Port-Id [87] 21 "GigabitEthernet0/18"
*Mar 17 23:21:18.222: RADIUS: State [24] 27
*Mar 17 23:21:18.222: RADIUS: 45 41 50 3D 30 2E 32 30 31 2E 34 39 37 2E 31 3B [EAP=0.201.497.1;]
*Mar 17 23:21:18.222: RADIUS: 53 56 43 3D 30 2E 31 64 3B [ SVC=0.1d;]
*Mar 17 23:21:18.222: RADIUS: NAS-IP-Address [4] 6 10.20.20.4
*Mar 17 23:21:18.247: RADIUS: Received from id 1645/84 10.20.20.101:1812, Access-Accept, len 243
*Mar 17 23:21:18.247: RADIUS: authenticator 34 14 2D BA 5D 79 93 70 - 88 91 01 F4 39 14 79 24
Note that the AV-PAIRS below appear exactly as they do on page 341
*Mar 17 23:21:18.247: RADIUS: Vendor, Cisco [26] 49
*Mar 17 23:21:18.247: RADIUS: Cisco AVpair [1] 43 "cisco-avpair= "tunnel-type(#64)=VLAN(13)""
*Mar 17 23:21:18.247: RADIUS: Vendor, Cisco [26] 60
*Mar 17 23:21:18.247: RADIUS: Cisco AVpair [1] 54 "cisco-avpair= "tunnel-medium-type(#65)=802 media(6)""
*Mar 17 23:21:18.247: RADIUS: Vendor, Cisco [26] 56
*Mar 17 23:21:18.247: RADIUS: Cisco AVpair [1] 50 "cisco-avpair= "tunnel-private-group-ID(#81)=200""
*Mar 17 23:21:18.247: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
*Mar 17 23:21:18.247: RADIUS: EAP-Message [79] 6
*Mar 17 23:21:18.247: RADIUS: 03 21 00 04 [ !]
*Mar 17 23:21:18.247: RADIUS: Class [25] 28
*Mar 17 23:21:18.247: RADIUS: 43 41 43 53 3A 30 2F 33 35 34 32 64 2F 61 31 34 [CACS:0/3542d/a14]
*Mar 17 23:21:18.247: RADIUS: 31 34 30 34 2F 35 30 30 31 38 [ 1404/50018]
*Mar 17 23:21:18.247: RADIUS: Message-Authenticato[80] 18
*Mar 17 23:21:18.247: RADIUS: 31 CE 78 F1 01 A9 A8 DB EA 36 73 A2 A8 C6 74 5D [ 1x6st]]
*Mar 17 23:21:18.247: RADIUS(00000042): Received from id 1645/84
But the switch does not know what to do with them...
*Mar 17 23:21:18.247: RADIUS/DECODE: parse unknown cisco vsa "cisco-avpair" - IGNORE <======================
*Mar 17 23:21:18.247: RADIUS/DECODE: parse unknown cisco vsa "cisco-avpair" - IGNORE <======================
*Mar 17 23:21:18.247: RADIUS/DECODE: parse unknown cisco vsa "cisco-avpair" - IGNORE <======================
*Mar 17 23:21:18.247: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
*Mar 17 23:21:18.256: dot1x-packet(Gi0/18): Received an EAP Success
*Mar 17 23:21:18.256: %DOT1X-5-SUCCESS: Authentication successful for client (0008.7492.2c0e) on Interface Gi0/18
*Mar 17 23:21:18.256: dot1x-ev(Gi0/18): Sending event (2) to Auth Mgr for 0008.7492.2c0e
*Mar 17 23:21:18.256: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0008.7492.2c0e) on Interface Gi0/1
Has anyone got this to work?? What is the "Secret Sauce"?
Thanks!
Dave
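As an added illustration of what the Access-Accept above actually carries (this is example code written for this page, not code from the thread, the book, Cisco or ACS), the Python below builds the three IETF tunnel attributes (64/65/81, with the RFC 2868 tag byte) and the three Cisco VSAs (attribute 26, vendor 9, sub-attribute 1) with the exact AV-pair strings shown in the debug, then decodes them with a simplified model of the switch-side parse: for a Cisco AV pair it takes the token before the first "=" as the attribute name. With the strings as ACS sent them, that token is "cisco-avpair", which is the name the debug reports as unknown, while the IETF attributes decode cleanly to VLAN 200. The attribute bytes are constructed here, not captured, and the decoder is my own simplification of what the debug lines suggest, not IOS code.

```python
"""
Added example: encode/decode of the RADIUS attributes seen in the
Access-Accept above. Constructed data, simplified decoder; not IOS code.
"""
import struct

# RFC 2865 / RFC 2868 attribute numbers that appear in the debug output
ATTR_VSA = 26
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13      # Tunnel-Type = VLAN
TUNNEL_MEDIUM_802 = 6      # Tunnel-Medium-Type = IEEE 802
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1           # Cisco vendor sub-attribute "cisco-avpair"

# The three AV-pair strings exactly as the Access-Accept in the debug shows them.
PAGE_AVPAIRS = [
    'cisco-avpair= "tunnel-type(#64)=VLAN(13)"',
    'cisco-avpair= "tunnel-medium-type(#65)=802 media(6)"',
    'cisco-avpair= "tunnel-private-group-ID(#81)=200"',
]


def attr(atype, value):
    """RFC 2865 TLV: Type, Length (header included), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def tagged_int(tag, n):
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte value."""
    return struct.pack("!B", tag) + n.to_bytes(3, "big")


def ietf_vlan_attrs(vlan, tag=0):
    """The IETF way to push a VLAN: attributes 64, 65 and 81."""
    return (attr(ATTR_TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN))
            + attr(ATTR_TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_802))
            + attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, struct.pack("!B", tag) + str(vlan).encode()))


def cisco_avpair(text):
    """Cisco VSA: attr 26, vendor 9, sub-attribute 1 carrying a text AV pair."""
    body = text.encode()
    vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(body) + 2) + body
    return attr(ATTR_VSA, vsa)


def sample_accept():
    """Constructed attribute list mirroring the Access-Accept in the debug:
    IETF tunnel attributes for VLAN 200 plus the three AV pairs."""
    return ietf_vlan_attrs(200) + b"".join(cisco_avpair(s) for s in PAGE_AVPAIRS)


def parse_attrs(buf):
    """Split a flat RADIUS attribute list into (type, value) pairs."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated attribute header")
        atype, alen = buf[i], buf[i + 1]
        if alen < 2 or i + alen > len(buf):
            raise ValueError("bad attribute length")
        out.append((atype, buf[i + 2:i + alen]))
        i += alen
    return out


def parse_cisco_vsa(value):
    """Return (sub-type, text) for a Cisco VSA, or None for another vendor."""
    vendor, sub, sublen = struct.unpack("!IBB", value[:6])
    if vendor != CISCO_VENDOR_ID:
        return None
    return sub, value[6:6 + sublen - 2].decode(errors="replace")


def avpair_key(text):
    """Name a switch would look up: the token before the first '='.
    For the strings above that token is "cisco-avpair", the name the
    debug reports as unknown (simplified model, not IOS logic)."""
    return text.split("=", 1)[0].strip()


def tunnel_group_id(value):
    """Tunnel-Private-Group-ID: the leading byte is a tag if it is <= 0x1F."""
    if value and value[0] <= 0x1F:
        value = value[1:]
    return value.decode()


def decode_accept(buf):
    """Simplified decode: VLAN from the IETF attributes, plus the
    AV-pair names the switch would try to match."""
    result = {"tunnel_type": None, "tunnel_medium": None, "vlan": None, "vsa_keys": []}
    for atype, value in parse_attrs(buf):
        if atype == ATTR_TUNNEL_TYPE:
            result["tunnel_type"] = int.from_bytes(value[1:], "big")
        elif atype == ATTR_TUNNEL_MEDIUM_TYPE:
            result["tunnel_medium"] = int.from_bytes(value[1:], "big")
        elif atype == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            result["vlan"] = tunnel_group_id(value)
        elif atype == ATTR_VSA:
            parsed = parse_cisco_vsa(value)
            if parsed and parsed[0] == CISCO_AVPAIR:
                result["vsa_keys"].append(avpair_key(parsed[1]))
    return result


if __name__ == "__main__":
    for atype, value in parse_attrs(sample_accept()):
        print(atype, len(value) + 2, value)
    print(decode_accept(sample_accept()))
```

Running it reproduces the lengths the debug prints for the three VSAs (49, 60 and 56 bytes, with sub-attribute lengths 43, 54 and 50), which confirms the quoted "cisco-avpair= ..." text is being shipped verbatim inside the VSA; the same decoder pulls VLAN 200 straight out of attribute 81.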
_______________________________________________
For more information regarding industry leading CCIE Lab training,
please visit www.ipexpert.com
--
Regards,
Stuart Hare
CCIE #25616 (Security), CCSP, Microsoft MCP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com