Dave,

You need to remove cisco-avpair=

In ACS put

tunnel-type(#64)=VLAN(13)
tunnel-medium-type(#65)=802 media(6)
tunnel-private-group-ID(#81)=200

Not

cisco-avpair=tunnel-type(#64)=VLAN(13)
cisco-avpair=tunnel-medium-type(#65)=802 media(6)
cisco-avpair=tunnel-private-group-ID(#81)=200

You only put cisco-avpair= when you are working with Unix based ACS.

On Fri, Jan 29, 2010 at 2:22 PM, Mack, David A (Dave) <[email protected]> wrote:

> Stu,
>
> If by changing my client, you mean going to the Network Configuration
> section of the ACS and then setting the "Authenticate Using" drop down to
> "RADIUS (Cisco IOS/PIX 6.0)", then yes I did that. As for the switch
> itself, I have the basics:
>
> aaa new-model
> aaa authentication dot1x default group radius
> aaa authorization network default group radius
> aaa session-id common
> radius-server host 10.20.20.101 auth-port 1812 acct-port 1813
> radius-server key cisco123!
>
> In addition I have this:
>
> radius-server vsa send authentication
>
> What else is there to set?
>
> Thanks!
> Dave
>
> From: Stuart Hare [mailto:[email protected]]
> Sent: Friday, January 29, 2010 2:11 PM
> To: Mack, David A (Dave)
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_Security] Dot1X Radius Config
>
> Dave,
>
> I'm not familiar with Yusuf's lab book, but you say it worked with IETF
> attributes but not with Cisco AV Pairs.
>
> When you changed to AV Pairs, did you also change the AAA Client
> Authentication method?
>
> For instance I take it for the IETF to work you had your AAA client cfg'd
> for RADIUS (IETF), did you try changing the client to RADIUS (Cisco IOS/PIX)?
>
> Stu
>
> On Fri, Jan 29, 2010 at 6:54 PM, Mack, David A (Dave) <[email protected]> wrote:
>
> Hello All!
> This is follow-on to my earlier dot1x question. Here is the situation:
>
> I have a Windows XP client connected to Cat 3650 and a configured ACS
> server. With the Cat configured as RADIUS IETF client in the ACS, I can
> authenticate the XP PC and get the VLAN pushed back to the Cat. All works
> fine. So now I want to try setting the Cat to be a RADIUS (Cisco IOS/PIX
> 6.x) client in the ACS. I would expect to have to use the configuration
> Yusuf shows in his book on pages 339-341. Now here is where the problem
> starts. First, if you look at his debug output you see that Tunnel-Type,
> Tunnel-Medium-Type and Tunnel-Private-Group are pushed back from ACS as
> BOTH Cisco AV-PAIRs and as IETF RADIUS attributes. Why are both methods
> used?? I tried using just the IETF values and it works just fine. So why
> use the Cisco AV-PAIRS? Now if I try to add the AV-PAIRS to the ACS,
> entered exactly as figure 11-8, the switch does not recognize them:
>
> *Mar 17 23:21:18.222: RADIUS: Message-Authenticato[80] 18
> *Mar 17 23:21:18.222: RADIUS: 16 DF 78 4A FF DD 02 62 E2 45 CA 35 74 E7 53 F5 [ xJbE5tS]
> *Mar 17 23:21:18.222: RADIUS: Vendor, Cisco [26] 49
> *Mar 17 23:21:18.222: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A1414040000003F5767FE11"
> *Mar 17 23:21:18.222: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
> *Mar 17 23:21:18.222: RADIUS: NAS-Port [5] 6 50018
> *Mar 17 23:21:18.222: RADIUS: NAS-Port-Id [87] 21 "GigabitEthernet0/18"
> *Mar 17 23:21:18.222: RADIUS: State [24] 27
> *Mar 17 23:21:18.222: RADIUS: 45 41 50 3D 30 2E 32 30 31 2E 34 39 37 2E 31 3B [EAP=0.201.497.1;]
> *Mar 17 23:21:18.222: RADIUS: 53 56 43 3D 30 2E 31 64 3B [ SVC=0.1d;]
> *Mar 17 23:21:18.222: RADIUS: NAS-IP-Address [4] 6 10.20.20.4
> *Mar 17 23:21:18.247: RADIUS: Received from id 1645/84 10.20.20.101:1812, Access-Accept, len 243
> *Mar 17 23:21:18.247: RADIUS: authenticator 34 14 2D BA 5D 79 93 70 - 88 91 01 F4 39 14 79 24
>
> Note that the AV-PAIRS below appear exactly as they do on page 341
>
> *Mar 17 23:21:18.247: RADIUS: Vendor, Cisco [26] 49
> *Mar 17 23:21:18.247: RADIUS: Cisco AVpair [1] 43 "cisco-avpair= "tunnel-type(#64)=VLAN(13)""
> *Mar 17 23:21:18.247: RADIUS: Vendor, Cisco [26] 60
> *Mar 17 23:21:18.247: RADIUS: Cisco AVpair [1] 54 "cisco-avpair= "tunnel-medium-type(#65)=802 media(6)""
> *Mar 17 23:21:18.247: RADIUS: Vendor, Cisco [26] 56
> *Mar 17 23:21:18.247: RADIUS: Cisco AVpair [1] 50 "cisco-avpair= "tunnel-private-group-ID(#81)=200""
> *Mar 17 23:21:18.247: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
> *Mar 17 23:21:18.247: RADIUS: EAP-Message [79] 6
> *Mar 17 23:21:18.247: RADIUS: 03 21 00 04 [ !]
> *Mar 17 23:21:18.247: RADIUS: Class [25] 28
> *Mar 17 23:21:18.247: RADIUS: 43 41 43 53 3A 30 2F 33 35 34 32 64 2F 61 31 34 [CACS:0/3542d/a14]
> *Mar 17 23:21:18.247: RADIUS: 31 34 30 34 2F 35 30 30 31 38 [ 1404/50018]
> *Mar 17 23:21:18.247: RADIUS: Message-Authenticato[80] 18
> *Mar 17 23:21:18.247: RADIUS: 31 CE 78 F1 01 A9 A8 DB EA 36 73 A2 A8 C6 74 5D [ 1x6st]]
> *Mar 17 23:21:18.247: RADIUS(00000042): Received from id 1645/84
>
> But, the switch does not know what to do with them...
>
> *Mar 17 23:21:18.247: RADIUS/DECODE: parse unknown cisco vsa "cisco-avpair" - IGNORE <======================
> *Mar 17 23:21:18.247: RADIUS/DECODE: parse unknown cisco vsa "cisco-avpair" - IGNORE <======================
> *Mar 17 23:21:18.247: RADIUS/DECODE: parse unknown cisco vsa "cisco-avpair" - IGNORE <======================
> *Mar 17 23:21:18.247: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
> *Mar 17 23:21:18.256: dot1x-packet(Gi0/18): Received an EAP Success
> *Mar 17 23:21:18.256: %DOT1X-5-SUCCESS: Authentication successful for client (0008.7492.2c0e) on Interface Gi0/18
> *Mar 17 23:21:18.256: dot1x-ev(Gi0/18): Sending event (2) to Auth Mgr for 0008.7492.2c0e
> *Mar 17 23:21:18.256: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0008.7492.2c0e) on Interface Gi0/1
>
> Has anyone got this to work?? What is the "Secret Sauce"?
>
> Thanks!
> Dave
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> --
> Regards,
>
> Stuart Hare
> CCIE #25616 (Security), CCSP, Microsoft MCP
> Sr. Support Engineer – IPexpert, Inc.
> URL: http://www.IPexpert.com
>

--
Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Fax: +1.810.454.0130
Mailto: [email protected]
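To make the thread's point concrete, here is an added example (not code from the thread, ACS or IOS) that encodes the IETF Tunnel-* attributes and the Cisco VSA form of the same VLAN assignment as RADIUS bytes, then mimics a switch-side decode that keys each AV-pair on the text before its first `=`. The set of accepted keys is an assumption for illustration; the attribute lengths reproduce the debug output above (Vendor, Cisco [26] 49 / Cisco AVpair [1] 43).

```python
import re
import struct

# Attribute numbers from RFC 2865/2868 and the thread's debug output.
ATTR_VSA, VENDOR_CISCO, CISCO_AVPAIR = 26, 9, 1
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_GROUP = 64, 65, 81
VLAN, IEEE_802 = 13, 6          # Tunnel-Type=VLAN(13), Tunnel-Medium-Type=802(6)
# AV-pair keys the switch's parser is assumed to recognise (illustrative set).
KNOWN_KEYS = {"tunnel-type", "tunnel-medium-type", "tunnel-private-group-id"}


def ietf_vlan_attrs(vlan: str, tag: int = 0) -> bytes:
    """Encode the three IETF tunnel attributes ACS sends for a dynamic VLAN."""
    out = struct.pack("!BBB3s", TUNNEL_TYPE, 6, tag, VLAN.to_bytes(3, "big"))
    out += struct.pack("!BBB3s", TUNNEL_MEDIUM, 6, tag, IEEE_802.to_bytes(3, "big"))
    group = vlan.encode()
    return out + struct.pack("!BBB", TUNNEL_GROUP, 3 + len(group), tag) + group


def cisco_avpair(text: str) -> bytes:
    """Wrap one AV-pair string in a Cisco Vendor-Specific attribute (26 / 9 / 1)."""
    body = text.encode()
    vsa = struct.pack("!BB", CISCO_AVPAIR, 2 + len(body)) + body
    return struct.pack("!BBI", ATTR_VSA, 6 + len(vsa), VENDOR_CISCO) + vsa


def parse_attrs(data: bytes):
    """Yield (type, payload) for each type-length-value attribute in data."""
    i = 0
    while i < len(data):
        t, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed attribute length")
        yield t, data[i + 2:i + ln]
        i += ln


def switch_view(data: bytes):
    """Report each attribute the way the IOS decoder does: IETF, ACCEPT or IGNORE."""
    results = []
    for t, payload in parse_attrs(data):
        if t != ATTR_VSA or len(payload) < 4 or payload[:4] != VENDOR_CISCO.to_bytes(4, "big"):
            results.append((t, "IETF"))
            continue
        for vt, vpayload in parse_attrs(payload[4:]):   # vendor TLVs share the layout
            if vt != CISCO_AVPAIR:
                continue
            text = vpayload.decode()
            # Key is the text before the first '='; a 'cisco-avpair=' prefix makes it 'cisco-avpair'.
            key = re.sub(r"\(#\d+\)$", "", text.split("=", 1)[0].strip().lower())
            results.append((text, "ACCEPT" if key in KNOWN_KEYS else "IGNORE"))
    return results
```

Feeding `switch_view` the prefixed string from the debug output yields IGNORE for every AV-pair, which is the `parse unknown cisco vsa "cisco-avpair"` line Dave saw; the unprefixed strings and the IETF attributes decode cleanly.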
