Dave,

You can see from the debug output that it says
parse unknown cisco vsa "cisco-avpair". The box that is created in the user account already has that attribute set. So it is kind of like you are saying cisco-avpair=cisco-avpair=tunnel-type(#64)=VLAN(13). That is why it doesn't understand it.

On Fri, Jan 29, 2010 at 2:46 PM, Tyson Scott <[email protected]> wrote:
> Dave,
>
> You need to remove
> cisco-avpair=
>
> In ACS put
> tunnel-type(#64)=VLAN(13)
> tunnel-medium-type(#65)=802 media(6)
> tunnel-private-group-ID(#81)=200
>
> Not
> cisco-avpair=tunnel-type(#64)=VLAN(13)
> cisco-avpair=tunnel-medium-type(#65)=802 media(6)
> cisco-avpair=tunnel-private-group-ID(#81)=200
>
> You only put cisco-avpair= when you are working with Unix based ACS.
>
> On Fri, Jan 29, 2010 at 2:22 PM, Mack, David A (Dave) <[email protected]> wrote:
>> Stu,
>>
>> If by changing my client, you mean going to the Network Configuration section of the ACS and then setting the "Authenticate Using" drop-down to "RADIUS (Cisco IOS/PIX 6.0)", then yes I did that. As for the switch itself, I have the basics:
>>
>> aaa new-model
>> aaa authentication dot1x default group radius
>> aaa authorization network default group radius
>> aaa session-id common
>> radius-server host 10.20.20.101 auth-port 1812 acct-port 1813
>> radius-server key cisco123!
>>
>> In addition I have this:
>>
>> radius-server vsa send authentication
>>
>> What else is there to set?
>>
>> Thanks!
>> Dave
>>
>> From: Stuart Hare [mailto:[email protected]]
>> Sent: Friday, January 29, 2010 2:11 PM
>> To: Mack, David A (Dave)
>> Cc: [email protected]
>> Subject: Re: [OSL | CCIE_Security] Dot1X Radius Config
>>
>> Dave,
>>
>> I'm not familiar with Yusuf's lab book, but you say it worked with IETF attributes but not with Cisco AV Pairs.
>> When you changed to AV Pairs, did you also change the AAA Client Authentication method?
>> For instance, I take it for the IETF to work you had your AAA client cfg'd for RADIUS (IETF); did you try changing the client to RADIUS (Cisco IOS/PIX)?
>>
>> Stu
>>
>> On Fri, Jan 29, 2010 at 6:54 PM, Mack, David A (Dave) <[email protected]> wrote:
>>
>> Hello All!
>> This is a follow-on to my earlier dot1x question. Here is the situation:
>>
>> I have a Windows XP client connected to a Cat 3650 and a configured ACS server. With the Cat configured as a RADIUS IETF client in the ACS, I can authenticate the XP PC and get the VLAN pushed back to the Cat. All works fine. So now I want to try setting the Cat to be a RADIUS (Cisco IOS/PIX 6.x) client in the ACS. I would expect to have to use the configuration Yusuf shows in his book on pages 339-341. Now here is where the problem starts. First, if you look at his debug output you see that Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group are pushed back from ACS as BOTH Cisco AV-PAIRs and as IETF RADIUS attributes. Why are both methods used?? I tried using just the IETF values and it works just fine. So why use the Cisco AV-PAIRs? Now if I try to add the AV-PAIRs to the ACS, entered exactly as figure 11-8, the switch does not recognize them:
>>
>> *Mar 17 23:21:18.222: RADIUS: Message-Authenticato[80] 18
>> *Mar 17 23:21:18.222: RADIUS: 16 DF 78 4A FF DD 02 62 E2 45 CA 35 74 E7 53 F5 [ xJbE5tS]
>> *Mar 17 23:21:18.222: RADIUS: Vendor, Cisco [26] 49
>> *Mar 17 23:21:18.222: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A1414040000003F5767FE11"
>> *Mar 17 23:21:18.222: RADIUS: NAS-Port
>> SEC-CAT4(config-if)#-Type [61] 6 Ethernet [15]
>> *Mar 17 23:21:18.222: RADIUS: NAS-Port [5] 6 50018
>> *Mar 17 23:21:18.222: RADIUS: NAS-Port-Id [87] 21 "GigabitEthernet0/18"
>> *Mar 17 23:21:18.222: RADIUS: State [24] 27
>> *Mar 17 23:21:18.222: RADIUS: 45 41 50 3D 30 2E 32 30 31 2E 34 39 37 2E 31 3B [EAP=0.201.497.1;]
>> *Mar 17 23:21:18.222: RADIUS: 53 56 43 3D 30 2E 31 64 3B [ SVC=0.1d;]
>> *Mar 17 23:21:18.222: RADIUS: NAS-IP-A
>> SEC-CAT4(config-if)#ddress [4] 6 10.20.20.4
>> *Mar 17 23:21:18.247: RADIUS: Received from id 1645/84 10.20.20.101:1812, Access-Accept, len 243
>> *Mar 17 23:21:18.247: RADIUS: authenticator 34 14 2D BA 5D 79 93 70 - 88 91 01 F4 39 14 79 24
>>
>> Note that the AV-PAIRs below appear exactly as they do on page 341
>>
>> *Mar 17 23:21:18.247: RADIUS: Vendor, Cisco [26] 49
>> *Mar 17 23:21:18.247: RADIUS: Cisco AVpair [1] 43 "cisco-avpair= "tunnel-type(#64)=VLAN(13)""
>> *Mar 17 23:21:18.247: RADIUS: Vendor, Cisco [26] 60
>> *Mar 17 23:21:18.247: RADIUS: Cis
>> SEC-CAT4(config-if)#co AVpair [1] 54 "cisco-avpair= "tunnel-medium-type(#65)=802 media(6)""
>> *Mar 17 23:21:18.247: RADIUS: Vendor, Cisco [26] 56
>> *Mar 17 23:21:18.247: RADIUS: Cisco AVpair [1] 50 "cisco-avpair= "tunnel-private-group-ID(#81)=200""
>> *Mar 17 23:21:18.247: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
>> *Mar 17 23:21:18.247: RADIUS: EAP-Message [79] 6
>> *Mar 17 23:21:18.247: RADIUS: 03 21 00 04 [ !]
>> *Mar 17 23:21:18.247: RADIUS: Clas
>> SEC-CAT4(config-if)#s [25] 28
>> *Mar 17 23:21:18.247: RADIUS: 43 41 43 53 3A 30 2F 33 35 34 32 64 2F 61 31 34 [CACS:0/3542d/a14]
>> *Mar 17 23:21:18.247: RADIUS: 31 34 30 34 2F 35 30 30 31 38 [ 1404/50018]
>> *Mar 17 23:21:18.247: RADIUS: Message-Authenticato[80] 18
>> *Mar 17 23:21:18.247: RADIUS: 31 CE 78 F1 01 A9 A8 DB EA 36 73 A2 A8 C6 74 5D [ 1x6st]]
>> *Mar 17 23:21:18.247: RADIUS(00000042): Received from id 1645/84
>>
>> But, the switch does not know what to do with them...
>>
>> *Mar 17 23:21:18.247: RADIUS/DECODE: parse unknown cisco vsa "cisco
>> <======================
>> SEC-CAT4(config-if)#-avpair" - IGNORE
>> *Mar 17 23:21:18.247: RADIUS/DECODE: parse unknown cisco vsa "cisco-avpair" - IGNORE <======================
>> *Mar 17 23:21:18.247: RADIUS/DECODE: parse unknown cisco vsa "cisco-avpair" - IGNORE <======================
>> *Mar 17 23:21:18.247: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
>> *Mar 17 23:21:18.256: dot1x-packet(Gi0/18): Received an EAP Success
>> *Mar 17 23:21:18.256: %DOT1X-5-SUCCESS: Authentication successful for client (0008.7492.2c0e) on Interface Gi0/18
>> *Mar 17 23:21:18.256: dot1x-ev(Gi0/18): Sending event (2)
>> SEC-CAT4(config-if)#to Auth Mgr for 0008.7492.2c0e
>> *Mar 17 23:21:18.256: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0008.7492.2c0e) on Interface Gi0/1
>>
>> Has anyone got this to work?? What is the "Secret Sauce"?
>>
>> Thanks!
>> Dave
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>>
>> --
>> Regards,
>>
>> Stuart Hare
>> CCIE #25616 (Security), CCSP, Microsoft MCP
>> Sr. Support Engineer – IPexpert, Inc.
>> URL: http://www.IPexpert.com
>
> --
> Tyson Scott - CCIE #13513 R&S and Security
> Technical Instructor - IPexpert, Inc.
>
> Telephone: +1.810.326.1444
> Fax: +1.810.454.0130
> Mailto: [email protected]
>
> Join our free online support and peer group communities:
> http://www.IPexpert.com/communities
>
> IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE Storage Lab Certifications.
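The doubled prefix the thread diagnoses can be seen on the wire. What follows is an added example, not code from the thread, from ACS or from Cisco IOS: it wraps an AV-pair string in a Cisco Vendor-Specific attribute (RADIUS type 26, vendor id 9, sub-type 1) and then decodes it the way a key=value parser would, splitting on the first "=". For the prefixed string it reproduces the lengths 49 and 43 that appear as `[26] 49` / `[1] 43` in Dave's debug; the EXPECTED_KEYS allow-list is a constructed stand-in for the switch's real attribute dictionary, not a claim about what IOS accepts.

```python
import struct

VENDOR_SPECIFIC = 26   # RADIUS attribute type 26, Vendor-Specific (RFC 2865)
CISCO_VENDOR_ID = 9    # IANA enterprise number for Cisco
CISCO_AVPAIR = 1       # Cisco vendor sub-type carrying "Cisco AVpair" strings

# Constructed allow-list for this demo only: the three AV-pair keys the thread
# expects the switch to act on. A real NAS consults its own attribute dictionary.
EXPECTED_KEYS = {"tunnel-type(#64)", "tunnel-medium-type(#65)",
                 "tunnel-private-group-ID(#81)"}

def encode_cisco_avpair(text):
    """Wrap one AV-pair string in a Cisco VSA: type 26, length, 4-byte vendor id,
    then sub-type 1, sub-length, value. Each length counts its own 2-byte header."""
    value = text.encode("ascii")
    inner = bytes([CISCO_AVPAIR, 2 + len(value)]) + value
    return (bytes([VENDOR_SPECIFIC, 6 + len(inner)])
            + struct.pack("!I", CISCO_VENDOR_ID) + inner)

def walk_tlvs(data):
    """Yield (type, length, payload) per type/length/value triple; reject truncated
    or under-length entries so a malformed packet cannot make the loop spin."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        length = data[pos + 1]
        yield data[pos], length, data[pos + 2:pos + length]
        pos += length

def decode_cisco_avpairs(attrs):
    """One dict per Cisco AVpair in a RADIUS attribute blob: both lengths as the IOS
    debug prints them, the key before the first '=', the value, and a verdict."""
    found = []
    for atype, alen, payload in walk_tlvs(attrs):
        if atype != VENDOR_SPECIFIC or len(payload) < 4:
            continue
        if struct.unpack("!I", payload[:4])[0] != CISCO_VENDOR_ID:
            continue
        for subtype, sublen, raw in walk_tlvs(payload[4:]):
            if subtype != CISCO_AVPAIR:
                continue
            key, _, val = raw.decode("ascii", "replace").partition("=")
            key = key.strip()
            verdict = "ok" if key in EXPECTED_KEYS else 'unknown cisco vsa "%s" - IGNORE' % key
            found.append({"outer_len": alen, "inner_len": sublen,
                          "key": key, "value": val.strip(), "verdict": verdict})
    return found
```

Calling `decode_cisco_avpairs(encode_cisco_avpair('cisco-avpair= "tunnel-type(#64)=VLAN(13)"'))` yields the 49/43 lengths and an IGNORE verdict for key `cisco-avpair`, while the same call on `tunnel-type(#64)=VLAN(13)` yields key `tunnel-type(#64)` and `ok`.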
