Dave,

After further testing the following is what you need.

tunnel-type=VLAN (13)
tunnel-medium-type=ALL_802 (6)
tunnel-private-group-id=10

On Fri, Jan 29, 2010 at 2:50 PM, Tyson Scott <[email protected]> wrote:
> Dave,
>
> You can see that from the Debug output it says
>
> parse unknown cisco vsa "cisco-avpair". The box that is created in
> the user account already has that attribute set. So it is kind of like
> you are saying
>
> cisco-avpair=cisco-avpair=tunnel-type(#64)=VLAN(13)
>
> That is why it doesn't understand it.
>
> On Fri, Jan 29, 2010 at 2:46 PM, Tyson Scott <[email protected]> wrote:
>> Dave,
>>
>> You need to remove
>> cisco-avpair=
>>
>> In ACS put
>> tunnel-type(#64)=VLAN(13)
>> tunnel-medium-type(#65)=802 media(6)
>> tunnel-private-group-ID(#81)=200
>>
>> Not
>> cisco-avpair=tunnel-type(#64)=VLAN(13)
>> cisco-avpair=tunnel-medium-type(#65)=802 media(6)
>> cisco-avpair=tunnel-private-group-ID(#81)=200
>>
>> You only put cisco-avpair= when you are working with Unix based ACS.
>>
>> On Fri, Jan 29, 2010 at 2:22 PM, Mack, David A (Dave) <[email protected]> wrote:
>>> Stu,
>>>
>>> If by changing my client, you mean going to the Network
>>> Configuration section of the ACS and then setting the “Authenticate Using”
>>> drop down to “RADIUS (Cisco IOS/PIX 6.0)”, then yes I did that. As for the
>>> switch itself, I have the basics:
>>>
>>> aaa new-model
>>> aaa authentication dot1x default group radius
>>> aaa authorization network default group radius
>>> aaa session-id common
>>> radius-server host 10.20.20.101 auth-port 1812 acct-port 1813
>>> radius-server key cisco123!
>>>
>>> In addition I have this:
>>>
>>> radius-server vsa send authentication
>>>
>>> What else is there to set?
>>>
>>> Thanks!
>>> Dave
>>>
>>> From: Stuart Hare [mailto:[email protected]]
>>> Sent: Friday, January 29, 2010 2:11 PM
>>> To: Mack, David A (Dave)
>>> Cc: [email protected]
>>> Subject: Re: [OSL | CCIE_Security] Dot1X Radius Config
>>>
>>> Dave,
>>>
>>> I'm not familiar with Yusuf's lab book, but you say it worked with IETF
>>> attributes but not with Cisco AV Pairs.
>>>
>>> When you changed to AV Pairs, did you also change the AAA Client
>>> Authentication method?
>>>
>>> For instance I take it for the IETF to work you had your AAA client cfg'd
>>> for RADIUS (IETF), did you try changing the client to RADIUS(Cisco IOS/PIX)?
>>>
>>> Stu
>>>
>>> On Fri, Jan 29, 2010 at 6:54 PM, Mack, David A (Dave) <[email protected]> wrote:
>>>
>>> Hello All!
>>> This is follow-on to my earlier dot1x question. Here is the situation:
>>>
>>> I have a Windows XP client connected to Cat 3650 and a configured ACS
>>> server. With the Cat configured as RADIUS IETF client in the ACS, I can
>>> authenticate the XP PC and get the VLAN pushed back to the Cat. All
>>> works fine. So now I want to try setting the Cat to be a RADIUS (Cisco
>>> IOS/PIX 6.x) client in the ACS. I would expect to have to use the
>>> configuration Yusuf shows in his book on pages 339-341. Now here is
>>> where the problem starts. First, if you look at his debug output you see
>>> that Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group are pushed
>>> back from ACS as BOTH Cisco AV-PAIRs and as IETF RADIUS attributes. Why
>>> are both methods used?? I tried using just the IETF values and it
>>> works just fine. So why use the Cisco AV-PAIRS? Now if I try to add the
>>> AV-PAIRS to the ACS, entered exactly as figure 11-8, the Switch does not
>>> recognize them:
>>>
>>> *Mar 17 23:21:18.222: RADIUS: Message-Authenticato[80] 18
>>> *Mar 17 23:21:18.222: RADIUS: 16 DF 78 4A FF DD 02 62 E2 45 CA 35 74 E7 53 F5 [ xJbE5tS]
>>> *Mar 17 23:21:18.222: RADIUS: Vendor, Cisco [26] 49
>>> *Mar 17 23:21:18.222: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A1414040000003F5767FE11"
>>> *Mar 17 23:21:18.222: RADIUS: NAS-Port
>>> SEC-CAT4(config-if)#-Type [61] 6 Ethernet [15]
>>> *Mar 17 23:21:18.222: RADIUS: NAS-Port [5] 6 50018
>>> *Mar 17 23:21:18.222: RADIUS: NAS-Port-Id [87] 21 "GigabitEthernet0/18"
>>> *Mar 17 23:21:18.222: RADIUS: State [24] 27
>>> *Mar 17 23:21:18.222: RADIUS: 45 41 50 3D 30 2E 32 30 31 2E 34 39 37 2E 31 3B [EAP=0.201.497.1;]
>>> *Mar 17 23:21:18.222: RADIUS: 53 56 43 3D 30 2E 31 64 3B [ SVC=0.1d;]
>>> *Mar 17 23:21:18.222: RADIUS: NAS-IP-A
>>> SEC-CAT4(config-if)#ddress [4] 6 10.20.20.4
>>> *Mar 17 23:21:18.247: RADIUS: Received from id 1645/84 10.20.20.101:1812, Access-Accept, len 243
>>> *Mar 17 23:21:18.247: RADIUS: authenticator 34 14 2D BA 5D 79 93 70 - 88 91 01 F4 39 14 79 24
>>>
>>> Note that the AV-PAIRS below appear exactly as they do on page 341
>>>
>>> *Mar 17 23:21:18.247: RADIUS: Vendor, Cisco [26] 49
>>> *Mar 17 23:21:18.247: RADIUS: Cisco AVpair [1] 43 "cisco-avpair= "tunnel-type(#64)=VLAN(13)""
>>> *Mar 17 23:21:18.247: RADIUS: Vendor, Cisco [26] 60
>>> *Mar 17 23:21:18.247: RADIUS: Cis
>>> SEC-CAT4(config-if)#co AVpair [1] 54 "cisco-avpair= "tunnel-medium-type(#65)=802 media(6)""
>>> *Mar 17 23:21:18.247: RADIUS: Vendor, Cisco [26] 56
>>> *Mar 17 23:21:18.247: RADIUS: Cisco AVpair [1] 50 "cisco-avpair= "tunnel-private-group-ID(#81)=200""
>>> *Mar 17 23:21:18.247: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
>>> *Mar 17 23:21:18.247: RADIUS: EAP-Message [79] 6
>>> *Mar 17 23:21:18.247: RADIUS: 03 21 00 04 [ !]
>>> *Mar 17 23:21:18.247: RADIUS: Clas
>>> SEC-CAT4(config-if)#s [25] 28
>>> *Mar 17 23:21:18.247: RADIUS: 43 41 43 53 3A 30 2F 33 35 34 32 64 2F 61 31 34 [CACS:0/3542d/a14]
>>> *Mar 17 23:21:18.247: RADIUS: 31 34 30 34 2F 35 30 30 31 38 [ 1404/50018]
>>> *Mar 17 23:21:18.247: RADIUS: Message-Authenticato[80] 18
>>> *Mar 17 23:21:18.247: RADIUS: 31 CE 78 F1 01 A9 A8 DB EA 36 73 A2 A8 C6 74 5D [ 1x6st]]
>>> *Mar 17 23:21:18.247: RADIUS(00000042): Received from id 1645/84
>>>
>>> But, the switch does not know what to do with them...
>>>
>>> *Mar 17 23:21:18.247: RADIUS/DECODE: parse unknown cisco vsa "cisco  <======================
>>> SEC-CAT4(config-if)#-avpair" - IGNORE
>>> *Mar 17 23:21:18.247: RADIUS/DECODE: parse unknown cisco vsa "cisco-avpair" - IGNORE  <======================
>>> *Mar 17 23:21:18.247: RADIUS/DECODE: parse unknown cisco vsa "cisco-avpair" - IGNORE  <======================
>>> *Mar 17 23:21:18.247: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
>>> *Mar 17 23:21:18.256: dot1x-packet(Gi0/18): Received an EAP Success
>>> *Mar 17 23:21:18.256: %DOT1X-5-SUCCESS: Authentication successful for client (0008.7492.2c0e) on Interface Gi0/18
>>> *Mar 17 23:21:18.256: dot1x-ev(Gi0/18): Sending event (2)
>>> SEC-CAT4(config-if)#to Auth Mgr for 0008.7492.2c0e
>>> *Mar 17 23:21:18.256: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0008.7492.2c0e) on Interface Gi0/1
>>>
>>> Has anyone got this to work?? What is the "Secret Sauce"?
>>>
>>> Thanks!
>>> Dave
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please
>>> visit www.ipexpert.com
>>>
>>> --
>>> Regards,
>>>
>>> Stuart Hare
>>> CCIE #25616 (Security), CCSP, Microsoft MCP
>>> Sr. Support Engineer – IPexpert, Inc.
>>> URL: http://www.IPexpert.com
>>
>> --
>> Tyson Scott - CCIE #13513 R&S and Security
>> Technical Instructor - IPexpert, Inc.
>>
>> Telephone: +1.810.326.1444
>> Fax: +1.810.454.0130
>> Mailto: [email protected]
>>
>> Join our free online support and peer group communities:
>> http://www.IPexpert.com/communities
>>
>> IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On
>> Demand and Audio Certification Training Tools for the Cisco CCIE R&S
>> Lab, CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and
>> CCIE Storage Lab Certifications.
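The thread turns on how the switch decodes the VLAN-assignment attributes in the Access-Accept: IETF Tunnel-Type (64), Tunnel-Medium-Type (65) and Tunnel-Private-Group-ID (81) are understood, while a Cisco VSA whose av-pair string itself starts with "cisco-avpair=" is logged as an unknown VSA and ignored. The following decoder is an added example written for this page, not code from the thread, from Cisco, or from any ACS or IOS release. It encodes and parses the two attribute forms, and it models the IOS av-pair decoder only as far as the thread shows (the text before "=" is taken as the VSA name, so a doubled "cisco-avpair=" prefix is unknown); that model, the key/value splitting and the sample attribute bytes are assumptions and constructed data, not captured traffic. It also counts the "parse unknown cisco vsa ... IGNORE" lines from `debug radius` output, which is the check a practitioner would run to confirm the attributes are being dropped rather than applied.

```python
"""Decode dynamic-VLAN attributes from a RADIUS Access-Accept (added example).

Models two carriers for the VLAN assignment discussed in the thread:
RFC 2868 tunnel attributes (64/65/81) and Cisco VSA 26 / vendor 9 /
subtype 1 "cisco-avpair" strings. The av-pair handling is an assumption
that mirrors the thread's debug output: an av-pair whose key is itself
"cisco-avpair" is treated as an unknown VSA and ignored.
"""
import re
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VENDOR_SPECIFIC, CISCO_VENDOR_ID, CISCO_AVPAIR = 26, 9, 1
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6


def attr(atype, value):
    """Encode one RADIUS attribute: type, length (including header), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def tagged_int(tag, number):
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte value."""
    return bytes([tag]) + number.to_bytes(3, "big")


def cisco_avpair(text):
    """Encode a Cisco VSA (vendor 9, subtype 1) carrying one av-pair string."""
    payload = text.encode("ascii")
    vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(payload) + 2) + payload
    return attr(VENDOR_SPECIFIC, vsa)


def parse_attributes(raw):
    """Split raw attribute bytes into (type, value) pairs, validating lengths."""
    out, off = [], 0
    while off < len(raw):
        if off + 2 > len(raw):
            raise ValueError("truncated attribute header")
        atype, alen = raw[off], raw[off + 1]
        if alen < 2 or off + alen > len(raw):
            raise ValueError("bad attribute length")
        out.append((atype, raw[off + 2:off + alen]))
        off += alen
    return out


def decode_vlan_assignment(raw):
    """Return {'vlan', 'avpairs', 'ignored'} for an Access-Accept attribute list.

    'vlan' is set only when one tag carries a complete triple saying VLAN over
    802 media; 'ignored' lists av-pairs the modelled decoder would drop.
    """
    tunnels = {}  # tag -> {"type": int, "medium": int, "group": str}
    avpairs, ignored = [], []
    for atype, value in parse_attributes(raw):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tagged integer must be 4 bytes")
            key = "type" if atype == TUNNEL_TYPE else "medium"
            tunnels.setdefault(value[0], {})[key] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # The tag byte is present only when it is <= 0x1F (RFC 2868).
            tag, text = (value[0], value[1:]) if value and value[0] <= 0x1F else (0, value)
            tunnels.setdefault(tag, {})["group"] = text.decode("ascii")
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor != CISCO_VENDOR_ID or vtype != CISCO_AVPAIR:
                continue
            if vlen != len(value) - 4:
                raise ValueError("bad vendor length")
            text = value[6:].decode("ascii", errors="replace")
            key, sep, val = text.partition("=")
            # Assumed model of IOS: the text before '=' names the VSA, and
            # "cisco-avpair" is the container, not an attribute, so a doubled
            # prefix is unknown and dropped (the thread's "- IGNORE" lines).
            if not sep or key.strip() == "cisco-avpair":
                ignored.append(text)
            else:
                avpairs.append((key.strip(), val.strip().strip('"')))
    vlan = None
    for t in tunnels.values():
        if t.get("type") == TUNNEL_TYPE_VLAN and t.get("medium") == TUNNEL_MEDIUM_802 and "group" in t:
            vlan = t["group"]
            break
    return {"vlan": vlan, "avpairs": avpairs, "ignored": ignored}


IGNORE_RE = re.compile(r'parse unknown cisco vsa "([^"]*)" - IGNORE')


def count_ignored_vsas(debug_lines):
    """Count RADIUS/DECODE '... - IGNORE' lines from 'debug radius' by VSA name."""
    counts = {}
    for line in debug_lines:
        m = IGNORE_RE.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


# Constructed samples (not captured traffic): the working IETF form the thread
# ends with, and the doubled-prefix av-pairs the switch ignored.
IETF_OK = (attr(TUNNEL_TYPE, tagged_int(1, TUNNEL_TYPE_VLAN))
           + attr(TUNNEL_MEDIUM_TYPE, tagged_int(1, TUNNEL_MEDIUM_802))
           + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([1]) + b"10"))
AVPAIR_DOUBLED = (cisco_avpair('cisco-avpair= "tunnel-type(#64)=VLAN(13)"')
                  + cisco_avpair('cisco-avpair= "tunnel-medium-type(#65)=802 media(6)"')
                  + cisco_avpair('cisco-avpair= "tunnel-private-group-ID(#81)=200"'))

if __name__ == "__main__":
    print(decode_vlan_assignment(IETF_OK))
    print(decode_vlan_assignment(AVPAIR_DOUBLED))
```

Running the block prints a VLAN of "10" for the IETF form and no VLAN plus three ignored strings for the doubled av-pairs, which is the same outcome the `debug radius` output in the thread shows: the session authenticates (EAP Success) but the VLAN attributes never take effect. Feeding the decode lines from that debug into `count_ignored_vsas` gives a quick count of dropped VSAs per name, a useful check before assuming a policy was applied.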
