Good to know, and thanks a lot. One more thing: when configuring NAC, what attributes would the RADIUS NAS need to send to the ACS when using the "radius-server vsa send authentication" command?
I've also seen it configured with 802.1x authentication, but without any attributes set up, so I was well confused about the requirement for the command.

Mark

On Tue, Aug 9, 2011 at 8:13 AM, Tyson Scott <[email protected]> wrote:
> You only need VSA when doing Network Profiling, aka NAC
>
> On Mon, Aug 8, 2011 at 10:52 PM, Mark Senteza <[email protected]> wrote:
>> Thanks a huge lot Tyson. That worked a treat.
>>
>> So what is the purpose of those two command lines?
>>
>> R2>telnet 4.4.4.4
>> Trying 4.4.4.4 ... Open
>>
>> User Access Verification
>>
>> Username: limited
>> Password:
>>
>> R4>show parser view
>> Current view is 'limited'
>>
>> **************
>>
>> Debug output:
>>
>> Aug 9 02:46:00.892: RADIUS/ENCODE(0000000E): ask "Username: "
>> Aug 9 02:46:00.892: RADIUS/ENCODE(0000000E): send packet; GET_USER
>> Aug 9 02:46:03.076: RADIUS/ENCODE(0000000E): ask "Password: "
>> Aug 9 02:46:03.076: RADIUS/ENCODE(0000000E): send packet; GET_PASSWORD
>> Aug 9 02:46:05.024: RADIUS/ENCODE(0000000E):Orig. component type = EXEC
>> Aug 9 02:46:05.024: RADIUS: AAA Unsupported Attr: interface [175] 6
>> Aug 9 02:46:05.024: RADIUS: 74 74 79 35 [tty5]
>> Aug 9 02:46:05.024: RADIUS/ENCODE(0000000E): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
>> Aug 9 02:46:05.024: RADIUS(0000000E): Config NAS IP: 4.4.4.4
>> Aug 9 02:46:05.024: RADIUS/ENCODE(0000000E): acct_session_id: 11
>> Aug 9 02:46:05.024: RADIUS(0000000E): sending
>> Aug 9 02:46:05.024: RADIUS(0000000E): Send Access-Request to 10.49.49.100:1645 id 1645/11, len 85
>> Aug 9 02:46:05.024: RADIUS: authenticator E2 EE D2 67 09 09 13 47 - FF DD 10 08 35 F7 FD 3C
>> Aug 9 02:46:05.024: RADIUS: User-Name [1] 9 "limited"
>> Aug 9 02:46:05.024: RADIUS: User-Password [2] 18 *
>> Aug 9 02:46:05.024: RADIUS: NAS-Port [5] 6 514
>> Aug 9 02:46:05.024: RADIUS: NAS-Port-Id [87] 8 "tty514"
>> Aug 9 02:46:05.024: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
>> Aug 9 02:46:05.024: RADIUS: Calling-Station-Id [31] 12 "10.56.56.2"
>> Aug 9 02:46:05.024: RADIUS: NAS-IP-Address [4] 6 4.4.4.4
>> Aug 9 02:46:05.032: RADIUS: Received from id 1645/11 10.49.49.100:1645, Access-Accept, len 93
>> Aug 9 02:46:05.032: RADIUS: authenticator 15 61 33 0D 36 95 C6 BB - 70 D0 93 2F C1 E3 2C 9A
>> Aug 9 02:46:05.032: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
>> Aug 9 02:46:05.032: RADIUS: Vendor, Cisco [26] 35
>> Aug 9 02:46:05.032: RADIUS: Cisco AVpair [1] 29 "shell:cli-view-name=limited"
>> Aug 9 02:46:05.032: RADIUS: Service-Type [6] 6 NAS Prompt [7]
>> Aug 9 02:46:05.032: RADIUS: Class [25] 26
>> Aug 9 02:46:05.032: RADIUS: 43 41 43 53 3A 30 2F 35 33 30 33 36 2F 34 30 34 [CACS:0/53036/404]
>> Aug 9 02:46:05.032: RADIUS: 30 34 30 34 2F 35 31 34 [0404/514]
>> Aug 9 02:46:05.032: RADIUS(0000000E): Received from id 1645/11
>>
>> On Mon, Aug 8, 2011 at 7:29 PM, Tyson Scott <[email protected]> wrote:
>>> Remove what you have in red. Do debug radius authentication. See why it is saying it is failing.
>>>
>>> On Mon, Aug 8, 2011 at 9:54 PM, Mark Senteza <[email protected]> wrote:
>>>> Hey all,
>>>>
>>>> I'm trying to configure CLI Views using RADIUS, but can't get it to work. I authenticate fine, but the CLI View is never applied. What am I doing wrong?
>>>>
>>>> My ACS User configuration is:
>>>>
>>>> Username: limited
>>>> Password: cisco
>>>>
>>>> Cisco IOS/PIX 6.x RADIUS Attributes
>>>>
>>>> [x] [009/001] cisco-av-pair
>>>> shell:cli-view-name=limited
>>>>
>>>> IETF RADIUS Attributes
>>>>
>>>> [x] Service-Type "NAS Prompt" selected from the drop-down listbox
>>>>
>>>> ******************
>>>>
>>>> My router configuration is:
>>>>
>>>> enable secret cisco
>>>>
>>>> aaa new-model
>>>>
>>>> aaa authentication login CONSOLE none
>>>> aaa authentication login VTY group radius
>>>>
>>>> aaa authorization exec CONSOLE none
>>>> aaa authorization exec VTY group radius
>>>>
>>>> *radius-server attribute 6 mandatory*   <- Is this a prerequisite command for CLI Views with RADIUS?
>>>> radius-server host 10.49.49.100 auth-port 1645 acct-port 1646
>>>> radius-server key cisco
>>>> *radius-server vsa send authentication*   <- Is this a prerequisite command for CLI Views with RADIUS?
>>>>
>>>> ip radius source-interface Loopback0
>>>>
>>>> line vty 0 4
>>>> password ciscoccie
>>>> authorization exec VTY
>>>> login authentication VTY
>>>>
>>>> parser view limited
>>>> secret 5 $1$i0td$AjMze0pO6bfxePI936yKr.
>>>> commands exec include show ip interface brief
>>>> commands exec include show ip interface
>>>> commands exec include show ip
>>>> commands exec include show clock
>>>> commands exec include show version
>>>> commands exec include show logging
>>>> commands exec include show
>>>>
>>>> *****************
>>>>
>>>> R4#show parser view
>>>> Current view is 'root'
>>>>
>>>> I'm not sure if this IOS version is supported, but I'm using 12.4(24)T Advanced Enterprise Services.
>>>>
>>>> R4#show version
>>>> Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(24)T, RELEASE SOFTWARE (fc1)
>>>> System image file is "flash:c2800nm-adventerprisek9-mz.124-24.T.bin"
>>>>
>>>> *****************
>>>> When I telnet from another router to R4 (the CLI-view-enabled router), the CLI view is not set on the user:
>>>>
>>>> R2#telnet 10.56.56.4
>>>> Trying 10.56.56.4 ... Open
>>>>
>>>> User Access Verification
>>>>
>>>> Username: limited
>>>> Password:
>>>>
>>>> R4>en
>>>> Password:
>>>> R4#show parser view
>>>> No view is active ! Currently in Privilege Level Context
>>>>
>>>> _______________________________________________
>>>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>>>>
>>>> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
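Added example (editor's addition, not code from anyone in the thread): the two RADIUS packets listed in the debug output above, rebuilt byte for byte from RFC 2865, so the attribute numbers and lengths the router printed ("Vendor, Cisco [26] 35", "Cisco AVpair [1] 29", len 85 and len 93) can be checked against what the Cisco VSA actually looks like on the wire: attribute 26, vendor ID 9, vendor-type 1, value "shell:cli-view-name=limited". It also does the check a NAS must do before acting on that attribute, recomputing the Response Authenticator with the shared secret, and shows that a reply whose view name was rewritten without the secret is rejected. Assumptions not in the thread: the shared secret is the router's "radius-server key cisco", and a fixed Request Authenticator stands in for the random one the router generated, so the encrypted User-Password bytes (masked as "*" in the debug) will not match the real capture.

```python
import hashlib
import hmac
import socket
import struct

# RADIUS codes and attribute numbers from RFC 2865 (the "[n]" values in the debug output).
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE = 1, 2, 4, 5, 6
FRAMED_IP_ADDRESS, CLASS, VENDOR_SPECIFIC, CALLING_STATION_ID = 8, 25, 26, 31
NAS_PORT_TYPE, NAS_PORT_ID = 61, 87
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1   # ACS "[009/001] cisco-av-pair"

# Assumptions, not from the thread: secret = "radius-server key cisco"; fixed Request Authenticator.
SECRET = b"cisco"
REQUEST_AUTH = bytes(range(16))


def avp(attr_type, value):
    """Type-Length-Value; the length counts the two header bytes."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_avpair(text):
    """Vendor-Specific (26) carrying vendor 9 / vendor-type 1 (cisco-avpair)."""
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + avp(CISCO_AVPAIR, text.encode()))


def encrypt_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    data = password.encode()
    data += b"\x00" * (-len(data) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out, prev = out + block, block
    return out


def build_access_request(ident, request_auth, secret):
    """The router's Access-Request as listed in the debug (User-Password bytes are constructed)."""
    attrs = (avp(USER_NAME, b"limited")
             + avp(USER_PASSWORD, encrypt_password("cisco", secret, request_auth))
             + avp(NAS_PORT, struct.pack("!I", 514))
             + avp(NAS_PORT_ID, b"tty514")
             + avp(NAS_PORT_TYPE, struct.pack("!I", 5))          # Virtual
             + avp(CALLING_STATION_ID, b"10.56.56.2")
             + avp(NAS_IP_ADDRESS, socket.inet_aton("4.4.4.4")))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_access_accept(ident, request_auth, secret, view_name):
    """The ACS reply: Framed-IP-Address, the Cisco VSA, Service-Type NAS Prompt, Class."""
    attrs = (avp(FRAMED_IP_ADDRESS, socket.inet_aton("255.255.255.255"))
             + cisco_avpair("shell:cli-view-name=" + view_name)
             + avp(SERVICE_TYPE, struct.pack("!I", 7))            # NAS Prompt
             + avp(CLASS, b"CACS:0/53036/4040404/514"))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(packet, request_auth, secret):
    """Recompute the Response Authenticator; a reply that fails this must be dropped,
    otherwise a spoofed UDP packet from the server's address could hand out a view."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet):
    """Yield (type, length, value); a VSA value is unwrapped to (vendor, vtype, vlen, data)."""
    i, end = 20, len(packet)
    while i < end:
        if i + 2 > end or packet[i + 1] < 2 or i + packet[i + 1] > end:
            raise ValueError("malformed attribute at offset %d" % i)
        t, l = packet[i], packet[i + 1]
        v = packet[i + 2:i + l]
        if t == VENDOR_SPECIFIC and len(v) >= 6:
            vendor = struct.unpack("!I", v[:4])[0]
            v = (vendor, v[4], v[5], v[6:4 + v[5]])
        yield t, l, v
        i += l


def cli_view_from_accept(packet, request_auth, secret):
    """Return the view name the ACS pushed, or None if the reply does not authenticate."""
    if not verify_response(packet, request_auth, secret):
        return None
    for t, _, v in parse_attributes(packet):
        if t == VENDOR_SPECIFIC and v[0] == CISCO_VENDOR_ID and v[1] == CISCO_AVPAIR:
            text = v[3].decode("ascii", "replace")
            if text.startswith("shell:cli-view-name="):
                return text.split("=", 1)[1]
    return None


if __name__ == "__main__":
    req = build_access_request(11, REQUEST_AUTH, SECRET)
    acc = build_access_accept(11, REQUEST_AUTH, SECRET, "limited")
    print(len(req), len(acc), cli_view_from_accept(acc, REQUEST_AUTH, SECRET))  # 85 93 limited
    # Same length, different view name, no secret: the authenticator check rejects it.
    forged = acc.replace(b"name=limited", b"name=root   ")
    print(cli_view_from_accept(forged, REQUEST_AUTH, SECRET))  # None
```

The lengths fall out of the encoding: the VSA is 2 header bytes + 4 bytes of vendor ID + a 29-byte cisco-avpair (2 + 27 characters), which is the 35 the router printed, and the four Access-Accept attributes (6 + 35 + 6 + 26) on top of the 20-byte header give len 93. Note that the Response Authenticator only covers integrity against someone without the secret; the User-Password is protected with the same MD5 stream construction, which is why a guessable shared key like "cisco" is fine in a lab and nowhere else.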
