Mark, I already discussed the same topic with kings in the post dated at 11.07. Try to find it in the archives.
Regards,
Piotr

2011/8/9 Mark Senteza <[email protected]>

> Good to know, and thanks a lot. One more thing, when configuring NAC what
> attributes would the RADIUS NAS need to send to the ACS when using the
> "radius-server vsa send authentication" command?
>
> I've also seen it configured with 802.1x authentication, but without any
> attributes set up, so I was well confused about the requirement for the
> command.
>
> Mark
>
> On Tue, Aug 9, 2011 at 8:13 AM, Tyson Scott <[email protected]> wrote:
>
>> You only need VSA when doing Network Profiling, aka NAC.
>>
>> On Mon, Aug 8, 2011 at 10:52 PM, Mark Senteza <[email protected]> wrote:
>>
>>> Thanks a huge lot Tyson. That worked a treat.
>>>
>>> So what is the purpose of those two command lines?
>>>
>>> R2>telnet 4.4.4.4
>>> Trying 4.4.4.4 ... Open
>>>
>>> User Access Verification
>>>
>>> Username: limited
>>> Password:
>>>
>>> R4>show parser view
>>> Current view is 'limited'
>>>
>>> **************
>>>
>>> Debug output:
>>>
>>> Aug 9 02:46:00.892: RADIUS/ENCODE(0000000E): ask "Username: "
>>> Aug 9 02:46:00.892: RADIUS/ENCODE(0000000E): send packet; GET_USER
>>> Aug 9 02:46:03.076: RADIUS/ENCODE(0000000E): ask "Password: "
>>> Aug 9 02:46:03.076: RADIUS/ENCODE(0000000E): send packet; GET_PASSWORD
>>> Aug 9 02:46:05.024: RADIUS/ENCODE(0000000E):Orig. component type = EXEC
>>> Aug 9 02:46:05.024: RADIUS: AAA Unsupported Attr: interface [175] 6
>>> Aug 9 02:46:05.024: RADIUS: 74 74 79 35 [tty5]
>>> Aug 9 02:46:05.024: RADIUS/ENCODE(0000000E): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
>>> Aug 9 02:46:05.024: RADIUS(0000000E): Config NAS IP: 4.4.4.4
>>> Aug 9 02:46:05.024: RADIUS/ENCODE(0000000E): acct_session_id: 11
>>> Aug 9 02:46:05.024: RADIUS(0000000E): sending
>>> Aug 9 02:46:05.024: RADIUS(0000000E): Send Access-Request to 10.49.49.100:1645 id 1645/11, len 85
>>> Aug 9 02:46:05.024: RADIUS: authenticator E2 EE D2 67 09 09 13 47 - FF DD 10 08 35 F7 FD 3C
>>> Aug 9 02:46:05.024: RADIUS: User-Name [1] 9 "limited"
>>> Aug 9 02:46:05.024: RADIUS: User-Password [2] 18 *
>>> Aug 9 02:46:05.024: RADIUS: NAS-Port [5] 6 514
>>> Aug 9 02:46:05.024: RADIUS: NAS-Port-Id [87] 8 "tty514"
>>> Aug 9 02:46:05.024: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
>>> Aug 9 02:46:05.024: RADIUS: Calling-Station-Id [31] 12 "10.56.56.2"
>>> Aug 9 02:46:05.024: RADIUS: NAS-IP-Address [4] 6 4.4.4.4
>>> Aug 9 02:46:05.032: RADIUS: Received from id 1645/11 10.49.49.100:1645, Access-Accept, len 93
>>> Aug 9 02:46:05.032: RADIUS: authenticator 15 61 33 0D 36 95 C6 BB - 70 D0 93 2F C1 E3 2C 9A
>>> Aug 9 02:46:05.032: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
>>> Aug 9 02:46:05.032: RADIUS: Vendor, Cisco [26] 35
>>> Aug 9 02:46:05.032: RADIUS: Cisco AVpair [1] 29 "shell:cli-view-name=limited"
>>> Aug 9 02:46:05.032: RADIUS: Service-Type [6] 6 NAS Prompt [7]
>>> Aug 9 02:46:05.032: RADIUS: Class [25] 26
>>> Aug 9 02:46:05.032: RADIUS: 43 41 43 53 3A 30 2F 35 33 30 33 36 2F 34 30 34 [CACS:0/53036/404]
>>> Aug 9 02:46:05.032: RADIUS: 30 34 30 34 2F 35 31 34 [0404/514]
>>> Aug 9 02:46:05.032: RADIUS(0000000E): Received from id 1645/11
>>>
>>> On Mon, Aug 8, 2011 at 7:29 PM, Tyson Scott <[email protected]> wrote:
>>>
>>>> Remove what you have in red. Do "debug radius authentication". See why
>>>> it is saying it is failing.
>>>>
>>>> On Mon, Aug 8, 2011 at 9:54 PM, Mark Senteza <[email protected]> wrote:
>>>>
>>>>> Hey all,
>>>>>
>>>>> I'm trying to configure CLI Views using RADIUS, but can't get it to
>>>>> work. I authenticate fine, but the CLI View is never applied. What am I
>>>>> doing wrong?
>>>>>
>>>>> My ACS User configuration is:
>>>>>
>>>>> Username: limited
>>>>> password: cisco
>>>>>
>>>>> Cisco IOS/PIX 6.x RADIUS Attributes
>>>>>
>>>>> [x] [009/001] cisco-av-pair
>>>>>     shell:cli-view-name=limited
>>>>>
>>>>> IETF RADIUS Attributes
>>>>>
>>>>> [x] Service-Type "NAS Prompt" selected from the drop-down listbox
>>>>>
>>>>> ******************
>>>>>
>>>>> My router configuration is:
>>>>>
>>>>> enable secret cisco
>>>>>
>>>>> aaa new-model
>>>>>
>>>>> aaa authentication login CONSOLE none
>>>>> aaa authentication login VTY group radius
>>>>>
>>>>> aaa authorization exec CONSOLE none
>>>>> aaa authorization exec VTY group radius
>>>>>
>>>>> *radius-server attribute 6 mandatory*
>>>>> <- Is this a prerequisite command for CLI Views with RADIUS?
>>>>> radius-server host 10.49.49.100 auth-port 1645 acct-port 1646
>>>>> radius-server key cisco
>>>>> *radius-server vsa send authentication*
>>>>> <- Is this a prerequisite command for CLI Views with RADIUS?
>>>>>
>>>>> ip radius source-interface Loopback0
>>>>>
>>>>> line vty 0 4
>>>>>  password ciscoccie
>>>>>  authorization exec VTY
>>>>>  login authentication VTY
>>>>>
>>>>> parser view limited
>>>>>  secret 5 $1$i0td$AjMze0pO6bfxePI936yKr.
>>>>>  commands exec include show ip interface brief
>>>>>  commands exec include show ip interface
>>>>>  commands exec include show ip
>>>>>  commands exec include show clock
>>>>>  commands exec include show version
>>>>>  commands exec include show logging
>>>>>  commands exec include show
>>>>>
>>>>> *****************
>>>>>
>>>>> R4#show parser view
>>>>> Current view is 'root'
>>>>>
>>>>> I'm not sure if this IOS version is supported, but I'm using 12.4(24)T
>>>>> Advanced Enterprise Services.
>>>>>
>>>>> R4#show version
>>>>> Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(24)T, RELEASE SOFTWARE (fc1)
>>>>> System image file is "flash:c2800nm-adventerprisek9-mz.124-24.T.bin"
>>>>>
>>>>> *****************
>>>>> When I telnet from another router to R4 (the CLI view enabled router), the
>>>>> CLI view is not set on the user:
>>>>>
>>>>> R2#telnet 10.56.56.4
>>>>> Trying 10.56.56.4 ... Open
>>>>>
>>>>> User Access Verification
>>>>>
>>>>> Username: limited
>>>>> Password:
>>>>>
>>>>> R4>en
>>>>> Password:
>>>>> R4#show parser view
>>>>> No view is active ! Currently in Privilege Level Context
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
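As an added example (not code from the thread or from Cisco/ACS): a small Python encoder and decoder for the Access-Accept shown in the debug output above, so you can see how the cisco-av-pair rides inside the Vendor-Specific attribute (type 26, vendor ID 9) and what the NAS actually parses to pick the view name. The RFC 2865 layout and the Cisco vendor ID are standard; the packet bytes are reconstructed from the logged attributes and the router's "radius-server key cisco".

```python
import hashlib
import struct

CISCO_VENDOR_ID = 9  # IANA enterprise number carried in Vendor-Specific (26)

def attr(t, value):  # plain RADIUS attribute: Type(1) Length(1) Value, RFC 2865 s5
    return bytes([t, 2 + len(value)]) + value

def cisco_avpair(text):  # Vendor-Specific (26) wrapping one Cisco AV-pair (vendor type 1)
    return attr(26, struct.pack("!I", CISCO_VENDOR_ID) + attr(1, text.encode()))

def build_access_accept(ident, req_auth, secret, attrs):
    """Access-Accept (code 2); Response Authenticator = MD5(header+ReqAuth+attrs+secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", 2, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + req_auth + body + secret).digest()
    return header + resp_auth + body

def parse_attrs(packet):
    """Return [(type, value)], with Cisco VSAs expanded to ('cisco-avpair', str)."""
    length = struct.unpack("!H", packet[2:4])[0]
    body, out = packet[20:length], []
    while body:
        t, n = body[0], body[1]
        value, body = body[2:n], body[n:]
        if t == 26 and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            sub = value[4:]
            while sub:  # one VSA may carry several sub-attributes
                if sub[0] == 1:
                    out.append(("cisco-avpair", sub[2:sub[1]].decode()))
                sub = sub[sub[1]:]
        else:
            out.append((t, value))
    return out

def cli_view_name(packet):  # the view IOS applies via "aaa authorization exec ... group radius"
    for t, v in parse_attrs(packet):
        if t == "cisco-avpair" and v.startswith("shell:cli-view-name="):
            return v.split("=", 1)[1]
    return None

# Constructed from the debug output: request authenticator of id 11, the four
# returned attributes (in logged order), and the shared secret from the config.
REQ_AUTH = bytes.fromhex("E2EED26709091347FFDD100835F7FD3C")
ACCEPT = build_access_accept(11, REQ_AUTH, b"cisco", [
    attr(8, bytes([255, 255, 255, 255])),          # Framed-IP-Address
    cisco_avpair("shell:cli-view-name=limited"),   # Cisco AVpair [1] 29
    attr(6, struct.pack("!I", 7)),                 # Service-Type = NAS Prompt
    attr(25, b"CACS:0/53036/4040404/514"),         # Class [25] 26
])
```

len(ACCEPT) comes out at 93, matching the "Access-Accept, len 93" line, and cli_view_name(ACCEPT) returns "limited". Printing ACCEPT[4:20].hex() and comparing it with the logged response authenticator (15 61 33 0D ...) tells you whether the secret and attribute bytes are identical to the real exchange.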
