Piotr, in that thread you stated what features require you to run the "radius-server send vsa authentication" command, but not the additional attributes that you need to be configured along with it. It's those particular attributes, as configured under "radius-server attributes", that I was asking about. Do we need to configure any particular ones, say for example in the case of NAC, or is the "radius-server send vsa authentication" all that needs to be configured?
Mark

On Tue, Aug 9, 2011 at 11:19 AM, Piotr Matusiak <[email protected]> wrote:
> Mark,
>
> I already discussed the same topic with kings in the post dated at 11.07.
> Try to find it in the archives.
>
> Regards,
> Piotr
>
> 2011/8/9 Mark Senteza <[email protected]>
>
>> Good to know, and thanks a lot. One more thing, when configuring NAC what
>> attributes would the radius NAS need to send to the ACS when using the
>> "radius-server vsa send authentication" command?
>>
>> I've also seen it configured with 802.1x authentication, but without any
>> attributes set up, so I was well confused about the requirement for the
>> command.
>>
>> Mark
>>
>> On Tue, Aug 9, 2011 at 8:13 AM, Tyson Scott <[email protected]> wrote:
>>
>>> You only need VSA when doing Network Profiling, aka NAC
>>>
>>> On Mon, Aug 8, 2011 at 10:52 PM, Mark Senteza <[email protected]> wrote:
>>>
>>>> Thanks a huge lot Tyson. That worked a treat.
>>>>
>>>> So what is the purpose of those two command lines?
>>>>
>>>> R2>telnet 4.4.4.4
>>>> Trying 4.4.4.4 ... Open
>>>>
>>>> User Access Verification
>>>>
>>>> Username: limited
>>>> Password:
>>>>
>>>> R4>show parser view
>>>> Current view is 'limited'
>>>>
>>>> **************
>>>>
>>>> Debug output:
>>>>
>>>> Aug 9 02:46:00.892: RADIUS/ENCODE(0000000E): ask "Username: "
>>>> Aug 9 02:46:00.892: RADIUS/ENCODE(0000000E): send packet; GET_USER
>>>> Aug 9 02:46:03.076: RADIUS/ENCODE(0000000E): ask "Password: "
>>>> Aug 9 02:46:03.076: RADIUS/ENCODE(0000000E): send packet; GET_PASSWORD
>>>> Aug 9 02:46:05.024: RADIUS/ENCODE(0000000E):Orig. component type = EXEC
>>>> Aug 9 02:46:05.024: RADIUS: AAA Unsupported Attr: interface [175] 6
>>>> Aug 9 02:46:05.024: RADIUS: 74 74 79 35 [tty5]
>>>> Aug 9 02:46:05.024: RADIUS/ENCODE(0000000E): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
>>>> Aug 9 02:46:05.024: RADIUS(0000000E): Config NAS IP: 4.4.4.4
>>>> Aug 9 02:46:05.024: RADIUS/ENCODE(0000000E): acct_session_id: 11
>>>> Aug 9 02:46:05.024: RADIUS(0000000E): sending
>>>> Aug 9 02:46:05.024: RADIUS(0000000E): Send Access-Request to 10.49.49.100:1645 id 1645/11, len 85
>>>> Aug 9 02:46:05.024: RADIUS: authenticator E2 EE D2 67 09 09 13 47 - FF DD 10 08 35 F7 FD 3C
>>>> Aug 9 02:46:05.024: RADIUS: User-Name [1] 9 "limited"
>>>> Aug 9 02:46:05.024: RADIUS: User-Password [2] 18 *
>>>> Aug 9 02:46:05.024: RADIUS: NAS-Port [5] 6 514
>>>> Aug 9 02:46:05.024: RADIUS: NAS-Port-Id [87] 8 "tty514"
>>>> Aug 9 02:46:05.024: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
>>>> Aug 9 02:46:05.024: RADIUS: Calling-Station-Id [31] 12 "10.56.56.2"
>>>> Aug 9 02:46:05.024: RADIUS: NAS-IP-Address [4] 6 4.4.4.4
>>>> Aug 9 02:46:05.032: RADIUS: Received from id 1645/11 10.49.49.100:1645, Access-Accept, len 93
>>>> Aug 9 02:46:05.032: RADIUS: authenticator 15 61 33 0D 36 95 C6 BB - 70 D0 93 2F C1 E3 2C 9A
>>>> Aug 9 02:46:05.032: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
>>>> Aug 9 02:46:05.032: RADIUS: Vendor, Cisco [26] 35
>>>> Aug 9 02:46:05.032: RADIUS: Cisco AVpair [1] 29 "shell:cli-view-name=limited"
>>>> Aug 9 02:46:05.032: RADIUS: Service-Type [6] 6 NAS Prompt [7]
>>>> Aug 9 02:46:05.032: RADIUS: Class [25] 26
>>>> Aug 9 02:46:05.032: RADIUS: 43 41 43 53 3A 30 2F 35 33 30 33 36 2F 34 30 34 [CACS:0/53036/404]
>>>> Aug 9 02:46:05.032: RADIUS: 30 34 30 34 2F 35 31 34 [0404/514]
>>>> Aug 9 02:46:05.032: RADIUS(0000000E): Received from id 1645/11
>>>>
>>>> On Mon, Aug 8, 2011 at 7:29 PM, Tyson Scott <[email protected]> wrote:
>>>>
>>>>> Remove what you have in red. Do debug radius authentication. See why
>>>>> it is saying it is failing.
>>>>>
>>>>> On Mon, Aug 8, 2011 at 9:54 PM, Mark Senteza <[email protected]> wrote:
>>>>>
>>>>>> Hey all,
>>>>>>
>>>>>> I'm trying to configure CLI Views using RADIUS, but can't get it to
>>>>>> work. I authenticate fine, but the CLI View is never applied. What am I
>>>>>> doing wrong?
>>>>>>
>>>>>> My ACS User configuration is:
>>>>>>
>>>>>> Username: limited
>>>>>> password: cisco
>>>>>>
>>>>>> Cisco IOS/PIX 6.x RADIUS Attributes
>>>>>>
>>>>>> [x] [009/001] cisco-av-pair
>>>>>>     shell:cli-view-name=limited
>>>>>>
>>>>>> IETF RADIUS Attributes
>>>>>>
>>>>>> [x] Service-Type "NAS Prompt" selected from the drop-down listbox
>>>>>>
>>>>>> ******************
>>>>>>
>>>>>> My router configuration is:
>>>>>>
>>>>>> enable secret cisco
>>>>>>
>>>>>> aaa new-model
>>>>>>
>>>>>> aaa authentication login CONSOLE none
>>>>>> aaa authentication login VTY group radius
>>>>>>
>>>>>> aaa authorization exec CONSOLE none
>>>>>> aaa authorization exec VTY group radius
>>>>>>
>>>>>> *radius-server attribute 6 mandatory*
>>>>>> <- Is this a prerequisite command for CLI Views with Radius
>>>>>> radius-server host 10.49.49.100 auth-port 1645 acct-port 1646
>>>>>> radius-server key cisco
>>>>>> *radius-server vsa send authentication*
>>>>>> <- Is this a prerequisite command for CLI Views with Radius
>>>>>>
>>>>>> ip radius source-interface Loopback0
>>>>>>
>>>>>> line vty 0 4
>>>>>> password ciscoccie
>>>>>> authorization exec VTY
>>>>>> login authentication VTY
>>>>>>
>>>>>> parser view limited
>>>>>> secret 5 $1$i0td$AjMze0pO6bfxePI936yKr.
>>>>>> commands exec include show ip interface brief
>>>>>> commands exec include show ip interface
>>>>>> commands exec include show ip
>>>>>> commands exec include show clock
>>>>>> commands exec include show version
>>>>>> commands exec include show logging
>>>>>> commands exec include show
>>>>>>
>>>>>> *****************
>>>>>>
>>>>>> R4#show parser view
>>>>>> Current view is 'root'
>>>>>>
>>>>>> I'm not sure if this IOS version is supported, but I'm using 12.4(24)T
>>>>>> Advanced Enterprise Services
>>>>>>
>>>>>> R4#show version
>>>>>> Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(24)T, RELEASE SOFTWARE (fc1)
>>>>>> System image file is "flash:c2800nm-adventerprisek9-mz.124-24.T.bin"
>>>>>>
>>>>>> *****************
>>>>>> When I telnet from another router to R4 (cli view enabled router), the
>>>>>> cli view is not set on the user
>>>>>>
>>>>>> R2#telnet 10.56.56.4
>>>>>> Trying 10.56.56.4 ... Open
>>>>>>
>>>>>> User Access Verification
>>>>>>
>>>>>> Username: limited
>>>>>> Password:
>>>>>>
>>>>>> R4>en
>>>>>> Password:
>>>>>> R4#show parser view
>>>>>> No view is active ! Currently in Privilege Level Context
>>>>>>
>>>>>> _______________________________________________
>>>>>> For more information regarding industry leading CCIE Lab training,
>>>>>> please visit www.ipexpert.com
>>>>>>
>>>>>> Are you a CCNP or CCIE and looking for a job? Check out
>>>>>> www.PlatinumPlacement.com
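Added example, not part of the thread: the Access-Accept that the debug output above shows, built and decoded in Python so the RFC 2865 layout behind "radius-server vsa send authentication" is concrete. Attribute 26 (Vendor-Specific) wraps Vendor-Id 9 (Cisco) and a cisco-av-pair sub-TLV (vendor type 1) carrying shell:cli-view-name=limited; Service-Type is IETF attribute 6 with value 7 (NAS Prompt). The attribute values, their order and the shared secret 'cisco' are taken from the posted config and debug lines; the request authenticator is a constructed sample value, so the code does not try to reproduce the captured response authenticator. The decoder checks the response authenticator before reading any attribute (the check a NAS relies on to reject a forged or replayed reply), rejects malformed lengths, and ignores VSAs from other vendor IDs. Built this way the packet comes out at 93 bytes, the same "len 93" the debug reports.

```python
"""Build and decode a RADIUS Access-Accept carrying the Cisco VSA that
assigns an IOS CLI view (shell:cli-view-name=...), laid out per RFC 2865.

Added example, not code from the original thread. Attribute values mirror
the debug output posted there; REQUEST_AUTH below is a constructed sample.
"""
import hashlib
import hmac
import struct

CODE_ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_CLASS = 25
ATTR_VENDOR_SPECIFIC = 26
SERVICE_TYPE_NAS_PROMPT = 7
CISCO_VENDOR_ID = 9          # IANA enterprise number for Cisco
CISCO_AV_PAIR = 1            # vendor type of cisco-av-pair, ACS "[009/001]"


def tlv(atype, value):
    """RADIUS attribute: Type (1) | Length (1, header included) | Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for one RADIUS attribute")
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_av_pair(avpair):
    """Vendor-Specific (26): Vendor-Id 9 followed by a cisco-av-pair sub-TLV."""
    inner = tlv(CISCO_AV_PAIR, avpair.encode("ascii"))
    return tlv(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_access_accept(identifier, request_authenticator, secret, attributes):
    """Code | Identifier | Length | Response Authenticator | Attributes, where
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(body))
    response_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + response_auth + body


def verify_response_authenticator(packet, request_authenticator, secret):
    """A NAS must check this before trusting any attribute in the reply."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, response_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + body + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def parse_tlvs(data):
    """Walk Type/Length/Value triples; reject lengths that run past the buffer."""
    out, off = [], 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[off], data[off + 1]
        if alen < 2 or off + alen > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (alen, off))
        out.append((atype, data[off + 2:off + alen]))
        off += alen
    return out


def authorization_from_accept(packet, request_authenticator, secret):
    """Return {'cli_view', 'service_type'} from a verified Access-Accept,
    or None if the response authenticator does not check out."""
    if not verify_response_authenticator(packet, request_authenticator, secret):
        return None
    result = {"cli_view": None, "service_type": None}
    for atype, value in parse_tlvs(packet[20:]):
        if atype == ATTR_SERVICE_TYPE and len(value) == 4:
            result["service_type"] = struct.unpack("!I", value)[0]
        elif atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            if vendor_id != CISCO_VENDOR_ID:
                continue                         # other vendors' VSAs are ignored
            for vtype, vvalue in parse_tlvs(value[4:]):
                text = vvalue.decode("ascii", "replace")
                if vtype == CISCO_AV_PAIR and text.startswith("shell:cli-view-name="):
                    result["cli_view"] = text.split("=", 1)[1]
    return result


# Constructed sample exchange: attribute values and order from the thread's
# debug output, lab secret 'cisco' from the posted config, made-up request
# authenticator (id 11 matches "id 1645/11" in the debug).
SECRET = b"cisco"
REQUEST_AUTH = bytes(range(16))
ACCEPT = build_access_accept(11, REQUEST_AUTH, SECRET, [
    tlv(ATTR_FRAMED_IP_ADDRESS, bytes([255, 255, 255, 255])),
    cisco_av_pair("shell:cli-view-name=limited"),
    tlv(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_NAS_PROMPT)),
    tlv(ATTR_CLASS, b"CACS:0/53036/4040404/514"),
])

if __name__ == "__main__":
    print(len(ACCEPT), authorization_from_accept(ACCEPT, REQUEST_AUTH, SECRET))
```

Run it and the decoder hands back cli_view 'limited' and service_type 7 for the 93-byte packet; flip any byte of the reply, or use a different secret, and the authenticator check fails and nothing is applied. That is also why, in the thread, the view only appears once both the NAS accepts the VSA and the ACS actually sends it.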
