In most cases only the VSA send command is required. All mandatory attributes are then sent over by the NAS (at least that is my observation).
Regards,
Piotr

2011/8/9 Mark Senteza <[email protected]>

> Piotr,
>
> in that thread you stated what features require you to run the "radius-server send vsa authentication" command, but not the additional attributes that you need to be configured along with it. It's those particular attributes as configured under "radius-server attributes" that I was asking about. Do we need to configure any particular ones, say for example in the case of NAC, or is the "radius-server send vsa authentication" all that needs to be configured?
>
> Mark
>
> On Tue, Aug 9, 2011 at 11:19 AM, Piotr Matusiak <[email protected]> wrote:
>
>> Mark,
>>
>> I already discussed the same topic with kings in the post dated at 11.07. Try to find it in the archives.
>>
>> Regards,
>> Piotr
>>
>> 2011/8/9 Mark Senteza <[email protected]>
>>
>>> Good to know, and thanks a lot. One more thing, when configuring NAC what attributes would the radius NAS need to send to the ACS when using the "radius-server vsa send authentication" command?
>>>
>>> I've also seen it configured with 802.1x authentication, but without any attributes set up, so I was well confused about the requirement for the command.
>>>
>>> Mark
>>>
>>> On Tue, Aug 9, 2011 at 8:13 AM, Tyson Scott <[email protected]> wrote:
>>>
>>>> You only need VSA when doing Network Profiling, aka NAC
>>>>
>>>> On Mon, Aug 8, 2011 at 10:52 PM, Mark Senteza <[email protected]> wrote:
>>>>
>>>>> Thanks a huge lot Tyson. That worked a treat.
>>>>>
>>>>> So what is the purpose of those two command lines?
>>>>>
>>>>> R2>telnet 4.4.4.4
>>>>> Trying 4.4.4.4 ... Open
>>>>>
>>>>> User Access Verification
>>>>>
>>>>> Username: limited
>>>>> Password:
>>>>>
>>>>> R4>show parser view
>>>>> Current view is 'limited'
>>>>>
>>>>> **************
>>>>>
>>>>> Debug output:
>>>>>
>>>>> Aug 9 02:46:00.892: RADIUS/ENCODE(0000000E): ask "Username: "
>>>>> Aug 9 02:46:00.892: RADIUS/ENCODE(0000000E): send packet; GET_USER
>>>>> Aug 9 02:46:03.076: RADIUS/ENCODE(0000000E): ask "Password: "
>>>>> Aug 9 02:46:03.076: RADIUS/ENCODE(0000000E): send packet; GET_PASSWORD
>>>>> Aug 9 02:46:05.024: RADIUS/ENCODE(0000000E):Orig. component type = EXEC
>>>>> Aug 9 02:46:05.024: RADIUS: AAA Unsupported Attr: interface [175] 6
>>>>> Aug 9 02:46:05.024: RADIUS: 74 74 79 35 [tty5]
>>>>> Aug 9 02:46:05.024: RADIUS/ENCODE(0000000E): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
>>>>> Aug 9 02:46:05.024: RADIUS(0000000E): Config NAS IP: 4.4.4.4
>>>>> Aug 9 02:46:05.024: RADIUS/ENCODE(0000000E): acct_session_id: 11
>>>>> Aug 9 02:46:05.024: RADIUS(0000000E): sending
>>>>> Aug 9 02:46:05.024: RADIUS(0000000E): Send Access-Request to 10.49.49.100:1645 id 1645/11, len 85
>>>>> Aug 9 02:46:05.024: RADIUS: authenticator E2 EE D2 67 09 09 13 47 - FF DD 10 08 35 F7 FD 3C
>>>>> Aug 9 02:46:05.024: RADIUS: User-Name [1] 9 "limited"
>>>>> Aug 9 02:46:05.024: RADIUS: User-Password [2] 18 *
>>>>> Aug 9 02:46:05.024: RADIUS: NAS-Port [5] 6 514
>>>>> Aug 9 02:46:05.024: RADIUS: NAS-Port-Id [87] 8 "tty514"
>>>>> Aug 9 02:46:05.024: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
>>>>> Aug 9 02:46:05.024: RADIUS: Calling-Station-Id [31] 12 "10.56.56.2"
>>>>> Aug 9 02:46:05.024: RADIUS: NAS-IP-Address [4] 6 4.4.4.4
>>>>> Aug 9 02:46:05.032: RADIUS: Received from id 1645/11 10.49.49.100:1645, Access-Accept, len 93
>>>>> Aug 9 02:46:05.032: RADIUS: authenticator 15 61 33 0D 36 95 C6 BB - 70 D0 93 2F C1 E3 2C 9A
>>>>> Aug 9 02:46:05.032: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
>>>>> Aug 9 02:46:05.032: RADIUS: Vendor, Cisco [26] 35
>>>>> Aug 9 02:46:05.032: RADIUS: Cisco AVpair [1] 29 "shell:cli-view-name=limited"
>>>>> Aug 9 02:46:05.032: RADIUS: Service-Type [6] 6 NAS Prompt [7]
>>>>> Aug 9 02:46:05.032: RADIUS: Class [25] 26
>>>>> Aug 9 02:46:05.032: RADIUS: 43 41 43 53 3A 30 2F 35 33 30 33 36 2F 34 30 34 [CACS:0/53036/404]
>>>>> Aug 9 02:46:05.032: RADIUS: 30 34 30 34 2F 35 31 34 [0404/514]
>>>>> Aug 9 02:46:05.032: RADIUS(0000000E): Received from id 1645/11
>>>>>
>>>>> On Mon, Aug 8, 2011 at 7:29 PM, Tyson Scott <[email protected]> wrote:
>>>>>
>>>>>> Remove what you have in red. Do debug radius authentication. See why it is saying it is failing.
>>>>>>
>>>>>> On Mon, Aug 8, 2011 at 9:54 PM, Mark Senteza <[email protected]> wrote:
>>>>>>
>>>>>>> Hey all,
>>>>>>>
>>>>>>> I'm trying to configure CLI Views using RADIUS, but can't get it to work. I authenticate fine, but the CLI View is never applied. What am I doing wrong?
>>>>>>>
>>>>>>> My ACS User configuration is:
>>>>>>>
>>>>>>> Username: limited
>>>>>>> password: cisco
>>>>>>>
>>>>>>> Cisco IOS/PIX 6.x RADIUS Attributes
>>>>>>>
>>>>>>> [x] [009/001] cisco-av-pair
>>>>>>> shell:cli-view-name=limited
>>>>>>>
>>>>>>> IETF RADIUS Attributes
>>>>>>>
>>>>>>> [x] Service-Type "NAS Prompt" selected from the drop-down listbox
>>>>>>>
>>>>>>> ******************
>>>>>>>
>>>>>>> My router configuration is:
>>>>>>>
>>>>>>> enable secret cisco
>>>>>>>
>>>>>>> aaa new-model
>>>>>>>
>>>>>>> aaa authentication login CONSOLE none
>>>>>>> aaa authentication login VTY group radius
>>>>>>>
>>>>>>> aaa authorization exec CONSOLE none
>>>>>>> aaa authorization exec VTY group radius
>>>>>>>
>>>>>>> *radius-server attribute 6 mandatory*
>>>>>>> <- Is this a prerequisite command for CLI Views with Radius
>>>>>>> radius-server host 10.49.49.100 auth-port 1645 acct-port 1646
>>>>>>> radius-server key cisco
>>>>>>> *radius-server vsa send authentication*
>>>>>>> <- Is this a prerequisite command for CLI Views with Radius
>>>>>>>
>>>>>>> ip radius source-interface Loopback0
>>>>>>>
>>>>>>> line vty 0 4
>>>>>>> password ciscoccie
>>>>>>> authorization exec VTY
>>>>>>> login authentication VTY
>>>>>>>
>>>>>>> parser view limited
>>>>>>> secret 5 $1$i0td$AjMze0pO6bfxePI936yKr.
>>>>>>> commands exec include show ip interface brief
>>>>>>> commands exec include show ip interface
>>>>>>> commands exec include show ip
>>>>>>> commands exec include show clock
>>>>>>> commands exec include show version
>>>>>>> commands exec include show logging
>>>>>>> commands exec include show
>>>>>>>
>>>>>>> *****************
>>>>>>>
>>>>>>> R4#show parser view
>>>>>>> Current view is 'root'
>>>>>>>
>>>>>>> I'm not sure if this IOS version is supported, but I'm using 12.4(24)T Advanced Enterprise Services
>>>>>>>
>>>>>>> R4#show version
>>>>>>> Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(24)T, RELEASE SOFTWARE (fc1)
>>>>>>> System image file is "flash:c2800nm-adventerprisek9-mz.124-24.T.bin"
>>>>>>>
>>>>>>> *****************
>>>>>>> When I telnet from another router to R4 (cli view enabled router), the cli view is not set on the user
>>>>>>>
>>>>>>> R2#telnet 10.56.56.4
>>>>>>> Trying 10.56.56.4 ... Open
>>>>>>>
>>>>>>> User Access Verification
>>>>>>>
>>>>>>> Username: limited
>>>>>>> Password:
>>>>>>>
>>>>>>> R4>en
>>>>>>> Password:
>>>>>>> R4#show parser view
>>>>>>> No view is active ! Currently in Privilege Level Context
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
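The thread's working case is recognisable in the `debug radius authentication` output: the Access-Accept carries a Cisco VSA (type 26) whose AVpair is `shell:cli-view-name=limited`, alongside `Service-Type NAS Prompt`. The following is an added example, not code from any poster in the thread, that parses that debug output into per-session request/response attribute lists and reports whether a CLI view was actually pushed by the server. The first sample is trimmed from the debug lines quoted above; the second (session `0000000F`, an Access-Accept with no AVpair) is constructed to show the failing shape. The line formats assumed by the regular expressions are those visible in the quoted output.

```python
"""Parse Cisco IOS 'debug radius authentication' output and report whether an
Access-Accept carried a CLI view assignment (cisco-av-pair shell:cli-view-name).
Added example for this thread; not code from any of the posters."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    code: str                     # Access-Request / Access-Accept / Access-Reject ...
    ident: str                    # RADIUS identifier as printed, e.g. "1645/11"
    attrs: List[Tuple[str, int, str]] = field(default_factory=list)  # (name, type, value)


@dataclass
class Exchange:
    session: str                  # the RADIUS(0000000E) session id
    request: Optional[Packet] = None
    response: Optional[Packet] = None


# Line shapes assumed from the debug output quoted in the thread.
SEND_RE = re.compile(r"RADIUS\(([0-9A-Fa-f]+)\): Send (Access-Request) to \S+ id (\S+), len \d+")
RECV_RE = re.compile(r"RADIUS: Received from id (\S+) \S+, (Access-\w+), len \d+")
ATTR_RE = re.compile(r"RADIUS:\s+(.+?)\s+\[(\d+)\]\s+(\d+)\s*(.*)$")   # "Name [type] len value"
VIEW_RE = re.compile(r'^"?shell:cli-view-name=([^"]+)"?$')


def parse_debug(lines) -> Dict[str, Exchange]:
    """Group attribute lines under the Send/Received header they follow."""
    exchanges: Dict[str, Exchange] = {}
    current: Optional[Packet] = None
    session: Optional[str] = None
    for line in lines:
        if "RADIUS/ENCODE(" in line:          # encoding of a new request begins
            current = None
            continue
        m = SEND_RE.search(line)
        if m:
            session = m.group(1)
            current = Packet(m.group(2), m.group(3))
            exchanges.setdefault(session, Exchange(session)).request = current
            continue
        m = RECV_RE.search(line)
        if m and session is not None:
            current = Packet(m.group(2), m.group(1))
            exchanges[session].response = current
            continue
        m = ATTR_RE.search(line)               # hex dumps / authenticators do not match
        if m and current is not None:
            current.attrs.append((m.group(1), int(m.group(2)), m.group(4).strip()))
    return exchanges


def cli_view(ex: Exchange) -> Optional[str]:
    """Name of the view pushed via the Cisco AVpair in the Access-Accept, or None."""
    if ex.response is None or ex.response.code != "Access-Accept":
        return None
    for name, _atype, value in ex.response.attrs:
        m = VIEW_RE.match(value)
        if name == "Cisco AVpair" and m:
            return m.group(1)
    return None


def service_type(ex: Exchange) -> Optional[str]:
    """Service-Type (attribute 6) text from the Access-Accept, e.g. 'NAS Prompt'."""
    if ex.response is None:
        return None
    for _name, atype, value in ex.response.attrs:
        if atype == 6:
            return value.split(" [")[0]
    return None


def diagnose(ex: Exchange) -> str:
    if ex.response is None:
        return "no response received from the server"
    if ex.response.code != "Access-Accept":
        return f"{ex.response.code}: login denied by the server"
    view = cli_view(ex)
    if view is None:
        return ("Access-Accept without shell:cli-view-name: check the cisco-av-pair on the "
                "server and that the NAS sends VSAs (radius-server vsa send authentication)")
    return f"view '{view}' assigned (Service-Type {service_type(ex)})"


# Trimmed from the debug output quoted in the thread (working case).
SAMPLE_OK = """\
Aug 9 02:46:05.024: RADIUS/ENCODE(0000000E): acct_session_id: 11
Aug 9 02:46:05.024: RADIUS(0000000E): Send Access-Request to 10.49.49.100:1645 id 1645/11, len 85
Aug 9 02:46:05.024: RADIUS: authenticator E2 EE D2 67 09 09 13 47 - FF DD 10 08 35 F7 FD 3C
Aug 9 02:46:05.024: RADIUS: User-Name [1] 9 "limited"
Aug 9 02:46:05.024: RADIUS: User-Password [2] 18 *
Aug 9 02:46:05.024: RADIUS: NAS-Port [5] 6 514
Aug 9 02:46:05.024: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Aug 9 02:46:05.024: RADIUS: NAS-IP-Address [4] 6 4.4.4.4
Aug 9 02:46:05.032: RADIUS: Received from id 1645/11 10.49.49.100:1645, Access-Accept, len 93
Aug 9 02:46:05.032: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
Aug 9 02:46:05.032: RADIUS: Vendor, Cisco [26] 35
Aug 9 02:46:05.032: RADIUS: Cisco AVpair [1] 29 "shell:cli-view-name=limited"
Aug 9 02:46:05.032: RADIUS: Service-Type [6] 6 NAS Prompt [7]
Aug 9 02:46:05.032: RADIUS: Class [25] 26
Aug 9 02:46:05.032: RADIUS: 43 41 43 53 3A 30 2F 35 33 30 33 36 2F 34 30 34 [CACS:0/53036/404]
Aug 9 02:46:05.032: RADIUS(0000000E): Received from id 1645/11
"""

# Constructed sample (not from the thread): Accept arrives but carries no view AVpair.
SAMPLE_NO_VIEW = """\
Aug 9 02:50:01.000: RADIUS(0000000F): Send Access-Request to 10.49.49.100:1645 id 1645/12, len 85
Aug 9 02:50:01.000: RADIUS: User-Name [1] 9 "limited"
Aug 9 02:50:01.008: RADIUS: Received from id 1645/12 10.49.49.100:1645, Access-Accept, len 32
Aug 9 02:50:01.008: RADIUS: Service-Type [6] 6 NAS Prompt [7]
Aug 9 02:50:01.008: RADIUS(0000000F): Received from id 1645/12
"""

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_NO_VIEW):
        for sid, ex in parse_debug(sample.splitlines()).items():
            print(sid, diagnose(ex))
```

Paste the captured debug text in place of the samples to run it against a real session; the parser keys on the `Send Access-Request` and `Received from id` header lines, so a capture covering several logins yields one `Exchange` per session id.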
