OK. Thanks for that information.

On Tue, Aug 9, 2011 at 12:23 PM, Piotr Matusiak <[email protected]> wrote:

> In most cases only the VSA send command is required. All mandatory
> attributes are then sent over by the NAS (at least that is my observation).
>
> Regards,
> Piotr
>
> 2011/8/9 Mark Senteza <[email protected]>
>
>> Piotr,
>>
>> In that thread you stated what features require you to run the
>> "radius-server send vsa authentication" command, but not the additional
>> attributes that you need to be configured along with it. It's those
>> particular attributes as configured under "radius-server attributes" that I
>> was asking about. Do we need to configure any particular ones, say for
>> example in the case of NAC, or is the "radius-server send vsa
>> authentication" all that needs to be configured?
>>
>> Mark
>>
>> On Tue, Aug 9, 2011 at 11:19 AM, Piotr Matusiak <[email protected]> wrote:
>>
>>> Mark,
>>>
>>> I already discussed the same topic with kings in the post dated 11.07.
>>> Try to find it in the archives.
>>>
>>> Regards,
>>> Piotr
>>>
>>> 2011/8/9 Mark Senteza <[email protected]>
>>>
>>>> Good to know, and thanks a lot. One more thing: when configuring NAC, what
>>>> attributes would the RADIUS NAS need to send to the ACS when using the
>>>> "radius-server vsa send authentication" command?
>>>>
>>>> I've also seen it configured with 802.1x authentication, but without any
>>>> attributes set up, so I was well confused about the requirement for the
>>>> command.
>>>>
>>>> Mark
>>>>
>>>> On Tue, Aug 9, 2011 at 8:13 AM, Tyson Scott <[email protected]> wrote:
>>>>
>>>>> You only need VSA when doing Network Profiling, aka NAC.
>>>>>
>>>>> On Mon, Aug 8, 2011 at 10:52 PM, Mark Senteza <[email protected]> wrote:
>>>>>
>>>>>> Thanks a huge lot, Tyson. That worked a treat.
>>>>>>
>>>>>> So what is the purpose of those two command lines?
>>>>>>
>>>>>> R2>telnet 4.4.4.4
>>>>>> Trying 4.4.4.4 ... Open
>>>>>>
>>>>>> User Access Verification
>>>>>>
>>>>>> Username: limited
>>>>>> Password:
>>>>>>
>>>>>> R4>show parser view
>>>>>> Current view is 'limited'
>>>>>>
>>>>>> **************
>>>>>>
>>>>>> Debug output:
>>>>>>
>>>>>> Aug 9 02:46:00.892: RADIUS/ENCODE(0000000E): ask "Username: "
>>>>>> Aug 9 02:46:00.892: RADIUS/ENCODE(0000000E): send packet; GET_USER
>>>>>> Aug 9 02:46:03.076: RADIUS/ENCODE(0000000E): ask "Password: "
>>>>>> Aug 9 02:46:03.076: RADIUS/ENCODE(0000000E): send packet; GET_PASSWORD
>>>>>> Aug 9 02:46:05.024: RADIUS/ENCODE(0000000E):Orig. component type = EXEC
>>>>>> Aug 9 02:46:05.024: RADIUS: AAA Unsupported Attr: interface [175] 6
>>>>>> Aug 9 02:46:05.024: RADIUS: 74 74 79 35 [tty5]
>>>>>> Aug 9 02:46:05.024: RADIUS/ENCODE(0000000E): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
>>>>>> Aug 9 02:46:05.024: RADIUS(0000000E): Config NAS IP: 4.4.4.4
>>>>>> Aug 9 02:46:05.024: RADIUS/ENCODE(0000000E): acct_session_id: 11
>>>>>> Aug 9 02:46:05.024: RADIUS(0000000E): sending
>>>>>> Aug 9 02:46:05.024: RADIUS(0000000E): Send Access-Request to 10.49.49.100:1645 id 1645/11, len 85
>>>>>> Aug 9 02:46:05.024: RADIUS: authenticator E2 EE D2 67 09 09 13 47 - FF DD 10 08 35 F7 FD 3C
>>>>>> Aug 9 02:46:05.024: RADIUS: User-Name [1] 9 "limited"
>>>>>> Aug 9 02:46:05.024: RADIUS: User-Password [2] 18 *
>>>>>> Aug 9 02:46:05.024: RADIUS: NAS-Port [5] 6 514
>>>>>> Aug 9 02:46:05.024: RADIUS: NAS-Port-Id [87] 8 "tty514"
>>>>>> Aug 9 02:46:05.024: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
>>>>>> Aug 9 02:46:05.024: RADIUS: Calling-Station-Id [31] 12 "10.56.56.2"
>>>>>> Aug 9 02:46:05.024: RADIUS: NAS-IP-Address [4] 6 4.4.4.4
>>>>>> Aug 9 02:46:05.032: RADIUS: Received from id 1645/11 10.49.49.100:1645, Access-Accept, len 93
>>>>>> Aug 9 02:46:05.032: RADIUS: authenticator 15 61 33 0D 36 95 C6 BB - 70 D0 93 2F C1 E3 2C 9A
>>>>>> Aug 9 02:46:05.032: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
>>>>>> Aug 9 02:46:05.032: RADIUS: Vendor, Cisco [26] 35
>>>>>> Aug 9 02:46:05.032: RADIUS: Cisco AVpair [1] 29 "shell:cli-view-name=limited"
>>>>>> Aug 9 02:46:05.032: RADIUS: Service-Type [6] 6 NAS Prompt [7]
>>>>>> Aug 9 02:46:05.032: RADIUS: Class [25] 26
>>>>>> Aug 9 02:46:05.032: RADIUS: 43 41 43 53 3A 30 2F 35 33 30 33 36 2F 34 30 34 [CACS:0/53036/404]
>>>>>> Aug 9 02:46:05.032: RADIUS: 30 34 30 34 2F 35 31 34 [0404/514]
>>>>>> Aug 9 02:46:05.032: RADIUS(0000000E): Received from id 1645/11
>>>>>>
>>>>>> On Mon, Aug 8, 2011 at 7:29 PM, Tyson Scott <[email protected]> wrote:
>>>>>>
>>>>>>> Remove what you have in red. Do debug radius authentication. See
>>>>>>> why it is saying it is failing.
>>>>>>>
>>>>>>> On Mon, Aug 8, 2011 at 9:54 PM, Mark Senteza <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hey all,
>>>>>>>>
>>>>>>>> I'm trying to configure CLI Views using RADIUS, but can't get it to
>>>>>>>> work. I authenticate fine, but the CLI View is never applied. What am I
>>>>>>>> doing wrong?
>>>>>>>>
>>>>>>>> My ACS User configuration is:
>>>>>>>>
>>>>>>>> Username: limited
>>>>>>>> Password: cisco
>>>>>>>>
>>>>>>>> Cisco IOS/PIX 6.x RADIUS Attributes
>>>>>>>>
>>>>>>>> [x] [009/001] cisco-av-pair
>>>>>>>> shell:cli-view-name=limited
>>>>>>>>
>>>>>>>> IETF RADIUS Attributes
>>>>>>>>
>>>>>>>> [x] Service-Type "NAS Prompt" selected from the drop-down listbox
>>>>>>>>
>>>>>>>> ******************
>>>>>>>>
>>>>>>>> My router configuration is:
>>>>>>>>
>>>>>>>> enable secret cisco
>>>>>>>>
>>>>>>>> aaa new-model
>>>>>>>>
>>>>>>>> aaa authentication login CONSOLE none
>>>>>>>> aaa authentication login VTY group radius
>>>>>>>>
>>>>>>>> aaa authorization exec CONSOLE none
>>>>>>>> aaa authorization exec VTY group radius
>>>>>>>>
>>>>>>>> *radius-server attribute 6 mandatory*
>>>>>>>> <- Is this a prerequisite command for CLI Views with RADIUS?
>>>>>>>> radius-server host 10.49.49.100 auth-port 1645 acct-port 1646
>>>>>>>> radius-server key cisco
>>>>>>>> *radius-server vsa send authentication*
>>>>>>>> <- Is this a prerequisite command for CLI Views with RADIUS?
>>>>>>>>
>>>>>>>> ip radius source-interface Loopback0
>>>>>>>>
>>>>>>>> line vty 0 4
>>>>>>>> password ciscoccie
>>>>>>>> authorization exec VTY
>>>>>>>> login authentication VTY
>>>>>>>>
>>>>>>>> parser view limited
>>>>>>>> secret 5 $1$i0td$AjMze0pO6bfxePI936yKr.
>>>>>>>> commands exec include show ip interface brief
>>>>>>>> commands exec include show ip interface
>>>>>>>> commands exec include show ip
>>>>>>>> commands exec include show clock
>>>>>>>> commands exec include show version
>>>>>>>> commands exec include show logging
>>>>>>>> commands exec include show
>>>>>>>>
>>>>>>>> *****************
>>>>>>>>
>>>>>>>> R4#show parser view
>>>>>>>> Current view is 'root'
>>>>>>>>
>>>>>>>> I'm not sure if this IOS version is supported, but I'm using
>>>>>>>> 12.4(24)T Advanced Enterprise Services.
>>>>>>>>
>>>>>>>> R4#show version
>>>>>>>> Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(24)T, RELEASE SOFTWARE (fc1)
>>>>>>>> System image file is "flash:c2800nm-adventerprisek9-mz.124-24.T.bin"
>>>>>>>>
>>>>>>>> *****************
>>>>>>>> When I telnet from another router to R4 (the CLI-view-enabled router),
>>>>>>>> the CLI view is not set on the user:
>>>>>>>>
>>>>>>>> R2#telnet 10.56.56.4
>>>>>>>> Trying 10.56.56.4 ... Open
>>>>>>>>
>>>>>>>> User Access Verification
>>>>>>>>
>>>>>>>> Username: limited
>>>>>>>> Password:
>>>>>>>>
>>>>>>>> R4>en
>>>>>>>> Password:
>>>>>>>> R4#show parser view
>>>>>>>> No view is active ! Currently in Privilege Level Context
>>>>>>>>
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
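The Access-Accept in the debug above is what the router acts on: a Cisco Vendor-Specific attribute (type 26, vendor id 9, sub-type 1) carrying shell:cli-view-name=limited, plus Service-Type NAS-Prompt, Framed-IP-Address and Class. The following is an added example, not part of the thread or of any Cisco or ACS code, showing what a NAS does with that reply: it checks the Response Authenticator against the shared secret (so a reply from anything but the real server is rejected before any authorization is applied), walks the attribute TLVs with bounds checks, and extracts the AV-pair that selects the view. The packet is constructed locally from the attribute values in the debug; the shared secret "cisco" is the one in Mark's config and the Request Authenticator is the one in the Access-Request debug line, but the packet is built here rather than captured, so its Response Authenticator is not claimed to equal the one shown in the thread.

```python
"""Decode a RADIUS Access-Accept the way a NAS does: verify the Response
Authenticator with the shared secret, walk the attribute TLVs, and pull out
the Cisco AV-pairs (vendor 9, sub-type 1) that carry shell:cli-view-name.
Constructed example; the packet is built locally, not captured from a lab."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_CLASS = 25
ATTR_VENDOR_SPECIFIC = 26
VENDOR_CISCO = 9            # IANA enterprise number for Cisco
CISCO_AVPAIR = 1            # cisco-avpair sub-attribute under vendor 9
SERVICE_TYPE_NAMES = {1: "Login", 2: "Framed", 6: "Administrative", 7: "NAS-Prompt"}


def encode_attr(atype, value):
    """One RFC 2865 TLV: type, total length (including the 2 header bytes), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text):
    """Attribute 26 wrapping Cisco's vendor id and a sub-type 1 string."""
    sub = encode_attr(CISCO_AVPAIR, text.encode())
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + sub)


def build_access_accept(ident, request_auth, secret, attrs):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_attrs(data):
    """Walk a run of TLVs, rejecting any length that would read past the buffer."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def verify_response(packet, request_auth, secret):
    """NAS side: recompute the Response Authenticator; False means wrong secret or forged reply."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad packet length")
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def decode_access_accept(packet, request_auth, secret):
    """Return the authorization data a NAS would act on; raise if the reply is not genuine."""
    if not verify_response(packet, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    if packet[0] != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept (code %d)" % packet[0])
    out = {"service_type": None, "framed_ip": None, "class": None, "cisco_avpairs": []}
    for atype, value in parse_attrs(packet[20:]):
        if atype == ATTR_VENDOR_SPECIFIC:
            if len(value) < 4 or struct.unpack("!I", value[:4])[0] != VENDOR_CISCO:
                continue                      # another vendor's VSA: ignore it
            for sub_type, sub_value in parse_attrs(value[4:]):
                if sub_type == CISCO_AVPAIR:
                    out["cisco_avpairs"].append(sub_value.decode("ascii", "replace"))
        elif atype == ATTR_SERVICE_TYPE and len(value) == 4:
            code = struct.unpack("!I", value)[0]
            out["service_type"] = SERVICE_TYPE_NAMES.get(code, "Unknown(%d)" % code)
        elif atype == ATTR_FRAMED_IP_ADDRESS and len(value) == 4:
            out["framed_ip"] = ".".join(str(b) for b in value)
        elif atype == ATTR_CLASS:
            out["class"] = value.decode("ascii", "replace")
    return out


def cli_view_name(avpairs):
    """The view a Cisco NAS applies: the value of shell:cli-view-name, if any."""
    for pair in avpairs:
        key, _, val = pair.partition("=")
        if key == "shell:cli-view-name":
            return val
    return None


# Constructed reply with the attribute values from the thread's debug (id 11).
# Secret and Request Authenticator are taken from the thread's config/debug,
# but the packet is built here, so its Response Authenticator is our own.
SECRET = b"cisco"
REQUEST_AUTH = bytes.fromhex("E2EED26709091347FFDD100835F7FD3C")
ACCEPT = build_access_accept(11, REQUEST_AUTH, SECRET, [
    encode_attr(ATTR_FRAMED_IP_ADDRESS, bytes([255, 255, 255, 255])),
    cisco_avpair("shell:cli-view-name=limited"),
    encode_attr(ATTR_SERVICE_TYPE, struct.pack("!I", 7)),
    encode_attr(ATTR_CLASS, b"CACS:0/53036/4040404/514"),
])

if __name__ == "__main__":
    info = decode_access_accept(ACCEPT, REQUEST_AUTH, SECRET)
    print(len(ACCEPT), info, "view:", cli_view_name(info["cisco_avpairs"]))
```

The encoded packet comes out at 93 bytes, the same length the debug reports (20-byte header plus 6 + 35 + 6 + 26 for the four attributes), and the Cisco VSA is 35 bytes with a 29-byte sub-attribute, matching "Vendor, Cisco [26] 35" and "Cisco AVpair [1] 29". Decoding with a wrong shared secret fails the authenticator check before any attribute is looked at, which is the order a NAS should use: an unauthenticated reply must never be allowed to select a view or a privilege level.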
