Mark, for NAC L3 and L2 IP, this command needs to be configured to send the
"ip_admission" attribute, else the request won't fall into the NAP policy.
In the CCIE scope of features, I see NAC is the only feature that needs this
command.

But as Piotr said, have it configured for other features where you see VSAs
are used.

With regards
Kings

On Wed, Aug 10, 2011 at 12:53 AM, Piotr Matusiak <[email protected]> wrote:

> In most cases only VSA send command is required. All mandatory attributes
> are then sent over by the NAS (at least it is my observation).
>
>
> Regards,
> Piotr
>
>
> 2011/8/9 Mark Senteza <[email protected]>
>
>> Piotr,
>>
>> in that thread you stated what features require you to run the
>> "radius-server send vsa authentication" command, but not the additional
>> attributes that you need to be configured along with it. It's those
>> particular attributes as configured under "radius-server attributes" that I
>> was asking about. Do we need to configure any particular ones, say for
>> example in the case of NAC, or is the "radius-server send vsa
>> authentication" all that needs to be configured?
>>
>> Mark
>>
>>
>> On Tue, Aug 9, 2011 at 11:19 AM, Piotr Matusiak <[email protected]> wrote:
>>
>>> Mark,
>>>
>>> I already discussed the same topic with kings in the post dated at 11.07.
>>> Try to find it in the archives.
>>>
>>> Regards,
>>> Piotr
>>>
>>>
>>>
>>> 2011/8/9 Mark Senteza <[email protected]>
>>>
>>>> Good to know, and thanks a lot. One more thing, when configuring NAC what
>>>> attributes would the radius NAS need to send to the ACS when using the
>>>> "radius-server vsa send authentication" command?
>>>>
>>>> I've also seen it configured with 802.1x authentication, but without any
>>>> attributes set up, so I was well confused about the requirement for the
>>>> command.
>>>>
>>>> Mark
>>>>
>>>> On Tue, Aug 9, 2011 at 8:13 AM, Tyson Scott <
>>>> [email protected]> wrote:
>>>>
>>>>> You only need VSA when doing Network Profiling, aka NAC
>>>>>
>>>>>
>>>>> On Mon, Aug 8, 2011 at 10:52 PM, Mark Senteza <[email protected]
>>>>> > wrote:
>>>>>
>>>>>> Thanks a huge lot Tyson. That worked a treat.
>>>>>>
>>>>>> So what is the purpose of those two command lines ?
>>>>>>
>>>>>> R2>telnet 4.4.4.4
>>>>>> Trying 4.4.4.4 ... Open
>>>>>>
>>>>>>
>>>>>>
>>>>>> User Access Verification
>>>>>>
>>>>>> Username: limited
>>>>>> Password:
>>>>>>
>>>>>> R4>show parser view
>>>>>> Current view is 'limited'
>>>>>>
>>>>>> **************
>>>>>>
>>>>>> Debug output:
>>>>>>
>>>>>>
>>>>>> Aug  9 02:46:00.892: RADIUS/ENCODE(0000000E): ask "Username: "
>>>>>> Aug  9 02:46:00.892: RADIUS/ENCODE(0000000E): send packet; GET_USER
>>>>>> Aug  9 02:46:03.076: RADIUS/ENCODE(0000000E): ask "Password: "
>>>>>> Aug  9 02:46:03.076: RADIUS/ENCODE(0000000E): send packet; GET_PASSWORD
>>>>>> Aug  9 02:46:05.024: RADIUS/ENCODE(0000000E):Orig. component type = EXEC
>>>>>> Aug  9 02:46:05.024: RADIUS:  AAA Unsupported Attr: interface         [175] 6
>>>>>> Aug  9 02:46:05.024: RADIUS:   74 74 79 35                            [tty5]
>>>>>> Aug  9 02:46:05.024: RADIUS/ENCODE(0000000E): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
>>>>>> Aug  9 02:46:05.024: RADIUS(0000000E): Config NAS IP: 4.4.4.4
>>>>>> Aug  9 02:46:05.024: RADIUS/ENCODE(0000000E): acct_session_id: 11
>>>>>> Aug  9 02:46:05.024: RADIUS(0000000E): sending
>>>>>> Aug  9 02:46:05.024: RADIUS(0000000E): Send Access-Request to 10.49.49.100:1645 id 1645/11, len 85
>>>>>> Aug  9 02:46:05.024: RADIUS:  authenticator E2 EE D2 67 09 09 13 47 - FF DD 10 08 35 F7 FD 3C
>>>>>> Aug  9 02:46:05.024: RADIUS:  User-Name           [1]   9   "limited"
>>>>>> Aug  9 02:46:05.024: RADIUS:  User-Password       [2]   18  *
>>>>>> Aug  9 02:46:05.024: RADIUS:  NAS-Port            [5]   6   514
>>>>>> Aug  9 02:46:05.024: RADIUS:  NAS-Port-Id         [87]  8   "tty514"
>>>>>> Aug  9 02:46:05.024: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
>>>>>> Aug  9 02:46:05.024: RADIUS:  Calling-Station-Id  [31]  12  "10.56.56.2"
>>>>>> Aug  9 02:46:05.024: RADIUS:  NAS-IP-Address      [4]   6   4.4.4.4
>>>>>> Aug  9 02:46:05.032: RADIUS: Received from id 1645/11 10.49.49.100:1645, Access-Accept, len 93
>>>>>> Aug  9 02:46:05.032: RADIUS:  authenticator 15 61 33 0D 36 95 C6 BB - 70 D0 93 2F C1 E3 2C 9A
>>>>>> Aug  9 02:46:05.032: RADIUS:  Framed-IP-Address   [8]   6   255.255.255.255
>>>>>> Aug  9 02:46:05.032: RADIUS:  Vendor, Cisco       [26]  35
>>>>>> Aug  9 02:46:05.032: RADIUS:   Cisco AVpair       [1]   29  "shell:cli-view-name=limited"
>>>>>> Aug  9 02:46:05.032: RADIUS:  Service-Type        [6]   6   NAS Prompt                [7]
>>>>>> Aug  9 02:46:05.032: RADIUS:  Class               [25]  26
>>>>>> Aug  9 02:46:05.032: RADIUS:   43 41 43 53 3A 30 2F 35 33 30 33 36 2F 34 30 34  [CACS:0/53036/404]
>>>>>> Aug  9 02:46:05.032: RADIUS:   30 34 30 34 2F 35 31 34                          [0404/514]
>>>>>> Aug  9 02:46:05.032: RADIUS(0000000E): Received from id 1645/11
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Mon, Aug 8, 2011 at 7:29 PM, Tyson Scott <
>>>>>> [email protected]> wrote:
>>>>>>
>>>>>>> Remove what you have in red. Do debug radius authentication. See
>>>>>>> why it is saying it is failing.
>>>>>>>
>>>>>>> On Mon, Aug 8, 2011 at 9:54 PM, Mark Senteza <
>>>>>>> [email protected]> wrote:
>>>>>>>
>>>>>>>> Hey all,
>>>>>>>>
>>>>>>>> I'm trying to configure CLI Views using RADIUS, but can't get it to
>>>>>>>> work. I authenticate fine, but the CLI View is never applied. What am I
>>>>>>>> doing wrong?
>>>>>>>>
>>>>>>>> My ACS User configuration is:
>>>>>>>>
>>>>>>>> Username: limited
>>>>>>>> password: cisco
>>>>>>>>
>>>>>>>> Cisco IOS/PIX 6.x RADIUS Attributes
>>>>>>>>
>>>>>>>> [x] [009/001] cisco-av-pair
>>>>>>>>   shell:cli-view-name=limited
>>>>>>>>
>>>>>>>> IETF RADIUS Attributes
>>>>>>>>
>>>>>>>> [x] Service-Type      "NAS Prompt" selected from the drop-down
>>>>>>>> listbox
>>>>>>>>
>>>>>>>> ******************
>>>>>>>>
>>>>>>>> My router configuration is:
>>>>>>>>
>>>>>>>> enable secret cisco
>>>>>>>>
>>>>>>>> aaa new-model
>>>>>>>>
>>>>>>>> aaa authentication login CONSOLE none
>>>>>>>> aaa authentication login VTY group radius
>>>>>>>>
>>>>>>>> aaa authorization exec CONSOLE none
>>>>>>>> aaa authorization exec VTY group radius
>>>>>>>>
>>>>>>>> *radius-server attribute 6 mandatory*   <- Is this a prerequisite command for CLI Views with Radius
>>>>>>>> radius-server host 10.49.49.100 auth-port 1645 acct-port 1646
>>>>>>>> radius-server key cisco
>>>>>>>> *radius-server vsa send authentication*   <- Is this a prerequisite command for CLI Views with Radius
>>>>>>>>
>>>>>>>> ip radius source-interface Loopback0
>>>>>>>>
>>>>>>>> line vty 0 4
>>>>>>>>  password ciscoccie
>>>>>>>>  authorization exec VTY
>>>>>>>>  login authentication VTY
>>>>>>>>
>>>>>>>> parser view limited
>>>>>>>>  secret 5 $1$i0td$AjMze0pO6bfxePI936yKr.
>>>>>>>>  commands exec include show ip interface brief
>>>>>>>>  commands exec include show ip interface
>>>>>>>>  commands exec include show ip
>>>>>>>>  commands exec include show clock
>>>>>>>>  commands exec include show version
>>>>>>>>  commands exec include show logging
>>>>>>>>  commands exec include show
>>>>>>>>
>>>>>>>> *****************
>>>>>>>>
>>>>>>>> R4#show parser view
>>>>>>>> Current view is 'root'
>>>>>>>>
>>>>>>>> I'm not sure if this IOS version is supported, but I'm using
>>>>>>>> 12.4(24)T Advanced Enterprise Services
>>>>>>>>
>>>>>>>> R4#show version
>>>>>>>> Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M),
>>>>>>>> Version 12.4(24)T, RELEASE SOFTWARE (fc1)
>>>>>>>> System image file is "flash:c2800nm-adventerprisek9-mz.124-24.T.bin"
>>>>>>>>
>>>>>>>> *****************
>>>>>>>> When I telnet from another router to R4 (cli view enabled router),
>>>>>>>> the cli view is not set on the user
>>>>>>>>
>>>>>>>> R2#telnet 10.56.56.4
>>>>>>>> Trying 10.56.56.4 ... Open
>>>>>>>>
>>>>>>>>
>>>>>>>> User Access Verification
>>>>>>>>
>>>>>>>> Username: limited
>>>>>>>> Password:
>>>>>>>>
>>>>>>>> R4>en
>>>>>>>> Password:
>>>>>>>> R4#show parser view
>>>>>>>> No view is active ! Currently in Privilege Level Context
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> For more information regarding industry leading CCIE Lab training,
>>>>>>>> please visit www.ipexpert.com
>>>>>>>>
>>>>>>>> Are you a CCNP or CCIE and looking for a job? Check out
>>>>>>>> www.PlatinumPlacement.com
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>>
>>
>
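The Access-Accept in the debug output above can be checked byte for byte. The following is an added example, not part of the original thread: it rebuilds that packet from the values the debug prints and extracts the cisco-av-pair that selects the CLI view, validating every length field on the way (the function names are hypothetical).

```python
import struct

CISCO_VENDOR_ID, CISCO_AVPAIR, VENDOR_SPECIFIC = 9, 1, 26  # "[009/001] cisco-av-pair"

def tlv(attr_type, value):
    """Encode one RADIUS attribute: type, length (header included), value."""
    return bytes([attr_type, len(value) + 2]) + value

def parse_attributes(packet):
    """Return [(type, value)] after checking the packet and attribute lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs

def cisco_avpairs(packet):
    """Extract every cisco-av-pair string carried in Vendor-Specific attributes."""
    pairs = []
    for attr_type, value in parse_attributes(packet):
        if attr_type != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        sub = value[4:]
        while sub:  # walk the vendor sub-attributes inside attribute 26
            if len(sub) < 2 or sub[1] < 2 or sub[1] > len(sub):
                raise ValueError("bad vendor sub-attribute length")
            if sub[0] == CISCO_AVPAIR:
                pairs.append(sub[2:sub[1]].decode("ascii"))
            sub = sub[sub[1]:]
    return pairs

# Constructed sample: the Access-Accept rebuilt from the values in the debug output.
AUTHENTICATOR = bytes.fromhex("1561330D3695C6BB70D0932FC1E32C9A")
VSA = tlv(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID)
          + tlv(CISCO_AVPAIR, b"shell:cli-view-name=limited"))
BODY = (tlv(8, bytes([255] * 4)) + VSA + tlv(6, struct.pack("!I", 7))
        + tlv(25, b"CACS:0/53036/4040404/514"))
ACCESS_ACCEPT = struct.pack("!BBH", 2, 11, 20 + len(BODY)) + AUTHENTICATOR + BODY
```

The rebuilt packet is 93 bytes and its Vendor-Specific attribute is 35 bytes, matching the `len 93` and `[26]  35` fields in the debug output.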