AAA & RADIUS

In a lab, when I configure the following, there is no problem logging in to the switch using telnet/ssh:

aaa new-model
aaa authentication login default group radius
aaa authorization exec default group radius if-authenticated
aaa accounting exec default start-stop group radius

I have configured the following Cisco AV-pair on the AAA server:

shell:priv-lvl=15

When I log in via telnet/ssh, there is no problem at all. However, when I connect via the console, I get no privilege level: it authenticates me into user EXEC but nothing more.

If anyone has seen this, I would greatly appreciate any help.

Thank you

Hi Chris,

Try the aaa authorization console command.

Where you set the value of the shell or RADIUS IETF attribute AV pair, try adding something for exec and then set the privilege level to 15.

Regards,

Manish
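To show what the switch actually does with the server's reply in this thread, here is an added Python example (not code from the forum, Cisco or RSA): it builds an Access-Accept carrying the Cisco VSA shell:priv-lvl=15, checks the Response Authenticator against the shared secret the way a NAS must before trusting the reply, and extracts the privilege level. The request authenticator and shared secret are constructed values.

```python
"""Access-Accept with a Cisco AV-pair, processed the way a NAS would.
Layout per RFC 2865: 20-byte header (code, id, length, 16-byte authenticator)
then type/length/value attributes. Cisco vendor ID is 9, cisco-avpair type 1."""
import hashlib
import hmac
import re
import struct
from typing import List, Tuple

CODE_ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """One attribute: type, total length (header included), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_cisco_avpair(text: str) -> bytes:
    """Vendor-Specific attribute carrying one cisco-avpair string."""
    raw = text.encode("ascii")
    vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(raw) + 2) + raw
    return encode_attr(ATTR_VENDOR_SPECIFIC, vsa)


def build_access_accept(ident: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: a reply not authenticated with the shared secret (wrong key,
    forged or altered packet) must be discarded."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    head, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(head + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attrs(attrs: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute list, rejecting malformed lengths."""
    out, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        attr_type, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("bad attribute length")
        out.append((attr_type, attrs[i + 2:i + length]))
        i += length
    return out


def cisco_avpairs(attrs: bytes) -> List[str]:
    """Extract cisco-avpair strings; other vendors and vendor types are ignored."""
    pairs = []
    for attr_type, value in parse_attrs(attrs):
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
        if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR and vlen == len(value) - 4:
            pairs.append(value[6:].decode("ascii", errors="replace"))
    return pairs


def privilege_level(packet: bytes, request_auth: bytes, secret: bytes) -> int:
    """Privilege level the switch applies to the EXEC session: from shell:priv-lvl
    in a verified Access-Accept, otherwise 1 (user EXEC). Raises on a bad reply."""
    if not verify_response(packet, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    for pair in cisco_avpairs(packet[20:]):
        m = re.fullmatch(r"shell:priv-lvl=(\d+)", pair)
        if m:
            return int(m.group(1))
    return 1


if __name__ == "__main__":
    # Constructed values; a real NAS picks a random Request Authenticator per request.
    req_auth, secret = bytes(range(16)), b"testing123"
    accept = build_access_accept(7, req_auth, secret, encode_cisco_avpair("shell:priv-lvl=15"))
    print("priv-lvl granted:", privilege_level(accept, req_auth, secret))
```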

Tags: Cisco Security

Similar Questions

  • AAA/RADIUS debugging for one specific MAC address only

    I have a question: is there a way I can debug AAA, RADIUS and EAP communication on a switch for one particular MAC address (endpoint) only?

    Thank you.

    EAP authentication

    In order to troubleshoot the interaction between the WLC and the authentication server (external RADIUS or the internal EAP server), use the command debug aaa all enable, which shows the required details. This command must be used after the debug client command and can be combined with other debug commands as needed (for example, mobility handoff).

    (Cisco Controller) >debug client 00:00:00:00:00:00
    (Cisco Controller) >debug aaa all enable
    (Cisco Controller) >show debug
    MAC address ................................ 00:00:00:00:00:00
    Debug Flags Enabled:
      aaa detail enabled.
      aaa events enabled.
      aaa packet enabled.
      aaa packet enabled.
      aaa ldap enabled.
      aaa local-auth db enabled.
      aaa local-auth eap framework errors enabled.
      aaa local-auth eap framework events enabled.
      aaa local-auth eap framework packets enabled.
      aaa local-auth eap framework state machine enabled.
      aaa local-auth eap method errors enabled.
      aaa local-auth eap method events enabled.
      aaa local-auth eap method packets enabled.
      aaa local-auth eap method state machine enabled.
      aaa local-auth shim enabled.
      aaa tacacs enabled.
      dhcp packet enabled.
      dot11 mobile enabled.
      dot11 state enabled
      dot1x events enabled
      dot1x states enabled.
      mobility handoff enabled.
      pem events enabled.
      pem state enabled.

  • AAA RADIUS 3750X

    Hello!

    I'm troubleshooting an installation of a new stack of 3750X switches. Everything is wonderful save two issues, one being RADIUS. I have mirrored the config of another working stack of identical switches but I am having no luck with this one. Debug RADIUS authentication showed this; any ideas?

    I tried a few things, including specifying my management VLAN interface as the source for RADIUS, but it had no effect.

    I am running 15.0(2)SE, IPBASEK9-M

    10:22:43: RADIUS: AAA Attr not supported: interface [221] 4

    10:22:43: RADIUS: 74 74 [tt]

    Thanks for your help

    Hi John,

    Take a look at this:

    aaa group server radius Group1
     server 10.10.220.130 auth-port 182 acct-port 1813

    RADIUS authentication listens on port 1812. Try reconfiguring as below:

    aaa group server radius Group1
     server 10.10.220.130 auth-port 1812 acct-port 1813

    Regards,

    Najaf

    Please rate if applicable or useful!

  • Privilege level control from the AAA RADIUS server

    I have RADIUS authentication working on my switch, but I'm trying to allow two types of user login using Windows Active Directory: NetworkUsers, who can display the configuration, and NetworkAdmins, who can do anything. I would like NetworkAdmins to go directly to privilege level 15 when they log on, but I could not get that part to work. Here is my configuration:

    Windows 2008 R2 domain controller with NPS installed.

    RADIUS client: I have the IP address of the switch as well as the key. Under the Advanced tab I selected Cisco as the vendor name.

    Network policies:

    NetworkAdmins, which has the NetworkAdmins group in its conditions; under settings I have nothing in the standard attributes, and for the vendor-specific attribute I have:

    Cisco Cisco-AV-Pair shell:priv-lvl=15

    My switch config:

    aaa new-model
    !
    !
    aaa group server radius MTFAAA
     server name dc-01
     server name dc-02
    !
    aaa authentication login NetworkAdmins local group MTFAAA
    aaa authorization exec NetworkAdmins local group MTFAAA

    radius server dc-01
     address ipv4 10.0.1.10 auth-port 1645 acct-port 1646
     key 7 *
    !
    radius server dc-02
     address ipv4 10.0.1.11 auth-port 1645 acct-port 1646
     key 7 *
    !

    No matter what I do, I do not get privilege level 15 by default when I log in. Any thoughts?

    Have you specified the authorization under the line vty group? I think it is the authorization exec command. Something like that.
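The same misconfigurations come up in this thread and the two before it: no exec authorization on the console line, a mistyped RADIUS port, and a named method list that no line applies. This is an added audit script, not anything from the forum or from Cisco, that flags all three in an IOS-style running-config; it also catches the non-default dot1x list that appears in the 2960-S thread further down. The config it checks is constructed, and it assumes sub-mode commands are indented by one space.

```python
"""Audit an IOS running-config for the AAA/RADIUS mistakes seen in these threads.
Assumes IOS text layout: top-level commands start in column 0 and sub-mode
commands (under 'line vty', 'aaa group server ...') are indented one space."""
import re
from typing import Dict, List, Set, Tuple

# Authentication/accounting port pairs a RADIUS server actually listens on.
PORT_PAIRS = {1812: 1813, 1645: 1646}

# Named list kinds tracked here and the line sub-mode command that applies each.
LINE_COMMAND = {
    "authentication login": "login authentication",
    "authorization exec": "authorization exec",
}


def _config_lines(cfg: str) -> List[str]:
    return [ln.rstrip() for ln in cfg.splitlines()
            if ln.strip() and not ln.lstrip().startswith("!")]


def audit_aaa_config(cfg: str) -> List[str]:
    lines = _config_lines(cfg)
    top = [ln for ln in lines if not ln.startswith(" ")]
    findings: List[str] = []

    if "aaa new-model" not in top:
        return ["aaa new-model missing: no AAA method list takes effect"]

    # 1. Console EXEC authorization: without 'aaa authorization console' the
    #    console line never applies exec authorization, so shell:priv-lvl is ignored there.
    if any(ln.startswith("aaa authorization exec ") for ln in top) \
            and "aaa authorization console" not in top:
        findings.append("console: 'aaa authorization exec' is set but "
                        "'aaa authorization console' is absent; console logins "
                        "stay in user EXEC regardless of shell:priv-lvl")

    # 2. Server port sanity: typos (182) and mismatched pairs (1812/1646).
    for ln in lines:
        m = re.search(r"auth-port (\d+) acct-port (\d+)", ln)
        if not m:
            continue
        auth, acct = int(m.group(1)), int(m.group(2))
        if auth not in PORT_PAIRS:
            findings.append(f"ports: non-standard auth-port {auth} in '{ln.strip()}'")
        elif PORT_PAIRS[auth] != acct:
            findings.append(f"ports: mismatched pair {auth}/{acct} in '{ln.strip()}'")

    # 3. Named method lists that nothing applies.
    defined: Dict[str, Set[str]] = {}
    for ln in top:
        m = re.match(r"aaa (authentication login|authorization exec|authentication dot1x) (\S+)", ln)
        if m and m.group(2) != "default":
            defined.setdefault(m.group(1), set()).add(m.group(2))
    applied: Set[Tuple[str, str]] = set()
    for ln in lines:
        m = re.match(r" +(login authentication|authorization exec) (\S+)$", ln)
        if m:
            applied.add((m.group(1), m.group(2)))
    for kind, names in defined.items():
        for name in sorted(names):
            if kind == "authentication dot1x":
                findings.append(f"dot1x: list '{name}' is not 'default'; the 802.1X "
                                "authenticator only uses the default dot1x list, so "
                                "RADIUS is never contacted")
            elif (LINE_COMMAND[kind], name) not in applied:
                findings.append(f"lists: aaa {kind} '{name}' is defined but not "
                                "applied under any line")
    return findings


# Constructed sample combining the threads' mistakes (not a real device config).
SAMPLE_CONFIG = """\
aaa new-model
!
aaa group server radius MTFAAA
 server 10.10.220.130 auth-port 182 acct-port 1813
 server 10.10.220.131 auth-port 1812 acct-port 1646
!
aaa authentication login default group MTFAAA local
aaa authentication login NetworkAdmins group MTFAAA local
aaa authentication dot1x group group radius
aaa authorization exec default group MTFAAA if-authenticated
aaa authorization exec NetworkAdmins group MTFAAA local
!
line con 0
line vty 0 4
 login authentication NetworkAdmins
"""

if __name__ == "__main__":
    for finding in audit_aaa_config(SAMPLE_CONFIG):
        print("-", finding)
```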

  • AAA + RADIUS on Catalyst switches

    The command "Switch(config)# radius-server ..." doesn't appear on my Catalyst 3500. The Catalyst IOS version is c3500xl-c3h2s-mz.120-5.WC5

    How do I set the IP address and port of the RADIUS server?

    Regards

    I think I have the same version. As you can see below, the command is there.

    #sh ver
    Cisco Internetwork Operating System Software
    IOS (tm) C3500XL Software (C3500XL-C3H2S-M), Version 12.0(5)WC5, RELEASE SOFTWARE (fc1)
    Copyright (c) 1986-2002 by cisco Systems, Inc.
    Compiled Wed 28-May-02 11:41 by devgoyal
    Image text-base: 0x00003000, data-base: 0x0034A3C8

    ROM: Bootstrap program is C3500XL boot loader

    uptime is 40 weeks, 15 hours, 35 minutes
    System returned to ROM by reload
    System restarted at 23:17:01 PDT Mon Aug 19 2002
    System image file is "flash:c3500xl-c3h2s-mz.120-5.WC5.bin"

    cisco WS-C3524-XL (PowerPC403) processor (revision 0x01) with 8192K/1024K bytes of memory.
    Processor board ID FAB0513V068, with hardware revision 0x00
    Last reset from warm-reset

    Processor is running Enterprise Edition Software
    Cluster command switch capable
    Cluster member switch capable
    24 FastEthernet/IEEE 802.3 interface(s)
    2 Gigabit Ethernet/IEEE 802.3 interface(s)

    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: 00:05:9B:93:13:80
    Motherboard assembly number: 73-3904-11
    Power supply part number: 0851-34-02
    Motherboard serial number: FAB051240RK
    Power supply serial number: PHI050204Z8
    Model revision number: A0
    Model number: WS-C3524-XL-EN
    System serial number: FAB0513V068
    Configuration register is 0xF

    #conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    (config)#rad
    (config)#radius-server ?
      attribute           Customize selected radius attributes
      challenge-noecho    Data echoing to screen is disabled during Access-Challenge
      configure-nas       Attempt to download static routes and IP pools at startup
      deadtime            Time to stop using a server that doesn't respond
      directed-request    Allow user to specify radius server to use with `@server'
      host                Specify a RADIUS server
      key                 encryption key shared with the radius servers
      optional-passwords  The first RADIUS request can be made without requesting a password
      retransmit          Specify the number of retries to active server
      timeout             Time to wait for a RADIUS server to reply
      vsa                 Vendor specific attribute configuration

    Hope this helps you

    Leo

  • AAA RADIUS authentication for only one user group

    Hello

    I use ACS 3.1 and am trying to use RADIUS authentication for all network switches in my company.

    The problem I'm facing now is how to restrict login/exec access to the switches to only one user group. It seems that all user IDs in my ACS are able to telnet (user access) to the switches using their login credentials.

    I would like to prevent them from using telnet with their ID, except for the administrator group.

    Any advice on how this is possible?

    Thanks!

    To do this, you need the admin users in their own separate ACS group, leaving the other users in their own group also.

    Edit the group that contains the users you don't want to give access to, and under the Network Access Restrictions (NAR) heading, in "Per Group Defined Network Access Restrictions", check "Define IP-based access restrictions", choose "Denied Calls" and enter the switches in the table below (put a * in the port and address).

    This prevents standard users from authenticating to the switches. You can add all your switches to a Network Device Group (NDG) for this; then you only have to add that NDG in the NAR section rather than adding each switch individually.

  • No remote access after enabling RADIUS AAA

    Hello

    I can't access our Catalyst 4006 after activating AAA for RADIUS. I have installed IAS on our domain controller, configured the Catalyst as a RADIUS client and configured a remote access policy that points to an AD group to allow access to the switch. When I try to connect to the Catalyst with my AD user credentials, it seems to hang after I type my password, asks for the password again, then says access denied. This happens both on the console and through a telnet session. I have included my AAA configuration below.

    What am I missing?

    Tim

    (Cisco IOS Software 12.2(25)EWA14)

    aaa new-model
    !
    radius-server host 10.100.x.x auth-port 1812 acct-port 1813 key xxxxxxxxxx
    radius-server source-ports 1645-1646
    !
    aaa group server radius Radius-servers
     server 10.100.x.x auth-port 1812 acct-port 1813
    !
    aaa authentication login default group Radius-servers local line
    aaa authentication enable default group Radius-servers enable
    aaa authentication dot1x default group Radius-servers
    aaa authorization exec default group Radius-servers if-authenticated
    aaa authorization network default group Radius-servers
    aaa accounting dot1x default start-stop group Radius-servers
    aaa accounting exec default start-stop group Radius-servers
    !
    line vty 0 4
     login authentication default

    Tim

    I think that the immediate problem is that the source address your switch uses is not the address the RADIUS server expects. The RADIUS server is 10.100.182.250 and it is in the subnet of interface vlan 182, so the address of interface vlan 182 will be the source address of the RADIUS request. The fix is to use the ip radius source-interface command and specify the address you want the switch to use. Of course, in the short term, it would be easier to change the RADIUS server to expect 10.100.182.2 as the client address.

    HTH

    Rick

  • Cisco Catalyst 2960-S switch configured for 802.1X does not send an Access-Request to the RADIUS server

    Setup

    Cisco Catalyst 2960-S running 15.0(2)SE8

    FreeRADIUS RADIUS server on CentOS 6.4

    Client (supplicant) running Windows 7

    When the Windows client is connected to the port (port 12 in my setup) with 802.1X authentication active on the switch, Wireshark shows that the Catalyst sends an EAP Request and the client responds with an EAP Response. But it does not make the request to the RADIUS server. The RADIUS test utility "test aaa group radius testuser password new-code" works.
    Here is my running config. Any advice would be greatly appreciated.

    mySwitch#show running-config
    Building configuration...

    Current configuration : 2094 bytes
    !
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname myswitch
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 $1$Z1z6$kqvVYRQdVRZ0h8aDTV5DR0
    !
    !
    aaa new-model
    !
    !
    aaa authentication dot1x group group radius
    aaa accounting dot1x default start-stop group radius
    !
    !
    !
    aaa session-id common
    switch 1 provision ws-c2960s-24ts-l
    !
    !
    !
    !
    !
    dot1x system-auth-control
    spanning-tree mode pvst
    spanning-tree extend system-id
    !
    !
    !
    !
    vlan internal allocation policy ascending
    !
    interface FastEthernet0
     no ip address
     shutdown
    !
    interface GigabitEthernet1/0/1
    !
    interface GigabitEthernet1/0/2
    !
    interface GigabitEthernet1/0/3
    !
    interface GigabitEthernet1/0/4
    !
    interface GigabitEthernet1/0/5
    !
    interface GigabitEthernet1/0/6
    !
    interface GigabitEthernet1/0/7
    !
    interface GigabitEthernet1/0/8
    !
    interface GigabitEthernet1/0/9
    !
    interface GigabitEthernet1/0/10
    !
    interface GigabitEthernet1/0/11
    !
    interface GigabitEthernet1/0/12
     switchport mode access
     authentication port-control auto
     dot1x pae authenticator
    !
    interface GigabitEthernet1/0/13
    !
    interface GigabitEthernet1/0/14
    !
    interface GigabitEthernet1/0/15
    !
    interface GigabitEthernet1/0/16
    !
    interface GigabitEthernet1/0/17
    !
    interface GigabitEthernet1/0/18
    !
    interface GigabitEthernet1/0/19
    !
    interface GigabitEthernet1/0/20
    !
    interface GigabitEthernet1/0/21
    !
    interface GigabitEthernet1/0/22
    !
    interface GigabitEthernet1/0/23
    !
    interface GigabitEthernet1/0/24
    !
    interface GigabitEthernet1/0/25
    !
    interface GigabitEthernet1/0/26
    !
    interface GigabitEthernet1/0/27
    !
    interface GigabitEthernet1/0/28
    !
    interface Vlan1
     ip address 10.1.2.12 255.255.255.0
    !
    ip http server
    ip http secure-server
    ip sla enable reaction-alerts
    logging trap debugging
    logging host 10.1.2.1 transport tcp port 514
    radius-server host 10.1.2.1 auth-port 1812 acct-port 1646 timeout 3 retransmit 3 key testing123
    line con 0
    line vty 0 4
     password password
    line vty 5 15
     password password
    !
    end


    Have you run Wireshark on the server to see whether the request from the switch arrives? If so, did you make sure there is a response from the server? For Windows Network Policy Server (I've never tried CentOS), you must ensure that the request matches a policy, which then authenticates or denies access. Usually it is a matter of attributes such as the vendor.

    Regarding the configuration, it seems a bit off in the AAA part. Try removing the line

    "aaa authentication dot1x group group radius" and using this instead:

    "aaa authentication dot1x default group radius". After the word dot1x you are supposed to provide a list name, or the word default if you do not want to use a named list.

  • AAA new-model

    How does this command work: "aaa authentication enable default group radius"? I set up my RADIUS server (Cisco Secure ACS 4.2) but I cannot log in... Can someone here give me an understanding of this command? I need this for my CCNA Security exam... Help, please...

    Additional information:

    IETF RADIUS attributes: NAS calls

    Here is my config on R1:

    !
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname R1
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 $1$e.TZ$EXkOaZ0rkd/GBGLA/8GrD/
    !
    aaa new-model
    !
    !
    aaa authentication enable default group radius
    !
    !
    aaa session-id common
    !
    !
    resource policy
    !
    memory-size iomem 5
    ip cef
    !
    !
    !
    !
    no ip domain lookup
    ip domain name aida.com
    ip ssh version 2
    !
    !
    username mark privilege 15 password 7 110418171C
    username anthony password 7 050A081B29434010
    !
    interface Loopback1
     ip address 1.1.1.1 255.255.255.255
    !
    interface FastEthernet0/0
     ip address 192.168.5.1 255.255.255.248
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     ip address 10.10.10.1 255.255.255.252
     duplex auto
     speed auto
    !
    router eigrp 100
     network 1.1.1.1 0.0.0.0
     network 10.10.10.0 0.0.0.3
     network 192.168.5.0 0.0.0.7
     no auto-summary
    !
    !
    !
    no ip http server
    no ip http secure-server
    !
    !
    radius-server host 172.16.178.3 auth-port 1645 acct-port 1646 key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxx
    !
    !
    !
    control-plane
    !
    !
    line con 0
     exec-timeout 0 0
     logging synchronous
    line aux 0
    line vty 0 4
     login local
     transport input ssh
    !
    !
    end

    Hi Bro

    The command "aaa authentication enable default group radius" means that for your enable password, you want the router to refer to the ACS server to verify the credentials.

    Another example: the command "aaa authentication enable default group radius enable" means that for your enable password, you want the router to refer to the ACS server to verify the credentials, and in case your ACS is down, you want the router to check the local enable password.

    I see what you are trying to achieve and you can do this with RADIUS as well, but I personally prefer TACACS+ where possible.

    !
    aaa new-model
    !
    aaa authentication login default local group radius
    aaa authentication enable default group radius enable
    aaa authorization exec default local
    !
    radius-server host 10.0.0.100 auth-port 1645 acct-port 1646 key cisco123

    Note: $enab15$ - this is because you do not have aaa authorization commands configured. You can add a dummy username $enab15$ in your ACS, or you could paste the commands below into your router.

    username admin privilege 15 password 0 cisco123

    username operator privilege 7 password 0 cisco123

    P/S: Please rate this comment if you find this feedback useful :-)

  • DHCP RADIUS accounting

    We tried to apply DHCP accounting using RADIUS. All of the configuration was done as in http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a00801543c7.html

    but it seems that named accounting lists do not work at all.

    I.e.

    aaa accounting network RGROUP-1 start-stop group RADIUS-GROUP1

    ip dhcp pool WIRELESS-POOL
     accounting RADIUS-GROUP1

    does not work. How can I properly configure DHCP accounting? A working example?

    PS: 7206, c7200-is-mz.123-16.bin

    In this command, aaa accounting network RGROUP-1 start-stop group RADIUS-GROUP1, try the various options instead of the word network. See the following URL for more information:

    http://www.Cisco.com/univercd/CC/TD/doc/product/software/ios122/122newft/122T/122t15/ftdhcpac.htm#wp1086397

  • Backup AAA for PIX

    I have a PIX with the following configuration:

    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ (inside) host 192.168.1.1 77777 timeout 5
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host 192.168.1.1 77777 timeout 10
    aaa-server LOCAL protocol local
    aaa authentication serial console TACACS+
    aaa authentication enable console TACACS+
    aaa authorization command TACACS+
    aaa accounting match aaa_acl inside RADIUS

    Everything works fine when the RADIUS server is available. When it is not available, I can log in with the username "pix" and the "password". The problem is, once I am connected, I can't get authorization to execute commands. Does anyone know of a command similar to "if-authenticated" for routers that I can use?

    There is no backup method for authorization on the PIX. As you know, if the RADIUS server is down, you can log in with "pix" and the enable password, but that doesn't help with authorization. The only thing you can do is wait for the TACACS+ server to come back up. I'm sorry.

  • AAA w/RSA: "no authorization type..."

    I've set up a router and a switch for AAA using an RSA RADIUS server. Both are RSA "Agent Hosts" with identical configurations. The router (2621XM/EntServ 12.4(18)) and the switch (3560-24PS/IPBase 12.2(25)SEB2) have identical AAA configs, and RADIUS/RSA works fine as far as the passcode being accepted. But the switch won't let me in:

    **********************

    Username:

    Password:

    PASSCODE accepted

    % Authorization failed.

    **************************

    When I do "deb radius authentication" on each, the outputs are the same until the last 2 lines. The router that works says:

    000055: Jan 16 12:22:51 EST: RADIUS(00000005): Received from id 1645/3
    000056: Jan 16 12:22:51 EST: RADIUS/DECODE: Reply-Message fragments, 19, total 19 bytes

    But the switch says:

    000284: Jan 16 12:20:47 UTC: RADIUS: saved authorization data for user 3030220 at 3034440
    000285: Jan 16 12:20:47 UTC: RADIUS: no authorization type for user.

    The only other difference I can think of is that I use ssh for the router and telnet for the switch (IPBase apparently no habla "crypto"; I could use another IOS, I think).

    Any clue? TIA

    Paul

    If I were you, I would "disable" authorization on the Catalyst 3560. I have an identical setup like yours on my Catalyst 2960 and it works very well. See below:

    [root@... root]# telnet 192.168.0.5
    Trying 192.168.0.5...
    Connected to 192.168.0.5 (192.168.0.5).
    Escape character is '^]'.

    C
    *****************
    User Access Verification

    Username: test4
    Password:
    Enter your new PIN, containing 4 to 8 digits,
    or <Ctrl-D> to cancel the New PIN procedure:
    Please re-enter new PIN:
    Wait for the code on your card to change, then log in with the new PIN
    Enter PASSCODE:

    C2960#sh ver
    Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(25)SEE4, RELEASE SOFTWARE (fc1)
    Copyright (c) 1986-2007 by Cisco Systems, Inc.
    Compiled Tue 16-Jul-07 02:53 by myl
    Image text-base: 0x00003000, data-base: 0x00CC0000

    ROM: Bootstrap program is C2960 boot loader
    BOOTLDR: C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(25r)SEE1, RELEASE SOFTWARE (fc1)

    C2960 uptime is 2 weeks, 6 days, 14 hours, 10 minutes
    System returned to ROM by power-on
    System restarted at 23:20:30 GMT Wed Dec 26 2007
    System image file is "flash:c2960-lanbasek9-mz.122-25.SEE4.bin"

    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.

    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.Cisco.com/WWL/export/crypto/tool/stqrg.html

    If you require further assistance please contact us by sending email to
    [email protected].

    cisco WS-C2960G-24TC-L (PowerPC405) processor (revision B0) with 61440K/4088K bytes of memory.
    Processor board ID FOC1036X0F1
    Last reset from power-on
    2 Virtual Ethernet interfaces
    24 Gigabit Ethernet interfaces
    The password-recovery mechanism is enabled.

    64K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address       : 00:19:55:1B:D6:00
    Motherboard assembly number     : 73-10015-05
    Power supply part number        : 341-0098-02
    Motherboard serial number       : FOC10352NF2
    Power supply serial number      : AZS103402ZF
    Model revision number           : B0
    Motherboard revision number     : B0
    Model number                    : WS-C2960G-24TC-L
    System serial number            : FOC1036X0F1
    Top Assembly Part Number        : 800-26673-02
    Top Assembly Revision Number    : C0
    Version ID                      : V02
    CLEI Code Number                : COM3G00BRA
    Hardware Board Revision Number  : 0x01

    Switch Ports Model              SW Version    SW Image
    ------ ----- -----              ----------    ----------
    *    1 24    WS-C2960G-24TC-L   12.2(25)SEE4  C2960-LANBASEK9-M

    Configuration register is 0xF

    C2960#sh run | inc aaa
    aaa new-model
    aaa authentication login test group radius local
    aaa authentication login test1 group tacacs+ local
    aaa authentication login notac local
    aaa authentication dot1x default group radius
    aaa session-id common
    C2960#

    CCIE Security

  • AAA secondary ACS entry

    Hello

    I have 802.1X and MAB configured. I added a second ACS server and added the switch definition to it.
    My problem is that the ACS works well when it is set as the primary in the switch. But when it is configured as the backup and I force a failure on the primary, the switch does not try to use the backup ACS.

    From my configuration below, can someone please give me some pointers?

    Thank you

    aaa group server radius rrrr
     server-private 10.4.25.117 auth-port 1645 acct-port 1646 key 7 01100F175804575D72
     server-private 10.4.25.114 auth-port 1645 acct-port 1646 key 7 01100F175804575D72
     ip radius source-interface Vlan200
    !
    aaa new-model

    aaa authentication dot1x default group rrrr
    aaa authorization exec default local if-authenticated
    aaa authorization network default group rrrr
    aaa accounting dot1x default start-stop group rrrr

    interface FastEthernet0/1
     switchport access vlan 200
     switchport mode access
     switchport voice vlan 2
     authentication control-direction in
     authentication event fail action authorize vlan 100
     authentication event server dead action authorize vlan 100
     authentication event no-response action authorize vlan 100
     authentication host-mode multi-domain
     authentication order dot1x mab
     authentication port-control auto
     authentication violation protect
     mab
     dot1x pae authenticator
     dot1x timeout quiet-period 3
     dot1x timeout tx-period 4
     spanning-tree portfast

    Hi Tiago,

    The fix was to configure the following:

    radius-server retransmit 2

    radius-server timeout 3

    to allow failover to the secondary ACS server before the method list moved on. It was still trying to authenticate before it moved on to the second ACS.

    Thanks for your help.

  • What do I need to implement a RADIUS server?

    We intend to implement a TACACS+ server.

    I need to know what exactly I need to set up this server. Do I have to buy a vendor-based TACACS+ appliance, or can I just buy the software and install it on one of my new or existing servers? Is there any very good open source software that I can use? What are the advantages and disadvantages of each option?

    I'm managing hundreds of routers and switches in our company and on customer sites via the internet.

    One last question: is Cisco ACS 5.5 hardware, or can it be installed on any server?

    I know it's a very long list of questions, but I know that you are very friendly and nice people :)

    1.] Most large enterprise or carrier-class network device manufacturers support TACACS+. Some vendors that support the TACACS+ protocol are: Adtran, Alcatel/Lucent, Arbor, Aruba, Brocade/Foundry, Cisco/Linksys, Ericsson/Redback, Extreme, Fortinet, HP/3Com, Huawei, Juniper, Netgear, Nortel and others. However, I personally would recommend ACS 5.x.

    Source - http://tacacs.net/faq.asp

    2.] Cisco Secure ACS 5.5 is available as a closed, hardened Linux-based appliance (SNS 3415/3495) or as an image for VMware ESX/ESXi 5.0/5.1.

    Cisco Secure ACS 5.5 supports two distinct protocols for authentication, authorization and accounting (AAA): RADIUS for network access control and TACACS+ for network device access control.

    3.] For more information about the product and licensing, go through the links listed below.

    ACS 5.5 Ordering Guide

    ACS 5.5 Data Sheet

    Kind regards

    Jatin Kone

    * Do rate helpful posts *

  • AAA authentication and VRF-Lite

    Hello!

    I encountered a strange problem when using AAA RADIUS authentication and VRF-Lite.

    The setup is as follows. A /31 link net is configured between PE and CE (7206/G1 and C1812), where the PE sub-interface is part of an MPLS VPN and the CE uses VRF-Lite to keep local services separate (where more than one VPN is used).

    Access to the CE, via telnet, console etc., is authenticated by our RADIUS servers, based on the following configuration:

    --> Config start <--

    aaa new-model
    !
    !
    aaa group server radius RADIUS-auth
     server x.x.4.23 auth-port 1645 acct-port 1646
     server x.x.7.139 auth-port 1645 acct-port 1646
    !
    aaa authentication login default group RADIUS-auth local
    aaa authentication enable default group RADIUS-auth enable
    ...
    radius-server host x.x.4.23 auth-port 1645 acct-port 1646 key <key>
    radius-server host x.x.7.139 auth-port 1645 acct-port 1646 key <key>
    ...
    ip radius source-interface <interface> vrf 10

    --> Config end <--

    The VRF-Lite instance is configured like this:

    --> Config start <--

    ip vrf 10
     rd 65001:10

    --> Config end <--

    Now, if I remove the VRF-Lite configuration and use global routing on the CE (which is OK for a simple VPN installation), AAA/RADIUS authentication works very well. When I activate "ip vrf forwarding 10" on the outside and inside interfaces, the AAA/RADIUS service is unable to reach the two defined servers.

    I compared the routing table when using VRF-Lite and global routing, and they are identical. All routes are correctly imported via BGP, and the service as a whole operates without problem; in other words, the AAA/RADIUS part is the only service that does not.

    It may be necessary to include the ip vrf forwarding command in the server group config as follows:

    aaa group server radius RADIUS-auth
     server-private x.x.x.x auth-port 1645 acct-port 1646 key ww
     ip vrf forwarding 10

    See the document below for more details:

    http://www.Cisco.com/en/us/partner/docs/iOS/12_4/secure/configuration/guide/hvrfaaa.html
