topic Re: Radius IETF ACS 3.3 in Network Access Control

Radius IETF ACS 3.3

m.alghisi — Sun, 10 Mar 2019 20:55:36 GMT

Hi to everybody.

Why i can't see all the radius attribute from the interface configuration html page ?

I need to set the primary-dns-server (radius attribute number 135) and the secondary-dns-server (radius attribute number 136) radius attribute, but i see only the attribut up to the 91.

Thans a lot

Marco

Re: Radius IETF ACS 3.3

gfullage — Mon, 13 Dec 2004 00:55:06 GMT

You would add these with VSA (Vendor Specific Attributes) that can be added to ACS using CSUtil or RDBMS Sync (since ACS 3.1).

Notice that for ACS SE/Appliance the only method is RDBMS Sync.

So, consult the ACS 3.2 appliance user guide for info about using RDBMS Synch.

Some links:

Topic about RDBMS support for VSA import:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/user/sad.htm#451579

Beginning of RDBMS feature doc:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/user/sad.htm#451426

Synch. codes appendix:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/user/ag.htm

Table with relevant action codes:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/user/ag.htm#1372

Action codes 350 through 355 support custom VSA definition and config.

Re: Radius IETF ACS 3.3

m.alghisi — Mon, 13 Dec 2004 09:22:34 GMT

Thanks a lot, as soon as possibile i will try to test the VSA import.

Best regards

Marco

Re: Radius IETF ACS 3.3

fabrizio.roggerini — Tue, 30 Aug 2005 08:05:22 GMT

Marco, I read your post. I have the same question and I follow the attacched suggestion.

The RDBMS operation ended with success, but I have not reach the results? I didn't see the new parameters ( "135 Primary-DNS-Server" and "136 Secondary-DNS-Server") in the configuration screen.

Had you reach the same results? If not, could you explain me how do you resolve the issue?

Re: Radius IETF ACS 3.3

andrewclymer — Fri, 16 Sep 2005 13:20:23 GMT

Attribute 135 and 136 are part of the base attribute range and not part of a vendor specific set, and as thus can not be defind via the customizable dictionary mechanism.

In ACS 3.3 it seems there is a bug, since these attributes are defined against an Ascend NAS type. But on attempting to view these attributes inside the Ascend dictionary they don't appear to show up

Closer inspection of the Windows registry shows these items to be present. So this leaves me to thinking there is a bug in CiscoSecure. Possibly the list of Ascend supported attributes has grown too large for the GUI.

Ive managed to come up with a work around if you are feeling happy to hack the registry is this.

Assuming you are using ACS 3.3 download the attached registry file and double click on it ( open it in notepad if you want to see what it does ).

Now restart CSADMIN

net stop CSADMIN

net start CSADMIN

Now navigate Interface Configuration -> RADIUS IETF

You should see Attribute 135,136 and the bottom select them for group or user configuration and hit submit

you should then see them in any group or user configuration.

Re: Radius IETF ACS 3.3

andrewclymer — Fri, 16 Sep 2005 13:49:27 GMT

Having just rechecked my 3.3 it appears they were showing up in Ascend. So you shouldn't have to do the registry hack

Simply go to Interface Configuration -> Ascend and enable attribute 135 and 136. They should then appear in the group configuration assuming you are using an Ascend compatible device.

E.g Cisco IOS/PIX

Re: Radius IETF ACS 3.3

andrewclymer — Fri, 16 Sep 2005 14:46:06 GMT

These are not regarded as IETF attributes but Ascend

You need to have a Ascend or Compatible Access Device configured in Network Configuration

E.g. Vendor = Ascend or Cisco IOS/PIX

And then go to Interface configuration

And select Ascend

You should then see 135 and 136 enable them and then they should be present on the group/user config screens

Re: Radius IETF ACS 3.3

dodgybrother — Thu, 27 Sep 2007 04:40:58 GMT

This problem stinks. I have tried the RDBMS for IETF 135 and 136 (Primary DNS and Secondary) and it simply doesn't work. I read in places that the solution is ascend but the thing is I need to use framed routes (IETF) aswell. Is this issue a bug in ACS 3.3 or am I doing something wrong. Why this option wouldn't be included by default eludes me.

Re: Radius IETF ACS 3.3

darpotter — Tue, 02 Oct 2007 09:15:32 GMT

Is it that the config doesnt show up.. or that the attributes do not get sent to the device?

ACS tries to intelligently (ahem) filter inappropriate attributes.

Therefore, if you have Ascend attributes defined in a group, but the device is defined as Cisco... ACS may well filter out the Ascend attributes.

Easily tested, in the ACS network config set the RADIUS client to be Ascend and re-test.

Re: Radius IETF ACS 3.3

dodgybrother — Thu, 04 Oct 2007 01:06:15 GMT

yeah tried setting as ascend and even nortel but it doesn't work for them either. Essentially where the RDBMS is falling over is with the sync. I get a parse error because it doesn't recognise the attribute and that is because I do not know the correct vendor ID for IETF...which I thought was default or at worst 9 (CISCO). Attached is my current CSV file to enable 135 and 136 (IETF).

Re: Radius IETF ACS 3.3

darpotter — Fri, 05 Oct 2007 05:40:33 GMT

Ah, I see the mistake.

These are NOT VSAs. Way back (before VSAs) Ascend simply "stole" a huge chunk of standard attribute numbers for their own purposes.

So use the non-vsa attribute settings actions, eg just like you would for setting something like Session-Timeout and it should be ok.

Re: Radius IETF ACS 3.3

dodgybrother — Wed, 12 Dec 2007 04:23:43 GMT

could you please tell me where to find the "non-vsa" attribute for DNS. Essentially as you describe it the attribute I am after was "stolen" by Ascend and I can't use that? So this still comes back to my point of how do I assign DNS from the Radius when it won't allow me to specify it anywhere? Please help me this is a major flaw with this device.