topic Re: on-for-login-auth attribute Cisco ISE in Network Access Control https://community.cisco.com/t5/network-access-control/on-for-login-auth-attribute-cisco-ise/m-p/5096216#M589354 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1683156">@Jason2005</a>&nbsp; most of these commands are described in the Cisco ISE wired prescriptive guide <A href="https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515" target="_blank">https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515</A></P> <P>Send the Service-Type attribute in the authentication packets, which is important for ISE to distinguish between the different authentication methods:</P> <PRE>c9300-Sw(config)#radius-server attribute 6 on-for-login-auth</PRE> <P>Send the IP address of an endpoint to the RADIUS server in the access request:</P> <PRE>c9300-Sw(config)#radius-server attribute 8 include-in-access-req</PRE> <P>Include the class attribute in an access request for network access authorization:</P> <PRE>c9300-Sw(config)#radius-server attribute 25 access-request include</PRE> <P>Define how a switch must detect a RADIUS server reachability failure:</P> <PRE>c9300-Sw(config)#radius-server dead-criteria time 10 tries 3</PRE> <P class="codeblock"><SPAN><SPAN class="content">Specifies the number of seconds a switch waits for a reply to a RADIUS request before resending the request. The default is 5 seconds; the range is 1 to 1000.</SPAN></SPAN></P> <PRE class="codeblock"><SPAN>Switch</SPAN>(config)# <KBD class="userinput"><STRONG>radius-server timeout 3</STRONG></KBD></PRE> <P><LI-WRAPPER></LI-WRAPPER><SPAN class="content"><SPAN>Enables the network access server to recognize and use vendor-specific attributes as defined by RADIUS IETF attribute 26</SPAN></SPAN></P> <PRE>Device(config)# radius-server vsa send&nbsp;<SPAN> [<SPAN class="synph"><SPAN class="kwd">accounting</SPAN></SPAN> | <SPAN class="synph"><SPAN class="kwd">authentication</SPAN></SPAN>] </SPAN></PRE> <P><SPAN><A href="https://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3.2_0_se/multibook/configuration_guide/b_consolidated_config_guide_3850_chapter_0101111.html" target="_blank">https://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3.2_0_se/multibook/configuration_guide/b_consolidated_config_guide_3850_chapter_0101111.html</A></SPAN></P> Thu, 09 May 2024 14:26:43 GMT Rob Ingram 2024-05-09T14:26:43Z on-for-login-auth attribute Cisco ISE https://community.cisco.com/t5/network-access-control/on-for-login-auth-attribute-cisco-ise/m-p/5096205#M589352 <P>Can someone explain to me each of these commands :&nbsp;<BR />SW2(config-radius-server)#radius-server attribute 6 on-for-login-auth<BR />SW2(config)#radius-server attribute 8 include-in-access-req<BR />SW2(config)#radius-server attribute 25 access-request include<BR />SW2(config)#radius-server vsa send accounting<BR />SW2(config)#radius-server vsa send authentication<BR />SW2(config)#radius-server dead-criteria time 30 tries 3<BR />SW2(config)#radius-server timeout 2</P> Thu, 09 May 2024 14:15:08 GMT https://community.cisco.com/t5/network-access-control/on-for-login-auth-attribute-cisco-ise/m-p/5096205#M589352 Jason2005 2024-05-09T14:15:08Z Re: on-for-login-auth attribute Cisco ISE https://community.cisco.com/t5/network-access-control/on-for-login-auth-attribute-cisco-ise/m-p/5096216#M589354 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1683156">@Jason2005</a>&nbsp; most of these commands are described in the Cisco ISE wired prescriptive guide <A href="https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515" target="_blank">https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515</A></P> <P>Send the Service-Type attribute in the authentication packets, which is important for ISE to distinguish between the different authentication methods:</P> <PRE>c9300-Sw(config)#radius-server attribute 6 on-for-login-auth</PRE> <P>Send the IP address of an endpoint to the RADIUS server in the access request:</P> <PRE>c9300-Sw(config)#radius-server attribute 8 include-in-access-req</PRE> <P>Include the class attribute in an access request for network access authorization:</P> <PRE>c9300-Sw(config)#radius-server attribute 25 access-request include</PRE> <P>Define how a switch must detect a RADIUS server reachability failure:</P> <PRE>c9300-Sw(config)#radius-server dead-criteria time 10 tries 3</PRE> <P class="codeblock"><SPAN><SPAN class="content">Specifies the number of seconds a switch waits for a reply to a RADIUS request before resending the request. The default is 5 seconds; the range is 1 to 1000.</SPAN></SPAN></P> <PRE class="codeblock"><SPAN>Switch</SPAN>(config)# <KBD class="userinput"><STRONG>radius-server timeout 3</STRONG></KBD></PRE> <P><LI-WRAPPER></LI-WRAPPER><SPAN class="content"><SPAN>Enables the network access server to recognize and use vendor-specific attributes as defined by RADIUS IETF attribute 26</SPAN></SPAN></P> <PRE>Device(config)# radius-server vsa send&nbsp;<SPAN> [<SPAN class="synph"><SPAN class="kwd">accounting</SPAN></SPAN> | <SPAN class="synph"><SPAN class="kwd">authentication</SPAN></SPAN>] </SPAN></PRE> <P><SPAN><A href="https://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3.2_0_se/multibook/configuration_guide/b_consolidated_config_guide_3850_chapter_0101111.html" target="_blank">https://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3.2_0_se/multibook/configuration_guide/b_consolidated_config_guide_3850_chapter_0101111.html</A></SPAN></P> Thu, 09 May 2024 14:26:43 GMT https://community.cisco.com/t5/network-access-control/on-for-login-auth-attribute-cisco-ise/m-p/5096216#M589354 Rob Ingram 2024-05-09T14:26:43Z Re: on-for-login-auth attribute Cisco ISE https://community.cisco.com/t5/network-access-control/on-for-login-auth-attribute-cisco-ise/m-p/5096225#M589355 <P>Does an attribute refers to a segment on a Packet ?</P> Thu, 09 May 2024 14:34:23 GMT https://community.cisco.com/t5/network-access-control/on-for-login-auth-attribute-cisco-ise/m-p/5096225#M589355 Jason2005 2024-05-09T14:34:23Z Re: on-for-login-auth attribute Cisco ISE https://community.cisco.com/t5/network-access-control/on-for-login-auth-attribute-cisco-ise/m-p/5096233#M589356 <P><A href="https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_radatt/configuration/xe-16/sec-usr-radatt-xe-16-book/sec-rad-ov-ietf-attr.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_radatt/configuration/xe-16/sec-usr-radatt-xe-16-book/sec-rad-ov-ietf-attr.html</A></P> <P>&nbsp;</P> Thu, 09 May 2024 14:38:15 GMT https://community.cisco.com/t5/network-access-control/on-for-login-auth-attribute-cisco-ise/m-p/5096233#M589356 Rob Ingram 2024-05-09T14:38:15Z