topic Hi!While trying to reply to in Network Access Control

Telnet and VPN RADIUS authentication

avorobyev — Wed, 13 Mar 2019 00:44:44 GMT

Hi!

Trying to configure telnet (exec) and VPN authentication via the same RADIUS server.

How can differentiate EXEC and VPN logins on radius server?

Cisco sends Service-Type when PPPoE or some other type of auth but doesn't send it smth when I login via telnet.

So, I cannot see if client logins via telnet.

Have I missed something?

What type of Radius server

nspasov — Wed, 12 Nov 2014 01:36:40 GMT

What type of Radius server are you using?

Thank you for rating helpful posts!

Using Microsoft NPS.I can

avorobyev — Wed, 12 Nov 2014 06:24:51 GMT

Using Microsoft NPS.

I can authenticate both telnet and PPPoE/PPTP, but can't tell that one of the logins is EXEC.

I have done very little work

nspasov — Wed, 12 Nov 2014 07:30:41 GMT

I have done very little work with Microsoft's NPS but from what I can recall it was very limited when it came to its functionality.

For instance, in ISE and/or ACS, you can distinguish between the two via the following attributes:

1. EndpointID > > > For SSH this would look like this ip:source-ip=x.x.x.x. While for VPNs this field would just be populated with the public IP address of the client

2. CVPN3000/ASA/PIX7x-Tunnel-Group-Name > > > This field will only populate when doing VPNs and will reflect the name of the tunnel-group configured on the ASA

You can check and see if NPS has these either one of those attributes from I highly doubt it. I think you can create custom based Radius attributes in NPS but from what I remember it was not an easy task 🙂 However, google.com should be able to point you in the right direction

Hope this helps!

Thank you for rating helpful posts!

Hi!While trying to reply to

avorobyev — Sun, 16 Nov 2014 11:32:11 GMT

Hi!

While trying to reply to your answer, turned on maximum possible debugs for the login and saw this:

Nov 16 10:00:29.186: RADIUS/ENCODE(0000000F): dropping service type, "radius-server attribute 6 on-for-login-auth" is off

so put the command to the config:

radius-server attribute 6 on-for-login-auth

and then in every request for authentication i see:

for Login:

Nov 16 11:02:12.303: RADIUS: Service-Type [6] 6 Login [1]

for PPPoE/ PPTP/...

Nov 16 11:02:37.475: RADIUS: Service-Type [6] 6 Framed [2]

This answers my question.

By the way, this command is mandatory for ISE according to this post http://www.ajsnetworking.com/switch-configuration-for-ise-integration-part-2-radius-server-config/

Thanks for you participating!

Ah good catch and good job

nspasov — Mon, 17 Nov 2014 17:29:41 GMT

Ah good catch and good job solving your own problem!! Also, thank you for coming back and taking the time to post the solution!!! (+5 from me).

If your issue is resolved, please mark the thread as "answered" 🙂