12.2(11)JA1 & Admin Access via RADIUS/ACS3.2

abrancat — Sun, 04 Jul 2021 16:13:05 GMT

Hi,

the problem:

I am not able to authenticate the administrator for an aironet1200 AP with 12.2(11)JA1-Firmware over an external RADIUS-Server (Cisco ACS3.2).

the configuration:

Aironet1200:

1. Security->Admin Access->Administrator Authenticated by:->Authentication Server if not found in Local List

2. Server Manager-> Current Server List ->RADIUS->IP,shared-Secret,default Auth. And Acc-Ports, Admin Authentication

ACS 3.2:

1. Network Configuration->New AAA Client-> AAA Client IP Address, Shared Secret-> Authenticate Using=RADIUS (Cisco IOS/PIX)

2. Interface Configuration-> RADIUS (Cisco IOS/PIX)-> [026/009/001] cisco-av-pair for User and Group

3. User Setup->Add User->Username,Password->[ 009\001] cisco-av-pair = aironet:admin-capability=write+ident+admin+firmware

the symptoms:

1. I cant login the Web-Interface. The login Dialog just does not disappear.

2. I cant login telnet. The feedback: % Authentication failed

3. ACS says at Report and Activity->Passed Authentication->Authen O.K !!!

4. The radius debugging on Aironet 12000 shows following:

*Mar 1 17:09:51.359: Radius: radius_port_info() success=1 radius_nas_port=1

*Mar 1 17:09:51.359: RADIUS: added cisco VSA 2 len 4 "tty2"

*Mar 1 17:09:51.360: RADIUS: Send to tty2 id 23 193.22.125.123:1645, Access-Req

uest, len 93

*Mar 1 17:09:51.360: RADIUS: authenticator 1A 74 6C 37 29 55 BA 52 - 07 D6 A1

B8 D7 67 60 CF

*Mar 1 17:09:51.361: RADIUS: NAS-IP-Address [4] 6 193.22.125.124

*Mar 1 17:09:51.361: RADIUS: NAS-Port [5] 6 2

*Mar 1 17:09:51.361: RADIUS: Vendor, Cisco [26] 12

*Mar 1 17:09:51.361: RADIUS: cisco-nas-port [2] 6 "tty2"

*Mar 1 17:09:51.361: RADIUS: NAS-Port-Type [61] 6 Virtual

[5]

*Mar 1 17:09:51.361: RADIUS: User-Name [1] 10 "abrancat"

*Mar 1 17:09:51.361: RADIUS: Calling-Station-Id [31] 15 "193.22.125.41"

*Mar 1 17:09:51.361: RADIUS: User-Password [2] 18 *

*Mar 1 17:09:51.381: RADIUS: Received from id 23 193.22.125.123:1645, Access-Ac

cept, len 109

*Mar 1 17:09:51.381: RADIUS: authenticator 5A 36 0F C0 33 71 22 A3 - 33 8E 2E

D3 1D A2 88 39

*Mar 1 17:09:51.381: RADIUS: Vendor, Cisco [26] 59

*Mar 1 17:09:51.381: RADIUS: Cisco AVpair [1] 53 "aironet:admin-capa

bility=write+ident+admin+firmware"

*Mar 1 17:09:51.382: RADIUS: Class [25] 30

*Mar 1 17:09:51.382: RADIUS: 43 49 53 43 4F 41 43 53 3A 30 30 30 30 30 39 30

[CISCOACS:0000090]

*Mar 1 17:09:51.383: RADIUS: 34 2F 63 31 31 36 37 64 37 63 2F 32

[4/c1167d7c/2]

*Mar 1 17:09:51.383: RADIUS: saved authorization data for user 8A9F74 at 90C254

*Mar 1 17:09:51.383: RADIUS: cisco AVPair "aironet:admin-capability=write+ident

+admin+firmware" not applied for shell

What have I done wrong?

Kind regards

Angelo Brancato

Re: 12.2(11)JA1 & Admin Access via RADIUS/ACS3.2

thomas.chen — Wed, 17 Dec 2003 16:20:22 GMT

I think this is a known issue, not sure if there's any work around but if the admin is configured in an internal database this will work fine.

topic Re: 12.2(11)JA1 & Admin Access via RADIUS/ACS3.2 in Wireless

12.2(11)JA1 & Admin Access via RADIUS/ACS3.2

Re: 12.2(11)JA1 & Admin Access via RADIUS/ACS3.2