03-12-2012 12:13 PM - edited 03-10-2019 06:53 PM
Hi experts,
I am using ACS 5.3. I need to set up MAC authentication on an Enterasys switch with Cisco ACS 5.3. I get the following error:
Parsing error or event type unknown:xxxxxxxxxxxxx ERROR RADIUS : RADIUS packet contains invalid attribute(s) ;Failed-Attepmt:Radius request dropped
How can I integrate Custom Attribute Enterasys A2 Switch with Cisco ACS 5.3?
Thanks.
03-13-2012 12:33 AM
I think what you need to do is define the vendor attributes for this device.
This can be done as follows:
Go to System Administration > Configuration > Dictionaries > Protocols > RADIUS > RADIUS VSA.
You can define the new RADIUS vendor by pressing "Create". Vendor ID is the assigned ID. Attribute prefix allows you to assign a standard prefix to all attributes for this vendor. Names of all RADIUS attributes must be unique across all vendors.
Once you have defined the RADIUS vendor, you can select it from the list and press "Show Vendor Attributes". You can now define the attributes for this vendor. This option is also available from the left navigation by selecting the vendor name.
Note that adding/removing vendor attributes takes a little time (quite a few seconds), so don't be perturbed.
03-13-2012 02:39 PM
Once I had problems with RADIUS between a Cisco switch and Cisco ACS. The switch didn't understand some RADIUS attributes, so I had to configure "radius-server vsa send authentication" on the switch, so the switch could understand Vendor Specific Attributes. That command fixed my problem.
I guess the same is happening with your Enterasys switch.
Another option would be to capture the packet sent from ACS to see what attributes ACS is sending. That way you can deduce which attributes are not understood by the Enterasys and try to configure ACS not to send those attributes. But I really don't think the ACS is the problem, but the switch.
Kind regards
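The packet inspection suggested in the reply above, as an added example that is not part of the original thread: a minimal RFC 2865 attribute walker that lists each standard attribute and each Vendor-Specific (type 26) sub-attribute in a captured RADIUS payload and rejects malformed lengths. The sample packet, vendor ID 99999 and the helper names are constructed for illustration, and the parser assumes the vendor uses the RFC-recommended type/length sub-attribute layout.

```python
import struct

def parse_vsa(value: bytes):
    """Split one Vendor-Specific (type 26) value into vendor sub-attributes.
    Assumes the RFC 2865 recommended vendor-type/vendor-length layout."""
    if len(value) < 6:
        raise ValueError("Vendor-Specific attribute too short")
    vendor_id = struct.unpack("!I", value[:4])[0]
    subs, pos = [], 4
    while pos < len(value):
        if pos + 2 > len(value):
            raise ValueError(f"vendor {vendor_id}: truncated sub-attribute")
        v_type, v_len = value[pos], value[pos + 1]
        if v_len < 2 or pos + v_len > len(value):
            raise ValueError(f"vendor {vendor_id}: bad length on type {v_type}")
        subs.append({"type": 26, "vendor_id": vendor_id,
                     "vendor_type": v_type, "value": value[pos + 2:pos + v_len]})
        pos += v_len
    return subs

def parse_radius(packet: bytes):
    """Return (code, identifier, attributes) for one RADIUS UDP payload."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the payload")
    attrs, pos = [], 20                  # attributes follow the authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError(f"truncated attribute header at offset {pos}")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"attribute {a_type}: invalid length {a_len}")
        value = packet[pos + 2:pos + a_len]
        attrs.extend(parse_vsa(value) if a_type == 26
                     else [{"type": a_type, "value": value}])
        pos += a_len
    return code, ident, attrs

def build_sample() -> bytes:
    """Constructed Access-Accept (code 2): User-Name plus one placeholder VSA."""
    attr = lambda t, v: bytes([t, len(v) + 2]) + v
    body = attr(1, b"001122334455")      # User-Name carrying a made-up MAC
    body += attr(26, struct.pack("!I", 99999) + attr(1, b"constructed=value"))
    return struct.pack("!BBH", 2, 7, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    print(*parse_radius(build_sample())[2], sep="\n")
```

Comparing the vendor IDs and vendor types this prints against the entries defined under RADIUS VSA in the ACS dictionary shows which attributes one side sends that the other has no definition for.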
03-16-2012 08:05 AM
Thanks for your help. I had to configure RADIUS attributes on the switch. My problem is solved.
Kind Regards.
11-26-2013 06:48 AM
Hi,
Do you maybe have a sample config for Enterasys and ACS 5.X, or a short guide?
We are trying the same thing at the moment.
MAC Authentication against Cisco ACS with Enterasys.
But nothing works.
Even if the ACS denied the access, the Enterasys didn't disable the port.