09-11-2015 01:47 AM - edited 03-10-2019 11:02 PM
Dear All,
I've been hitting an issue on my ACS 5.6 project with RADIUS authentication for Alcatel devices.
I already manually added the VSA vendor attributes for Alcatel to the ACS RADIUS dictionary, as you can see in the screenshot below. There is one access attribute and four privilege attributes.
This is my Alcatel configuration:
ALCATEL>>>> show configuration snapshot aaa
! AAA :
aaa radius-server "HQACS1" host 10.10.10.10 key cisco retransmit 3 timeout 2 auth-port 1812 acct-port 1813
aaa authentication console "local"
aaa authentication telnet "HQACS1" "local"
aaa authentication snmp "local"
aaa authentication ssh "local"
aaa accounting session "HQACS1"
And these are the privilege values that I get from the device:
ALCATEL>>> show aaa priv hexa telnet
0x00000008 0x00000000
ALCATEL>>> show aaa priv hexa ssh
0x00000002 0x00000000
ALCATEL>>> show aaa priv hexa telnet ssh
0x0000000a 0x00000000
I already tried using these three privilege combinations for my write value and the result is the same every time.
My current status: I can log in with the ACS user (so the authentication passed).
Running the command "show configuration snapshot" works.
But other commands fail.
ALCATEL>>>> interfaces 1/20 admin down
ERROR: Authorization failed. No functional privileges for this command
These are the RADIUS Authentication reports on ACS:
These are the RADIUS Accounting reports on ACS:
Any help is appreciated.
Thanks all.
09-14-2015 02:45 PM
Hello,
For this type of scenario it is necessary to engage third-party support (Alcatel) to confirm that you are adding the proper values and not missing any of the needed ones.
It is not an issue with authorization against the ACS when you type in the command, since with RADIUS, authentication and authorization are sent together with the initial "access-accept" message. So basically all the attributes you have listed on the "authorization profile" were sent with the "access-accept" when you were able to log into the Alcatel device.
09-15-2015 05:19 PM
Yes, what went wrong before was the authentication value on my VSA attributes.
The correct type for all access privilege attributes is Unsigned Integer 32, and the value is 4294967295.
One question remains: does the RADIUS VSA for Alcatel support accounting sessions? As you can see, the accounting log is just showing accounting start (and stop after I typed the exit command), but no command log whatsoever between them.
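To make the two points above concrete (the privilege VSAs ride inside the Access-Accept, and the value must be encoded as a 4-byte Unsigned Integer 32), here is an added example, not code from the thread or from ACS. It packs and unpacks the RFC 2865 Vendor-Specific attribute (type 26) the way ACS would send it; the vendor ID and vendor-type numbers are placeholders to be taken from the real Alcatel dictionary, and the mask values come from the device output quoted earlier in the thread.

```python
import struct

# Placeholders, not from the thread: substitute the vendor ID and vendor-type
# numbers from the Alcatel dictionary you loaded into ACS.
ALCATEL_VENDOR_ID = 800                        # assumed value
PRIV_VENDOR_TYPES = {"priv_r1": 2, "priv_r2": 3,
                     "priv_w1": 4, "priv_w2": 5}  # assumed numbering

ALL_PRIVILEGES = 4294967295                   # 0xFFFFFFFF, the value that worked


def priv_mask(*family_masks):
    """OR together per-command-family masks, as 'show aaa priv hexa' does
    (telnet 0x8 | ssh 0x2 -> 0xa); result is kept to 32 bits."""
    mask = 0
    for m in family_masks:
        mask |= m
    return mask & 0xFFFFFFFF


def encode_vsa(vendor_id, vendor_type, value):
    """RFC 2865 Vendor-Specific attribute: Type=26, Length, Vendor-Id (4 bytes),
    then the vendor's own Type, Length and value. An int is encoded as a
    big-endian unsigned 32-bit integer; a str is sent as raw ASCII, which is
    the wrong type for these privilege attributes."""
    if isinstance(value, int):
        payload = struct.pack("!I", value)     # exactly 4 bytes
    else:
        payload = value.encode("ascii")        # e.g. "4294967295" -> 10 bytes
    vendor_attr = struct.pack("!BB", vendor_type, 2 + len(payload)) + payload
    return struct.pack("!BBI", 26, 6 + len(vendor_attr), vendor_id) + vendor_attr


def decode_vsa(data):
    """Return (vendor_id, vendor_type, raw_value_bytes) from one encoded VSA."""
    attr_type, length, vendor_id = struct.unpack("!BBI", data[:6])
    if attr_type != 26 or length != len(data):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_type, vendor_len = struct.unpack("!BB", data[6:8])
    return vendor_id, vendor_type, data[8:6 + vendor_len]


def build_privilege_attrs(priv_value):
    """The four privilege VSAs as they would travel inside the Access-Accept."""
    return [encode_vsa(ALCATEL_VENDOR_ID, vt, priv_value)
            for vt in PRIV_VENDOR_TYPES.values()]


def decoded_priv_value(vsa):
    """Interpret a decoded VSA value as the switch does: an unsigned 32-bit int."""
    _, _, raw = decode_vsa(vsa)
    return struct.unpack("!I", raw)[0] if len(raw) == 4 else None
```

Comparing `len(encode_vsa(..., 4294967295))` with `len(encode_vsa(..., "4294967295"))` shows why the attribute type matters: the string form is six bytes longer and does not decode as a 32-bit mask.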
09-15-2015 05:57 PM
Hi,
That is totally expected, as the RADIUS protocol does not support command authorization/accounting, as you can see in the link below:
http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/13838-10.html
Note: Please mark this reply as answered if applicable.
09-16-2015 09:27 PM
I think RADIUS does support accounting, because:
- I have command "aaa accounting session" on the Alcatel
- I have a set of attributes in the RADIUS IETF dictionary on ACS for accounting purposes.
The problem is I don't know which attribute and value can make it work.
Or maybe RADIUS accounting can only generate session start and stop records without knowing the commands, unlike TACACS+?
Radius accounting: Provides user accounting information based on RADIUS for a selected time period.
Tacacs accounting: Provides user or command accounting information for TACACS+ authentications for a selected time period.
http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-6/user/guide/acsuserguide/viewer_reporting.html#74003
09-17-2015 05:37 AM
Hi,
That is correct, RADIUS does support accounting. What I said above is that it does not support "command" authorization/accounting; that only works with TACACS+.
09-17-2015 07:18 PM
Thanks for the answers ivangonz :)
09-18-2015 06:23 AM
Hi,
You are very welcome. It has been a pleasure.
Regards,