
ACS ver 3.3 IETF Radius Attributes

I didn't find the standard IETF attributes "135 Primary-DNS-Server" and "136 Secondary-DNS-Server" in any configuration screen. I need to provide these values to my clients.

Where can I find that? Thanks


dan.reynolds
Level 1

I am not sure if this helps, but you can find an attribute that is similar under the interface configuration / radius VPN 3000.

I changed my radius client from "standard IETF" to "Radius-Cisco VPN 3000" and then I set the values "CVPN3000-Primary-DNS" and "CVPN3000-Secondary-DNS" with the server's IP address.

But on the client side (PPP dial-up connection from Microsoft operating systems), after normal connection completion, the client doesn't receive the value of the DNS.

The connection is based on two authentication steps:

1) The client calls a phone number provided by the Telco provider. The Telco has a Radius server that checks the realm (the value after the @ character); if it is a valid value, the Telco Radius proxies the request to my ACS Radius.

2) My ACS Radius knows the Telco Radius as an AAA client Radius, so it checks the value username@realm + password received from the Telco Radius. If it receives the correct value, the authorization process provides the client with an IP address from the pool and, in this phase, I try to provide the DNS to the client.

The whole process works properly except the DNS assignment.

The systems engineer from the Telco provider replied to me that the problem is probably on my ACS, because it isn't able to complete the authorization phase with standard IETF values ("135 Primary-DNS-Server" and "136 Secondary-DNS-Server"). The Telco Radius doesn't accept any vendor AV pairs.

In the standard documentation I found that the ACS Radius supports these values (http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_user_guide_chapter09186a008023360b.html)

but I didn't find them in any configuration screen.

In your opinion where is my mistake?

Thanks.

Hello!

I might be able to help you! I have the same problem: PPP dialup authenticated and configured via ACS (configuring IP and DNS for PPP client remote access).

AS5200 IOS 12.1(27) and ACS 3.3

According to http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113t/113t_4/dnsserv.htm

You need to use IETF attribute 26 CiscoID 9 vendor-type 1

In ACS 3.3, IETF attribute 26 seems to be supported if you look in the online help, but it's not visible in any interface. According to a recent posting (http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=AAA&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd6e5df) you need to import IETF attribute 26 with CSutil.exe in ACS 3.3. Ref: http://www.cisco.com/en/US/customer/products/sw/secursw/ps2086/products_user_guide_chapter09186a00802335eb.html#wp365780

Let me know if I am wrong; I haven't tried it yet.
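An added example, not part of any post in this thread: a Python sketch of how the two options discussed above differ on the wire, with attributes 135/136 as plain attributes and the DNS servers carried inside attribute 26 with vendor ID 9, vendor-type 1. Assumptions: 135/136 carry a 4-byte IPv4 address, the AV pair string is `ip:dns-servers=...`, the proxy is modelled as dropping attribute 26, and the addresses are constructed documentation values.

```python
import socket
import struct

VENDOR_SPECIFIC = 26                      # IETF attribute 26
CISCO_VENDOR_ID = 9                       # "CiscoID 9" in the post above
PRIMARY_DNS, SECONDARY_DNS = 135, 136     # attribute numbers named in the question

def encode_attr(attr_type, value):
    """RADIUS attribute TLV: type, length (header included), value."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return bytes([attr_type, len(value) + 2]) + value

def encode_ip_attr(attr_type, ip):
    """Attribute whose value is a 4-byte IPv4 address (assumed format for 135/136)."""
    return encode_attr(attr_type, socket.inet_aton(ip))

def encode_cisco_avpair(text):
    """Attribute 26 wrapping vendor ID 9, vendor-type 1 (cisco-avpair string)."""
    sub = encode_attr(1, text.encode("ascii"))
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)

def parse_attrs(blob):
    """Return [(type, vendor_id, vendor_type, value)]; vendor fields are None unless type 26."""
    out, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2 or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        attr_type, value = blob[i], blob[i + 2:i + blob[i + 1]]
        i += blob[i + 1]
        if attr_type != VENDOR_SPECIFIC:
            out.append((attr_type, None, None, value))
            continue
        # Simplification: exactly one sub-attribute per vendor-specific attribute.
        if len(value) < 6 or value[5] != len(value) - 4:
            raise ValueError("malformed vendor-specific attribute")
        vendor_id = struct.unpack("!I", value[:4])[0]
        out.append((attr_type, vendor_id, value[4], value[6:]))
    return out

def drop_vendor_attrs(blob):
    """Assumed proxy behaviour: forward everything except attribute 26."""
    kept = [(t, v) for t, vid, _, v in parse_attrs(blob) if t != VENDOR_SPECIFIC]
    return b"".join(encode_attr(t, v) for t, v in kept)

# Constructed sample attribute list (documentation addresses, not from the thread).
SAMPLE = (encode_ip_attr(PRIMARY_DNS, "192.0.2.53")
          + encode_ip_attr(SECONDARY_DNS, "192.0.2.54")
          + encode_cisco_avpair("ip:dns-servers=192.0.2.53 192.0.2.54"))
```

Running `parse_attrs(drop_vendor_attrs(SAMPLE))` shows that under this model only the 135/136 entries would reach the dial-up client.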

m.maiorino
Level 1

Hello,

I have a similar problem. I have an ACS ver. 3.2 for Windows and I cannot find where to select the IETF radius attribute #88 (Framed-Pool).

I want to assign the IP by the Framed-Pool attribute but there isn't a way to select it.

The case is strange, because in the online help the attribute appears... but not in the configuration screens.

Thanks for your answer.

Massimo

To be able to view the attributes in User/Groups you have to go to the 'Interface Configuration' and enable them. By default they are not visible.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/3.3/user/guide/i.html#wp576076

Regards

Farrukh