06-17-2010 06:20 AM - edited 03-10-2019 05:11 PM
Hi,
I've got a problem with the ACS 5.1 RADIUS Authentication for Nortel network devices (Baystack 470, ERS 5530 5510, Passport 8606).
After configuring RADIUS on these devices (primary serv, secondary serv, secret key, port...) and adding them to my ACS servers, I can't manage to log in using RADIUS and I get the following message:
"Permission denied, please try again" or "No response from RADIUS server"(?) (depending on the device type)
But in my ACS View, I can see : "Authentication succeeded."
I've also checked the RADIUS frames, the "Access-Request" and "Access-Accept" are correctly transmitted.
I've got no problems with RADIUS Auth using other brand devices.
Are there any known issues with Nortel devices using Cisco ACS 5.1 with RADIUS Authentication?
Regards.
06-17-2010 06:57 AM
Marc,
Did you set up Radius VSA Nortel?
Please check this link,
Regards,
~JG
Do rate helpful posts
06-17-2010 07:12 AM
What do you mean by "setting up Nortel VSA"?
I've checked the documentation and my server. There isn't much I can do, except changing or creating other attributes.
06-17-2010 07:24 AM
You need to set up Network Access Authorization Policy -->Rule--> Compound Condition--->Radius Nortel.
Regards,
~JG
Do rate helpful posts
06-18-2010 01:23 AM
Are you sure that setting up a compound condition will help?
To me, the RADIUS Nortel VSA are used for Authorization, and my problem is about Authentication (usually for a simple authentication, we stay in the IETF RADIUS Standards? no?)
Also, will setting this condition change the Access-Accept packets sent by the ACS to the device?
Here are my steps in the ACS View:
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - Default Network Access
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - Internal Users
24210 Looking up User in Internal Users IDStore - radius
24212 Found User in Internal Users IDStore
22037 Authentication Passed
Evaluating Group Mapping Policy
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - Permit Access
11002 Returned RADIUS Access-Accept
So I think the ACS does its job.
06-01-2011 05:57 AM
Hi Marc,
Did you manage to find the answer to this? - Having the exact issue at the moment.
Thanks
06-02-2011 03:46 AM
Hello Andrew,
Did you configure an authorization profile for Nortel using their VSA and see if it helped?
Looks like authorization policy is needed & will be pushed by the new ACS even if only radius authentication is setup on the Nortel device