02-10-2012 05:34 AM - edited 03-10-2019 06:48 PM
Hi everyone,
I've configured SSH via TACACS+ successfully, but Web (SSL) via RADIUS seems to be impossible. The ACS reports that my authentication was successful, but the switch asks mercilessly again and again for the credentials.
Do I have to send any specific RADIUS attributes with the authorization profiles?
Perhaps someone resolved this problem.
Thanks in advance,
Paul
02-13-2012 06:32 AM
Here are the steps that I can see in the RADIUS Authentication Detail:
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - Switch Web Admin
Evaluating Identity Policy
15004 Matched rule
15013 Selected Identity Store - Internal Users
24210 Looking up User in Internal Users IDStore - freiberg
24212 Found User in Internal Users IDStore
22037 Authentication Passed
Evaluating Group Mapping Policy
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15004 Matched rule
15016 Selected Authorization Profile - Permit Access
11002 Returned RADIUS Access-Accept
But the HP Switches are not very impressed by this "RADIUS Access-Accept"...
02-13-2012 11:31 AM
Hello Paul,
It sounds like the HP router is expecting additional information or attributes to be sent by the RADIUS server to complete the connection for WebVPN.
I have checked, and I was not able to find any attributes on the Cisco side for HP router VPN access to work. Can you check with HP support and verify whether a RADIUS dictionary has to be installed on the ACS server for it to send additional information?
Usually 3rd-party vendor support should provide you with the appropriate dictionary file, if applicable.
If this was helpful please rate.
Regards.
02-13-2012 11:36 PM
Thanks for your reply,
The problem is a bit more trivial. The HP 2848/2810 are layer 2 switches, and I only want to authenticate the web admin interface via RADIUS.
I found this page:
There are some session-identification attributes like User-Name and Acct-Session-ID which sound interesting. I found these attributes within RADIUS-IETF, but they are not listed when I want to add them to an authorization profile.
Perhaps you could find a dictionary file for those HP switches.
Thanks in advance,
Paul
02-23-2012 02:32 AM
Hi, I made it!
I had to transmit the "Service-Type" RADIUS attribute: "Administrative" for enable (manager) access and "NAS-Prompt" for operator access.
This page was very helpful:
Bye
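Added example, not part of the thread and not HP or Cisco code: the Python below builds a RADIUS Access-Accept the way the server sends it (Response Authenticator per RFC 2865 section 3), once as a bare accept like the "Permit Access" profile in the ACS log above and once each with Service-Type set to Administrative (6) and NAS-Prompt (7), then decodes it the way the switch does: verify the authenticator, walk the attribute TLVs, and map Service-Type to manager or operator as the last post reports. The shared secret, packet identifier and Request Authenticator are constructed test values, the username is the one from the ACS log, and the manager/operator mapping is taken from the thread, not checked against HP documentation.

```python
"""Build and decode RADIUS Access-Accept packets with and without Service-Type.

Added example for this thread, not HP or Cisco code. The shared secret and
Request Authenticator below are constructed test values.
"""
import hashlib
import hmac
import struct

# RADIUS packet code and attribute types (RFC 2865)
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_SERVICE_TYPE = 6

# Service-Type values (RFC 2865 section 5.6)
SERVICE_TYPE_ADMINISTRATIVE = 6
SERVICE_TYPE_NAS_PROMPT = 7

# Mapping reported in the thread for the HP ProCurve web admin login:
# Administrative -> manager (enable) access, NAS-Prompt -> operator access.
HP_ROLE_BY_SERVICE_TYPE = {
    SERVICE_TYPE_ADMINISTRATIVE: "manager",
    SERVICE_TYPE_NAS_PROMPT: "operator",
}


def encode_attribute(attr_type, value):
    """Type-Length-Value encoding; Length counts the two header bytes too."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value longer than 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_accept(identifier, request_authenticator, secret, attributes):
    """Assemble an Access-Accept as the RADIUS server sends it.

    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    """
    body = b"".join(encode_attribute(t, v) for t, v in attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    response_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + response_auth + body


def verify_response_authenticator(packet, request_authenticator, secret):
    """Check the Response Authenticator the way the NAS (the switch) must."""
    header, received, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + body + secret).digest()
    return hmac.compare_digest(expected, received)


def parse_attributes(packet):
    """Walk the attribute TLVs, rejecting lengths that run past the packet."""
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS Length field does not match packet size")
    attributes, pos = [], 20
    while pos < length:
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed RADIUS attribute at offset %d" % pos)
        attributes.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attributes


def hp_role_from_access_accept(packet, request_authenticator, secret):
    """Return 'manager', 'operator', or None when no usable Service-Type is present.

    None models the situation in the thread: an Access-Accept the switch cannot
    map to a privilege level, so the web UI prompts for credentials again.
    """
    if packet[0] != ACCESS_ACCEPT:
        return None
    if not verify_response_authenticator(packet, request_authenticator, secret):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    for attr_type, value in parse_attributes(packet):
        if attr_type == ATTR_SERVICE_TYPE and len(value) == 4:
            (service_type,) = struct.unpack("!I", value)
            return HP_ROLE_BY_SERVICE_TYPE.get(service_type)
    return None


# Constructed test values: a real switch sends a random 16-byte Request
# Authenticator in its Access-Request; the secret is whatever was configured.
SECRET = b"testing123"
REQUEST_AUTH = bytes(range(16))
USER = (ATTR_USER_NAME, b"freiberg")  # username from the ACS log in the thread

# Bare "Permit Access" style reply: authentication accepted, but no Service-Type.
ACCEPT_BARE = build_access_accept(7, REQUEST_AUTH, SECRET, [USER])
# Reply carrying Service-Type = Administrative (6) -> manager access.
ACCEPT_MANAGER = build_access_accept(7, REQUEST_AUTH, SECRET, [
    USER, (ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE)),
])
# Reply carrying Service-Type = NAS-Prompt (7) -> operator access.
ACCEPT_OPERATOR = build_access_accept(7, REQUEST_AUTH, SECRET, [
    USER, (ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_NAS_PROMPT)),
])

if __name__ == "__main__":
    for name, pkt in [("bare", ACCEPT_BARE), ("manager", ACCEPT_MANAGER),
                      ("operator", ACCEPT_OPERATOR)]:
        print(name, pkt.hex(), "->", hp_role_from_access_accept(pkt, REQUEST_AUTH, SECRET))
```

Run it with python3: the bare accept decodes to None, which is the case the thread describes as the switch re-prompting, while the two replies that carry attribute type 6 decode to manager and operator. To confirm what the ACS is actually sending, capture the Access-Accept on the wire and look for a type 6 TLV in the payload after the 20-byte header; if it is absent, the authorization profile is not adding Service-Type.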