
ISE 1.3 - How to add login-service = ssh into ietf radius attributes

Thibault BRISSE
Level 1

Hello,

 

I have to configure AAA on HP 6125 (c7000 enclosure) with ISE for SSH and TELNET access.

It works for TELNET but not for SSH.

 

Attributes sent in access-accept for TELNET are the following:

  • Huawei-Exec-Privilege = 3
  • login-Service = 0

0 is for TELNET. 

 

The problem is that the SSH value is not available by default and you have to add it into the IETF dictionary. I made it with Microsoft NPS and it works perfectly.

Unfortunately it does not seem possible with Cisco ISE. Could you please help me?

 

Regards,

 

Thibault

7 Replies

jan.nielsen
Level 7

Just to be sure, are you saying that for SSH when you use NPS, you just set login-service to something else, and then SSH works?

Yes you are right.

I edited c:\windows\system32\ias\dnary.xml and added the following value to the login-service attribute:

<StandardValue>
    <Name>ssh</Name>
    <Value>50</Value>
</StandardValue>

Unfortunately it is not possible to add this value in ISE.

Regards,

 

Thibault

 

 

As far as I can tell, we can't change the built-in dictionaries, so I'm not sure how to do this. Also, the value "50" is not a standard value for the "Login-Service" IETF RADIUS attribute according to IANA:

https://www.iana.org/assignments/radius-types/radius-types.xml#radius-types-8
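
An added example (not written by any poster in this thread, and not Cisco or HP code): a minimal Python decoder for the Login-Service attribute (type 15) in an Access-Accept, which separates the values defined in RFC 2865 from the device-specific value 50 reported above. The sample packet is constructed with a zeroed authenticator, and the function names are hypothetical.

```python
import struct

LOGIN_SERVICE = 15  # RADIUS attribute type for Login-Service (RFC 2865)
# Values RFC 2865 defines for Login-Service
IANA_VALUES = {0: "Telnet", 1: "Rlogin", 2: "TCP Clear", 3: "PortMaster",
               4: "LAT", 5: "X25-PAD", 6: "X25-T3POS", 8: "TCP Clear Quiet"}
# Device-specific value reported in this thread for the HP 6125 (not in RFC 2865)
DEVICE_VALUES = {50: "ssh"}

def parse_attributes(packet):
    """Return [(type, value_bytes)] from a RADIUS packet: 20-byte header, then TLVs."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def login_services(packet):
    """Decode each Login-Service attribute as (value, name, defined_in_rfc)."""
    found = []
    for atype, value in parse_attributes(packet):
        if atype != LOGIN_SERVICE:
            continue
        if len(value) != 4:
            raise ValueError("Login-Service must be a 4-byte integer")
        (number,) = struct.unpack("!I", value)
        if number in IANA_VALUES:
            found.append((number, IANA_VALUES[number], True))
        else:
            found.append((number, DEVICE_VALUES.get(number, "unknown"), False))
    return found

def build_accept(login_service):
    """Constructed sample Access-Accept (code 2, id 1) with a zeroed authenticator."""
    attr = struct.pack("!BBI", LOGIN_SERVICE, 6, login_service)
    return struct.pack("!BBH", 2, 1, 20 + len(attr)) + bytes(16) + attr

if __name__ == "__main__":
    for sample in (0, 50):
        print(sample, login_services(build_accept(sample)))
```

Feeding it the RADIUS payload bytes of a captured Access-Accept shows which Login-Service value the AAA server actually returned for a Telnet or SSH login.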

fdelrio
Level 1

Hello, 

Have you found a solution to your problem in the past 2 months?

Because even if 50 is not standard, it's what the equipment needs :-(

 

Regards,

 

Franck

Hello,

 

We use ISE for Cisco devices and Microsoft NPS for HP devices.

ISE is configured as a RADIUS proxy to simplify RADIUS settings on HP and Cisco devices.

 

Regards

Thanks

That's bad news.

Roger Base
Level 1

I know this is an old discussion, but how do you enable the RADIUS login-service 15 attribute in Cisco IOS to send to ISE?