06-03-2011 03:25 AM - edited 03-10-2019 06:08 PM
Several of my older netscreen devices only support radius authentication and I'm having trouble migrating them from ACS 4.2 to ACS 5.1. When I try to authenticate, the authentication passes in ACS but it doesn't log you into the Netscreen (you see an auth failure in the Netscreen logs). I believe that the custom attributes are not being passed from ACS to the Netscreen. The custom attribute we are trying to pass is "NS-Admin-Privilege" with type integer and a value of 2. The netscreen is set up so that the user privileges are obtained from the ACS server.
Does anyone have a setup where they are using Cisco radius authentication to authenticate Netscreen devices? If so, could you advise on how it's set up?
06-13-2011 02:10 PM
Issue resolved. We finally set up a packet capture device and monitored the ports and found that the VSA was sending a message saying "VSA too short". After comparing our setup with the old setup and then comparing it to Cisco's config, we decided to delete the VSA and restart ACS. After recreating the VSA, everything worked fine. We then tried with a second custom VSA (infoblox) and had the same failed result. We did the same process of deleting, restarting, and recreating and everything worked fine. We've come to the conclusion that something during the import from 4.2 to 5.1 corrupted the VSA config.
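The "VSA too short" message in the resolution above is a length-check failure in the NAS's RADIUS attribute decoder. The following is an added example (not code from the thread, ACS or Juniper) that decodes the Vendor-Specific attribute (type 26) as laid out in RFC 2865 and reproduces that check against two constructed attribute lists: a well-formed NS-Admin-Privilege = 2 and one with a truncated vendor sub-attribute. The NetScreen vendor ID (3224) and the vendor-type of NS-Admin-Privilege (1) are taken from the usual NetScreen RADIUS dictionary and should be treated as assumptions to confirm against your own dictionary file.

```python
import struct

ATTR_VENDOR_SPECIFIC = 26
NETSCREEN_VENDOR_ID = 3224   # assumption: NetScreen IANA enterprise number, verify in your dictionary
NS_ADMIN_PRIVILEGE = 1       # assumption: vendor-type of NS-Admin-Privilege in that dictionary


def parse_attributes(data):
    """Split the attribute section of a RADIUS packet into (type, value) pairs.
    Each attribute is Type(1) Length(1) Value(Length-2) with Length >= 2 (RFC 2865 s.5)."""
    attrs = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("attribute type %d has invalid length %d" % (atype, alen))
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def parse_vsa(value):
    """Decode a Vendor-Specific (26) value: Vendor-Id(4) followed by one or more
    Vendor-Type(1) Vendor-Length(1) Vendor-Data sub-attributes (RFC 2865 s.5.26).
    Raises ValueError with a 'VSA too short' message when the declared lengths do
    not fit in the bytes actually present, which is the condition a NAS reports."""
    if len(value) < 6:
        raise ValueError("VSA too short: %d bytes, need at least 6" % len(value))
    vendor_id = struct.unpack("!I", value[:4])[0]
    subs = []
    pos = 4
    while pos < len(value):
        if len(value) - pos < 2:
            raise ValueError("VSA too short: truncated sub-attribute header")
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            raise ValueError("VSA too short: sub-attribute type %d declares length %d, "
                             "%d bytes remain" % (vtype, vlen, len(value) - pos))
        subs.append((vtype, value[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subs


def netscreen_admin_privilege(attr_bytes):
    """Return the NS-Admin-Privilege integer carried in a RADIUS attribute list,
    or None when no NetScreen VSA with that vendor-type is present."""
    for atype, value in parse_attributes(attr_bytes):
        if atype != ATTR_VENDOR_SPECIFIC:
            continue
        vendor_id, subs = parse_vsa(value)
        if vendor_id != NETSCREEN_VENDOR_ID:
            continue
        for vtype, data in subs:
            if vtype == NS_ADMIN_PRIVILEGE:
                if len(data) != 4:
                    raise ValueError("NS-Admin-Privilege must be a 4-byte integer, got %d bytes" % len(data))
                return struct.unpack("!I", data)[0]
    return None


def validate(attr_bytes):
    """Summarise an attribute list the way a troubleshooting check would:
    ('ok', privilege) or ('malformed', reason)."""
    try:
        priv = netscreen_admin_privilege(attr_bytes)
    except ValueError as exc:
        return ("malformed", str(exc))
    return ("ok", priv)


def build_vsa(vendor_id, vendor_type, data):
    """Encode one well-formed Vendor-Specific attribute."""
    sub = bytes([vendor_type, 2 + len(data)]) + data
    value = struct.pack("!I", vendor_id) + sub
    return bytes([ATTR_VENDOR_SPECIFIC, 2 + len(value)]) + value


# Constructed samples, not captured traffic.
# A correct Access-Accept attribute list carrying NS-Admin-Privilege = 2:
GOOD_ATTRS = build_vsa(NETSCREEN_VENDOR_ID, NS_ADMIN_PRIVILEGE, struct.pack("!I", 2))
# A corrupted one: the sub-attribute declares Vendor-Length 6 but only 2 data bytes follow.
BAD_ATTRS = (bytes([ATTR_VENDOR_SPECIFIC, 10])
             + struct.pack("!I", NETSCREEN_VENDOR_ID)
             + bytes([NS_ADMIN_PRIVILEGE, 6, 0, 2]))

if __name__ == "__main__":
    print("good:", validate(GOOD_ATTRS))
    print("bad: ", validate(BAD_ATTRS))
```

Feeding the raw attribute bytes from a capture of the Access-Accept into `validate()` separates "ACS never sent the VSA" (result `('ok', None)`) from "ACS sent an encoding the NAS rejects" (`('malformed', ...)`), which is the distinction that settled this thread.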
04-22-2013 06:16 AM
Does anyone know how to set up the NetScreen VSA and Authorization Profile for Radius to work between ACS V5 and Juniper Netscreen? Plenty of documents on how to get TACACS to work but a lot of our Junipers are on the older software and don't have the TACACS option.