Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
14066
Views
5
Helpful
2
Replies

Radius Error Message:radius-server attribute 6 on-for-login-auth" is off

yusuf.ujjainwala
Level 1
Level 1

‎02-03-2010 06:26 AM - edited ‎03-10-2019 04:55 PM

I am trying to test the Web Auth Feature on the Cisco 3750 with ACS 5.1 VM ware image.

On the authentication page when I try to put the credentials I get Auth Failed . On the Cisco switch when I did the Radius Debug I am geting error as below

RADIUS/ENCODE(0000000B): dropping service type, "radius-server attribute 6 on-for-login-auth" is off

Then I get the Access-Reject message from the ACS and unable to authenticate.

Can any one suggest what this error means and what is the resolution.

Regards

1 person had this problem
Labels:
0 Helpful
2 Replies 2

Ivan Martinon
Level 7
Level 7

‎02-03-2010 01:24 PM

Hi Yusuf,

Attribute 6 of radius is used to identify the Service Type this radius request is used for, the values are usually Admin, NAS Port, Remote access and some other vaues which I don't have on top of my head. Check on the ACS attibutes if the profile is configured to allow admin logins for this device. See also if you can get the full radius debug on the box since I have seen lots of times that the router/switch sends this attribute 6 error and it is not always the cause of the problem.

0 Helpful

Ganesh Hariharan
VIP Alumni
VIP Alumni

‎02-06-2010 03:03 AM 

I am trying to test the Web Auth Feature on the Cisco 3750 with ACS 5.1 VM ware image.
On
the authentication page when I try to put the credentials I get Auth
Failed . On the Cisco switch when I did the Radius Debug I am geting
error as below
 RADIUS/ENCODE(0000000B): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Then I get the Access-Reject message from the ACS and unable to authenticate.
Can any one suggest what this error means and what is the resolution.
Regards

Hi ,

If this command is configured and the Service-Type attribute is absent in the Access-Accept message packets, the authentication or authorization fails.when you have configured radius-server attribute 6 on-for-login-auth in cisco devices it sends the  Service-Type attribute in the authentication packets.

Note :- The Service-Type attribute is sent by default in RADIUS Accept-Request messages. Therefore, RADIUS tunnel profiles should include "Service-Type=Outbound" as a check item, not just as a reply item. Failure to include Service-Type=Outbound as a check item can result in a security hole.

HTH

Ganesh.H

Customers Also Viewed These Support Documents