Radius IETF ACS 3.3

m.alghisi
Level 1

Hi to everybody.

Why can't I see all the RADIUS attributes from the Interface Configuration HTML page?

I need to set the primary-dns-server (RADIUS attribute number 135) and the secondary-dns-server (RADIUS attribute number 136) RADIUS attributes, but I see only the attributes up to 91.

Thanks a lot

Marco

11 Replies

gfullage
Cisco Employee

You would add these with VSA (Vendor Specific Attributes) that can be added to ACS using CSUtil or RDBMS Sync (since ACS 3.1).

Notice that for the ACS SE/Appliance the only method is RDBMS Sync.

So, consult the ACS 3.2 appliance user guide for info about using RDBMS Sync.

Some links:

Topic about RDBMS support for VSA import:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/user/sad.htm#451579

Beginning of RDBMS feature doc:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/user/sad.htm#451426

Synch. codes appendix:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/user/ag.htm

Table with relevant action codes:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/user/ag.htm#1372

Action codes 350 through 355 support custom VSA definition and config.

Thanks a lot, as soon as possible I will try to test the VSA import.

Best regards

Marco

Marco, I read your post. I have the same question and I followed the attached suggestion.

The RDBMS operation ended with success, but I have not reached the result: I didn't see the new parameters ("135 Primary-DNS-Server" and "136 Secondary-DNS-Server") in the configuration screen.

Have you reached the same result? If not, could you explain to me how you resolved the issue?

Attributes 135 and 136 are part of the base attribute range and not part of a vendor-specific set, and as such cannot be defined via the customizable dictionary mechanism.

In ACS 3.3 it seems there is a bug, since these attributes are defined against an Ascend NAS type, but on attempting to view these attributes inside the Ascend dictionary they don't appear to show up.

Closer inspection of the Windows registry shows these items to be present. So this leaves me thinking there is a bug in CiscoSecure. Possibly the list of Ascend-supported attributes has grown too large for the GUI.

I've managed to come up with a workaround, if you are feeling happy to hack the registry; it is this.

Assuming you are using ACS 3.3, download the attached registry file and double-click on it (open it in Notepad if you want to see what it does).

Now restart CSADMIN

net stop CSADMIN

net start CSADMIN

Now navigate to Interface Configuration -> RADIUS IETF.

You should see attributes 135 and 136; at the bottom, select them for group or user configuration and hit Submit.

You should then see them in any group or user configuration.

Having just rechecked my 3.3, it appears they were showing up in Ascend, so you shouldn't have to do the registry hack.

Simply go to Interface Configuration -> Ascend and enable attributes 135 and 136. They should then appear in the group configuration, assuming you are using an Ascend-compatible device.

E.g. Cisco IOS/PIX

andrewclymer
Level 1

These are not regarded as IETF attributes but Ascend.

You need to have an Ascend or compatible access device configured in Network Configuration.

E.g. Vendor = Ascend or Cisco IOS/PIX

And then go to Interface Configuration

And select Ascend

You should then see 135 and 136; enable them, and then they should be present on the group/user config screens.

This problem stinks. I have tried the RDBMS for IETF 135 and 136 (Primary DNS and Secondary) and it simply doesn't work. I read in places that the solution is Ascend, but the thing is I need to use framed routes (IETF) as well. Is this issue a bug in ACS 3.3, or am I doing something wrong? Why this option wouldn't be included by default eludes me.

Is it that the config doesn't show up, or that the attributes do not get sent to the device?

ACS tries to intelligently (ahem) filter inappropriate attributes.

Therefore, if you have Ascend attributes defined in a group, but the device is defined as Cisco... ACS may well filter out the Ascend attributes.

Easily tested, in the ACS network config set the RADIUS client to be Ascend and re-test.

Yeah, tried setting as Ascend and even Nortel, but it doesn't work for them either. Essentially where the RDBMS is falling over is with the sync. I get a parse error because it doesn't recognise the attribute, and that is because I do not know the correct vendor ID for IETF... which I thought was default or at worst 9 (Cisco). Attached is my current CSV file to enable 135 and 136 (IETF).

Ah, I see the mistake.

These are NOT VSAs. Way back (before VSAs) Ascend simply "stole" a huge chunk of standard attribute numbers for their own purposes.

So use the non-VSA attribute settings actions, e.g. just like you would for setting something like Session-Timeout, and it should be OK.
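An added example, not code from this thread or from ACS, illustrating the distinction drawn in the reply above: attributes 135 and 136 are plain Type/Length/Value AVPs in the standard (IETF) number space, whereas a VSA is attribute 26 wrapping a Vendor-Id and a vendor-private sub-attribute. The DNS addresses are constructed sample values, and Cisco's enterprise number 9 is used only to build the contrasting VSA.

```python
# Added example: encode and classify RADIUS AVPs to show why attributes
# 135/136 (Ascend primary/secondary DNS) are standard-range attributes,
# not Vendor-Specific (26) sub-attributes that a vendor ID could describe.
import ipaddress
import struct

VENDOR_SPECIFIC = 26        # RFC 2865 Vendor-Specific attribute type
VENDOR_ID_CISCO = 9         # IANA enterprise number for Cisco (contrast only)
ASCEND_PRIMARY_DNS = 135    # Ascend-assigned numbers in the IETF range
ASCEND_SECONDARY_DNS = 136


def ipaddr_avp(attr_type, ip):
    """Standard AVP carrying an IPv4 address: Type, Length, 4-byte Value."""
    value = ipaddress.IPv4Address(ip).packed
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def vsa_avp(vendor_id, vendor_type, value):
    """VSA (type 26): Type, Length, Vendor-Id, then vendor Type/Length/Value."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(inner), vendor_id) + inner


def parse_avps(data):
    """Walk a byte string of AVPs; tag each as 'standard' or 'vsa'."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated AVP header at offset %d" % i)
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed AVP at offset %d" % i)
        value = data[i + 2:i + length]
        if t == VENDOR_SPECIFIC:
            vendor_id = struct.unpack("!I", value[:4])[0]
            out.append(("vsa", vendor_id, value[4]))  # vendor id, vendor type
        else:
            out.append(("standard", t, value))
        i += length
    return out


def dns_servers(data):
    """Return the DNS servers carried in standard attributes 135 and 136."""
    found = {}
    for kind, t, value in parse_avps(data):
        if kind == "standard" and t in (ASCEND_PRIMARY_DNS, ASCEND_SECONDARY_DNS):
            name = "primary" if t == ASCEND_PRIMARY_DNS else "secondary"
            found[name] = str(ipaddress.IPv4Address(value))
    return found
```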

Could you please tell me where to find the "non-VSA" attribute for DNS. Essentially, as you describe it, the attribute I am after was "stolen" by Ascend and I can't use that? So this still comes back to my point: how do I assign DNS from the RADIUS when it won't allow me to specify it anywhere? Please help me; this is a major flaw with this device.