11-21-2008 06:38 AM
Hi,
Does anyone have a working configuration where user authentication is done by RADIUS? I've done everything as the documentation said, but still without success :-(
In the ONS log I see the following, but I cannot find any help on which attribute is wrong, even though the configuration was done step by step from the guide:
Security::General::loginEMS::Fail (Invalid Radius svc attr)(user-10.40.1.7) 0 F user
we use ACS 3.3 as Radius
I set option #26.
ONS ver. 8.5
11-21-2008 10:20 AM
Is your ACS UNIX based or Windows?
Is the ONS an ENE or GNE?
Here are the steps in the Procedure Guide for the ONS:
Make sure you complete this:
Step 13 Click the Enable the Node as the Final Authenticator check box if you want the node to be the final authenticator. This means that if every RADIUS authenticator is unavailable, the node will authenticate the login rather than locking the user out.
Do not configure a node for RADIUS authentication until after you have added that node to the RADIUS server and added the RADIUS server to the list of authenticators. If you do not add the node to a RADIUS server prior to activating RADIUS authentication, no user will be able to access the node unless you complete Step 13.
On the Windows ACS here are the steps:
1. Add the ONS as an AAA client
2. Enable Per-user TACACS+/RADIUS Attributes
3. Enable Per-user Service Type
4. Create the User
5. Set the Cisco IOS/PIX 6.x RADIUS Attributes
[009\001] cisco-av-pair
shell:priv-lvl=3
Where:
The following Cisco vendor-specific attribute (VSA) needs to be specified when adding users to the RADIUS server:
shell:priv-lvl=N, where N is:
0 for Retrieve User
1 for Maintenance User
2 for Provisioning User
3 for Super User.
6. Set the IETF RADIUS Attributes
[006] Service-Type = Login
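The two attributes from steps 5 and 6 of the answer above, checked in the attribute section of a RADIUS reply. This is an added example, not part of the original thread or of Cisco's documentation: the helper names are hypothetical, the sample bytes are constructed, and the attribute numbers follow RFC 2865 (Service-Type 6 with Login = 1, Vendor-Specific 26, Cisco vendor ID 9, cisco-av-pair sub-type 1).

```python
import struct

CISCO_VENDOR_ID = 9    # "[009\001]" in ACS: vendor 9, sub-attribute 1
CISCO_AV_PAIR = 1
SERVICE_TYPE = 6       # IETF attribute [006]
VENDOR_SPECIFIC = 26   # IETF attribute 26 carries vendor-specific attributes
LOGIN = 1              # Service-Type value for Login
LEVELS = {0: "Retrieve", 1: "Maintenance", 2: "Provisioning", 3: "Super User"}


def tlvs(buf):
    """Yield (type, value) from type/length/value attributes; length counts the 2-byte header."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2 or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % pos)
        typ, length = buf[pos], buf[pos + 1]
        yield typ, buf[pos + 2:pos + length]
        pos += length


def check_reply(attrs):
    """Return a list of problems; an empty list means both attributes are present and valid."""
    service_type, priv = None, None
    for typ, val in tlvs(attrs):
        if typ == SERVICE_TYPE and len(val) == 4:
            service_type = struct.unpack("!I", val)[0]
        elif typ == VENDOR_SPECIFIC and len(val) > 4:
            if struct.unpack("!I", val[:4])[0] != CISCO_VENDOR_ID:
                continue  # another vendor's attribute
            for vtyp, vval in tlvs(val[4:]):
                text = vval.decode("ascii", "replace")
                if vtyp == CISCO_AV_PAIR and text.startswith("shell:priv-lvl="):
                    priv = text.split("=", 1)[1]
    problems = []
    if service_type != LOGIN:
        problems.append(f"Service-Type is {service_type}, expected Login (1)")
    if priv is None:
        problems.append("no cisco-av-pair shell:priv-lvl=N")
    elif not priv.isdigit() or int(priv) not in LEVELS:
        problems.append(f"shell:priv-lvl={priv} is outside 0-3")
    return problems


def attr(typ, val):
    """Encode one attribute (hypothetical helper used to build the samples)."""
    return bytes([typ, len(val) + 2]) + val


# Constructed sample attribute blocks, not captured traffic.
VSA = attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + attr(CISCO_AV_PAIR, b"shell:priv-lvl=3"))
GOOD = attr(SERVICE_TYPE, struct.pack("!I", LOGIN)) + VSA
MISSING_SERVICE_TYPE = VSA  # the case raised in the last reply of the thread
```
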
11-21-2008 02:08 PM
Thanks for the quick reply.
ACS is Windows based.
ONS is ENE.
Everything you mentioned I've already done, but the last one, with Service-Type, can be the solution.
I'll check this with the customer on Monday.
I hope that this will help :-)
Thanks & have a nice weekend