A customer is using a telecom provider to provide remote access into their network via 3G. They provide the dialup service, but pass through the authentication request to the customer ACS via RADIUS, which in turn passes back an IP address to the client once authenticated.
I am trying to figure out how to pass them the DNS servers they need to resolve internal resources. I tried using cisco-av-pair in RADIUS (Cisco / IOS) but it doesn't seem to get sent (I am not really surprised).
What I don't follow is why option 026 is missing from the Interface Configuration / RADIUS (IETF) settings. If I could enable that, I could add the attribute to the group containing the servers.
Any ideas why it is missing?
Attribute 26 is not missing from ACS; attribute 26 is vendor specific, so in ACS we have the option to import any vendor attributes you would like to use. In the case of cisco-av-pair this is already imported. On your NAS definition in ACS choose RADIUS (Cisco IOS/PIX 6.0) as your Authenticate Using value. Then go to the group that your user is a part of, edit settings, then use the Jump To box at the top and choose RADIUS (Cisco IOS/PIX 6.0). The cisco-av-pair attribute should be the first attribute available to define. (Note: ACS only displays attributes if you have a Network Device defined to use the attribute type; also, ACS will only send the attribute if the device is defined as that RADIUS type. IETF attributes are always sent.)
If you still do not see the cisco-av-pair attribute in the group configuration, make sure it is enabled in the interface under Interface Configuration -> RADIUS (Cisco IOS/PIX 6.0).
That makes perfect sense. We have IETF attributes, then vendor attributes brought in via the import.
So for the NAS I am referring to, this is already Cisco IOS / PIX, and I have enabled the attribute so I can set it, and I have added the ip:dns-servers setting to the user I want to be allocated the DNS servers.
However, the cisco-av-pair in the log comes up blank: "..", which led me to believe that the way I had set it up was incorrect, as the av pairs weren't appearing to be set.
So I posted this here.
It is difficult to see whether this is working from the customer end, as they get the standard 3G DNS servers no matter what - 10.11.12.13.
Should I consider the absent av pair in the log a sign it isn't working or look further along the chain to see where it is getting lost?
Can you attach screenshots of your Network Device configuration for this router and the group setting where you are configuring the RADIUS attributes? If you are setting this under the cisco-av-pair box and your device is set to RADIUS (Cisco IOS/PIX), then the attribute should be sent.
Sorry for the delay in getting back to you.
It turns out that the end device is not listening for cisco-av-pair, instead I am sending the dns servers using IETF 135-137. Under ACS, these attributes form part of the Ascend vendor attributes rather than IETF.
The upstream RADIUS server (the client to this one) is configured as an AAA Client, with Authenticate Using: RADIUS (IETF). Does this mean that it won't send through the attributes in the Ascend group, even if I have those attributes configured in the Users settings?
This is certainly how it appears to behave; sniffing the RADIUS packets shows that attributes 135-137 are not being passed upstream.
If this is the case, then changing the AAA Client configuration to RADIUS (Ascend) would mean that the 135-137 attributes were pushed through, but then would that mean that the attributes in IETF RADIUS would no longer be passed through? I have attributes in both groups that are required.
Lastly, I have per user radius attributes enabled in Advanced options of Interface Configuration. I am assuming that if I have a per-user RADIUS attribute set, then the user setting wins over the group setting, if the group has the same attribute unticked?
Oops, sorry, I just re-read your earlier post where you said that IETF is always sent through. So the fact that the AAA client is set to IETF only is why the Ascend attributes are not being passed?
Ascend is not IETF; if you need to send Ascend attributes then you will need to set the Network Device as RADIUS (Ascend), and then it would send both Ascend and IETF attributes to the NAS.
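A way to check what the ACS actually put on the wire, as an added example that is not part of this thread: the script below walks the attribute TLVs of a captured Access-Accept and reports the Ascend DNS attributes (135/136) and any Cisco cisco-av-pair VSA (attribute 26, vendor 9, sub-type 1). The Ascend attribute names follow the common Ascend dictionary and the sample packet is constructed here, so both are assumptions.

```python
import struct
from ipaddress import IPv4Address

# Attribute numbers from the thread; Ascend names follow the common dictionary (assumed).
ASCEND_DNS = {135: "Ascend-Client-Primary-DNS", 136: "Ascend-Client-Secondary-DNS"}
VSA, CISCO_VENDOR_ID, CISCO_AVPAIR = 26, 9, 1

def parse_attributes(payload):
    """Walk RADIUS attribute TLVs (type, length, value); reject malformed lengths."""
    attrs, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return attrs

def dns_attributes(packet):
    """Report which DNS-carrying attributes an Access-Accept actually contains."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 2 or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    found = {"ascend": {}, "cisco_av_pairs": []}
    for atype, val in parse_attributes(packet[20:length]):
        if atype in ASCEND_DNS and len(val) == 4:
            found["ascend"][ASCEND_DNS[atype]] = str(IPv4Address(val))
        elif atype == VSA and len(val) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", val[:6])
            if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR and 2 <= vlen <= len(val) - 4:
                found["cisco_av_pairs"].append(val[6:4 + vlen].decode("ascii", "replace"))
    return found

def build_accept(attrs):
    """Constructed Access-Accept with an all-zero Authenticator (not a real signed reply)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 2, 1, 20 + len(body)) + bytes(16) + body

# Constructed sample of the reply expected once the NAS entry is set to RADIUS (Ascend).
AVPAIR = b"ip:dns-servers=10.0.0.53"
SAMPLE = build_accept([
    (8, IPv4Address("10.20.30.40").packed),            # Framed-IP-Address (IETF, always sent)
    (135, IPv4Address("10.0.0.53").packed),             # Ascend-Client-Primary-DNS
    (136, IPv4Address("10.0.0.54").packed),             # Ascend-Client-Secondary-DNS
    (VSA, struct.pack("!IBB", 9, 1, 2 + len(AVPAIR)) + AVPAIR),  # cisco-av-pair
])
```

Feed `dns_attributes()` the UDP payload of a captured reply; an empty `ascend` dict on a reply from an AAA client defined as RADIUS (IETF) is the behaviour described above, not a parsing failure.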