08-10-2015 05:22 AM - edited 03-10-2019 10:58 PM
Hello,
I have to configure AAA on HP 6125 (c7000 enclosure) with ISE for SSH and TELNET access.
It works for TELNET but not for SSH.
Attributes sent in access-accept for TELNET are the following:
0 is for TELNET.
The problem is that the SSH value is not available by default and you have to add it to the IETF dictionary. I did this with Microsoft NPS and it works perfectly.
Unfortunately, it does not seem possible with Cisco ISE. Could you please help me?
Regards,
Thibault
08-11-2015 03:28 PM
Just to be sure, are you saying that for SSH when you use NPS, you just set login-service to something else, and then SSH works?
08-12-2015 05:51 AM
Yes, you are right.
I edited c:\windows\system32\ias\dnary.xml and added the following value to the login-service attribute:
<StandardValue>
<Name>ssh</Name>
<Value>50</Value>
</StandardValue>
Unfortunately, it is not possible to add this value in ISE.
Regards,
Thibault
08-13-2015 12:11 PM
As far as I can tell, we can't change the built-in dictionaries, so I'm not sure how to do this. Also, the value "50" is not a standard value for the "Login-Service" IETF RADIUS attribute according to IANA:
https://www.iana.org/assignments/radius-types/radius-types.xml#radius-types-8
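As an added example (not part of the thread, and not Cisco, HP or Microsoft code): a Python sketch that decodes the Login-Service attribute (type 15) from a raw RADIUS packet and reports whether its value is in the IANA registry linked above. The packet is constructed for the example, and the label for value 50 is taken only from this thread.

```python
import struct

LOGIN_SERVICE = 15  # RADIUS attribute type for Login-Service
# Values registered by IANA for Login-Service (7 is unassigned).
IANA_VALUES = {0: "Telnet", 1: "Rlogin", 2: "TCP Clear", 3: "PortMaster",
               4: "LAT", 5: "X25-PAD", 6: "X25-T3POS", 8: "TCP Clear Quiet"}
# Non-registered value; the label is taken from this thread only.
THREAD_VALUES = {50: "ssh (HP 6125, per this thread)"}

def parse_attributes(packet):
    """Return (code, [(attr_type, value_bytes), ...]) for a raw RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not match the packet")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs

def login_services(packet):
    """Return [(value, label, is_iana_registered)] for each Login-Service."""
    results = []
    for a_type, value in parse_attributes(packet)[1]:
        if a_type != LOGIN_SERVICE:
            continue
        if len(value) != 4:
            raise ValueError("Login-Service must be a 4-byte integer")
        (number,) = struct.unpack("!I", value)
        label = IANA_VALUES.get(number) or THREAD_VALUES.get(number, "unknown")
        results.append((number, label, number in IANA_VALUES))
    return results

def build_accept(login_service):
    """Constructed Access-Accept (code 2) with a zeroed authenticator."""
    attr = struct.pack("!BBI", LOGIN_SERVICE, 6, login_service)
    return struct.pack("!BBH", 2, 1, 20 + len(attr)) + bytes(16) + attr

if __name__ == "__main__":
    for value in (0, 50):
        print(login_services(build_accept(value)))
```

Run against the attribute bytes of a captured Access-Accept, this shows which Login-Service value the RADIUS server actually returned for a Telnet or SSH login.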
10-02-2015 02:26 AM
Hello,
Have you found any solution to your problem in the last 2 months?
Because even if 50 is not standard, it's what the equipment needs :-(
Regards,
Franck
10-04-2015 08:30 AM
Hello,
We use ISE for Cisco devices and Microsoft NPS for HP devices.
ISE is configured as a RADIUS proxy to simplify RADIUS settings on HP and Cisco devices.
Regards
10-05-2015 07:13 AM
Thanks
That's bad news.
10-15-2015 12:32 PM
I know this is an old discussion. But how do you enable the RADIUS login-service 15 attribute in Cisco IOS to send to ISE?