Telnet and VPN RADIUS authentication

avorobyev
Level 1

Hi!

Trying to configure telnet (exec) and VPN authentication via the same RADIUS server.

How can I differentiate EXEC and VPN logins on the RADIUS server?

Cisco sends Service-Type for PPPoE or some other types of auth, but doesn't send anything when I log in via telnet.

So I cannot see if a client logs in via telnet.

Have I missed something?


nspasov
Cisco Employee

What type of Radius server are you using?

Thank you for rating helpful posts!

Using Microsoft NPS.

I can authenticate both telnet and PPPoE/PPTP, but can't tell that one of the logins is EXEC.

I have done very little work with Microsoft's NPS, but from what I can recall it was very limited when it came to its functionality.

For instance, in ISE and/or ACS, you can distinguish between the two via the following attributes:

1. EndpointID > > > For SSH this would look like ip:source-ip=x.x.x.x, while for VPNs this field would just be populated with the public IP address of the client.

2. CVPN3000/ASA/PIX7x-Tunnel-Group-Name > > > This field will only populate when doing VPNs and will reflect the name of the tunnel-group configured on the ASA.

You can check and see if NPS has either one of those attributes, though I highly doubt it. I think you can create custom RADIUS attributes in NPS, but from what I remember it was not an easy task :) However, google.com should be able to point you in the right direction.

Hope this helps!


Thank you for rating helpful posts!

Hi!

While trying to reply to your answer, I turned on the maximum possible debugs for the login and saw this:

Nov 16 10:00:29.186: RADIUS/ENCODE(0000000F): dropping service type, "radius-server attribute 6 on-for-login-auth" is off

so I put the command in the config:

radius-server attribute 6 on-for-login-auth

and then in every request for authentication I see:

for Login:

Nov 16 11:02:12.303: RADIUS:  Service-Type        [6]   6   Login                     [1]

for PPPoE/PPTP/...

Nov 16 11:02:37.475: RADIUS:  Service-Type        [6]   6   Framed                    [2]

This answers my question.

By the way, this command is mandatory for ISE according to this post: http://www.ajsnetworking.com/switch-configuration-for-ise-integration-part-2-radius-server-config/

Thanks for participating!
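To show what a RADIUS server (or a capture tool) actually sees once attribute 6 is sent, here is an added Python example that is not part of this thread or of any Cisco/NPS code: it builds small Access-Request packets, parses their attribute-value pairs, and classifies the login from Service-Type, returning "unknown" for the pre-fix case where IOS drops the attribute. All packet contents, user names and the authenticator are constructed sample values.

```python
import struct
# RADIUS attribute type numbers and Service-Type values (RFC 2865)
ATTR_USER_NAME = 1
ATTR_SERVICE_TYPE = 6
SERVICE_TYPE_NAMES = {1: "Login", 2: "Framed"}  # values seen in the debugs above

def build_access_request(attrs, ident=0x0F):
    """Build a RADIUS Access-Request (code 1) from (type, value_bytes) AVPs.
    The 16-byte Request Authenticator is a constructed placeholder."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    authenticator = b"\x11" * 16  # constructed, not a real random value
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body

def parse_avps(packet):
    """Return {type: value_bytes}, validating header and AVP length fields."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    length = struct.unpack("!BBH", packet[:4])[2]
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    avps, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated AVP header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad AVP length")
        avps[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return avps

def classify_session(packet):
    """Map Service-Type to the login kind. A missing attribute is what IOS
    sends for exec logins until 'radius-server attribute 6 on-for-login-auth'
    is configured, so those requests cannot be told apart from anything else."""
    raw = parse_avps(packet).get(ATTR_SERVICE_TYPE)
    if raw is None:
        return "unknown (no Service-Type sent)"
    if len(raw) != 4:
        raise ValueError("Service-Type must be a 4-byte integer")
    value = struct.unpack("!I", raw)[0]
    return SERVICE_TYPE_NAMES.get(value, "other(%d)" % value)

# Constructed sample requests: exec login, PPPoE session, and an exec login
# with attribute 6 dropped (the behaviour before the fix).
TELNET_REQ = build_access_request([(ATTR_USER_NAME, b"admin"),
                                   (ATTR_SERVICE_TYPE, struct.pack("!I", 1))])
PPPOE_REQ = build_access_request([(ATTR_USER_NAME, b"user1"),
                                  (ATTR_SERVICE_TYPE, struct.pack("!I", 2))])
NO_ST_REQ = build_access_request([(ATTR_USER_NAME, b"admin")])
```

An NPS network policy that matches on Service-Type = Login can then be used for exec access and a separate one with Service-Type = Framed for PPP/VPN sessions.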


Ah good catch and good job solving your own problem!! Also, thank you for coming back and taking the time to post the solution!!! (+5 from me). 

If your issue is resolved, please mark the thread as "answered" :)