Users with Superuser security privileges can configure nodes to use RADIUS authentication.
An ONS node operates as a client of RADIUS. The client passes user information to designated RADIUS servers, and then acts on the response. RADIUS servers receive user connection requests, authenticate the user, and return all configuration information necessary for the client to deliver service to the user.
Create a user on ACS with a CiscoSecure PAP password; this is the user that will log in to ONS.
Assign the user created above (454supper) to the FullAccessGroup group by going to Group Setup.
Defining ONS as a Radius client
Log in to ACS.
Click Network Configuration.
Click Add Entry.
Give the client a unique hostname.
Enter the IP address of the ONS node.
Enter the shared secret key; it must match the one configured on the ONS node.
Make sure "Authenticate Using" is set to "RADIUS (Cisco IOS/PIX 6.0)".
User Security Group Mapping
The possible security levels are Retrieve, Maintenance, Provisioning, and Superuser.
An attribute-value (AV) pair represents a variable and one of the possible values that the variable can hold. Within ONS, users are mapped to different security groups based on Cisco AV Pair. Here is an example:
"shell:priv-lvl=X", where X can be a value from 0 to 3:
0 represents Retrieve
1 represents Maintenance
2 represents Provisioning
3 represents Superuser
Defining RADIUS Server On ONS
Log into Cisco Transport Controller (CTC).
Go to the Network view.
Select a specific ONS in order to go to the Shelf view.
Click Provisioning > Security > RADIUS Server.
Type the IP address of the RADIUS server in the IP Address field.
Type a shared secret in the Shared Secret field. A shared secret is a text string that serves as a password between a RADIUS client and RADIUS server.
Type the RADIUS authentication port number in the Authentication Port field. The default authentication port number is 1812.
Type the RADIUS accounting port number in the Accounting Port field. The default accounting port number is 1813.
Troubleshooting
Check the ACS logs under Reports and Activity > Failed Authentication.
Make sure the shared secret key is the same on both sides.
To obtain the rds.log file, set the logging level to Full and generate the package.cab file.
In some cases, even when your configuration is correct, you may see an extra attribute "aaa:supplicant-name=<username>" in the RDS logs being pushed down to ONS; this causes ONS to fail authorization. To fix this, go to Interface Configuration > RADIUS (Cisco IOS/PIX 6.x) and uncheck the "Enable Authenticated Port cisco-av-pair" option.
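As an added example (not part of this article or of any Cisco software), the following Python decodes the cisco-avpair vendor-specific attributes from the attribute section of a RADIUS Access-Accept, applies the shell:priv-lvl mapping described above, and flags the stray aaa:supplicant-name attribute that makes ONS fail authorization. The packet bytes are constructed sample data, and the attribute layout (RFC 2865 attribute 26, Cisco vendor ID 9, vendor type 1 for cisco-avpair) is assumed from those specifications.

```python
import struct

VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute type
CISCO_VENDOR_ID = 9    # IANA enterprise number for Cisco
CISCO_AVPAIR = 1       # Cisco vendor type carrying "cisco-avpair" strings

# shell:priv-lvl value -> ONS security level, as listed in the article
PRIV_LVL_TO_ONS = {0: "Retrieve", 1: "Maintenance", 2: "Provisioning", 3: "Superuser"}

def cisco_avpairs(attributes):
    """Return the cisco-avpair strings found in a RADIUS attribute section."""
    pairs, pos = [], 0
    while pos + 2 <= len(attributes):
        atype, alen = attributes[pos], attributes[pos + 1]
        if alen < 2 or pos + alen > len(attributes):
            break                                   # malformed length: stop parsing
        value = attributes[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor_id = struct.unpack("!I", value[:4])[0]
        vtype, vlen = value[4], value[5]            # vendor type and length (incl. 2 header bytes)
        if vendor_id == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR and vlen >= 2:
            pairs.append(value[6:4 + vlen].decode("ascii", "replace"))
    return pairs

def ons_security_level(pairs):
    """Map avpairs to an ONS security level; return (level or None, list of problems)."""
    level, problems, seen = None, [], False
    for pair in pairs:
        if pair.startswith("aaa:supplicant-name="):
            problems.append("extra attribute '%s' will make ONS fail authorization" % pair)
        elif pair.startswith("shell:priv-lvl="):
            seen = True
            try:
                level = PRIV_LVL_TO_ONS[int(pair.split("=", 1)[1])]
            except (ValueError, KeyError):
                problems.append("priv-lvl outside 0-3: '%s'" % pair)
    if not seen:
        problems.append("no shell:priv-lvl attribute; ONS cannot map a security group")
    return level, problems

def vsa(text):
    """Build one cisco-avpair Vendor-Specific attribute (constructed sample data)."""
    body = text.encode("ascii")
    payload = struct.pack("!I", CISCO_VENDOR_ID) + bytes([CISCO_AVPAIR, len(body) + 2]) + body
    return bytes([VENDOR_SPECIFIC, len(payload) + 2]) + payload

# Constructed Access-Accept attribute sections: a clean one and one with the stray attribute
GOOD_ACCEPT = vsa("shell:priv-lvl=3")
BAD_ACCEPT = vsa("shell:priv-lvl=3") + vsa("aaa:supplicant-name=454supper")
```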