Cisco Switching/Routing :: Radius-server Attribute 61 Extended On ASR1004
Nov 9, 2011
We faced with problem after upgrade ASR from 12(2) 33 XNE2. I know that this is an old XE release but our Radius deny authization from ASR with more new XE version. Here is our radius attribute configuretion:
!
radius-server attribute 44 include-in-access-req
radius-server attribute nas-port format d
radius-server host x.x.x.x auth-port 1812 acct-port 1813 non-standard
[Code]....
How can I add in my configuration that ASR send necesserry NAS-Port-Type - VPDN
I couldn't found out any info ((( for radius-server attribute 61 extended
I'm using Cisco ACS 3.3 for RADIUS. How to do I make Vendor-Specific attribute available? (Attribute number 26, format: OctetString) The online help makes reference to it, but does not tell you how to make it available.
Is it possible to send profile name as an Radius atribute during client authentication? I would like to match users depends on profile name to sperate Identity Stores in my ACS. ASA 5540 8.4, anyconnect 3.1.01065, ACS 5.1
Basically I want to query Radius for AD group membership and apply a set of Bookmarks based on that group. I would use LDAP, but we have two domains and I need both to be available for login, so I am using ACS 5.3 as a proxy. I saw that using attribute 4242 for DAP for group membership, but what is the Group syntax?
ACS 5.3 always sends the class=cacs:xyz attribute in an authentication response. How can I suppress that behaviour? The Cisco Email Security Appliance doesn't support multiple class attributes (defect 49096) and even treats guest users as administrators.
I am doing 802.1X for a user on Cisco 3650 and wanted the Radius Server to return an attribute to set the Duplex setting of the port. with the correct Radius Return Attribute.
I have Cisco 2960 switches deployed in my environment along with radius server authentication. Now i need to assign some roles to particular users (shutdown port, description) so what i need to do for this task so not all users have same privileges.
I came across an interesting issue and thought I would see if anyone else has encountered it before contacting TAC.I have two Cisco Catalyst WS-4510R-E switches with a single Supervisor V module in each chassis. Both Sup cards are now running 12.2(54) SG1; ipbasek9 firmware; yes, I plan to move both switches to 15 code but that's another story. Anyways, prior to the upgrade the one switch was running 12.2 (33) code; I suspect the code was never upgraded; running ipbase non - K9 code. The other switch was running 12.2(44) with K9 prior to upgrade to 12.2(54).
I have two Cisco Catalyst WS-4510R-E switches with a single Supervisor V module in each chassis. Both Sup cards are now running 12.2(54) SG1; ipbasek9 firmware; yes, I plan to move both switches to 15 code but that's another story. Anyways, prior to the upgrade the one switch was running 12.2 (33) code; I suspect the code was never upgraded; running ipbase non - K9 code. The other switch was running 12.2(44) with K9 prior to upgrade to 12.2(54). With the background set, one switch reports the following:SwitchA (config)#r?radius-server redundancy regexp represourc rmon route-map router.
I am trying to test the MTU between two 3750 switches I have in the lab. I've set the MTU with the command "system mtu 9000" on both switches and rebooted.
The only connections on the switches are the gig ports connecting the two switches. Each interface is a member of vlan 1.
I am doing an extended ping. I set the datagram size to 2000. When the df bit is set the ping doesn't go through. If the DF bit is not set the ping goes through.
The debug ip icmp shows, 4d00h: ICMP: dst (1.1.1.1): frag. needed and DF set.
Why is fragmentation needed when the MTU is set to 9000?
GigabitEthernet1/0/1 is up, line protocol is up (connected) Hardware is Gigabit Ethernet, address is 0015.2b7d.0d01 (bia 0015.2b7d.0d01) MTU 9000 bytes, BW 1000000 Kbit, DLY 10 usec,
I was wondering why can't we no longer use the multiple ports within an extented ACL like I use to do it in a CAT3750E.I have IOS-XE Software, Catalyst 4500 L3 Switch Software (cat4500e-UNIVERSALK9-M), Version 03.02.00.SG.I wanted to create an ACL like so [code] But when I do, it tells me that I cannot do it.... I can only add 1 tcp port to my ACL line. I tried to search the "object-group" concept also but it's not implemented in this IOS.Can this be done in IOS-XE ?I'm migrating my enviroment from a CAT3750E stack to a C4510-E.
We have a 3560 switch running IOS universalk9-mz.150-1.SE3.bin.Recently, we saw two problems with this switch:-
1. if we try to enable subinterface on any routed interface , for eg. gig1/1, it says invalid input detected. It doesnt accept encapsulation command also. Following was done to enable subinterface:
int gig1/1 no ip address int gig1/1.2000 ip address 1.1.1.1
under the gi1/1.2000 subinterface, it doesnt present the option of ip address.
2. we created a layer 2 vlan 2000 like: vlan 2000 When we do an exit after creating this vlan , it gives following error:-
%SW_VLAN-4-VLAN_CREATE_FAIL: Failed to create VLANs 2000: extended VLAN(s) not allowed in current VTP mode
We have a gateway on a 4503, say on port 2/1, and we only want the other devices that are plugged into the 4503 to be able to talk to the gateway and thats it. The other devices are Motorola TUT DSL devices and they plug into the 4503 directly.
Normally "switchport protected" would make this very easy to keep stuff on one port from talking to other ports but with 4500's you are not able to do that command. So we implemented a MAC Access-List Extended ACL. Here is what we did
mac access-list extended BLAH permit #host 0000.XXXX.YYYY any interface range fa 2/5 - 20 mac access-group BLAH out
The MAC address 0000.XXXX.YYYY is the MAC address of the gateway that is plugged into Fa2/1 and the DSL TUT devices are plugged into ports Fa2/5-20. We would think that this config would only allow devices on the TUT DSL to talk only to the Gateway but we don't really think this is happening. The TUT devices are learning about MAC addresses that are on other TUT devices.
I am trying to write an extended ACL for the voice vlan.My scenario is the following:I have two PBXs with two Catalyst 4505 L3 switches.The C4505 are connected trough a trunk link.I have a VTP domain configured.
Voice VLANs are Vlan 100 and Vlan 101 with networks 10.2.0.0/16 and 10.4.0.0/16 Voip telephones are communicating between them self and everything is working fine.I want to secure both voice VLANs with an ACL to allow only couple of IPs to administer the phones.The PCs are connected trough a integrated switch via VOIP telephone.Here is the sample configuration of the dhcp pool for the PC VLAN:
ip dhcp pool PCs network 10.1.0.0 255.255.0.0 default-router 10.1.1.1 dns-server 10.10.10.1 option 43 hex 010a.5369.656d.656e.7300.0000.0204.0000.0064.0000.0000.00ff
I had to implement the 43 hex option because the PCs did not get the ip from the DHCP because of the vendor specific information.The thing that worries me is will the DHCP forward the ACKs for the PCs if I implement this test ACL:
ip access-list extended VLAN100 permit ip 10.2.0.0 0.0.255.255 10.4.0.0 0.0.255.255 permit ip 10.4.0.0 0.0.255.255 10.2.0.0 0.0.255.255 permit ip 192.168.2.0 0.0.0.255 10.2.0.0 0.0.255.255 permit ip 192.168.2.0 0.0.0.255 10.4.0.0 0.0.255.255 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps (this I am not sure do I need) permit udp host 255.255.255.255 eq bootps host 0.0.0.0 eq bootpc (also this) deny ip any any
I only want to allow the network 192.168.2.0/24 and maybe some other hosts to access the web based http gui to adiminister the IP phones.All PCs are connected trough the VOIP terminals. I do not want to deny the traffic to PCs.
We are using mac authentication, it is working fine on all of the other 3560's except this new one.
Mac address shows up completely different (very long hex, doesnt even look like a mac address) on ACS compared to what its showing on the switch in the mac address table.
Im stumped, config matches every other 3560 in the building, has something changed in the v2 software compared to the older 3560's ?
A Cisco 3560V2 was bought to complete a project at my company. I noticed the IPBase IOS Image was installed. I was unable to configure RADIUS. I upgraded the IOS to the Latest Release of the IPServices IOS Image. I still dont have the capabilities of configuring RADIUS.
getting radius to work on a 2950G switch with an older IOS of 12.1(22)EA1. I have radius setup on a windows 2k8 box and all of my other switches 2960's and above have no issues. I am unable to input the nas-identifier of 32 into the config using - radius-server 32 attribute 32 include-in-access-req format %h as well as the aaa session-id common commands. Doing a debug radius says that the radius server is not defined.
I went to configure RADIUS on my 3750X with IOS 15, and lo and behold it is not where it used to be. Did it get moved somewhere else that I can't seem to find very easily?
I'm about to configure radius on a 2960 and 2955 switch as I have been testing this on a 1841 router and to my dismay I can't see the options to configure radius, do these L2 switches not supoprt radius?
edit - apoligies I forgot the "aaa new-model" all ok now
I currenly have a cisco AP1142N configured to work with our radius server (It was already configured when I took over the network). I order two additional access points for building coverage on multiple floors. Currently, I uploaded the config of the orginal access point to the new device and I can access the device via web and the ssid is being broadcasted. I then added in the access point into IAS with the radius secret key to our Radius server. When I go to connec to the new access point w/ domain credentials I am not able to establish a connection. I am not very familiar with CISCO products. I followed a video to get the access point up and running w/ an IP from CLI so I could access the web interface and upload the edited config.txt file. Are there any issues with setting up multiple access points w/ a single windows radius (IAS) server?
I am facing issue with nexus 7010 login authentication by radius server. I have two nexus 7010, one of them is working perfectly. Other taking long time to authenticate. If i use local database to login it works perfectly. It works fine also if i login from console using radius for authentication.
I'm using a radius server to authenticate ssh when connecting to my company's switches (a 3560 + several 2960s).
Everywhere I've looked claims that using the line 'transport input ssh' in my switch config should disable telnet access and allow ssh only. But after changing 'transport input ssh telnet' to 'transport input ssh' I can still connect to all of the switches from telnet. I can't block telnet with ACLs either because my company uses a telnet based terminal client to do most of their work.
I don't have much experience with radius. How do I stop telnet connections when using radius to authenticate?
I´ve a little problem with the aaa authentication over RADIUS with a Cisco 3560G-48PS - IOS 12.2(58)SE2. When I try to log in to the Switch per Telnet, it didn`t works and my windows domain account is locked. Here the aaa config:
aaa new-model aaa authentication login default local group radius aaa authorization config-commands
I am using radius authentication on C4507R+E with supervisor card 6L-E and IOS 15.0.2(SG1). It works perfectly but all radius messages appear in the console. Radius is very verbose, I can't use console because of the significant number of messages and I am worried about switches performances. I add that all debug commands are disabled.
I've got a problem with an ASR1004 running "asr1000rp2-adventerprisek9.03.02.00.S.151-1.S.bin".
When I'm performing extended ping tests using a tclsh script i'm geting this error message:
ASR_X1A2#ping 172.27.1.250
% Authorization failed.
When i'm pinging 12 diffrent destinations this happens to about 3 of them.
Checking the logs I found this:
Apr 24 19:42:56.071: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection
In my entire backbone this is happening only in this equipment, I've checked the connection between my ASR and the TACACS and it's OK, no packet loss. CPU and MEM are OK too.
I have just got a ASR1004 and try to upgrade it, but, I can not find the instruction, I guess it may just same as other production by copy. but, it is good to see in writing.
