does have anyone working configuration that user authentication is done by radius? I've done everything as documentation said but still without success :-(
in ONS log I've such info but I cannot find any help what attribute is wrong despite that configuration is done step by step from guide
Security::General::loginEMS::Fail (Invalid Radius svc attr)(user-10.40.1.7) 0 F user
we use ACS 3.3 as Radius
I set option #26.
ONS ver. 8.5
Is your ACS UNIX based or Windows?
Is the ONS an ENE or GNE?
Here are the steps in the Procedure Guide for the ONS:
Make sure you complete this:
Step 13 Click the Enable the Node as the Final Authenticator check box if you want the node to be the final autheticator. This means that if every RADIUS authenticator is unavailable, the node will authenticate the login rather than locking the user out.
Do not configure a node for RADIUS authentication until after you have added that node to the RADIUS server and added
the RADIUS server to the list of authenticators. If you do not add the node to a RADIUS server prior to activating
RADIUS authentication, no user will be able to access the node unless you complete Step 13.
One the Windows ACS here are the steps:
1. Add the ONS as an AAA client
2. Enable Per-user TACACS+/RADIUS Attributes
3. Enable Per-user Service Type
4. Create the User
5. Set the Cisco IOS/PIX 6.x RADIUS Attributes
The following Cisco vendor-specific attribute (VSA) needs to be specified when adding users to the RADIUS server:
shell:priv-lvl=N, where N is:
0 for Retrieve User
1 for Maintenance User
2 for Provisioning User
3 for Super User.
6. Set the IETF RADIUS Attributes
 Service-Type = Login