Radius authentication problem in ONS15454

Answered Question
Nov 21st, 2008

hi,

Does anyone have a working configuration where user authentication is done by RADIUS? I've done everything as the documentation said, but still without success :-(

In the ONS log I have this info, but I cannot find any help on what attribute is wrong, despite the configuration being done step by step from the guide:

Security::General::loginEMS::Fail (Invalid Radius svc attr)(user-10.40.1.7) 0 F user

We use ACS 3.3 as RADIUS.

I set option #26.

ONS ver. 8.5


Correct Answer by tphelps (Cisco Employee), Fri, 11/21/2008 - 10:20

Is your ACS UNIX based or Windows?

Is the ONS an ENE or GNE?

Here are the steps in the Procedure Guide for the ONS:

http://www.cisco.com/en/US/docs/optical/15000r8_5_1/15454/sonet/procedure/guide/454a851_dlp4.html#wpxref25074

Make sure you complete this:

Step 13 Click the Enable the Node as the Final Authenticator check box if you want the node to be the final authenticator. This means that if every RADIUS authenticator is unavailable, the node will authenticate the login rather than locking the user out.

Do not configure a node for RADIUS authentication until after you have added that node to the RADIUS server and added the RADIUS server to the list of authenticators. If you do not add the node to a RADIUS server prior to activating RADIUS authentication, no user will be able to access the node unless you complete Step 13.

On the Windows ACS here are the steps:

1. Add the ONS as an AAA client

2. Enable Per-user TACACS+/RADIUS Attributes

3. Enable Per-user Service Type

4. Create the User

5. Set the Cisco IOS/PIX 6.x RADIUS Attributes

[009\001] cisco-av-pair
shell:priv-lvl=3

Where:

The following Cisco vendor-specific attribute (VSA) needs to be specified when adding users to the RADIUS server:

shell:priv-lvl=N, where N is:

0 for Retrieve User
1 for Maintenance User
2 for Provisioning User
3 for Super User.

6. Set the IETF RADIUS Attributes

[006] Service-Type = Login
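The wire-level form of what steps 5 and 6 configure, as an added example that is not part of this thread and not Cisco ACS or ONS code: it encodes the two attributes the answer names (IETF Service-Type = Login and the Cisco Vendor-Specific attribute 26 carrying cisco-av-pair shell:priv-lvl=N) in the RFC 2865 type/length/value layout, then decodes an Access-Accept attribute list the way a node would and reports which of the two is absent or malformed. The sample attribute lists are constructed inline rather than captured from a real ACS, and the link between a missing Service-Type and the "Invalid Radius svc attr" message is the thread's hypothesis, assumed here rather than confirmed.

```python
"""Encode and check the RADIUS attributes an ONS 15454 login expects.

Added example (not the thread's or Cisco's code). Attribute layouts follow
RFC 2865 (type/length/value) and the standard Cisco VSA sub-attribute format.
"""
import struct

ATTR_SERVICE_TYPE = 6        # IETF [006] Service-Type
ATTR_VENDOR_SPECIFIC = 26    # IETF [026] Vendor-Specific (the "option #26" in the question)
SERVICE_TYPE_LOGIN = 1       # Service-Type = Login
CISCO_VENDOR_ID = 9          # IANA enterprise number for Cisco
CISCO_AVPAIR = 1             # vendor sub-type 1: [009\001] cisco-av-pair

# ONS user levels carried in shell:priv-lvl=N, as listed in the answer.
PRIV_LEVELS = {
    0: "Retrieve User",
    1: "Maintenance User",
    2: "Provisioning User",
    3: "Super User",
}


def encode_attr(attr_type, value):
    """One RFC 2865 attribute: type (1 byte), length incl. header (1 byte), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a RADIUS attribute")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_service_type(service_type):
    """Service-Type is a 4-byte big-endian integer."""
    return encode_attr(ATTR_SERVICE_TYPE, struct.pack("!I", service_type))


def encode_cisco_avpair(text):
    """Vendor-Specific(26): vendor id (4 bytes) followed by one vendor sub-attribute TLV."""
    payload = text.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, len(payload) + 2) + payload
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def decode_attrs(data):
    """Walk a TLV list; top-level attributes and Cisco sub-attributes share the layout."""
    attrs = []
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("attribute length out of bounds")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def check_ons_attrs(data):
    """Report the Service-Type and priv-lvl a node would find, plus any problems."""
    result = {"service_type": None, "priv_lvl": None, "role": None, "problems": []}
    for attr_type, value in decode_attrs(data):
        if attr_type == ATTR_SERVICE_TYPE and len(value) == 4:
            result["service_type"] = struct.unpack("!I", value)[0]
        elif attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            if vendor_id != CISCO_VENDOR_ID:
                continue  # another vendor's VSA; not relevant to the ONS
            for sub_type, sub_value in decode_attrs(value[4:]):
                if sub_type != CISCO_AVPAIR:
                    continue
                text = sub_value.decode("ascii", "replace")
                if text.startswith("shell:priv-lvl="):
                    try:
                        result["priv_lvl"] = int(text.split("=", 1)[1])
                    except ValueError:
                        result["problems"].append("unparsable av-pair %r" % text)
    if result["service_type"] is None:
        result["problems"].append("Service-Type missing (expected Login=1)")
    elif result["service_type"] != SERVICE_TYPE_LOGIN:
        result["problems"].append("Service-Type is %d, expected Login=1" % result["service_type"])
    if result["priv_lvl"] is None:
        result["problems"].append("cisco-av-pair shell:priv-lvl missing")
    elif result["priv_lvl"] not in PRIV_LEVELS:
        result["problems"].append("shell:priv-lvl=%d is not an ONS level (0-3)" % result["priv_lvl"])
    else:
        result["role"] = PRIV_LEVELS[result["priv_lvl"]]
    return result


# Constructed sample attribute lists (not captured from a real ACS).
GOOD_ACCEPT = encode_service_type(SERVICE_TYPE_LOGIN) + encode_cisco_avpair("shell:priv-lvl=3")
NO_SERVICE_TYPE = encode_cisco_avpair("shell:priv-lvl=3")   # step 6 skipped

if __name__ == "__main__":
    for name, attrs in (("complete", GOOD_ACCEPT), ("missing Service-Type", NO_SERVICE_TYPE)):
        print(name, check_ons_attrs(attrs))
```

Running the block prints both cases; the second is the state the thread suspects, a user with a valid priv-lvl but no Service-Type, which the checker reports as the only problem. Feeding it attribute bytes from a packet capture of the ACS reply is the natural next step when the ACS GUI looks right but the node still rejects the login.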



dkrupanext Fri, 11/21/2008 - 14:08

Thanks for the quick reply.

ACS is Windows based.

ONS is ENE.

All that you mentioned I've done already, but the last one with Service-Type can be the solution.

I'll check this with the customer on Monday.

I hope that this will help :-)

Thanks & have a nice weekend
