Radius authentication problem in ONS15454

dkrupanext
Level 1

hi,

Does anyone have a working configuration in which user authentication is done by RADIUS? I've done everything as the documentation said, but still without success :-(

In the ONS log I have the following info, but I cannot find any help on which attribute is wrong, despite the configuration being done step by step from the guide:

Security::General::loginEMS::Fail (Invalid Radius svc attr)(user-10.40.1.7) 0 F user

We use ACS 3.3 as our RADIUS server.

I set option #26.

ONS ver. 8.5

Accepted Solution

tphelps
Cisco Employee

Is your ACS UNIX based or Windows?

Is the ONS an ENE or GNE?

Here are the steps in the Procedure Guide for the ONS:

http://www.cisco.com/en/US/docs/optical/15000r8_5_1/15454/sonet/procedure/guide/454a851_dlp4.html#wpxref25074

Make sure you complete this:

Step 13 Click the Enable the Node as the Final Authenticator check box if you want the node to be the final authenticator. This means that if every RADIUS authenticator is unavailable, the node will authenticate the login rather than locking the user out.

Do not configure a node for RADIUS authentication until after you have added that node to the RADIUS server and added the RADIUS server to the list of authenticators. If you do not add the node to a RADIUS server prior to activating RADIUS authentication, no user will be able to access the node unless you complete Step 13.

On the Windows ACS, here are the steps:

1. Add the ONS as an AAA client

2. Enable Per-user TACACS+/RADIUS Attributes

3. Enable Per-user Service Type

4. Create the User

5. Set the Cisco IOS/PIX 6.x RADIUS Attributes

[009\001] cisco-av-pair

shell:priv-lvl=3

Where:

The following Cisco vendor-specific attribute (VSA) needs to be specified when adding users to the RADIUS server:

shell:priv-lvl=N, where N is:

0 for Retrieve User

1 for Maintenance User

2 for Provisioning User

3 for Super User.

6. Set the IETF RADIUS Attributes

[006] Service-Type = Login

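As an added example (not from this thread or from Cisco's documentation), the Python below encodes the two attributes tphelps lists, Service-Type = Login and the Cisco VSA cisco-av-pair shell:priv-lvl=N, as RFC 2865 attribute TLVs, parses them back, and checks a response the way a node might before granting a login. The attribute numbers come from the thread and RFC 2865; exactly what the ONS verifies is an assumption here, so the "Invalid Radius svc attr" branch only mirrors the message in the question's log.

```python
import struct

SERVICE_TYPE = 6           # IETF attribute [006]
VENDOR_SPECIFIC = 26       # IETF attribute [026], "option #26" in ACS
CISCO_VENDOR_ID = 9        # IANA enterprise number for Cisco
CISCO_AV_PAIR = 1          # Cisco VSA subtype, [009\001] cisco-av-pair
SERVICE_TYPE_LOGIN = 1     # Service-Type value "Login"
# Privilege levels listed in the answer: N in shell:priv-lvl=N
PRIV_LEVELS = {0: "Retrieve User", 1: "Maintenance User", 2: "Provisioning User", 3: "Super User"}

def attr(atype, value):
    """One RFC 2865 attribute: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value

def cisco_av_pair(text):
    """Vendor-Specific attribute wrapping one cisco-av-pair string."""
    sub = attr(CISCO_AV_PAIR, text.encode("ascii"))     # vendor type/len/value
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)

def access_accept_attrs(priv_lvl):
    """Attributes the answer says ACS must return for a user at priv_lvl."""
    return (attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN))
            + cisco_av_pair(f"shell:priv-lvl={priv_lvl}"))

def parse_attrs(data):
    """Split an attribute list into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        hdr = data[i:i + 2]
        if len(hdr) < 2 or hdr[1] < 2 or i + hdr[1] > len(data):
            raise ValueError(f"bad attribute at offset {i}")
        out.append((hdr[0], data[i + 2:i + hdr[1]]))
        i += hdr[1]
    return out

def check_login_attrs(data):
    """Assumed node-side check: Service-Type must be Login, then shell:priv-lvl=N with N in 0..3."""
    attrs = parse_attrs(data)
    svc = [v for t, v in attrs if t == SERVICE_TYPE]
    if len(svc) != 1 or svc[0] != struct.pack("!I", SERVICE_TYPE_LOGIN):
        return False, "Invalid Radius svc attr"   # the message in the OP's ONS log
    for t, v in attrs:
        if t == VENDOR_SPECIFIC and v[:4] == struct.pack("!I", CISCO_VENDOR_ID):
            for sub_t, sub_v in parse_attrs(v[4:]):
                if sub_t == CISCO_AV_PAIR and sub_v.startswith(b"shell:priv-lvl="):
                    lvl = sub_v.split(b"=", 1)[1]
                    if lvl.isdigit() and int(lvl) in PRIV_LEVELS:
                        return True, PRIV_LEVELS[int(lvl)]
                    return False, "priv-lvl outside 0-3"
    return False, "missing cisco-av-pair shell:priv-lvl"
```

Feeding the same attribute list with the Service-Type attribute left out reproduces the failure branch, which is the situation the accepted answer's step 6 fixes.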

2 Replies


Thanks for the quick reply.

ACS is Windows-based.

ONS is ENE.

All that you mentioned I've done already, but the last one with Service-Type can be the solution.

I'll check this with the customer on Monday.

I hope that this will help :-)

thanks & have a nice weekend
