Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2474
Views
0
Helpful
1
Replies

ACS 5.1 - Radius Id Servers - Directory Attributes

fschramke
Level 1
Level 1

‎08-05-2010 06:04 AM - edited ‎03-10-2019 05:18 PM

Hello again.

I'm now trying to match on Directory Attributes returned by one of my Radius Identity Servers in my 'Authorization Policy'.

The log comes back with this:

Evaluating Service Selection Policy
15004  Matched rule
15012  Selected Access Service - ras
Evaluating Identity Policy
15006  Matched Default Rule
15013  Selected Identity Store - SBR-Vasco
24609  RADIUS token identity store is authenticating against the primary server.
11100  RADIUS-Client about to send request
11101  RADIUS-Client received response
24613  Authentication against the RADIUS token server failed.
24614  RADIUS token server authentication failure is translated as Unknown user failure.
24609  RADIUS token identity store is authenticating against the primary server.
11100  RADIUS-Client about to send request
11101  RADIUS-Client received response
24101  Some of the retrieved  attributes contain multiple values. These values are discarded. The  default values, if configured, will be used for these attributes.
24612  Authentication against the RADIUS token server succeeded.
24628  User cache not enabled in the RADIUS token identity store configuration.
22037  Authentication Passed
22023  Proceed to attribute retrieval
24432  Looking up user in Active Directory - schramke.fabian
24416  User's Groups retrieval from Active Directory succeeded
24420  User's Attributes retrieval from Active Directory succeeded
22036  Retrieved Attributes successfully from current IDStore
22016  Identity sequence completed iterating the IDStores
Evaluating Group Mapping Policy
15006  Matched Default Rule
Evaluating Exception Authorization Policy
15042  No rule was matched
Evaluating Authorization Policy
15006  Matched Default Rule
15016  Selected Authorization Profile - DenyAccess
15039  Selected Authorization Profile is DenyAccess
11003  Returned RADIUS Access-Reject

I tried to use the 'Class' attribute, but the msg 24101 stated mulitvalued attributes are ignored. So i tried non mulitvalued fields, for example 'Framed-Apple-Talk-Zone[39]' with no luck.

Any help would be appreciated.

Labels:
0 Helpful
1 Reply 1

fschramke
Level 1
Level 1

‎08-06-2010 01:38 AM

I'll just work around the string problem and use an integer value.

I had to add an extra integer attribute to all the old Steelbelted Radius Profiles.

I can live with that, but still would like to know why it fails with strings.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents