Cisco Support Community

New Member

ACS 5.1 Radius device administration error 11033

Hello,

I'm trying to configure ACS 5.1 as a RADIUS server for a Catalyst switch but I can't make it work.

I keep on getting the "11033 Selected Service type is not Network Access" error message.

Tacacs works fine but radius does not.

Does anybody have a sample device administration config to use with RADIUS?

It seems the service type does not work with RADIUS in this scenario (RADIUS + device admin).

Regards,

Thibault.

11 REPLIES
Cisco Employee

Re: ACS 5.1 Radius device administration error 11033

The default access policy for RADIUS on ACS 5.1 is for network access, and you are trying to authenticate an interactive login. You need to create a new access policy, using RADIUS, and choose the correct login type.

New Member

Re: ACS 5.1 Radius device administration error 11033

Hello,

I am not using the default policy. I've created a new policy for device administration and RADIUS but each time I try to log into my switch I get this 11033 error message that basically tells me RADIUS is for network access not device administration.

...Hence my other post : is it possible to do RADIUS AAA for device admin with ACS 5.1?

So far I can't make it work and the report output is not verbose enough to tell the exact cause of this issue.

Regards,

Thibault.

New Member

Re: ACS 5.1 Radius device administration error 11033

Does anybody out there use ACS 5.1 with RADIUS for device administration?

New Member

Re: ACS 5.1 Radius device administration error 11033

Hey,

Please use TACACS for device admin and RADIUS for network access, and make sure the config on the switch is pointing to the correct RADIUS server host.

eg

radius-server host x.x.x.x auth-port 1812 acct-port 1813

That's how I set up my ACS 5.1 and it's working fine. I don't think you will be able to use RADIUS for device admin. Hope this helps.

New Member

Re: ACS 5.1 Radius device administration error 11033

Hi,

Thanks for your help.

I'm still trying to find a way to configure ACS with RADIUS for device management.

Regards,

Thibault.

New Member

Re: ACS 5.1 Radius device administration error 11033

I've reinstalled ACS 5.0 from scratch on a VM (demo version) and it is now working fine.

Not sure about what exactly happened in the first place...

It's just a bit annoying that a fresh install or a server reboot are sometimes the only fix to a major issue.

I hope it is different with a real appliance.

New Member

ACS 5.1 Radius device administration error 11033

Hello ibault,

I am also configuring ACS 5,3 to add some AAA client switches as clients for device management using RADIUS.

Can you give me some hints?

Regards

Ajay

Silver

ACS 5.1 Radius device administration error 11033

For CLI login, the Service-Type attribute must be set to Login on the RADIUS server.

New Member

ACS 5.1 Radius device administration error 11033

Hi,

Could someone let me know how I can use the same AAA client as an 802.1x authentication server and also to work as a proxy RADIUS for device administration?

Meaning:

for 802.1x network access of users: ACS will work as authentication server

for device management: ACS will work as proxy and send the request to the ACS server.

Bronze

ACS 5.1 Radius device administration error 11033

I don't understand what you mean by "ACS will work as a proxy and send the request to an ACS server". 

Why would you want to proxy a request, just to send it to itself?

New Member

ACS 5.1 Radius device administration error 11033

Yeah, I also had this issue... It's actually pretty easy to solve!

For 'Administration of device via RADIUS' you need to use Network Access service.

Go to

Access Policies > ... > Access Services > Service Selection Rules


Check your RADIUS rule. You should have Network Access as the Service Type. Note that this cannot be modified, so delete the existing rule and create a new one with the same Identity and Authorization config.

That's it, works like a charm.
