Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
608
Views
0
Helpful
1
Replies

CNA and aaa authentication

rhodrijenkins
Level 1
Level 1

‎05-14-2006 06:27 PM - edited ‎03-10-2019 02:35 PM

I'm using a radius server to control telnet access to my infrstructure devices. Since enabling this, I can no longer log in via CNA. Have tried using http auth local aswell as via Radius.

My config is thus:

aaa new-model

aaa authentication login default group radius local

aaa authentication enable default group radius enable

aaa authorization exec default group radius local

ip http server

ip http authentication aaa

radius-server host x.x.x.x auth-port 1645 acct-port 1646

radius-server source-ports 1645-1646

radius-server directed-request

radius-server key 7 xxxxxx

When I debug radius auth I get the following - note the line:type, "radius-server attribute 6 on-for-login-auth" is off.

I can't see what I've done wrong. Any ideas?

debug radius auth:

138905850: 1y2w: RADIUS/ENCODE(00000000): dropping service type, "radius-server attribute 6 on-for-login-auth" is off

138905851: 1y2w: RADIUS(00000000): Config NAS IP: 0.0.0.0

138905852: 1y2w: RADIUS(00000000): sending

138905853: 1y2w: RADIUS/ENCODE: Best Local IP-Address x.x.x.x for Radius-Server x.x.x.x

138905854: 1y2w: RADIUS(00000000): Send Access-Request to x.x.x.x:1645 id 1645/56, len 53

138905855: 1y2w: RADIUS: authenticator B9 CA 82 45 46 B5 3A CD - D9 FB DC 20 C9 75 67 F5

138905856: 1y2w: RADIUS: User-Name [1] 9 "uid"

138905857: 1y2w: RADIUS: User-Password [2] 18 *

138905858: 1y2w: RADIUS: NAS-IP-Address [4] 6 x.x.x.x

138905859: 1y2w: RADIUS: Received from id 1645/56 x.x.x.x:1645, Access-Accept, len 51

138905860: 1y2w: RADIUS: authenticator 04 30 24 7E 88 4E 49 E2 - C2 01 65 FC 1F 2C EF 59

138905861: 1y2w: RADIUS: Vendor, Cisco [26] 25

138905862: 1y2w: RADIUS: Cisco AVpair [1] 19 "shell:priv-lvl=15"

138905863: 1y2w: RADIUS: Service-Type [6] 6 Login [1]

138905864: 1y2w: RADIUS(00000000): Received from id 1645/56

Labels:
0 Helpful
1 Reply 1

a.kiprawih
Level 7
Level 7

‎05-14-2006 09:58 PM

Hi,

What is the value set under Group Settings for Radius AV Pair for attribute 6 (Service-Type)?

# In a request:

- Framed—For known PPP or SLIP (Serial Line Internet Protocol) connection.

- Administrative User—For enable command.

# In a response:

- Login—Make a connection.

- Framed—Start SLIP or PPP.

- Administrative User—Start an EXEC or enable ok.

- Exec User—Start an EXEC session.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a0080102172.html

Rgds,

AK

0 Helpful
Customers Also Viewed These Support Documents