A customer is using a telecom provider to provide remote access into their network via 3G. They provide the dialup service, but pass through the authentication request to the customer ACS via radius, which in turn passes back an IP address to the client once authenticated.
I am trying to figure out how to pass them the DNS servers they need to resolve internal resources. I tried using cisco-av-pair in RADIUS (Cisco / IOS) but it doesn't seem to get sent (I am not really surprised).
What I don't follow is why option 026 is missing from the Interface Configuration / RADIUS (IETF) settings. If I could enable that, I could add the attribute to the group containing the servers.
Attribute 26 is not missing from ACS, attribute 26 is vendor specific so in ACS we have the option to import any vendor attributes you would like to use. In the case of cisco-av-pair this is already imported. On your NAS definition in ACS choose RADIUS (Cisco IOS/PIX 6.0) as your Authenticate Using value. Then go to the group that your user is a part of, edit settings then use the Jump To box at the top and choose RADIUS (Cisco IOS/Pix 6.0). The cisco-av-pair attribute should be the first attribute avaliable to define. (Note ACS only displays attributes if you have a Network Device defined to use the attribute type, also ACS will only send the attribute if the device is defined as that RADIUS type, IETF attributes are always sent.)
If you still do not see the cisco-av-pair attribute in the group configuration make sure it is enabled in the interface under Interface Configuration -> Radius (Cisco IOS/PIX 6.0).
That makes perfect sense. We have IETF attributes, then vendor attributes brought in via the import.
So for the NAS I am referring to, this is already Cisco IOS / PIX, and I have enabled the attribute so I can set it, and I have added the ip:dns-servers setting to the user I want to be allocated the DNS servers.
However, in the cisco-av-pair in the log comes up blank: ".." which lead me to believe that the way I had set it up was incorrect as the av pair weren't appearing to be set.
So I posted this here.
It is difficult to see whether this is working from the customer end, as they get the standard 3G dns servers no matter what - 10.11.12.13.
Should I consider the absent av pair in the log a sign it isn't working or look further along the chain to see where it is getting lost?
Can you attach screen shots of your Network Device configuration for this router and the group setting where you are configuring the RADIUS attributes. If you are setting this under the cisco-av-pair box and your device is set to RADIUS (Cisco IOS/PIX) then the attribute should be sent.
It turns out that the end device is not listening for cisco-av-pair, instead I am sending the dns servers using IETF 135-137. Under ACS, these attributes form part of the Ascend vendor attributes rather than IETF.
The upstream RADIUS server (the client to this one) is configured as an AAA Client, with Authenticate Using: RADIUS (IETF). Does this means that it won't send through the attributes in the Ascend group, even if I have those attributes configured in the Users settings?
This is certainly how it appears to behave, sniffing the radius packets shows that attributes 135-137 are not being passed upstream.
If this is the case, then changing the AAA Client configuration to RADIUS (Ascend) would mean that the 135-137 attributes were pushed through, but then would that mean that the attributes in IETF RADIUS would no longer be passed through? I have attributes in both groups that are required.
Lastly, I have per user radius attributes enabled in Advanced options of Interface Configuration. I am assuming that if I have a per-user RADIUS attribute set, then the user setting wins over the group setting, if the group has the same attribute unticked?
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :