Cisco Support Community
ISE Radius - Access-accept is returned with no autorization policy

Hello,

With the ISE RADIUS service / PAP, the authentication passes OK, but the Network Element which sends the authorization request returns the message "not enough user privileges to execute command" and the HTTP page is blank.

The reason for that is that the Network Element is sending the Access-Request with Service-Type value = 8, which means Authenticate-Only (and this can be seen at ISE). This causes the RADIUS server to authenticate, but not to send the authorization parameters back to the NE in the Access-Accept, causing the login to fail. A bit from the RFC:

5.6.  Service-Type

   Description

      This Attribute indicates the type of service the user has
      requested, or the type of service to be provided.  It MAY be used
      in both Access-Request and Access-Accept packets.  A NAS is not
      required to implement all of these service types, and MUST treat
      unknown or unsupported Service-Types as though an Access-Reject
      had been received instead.

   Type

      6 for Service-Type.

      The Value field is four octets.

       1      Login
       2      Framed
       3      Callback Login
       4      Callback Framed
       5      Outbound
       6      Administrative
       7      NAS Prompt
       8      Authenticate Only
       9      Callback NAS Prompt
      10      Call Check
      11      Callback Administrative

There is no way to modify the value on the network element in the Access-Request packet.

Question: Is there a way for Cisco ISE to ignore the Service-Type value (Authenticate Only) and return the authorization parameters back in the Access-Accept packet?

Thanks,

Lucho
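The exchange described above, as an added example that is not part of the original thread and is not ISE's or the Network Element's code: a minimal RFC 2865 PAP client and server in Python. The NAS sends an Access-Request carrying User-Name, a hidden User-Password and Service-Type; the server authenticates and, when Service-Type is 8 (Authenticate Only), answers with an Access-Accept that carries no authorization attributes, exactly as the post observes. The shared secret `testing123`, the user `lucho`/`s3cret`, and the use of Service-Type = Administrative as a stand-in for "the authorization the NE needs" are all constructed for this example.

```python
"""RFC 2865 Access-Request / Access-Accept exchange, showing why a Service-Type of
8 (Authenticate Only) yields an Accept with no authorization attributes.
Added example, not code from the original post; the NAS, server and user are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3          # packet codes
USER_NAME, USER_PASSWORD, SERVICE_TYPE = 1, 2, 6                # attribute types
# Service-Type values from RFC 2865 section 5.6 (the table quoted in the post)
SERVICE_TYPES = {1: "Login", 2: "Framed", 3: "Callback Login", 4: "Callback Framed",
                 5: "Outbound", 6: "Administrative", 7: "NAS Prompt",
                 8: "Authenticate Only", 9: "Callback NAS Prompt",
                 10: "Call Check", 11: "Callback Administrative"}
AUTHENTICATE_ONLY, ADMINISTRATIVE = 8, 6
USERS = {b"lucho": b"s3cret"}   # constructed credential store standing in for the identity store


def hide_password(password, secret, request_auth):
    """User-Password hiding (RFC 2865 5.2): pad to 16-octet blocks, XOR block i with
    MD5(secret + previous cipher block); the first block is keyed with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, key))
    return out.rstrip(b"\x00")

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)

def build_request(ident, request_auth, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body

def build_response(code, ident, attrs, request_auth, secret):
    """Response Authenticator (RFC 2865 3): MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def parse(data):
    """Decode header and TLV attributes, rejecting malformed length fields."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return {"code": code, "id": ident, "auth": data[4:20], "attrs": attrs}

def server_handle(packet, secret):
    """Server side: PAP check, then authorization attributes only when the NAS asked
    for them. RFC 2865 5.6 says Authenticate Only means no authorization information
    needs to be returned, which is the behaviour the post observes on ISE."""
    req = parse(packet)
    attrs = dict(req["attrs"])
    user, hidden = attrs.get(USER_NAME), attrs.get(USER_PASSWORD)
    if user is None or hidden is None or USERS.get(user) != reveal_password(hidden, secret, req["auth"]):
        return build_response(ACCESS_REJECT, req["id"], [], req["auth"], secret)
    service = struct.unpack("!I", attrs.get(SERVICE_TYPE, b"\0\0\0\0"))[0]
    authz = []
    if service != AUTHENTICATE_ONLY:
        # Constructed stand-in for whatever authorization attributes the NE needs
        authz.append((SERVICE_TYPE, struct.pack("!I", ADMINISTRATIVE)))
    return build_response(ACCESS_ACCEPT, req["id"], authz, req["auth"], secret)

def run_exchange(user, password, service_type, secret=b"testing123"):
    """NAS side: build the Access-Request, hand it to the server, verify the
    Response Authenticator before trusting the answer, and return the parsed reply."""
    request_auth = os.urandom(16)
    attrs = [(USER_NAME, user), (USER_PASSWORD, hide_password(password, secret, request_auth)),
             (SERVICE_TYPE, struct.pack("!I", service_type))]
    reply = server_handle(build_request(7, request_auth, attrs), secret)
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("Response Authenticator mismatch: reply not from our server")
    return parse(reply)

if __name__ == "__main__":
    for st in (AUTHENTICATE_ONLY, 1):
        r = run_exchange(b"lucho", b"s3cret", st)
        print(f"Service-Type {st} ({SERVICE_TYPES[st]}): code={r['code']} authz={r['attrs']}")
```

Running it prints an Accept with an empty attribute list for Service-Type 8 and an Accept carrying the stand-in attribute for Service-Type 1, so the fix has to be on whichever side chooses the Service-Type in the request. Two caveats for anyone capturing a real exchange: the Response Authenticator check in `run_exchange` is what stops a spoofed Accept from being trusted, and the MD5-based password hiding is only as strong as the shared secret, which is why the Access-Request of a PAP login should never cross an untrusted network.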

1 REPLY

Lucho,

I checked the RFC and the answer is no; the RFC states that no authorization information needs to be returned for this request.

http://www.ietf.org/rfc/rfc2865.txt

Thanks,

Tarik

Tarik Admani *Please rate helpful posts*