
New Member

Multi-Vendor Authorization

Hi

I'm trying to use ACS 3.0 to perform authorization onto exec level on multiple vendors' network equipment. I'm able to use the ACS server to authorize a user onto a Cisco switch and set the exec priv level if there are no RADIUS attributes defined for any other vendor. However, once I add in the attributes for authorization and priv level on our Enterasys switches I lose the ability to access the Cisco switches but can access the Enterasys ones.

I see the following errors on the debug on the cisco box.

1d05h: AAA: parse name=tty1 idb type=-1 tty=-1
1d05h: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
1d05h: AAA/MEMORY: create_user (0x80CA24B4) user='' ruser='' port='tty1' rem_addr='10.133.152.144' authen_type=ASCII service=LOGIN priv=1
1d05h: AAA/AUTHEN/START (647308947): port='tty1' list='' action=LOGIN service=LOGIN
1d05h: AAA/AUTHEN/START (647308947): using "default" list
1d05h: AAA/AUTHEN/START (647308947): Method=radius (radius)
1d05h: AAA/AUTHEN (647308947): status = GETUSER
1d05h: AAA/AUTHEN/CONT (647308947): continue
1d05h: AAA/AUTHEN (647308947): status = GETUSER
1d05h: AAA/AUTHEN (647308947): Method=radius (radius)
1d05h: AAA/AUTHEN (647308947): status = GETPASS
1d05h: AAA/AUTHEN/CONT (647308947): continue_login (user='webstm02')
1d05h: AAA/AUTHEN (647308947): status = GETPASS
1d05h: AAA/AUTHEN (647308947): Method=radius (radius)
1d05h: RADIUS: ustruct sharecount=1
1d05h: RADIUS: Initial Transmit tty1 id 24 10.129.1.167:1812, Access-Request, len 82
1d05h: Attribute 4 6 0A8108FE
1d05h: Attribute 5 6 0000000
1d05h: Attribute 61 6 00000005
1d05h: Attribute 1 10 77656273
1d05h: Attribute 31 16 31302E31
1d05h: Attribute 2 18 D597882A
1d05h: RADIUS: Received from id 24 10.129.1.167:1812, Access-Accept, len 145
1d05h: Attribute 26 59 0000000901356169
1d05h: Attribute 26 25 0000000901137368
1d05h: Attribute 6 6 00000007
1d05h: Attribute 11 29 456E7465
1d05h: Attribute 8 6 FFFFFFFF
1d05h: RADIUS: saved authorization data for user 80CA24B4 at 80CA25DC
1d05h: AAA/AUTHEN (647308947): status = PASS
1d05h: tty1 AAA/AUTHOR/EXEC (904302638): Port='tty1' list='' service=EXEC
1d05h: AAA/AUTHOR/EXEC: tty1 (904302638) user='webstm02'
1d05h: tty1 AAA/AUTHOR/EXEC (904302638): send AV service=shell
1d05h: tty1 AAA/AUTHOR/EXEC (904302638): send AV cmd*
1d05h: tty1 AAA/AUTHOR/EXEC (904302638): found list "default"
1d05h: tty1 AAA/AUTHOR/EXEC (904302638): Method=radius (radius)
1d05h: RADIUS: cisco AVPair "aironet:admin-capability=write+ident+admin+firmware" not applied for shell
1d05h: RADIUS: Bad attribute (Inapplicable attribute): type 26 len 59 data 0x9
1d05h: RADIUS: cisco AVPair "shell:priv-lvl=15"
1d05h: RADIUS: Bad attribute (Inapplicable attribute): type 26 len 25 data 0x9
1d05h: AAA/AUTHOR (904302638): Post authorization status = PASS_ADD
1d05h: AAA/AUTHOR/EXEC: Processing AV service=shell
1d05h: AAA/AUTHOR/EXEC: Processing AV cmd*
1d05h: AAA/AUTHOR/EXEC: Processing AV priv-lvl=15
1d05h: AAA/AUTHOR/EXEC: Processing AV acl=Enterasys:version=1:mgmt=su
1d05h: AAA/AUTHOR/EXEC: received invalid access-class value 0. (Should be 1 - 199)
1d05h: AAA/AUTHOR/EXEC: acl Enterasys:version=1:mgmt=su does not exist.
1d05h: AAA/AUTHOR/EXEC: Authorization FAILED
1d05h: AAA/MEMORY: free_user (0x80CA24B4) user='webstm02' ruser='' port='tty1' rem_addr='10.133.152.144' authen_type=ASCII service=LOGIN priv=1

Any clues greatly appreciated.

2 REPLIES
Silver

Re: Multi-Vendor Authorization

Make sure you have properly configured the Authorization parameters in the correct manner.

Authorization Parameters

The following authentication server attribute value (AV) pair is returned to the access point for an administrator login request:

This is RADIUS attribute #26, Cisco Vendor ID #9, type #1 --- string.

Cisco:Avpair = "aironet:admin-capability=write+snmp+ident+firmware+admin"

Any combination of capabilities is returned with this attribute, for example:

• Cisco:Avpair = "aironet:admin-capability=ident+admin"

• Cisco:Avpair = "aironet:admin-capability=admin"

The following is an example Livingston RADIUS server users file entry:

User password = "aironet"

Service-Type = Outbound

cisco-avpair = "aironet:admin-capability=ident+admin"

New Member

Re: Multi-Vendor Authorization

I'm pretty sure I've got the aironet stuff right... The problem seems to be the Cisco switches getting upset with the Enterasys attributes.

Is there any way of getting them to ignore non-Cisco attributes?
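The debug in the question shows the Access-Accept carrying two Cisco AV pairs plus a Filter-Id (attribute 11) whose value is the Enterasys management string, and IOS turns that Filter-Id into an access-class lookup that fails. The decoder below is an added example, not code from the thread; it assumes the RFC 2865 attribute numbers and takes the Filter-Id-to-acl behaviour from the debug lines themselves.

```python
import re
# RFC 2865 attribute numbers present in the Access-Accept of the debug above
ATTR_NAMES = {6: "Service-Type", 8: "Framed-IP-Address", 11: "Filter-Id", 26: "Vendor-Specific"}
CISCO_VENDOR_ID = 9  # vendor id in the first four VSA bytes; vendor type 1 is cisco-avpair
ATTR_RE = re.compile(r"Attribute (\d+) (\d+) ([0-9A-Fa-f]+)")

def parse_attr(line):
    """Return (type, length, data_preview) for one 'Attribute t l hex' line, else None."""
    m = ATTR_RE.search(line)
    if not m:
        return None
    h = m.group(3)  # IOS prints only leading bytes and may cut mid-byte ('0000000')
    return int(m.group(1)), int(m.group(2)), bytes.fromhex(h[: len(h) // 2 * 2])

def describe(attr):
    """Return (name, note): how IOS EXEC authorization treats this attribute."""
    atype, _alen, data = attr
    name = ATTR_NAMES.get(atype, f"Attribute-{atype}")
    if atype == 26 and len(data) >= 5:
        vendor, vtype = int.from_bytes(data[:4], "big"), data[4]
        if vendor == CISCO_VENDOR_ID and vtype == 1:
            return name, "cisco-avpair: only shell:* pairs apply to EXEC, others log 'not applied'"
        return name, f"vendor {vendor} type {vtype}: not a Cisco VSA, ignored"
    if atype == 11:  # IOS rewrites Filter-Id as the AV pair acl=<value> and looks up an access-class
        return name, f"acl={data.decode('ascii', 'replace')}... must name an existing numbered ACL"
    return name, data.hex()

def audit_accept(debug_lines):
    """Collect the Access-Accept's attributes; return (parsed, problems) for EXEC authorization."""
    parsed, problems, in_accept = [], [], False
    for line in debug_lines:
        if "Access-Accept" in line:
            in_accept = True
            continue
        attr = parse_attr(line) if in_accept else None
        if attr is None:
            continue
        name, note = describe(attr)
        parsed.append((name, note))
        if attr[0] == 11 and not attr[2].isdigit():  # Filter-Id that is not a numbered ACL
            problems.append(f"{name}: {note}")
    return parsed, problems
# Access-Accept part of the debug in the question (constructed copy of those lines)
SAMPLE = """1d05h: RADIUS: Received from id 24 10.129.1.167:1812, Access-Accept, len 145
1d05h: Attribute 26 59 0000000901356169
1d05h: Attribute 26 25 0000000901137368
1d05h: Attribute 6 6 00000007
1d05h: Attribute 11 29 456E7465
1d05h: Attribute 8 6 FFFFFFFF""".splitlines()
```

Running audit_accept(SAMPLE) reports the Filter-Id as the only attribute that blocks EXEC authorization; the two cisco-avpairs are Cisco VSAs and are handled by the aironet/shell logic shown in the debug.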
