Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

Radius Error Message:radius-server attribute 6 on-for-login-auth" is off

I am trying to test the Web Auth Feature on the Cisco 3750 with ACS 5.1 VM ware image.

On the authentication page when I try to put the credentials I get Auth Failed . On the Cisco switch when I did the Radius Debug I am geting error as below

RADIUS/ENCODE(0000000B): dropping service type, "radius-server attribute 6 on-for-login-auth" is off

Then I get the Access-Reject message from the ACS and unable to authenticate.

Can any one suggest what this error means and what is the resolution.

Regards

2 REPLIES

Re: Radius Error Message:radius-server attribute 6 on-for-login-

Hi Yusuf,

Attribute 6 of radius is used to identify the Service Type this radius request is used for, the values are usually Admin, NAS Port, Remote access and some other vaues which I don't have on top of my head. Check on the ACS attibutes if the profile is configured to allow admin logins for this device. See also if you can get the full radius debug on the box since I have seen lots of times that the router/switch sends this attribute 6 error and it is not always the cause of the problem.

Re: Radius Error Message:radius-server attribute 6 on-for-login-

I am trying to test the Web Auth Feature on the Cisco 3750 with ACS 5.1 VM ware image.

On the authentication page when I try to put the credentials I get Auth Failed . On the Cisco switch when I did the Radius Debug I am geting error as below

RADIUS/ENCODE(0000000B): dropping service type, "radius-server attribute 6 on-for-login-auth" is off

Then I get the Access-Reject message from the ACS and unable to authenticate.

Can any one suggest what this error means and what is the resolution.

Regards

Hi ,

If this command is configured and the Service-Type attribute is absent in the Access-Accept message packets, the authentication or authorization fails.when you have configured radius-server attribute 6 on-for-login-auth in cisco devices it sends the  Service-Type attribute in the authentication packets.

Note :- The Service-Type attribute is sent by default in RADIUS Accept-Request messages. Therefore, RADIUS tunnel profiles should include "Service-Type=Outbound" as a check item, not just as a reply item. Failure to include Service-Type=Outbound as a check item can result in a security hole.

HTH

Ganesh.H

7202
Views
5
Helpful
2
Replies
CreatePlease to create content