Attribute 6 of RADIUS is used to identify the Service Type this RADIUS request is used for; the values are usually Admin, NAS Port, Remote access and some other values which I don't have off the top of my head. Check on the ACS attributes if the profile is configured to allow admin logins for this device. See also if you can get the full RADIUS debug on the box, since I have seen lots of times that the router/switch sends this attribute 6 error and it is not always the cause of the problem.
I am trying to test the Web Auth feature on the Cisco 3750 with the ACS 5.1 VMware image.
the authentication page when I try to put the credentials I get Auth Failed. On the Cisco switch, when I did the RADIUS debug, I am getting the error below:
RADIUS/ENCODE(0000000B): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Then I get the Access-Reject message from the ACS and am unable to authenticate.
Can anyone suggest what this error means and what the resolution is?
If this command is configured and the Service-Type attribute is absent in the Access-Accept message packets, the authentication or authorization fails. When you have configured radius-server attribute 6 on-for-login-auth in Cisco devices, it sends the Service-Type attribute in the authentication packets.
Note: The Service-Type attribute is sent by default in RADIUS Accept-Request messages. Therefore, RADIUS tunnel profiles should include "Service-Type=Outbound" as a check item, not just as a reply item. Failure to include Service-Type=Outbound as a check item can result in a security hole.