New Member

Telnet and VPN RADIUS authentication

Hi!

Trying to configure telnet (exec) and VPN authentication via the same RADIUS server.

 

How can I differentiate EXEC and VPN logins on the RADIUS server?

 

Cisco sends Service-Type for PPPoE or some other type of auth, but doesn't send anything when I log in via telnet.

 

So I cannot see if a client logs in via telnet.

 

Have I missed something?

5 REPLIES
Cisco Employee

What type of Radius server are you using?

 

Thank you for rating helpful posts!
New Member

Using Microsoft NPS.

I can authenticate both telnet and PPPoE/PPTP, but can't tell which of the logins is EXEC.

Cisco Employee

I have done very little work with Microsoft's NPS, but from what I can recall it was very limited when it came to its functionality.

For instance, in ISE and/or ACS, you can distinguish between the two via the following attributes:

1. EndpointID - For SSH this would look like ip:source-ip=x.x.x.x, while for VPNs this field would just be populated with the public IP address of the client.

2. CVPN3000/ASA/PIX7x-Tunnel-Group-Name - This field will only be populated when doing VPNs and will reflect the name of the tunnel-group configured on the ASA.

You can check and see if NPS has either one of those attributes, but I highly doubt it. I think you can create custom RADIUS attributes in NPS, but from what I remember it was not an easy task :) However, google.com should be able to point you in the right direction.

Hope this helps!

 

Thank you for rating helpful posts!
New Member

Hi!

While trying to reply to your answer, I turned on the maximum possible debugs for the login and saw this:

Nov 16 10:00:29.186: RADIUS/ENCODE(0000000F): dropping service type, "radius-server attribute 6 on-for-login-auth" is off

so I put the command in the config:

radius-server attribute 6 on-for-login-auth

 

and then in every authentication request I see:

for Login: 

Nov 16 11:02:12.303: RADIUS:  Service-Type        [6]   6   Login                     [1]

for PPPoE/PPTP/...

Nov 16 11:02:37.475: RADIUS:  Service-Type        [6]   6   Framed                    [2]

 

 

This answers my question.

By the way, this command is mandatory for ISE according to this post http://www.ajsnetworking.com/switch-configuration-for-ise-integration-part-2-radius-server-config/

 

Thanks for participating!
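The debug output in the post above is the whole point: the server can only separate an EXEC login from a PPP/VPN session if the NAS actually puts attribute 6 (Service-Type) on the wire, which IOS does not do for vty logins until `radius-server attribute 6 on-for-login-auth` is set. The following is an added example, not code from the thread or from Cisco or Microsoft. It builds three constructed RFC 2865 Access-Requests (no captured traffic; the NAS address 192.0.2.1, the usernames and the `exec`/`network`/`unknown` labels are my own), parses the attribute TLVs the way a RADIUS server would, and shows what a policy condition on Service-Type has to work with in each case. This is the same attribute an NPS network policy's "Service Type" condition matches on; with the IOS default the attribute is simply absent, so no condition can tell the telnet request apart.

```python
import os
import struct

# RADIUS packet code and attribute numbers from RFC 2865.
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_SERVICE_TYPE = 6

# RFC 2865 Service-Type values. The thread's debug output shows IOS sending
# Login (1) for a vty login once "radius-server attribute 6 on-for-login-auth"
# is configured, and Framed (2) for PPPoE/PPTP sessions.
SERVICE_TYPE_NAMES = {1: "Login", 2: "Framed", 6: "Administrative", 7: "NAS-Prompt"}
# Labels below are my own grouping, not a RADIUS or NPS concept.
EXEC_SERVICE_TYPES = {"Login", "Administrative", "NAS-Prompt"}


def encode_attr(attr_type, value):
    """Encode one RADIUS attribute as Type(1) Length(1, incl. header) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single RADIUS attribute")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username, nas_ip, service_type=None, identifier=1):
    """Build a constructed Access-Request with the attributes relevant here.

    Only User-Name, NAS-IP-Address and (optionally) Service-Type are included;
    User-Password is omitted because it plays no part in the classification.
    """
    attrs = encode_attr(ATTR_USER_NAME, username.encode("ascii"))
    attrs += encode_attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    if service_type is not None:
        attrs += encode_attr(ATTR_SERVICE_TYPE, struct.pack("!I", service_type))
    length = 20 + len(attrs)  # 20-byte header: code, identifier, length, authenticator
    authenticator = os.urandom(16)  # Request Authenticator is random per RFC 2865
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator + attrs


def parse_attrs(packet):
    """Return (code, {attr_type: [value, ...]}) for a RADIUS packet, checking lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs.setdefault(attr_type, []).append(packet[pos + 2:pos + attr_len])
        pos += attr_len
    return code, attrs


def service_type_name(packet):
    """Name of the Service-Type in an Access-Request, or None if the NAS omitted it."""
    code, attrs = parse_attrs(packet)
    if code != ACCESS_REQUEST or ATTR_SERVICE_TYPE not in attrs:
        return None
    value = struct.unpack("!I", attrs[ATTR_SERVICE_TYPE][0])[0]
    return SERVICE_TYPE_NAMES.get(value, "Unknown(%d)" % value)


def classify_request(packet):
    """Classify as 'exec' (device login), 'network' (PPP/VPN) or 'unknown'.

    'unknown' is what the server sees for a telnet login while the NAS is at
    the IOS default and drops attribute 6: nothing in the request separates it
    from any other login, which is the situation the original poster hit.
    """
    name = service_type_name(packet)
    if name in EXEC_SERVICE_TYPES:
        return "exec"
    if name == "Framed":
        return "network"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample requests (not captured traffic) from a NAS at 192.0.2.1.
    samples = {
        "telnet, IOS default (attribute 6 dropped)": build_access_request("admin", "192.0.2.1"),
        "telnet, on-for-login-auth enabled": build_access_request("admin", "192.0.2.1", 1),
        "PPPoE/PPTP session": build_access_request("vpnuser", "192.0.2.1", 2),
    }
    for label, pkt in samples.items():
        print("%-45s Service-Type=%-8s -> %s" % (label, service_type_name(pkt), classify_request(pkt)))
```

Service-Type is asserted by the NAS, not by the user, so a policy keyed on it is only as trustworthy as the RADIUS client list and shared secret that authenticate the NAS; that is fine for separating EXEC from VPN policy on one server, but it is not a substitute for per-user authorization.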

 

 

 

Cisco Employee

Ah good catch and good job solving your own problem!! Also, thank you for coming back and taking the time to post the solution!!! (+5 from me). 

If your issue is resolved, please mark the thread as "answered" :)

Thank you for rating helpful posts!