New Member

Radius authentication problem in ONS15454

Hi,

Does anyone have a working configuration where user authentication is done by RADIUS? I've done everything as the documentation said, but still without success :-(

In the ONS log I have this info, but I cannot find any help on which attribute is wrong, even though the configuration was done step by step from the guide:

Security::General::loginEMS::Fail (Invalid Radius svc attr)(user-10.40.1.7) 0 F user

We use ACS 3.3 as RADIUS.

I set option #26.

ONS ver. 8.5

Accepted Solutions
Cisco Employee

Re: Radius authentication problem in ONS15454

Is your ACS UNIX based or Windows?

Is the ONS an ENE or GNE?

Here are the steps in the Procedure Guide for the ONS:

http://www.cisco.com/en/US/docs/optical/15000r8_5_1/15454/sonet/procedure/guide/454a851_dlp4.html#wpxref25074

Make sure you complete this:

Step 13 Click the Enable the Node as the Final Authenticator check box if you want the node to be the final authenticator. This means that if every RADIUS authenticator is unavailable, the node will authenticate the login rather than locking the user out.

Do not configure a node for RADIUS authentication until after you have added that node to the RADIUS server and added the RADIUS server to the list of authenticators. If you do not add the node to a RADIUS server prior to activating RADIUS authentication, no user will be able to access the node unless you complete Step 13.

On the Windows ACS here are the steps:

1. Add the ONS as an AAA client

2. Enable Per-user TACACS+/RADIUS Attributes

3. Enable Per-user Service Type

4. Create the User

5. Set the Cisco IOS/PIX 6.x RADIUS Attributes

[009\001] cisco-av-pair

shell:priv-lvl=3

Where:

The following Cisco vendor-specific attribute (VSA) needs to be specified when adding users to the RADIUS server:

shell:priv-lvl=N, where N is:

0 for Retrieve User

1 for Maintenance User

2 for Provisioning User

3 for Super User.

6. Set the IETF RADIUS Attributes

[006] Service-Type = Login
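
One way to check an Access-Accept against steps 5 and 6 above, as an added example that is not part of the original thread or of Cisco's documentation: it walks the RADIUS attribute TLVs and reports a missing or wrong Service-Type or shell:priv-lvl. The function names are hypothetical and the packets are constructed samples; the attribute numbers follow the standard RADIUS encoding (Service-Type 6 with Login = 1, Vendor-Specific 26, Cisco vendor 9 sub-type 1).

```python
import struct

ACCESS_ACCEPT, SERVICE_TYPE_LOGIN = 2, 1
SERVICE_TYPE, VENDOR_SPECIFIC = 6, 26   # IETF attribute numbers
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1    # the "[009\001] cisco-av-pair" entry
ONS_LEVELS = {"0": "Retrieve", "1": "Maintenance", "2": "Provisioning", "3": "Super User"}

def parse_attributes(packet):
    """Return (code, [(type, value), ...]) from a raw RADIUS packet."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20                 # attributes follow the 20-byte header
    while pos < length:
        alen = packet[pos + 1] if length - pos >= 2 else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((packet[pos], packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs

def check_accept(packet):
    """Return a list of mismatches against steps 5 and 6 of the answer."""
    code, attrs = parse_attributes(packet)
    problems = [] if code == ACCESS_ACCEPT else ["not an Access-Accept (code %d)" % code]
    service = [struct.unpack("!I", v)[0] for t, v in attrs if t == SERVICE_TYPE and len(v) == 4]
    if service != [SERVICE_TYPE_LOGIN]:
        problems.append("Service-Type must be Login (1), got %r" % service)
    levels = []
    for v in (v for t, v in attrs if t == VENDOR_SPECIFIC and len(v) >= 6):
        vendor, vtype, vlen = struct.unpack("!IBB", v[:6])
        if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
            pair = v[6:4 + vlen].decode("ascii", "replace")
            if pair.startswith("shell:priv-lvl="):
                levels.append(pair.split("=", 1)[1])
    if len(levels) != 1 or levels[0] not in ONS_LEVELS:
        problems.append("need exactly one shell:priv-lvl=0..3, got %r" % levels)
    return problems

def build_packet(code, attrs):          # helper for the constructed samples only
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

def avpair(text):                       # Cisco VSA payload: vendor 9, sub-type 1
    return struct.pack("!IBB", 9, 1, len(text) + 2) + text.encode("ascii")

# Constructed samples (not captures): steps 5 and 6 applied, then Service-Type missing.
GOOD = build_packet(2, [(6, struct.pack("!I", 1)), (26, avpair("shell:priv-lvl=3"))])
NO_SERVICE_TYPE = build_packet(2, [(26, avpair("shell:priv-lvl=3"))])
```

Feed `check_accept` the raw UDP payload of the server's reply taken from a packet capture; an empty list means both attributes from the answer are present and well formed.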

New Member

Re: Radius authentication problem in ONS15454

Thanks for the quick reply.

ACS is Windows based

ONS is ENE

Everything you mentioned I've already done, but the last one with Service-Type can be the solution.

I'll check this with the customer on Monday.

I hope that this will help :-)

Thanks & have a nice weekend
