Cisco Support Community
New Member

12.2(11)JA1 & Admin Access via RADIUS/ACS3.2

Hi,

the problem:

I am not able to authenticate the administrator for an aironet1200 AP with 12.2(11)JA1-Firmware over an external RADIUS-Server (Cisco ACS3.2).

the configuration:

Aironet1200:

1. Security->Admin Access->Administrator Authenticated by:->Authentication Server if not found in Local List

2. Server Manager-> Current Server List ->RADIUS->IP,shared-Secret,default Auth. And Acc-Ports, Admin Authentication

ACS 3.2:

1. Network Configuration->New AAA Client-> AAA Client IP Address, Shared Secret-> Authenticate Using=RADIUS (Cisco IOS/PIX)

2. Interface Configuration-> RADIUS (Cisco IOS/PIX)-> [026/009/001] cisco-av-pair for User and Group

3. User Setup->Add User->Username,Password->[ 009\001] cisco-av-pair = aironet:admin-capability=write+ident+admin+firmware

the symptoms:

1. I can't log in to the Web-Interface. The login dialog just does not disappear.

2. I can't log in via telnet. The feedback: % Authentication failed

3. ACS says at Report and Activity->Passed Authentication->Authen O.K !!!

4. The radius debugging on Aironet 12000 shows following:

*Mar 1 17:09:51.359: Radius: radius_port_info() success=1 radius_nas_port=1

*Mar 1 17:09:51.359: RADIUS: added cisco VSA 2 len 4 "tty2"

*Mar 1 17:09:51.360: RADIUS: Send to tty2 id 23 193.22.125.123:1645, Access-Request, len 93

*Mar 1 17:09:51.360: RADIUS: authenticator 1A 74 6C 37 29 55 BA 52 - 07 D6 A1 B8 D7 67 60 CF

*Mar 1 17:09:51.361: RADIUS: NAS-IP-Address [4] 6 193.22.125.124

*Mar 1 17:09:51.361: RADIUS: NAS-Port [5] 6 2

*Mar 1 17:09:51.361: RADIUS: Vendor, Cisco [26] 12

*Mar 1 17:09:51.361: RADIUS: cisco-nas-port [2] 6 "tty2"

*Mar 1 17:09:51.361: RADIUS: NAS-Port-Type [61] 6 Virtual [5]

*Mar 1 17:09:51.361: RADIUS: User-Name [1] 10 "abrancat"

*Mar 1 17:09:51.361: RADIUS: Calling-Station-Id [31] 15 "193.22.125.41"

*Mar 1 17:09:51.361: RADIUS: User-Password [2] 18 *

*Mar 1 17:09:51.381: RADIUS: Received from id 23 193.22.125.123:1645, Access-Accept, len 109

*Mar 1 17:09:51.381: RADIUS: authenticator 5A 36 0F C0 33 71 22 A3 - 33 8E 2E D3 1D A2 88 39

*Mar 1 17:09:51.381: RADIUS: Vendor, Cisco [26] 59

*Mar 1 17:09:51.381: RADIUS: Cisco AVpair [1] 53 "aironet:admin-capability=write+ident+admin+firmware"

*Mar 1 17:09:51.382: RADIUS: Class [25] 30

*Mar 1 17:09:51.382: RADIUS: 43 49 53 43 4F 41 43 53 3A 30 30 30 30 30 39 30 [CISCOACS:0000090]

*Mar 1 17:09:51.383: RADIUS: 34 2F 63 31 31 36 37 64 37 63 2F 32 [4/c1167d7c/2]

*Mar 1 17:09:51.383: RADIUS: saved authorization data for user 8A9F74 at 90C254

*Mar 1 17:09:51.383: RADIUS: cisco AVPair "aironet:admin-capability=write+ident+admin+firmware" not applied for shell

What have I done wrong?

Kind regards

Angelo Brancato
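
The debug output in the post shows an Access-Accept followed by an AV pair logged as "not applied for shell". The following is an added example, not part of the original post: a small parser that scans pasted debug text for exactly that sequence. The sample lines are copied from the post; the function names and regular expressions are assumptions made for illustration.

```python
import re

# Lines copied from the debug output in the post, terminal wraps left as posted.
SAMPLE = """\
*Mar 1 17:09:51.360: RADIUS: Send to tty2 id 23 193.22.125.123:1645, Access-Req
uest, len 93
*Mar 1 17:09:51.361: RADIUS: User-Name [1] 10 "abrancat"
*Mar 1 17:09:51.381: RADIUS: Received from id 23 193.22.125.123:1645, Access-Ac
cept, len 109
*Mar 1 17:09:51.383: RADIUS: cisco AVPair "aironet:admin-capability=write+ident
+admin+firmware" not applied for shell
"""

STAMP = re.compile(r"^\*\w{3}\s+\d+\s+\d\d:\d\d:\d\d")
SEND = re.compile(r"RADIUS: Send to \S+ id (\d+) (\S+?), Access-\w+")
RECV = re.compile(r"RADIUS: Received from id (\d+) (\S+?), (Access-\w+)")
USER = re.compile(r'RADIUS: User-Name\s+\[1\]\s+\d+\s+"([^"]*)"')
NOT_APPLIED = re.compile(r'RADIUS: cisco AVPair "([^"]*)" not applied for (\w+)')


def unwrap(text):
    """Rejoin wrapped output: a line without a '*Mon d hh:mm:ss' stamp continues the previous one."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if STAMP.match(line) or not out:
            out.append(line.rstrip())
        else:
            out[-1] += line.strip()  # the wraps here split mid-token, so no separator
    return out


def find_unapplied_authorization(text):
    """Report each Access-Accept after which the AP logged an AV pair as 'not applied'."""
    pending, last_id, accepted, findings = {}, None, None, []
    for line in unwrap(text):
        if m := SEND.search(line):
            last_id = m.group(1)
            pending[last_id] = {"id": int(last_id), "server": m.group(2), "user": None}
        elif (m := USER.search(line)) and last_id in pending:
            pending[last_id]["user"] = m.group(1)
        elif m := RECV.search(line):
            request = pending.pop(m.group(1), None)
            accepted = request if request and m.group(3) == "Access-Accept" else None
        elif (m := NOT_APPLIED.search(line)) and accepted:
            findings.append({**accepted, "avpair": m.group(1), "service": m.group(2)})
    return findings
```

Each finding pairs the accepted request (id, server, user) with the attribute the access point declined to apply, which separates an authorization problem on the device from an authentication problem on the server.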

1 REPLY
Silver

Re: 12.2(11)JA1 & Admin Access via RADIUS/ACS3.2

I think this is a known issue; not sure if there's any workaround, but if the admin is configured in an internal database this will work fine.
