Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Accounting with Cisco switch

  • 1.  Accounting with Cisco switch

    Posted Jun 22, 2014 07:39 AM
    Hi,
    I'm trying to test accounting between CPPM and Cisco.

    I'm providing the Class attribute in the RADIUS return to the switch, but when I check accounting on CPPM, I'm not seeing the Class attribute from the switch.

    I have put all related aaa accounting commands and also the radius vsa accounting command on the Cisco. The switch is a 3750X and the IOS is 15.0 SE.

    Any guidance in this regard?


  • 2.  RE: Accounting with Cisco switch

    Posted Jun 22, 2014 01:30 PM

    Start a packet capture to check if the switch actually sends the information.



  • 3.  RE: Accounting with Cisco switch

    EMPLOYEE
    Posted Jun 22, 2014 02:22 PM

    @atifj wrote:
    Hi,
    I'm trying to test accounting between CPPM and Cisco.

    I'm providing the Class attribute in the RADIUS return to the switch, but when I check accounting on CPPM, I'm not seeing the Class attribute from the switch.

    I have put all related aaa accounting commands and also the radius vsa accounting command on the Cisco. The switch is a 3750X and the IOS is 15.0 SE.

    Any guidance in this regard?

    atifj,

    RADIUS accounting and RADIUS attributes are two different things. RADIUS accounting would have to occur after successful authentication. First things first... is authentication even happening?



  • 4.  RE: Accounting with Cisco switch

    EMPLOYEE
    Posted Jun 22, 2014 05:45 PM

    https://afp.arubanetworks.com/afp/index.php/Tacacs_command_authorization

    First, we configure the TACACS server on the Cisco box:
    Switch(config)# tacacs-server host 172.16.16.200 key aruba123
    (Note that in some versions of IOS the key must be entered on a separate line of config: tacacs-server key aruba123)

    Next we set up AAA authentication:
    Switch(config)# aaa authentication login default group tacacs+ local
    Switch(config)# aaa authentication enable default group tacacs+ enable
    This tells the switch, for login attempts, to first look at TACACS and, if that is unreachable, to use the local database. When a user types "enable" to gain privileged-mode access, it first checks TACACS and, if that is unreachable, uses the locally stored enable password or secret.

    Now we set up AAA authorization for commands:
    Switch(config)# aaa authorization commands 0 default group tacacs+ none
    Switch(config)# aaa authorization commands 1 default group tacacs+ none
    Switch(config)# aaa authorization commands 15 default group tacacs+ none
    This sends all commands entered at privilege levels 0, 1 and 15 to the configured TACACS server (CPPM) for authorization and, failing that, it disallows the command.

    Levels 0, 1 and 15 map to the following:

    • level 0—Includes the disable, enable, exit, help, and logout commands
    • level 1—Includes all user-level commands at the router> prompt
    • level 15—Includes all enable-level commands at the router# prompt

    Lastly, if you want to audit Cisco config commands:
    Switch(config)# aaa authorization config-commands
    This instructs the switch to run all config-level commands through TACACS for authorization.

    Be a good little Cisco admin:
    Switch(config)# exit
    Switch# write mem



  • 5.  RE: Accounting with Cisco switch

    Posted Jun 23, 2014 05:20 AM

    Authentication is completing successfully.

    My scenario is that I am using a Cisco switch for dot1x authentication of the PCs connected to it.

    My requirement is that I am sending the Class attribute to the Cisco switch. Once the PC is authenticated with CPPM, I add the CLASS attribute in the VLAN enforcement so that the PC gets a VLAN according to the test and the Class attribute, and I want that Class attribute back in the accounting packet.

    I am doing this to send accounting packets to a firewall so that, if any user's traffic reaches the firewall without authentication with CPPM, the firewall blocks that traffic.

    Any help?

    My Cisco switch configuration is:

    aaa new-model
    !
    aaa authentication login VTY group radius local
    aaa authentication dot1x default group radius
    aaa authorization exec VTY group radius local
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting auth-proxy default start-stop group radius
    aaa accounting dot1x default start-stop group radius
    aaa accounting exec default start-stop group radius
    !
    aaa server radius dynamic-author
     client 192.168.1.100 server-key XXXXX
    !
    aaa session-id common
    !
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 1
    radius-server host 192.68.1.100 auth-port 1645 acct-port 1646 key XXXXX
    radius-server deadtime 1
    radius-server vsa send accounting
    radius-server vsa send authentication



  • 6.  RE: Accounting with Cisco switch

    Posted Jun 23, 2014 02:39 PM

    Sorry, but I still don't quite understand what you are doing.

    "My requirement is that I am sending the Class attribute to the Cisco switch."

    Why exactly? After reading up on it, I conclude this is something used between RADIUS authorization and accounting, but there is no need to work with it yourself. Do you have a specific need to work with it? Are you sure accounting doesn't just work without manually manipulating the Class?

    "I am doing this to send accounting packets to a firewall so that, if any user's traffic reaches the firewall without authentication with CPPM, the firewall blocks that traffic."

    OK, even more confused now. What firewall?

    I come back to my original reply: use a packet sniffer to check whether the accounting records really aren't being sent.
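A concrete way to act on the packet-capture advice given twice in this thread, as an added example that is not from any post above nor from HPE or Cisco: decode the Accounting-Request packets a capture shows the switch sending, verify each packet's Request Authenticator against the shared secret (so a forged or wrong-secret packet is not mistaken for a real session record), and check whether the Class attribute (RADIUS type 25) the server issued in Access-Accept is echoed back, which RFC 2865 requires the NAS to do unmodified in every Accounting-Request for that session. The shared secret, Class value, user name, addresses and session ID below are constructed for the example; in practice you would feed the function the UDP payloads pulled from a capture on the accounting port (1646 in the configuration above, or 1813).

```python
"""Decode RADIUS Accounting-Request packets (RFC 2866) and check whether the
Class attribute returned in Access-Accept is echoed back by the NAS."""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}
# Subset of standard attribute types (RFC 2865 / RFC 2866) used below.
USER_NAME, NAS_IP_ADDRESS, CLASS = 1, 4, 25
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44


def build_accounting_request(secret, identifier, attrs):
    """Build an Accounting-Request the way a NAS does (RFC 2866 section 3):
    Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret).
    Used here only to construct sample packets; a capture supplies real ones."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_attributes(body):
    """Walk the Type/Length/Value attribute list, rejecting malformed lengths
    rather than looping on them or reading past the buffer."""
    attrs = []
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        a_type, a_len = body[pos], body[pos + 1]
        if a_len < 2 or pos + a_len > len(body):
            raise ValueError(f"bad attribute length {a_len} at offset {pos}")
        attrs.append((a_type, body[pos + 2:pos + a_len]))
        pos += a_len
    return attrs


def decode_accounting_request(packet, secret):
    """Decode one Accounting-Request and verify its Request Authenticator.
    A failed check means either a shared-secret mismatch between NAS and server
    or a forged/tampered packet; the server silently discards it either way,
    so such packets never show up as accounting records."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError(f"not an Accounting-Request (code {code})")
    if length < 20 or length > len(packet):
        raise ValueError("Length field inconsistent with packet size")
    body = packet[20:length]  # octets beyond Length are padding and are ignored
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    attrs = parse_attributes(body)
    status = next((ACCT_STATUS.get(struct.unpack("!I", v)[0], "Unknown")
                   for t, v in attrs if t == ACCT_STATUS_TYPE and len(v) == 4), None)
    return {
        "identifier": identifier,
        "authenticator_ok": hmac.compare_digest(expected, packet[4:20]),
        "status": status,
        "user": next((v.decode("utf-8", "replace") for t, v in attrs if t == USER_NAME), None),
        "session_id": next((v.decode("utf-8", "replace") for t, v in attrs if t == ACCT_SESSION_ID), None),
        "classes": [v for t, v in attrs if t == CLASS],  # NAS must echo Class unmodified
    }


def class_echoed(packet, secret, expected_class):
    """True only if the packet is authentic AND carries the exact Class value we
    returned in Access-Accept; anything else should not unlock a firewall rule."""
    info = decode_accounting_request(packet, secret)
    return info["authenticator_ok"] and expected_class in info["classes"]


# Constructed sample data: secret, Class value, user and addresses are made up.
SECRET = b"example-shared-secret"
ISSUED_CLASS = b"CPPM-VLAN-ASSIGNED"  # hypothetical value put in Access-Accept

COMMON = [(USER_NAME, b"alice"), (NAS_IP_ADDRESS, bytes([192, 168, 1, 10])),
          (ACCT_STATUS_TYPE, struct.pack("!I", 1)), (ACCT_SESSION_ID, b"0000001A")]
PKT_WITH_CLASS = build_accounting_request(SECRET, 7, COMMON + [(CLASS, ISSUED_CLASS)])
PKT_WITHOUT_CLASS = build_accounting_request(SECRET, 8, COMMON)
# Flip one byte inside the NAS-IP-Address value (offset 30) to simulate tampering.
PKT_TAMPERED = PKT_WITH_CLASS[:30] + bytes([PKT_WITH_CLASS[30] ^ 0xFF]) + PKT_WITH_CLASS[31:]

if __name__ == "__main__":
    for name, pkt in [("with Class", PKT_WITH_CLASS), ("without Class", PKT_WITHOUT_CLASS),
                      ("tampered", PKT_TAMPERED)]:
        info = decode_accounting_request(pkt, SECRET)
        print(f"{name:14} auth_ok={info['authenticator_ok']} status={info['status']} "
              f"user={info['user']} classes={info['classes']}")
```

If a capture shows Accounting-Start packets that decode cleanly but carry no Class attribute, the switch is not echoing what it received and the problem is on the NAS side; if the authenticator check fails on every packet, the shared secret or server address on one side is wrong and the server will be dropping the records before they can appear in its accounting view. Only packets that pass both checks are safe to turn into "this host is authenticated" state on a downstream firewall.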