Vendor Specific Attributes - Cisco IOS and IOSXE - NPS

Thomas_Johnston · ‎11-04-2021

Trying to implement MFA on Cisco switches with DUO proxy and Microsoft NPS. I have it working but I cannot figure out how to get it to pass the vendor attributes properly so that user is dropped into priv level 15.

[radius_client]
host=xxx
secret=xxxx
;pass_through_all=true
;pass_through_attr_names=Cisco-AV-Pair,Vendor-Specific

On NPS I have the following set up under “Vendor Specific”
Name: Cisco-AV-Pair
Vendor: Cisco
Value: shell:priv-lvl:15

Neither pass_through option works when uncommented. The user is dropped to priv 1 and then must authenticate with local credentials to enter priv 15.

If I turn on pass_through_all=true then the switch comes back with the following error:
Line has invalid autocommand " ppp negotiate"Connection to xxxx

I have no PPP settings set in NPS that I can see at all. The only line I have under Standard Radius Attributes is: Filter-id

Any ideas?

DuoKristina · ‎04-13-2022

Did you try defining it a Cisco-AVPair on NPS and then setting pass_through_attr_names=Cisco-AVPair? You posted you used Cisco-AV-Pair instead and IDK what switch you have but this Cisco document has it as cisco-avpair (with just one dash in it).

The Authentication Proxy includes Cisco-AVPair in its dictionary.

You can try a packet capture to examine the RADIUS response from NPS to the Duo proxy, and from the Duo proxy to your switch, to see exactly what attributes are getting passed.

Did this work with the switch pointing directly to NPS? This person’s blog suggests the error you saw when passing through all radius attributes could be due to the NPS default policy’s service-type.

Duo, not DUO.

stevenmc13 · ‎06-21-2022

Hi, did you ever manage to get this to work? I am facing the same issue.