https://community.cisco.com/t5/network-access-control/acs-5-2-cisco-av-pair-problem/m-p/1689686#M248159 <HTML><HEAD></HEAD><BODY><P>Hi Jrabinow,</P><P></P><P>thanks for your help. I have configured this condition and now it works.</P><P></P><P>regards</P><P>Andreas</P></BODY></HTML> Thu, 09 Jun 2011 11:24:25 GMT Andreas_Seybold-Epting 2011-06-09T11:24:25Z https://community.cisco.com/t5/network-access-control/acs-5-2-cisco-av-pair-problem/m-p/1689680#M248060 <P>Hi at all</P><P>i have a Problem with the cisco-av-pair string on the Cisco ACS and a SSID.</P><P>We&nbsp; have here some SSID and some AD Groups. It was no Problem with the old&nbsp; Cisco ACS 4.2. I have here configured the string: cisco-av-pair&nbsp; ssid=myssid. The Clients have only rights to this ssid. It works without&nbsp; Problems.</P><P></P><P>On the new ACS 5.2. I have here Problem to configure this. </P><P>My Configuration is a new Identity Policy.</P><P>Compound Condition:</P><P>Radius-Cisco --&gt;cisco-av-pair--&gt;equals--&gt;myssid</P><P></P><P>But this string works not. </P><P>Did you have any ideas about this Problem.</P><P></P><P>My System:</P><P>Cisco ACS 5.2 with all new Patches</P><P>Cisco WLC newest Version</P><P></P><P>Thanks</P><P>regards</P><P>Andreas</P> Mon, 11 Mar 2019 01:09:05 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-cisco-av-pair-problem/m-p/1689680#M248060 Andreas_Seybold-Epting 2019-03-11T01:09:05Z https://community.cisco.com/t5/network-access-control/acs-5-2-cisco-av-pair-problem/m-p/1689681#M248072 <HTML><HEAD></HEAD><BODY><P> I think you need to match on the string that appears in the attribute. In this case. "ssid=myssid"</P><P></P><P>If you want to confirm what string should be used select: Monitoring and reports -&gt; Launch Monitoring &amp; Report Viewer</P><P>and then select Authentications -&gt; RADIUS today</P><P></P><P>You should see a list of the requests including the ones you had tried. In the details column click on the icon and you will see the details of your RADIUS request. This includes the list of RADIUS attributes received. You can look at what is in the AV pair field and make sure a correct condition is specified</P></BODY></HTML> Thu, 09 Jun 2011 06:52:54 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-cisco-av-pair-problem/m-p/1689681#M248072 jrabinow 2011-06-09T06:52:54Z https://community.cisco.com/t5/network-access-control/acs-5-2-cisco-av-pair-problem/m-p/1689682#M248092 <HTML><HEAD></HEAD><BODY><P>Hi jrabinow,</P><P></P><P>thanks for your Answer.</P><P></P><P>My Authorization Policy is with follow string:</P><P></P><P>RADIUS-Cisco:cisco-av-pair equals ssid=OFFEN</P><P></P><P></P><P>I can the in Other Attributes:</P><DIV>ACSVersion=acs-5.2.0.26-B.3075 <BR />ConfigVersionId=56 <BR />Device&nbsp; Port=32769 <BR />RadiusPacketType=AccessRequest <BR />Protocol=Radius <BR />Service-Type=Framed <BR />Framed-MTU=1300 <BR />Called-Station-ID=1c-17-d3-fc-9b-00:<STRONG>OFFEN </STRONG><BR />Airespace-Wlan-Id=7 <BR />Device&nbsp; IP Address=10.99.11.16</DIV><P></P><P>OFFEN is my SSID.</P><P></P><P>In the Steps from the Report i can see:</P><TABLE id="S2"><TBODY><TR align="left" style="border-bottom: #8499a2 thin; border-left: #8499a2 thin solid; padding-bottom: 1pt; padding-left: 2pt; padding-right: 2pt; color: #000000; border-top: #8499a2 thin; font-weight: normal; border-right: #8499a2 thin solid; padding-top: 1pt;"><TD style="padding-bottom: 2pt; padding-left: 4pt; padding-right: 4pt; padding-top: 2pt;"><P style="margin-top: 0pt;">15006&nbsp; Matched Default Rule</P></TD></TR><TR align="left" style="border-bottom: #8499a2 thin; border-left: #8499a2 thin solid; padding-bottom: 1pt; padding-left: 2pt; padding-right: 2pt; color: #000000; border-top: #8499a2 thin; font-weight: normal; border-right: #8499a2 thin solid; padding-top: 1pt;"><TD style="padding-bottom: 2pt; padding-left: 4pt; padding-right: 4pt; padding-top: 2pt;"><DIV style="margin-top: 0pt;">15012&nbsp; Selected Access Service -&nbsp; DenyAccess</DIV></TD></TR><TR align="left" style="border-bottom: #8499a2 thin; border-left: #8499a2 thin solid; padding-bottom: 1pt; padding-left: 2pt; padding-right: 2pt; color: #000000; border-top: #8499a2 thin; font-weight: normal; border-right: #8499a2 thin solid; padding-top: 1pt;"><TD style="padding-bottom: 2pt; padding-left: 4pt; padding-right: 4pt; padding-top: 2pt;"><P style="margin-top: 0pt;">11019&nbsp; Selected DenyAccess Service</P></TD></TR><TR align="left" style="border-bottom: #8499a2 thin; border-left: #8499a2 thin solid; padding-bottom: 1pt; padding-left: 2pt; padding-right: 2pt; color: #ff0000; border-top: #8499a2 thin; font-weight: normal; border-right: #8499a2 thin solid; padding-top: 1pt;"><TD style="padding-bottom: 2pt; padding-left: 4pt; padding-right: 4pt; padding-top: 2pt;"><P style="margin-top: 0pt;">11003&nbsp; Returned RADIUS Access-Reject</P></TD></TR></TBODY><P></P><P>regards</P><P>Andreas</P></TABLE></BODY></HTML> Thu, 09 Jun 2011 07:01:05 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-cisco-av-pair-problem/m-p/1689682#M248092 Andreas_Seybold-Epting 2011-06-09T07:01:05Z https://community.cisco.com/t5/network-access-control/acs-5-2-cisco-av-pair-problem/m-p/1689683#M248108 <HTML><HEAD></HEAD><BODY><P> from the steps can see that no Access Service is being matched. It is selecting the default rule. </P><P></P><P>A first step will be to look at the Service Selection Policy (Access Policies &gt; Access Services &gt; Service Selection Rules) and see why an access service is not being selected</P></BODY></HTML> Thu, 09 Jun 2011 07:34:54 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-cisco-av-pair-problem/m-p/1689683#M248108 jrabinow 2011-06-09T07:34:54Z https://community.cisco.com/t5/network-access-control/acs-5-2-cisco-av-pair-problem/m-p/1689684#M248122 <HTML><HEAD></HEAD><BODY><P>I have make a Test with the "Airespace-WLAN-ID" Attribute.</P><P></P><P>I can configure a rule with </P><P>RADIUS-Cisco Airespace-Wlan-ID=7</P><P>This works. I can only connect to this Wlan-ID.</P><P>I have found this in the Other Attributes list.</P><P></P><P>ACSVersion=acs-5.2.0.26-B.3075 </P><P>ConfigVersionId=56 </P><P>Device&nbsp; Port=32769 </P><P>RadiusPacketType=AccessRequest </P><P>Protocol=Radius </P><P>Service-Type=Framed </P><P>Framed-MTU=1300 </P><P>Called-Station-ID=1c-17-d3-fc-9b-00:OFFEN </P><P><STRONG>Airespace-Wlan-Id=7 </STRONG></P><P>Device&nbsp; IP Address=10.99.11.16</P><P></P><P>But i can not find only the name of the SSID, only in the String "Called-Station-ID..."</P><P></P><P>Is it possible that the ACS get not this Information from the WLC?</P></BODY></HTML> Thu, 09 Jun 2011 08:53:08 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-cisco-av-pair-problem/m-p/1689684#M248122 Andreas_Seybold-Epting 2011-06-09T08:53:08Z https://community.cisco.com/t5/network-access-control/acs-5-2-cisco-av-pair-problem/m-p/1689685#M248141 <HTML><HEAD></HEAD><BODY><P>You could try a condition:</P><P></P><P>Called-Station-ID&nbsp; ends-with ":0FFEN"</P></BODY></HTML> Thu, 09 Jun 2011 09:18:56 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-cisco-av-pair-problem/m-p/1689685#M248141 jrabinow 2011-06-09T09:18:56Z https://community.cisco.com/t5/network-access-control/acs-5-2-cisco-av-pair-problem/m-p/1689686#M248159 <HTML><HEAD></HEAD><BODY><P>Hi Jrabinow,</P><P></P><P>thanks for your help. I have configured this condition and now it works.</P><P></P><P>regards</P><P>Andreas</P></BODY></HTML> Thu, 09 Jun 2011 11:24:25 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-cisco-av-pair-problem/m-p/1689686#M248159 Andreas_Seybold-Epting 2011-06-09T11:24:25Z