topic Re: WSA External Authentication Service Type in Network Access Control

WSA External Authentication Service Type

scamarda — Sun, 30 Apr 2017 01:49:18 GMT

I am setting up my WSA to use ISE as an external authentication method. I have several other Cisco devices using ISE for Device Administration (RADIUS, not TACACS). The routers and switches set their service type as Login. The WSA sets its service type as 134217728. I'd rather not create another Top Level Entry in my policy sets to handle the WSA. I am looking to create a compound condition with a Boolean OR for the devices. I can select RADIUS service type virtual for the routers and switched but I cannot enter 134217728 as a valid service type. I only get the system provided drop downs.

Is is possible to add this to the existing RADIUS> Service Type dictionary or can I create my own dictionary with the service type of 134217728?

I know I can key on other attributes but I would like to use other attributes that come from the machine logins.

Regards.

Sam

Re: WSA External Authentication Service Type

howon — Mon, 01 May 2017 14:11:59 GMT

Currently, the RADIUS-IETF dictionary cannot be modified. You could try creating a NDG with WSAs, and then craft a policy set condition that reads NDG = WSA or Service-Type = Login to satisfy both in a single policy set.

Re: WSA External Authentication Service Type

scamarda — Mon, 01 May 2017 14:15:43 GMT

Thanks Hosuk. The customer ended up going with NDG configuration. As an FYI, the WSA sends a Service-Type value of 134217728, not Login.

Re: WSA External Authentication Service Type

ricardocalvillo — Thu, 05 Dec 2019 01:13:34 GMT

Do you know if WSA can use TACACS+ as external authentication service in the latest version?

thanks.