topic Re: How to add an attribute in the authentication phase? in Network Access Control

How to add an attribute in the authentication phase?

Jaime Salcedo — Fri, 24 Jun 2016 14:02:30 GMT

I am trying to limit traffic profiles to users via radius.

I have found that in the documentation:

Configuring Controller Settings - Configuring Quality of Service [Cisco 5500 Series Wireless Controllers] - Cisco Syste…

“If you choose to create an entry on the RADIUS server for a guest user and enable RADIUS authentication
for the WLAN on which web authentication is performed rather than adding a guest user to the local user
database from the controller, you need to assign the QoS role on the RADIUS server itself. To do so, a
“guest-role” Airespace attribute needs to be added on the RADIUS server with a datatype of “string” and
a return value of “11.” This attribute is sent to the controller when authentication occurs. If a role with the
name returned from the RADIUS server is found configured on the controller, the bandwidth associated
to that role is enforced for the guest user after authentication completes successfully.”

It says that this is send in the authentication phase but I am not able to see in ISE how to do it in the authentication phase only I am able to send it in the authorization phase.

Is it possible to do that in ISE 2.0?

In case of yes. How is that done?

I am using internal users in ISE.

Re: How to add an attribute in the authentication phase?

hslai — Fri, 24 Jun 2016 15:50:02 GMT

I believe it refers to the Local Web Authentication (LWA) rather than the Central Web Authentication (CWA).

In LWA, the WLC may authenticate a webauth user against an ISE PSN and the ISE PSN would evaluate both the authentication and authorization policies in the process. See External User Authentication (RADIUS) for more info. Thus, it's done by adding such attribute in the matched ISE authorization profile.

As to how this guest-role Airespace attribute works, please consult with our wireless support and/or product teams.

Re: How to add an attribute in the authentication phase?

Jaime Salcedo — Mon, 27 Jun 2016 08:17:31 GMT

Hi,

I am not talking here about any web authentication.

I am talking about PEAP with an user and password. For the explanation seems is in the first phase of the peap before the 4-way where this guess user information has to go from ISE to WLC.

cheers

Re: How to add an attribute in the authentication phase?

Jaime Salcedo — Mon, 27 Jun 2016 08:24:54 GMT

Problem I am geting is that I am receiving that message from WLC:

“ Unknown Airespace / Attribute 11” when using Airespace-Guest-Role-Name” (atributo ID 11)

Cheers

Re: How to add an attribute in the authentication phase?

hslai — Mon, 27 Jun 2016 10:41:15 GMT

Please consult the wireless support teams for that. It may or may not be supported in the recent AireOS releases.

Even with PEAP, ISE will evaluate both authentication and authorization policies and returns with the matched authorization profiles.

Re: How to add an attribute in the authentication phase?

vibobrov — Mon, 27 Jun 2016 13:41:43 GMT

The easiest way to rate limit guests is to use BDRL (Bidirectional Rate Limiting).

In AuthZ policy return the attributes shown on the screenshot below. The values are in kbits/sec