06-08-2011 11:37 PM - edited 03-10-2019 06:09 PM
Hi all,
I have a problem with the cisco-av-pair string on the Cisco ACS and an SSID.
We have some SSIDs and some AD groups here. This was no problem with the old Cisco ACS 4.2. I have configured the string here: cisco-av-pair ssid=myssid. The clients only have rights to this SSID. It works without problems.
On the new ACS 5.2 I have a problem configuring this.
My configuration is a new Identity Policy.
Compound Condition:
Radius-Cisco -->cisco-av-pair-->equals-->myssid
But this string does not work.
Do you have any ideas about this problem?
My system:
Cisco ACS 5.2 with all new patches
Cisco WLC newest version
Thanks
regards
Andreas
06-08-2011 11:52 PM
I think you need to match on the string that appears in the attribute, in this case "ssid=myssid".
If you want to confirm what string should be used, select: Monitoring and reports -> Launch Monitoring & Report Viewer
and then select Authentications -> RADIUS today
You should see a list of the requests including the ones you had tried. In the details column click on the icon and you will see the details of your RADIUS request. This includes the list of RADIUS attributes received. You can look at what is in the AV pair field and make sure a correct condition is specified.
06-09-2011 12:01 AM
Hi jrabinow,
Thanks for your answer.
My Authorization Policy uses the following string:
RADIUS-Cisco:cisco-av-pair equals ssid=OFFEN
I can the in Other Attributes:
OFFEN is my SSID.
In the steps from the report I can see:
15006 Matched Default Rule
15012 Selected Access Service - DenyAccess
11019 Selected DenyAccess Service
11003 Returned RADIUS Access-Reject
06-09-2011 12:34 AM
From the steps I can see that no Access Service is being matched. It is selecting the default rule.
A first step will be to look at the Service Selection Policy (Access Policies > Access Services > Service Selection Rules) and see why an access service is not being selected.
06-09-2011 01:53 AM
I have made a test with the "Airespace-WLAN-ID" attribute.
I can configure a rule with
RADIUS-Cisco Airespace-Wlan-ID=7
This works. I can only connect to this Wlan-ID.
I have found this in the Other Attributes list.
ACSVersion=acs-5.2.0.26-B.3075
ConfigVersionId=56
Device Port=32769
RadiusPacketType=AccessRequest
Protocol=Radius
Service-Type=Framed
Framed-MTU=1300
Called-Station-ID=1c-17-d3-fc-9b-00:OFFEN
Airespace-Wlan-Id=7
Device IP Address=10.99.11.16
But I cannot find the name of the SSID on its own, only in the string "Called-Station-ID..."
Is it possible that the ACS does not get this information from the WLC?
06-09-2011 02:18 AM
You could try a condition:
Called-Station-ID ends-with ":OFFEN"
06-09-2011 04:24 AM
Hi Jrabinow,
Thanks for your help. I have configured this condition and now it works.
regards
Andreas
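
An added example, not part of the original thread: a Python sketch comparing the `ends-with ":OFFEN"` condition from the accepted answer against a stricter check that splits the Called-Station-ID into AP MAC and SSID. The function names and all sample values except the one shown in the thread are constructed, and the hyphen-separated MAC format is assumed from the thread's attribute dump.

```python
import re

# Called-Station-ID as dumped in the thread: "<AP MAC>:<SSID>".
# Assumption: the MAC is six hyphen-separated hex octets, as in that dump.
_CSID = re.compile(r"((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}):(.*)")

def parse_called_station_id(value):
    """Return (ap_mac, ssid), or None if the value is not in MAC:SSID form."""
    m = _CSID.fullmatch(value)
    if m is None:
        return None
    return m.group(1).lower(), m.group(2)

def suffix_rule(value, ssid, with_colon=True):
    """The thread's condition: Called-Station-ID ends-with ":<ssid>".
    with_colon=False models the same rule typed without the delimiter."""
    return value.endswith((":" if with_colon else "") + ssid)

def exact_rule(value, ssid):
    """Stricter check: strip the fixed-length MAC, compare the whole SSID."""
    parsed = parse_called_station_id(value)
    return parsed is not None and parsed[1] == ssid

# First value is from the thread; the others are constructed test inputs.
SAMPLES = [
    "1c-17-d3-fc-9b-00:OFFEN",        # the intended SSID
    "1c-17-d3-fc-9b-00:NICHT-OFFEN",  # SSID that merely ends in OFFEN
    "1c-17-d3-fc-9b-00:GAST:OFFEN",   # SSID that itself contains a colon
    "1c-17-d3-fc-9b-00",              # no SSID appended at all
]

def compare(ssid="OFFEN"):
    """Per sample: (value, ends-with no colon, ends-with ':ssid', exact)."""
    return [
        (v, suffix_rule(v, ssid, with_colon=False),
         suffix_rule(v, ssid), exact_rule(v, ssid))
        for v in SAMPLES
    ]

if __name__ == "__main__":
    for row in compare():
        print("%-32s no-colon=%-5s colon=%-5s exact=%s" % row)
```

The leading colon in the condition is what keeps `NICHT-OFFEN` from matching; only an SSID that itself contains `:OFFEN` still slips past the suffix rule.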