Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5424
Views
0
Helpful
6
Replies

ACS 5.2 Cisco-AV-Pair Problem

Go to solution
Andreas_Seybold-Epting
Level 1
Level 1

‎06-08-2011 11:37 PM - edited ‎03-10-2019 06:09 PM

Hi at all

i have a Problem with the cisco-av-pair string on the Cisco ACS and a SSID.

We  have here some SSID and some AD Groups. It was no Problem with the old  Cisco ACS 4.2. I have here configured the string: cisco-av-pair  ssid=myssid. The Clients have only rights to this ssid. It works without  Problems.

On the new ACS 5.2. I have here Problem to configure this.

My Configuration is a new Identity Policy.

Compound Condition:

Radius-Cisco -->cisco-av-pair-->equals-->myssid

But this string works not.

Did you have any ideas about this Problem.

My System:

Cisco ACS 5.2 with all new Patches

Cisco WLC newest Version

Thanks

regards

Andreas

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jrabinow
Level 7
Level 7
In response to Andreas_Seybold-Epting

‎06-09-2011 02:18 AM

You could try a condition:

Called-Station-ID  ends-with ":0FFEN"

View solution in original post

0 Helpful
6 Replies 6

Go to solution
jrabinow
Level 7
Level 7

‎06-08-2011 11:52 PM

I think you need to match on the string that appears in the attribute. In this case. "ssid=myssid"

If you want to confirm what string should be used select: Monitoring and reports -> Launch Monitoring & Report Viewer

and then select Authentications -> RADIUS today

You should see a list of the requests including the ones you had tried. In the details column click on the icon and you will see the details of your RADIUS request. This includes the list of RADIUS attributes received. You can look at what is in the AV pair field and make sure a correct condition is specified

0 Helpful

Go to solution
Andreas_Seybold-Epting
Level 1
Level 1
In response to jrabinow

‎06-09-2011 12:01 AM

Hi jrabinow,

thanks for your Answer.

My Authorization Policy is with follow string:

RADIUS-Cisco:cisco-av-pair equals ssid=OFFEN

I can the in Other Attributes:

ACSVersion=acs-5.2.0.26-B.3075
ConfigVersionId=56
Device  Port=32769
RadiusPacketType=AccessRequest
Protocol=Radius
Service-Type=Framed
Framed-MTU=1300
Called-Station-ID=1c-17-d3-fc-9b-00:OFFEN
Airespace-Wlan-Id=7
Device  IP Address=10.99.11.16

OFFEN is my SSID.

In the Steps from the Report i can see:

regards

Andreas

15006  Matched Default Rule

15012  Selected Access Service -  DenyAccess

11019  Selected DenyAccess Service

11003  Returned RADIUS Access-Reject

0 Helpful

Go to solution
jrabinow
Level 7
Level 7
In response to Andreas_Seybold-Epting

‎06-09-2011 12:34 AM

from the steps can see that no Access Service is being matched. It is selecting the default rule.

A first step will be to look at the Service Selection Policy (Access Policies > Access Services > Service Selection Rules) and see why an access service is not being selected

0 Helpful

Go to solution
Andreas_Seybold-Epting
Level 1
Level 1
In response to jrabinow

‎06-09-2011 01:53 AM

I have make a Test with the "Airespace-WLAN-ID" Attribute.

I can configure a rule with

RADIUS-Cisco Airespace-Wlan-ID=7

This works. I can only connect to this Wlan-ID.

I have found this in the Other Attributes list.

ACSVersion=acs-5.2.0.26-B.3075

ConfigVersionId=56

Device  Port=32769

RadiusPacketType=AccessRequest

Protocol=Radius

Service-Type=Framed

Framed-MTU=1300

Called-Station-ID=1c-17-d3-fc-9b-00:OFFEN

Airespace-Wlan-Id=7

Device  IP Address=10.99.11.16

But i can not find only the name of the SSID, only in the String "Called-Station-ID..."

Is it possible that the ACS get not this Information from the WLC?

0 Helpful

Go to solution
jrabinow
Level 7
Level 7
In response to Andreas_Seybold-Epting

‎06-09-2011 02:18 AM

You could try a condition:

Called-Station-ID  ends-with ":0FFEN"

0 Helpful

Go to solution
Andreas_Seybold-Epting
Level 1
Level 1
In response to jrabinow

‎06-09-2011 04:24 AM

Hi Jrabinow,

thanks for your help. I have configured this condition and now it works.

regards

Andreas

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents