This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.
Hi at all
i have a Problem with the cisco-av-pair string on the Cisco ACS and a SSID.
We have here some SSID and some AD Groups. It was no Problem with the old Cisco ACS 4.2. I have here configured the string: cisco-av-pair ssid=myssid. The Clients have only rights to this ssid. It works without Problems.
On the new ACS 5.2. I have here Problem to configure this.
My Configuration is a new Identity Policy.
But this string works not.
Did you have any ideas about this Problem.
Cisco ACS 5.2 with all new Patches
Cisco WLC newest Version
Solved! Go to Solution.
I think you need to match on the string that appears in the attribute. In this case. "ssid=myssid"
If you want to confirm what string should be used select: Monitoring and reports -> Launch Monitoring & Report Viewer
and then select Authentications -> RADIUS today
You should see a list of the requests including the ones you had tried. In the details column click on the icon and you will see the details of your RADIUS request. This includes the list of RADIUS attributes received. You can look at what is in the AV pair field and make sure a correct condition is specified
thanks for your Answer.
My Authorization Policy is with follow string:
RADIUS-Cisco:cisco-av-pair equals ssid=OFFEN
I can the in Other Attributes:
OFFEN is my SSID.
In the Steps from the Report i can see:
15006 Matched Default Rule
15012 Selected Access Service - DenyAccess
11019 Selected DenyAccess Service
11003 Returned RADIUS Access-Reject
from the steps can see that no Access Service is being matched. It is selecting the default rule.
A first step will be to look at the Service Selection Policy (Access Policies > Access Services > Service Selection Rules) and see why an access service is not being selected
I have make a Test with the "Airespace-WLAN-ID" Attribute.
I can configure a rule with
This works. I can only connect to this Wlan-ID.
I have found this in the Other Attributes list.
Device IP Address=10.99.11.16
But i can not find only the name of the SSID, only in the String "Called-Station-ID..."
Is it possible that the ACS get not this Information from the WLC?