12-25-2011 12:13 PM - edited 03-10-2019 06:39 PM
Hello,
Can somebody please provide me with a clear guide on how I should configure the question above?
I'm dealing with an EAP-TLS situation if that matters (first time set-up, never worked before). As a matter of fact, other EAP flavors will follow – based on the same idea (must belong to a certain AD group to authenticate).
Brand new ACS 5.2. I set up an identity rule, using the AD defined, as the authenticator. And an authorization rule – matching only AD1:External Groups (contains all), a certain group I've chosen from the "Directory Groups" tab of the AD setup.
The problem is – although I take some users out of that group in Active Directory (let's call it "wireless"), the user still authenticates against the "contained in wireless group" rule. Needless to say, both the identity and authorization default rules say "DenyAccess". Moreover, when I query the AD (using the directory attributes tab of the AD setup) I can clearly see that this user does belong (or doesn't) to that group. And somehow, ACS has problems authenticating correctly.
Any HOWTO guide will be appreciated. In fact, any help will be appreciated, but I probably miss something, so to begin with – maybe clear documentation is all that's needed (please do not offer Cisco's).
Best Regards,
Alex.
12-25-2011 12:32 PM
I see you are using EAP-TLS. When using this protocol you need to select a Certificate Authentication Profile as the result of the Authentication Policy. A certificate authentication profile defines two things:
- Principal Username X509 Attribute: the attribute to be retrieved from the certificate to be used as the user name
- Whether to "Perform Binary Certificate Comparison with Certificate retrieved from LDAP or Active Directory"
By default there is a predefined profile called "CN Username" that selects the "Common Name" from the certificate.
If you want to do EAP-TLS and then retrieve attributes from AD for authorization you need to do the following:
- Create an Identity Store Sequence: Users and Identity Stores > Identity Store Sequence
- Select the "Certificate Based" option and then a "Certificate Authentication Profile" (as defined above)
- In "Additional Attribute Retrieval Search List" use the arrows to put the Active Directory in the list of selected stores
Finally, select this Identity Sequence as the result in the Authentication Policy. Then, when an EAP-TLS request is received, the Certificate Authentication Profile will be used to process the TLS request and then the additional identity stores are accessed to retrieve attributes for authorization policy processing.
Note that if you want to extend this sequence to be used in other protocols you can select the "Password Based" option (as well) and select the databases to be authenticated against.
Good luck and seasons greetings
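The flow described in this answer, modelled as a small added example (not code from the thread or from Cisco ACS): the Certificate Authentication Profile picks the CN out of the certificate subject as the principal, the Additional Attribute Retrieval step looks that principal up in AD1 and returns its ExternalGroups, and the authorization rule applies a "contains all" check against the selected group. The user names, the `example.com/...` group identifiers and the `AD1_GROUPS` store are constructed for illustration; ACS displays real group identifiers in the Directory Groups tab.

```python
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the AD1 external identity store: user -> group memberships.
# Group identifiers are constructed for this example, not the format ACS displays.
AD1_GROUPS: Dict[str, List[str]] = {
    "alice": ["example.com/Groups/wireless", "example.com/Users/Domain Users"],
    "bob": ["example.com/Users/Domain Users"],
}
WIRELESS = "example.com/Groups/wireless"  # the group selected in the authorization rule


def principal_from_subject(subject_dn: str, attribute: str = "CN") -> Optional[str]:
    """Certificate Authentication Profile step: take one X509 subject attribute as
    the user name (the predefined 'CN Username' profile uses CN). Escaped commas
    inside values are not handled; this is a model, not an RFC 4514 parser."""
    for rdn in subject_dn.split(","):
        key, sep, value = rdn.strip().partition("=")
        if sep and key.strip().upper() == attribute.upper():
            return value.strip()
    return None


def retrieve_external_groups(username: str) -> Optional[List[str]]:
    """'Additional Attribute Retrieval' step: look the principal up in AD1.
    Returns None when the user does not exist there, so ExternalGroups is never populated."""
    return AD1_GROUPS.get(username.lower())


def contains_all(external_groups: List[str], required: List[str]) -> bool:
    """The 'AD1:ExternalGroups contains all' condition: every selected group must be
    present, compared on the full identifier, so a bare 'wireless' never matches."""
    have = {g.lower() for g in external_groups}
    return all(g.lower() in have for g in required)


def evaluate(subject_dn: str, required: List[str]) -> Tuple[str, str]:
    """Run the identity sequence, then the authorization rule; return (result, reason)."""
    user = principal_from_subject(subject_dn)
    if user is None:
        return ("DenyAccess", "no CN in certificate subject")
    groups = retrieve_external_groups(user)
    if groups is None:
        return ("DenyAccess", f"{user} not found in AD1; ExternalGroups is empty")
    if contains_all(groups, required):
        return ("PermitAccess", f"{user} is in {required}")
    return ("DenyAccess", f"{user} is not in {required}")


if __name__ == "__main__":
    for dn in ("CN=alice,OU=Staff,DC=example,DC=com", "CN=bob,OU=Staff,DC=example,DC=com",
               "CN=carol,OU=Staff,DC=example,DC=com", "OU=Staff,DC=example,DC=com"):
        print(dn, "->", evaluate(dn, [WIRELESS]))
```

The model makes one failure mode visible: when the certificate principal does not resolve to an AD user, the retrieval step returns no groups and a "contains all" rule can never match, which is why checking the identity sequence before the authorization rule pays off.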
12-25-2011 12:36 PM
Thank you,
I'll try it and update on the result.
12-31-2011 03:00 AM
Hi,
Unfortunately, the EAP protocol which was finally chosen is PEAP with EAP-TLS as an internal mechanism. And ACS 5.x up until now (5.1/5.2/5.3) does not support EAP-TLS under PEAP.
Hence, the story is closed. Thank you.
12-31-2011 10:00 AM
PEAP with TLS inner method is supported on ACS 5.3
12-31-2011 10:22 AM
Friend,
Already solved?
I have a sample configuration that can assist you.
12-31-2011 10:50 AM
Hi all,
Jrabinow – thank you for pointing this out (I was relying on someone who claimed it doesn't. Looks like it will be a little upgrade around here.)
jonatas marques – thank you for the suggestion. I'd appreciate it if you could post those.
Thank you and happy new year !
12-31-2011 10:59 AM
I will create a document in English and upload it here, since today it is in Portuguese.
I'll do it on Monday. Hugs.
01-08-2012 06:51 AM
Hello all,
So the support of EAP-TLS within PEAP was indeed added to 5.3 :-) so that works.
But now it's not able to authenticate based on AD groups. The ACS-AD connection is fine. I'm able to list AD groups using the ACS GUI and poll the attributes for any user or group I'd like to. Moreover, I had selected the group (I test for) using the ACS GUI.
But the moment I put – authorize if AD1:ExternalGroups contains/equals wireless (or the full DN) – the authorization fails. How should I authorize based on AD groups?
01-09-2012 04:44 PM
Did you follow the instructions below? These should apply equally when EAP-TLS is used as an inner method.
If you want to do EAP-TLS and then retrieve attributes from AD for authorization you need to do the following:
- Create an Identity Store Sequence: Users and Identity Stores > Identity Store Sequence
- Select the "Certificate Based" option and then a "Certificate Authentication Profile" (as defined above)
- In "Additional Attribute Retrieval Search List" use the arrows to put the Active Directory in the list of selected stores
Finally, select this Identity Sequence as the result in the Authentication Policy. Then, when an EAP-TLS request is received, the Certificate Authentication Profile will be used to process the TLS request and then the additional identity stores are accessed to retrieve attributes for authorization policy processing.
01-13-2012 08:49 AM
Thank you jrabinow.
That's the way the rules are configured. I've opened a TAC ticket, and they confirmed the settings are correct. I'll update on how it develops.
06-28-2012 05:25 AM
Did you ever get a response from the TAC on this one? I have the same thing set up with an identity store sequence; however, the authorization component is still failing as soon as I add an AD group to it.
Seems like it's not looking up the group correctly.
06-28-2012 05:39 AM
The best way to troubleshoot this is to grab the authentication details for the request. This should give more details of what was performed during the processing flow for the request.
You can see the authentication details by selecting Monitoring and Reports->Reports->Catalog->AAA Protocol and then selecting RADIUS Authentication.
When you see the record that relates to your authentication, press Details and you will see them. If possible, share the contents.