
ACS 5.2 selection policy/access service attribute question

andrewswanson
Level 7

Hello

I'm using ACS 5.2.0.26 and have created Service Selection Policies to authenticate wireless PEAP clients based on the domain suffix used by the clients. If I use the RADIUS attribute RADIUS-IETF:User-Name to do this, am I right in saying that this matches the "Roaming Identity" as opposed to the user's actual login ID?

Under Access Services I can use the attribute System:UserName, which does match based on the client's actual login ID. My questions are:

Does the RADIUS-IETF:User-Name attribute match "Roaming Identity"?

I can use the System:UserName attribute with an Access Service but not, it seems, with a Service Selection Policy. Why is this?

Thanks

Andy

Accepted Solution

Tiago Antunes
Cisco Employee

Hi,

Does the RADIUS-IETF:User-Name attribute match "Roaming Identity"?

-> No. The roaming identity is particular to some supplicants and does not always match the username.

If the Roaming Identity is cleared, %domain%\%username% is the default.

When 802.1x MS RADIUS is used as an authentication server, the server authenticates the device that uses the Roaming Identity user name from Intel PROSet/Wireless software, and ignores the Authentication Protocol MS-CHAP-V2 user name. This feature is the 802.1x identity supplied to the authenticator. Microsoft IAS RADIUS accepts only a valid user name (dotNet user) for EAP clients. When 802.1x MS RADIUS is used, enter a valid user name. For all other servers, this is optional. Therefore, it is recommended to use the desired realm (for example, anonymous@myrealm) instead of a true identity.

I can use the System:UserName attribute with an Access Service but not it seems with a Service Selection Policy. Why is this?

-> Because that attribute is not valid for Service Selection Policy. It was designed this way... nothing we can do.

HTH,
Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

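The distinction in the accepted answer, shown on the wire as an added example (this is not code from the thread, from Cisco ACS, or from Intel PROSet): a RADIUS Access-Request is built with a PEAP outer identity of the kind a supplicant's "Roaming Identity" setting produces, then decoded the way the RADIUS server sees it. The User-Name AVP (what ACS exposes as RADIUS-IETF:User-Name) is a plain, supplicant-chosen string; the login name that MS-CHAPv2 actually authenticates is sent later inside the EAP-TLS tunnel and is not present in this packet at all. The `select_service` function and the `realm_map` it consumes are a hypothetical stand-in for a realm-based Service Selection rule, and the sample identities are constructed for the demo.

```python
"""Build and decode a RADIUS Access-Request to show what a realm-based
Service Selection rule on RADIUS-IETF:User-Name can and cannot see."""
import os
import struct
from typing import Dict, List, Optional

RADIUS_CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1              # RFC 2865 section 5.1
ATTR_EAP_MESSAGE = 79           # RFC 3579 section 3.1
ATTR_MESSAGE_AUTHENTICATOR = 80 # RFC 3579 section 3.2
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def eap_identity_response(identity: str, eap_id: int = 1) -> bytes:
    """EAP-Response/Identity (RFC 3748 section 5.1): code, id, length, type, identity."""
    payload = identity.encode()
    return struct.pack("!BBHB", EAP_CODE_RESPONSE, eap_id, 5 + len(payload), EAP_TYPE_IDENTITY) + payload


def build_access_request(outer_identity: str, authenticator: bytes, eap_id: int = 1) -> bytes:
    """RADIUS Access-Request (RFC 2865 section 3) carrying the PEAP outer identity.

    The same outer identity appears twice: in User-Name and in the EAP Identity
    response. Neither carries the inner (MS-CHAPv2) login name, which only
    travels inside the TLS tunnel established in later round trips.
    Message-Authenticator is left zeroed here; a real supplicant/NAS fills it
    with an HMAC-MD5 over the packet (constructed sample, not a real client)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    avps = b""
    for attr_type, value in (
        (ATTR_USER_NAME, outer_identity.encode()),
        (ATTR_EAP_MESSAGE, eap_identity_response(outer_identity, eap_id)),
        (ATTR_MESSAGE_AUTHENTICATOR, bytes(16)),
    ):
        avps += struct.pack("!BB", attr_type, 2 + len(value)) + value
    header = struct.pack("!BBH", RADIUS_CODE_ACCESS_REQUEST, 0, 20 + len(avps))
    return header + authenticator + avps


def parse_avps(packet: bytes) -> Dict[int, List[bytes]]:
    """Walk the type/length/value attribute list after the 20-byte header,
    refusing truncated or overlapping AVPs instead of reading past them."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs: Dict[int, List[bytes]] = {}
    off = 20
    while off < length:
        attr_type, attr_len = packet[off], packet[off + 1]
        if attr_len < 2 or off + attr_len > length:
            raise ValueError("malformed AVP")
        attrs.setdefault(attr_type, []).append(packet[off + 2 : off + attr_len])
        off += attr_len
    return attrs


def outer_identity(packet: bytes) -> str:
    """The value a RADIUS-IETF:User-Name condition tests: the first User-Name AVP."""
    return parse_avps(packet)[ATTR_USER_NAME][0].decode()


def realm_of(identity: str) -> Optional[str]:
    """Domain suffix (or NetBIOS prefix) of an identity, normalised for matching.
    Returns None when the supplicant sent a bare username with no realm."""
    if "@" in identity:
        return identity.rsplit("@", 1)[1].lower()
    if "\\" in identity:
        return identity.split("\\", 1)[0].lower()
    return None


def select_service(packet: bytes, realm_map: Dict[str, str], default: str = "Default") -> str:
    """Hypothetical Service Selection rule: route purely on the outer identity's
    realm, exactly the information a RADIUS-IETF:User-Name condition has."""
    realm = realm_of(outer_identity(packet))
    return realm_map.get(realm, default) if realm else default


if __name__ == "__main__":
    rules = {"corp.example": "Corp-PEAP", "guest.example": "Guest-PEAP"}
    for ident in ("anonymous@corp.example", "CORP\\asmith", "asmith"):
        pkt = build_access_request(ident, os.urandom(16))
        print(f"{ident:28s} -> User-Name={outer_identity(pkt)!r:30s} service={select_service(pkt, rules)}")
```

Whatever the Service Selection Policy picks is decided before the tunnel is built, so a supplicant configured with a roaming identity such as anonymous@corp.example steers itself into the corp.example service regardless of which account it authenticates as inside PEAP. Anything that must depend on the real account (group lookup, authorization) belongs in the Access Service, where System:UserName reflects the identity resolved against the identity store.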



Thanks for the quick and thorough response. Yes, I am using Intel PROSet on the client. So is the System:UserName attribute on the ACS always the user's correct username regardless of the supplicant used?

Thanks

Andy

Hi,

Yes.

That attribute will contain the username searched in the Identity Sources for authentication, regardless of the supplicant software.

HTH,
Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.