ACS 5.3 can not work with two service policy rules

ivan.martin, Level 1

Hello, my name is Ivan.

I have an issue with an ACS v5.3 appliance.

I have an ACS v5.3 to authenticate wireless users, together with a Cisco WLC. One profile is for corporate users and the second profile is for guests.

The corporate users should authenticate with Active Directory and the guests with the WLC. Guest users should authenticate with the ACS local database.

I have configured two service selection policy rules that match protocol RADIUS. The first rule is for users in Active Directory and the second is for users in the local database of the ACS.

When I try to authenticate users with Active Directory it is OK, but when I try to authenticate users with the local database (guest portal), the ACS tries to find the internal user in Active Directory, because it matches the first rule, and the second profile cannot authenticate.

When I change the order, first the rule for internal users and second the rule for Active Directory users, the internal users can authenticate to the ACS, but the users in Active Directory cannot authenticate.

I think my ACS only authenticates the first RADIUS rule to Active Directory, not two RADIUS rules at the same time. Or maybe there is an issue in the OS of the ACS.

Authentication separately is OK.

Could you please help me to resolve this issue?

I attach my two rules.

Regards

1 Accepted Solution

Amjad Abdullah, VIP Alumni

Hello Ivan,

To solve your issue, you need to configure your ACS so that the first service selection policy (Active Directory) only matches for corporate users and the other service selection policy (internal users) does not match.

The second service selection policy must only match for guest users.

If you are using Cisco WLCs, it will be easier for you.

Why?

Because you can use an "End Station Filter" to match the SSID more easily.

In the service selection policy, you build your match on the end station filter (add it via the Customize button).

Now, you need to create two end station filters, one that matches the guest SSID and one that matches the corporate SSID. (I will tell you how to create them later.)

After creating the end station filters and matching the service selection policies on them, you have one service selection policy that matches only the guest SSID and the other SSP that matches the corporate SSID.

Now you can choose different identity sources for both SSPs.

Now, for the end station filter:

The end station filter is used (in our scenario) to distinguish SSIDs.
If I want to separate requests from different SSIDs, I use the end station filter to match which SSID I am using.
To create an end station filter for your SSIDs, follow the following image:

hand-made image by Amjad :)

In point number 4, write an asterisk (*) followed by your SSID (case sensitive) without spaces. Make sure to avoid any spaces before or after.

(I suppose you are using a Cisco WLC. If not, the whole idea may not apply the way I described above.)

So far we are OK, except for one point. The guest SSID by default is not sent by the Cisco WLC to the RADIUS server when the client tries to connect to it, while the 802.1X SSIDs are.

To tell the WLC to send the guest SSID, you need to add this command to the WLC:

config radius callstationidtype ap-macaddr-ssid

I hope I described it correctly. Let me know if you got everything or if you need more explanations.

Greetings,

Amjad

Rating useful replies is more useful than saying "Thank you"

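The mechanism in the accepted answer, as an added example that is not part of the original thread and is not ACS or WLC code: a small Python model of first-match service selection on the RADIUS Called-Station-Id attribute. It assumes the WLC formats Called-Station-Id as a hyphen-separated AP MAC under `ap-macaddr` and as `<AP-MAC>:<SSID>` under `ap-macaddr-ssid`, and it models an end station filter as a case-sensitive `*`-wildcard pattern; the rule names (`Corporate AD Access`, `Database Internal`), SSIDs and MAC address are constructed for the example. It shows why the guest requests fall through to the default service until the `callstationidtype` command is applied: without the SSID in the attribute, an SSID-based filter can never match.

```python
import fnmatch
from dataclasses import dataclass
from typing import Optional

# Added example (not ACS or WLC code): a model of how an ACS 5.x service
# selection policy picks a service from RADIUS Called-Station-Id, and why the
# WLC callstationidtype setting decides whether an SSID filter can match.


def called_station_id(ap_mac: str, ssid: str, csid_type: str) -> str:
    """Assumed WLC formats for `config radius callstationidtype <type>`:
    ap-macaddr      -> "AA-BB-CC-DD-EE-FF"        (SSID never sent)
    ap-macaddr-ssid -> "AA-BB-CC-DD-EE-FF:<SSID>"
    """
    mac = ap_mac.upper().replace(":", "-")
    if csid_type == "ap-macaddr":
        return mac
    if csid_type == "ap-macaddr-ssid":
        return f"{mac}:{ssid}"
    raise ValueError(f"unsupported callstationidtype: {csid_type}")


@dataclass(frozen=True)
class EndStationFilter:
    """Hypothetical stand-in for an ACS end station filter on Called-Station-Id.

    '*' is a wildcard and the comparison is case-sensitive, so "*GuestWLAN"
    matches "AA-BB-CC-DD-EE-FF:GuestWLAN" but not "...:guestwlan".
    """
    name: str
    pattern: str

    def __post_init__(self) -> None:
        # A leading or trailing space becomes part of the pattern and silently
        # breaks the match, so reject it when the filter is defined.
        if self.pattern != self.pattern.strip() or " " in self.pattern:
            raise ValueError(f"filter {self.name!r}: pattern must not contain spaces")

    def matches(self, called_station_id: str) -> bool:
        # fnmatchcase keeps the comparison case-sensitive on every platform.
        return fnmatch.fnmatchcase(called_station_id, self.pattern)


@dataclass(frozen=True)
class ServiceRule:
    name: str
    protocol: str
    end_station_filter: Optional[EndStationFilter]  # None = match any Called-Station-Id
    identity_store: str


# Constructed rule table modelling the thread: corporate SSID -> AD,
# guest SSID -> internal users, no match -> the default service.
DEFAULT_SERVICE = ServiceRule("Default Network Access", "RADIUS", None, "Internal Users")
RULES = [
    ServiceRule("Corporate AD Access", "RADIUS",
                EndStationFilter("Corp-SSID", "*CorpWLAN"), "AD1"),
    ServiceRule("Database Internal", "RADIUS",
                EndStationFilter("Guest-SSID", "*GuestWLAN"), "Internal Users"),
]


def select_service(request: dict, rules=RULES, default=DEFAULT_SERVICE) -> ServiceRule:
    """First-match evaluation, top to bottom, like the ACS rule table."""
    csid = request.get("Called-Station-Id", "")
    for rule in rules:
        if request.get("protocol") != rule.protocol:
            continue
        if rule.end_station_filter is None or rule.end_station_filter.matches(csid):
            return rule
    return default


def access_request(ap_mac: str, ssid: str, csid_type: str) -> dict:
    """Constructed RADIUS Access-Request holding only the attributes the policy reads."""
    return {"protocol": "RADIUS",
            "Called-Station-Id": called_station_id(ap_mac, ssid, csid_type)}


if __name__ == "__main__":
    ap = "00:11:22:33:44:55"  # constructed AP MAC
    for csid_type in ("ap-macaddr", "ap-macaddr-ssid"):
        for ssid in ("CorpWLAN", "GuestWLAN"):
            req = access_request(ap, ssid, csid_type)
            svc = select_service(req)
            print(f"{csid_type:16} {req['Called-Station-Id']:28} -> "
                  f"{svc.name} ({svc.identity_store})")
```

Run stand-alone, the first two lines of output show both SSIDs landing in Default Network Access under `ap-macaddr`, which is the symptom of a rule that never matches; the last two show each SSID reaching its own service once the SSID is carried in the attribute. The same first-match order explains the original post: with no filter on either rule, whichever RADIUS rule is listed first wins for every request.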

5 Replies


Hi Amjad,

When I configure the end station filter, I see that the users in the guest profile can authenticate, but using the default service rule, not the internal users one.

I configured one service rule for internal users, named Database Internal, mapping to the internal users. The default service rule is Default Network Access. When I look at the authentication reports I only see matches in the default service rule, not in my service rule.

Maybe I have configured something badly?

Regards

Ivan

Hi Ivan,

What is your configuration on the ACS? Can you post some screenshots?

Have you added the command I mentioned above to your controller?

Thanks.

Amjad

Rating useful replies is more useful than saying "Thank you"

Thank you Amjad Abdullah, your answer helped me resolve my issue.

Regards

Ivan

Glad to hear that my friend :-)

Rating useful replies is more useful than saying "Thank you"