ACS 5.3 use LDAP IS. for one SSID and use HOST IS. for another SSID

I have 2 SSIDs on WLCs

I would like to have 1 SSID point to the ACS RADIUS using the LDAP store and the 2nd SSID point to the ACS RADIUS using the host identity store for MAC filtering.

Both scenarios are working, but not together.

If I adjust the rule order I can get one SSID, but then the other fails.

Authentication failed:

22056 Subject not found in the applicable identity store(s).

Access Service Selection Matched Rule:

Rule-1

Identity Policy Matched Rule:

Rule-1

Selected Identity Stores:

RBLDAP

Evaluating Identity Policy

15004  Matched rule

15013  Selected Identity Store -

24031  Sending request to primary LDAP server

24017  Looking up host in LDAP Server - 04-xx-xx-xx-xx-xx

24009  Host not found in LDAP Server

22056  Subject not found in the applicable identity store(s).

22058  The advanced option that is configured for an unknown user is used.

22061  The 'Reject' advanced option is configured in case of a failed authentication request.

11003  Returned RADIUS Access-Reject

If I move the MAC add rule before the LDAP rule, then LDAP auth fails:

11001  Received RADIUS Access-Request

11017  RADIUS created a new session

11027  Detected Host Lookup UseCase (Service-Type = Call Check (10))

Evaluating Service Selection Policy

15004  Matched rule

15012  Selected Access Service - MAC filter network access

Evaluating Identity Policy

15004  Matched rule

15013  Selected Identity Store - Internal Hosts

24209  Looking up Host in Internal Hosts IDStore - 04-xx-xx-xx-xx-xx

24211  Found Host in Internal Hosts IDStore

22037  Authentication Passed

I have tried to set up the following to no avail.

It seems to me that there should be a simple process to make this happen. I thought if the rule is not matched it would move on to the next rule, etc.

I might be able to live with first checking LDAP and, if that fails, moving on to the local host DB, but that seems inefficient.

https://supportforums.cisco.com/thread/2133704

1 Accepted Solution

Tarik Admani
VIP Alumni

You can create an identity store sequence so that if the endpoint isn't present in the LDAP database then it can check its local host database.

Or you can create a condition in your service selection rule such that if the called-station-id ends with (SsidA) then you can have it match the rule that uses the appropriate rule which points to LDAP, another rule where called-station-id ends with (ssidB) match the rule that points to the rule that uses the local host database.

Here is the section on how to configure the identity store sequence; keep in mind to select continue if user not found.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/users_id_stores.html#wp1054132

Thanks,

Sent from Cisco Technical Support iPad App

Thanks

I had created an identity store sequence but had placed the local DB in the optional additional section. Also changed contains to ends with. Seems to be working as of now.

Cheers

I don't think you need an identity sequence.

The problem was occurring since you were using the contains operators and the SSIDs are "difi" and "difimac". Since the text "difi" is contained within "difimac" then this rule would always match if placed first.

Therefore, if you change the rule to say ends with "difi" or ends with "difimac" then you should not need an identity sequence and can select the specific database.
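
The operator problem described in the last reply, as an added example that is not part of the original posts and is not ACS code: a small first-match rule model showing why `contains "difi"` also captures "difimac" and why `ends with` routes both SSIDs correctly in any rule order. The rule tuples, service names and the `AP-MAC:SSID` Called-Station-Id format are assumptions made for the illustration.

```python
from itertools import permutations

# Added illustration: first-match rule selection on Called-Station-Id.
# Service names and the "AP-MAC:SSID" value format are assumptions.
OPS = {
    "contains": lambda value, text: text in value,
    "ends with": lambda value, text: value.endswith(text),
}

def select_service(rules, called_station_id):
    """Return the service of the first rule whose condition matches."""
    for op, text, service in rules:
        if OPS[op](called_station_id, text):
            return service
    return None  # no rule matched

def misrouted(rules, intended):
    """Map each SSID that lands on the wrong service to (got, wanted)."""
    wrong = {}
    for ssid, wanted in intended.items():
        # Constructed Called-Station-Id: placeholder AP MAC, then the SSID.
        got = select_service(rules, "00-11-22-33-44-55:" + ssid)
        if got != wanted:
            wrong[ssid] = (got, wanted)
    return wrong

def order_independent(rules, intended):
    """True if every ordering of the rules routes every SSID as intended."""
    return all(not misrouted(list(p), intended) for p in permutations(rules))

# SSIDs from the thread and the service each one should reach.
INTENDED = {"difi": "ldap-access", "difimac": "mac-filter-access"}

CONTAINS_RULES = [
    ("contains", "difi", "ldap-access"),
    ("contains", "difimac", "mac-filter-access"),
]
ENDS_WITH_RULES = [
    ("ends with", "difi", "ldap-access"),
    ("ends with", "difimac", "mac-filter-access"),
]

if __name__ == "__main__":
    for name, rules in (("contains", CONTAINS_RULES), ("ends with", ENDS_WITH_RULES)):
        print(name, "| misrouted:", misrouted(rules, INTENDED),
              "| order independent:", order_independent(rules, INTENDED))
```

Running `misrouted` against an exported list of SSIDs before changing rule conditions shows which networks would be sent to the wrong identity store.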