cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3765
Views
0
Helpful
8
Replies

ACS, Access Service and Authorization

beausoleilb1
Level 1
Level 1

I am running ACS 5.2 and I am trying to set up 3 new SSIDs, 2 of which are unsecured and 1 that is secured.  I am trying to figure out the best way to authorize them based on which network they are coming from.  All the authentication requests are coming from the same devices, the Wireless LAN Controllers, so NDG cannot be used as criteria.  I have been looking at either creating 3 Access Services and using Service Selection Rules, or creating 1 Access Service and using Authorization to choose.  Regardless, I cannot find an attribute to use that can determine which network they came from.

Does anyone have a suggestion for the best way to do this?  I

1 Accepted Solution

Accepted Solutions

Go to in Policy Elements -> Network Conditions -> End Station Filters, and create a CLI/DNIS rule that includes the name of the SSID, then use it as a condition in any rule you create for authentication. The SSID will be preceded by the MAC address, so enter *ssidname (ie, match anything before the SSID name, then match the SSID name). For example, if the SSID is called lab then you would enter *lab.

Then go to Access Policies -> Service Selection and create a service selection rule that has End Station Filter as the criteria.

View solution in original post

8 Replies 8

Go to in Policy Elements -> Network Conditions -> End Station Filters, and create a CLI/DNIS rule that includes the name of the SSID, then use it as a condition in any rule you create for authentication. The SSID will be preceded by the MAC address, so enter *ssidname (ie, match anything before the SSID name, then match the SSID name). For example, if the SSID is called lab then you would enter *lab.

Then go to Access Policies -> Service Selection and create a service selection rule that has End Station Filter as the criteria.

Javier thank you.  Sounds like a perfect solution to my issue.  From what I read, DNIS is where I want to place the *ssid value.  However, when I save it, the value gets moved from the DNIS field to the CLI field.  I get the same results in IE8 and FF3.  Any thoughts?

Put ANY in the CLI field, then *SSID in the DNIS field, it should work.

Scratch that.  It is displaying properly now.  I cannot explain what or why, but it is displaying fine now.

Ok it has to be a bug.  It is displaying incorrectly again.  This time I have also confirmed it on FF3 for Mac.  I suppose I can open a TAC case and allow you to confirm if it is a bug or not via a webex?

Thanks.

Brian

Brian,

That would be best.

Did you guys ever find a solution to this?  I have the same problem where it flips the values I enter for CLI and DNIS.  I've tried entering them in reverse order to get ACS to display them properly but my filter still doesn't work.

I enter the values like you see in pictures 2 & 3.  But then after hitting submit, when I go back in to check it the values are reversed like in picture 1.

I've even patched ACS up to version 5.2.0.26.3.

Guys-

I had the same issue with end station fileters when I would enter the source/destination mac addresses. Try reversing the values > hit submit and then go back and see if that worked. It definately works on the MAC address fields. I am pretty sure it is a bug in the current version that probably won't get fixed till ACS 5.3. I won't be back for a week, otherwise I would try myself

Thank you for rating helpful posts!