02-15-2016 09:40 AM
Hi,
I have a requirement that I logically think can be met using ACS but I'm struggling to get it actually configured.
I have an existing wired 802.1x setup using PEAP-MSCHAPv2 against our ACS (recently updated to 5.8) which works fine. A new requirement has come up to authenticate a partner's users against our switches. The partner also has a working 802.1x wired setup, using EAP-TLS against ISE with AnyConnect as the client. We want to use each other's LANs, using the partner device (ACS / ISE) as a RADIUS external proxy.
In theory I believe this should work, but I'm having difficulty working out where I can configure the match statements in the service selection policy.
My existing MSCHAPv2 rule, as an example, matches on DOMAIN\HOSTxxxxx in the Radius username field and then uses my wired 802.1x service.
What I think I want to do is have a match statement above this that matches on an EAP type. So if it matches EAP-TLS, send it to the proxy radius server (which is the ISE) and let it worry about authenticating that user - I will happily trust its answer.
When I choose Service Selection Rules, then Compound Condition, the only dictionary I can find with protocol is SYSTEM, and the choices are only RADIUS or TACACS - I can't find anything more like an EAP-TYPE to match on.
So how do I create a service selection rule that can differentiate between a PEAP-MSCHAPv2 request and use the internal database, and one that uses an external Radius server when it detects an EAP-TLS authentication request?
Thanks!
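The decision the question describes (look at the EAP type inside the RADIUS request, send EAP-TLS to the ISE proxy, keep PEAP local), written out as an added example that is not part of this thread and not ACS or ISE code. It parses the RADIUS attribute section, reassembles the EAP-Message attributes (type 79) and reads the EAP type byte of the EAP-Response. The packet builder, authenticator, usernames and the `route_request` rule are all constructed for illustration. One thing the parser makes visible: the first Access-Request of an 802.1x session carries an EAP-Response/Identity (type 1), which does not yet say whether the method will be EAP-TLS or PEAP, so a rule keyed on EAP type can only decide once the method has been negotiated.

```python
"""Added example: classify a RADIUS Access-Request by the EAP type it carries.
Not code from the thread or from Cisco; packets below are constructed."""
import struct
from typing import List, Optional, Tuple

RADIUS_CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79          # RFC 3579

EAP_CODE_RESPONSE = 2          # EAP codes: 1 Request, 2 Response
EAP_TYPE_IDENTITY = 1          # IANA EAP method types
EAP_TYPE_TLS = 13
EAP_TYPE_PEAP = 25


def parse_radius_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Return (type, value) pairs from a RADIUS packet.
    Header: code(1) id(1) length(2) authenticator(16) = 20 bytes."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs = []
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def eap_type_from_attrs(attrs: List[Tuple[int, bytes]]) -> Optional[int]:
    """Concatenate EAP-Message fragments in order (RFC 3579) and return the
    EAP type byte of an EAP-Response, or None if no usable EAP is present."""
    eap = b"".join(value for atype, value in attrs if atype == ATTR_EAP_MESSAGE)
    if len(eap) < 5:
        return None
    code, _ident, length = struct.unpack("!BBH", eap[:4])
    if code != EAP_CODE_RESPONSE or length > len(eap):
        return None
    return eap[4]                # EAP header is code(1) id(1) length(2), then type


def route_request(packet: bytes) -> str:
    """Hypothetical routing rule matching the question: EAP-TLS goes to the
    ISE proxy, PEAP stays local, an Identity response is not yet decidable."""
    etype = eap_type_from_attrs(parse_radius_attributes(packet))
    if etype == EAP_TYPE_TLS:
        return "proxy-to-ISE"
    if etype == EAP_TYPE_PEAP:
        return "local-peap"
    if etype == EAP_TYPE_IDENTITY:
        return "undetermined"    # method not negotiated yet
    return "reject"


def eap_response(eap_type: int, data: bytes = b"") -> bytes:
    """Build an EAP-Response of the given type (constructed sample)."""
    return struct.pack("!BBHB", EAP_CODE_RESPONSE, 1, 5 + len(data), eap_type) + data


def build_access_request(username: bytes, eap_payload: bytes) -> bytes:
    """Build a minimal Access-Request (constructed sample; the authenticator
    is zeroed here, which a real NAS never does). EAP-Message values are
    split into chunks of at most 253 bytes, as the attribute format requires."""
    body = bytes([ATTR_USER_NAME, 2 + len(username)]) + username
    for i in range(0, len(eap_payload), 253):
        chunk = eap_payload[i:i + 253]
        body += bytes([ATTR_EAP_MESSAGE, 2 + len(chunk)]) + chunk
    header = struct.pack("!BBH", RADIUS_CODE_ACCESS_REQUEST, 7, 20 + len(body))
    return header + bytes(16) + body


if __name__ == "__main__":
    for name, pkt in [
        ("peap", build_access_request(b"DOMAIN\\HOST01", eap_response(EAP_TYPE_PEAP))),
        ("tls", build_access_request(b"partner-user", eap_response(EAP_TYPE_TLS, b"\x00"))),
        ("identity", build_access_request(b"DOMAIN\\HOST01", eap_response(EAP_TYPE_IDENTITY, b"DOMAIN\\HOST01"))),
    ]:
        print(name, "->", route_request(pkt))
```

The reassembly step matters in practice: an EAP-TLS response carrying certificate data is far larger than one RADIUS attribute, so the type byte is only reliable after all EAP-Message fragments of the packet are joined.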
02-18-2016 10:02 AM
A proxy forwards the request and response from the client to the Authentication server.
Please check the related topics section under "working with external proxy servers" from the following link. This is meant for 5.4. You can google it for other ACS servers. Content should be similar.
The EAP-TLS needs to be configured in ISE as part of Authentication/Authz rules or policy sets. ACS just forwards the request from ACS to ISE.
Thanks
Krishnan
02-16-2016 02:02 PM
There are a couple of options you have in ACS. It is important to remember ACS offers a hierarchy of policies in its policy constructs. Here are the steps to do for your use case.
When you create a service selection rule, there is a customize button in the right bottom of the screen; you can add dictionary attributes and other filters using this. That said, it is possible to choose device type, location, RADIUS IETF attribute or any other attribute for customizing the rules. Play around with it to see what options you can use.
You can do this with ISE, by creating a compound condition and using this condition in policy set to filter endpoints based on protocol.
This way ISE offers flexibility in setting up the initial filter and has a flexibility to have a flatter model or hierarchical based on the need.
Thanks
Krishnan
02-17-2016 03:47 AM
Hi,
thanks for the response.
If I define the ISE as an external RADIUS proxy service, I don't seem to have the usual options (or any options). I can choose what external proxy to point it at, and I can inject or strip RADIUS attributes. I don't have the identity or authorization choices, or the allowed protocols section, so I can't see how to tie this external proxy service to EAP-TLS (or anything really)?
In the service selection rules, I still can't find a condition that selects based on EAP-TYPE to then call this proxy service itself?
Thanks
02-18-2016 11:21 AM
Thanks. What I'm trying to do is make a decision at the ACS layer.
If the incoming request is MSCHAPv2, authenticate internally.
If the incoming request is EAP-TLS, send it to an ISE to authenticate.
Cisco SE pointed me towards using ISE as a RADIUS proxy rather than an external database, but I'm not seeing how this is possible.
02-18-2016 01:52 PM
Please check my response above that outlines what is possible with access service vs identity policy.
If you want to filter based on EAP authentication method, you need to use identity policy in ACS.
However, you can filter the requests based on the NADs, NDG, location or other factors. You need to explore that.
Here are the steps
This may not be the option you are looking for, but it is an alternative.
In ISE, you can do this by creating compound conditions and using that in policy sets or in the authentication policy itself.
Thanks
Krishnan