ACS - internally auth MSCHAPv2, Radius Proxy for EAP-TLS

des.mckee
Level 1

Hi,

I have a requirement that I logically think can be met using ACS but I'm struggling to get it actually configured.

I have an existing wired 802.1x setup using PEAP-MSCHAPv2 against our ACS (recently updated to 5.8) which works fine. A new requirement has come up to authenticate a partner's users against our switches. The partner also has a working 802.1x wired setup, using EAP-TLS against ISE with AnyConnect as the client. We want to use each other's LANs, using the partner device (ACS / ISE) as a Radius external proxy.

In theory I believe this should work, but I'm having difficulty working out where I can configure the match statements in the service selection policy.

My existing MSCHAPv2 rule, as an example, matches on DOMAIN\HOSTxxxxx in the Radius username field and then uses my wired 802.1x service.

What I think I want to do is have a match statement above this that matches on an EAP type. So if it matches EAP-TLS, send it to the proxy radius server (which is the ISE) and let it worry about authenticating that user - I will happily trust its answer.

When I choose Service Selection Rules, then Compound Condition, the only dictionary I can find with protocol is SYSTEM, and the choices are only RADIUS or TACACS. I can't find anything more like an EAP-TYPE to match on.

So how do I create a service selection rule that can differentiate between a PEAP-MSCHAPv2 request and use the internal database, and one that uses an external Radius server when it detects an EAP-TLS authentication request?

Thanks!


5 Replies

kthiruve
Cisco Employee

There are a couple of options you have in ACS. It is important to remember that ACS offers a hierarchy of policies in its policy constructs. Here are the steps for your use case.

When you create a service selection rule, there is a customize button at the bottom right of the screen; you can add dictionary attributes and other filters using this. That said, it is possible to choose device type, location, Radius IETF attribute or any other attribute for customizing the rules. Play around with it to see what options you can use.

  1. In your access service, make sure you create a rule using external proxy with EAP-TLS protocol. Then edit the service selection rule and use this rule to choose the access service.
  2. This will create an umbrella rule for all the services to be processed from the particular network device group, or other condition you applied in the service selection rule using customization.
  3. Now if you want to further filter it based on EAP-authentication, you can go to the identity policy, customize it, add EAP-Authentication and filter it based on EAP-TLS.

You can do this with ISE, by creating a compound condition and using this condition in policy set to filter endpoints based on protocol.

This way ISE offers flexibility in setting up the initial filter and has the flexibility to use a flatter model or a hierarchical one based on the need.

Thanks

Krishnan

Hi,

Thanks for the response.

If I define the ISE as an external Radius proxy service, I don't seem to have the usual options (or any options). I can choose what external proxy to point it at, and I can inject or strip Radius attributes. I don't have the identity or authorization choices, or the allowed protocols section, so I can't see how to tie this external proxy service to EAP-TLS (or anything really)?

In the service selection rules, I still can't find a condition that selects based on EAP-TYPE to then call this proxy service itself?

Thanks

A proxy forwards the request and response from the client to the Authentication server.

Please check the related topics section under "working with external proxy servers" from the following link. This is meant for 5.4. You can google it for other ACS servers. Content should be similar.

User Guide for Cisco Secure Access Control System 5.4 - Managing Network Resources [Cisco Secure Access Control System] …

The EAP-TLS needs to be configured in ISE as part of Authentication/Authz rules or policy sets. ACS just forwards the request from ACS to ISE.

Thanks

Krishnan

Thanks. What I'm trying to do is make a decision at the ACS layer.

If the incoming request is mschapv2, authenticate internally.

If the incoming request is eap-tls, send it to an ISE to authenticate.

Cisco SE pointed me towards using ISE as a radius proxy rather than an external database, but I'm not seeing how this is possible.

Please check my response above that outlines what is possible with access service vs identity policy.

If you want to filter based on EAP authentication method, you need to use identity policy in ACS.

However, you can filter the requests based on the NADs, NDG, location or other factors. You need to explore that.

Here are the steps:

  1. If you want to use an external proxy, you have to create the external proxy in Access Services. For example, you create a rule called "external-ISE".
  2. Now you can go back to the service selection rule and customize the sections you want to see using the customize button in the left corner.
  3. Later, create a service selection rule to include the conditions you need, such as network devices, location, device groups, endpoint filters etc. While creating or editing the service selection rule, in the results, you can add external-ISE as the service you need.
  4. This gives ACS the ability to select the service based on the service selection rule.

This may not be the option you are looking for, but it is an alternative.

In ISE, you can do this by creating compound conditions and using that in policy sets or in the authentication policy itself.

Thanks

Krishnan
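As an added illustration of what the thread runs into (this is example code, not from any poster or from Cisco), the toy parser below walks the RADIUS attribute TLVs of an Access-Request, reassembles the EAP-Message attribute and maps the EAP method byte to a service name the way a per-packet "EAP type" selector would have to; it also shows why that is not enough for service selection: the first Access-Request of an 802.1X exchange carries only an EAP-Response/Identity (type 1), so the method is not known yet. The service names, the DOMAIN\HOST username and the sample packets are constructed assumptions.

```python
"""Toy RADIUS attribute parser that picks a service from the EAP method."""
import struct
from typing import List, Optional, Tuple

EAP_MESSAGE = 79                       # RADIUS attribute type carrying EAP
# Assumed service names, mirroring the thread's internal vs. proxied services.
SERVICE_BY_EAP_TYPE = {13: "external-ISE", 25: "wired-8021x-internal"}


def parse_radius_attrs(blob: bytes) -> List[Tuple[int, bytes]]:
    """Walk RADIUS attribute TLVs: 1-byte type, 1-byte length (incl. header)."""
    attrs, i = [], 0
    while i < len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((atype, blob[i + 2:i + alen]))
        i += alen
    return attrs


def eap_method(blob: bytes) -> Optional[int]:
    """Reassemble EAP-Message fragments; return the EAP type byte if present."""
    eap = b"".join(v for t, v in parse_radius_attrs(blob) if t == EAP_MESSAGE)
    if len(eap) < 5:
        return None              # no EAP, or a 4-byte Success/Failure header
    code, _ident, length = struct.unpack("!BBH", eap[:4])
    if code != 2 or length != len(eap):
        return None              # only Responses (code 2) name the peer's method
    return eap[4]


def select_service(blob: bytes) -> str:
    """What a packet-level EAP-type selector could decide for one request."""
    t = eap_method(blob)
    if t is None:
        return "non-EAP"
    if t == 1:
        return "undetermined"    # Identity response: method not negotiated yet
    return SERVICE_BY_EAP_TYPE.get(t, f"unknown-eap-{t}")


def build_request(eap_type: int, payload: bytes = b"", ident: int = 1) -> bytes:
    """Constructed sample: User-Name (1) plus EAP-Message (79) attributes."""
    eap = struct.pack("!BBHB", 2, ident, 5 + len(payload), eap_type) + payload
    user = b"DOMAIN\\HOST00001"   # assumed username, as in the poster's rule
    return bytes([1, 2 + len(user)]) + user + bytes([EAP_MESSAGE, 2 + len(eap)]) + eap
```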