ACS Rules based on Wireless SSID?

Josh Morris
Level 3

As part of our BYOD policy, mobile phones are supposed to only use certificates for authentication, but they are using MSCHAP and cached creds to authenticate without a certificate. I think that I can fix this in ACS by creating a rule that PERMITS access if the user is using the x509 cert and a rule that DENIES mobile access if MSCHAP is used.

I think this hinges on ACS being able to see users for the particular SSID though. This is because we are running other secure SSIDs and if I implement the rules above it would affect all wireless auth.

Does anyone know how to create authentication policy in ACS 5.2 based on different SSIDs?

Accepted Solution

Tarik Admani
VIP Alumni

Josh,

You can add a compound condition that uses the RADIUS Called-Station-Id attribute. Use the "ends with" operator and type in the SSID (case sensitive), then combine that with the authentication method of x509.

Thanks,

Tarik Admani
*Please rate helpful posts*

Thanks, I think I see what you mean. I added the compound condition field to my rule base, and upon creating a rule I put in the standard fields. In the compound condition field I add 'Called-Station-Id' and input the SSID like you mentioned.

As far as my overall rule goes, I'm thinking this is the proper syntax:

match Radius > in device type: Wireless > Radius IETF: Called-Station-ID ends with SSID > Network Access

And by Network Access, I will create an Access Service that does not allow MSCHAPv2.

Does this sound correct?

You should be able to set the authentication method when you click the Customize button at the bottom. From there you can combine x509 + Called-Station-Id ends with SSID = authorization profile.

Thanks,

Tarik Admani
*Please rate helpful posts*

Thanks. Under which Dictionary can I find the authentication method attribute?

It's not under any dictionary. When you go to the authorization section within your service policy and select Customize, you should see Authentication Method as one of the first options; just drag that over to the right and you should be able to configure it.

Thanks,

Tarik Admani
*Please rate helpful posts*
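As an added illustration (not code from this thread or from ACS), here is a small Python model of the rule table described above: Called-Station-Id "ends with" SSID combined with the Authentication Method condition. It assumes the controller sends Called-Station-Id as `<AP-MAC>:<SSID>` and uses assumed names for the authentication-method values; the constructed requests show the case-sensitive match and why a bare suffix also catches another SSID that ends in the same text.

```python
"""Model of an ACS 5.x rule table keyed on Called-Station-Id (added example, not ACS code).

Assumption: the WLC sends Called-Station-Id as "<AP-MAC>:<SSID>"; the
authentication-method value names below are assumed, check the ACS pick list.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RadiusRequest:
    called_station_id: str  # constructed, e.g. "00-11-22-33-44-55:BYOD"
    auth_method: str        # e.g. "x509_PKI" (EAP-TLS) or "MSCHAPV2"


@dataclass(frozen=True)
class Rule:
    name: str
    ssid_suffix: str  # the value typed into the "ends with" condition
    auth_method: str  # the Authentication Method condition
    result: str       # "permit" or "deny"


def rule_matches(rule: Rule, req: RadiusRequest) -> bool:
    # "ends with" is a case-sensitive string test: no case folding here.
    return (req.called_station_id.endswith(rule.ssid_suffix)
            and req.auth_method == rule.auth_method)


def evaluate(rules, req):
    """First-match semantics like an ACS rule table; no match -> ("deny", None),
    meaning the request falls through to whatever other rules exist."""
    for rule in rules:
        if rule_matches(rule, req):
            return rule.result, rule.name
    return "deny", None


# Bare suffix, as suggested in the thread: also matches any SSID ending in "BYOD".
BYOD_RULES = [
    Rule("byod-cert", "BYOD", "x509_PKI", "permit"),
    Rule("byod-mschap", "BYOD", "MSCHAPV2", "deny"),
]

# Including the separator pins the match to the exact SSID (given the format above).
STRICT_BYOD_RULES = [
    Rule("byod-cert", ":BYOD", "x509_PKI", "permit"),
    Rule("byod-mschap", ":BYOD", "MSCHAPV2", "deny"),
]
```

A request for an SSID with different capitalisation, or for a different SSID altogether, returns `("deny", None)` here, meaning it never touched the BYOD rules and would be handled by the other rules in the real table.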