08-14-2012 08:06 AM - edited 03-10-2019 07:25 PM
As part of our BYOD policy, mobile phones are supposed to only use certificates for authentication, but they are using MSCHAP and cached creds to authenticate without a certificate. I think that I can fix this in ACS by creating a rule that PERMITS access if the user is using the x509 cert and a rule that DENIES mobile access if MSCHAP is used.
I think this hinges on ACS being able to see users for the particular SSID though. This is because we are running other secure SSIDs and if I implement the rules above it would affect all wireless auth.
Does anyone know how to create authentication policy in ACS 5.2 based on different SSIDs?
08-14-2012 08:13 AM
Josh,
You can add a compound condition that uses the RADIUS Called-Station-Id attribute. Use the "ends with" operator and then type in the SSID (case sensitive), and combine that with the authentication method of x509.
Thanks,
Tarik Admani
*Please rate helpful posts*
08-14-2012 08:43 AM
Thanks, I think I see what you mean. I added the compound condition field to my rule base, and upon creating a rule I put in the standard fields. In the compound condition field I add 'Called-Station-Id' and input the SSID like you mentioned.
As far as my overall rule goes, I'm thinking this is the proper syntax:
match Radius > in device type: Wireless > Radius IETF: Called-Station-ID ends with SSID > Network Access
And by Network Access, I will create an Access Service that does not allow MSCHAPv2.
Does this sound correct?
08-14-2012 08:48 AM
You should be able to set the authentication method when you click the customize button on the bottom. From there you can combine x509 + called-station-id ends with SSID = authorization profile.
Thanks,
Tarik Admani
*Please rate helpful posts*
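The rule logic worked out in the posts above, modelled as an added example (this is not ACS configuration or code from the thread): a first-match rule table that keys on the RADIUS Called-Station-Id "ends with" SSID condition, combined with the authentication method, so the certificate-only restriction applies to the BYOD SSID while other SSIDs are left alone. It assumes the WLC populates Called-Station-Id as `<AP-MAC>:<SSID>` (the reason the "ends with" operator is used), and the method labels `x509_PKI` and `MSCHAPV2` are constructed stand-ins, not ACS's exact attribute values. The `suffix_collisions` check goes beyond the thread: because "ends with" is a suffix test, an SSID that happens to end with the BYOD SSID's name would also match the BYOD rules.

```python
# Added example, not from the thread: an offline model of the ACS 5.2
# compound condition "Called-Station-Id ends with <SSID>" combined with the
# authentication method, evaluated against constructed RADIUS attributes.
# Assumption: Called-Station-Id is "<AP-MAC>:<SSID>" with a dash-separated
# MAC, the common WLC format; "x509_PKI"/"MSCHAPV2" are constructed labels.

from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    ssid: str                    # matched case-sensitively, as the thread notes
    auth_methods: FrozenSet[str] # authentication methods this rule matches
    result: str                  # "Permit" or "Deny"


def called_station_ssid(called_station_id: str) -> str:
    """Return the SSID portion of a MAC:SSID Called-Station-Id.

    The dash-separated MAC contains no ':', so the first ':' splits the two
    fields. A value with no ':' is returned unchanged.
    """
    mac, sep, ssid = called_station_id.partition(":")
    return ssid if sep else mac


def ssid_ends_with(called_station_id: str, ssid: str) -> bool:
    """The ACS 'ends with' operator: a case-sensitive suffix test."""
    return called_station_id.endswith(ssid)


def evaluate(rules: Iterable[Rule], attrs: Dict[str, str]) -> Tuple[str, str]:
    """First-match evaluation of the rule table, like an ACS authorization
    policy. attrs carries 'Called-Station-Id' and 'AuthMethod'. Returns
    (rule name, result), or ('default', 'Deny') when no rule matches."""
    for r in rules:
        if (ssid_ends_with(attrs["Called-Station-Id"], r.ssid)
                and attrs["AuthMethod"] in r.auth_methods):
            return r.name, r.result
    return "default", "Deny"


def suffix_collisions(rules: Iterable[Rule]) -> List[Tuple[str, str]]:
    """List (short, long) SSID pairs where 'short' is a suffix of 'long':
    an 'ends with short' condition also fires for requests on 'long'."""
    ssids = {r.ssid for r in rules}
    return sorted((s, l) for s in ssids for l in ssids
                  if s != l and l.endswith(s))


BYOD_SSID = "BYOD"   # constructed SSID name
RULES = (
    # Phones on the BYOD SSID: certificates permitted, MSCHAPv2 denied.
    Rule("BYOD-cert", BYOD_SSID, frozenset({"x509_PKI"}), "Permit"),
    Rule("BYOD-no-mschap", BYOD_SSID, frozenset({"MSCHAPV2"}), "Deny"),
    # Other secure SSID: unaffected by the BYOD restriction.
    Rule("Corp-any", "Corp", frozenset({"x509_PKI", "MSCHAPV2"}), "Permit"),
)

if __name__ == "__main__":
    for csid, method in [("00-1a-2b-3c-4d-5e:BYOD", "x509_PKI"),
                         ("00-1a-2b-3c-4d-5e:BYOD", "MSCHAPV2"),
                         ("00-1a-2b-3c-4d-5e:Corp", "MSCHAPV2"),
                         ("00-1a-2b-3c-4d-5e:byod", "MSCHAPV2")]:
        print(csid, method, evaluate(RULES, {"Called-Station-Id": csid,
                                             "AuthMethod": method}))
    print("suffix collisions:", suffix_collisions(RULES))
```

The last request in the demo, with a lower-case `byod`, falls through to the default deny rather than matching either BYOD rule, which is the case-sensitivity point made above; run `suffix_collisions` on the real rule table before deploying so a longer SSID name does not silently inherit the BYOD rules.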
08-14-2012 09:02 AM
Thanks. Under which Dictionary can I find the authentication method attribute?
08-14-2012 09:19 AM
It's not under any dictionary. When you go to the authorization section within your service policy, select customize, you should see the authentication method as one of the first options; just drag that over to the right and you should be able to configure it.
Thanks,
Tarik Admani
*Please rate helpful posts*