11-27-2011 06:14 PM - edited 03-10-2019 06:35 PM
Greetings
I have set up an LDAP identity store that provides WLC WLAN authentication - this works well - it points to the Default Network Access.
I have created a host identity in the Internal Hosts local store.
I have created policy elements based on time.
I created a new access policy that matches RADIUS and points to the Internal Hosts store.
I would like to have both running at the same time, each policy and data store providing authentication for a separate WLAN.
I am following this document for MAC authentication:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008084f13b.shtml
I am using ACS 5.2.
When I try to authenticate with the MAC address, I get error 22056 Subject not found in the applicable identity store.
The log shows that the username {mac address} is pointing to the LDAP authentication under the Default Network Access policy.
So it seems like the ACS is only looking at the Default Network Access policy and ignoring the MAC filter policy I created.
Steps I followed:
Assume the LDAP store is configured for the Default Network Access policy and is up and running.
I create a host in the Internal Identity Store and populate all required fields.
Under Policy Elements I create a session condition based on time and an Authorization and Permissions element under Network Access.
Under Access Policies I create a new access policy, mark the allowed protocols, and enable it under Service Selection Rules > match to RADIUS = same as the LDAP; got a green light.
Under Identity I point to Internal Hosts.
Under Authorization I create a new policy and point to my time element and my Authorization Profile.
On the WLC:
create a WLAN;
security none - for now;
Layer 2 - clicked MAC filtering;
AAA servers pointing to the ACS server created under the Security tab;
under the Security tab click MAC filtering, select Cisco ACS and the ':' delimiter, but I have tried the hyphen as well.
I look at the ACS logs and get RADIUS fail status:
username is the MAC address of my machine;
Access Service pointing to Default Network Access;
auth method Lookup - I do have Lookup checked under the allowed protocols section of the access policy;
Failure reason: 22056.
Any thoughts on where to pinpoint the issue?
Cheers
11-27-2011 06:40 PM
I think my issue resides somewhere in here - specifically in the
ACS comes preconfigured with two default access services: Default Device Admin and Default Network Access. The rules-based service selection mode is configured to use the AAA protocol as the selection criterion and hence when a TACACS+ request comes in, the Default Device Admin service is used and when a RADIUS request comes in, the Default Network Access service is used.
So what I am looking for is a way for the RADIUS request to be smart enough to see whether it is a host authentication or an LDAP request.
When looking at the service selection policy rule creation, there are only 2 match criteria: TACACS+ and RADIUS,
and RADIUS will point to the Default Network Access, which I currently have pointing to the LDAP store, which does not contain the MAC address.
I have figured out a workaround.
Under Users and Identity Stores I create an Identity Store Sequence and add LDAP and Internal Hosts to the ISS;
then under the access policy I change the Default Network Access to point to the ISS instead of the LDAP store.
This allows the local MAC database and the LDAP store to work.
Wondering if there is a more efficient way or if I can separate the two.
Cheers
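A small model of the behaviour the thread describes, added here as an illustration and not code from Cisco ACS or from the poster: rules-based service selection on the AAA protocol, then an identity store sequence that consults LDAP first and the Internal Hosts store second. The store contents, the MAC normalisation rule and the result tuples are assumptions for the example; 22056 is the failure code quoted in the post. It shows why a Default Network Access service bound to LDAP alone answers "subject not found" for a MAC, and why the sequence accepts the same MAC whether the WLC sends it with ':' or '-' delimiters.

```python
import re

# Constructed sample data (assumption for this example, not from the post or from Cisco):
LDAP_USERS = {"alice": "pa55word"}               # external LDAP store, user/password auth
INTERNAL_HOSTS = {"001122334455": "lab-laptop"}  # internal hosts store, keyed by MAC

SUBJECT_NOT_FOUND = 22056  # failure code quoted in the post


def normalize_mac(value):
    """Return a MAC as 12 lower-case hex digits whatever delimiter (':', '-', '.') the
    WLC used, or None when the username is not a MAC address at all."""
    digits = re.sub(r"[:\-.]", "", value).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def select_service(protocol):
    """Rules-based service selection keyed only on the AAA protocol, as quoted above."""
    return {"RADIUS": "Default Network Access",
            "TACACS+": "Default Device Admin"}.get(protocol)


def ldap_store(username, password):
    """One step of a sequence: ('found', identity) / ('not_found', None) / ('failed', None)."""
    if username not in LDAP_USERS:
        return "not_found", None
    if LDAP_USERS[username] == password:
        return "found", username
    return "failed", None


def hosts_store(username, password):
    """MAC lookup against the Internal Hosts store; a host entry has no password."""
    mac = normalize_mac(username)
    if mac is None or mac not in INTERNAL_HOSTS:
        return "not_found", None
    return "found", INTERNAL_HOSTS[mac]


def authenticate(username, password, sequence):
    """Walk the identity store sequence: the first store that knows the subject decides;
    only when every store reports not_found does the request end with 22056."""
    for store in sequence:
        status, identity = store(username, password)
        if status == "found":
            return "pass", identity
        if status == "failed":
            return "fail", "bad credentials"
    return "fail", SUBJECT_NOT_FOUND


# Before the workaround: Default Network Access bound to the LDAP store only.
LDAP_ONLY = [ldap_store]
# After the workaround: an identity store sequence of LDAP then Internal Hosts.
ISS = [ldap_store, hosts_store]

if __name__ == "__main__":
    print(select_service("RADIUS"))
    print(authenticate("00:11:22:33:44:55", "", LDAP_ONLY))  # ('fail', 22056)
    print(authenticate("00:11:22:33:44:55", "", ISS))        # ('pass', 'lab-laptop')
    print(authenticate("00-11-22-33-44-55", "", ISS))        # same host, hyphen delimiter
    print(authenticate("alice", "pa55word", ISS))            # ('pass', 'alice')
```

The point of the sequence is in authenticate(): a store that does not hold the subject says not_found and the walk continues, so LDAP's answer for a MAC username no longer ends the request. Keeping the delimiter handling in one normalize_mac() function is also what makes the ':' versus '-' choice on the WLC irrelevant to the lookup.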