Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
849
Views
10
Helpful
2
Replies

I suffering a strange issue ACS 4.2

CSCO11518107
Level 1
Level 1

‎08-28-2012 12:56 PM - edited ‎03-10-2019 07:28 PM

Hi Guys

I suffering a strange issue , I have two group users (wireless user , VPN users),

  • I created a NAR To restrict users,, created two group NAR (network access restriction ) wirless group and vpn group
  • I attached wireless NAR group to wireless group user , and attached VPN NAR group to VPN group users ,

Supposed Wireless users only have access to wireless ,and VPN users just have access to connect VPN and they don’t have access wireless .

The issue VPN user can access wireless!!!!!

Notice I used ACS4.2 And Aruba controller

Is this bug in ACS 4.2 or what ? please advice

1.gif

22.png

33.png

444.png

Labels:
0 Helpful
2 Replies 2

Tarik Admani
VIP Alumni
VIP Alumni

‎09-08-2012 12:39 AM

Hi,

NAR are based on two radius attributes (calling-station-id = client information) (called-station-id = network device information).

The issue is based on the VPN NAR that you have configured.

However let me explain why this works for the WLAN users, you configured an IP based rule (dont know if this was intentional but it works), in a way that if a client authenticates with the calling-station-id from the VPN server (ip address is the format for calling-station-id), that it must match the called-station-id that belongs in the "NDG-WLAN" which fails. I noticed that you do not have a DNIS condition configured, the ACS is designed to failover to this rule for non IP based NAR filters. For wireless dot1x authentication (calling-station-id is the mac address of the client), there is no CLI/DNIS based rule enabled so that is why the wireless requests are permitted.

When the VPN users connect to wireless an hit the VPN NAR, the calling-station-id is a mac address format, and with no CLI/DNIS rule configured you allow them access.

In the VPN NAR, you should create a DNIS based rule which denies access from the NDG:WLAN and wildcard the dnis field, and that will fix your issue.

Here is some reference material:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SPC.html#wp766301

"IP-based NAR filters work only if ACS receives the Radius Calling-Station-Id  (31) attribute. The Calling-Station-Id (31) must contain a valid IP  address. If it does not, it will fall over to DNIS rules."

Thanks,

Tarik Admani
*Please rate helpful posts*

Amjad Abdullah
VIP Alumni
VIP Alumni
In response to Tarik Admani

‎09-11-2012 01:20 AM

Tarik :You are always the man when it comes to AAA. +5 my friend.

I would also add that called-station-id format is "AP_Mac_address:SSID".

so suppose that radio mac address of your SSID is 11:11:11:11:11:11 and your SSID is Test the called-station-id will be 11:11:11:11:11:11:Test

keeping this in mind, when you create CLI/DNIS access restriction filter, you need to provide one entry for every signel SSID that you have and want to allow the users to.

You can use wildcards (* for example) if you want to allow the users to all APs.

To allow client access on all APs on SSID Test then you need to configure the DNIS as *Test.

You look into this config example and it will certainly help you:

http://tiny.cc/9qogkw

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

Rating useful replies is more useful than saying "Thank you"
0 Helpful
Customers Also Viewed These Support Documents