06-11-2014 04:22 AM - edited 03-10-2019 09:47 PM
Hello,
Is it possible in some way to manipulate/add the following ACCESS-ACCEPT attributes that come from a radius proxy?
Using a Cisco ACS 5.5.0.46.
Best regards,
Roy
06-12-2014 03:12 AM
Hi Roy,
The RADIUS Attributes Rewrite feature introduced in ACS 5.4 enables you to add, overwrite and delete RADIUS INBOUND attributes on access requests, which will be redirected to external servers.
In ACS 5.5, it is extended to enable manipulation on RADIUS OUTBOUND attributes.
ACS 5.5 supports add, overwrite and delete of RADIUS OUTBOUND attributes, which will be returned to the client.
The RADIUS attributes rewrite is enabled for Access-Accept response only, yet not for Access-Reject or Challenge responses and not relevant for accounting responses.
The attribute manipulation is defined as an attribute operation statement and configured as part of the Proxy Access Service.
An administrator can configure an attribute operation clause for a specific proxy access service. When this service is selected, ACS performs the operation on the Access-Accept response and returns the updated response to the client.
Yes, you can manipulate those attributes.
Rate if Useful :)
Sharing knowledge makes you Immortal.
Regards,
Ed
06-12-2014 03:33 AM
12-10-2015 06:56 AM
Roy,
Did you ever get an answer on this? I am looking to do the exact same thing. We are also running 5.5.0.46.
Thanks
Tim
12-10-2015 11:01 PM
Hi Tim,
I never got an answer to this question. We solved this by using another RADIUS server that can do this. You could try FreeRADIUS for just these attributes.
Best regards,
Roy
12-14-2015 10:18 AM
Roy,
Thanks for responding. I know you have already moved on from this, but we have figured out an alternate method to do this, just FYI in case you wanted to change things in the future.
We have selection rules based on the username, in our case "@college.edu", and assign a corresponding service rule.
Here we are still using the "outbound attribute injection", but we are using the "Airespace-Interface-Name" under the "Radius Cisco-Airespace" dictionary. There we are specifying an interface group we set up on the WLC.
This actually is even better for our environment, as this will help keep our subnet size down, and if we need more IPs we can assign an additional interface to that group.
Thanks again,
Tim
12-16-2015 07:27 AM
Tim,
Hmm, never thought about that. But do you have AAA override still on? I noticed that some administrators send an ACCESS-ACCEPT and also the attributes described in my first post for their own network. So we had users in the wrong VLAN because of that.
Roy
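The add, overwrite and delete operations on a proxied Access-Accept discussed in this thread, as an added Python example (not Cisco ACS code and not posted by any participant). It assumes the RFC 2865 packet layout and a packet without a Message-Authenticator attribute; attribute type 81, the values and the shared secret are constructed stand-ins, since the attributes from the original question are not shown.

```python
import hashlib
import struct

ACCESS_ACCEPT = 2  # RFC 2865 packet code; Access-Reject is 3, Access-Challenge is 11

def encode(code, ident, request_auth, secret, attrs):
    """Build a response and sign it: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    if any(len(v) > 253 for _, v in attrs):
        raise ValueError("attribute value longer than 253 bytes")
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def parse_attrs(data):
    """Split the attribute section into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def rewrite_accept(packet, request_auth, secret, ops):
    """Apply ops to an Access-Accept and re-sign it for the client.
    ops: ("delete", type), ("add", type, value) or ("overwrite", type, value).
    Any other packet code is returned unchanged."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    if code != ACCESS_ACCEPT:
        return packet
    attrs = parse_attrs(packet[20:])
    for op, atype, *value in ops:
        if op == "delete":
            attrs = [(t, v) for t, v in attrs if t != atype]
        elif op == "add":
            attrs.append((atype, value[0]))
        elif op == "overwrite":
            attrs = [(t, value[0] if t == atype else v) for t, v in attrs]
        else:
            raise ValueError("unknown operation: " + op)
    # The attribute section changed, so the Response Authenticator is recomputed.
    return encode(code, ident, request_auth, secret, attrs)

# Constructed sample: an upstream Access-Accept carrying a VLAN-style attribute.
REQ_AUTH, SECRET = bytes(range(16)), b"constructed-secret"
SAMPLE = encode(ACCESS_ACCEPT, 7, REQ_AUTH, SECRET, [(81, b"upstream-vlan"), (18, b"welcome")])
REWRITTEN = rewrite_accept(SAMPLE, REQ_AUTH, SECRET, [("delete", 81), ("add", 81, b"local-vlan")])
```

Deleting the upstream value before adding the local one means the client never sees two competing values for the same attribute.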