Manipulate ACCESS-ACCEPT attributes

Roy Ros
Level 1

Hello,

Is it possible in some way to manipulate/add the following ACCESS-ACCEPT attributes that come from a radius proxy?

• Tunnel-Type
• Tunnel-Medium-Type
• Tunnel-Private-Group-ID


Using a Cisco ACS 5.5.0.46.


Best regards,

Roy

6 Replies

edwardcollins7
Level 1

Hi Roy,

The RADIUS Attributes Rewrite feature introduced in ACS 5.4 enables you to add, overwrite and delete RADIUS INBOUND attributes on access requests, which will be redirected to external servers.
In ACS 5.5, it is extended to enable manipulation of RADIUS OUTBOUND attributes.
ACS 5.5 supports add, overwrite and delete of RADIUS OUTBOUND attributes, which will be returned to the client.
The RADIUS attributes rewrite is enabled for Access-Accept responses only, not for Access-Reject or Challenge responses, and it is not relevant for accounting responses.
The attribute manipulation is defined as an attribute operation statement and configured as part of the Proxy Access Service.
An administrator can configure an attribute operation clause for a specific proxy access service. When this service is selected, ACS performs the operation on the Access-Accept response and returns the updated response to the client.

Yes, you can manipulate those attributes.

Rate if Useful :)

Sharing knowledge makes you Immortal.

Regards,

Ed


Hello Ed,

Thank you for your response.

I noticed the Radius (INBOUND/OUTBOUND) Attributes Injection field, but I don't see the attributes I mentioned before. Should they be here?

Best regards,

Roy

Roy,

Did you ever get an answer on this? I am looking to do the exact same thing. We are also running 5.5.0.46.

Thanks

Tim

Hi Tim,

I never got an answer to this question. We solved this by using another Radius server that can do this. You could try FreeRADIUS for just these attributes.

Best regards,

Roy

Roy,

Thanks for responding. I know you have already moved on from this, but we have figured out an alternate method to do this, just FYI in case you want to change things in the future.

We have selection rules based on the username, in our case "@college.edu", and assign a corresponding service rule.

Here we are still using the "outbound attribute injection", but we are using the "Airespace-Interface-Name" attribute under the "RADIUS Cisco-Airespace" dictionary. There we are specifying an interface group we set up on the WLC.

This actually is even better for our environment, as this will help keep our subnet size down, and if we need more IPs we can assign an additional interface to that group.

Thanks again,

Tim

Tim,

Hmm, never thought about that. But do you have AAA override still on? I noticed that some administrators send an ACCESS-ACCEPT and also the attributes described in my first post for their own network. So we had users in the wrong VLAN because of that.

Roy
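An added example, not code from this thread or from Cisco ACS: a small Python model of what Ed's "overwrite" operation does to the three RFC 2868 tunnel attributes in an Access-Accept, plus a check for the case Roy raises in the last post, where a proxied server's own VLAN attributes would be honoured by the WLC under AAA override. The sample Access-Accept, user name and VLAN numbers are constructed.

```python
import struct

# RFC 2868 tunnel attribute types and the RFC 3580 values that select a VLAN
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_ATTRS = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
VLAN, IEEE_802 = 13, 6

def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs (length covers the 2-byte header)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(blob):
    """Parse RADIUS TLVs back into (type, value) pairs; refuse malformed lengths."""
    out, i = [], 0
    while i < len(blob):
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed RADIUS attribute")
        out.append((t, blob[i + 2:i + length]))
        i += length
    return out

def tunnel_vlan_attrs(vlan_id, tag=0):
    """The three tagged attributes an Access-Accept carries to assign a VLAN."""
    return [(TUNNEL_TYPE, bytes([tag]) + VLAN.to_bytes(3, "big")),
            (TUNNEL_MEDIUM_TYPE, bytes([tag]) + IEEE_802.to_bytes(3, "big")),
            (TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode())]

def vlan_from_attrs(attrs):
    """Return the VLAN an Access-Accept would assign, or None if it assigns none."""
    ttype = medium = group = None
    for t, v in attrs:
        if t == TUNNEL_TYPE:                # tag byte, then a 3-byte integer
            ttype = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_MEDIUM_TYPE:
            medium = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID:  # first byte is a tag only if <= 0x1F
            group = (v[1:] if v and v[0] <= 0x1F else v).decode()
    return group if ttype == VLAN and medium == IEEE_802 else None

def foreign_vlan(blob, local_vlans):
    """Flag a proxied Access-Accept that assigns a VLAN outside our own set (the wrong-VLAN case)."""
    vlan = vlan_from_attrs(decode_attrs(blob))
    return vlan if vlan is not None and vlan not in local_vlans else None

def rewrite_accept(blob, local_vlan):
    """ACS-style overwrite: drop the proxied server's tunnel attributes, add ours, keep the rest."""
    kept = [(t, v) for t, v in decode_attrs(blob) if t not in TUNNEL_ATTRS]
    return encode_attrs(kept + tunnel_vlan_attrs(local_vlan))
```

Running `foreign_vlan` on replies before forwarding them gives you a log line for every home server that tries to place your users in its own VLAN, and `rewrite_accept` is the fix Ed describes, applied only to the three tunnel attributes.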