How to configure Cisco Airespace in Cisco Secure ACS v5.3

Erwin Buena · ‎03-11-2013

Need some help regarding Cisco Airespace configuration in Cisco Secure ACS v5.3. We're migrating to ACS v5.3 but we're encountering an issue with

Cisco Airespace. It is only working on ACS4.1 but when we tried to move it to Cisco Secure ACS v5.3, it is not working.

Amjad Abdullah · ‎03-11-2013

What do you mean by Airespace? a controller? or an AP?

What is the thing that is not working? clients authentiation? or management authentication?

What is the message that appears on the ACS logs when you try to authenticate?

Rating useful replies is more useful than saying "Thank you"

Erwin Buena · ‎03-12-2013

Ok, we have a legacy Cisco wireless devices called Cisco Airespace and this device is the result of Cisco acquisition of Airespace Wireless Network in 2005. Cisco improve this technology and make it a perfect device for WLAN. Going back to my issue, as I mention we have this device and it is working in our older version of ACS (4.x). Since we have now a latest version of ACS which is 5.3. We wanted to migrate all the device into our latest version of ACS including older version (Airespace). Since this is an older device, I'm thinking that the VSA attributes needs to manually added and create Policy and Access Service specific to Cisco Airespace. I've attached the Dictionaries attributed that I've added and needs some advise if I got the correct value for below item

Airespace-WLAN-Id

Airespace-QoS-Level

Airespace-DSCP

Airespace-802.1p-Tag

Airespace-Interface-Name

Airespace-ACL-Name

Below link is the configuration guide for Cisco Airespace under ACS 4.x

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080891919.shtml

maldehne · ‎03-12-2013

all the Airospace attributes that you have mentioned are already available on ACS 5.

All you need to do is to have them linked in the plolicies that you have created.

For info about the values of those attributes:

Airespace-WLAN-Id : you should enter the wlan profile id needed as configured on the controller

Airespace-QoS-Level : You add the value of QoS profile to be authorized to certain user , either

Platinum, Silver, Gold , Bronze or Uranium

Airespace-DSCP : You add the DSCP value to be authorized

Airespace-802.1p-Tag : You add the dot1p value to be authorized

Airospace-Interface-Name:You add the name of interface to be authorized to certain user , this can be used

as alternative to dynamic vlan assignment, but you have to make sure that the interface name returned has been

already configured on the WLC.

Airespace-ACL-Name : put the ACL name to be controlling particular client traffic after successful authentication, you have to make sure that the ACL name is valid for already defined one on the WLC.

----------------------------------------------------------------------------------------------

Please make sure to rate correct answers

Erwin Buena · ‎03-14-2013

Hi Maldehne,

Thanks for your reply but I'm confuse regarding the term that you mention in authorizing the DCP. Which part in ACS do i need to do that? I have set the Access policy already and I'm not so certain if I got it correct regarding the Attribute Value.

maldehne · ‎03-14-2013

interface name : not sure if you have interface with the name of 32

and ACL with the name of 64 ? You should put a value defined on your controller

so you should already have a dynamic interface with the same name

and ACL with the same name as well on your controller, otherwise your controller

will not be able to force the needed level of authorization.

In the following link , have a look on common DSCP values that are used:

http://www.cisco.com/en/US/partner/docs/solutions/Enterprise/Mobility/vowlan/41dg/vowlan_ch2.html#wp1058065

make sure to have integer value for DSCP

------------------------------------------------------------------------------------------

Please make sure to flag this thread as answered

Erwin Buena · ‎03-18-2013

Hi Maldehne,

Thank you for the information, it is clear now to me on how to configure the Airespace VSA in ACS 5.3. We're not implementing ACL in our WLAN controller

Airespace-Wlan-Id -> Value is set to "0" since the WLC are set to 0 or default

Airespace-QOS-Level -> Value is set to "Silver" since it is the one that is configure in WLC

Airespace-Interface-Name -> Value is set to "management" as define in WLC

-> Below are the VSA that I've remove in my configuration in ACS 5.3 since it is not define in ou WLC, let me know if it is the right thing to do or there is a default value that I can configure.

Airespace-ACL-Name -> This is not define in our WLC

Airespace-DSCP -> This is not define in our WLC

Airespace-802.1p-Tag -> Remove and to have the system put-in the default value

Thanks,

Erwin

maldehne · ‎03-18-2013

if you don't want to use certain attributes just remove them from the authorization profile.

--------------------------------------------------------------------------------------

Please make sure to rate correct answers