Cisco ACS 5.5 configure for higher order radius

David Bell
Level 1

We have ACS 5.5 in production which works well for our internal users.

We now have a requirement for eduroam / govroam (both work in a similar manner).

My challenge is that I only want users from a particular wireless SSID to be authenticated on a higher order RADIUS server.

For example, internally there are no problems: from the supplicant via the wireless controller using 802.1X, ACS interrogates AD (great) and provides the necessary responses.

However, for govroam/eduroam the users need to be authenticated on centralised RADIUS servers which several organisations use, hence our ACS servers would simply act as the proxy, i.e. forward the RADIUS request.

I only wish for this to happen via a single SSID, and for my other SSIDs to not be affected. Any idea how I may achieve this without breaking my local infrastructure?

A guide for eduroam is here: https://community.jisc.ac.uk/blogs/scotts-eduroam-blog/article/eduroam-home-configuration-cisco-acs-53

However, it's really govroam I need, though it works in a similar fashion.

With regards

Dave



8 Replies

andrewswanson
Level 7

Hi

Ensure your WLC is sending the SSID in the Called Station ID attribute (configurable on the WLC under SECURITY > AAA > RADIUS > Authentication).

On the ACS, configure a Service Selection Rule with a condition like "RADIUS-IETF:Called-Station-ID contains eduroam". Anything matching this Rule can then be proxied.

hth
Andy

Thanks very much Andrew.

I've looked at the WLC configuration and I can see this field in our 5500 series controller. We still have some legacy 4400 series controllers which do not provide this function, hence we couldn't support it yet.

I'll accept as a good solution, many thanks for your help.

No problem David

If you don't have the GUI option to do this on the 4400s, check the following thread. It shows how to do this from the CLI (I recall having to do this on a 4400 years ago as the option wasn't available in the GUI).

hth
Andy

https://supportforums.cisco.com/t5/security-and-network-management/how-to-use-authorization-profile-for-different-wlan-ssid/td-p/1779908

Thanks very much.

I'll give this a go. My main concern is: when I make the change, what will the effect be on authentication of current users?

I'm hoping none, as it's just the NAS identification?

Kind regards

Dave

Are you using this attribute in any policy decisions on the ACS already?

You can check what the attribute is set to without changing anything with "show radius summary".

If I remember rightly the default is the AP MAC address. This can be changed to both AP MAC address and SSID with the command "config radius callStationIdType ap-macaddr-ssid".

hth
Andy

Thanks very much.

I now have the wireless controller configured.

I've been googling for a good guide on how to configure ACS 5.5 so that for a given SSID ACS forwards the authentication to an external server.

I must confess I am finding this element difficult. Do you have experience in this regard or maybe a good guide?

Thanks again.

Dave

Hi

The following is a rough guide on how to proxy WLC RADIUS authentication requests for a given SSID to an external proxy using ACS.

hth
Andy

Step 1 Configure WLC to forward the SSID in Called-Station-Id to ACS.

Step 2 Add proxy servers to ACS here:
Network Resources > External Proxy Servers

Step 3 Create an ACS Access Service for the proxy:
Access Policies > Access Services

Select "External Proxy" for User Selected Service Type when you create the service. This will give you options to select the External Proxy servers created in step 2.

Step 4 Create an ACS Service Selection Rule to match the traffic you want to send to the proxy service:
Access Policies > Access Services > Service Selection Rules

For the Conditions you can use compound statements to granularly match the traffic you want to send to the proxy, e.g.

match RADIUS traffic from your WLC
AND
match RADIUS-IETF:Called-Station-ID contains eduroam
AND
match RADIUS-IETF:User-Name not contains <@YOUR-DOMAIN>

The above statements would be matched for RADIUS traffic from the WLCs where the SSID is eduroam and the username does not contain your organisation's domain name.

The Result for this Service Selection Rule would be the Access Service created in step 3.
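As an added illustration (not code from this thread or from Cisco), the following Python mirrors the compound Service Selection Rule above together with the Called-Station-Id behaviour from Andy's earlier replies: it parses the attribute as the WLC sends it with callStationIdType ap-macaddr-ssid and selects the proxy service only when all three conditions hold, so other SSIDs and home users stay on the local service. The WLC addresses, home domain and service names are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed assumptions for the example (not values from the thread).
WLC_ADDRESSES = {"10.0.0.11", "10.0.0.12"}   # our wireless controllers
HOME_DOMAIN = "example.ac.uk"                # realm of our own users
PROXY_SERVICE = "Eduroam External Proxy"    # Access Service from step 3
LOCAL_SERVICE = "Default Network Access"    # existing AD-backed service

# With "config radius callStationIdType ap-macaddr-ssid" the WLC sends
# "<AP-MAC>:<SSID>"; with the default setting only the AP MAC is sent,
# so the SSID part is optional here and a rule on the SSID can never match.
_CSID = re.compile(
    r"^(?P<mac>(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})(?::(?P<ssid>.+))?$")


@dataclass
class AccessRequest:
    nas_ip: str               # source of the RADIUS Access-Request
    called_station_id: str    # RADIUS-IETF:Called-Station-ID
    user_name: str            # RADIUS-IETF:User-Name


def parse_called_station_id(value):
    """Return (ap_mac, ssid); ssid is None when the WLC only sends the MAC."""
    m = _CSID.match(value.strip())
    if not m:
        raise ValueError(f"unexpected Called-Station-Id format: {value!r}")
    return m.group("mac").lower(), m.group("ssid")


def select_service(req):
    """Mirror the compound Service Selection Rule: proxy only when the
    request is from our WLC AND the SSID contains 'eduroam' AND the
    User-Name does not carry our own realm. Everything else keeps using
    the local service, so other SSIDs are unaffected."""
    _, ssid = parse_called_station_id(req.called_station_id)
    from_wlc = req.nas_ip in WLC_ADDRESSES
    on_eduroam = ssid is not None and "eduroam" in ssid.lower()
    # Realm comparison is done case-insensitively here (an assumption).
    home_user = f"@{HOME_DOMAIN}".lower() in req.user_name.lower()
    if from_wlc and on_eduroam and not home_user:
        return PROXY_SERVICE
    return LOCAL_SERVICE
```

The fourth case below is the one Dave worried about: with the default Called-Station-Id (AP MAC only) the rule simply never fires and every request stays local.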

Found this documentation for ACS and eduroam (UK-based version).

hth

Andy

https://community.jisc.ac.uk/library/janet-services-documentation/cisco-acsise-configuration-eduroam
