Beginner

Per SSID authentication on ACS 5

Hi Everyone

I have noticed that with a basic setup on ACS 5 I cannot differentiate between PEAP clients that I want to authenticate against AD and PEAP clients that I want to authenticate against a locally created database on the ACS. All clients, regardless of what SSID they are connected to, will be tried against the AD; if there is no match, the client is prompted for a username and password to be authenticated against the local information store.

Can someone point me to some documentation that describes how I can separate the two, so that the clients on one SSID are checked against AD and clients on another are checked against the local info store?

Many thanks

Simon

Accepted Solution
Enthusiast

Re: Per SSID authentication on ACS 5

Simon,

One of the attributes that the WLC sends in a RADIUS authentication request is the Called-Station-ID field. That field contains both the BSSID and ESSID (WLAN name) the client is trying to access, which means that you can do a compare on this field as a condition of your access rule. The format is xx-xx-xx-xx-xx-xx:wlanName. We don't really care about the BSSID, but the WLAN at the end of this string is very useful.

Here's how you can use this attribute value to influence access policy decisions:

1. Create a custom session condition (under Policy Elements) of type RADIUS-IETF using the Called-Station-ID (not the Calling-Station-ID).

2. Customize your access policy template so that your new custom session condition is available to your access policies

3. Edit your access policy: a) check the custom session condition to enable it, b) choose the "Ends with" operator, and c) type in the name of your WLAN (case sensitive).

Justin


Re: Per SSID authentication on ACS 5

Justin +5!

Nice response!

Can you add any additional links for more reading on this or config examples?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
Enthusiast

Re: Per SSID authentication on ACS 5

George,

I sort of cobbled this together with a packet sniff to figure out which fields I had available. The project I did this on was for w2k8 and I ported the solution over to ACS. Short answer is I don't have any docs or vids to link, but I'm happy to put a how-to together. Give me a few days and I'll post something a little more detailed.

Justin

Sent from Cisco Technical Support iPhone App

Beginner

Re: Per SSID authentication on ACS 5

I'm trying this with a Cisco autonomous AP but it doesn't seem to work. I assume in IOS mode the AP will still be sending the RADIUS attribute required?

Hall of Fame Master

Re: Per SSID authentication on ACS 5

The best way to see the value that is being passed is to authenticate and look at the ACS logs. They will show you the MAC address and the SSID if the attribute is being passed to the RADIUS server.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***
Beginner

Re: Per SSID authentication on ACS 5

Was just looking at that. It's sending the called-station-id as the MAC of the BVI0 interface. AP debug follows:

*Mar  1 04:12:54.238: RADIUS:  User-Name           [1]   15  "TEST\testwlan"
*Mar  1 04:12:54.238: RADIUS:  Framed-MTU          [12]  6   1400
*Mar  1 04:12:54.238: RADIUS:  Called-Station-Id   [30]  16  "b414.895b.ccc0"
*Mar  1 04:12:54.238: RADIUS:  Calling-Station-Id  [31]  16  "001e.4cb2.bfe1"
*Mar  1 04:12:54.238: RADIUS:  Service-Type        [6]   6   Login                     [1]

So it doesn't seem to be sending an SSID as the ID.

Hall of Fame Master

Re: Per SSID authentication on ACS 5

If it doesn't send the SSID name after the mac address, you will not be able to filter on the SSID. On ACS, the NAR field you can set is:

CLI - The calling-station-id attribute 31

DNID - The called-station-id attribute 30

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***
Beginner

Re: Per SSID authentication on ACS 5

Went with a hunch and added the following commands that I have to add for dot1x to work on the LAN:

radius-server vsa send accounting
radius-server vsa send authentication

The AP debug then shows:

*Mar  1 04:33:44.586: RADIUS:  User-Name           [1]   15  "TEST\testwlan"
*Mar  1 04:33:44.586: RADIUS:  Framed-MTU          [12]  6   1400
*Mar  1 04:33:44.586: RADIUS:  Called-Station-Id   [30]  16  "b414.895b.ccc0"
*Mar  1 04:33:44.586: RADIUS:  Calling-Station-Id  [31]  16  "001e.4cb2.bfe1"
*Mar  1 04:33:44.586: RADIUS:  Vendor, Cisco       [26]  18
*Mar  1 04:33:44.586: RADIUS:   Cisco AVpair       [1]   12  "ssid=Test2"
*Mar  1 04:33:44.586: RADIUS:  Service-Type        [6]   6   Login                     [1]

So I have now created a Service Selection Rule with a Compound Condition of: RADIUS-Cisco:cisco-av-pair equals ssid=Test2

and it now matches :-)

Thanks all
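The two working rules in this thread (Justin's accepted solution, Called-Station-Id "Ends with" the WLAN name from a WLC, and Nicholas's RADIUS-Cisco:cisco-av-pair equals ssid=Test2 from an autonomous AP) can be modelled side by side to see exactly what each one matches and, more importantly, what it matches by accident. The block below is an added example written for this page; it is not configuration from ACS, the thread, or Cisco, and ACS does not run Python. The request attribute sets are constructed (the WLC MACs and the "Corp"/"NotCorp" WLAN names are made up; the autonomous-AP values echo the debug output above), and the SERVICE_RULES table is a hypothetical stand-in for ACS service selection rules that map an SSID to an access service.

```python
import re

# Constructed sample Access-Request attribute sets (not captured from the thread).
REQUESTS = {
    # WLC: Called-Station-Id = <BSSID>:<WLAN name>
    "wlc_corp": {"Called-Station-Id": "00-1a-2b-3c-4d-5e:Corp"},
    # WLC: a second WLAN whose name happens to end in the same string
    "wlc_lookalike": {"Called-Station-Id": "00-1a-2b-3c-4d-5f:NotCorp"},
    # Autonomous AP without 'radius-server vsa send authentication': MAC only
    "ap_no_vsa": {"Called-Station-Id": "b414.895b.ccc0"},
    # Autonomous AP with VSAs enabled: the SSID arrives as a Cisco AV-pair instead
    "ap_vsa": {"Called-Station-Id": "b414.895b.ccc0", "cisco-av-pair": ["ssid=Test2"]},
}

# WLC format from the accepted solution: six '-'-separated hex octets, ':', WLAN name.
WLC_CALLED_STATION = re.compile(r"^[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}:(.+)$")


def ssid_from_called_station_id(value):
    """WLAN name a WLC appends to Called-Station-Id, or None when the attribute
    holds only a MAC (what the autonomous AP sent in the debug above)."""
    m = WLC_CALLED_STATION.match(value or "")
    return m.group(1) if m else None


def ssid_from_av_pairs(pairs):
    """Value of the 'ssid=' Cisco AV-pair, or None if the NAS sent no such VSA."""
    for pair in pairs:
        key, sep, val = pair.partition("=")
        if sep and key == "ssid":
            return val
    return None


def acs_ends_with(request, suffix):
    """ACS 5 session condition: Called-Station-Id 'Ends with' <suffix>, case sensitive."""
    return request.get("Called-Station-Id", "").endswith(suffix)


def ise_dot_star(request, wlan):
    """ISE-style condition on the same attribute with the value '.*<WLAN>'.
    Modelled as an unanchored regex search (assumption); the lookalike problem
    is the same whether or not the operator anchors at the end of the string."""
    return re.search(".*" + re.escape(wlan), request.get("Called-Station-Id", "")) is not None


def av_pair_equals(request, wlan):
    """Nicholas's rule for autonomous APs: cisco-av-pair equals 'ssid=<WLAN>'."""
    return ("ssid=" + wlan) in request.get("cisco-av-pair", [])


def strict_ssid(request):
    """Extract the SSID from whichever attribute the NAS used, or None."""
    ssid = ssid_from_called_station_id(request.get("Called-Station-Id"))
    if ssid is None:
        ssid = ssid_from_av_pairs(request.get("cisco-av-pair", []))
    return ssid


# Hypothetical service selection rules: exact SSID -> access service name.
SERVICE_RULES = [("Corp", "AD-PEAP"), ("Guest", "LocalDB-PEAP"), ("Test2", "LocalDB-PEAP")]


def select_service(request):
    """First rule whose SSID equals the request's SSID. None means no rule matched,
    which is what ACS reports as a 'Check Service Selection Rules' failure."""
    ssid = strict_ssid(request)
    for rule_ssid, service in SERVICE_RULES:
        if ssid == rule_ssid:
            return service
    return None
```

Two things the model makes visible. First, "Ends with Corp" (and the ISE ".*Corp" pattern) also accepts a WLAN named NotCorp, so a client on a differently trusted SSID can be steered into the AD-backed service; typing the condition as ":Corp" uses the separator the WLC puts between BSSID and WLAN name and closes that gap. Second, an autonomous AP without the two radius-server vsa send commands carries no SSID at all, so no SSID-based service selection rule can match and the request fails exactly as a missing rule would.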

Enthusiast

Re: Per SSID authentication on ACS 5

Nicholas,

Wireless LAN Controllers send SSID in Called-Station-ID.

From what I see in the rest of the thread, it looks like this field wouldn't work for an autonomous AP deployment.

Justin

Sent from Cisco Technical Support iPhone App

Hall of Fame Master

Re: Per SSID authentication on ACS 5

Here are a couple links that explain it in general. It's the same concept from the 4.2 guide to 5.x. You can also achieve this using IAS or NPS, but you have to use a different wildcard.

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml

https://supportforums.cisco.com/thread/2081646

http://www.routerdiscussions.com/viewtopic.php?f=7&t=9020

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***
Hall of Fame Master

Re: Per SSID authentication on ACS 5

Oh... If you do this for ISE, you use the same attribute but the value is .*SSIDNAME

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***
Beginner

Re: Per SSID authentication on ACS 5

Justin

Thank you for your response, that's really helpful. I will give it a try and re-post with the results.

Thanks

Simon

Hall of Fame Master

Re: Per SSID authentication on ACS 5

Thanks for posting your solution!

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
Beginner

Re: Per SSID authentication on ACS 5

Is there anything I need to do on the controller? I am being challenged for a username and password but getting authentication failures with the failure "Check Service Selection Rules".
