02-23-2012 12:02 PM - edited 07-03-2021 09:39 PM
Hi Everyone
I have noticed that with a basic setup on ACS 5 I cannot differentiate between PEAP clients that I want to authenticate against AD and PEAP clients that I want to authenticate against a locally created database on the ACS. All clients, regardless of what SSID they are connected to, will be tried against the AD; if there is no match, then the client is prompted for a username and password to be authenticated against the local information store.
Can someone point me to some documentation that describes how I can separate the two, so that the clients on one SSID are checked against AD and clients on another are checked against the local info store?
Many thanks
Simon
02-23-2012 06:12 PM
Simon,
One of the attributes that the WLC sends in a RADIUS authentication request is the Called-Station-ID field. That field contains both the BSSID and ESSID (WLAN name) the client is trying to access, which means that you can do a compare on this field as a condition of your access rule. The format is xx-xx-xx-xx-xx-xx:wlanName. We don't really care about the BSSID, but the WLAN at the end of this string is very useful.
Here's how you can use this attribute value to influence access policy decisions:
1. Create a custom session condition (under Policy Elements) of type RADIUS-IETF using the Called-Station-ID (not the Calling-Station-ID).
2. Customize your access policy template so that your new custom session condition is available to your access policies.
3. Edit your access policy: a) check the custom session condition to enable it, b) choose the "Ends with" operator, and c) type in the name of your WLAN (case sensitive).
Justin
02-23-2012 08:26 PM
Justin +5 !
Nice response!
Can you add any additional links for more reading on this or config examples?
02-23-2012 11:32 PM
George,
I sort of cobbled this together with a packet sniff to figure out which fields I had available. The project I did this on was for w2k8 and I ported the solution over to ACS. Short answer is I don't have any docs or vids to link, but I'm happy to put a how-to together. Give me a few days and I'll post something a little more detailed.
Justin
Sent from Cisco Technical Support iPhone App
02-24-2012 05:29 AM
I'm trying this with a Cisco autonomous AP but it doesn't seem to work. I assume in IOS mode the AP will still be sending the RADIUS attribute required?
02-24-2012 05:43 AM
The best way to see if the value is being passed is to authenticate and look at the ACS logs. It will show you the MAC address and the SSID if the attribute is being passed to the RADIUS server.
Thanks,
Scott Fella
Sent from my iPhone
02-24-2012 05:46 AM
I was just looking at that. It's sending the Called-Station-Id as the MAC of the BVI0 interface. AP debug follows:
*Mar 1 04:12:54.238: RADIUS: User-Name [1] 15 "TEST\testwlan"
*Mar 1 04:12:54.238: RADIUS: Framed-MTU [12] 6 1400
*Mar 1 04:12:54.238: RADIUS: Called-Station-Id [30] 16 "b414.895b.ccc0"
*Mar 1 04:12:54.238: RADIUS: Calling-Station-Id [31] 16 "001e.4cb2.bfe1"
*Mar 1 04:12:54.238: RADIUS: Service-Type [6] 6 Login [1]
So it doesn't seem to be sending an SSID as the ID.
02-24-2012 06:05 AM
If it doesn't send the SSID name after the mac address, you will not be able to filter on the SSID. On ACS, the NAR field you can set is:
CLI - The calling-station-id attribute 31
DNID - The called-station-id attribute 30
Thanks,
Scott Fella
Sent from my iPhone
02-24-2012 06:09 AM
Went with a hunch and added the following commands I have to add for dot1x to work on the LAN:
radius-server vsa send accounting
radius-server vsa send authentication
The AP debug then shows:
*Mar 1 04:33:44.586: RADIUS: User-Name [1] 15 "TEST\testwlan"
*Mar 1 04:33:44.586: RADIUS: Framed-MTU [12] 6 1400
*Mar 1 04:33:44.586: RADIUS: Called-Station-Id [30] 16 "b414.895b.ccc0"
*Mar 1 04:33:44.586: RADIUS: Calling-Station-Id [31] 16 "001e.4cb2.bfe1"
*Mar 1 04:33:44.586: RADIUS: Vendor, Cisco [26] 18
*Mar 1 04:33:44.586: RADIUS: Cisco AVpair [1] 12 "ssid=Test2"
*Mar 1 04:33:44.586: RADIUS: Service-Type [6] 6 Login [1]
So I have now created a Service Selection Rule with a Compound Condition of: RADIUS-Cisco:cisco-av-pair equals ssid=Test2
and it now matches :-)
Thanks all
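As an added illustration (not code from this thread or from Cisco), the following Python models the two SSID encodings the posts above describe and the policy logic both answers rely on: Justin's WLC case, where the SSID is the part of Called-Station-Id after the colon, and Nicholas's autonomous-AP case, where the SSID only appears as a Cisco AV-pair once `radius-server vsa send authentication` is enabled. The debug lines are constructed samples in the format quoted in the thread; the identity store names (AD1, Internal Users) and the rule table are placeholders. Requests that carry no SSID at all (the first autonomous-AP capture) fall through every rule, which is the situation to check for when ACS reports a service selection failure.

```python
import re

# Constructed debug lines modelled on the "debug radius" output quoted in this
# thread. All values are made up for the example; they are not real captures.
WLC_DEBUG = [
    '*Mar  1 04:12:54.238: RADIUS:  User-Name           [1]   15  "TEST\\testwlan"',
    '*Mar  1 04:12:54.238: RADIUS:  Called-Station-Id   [30]  31  "00-11-22-33-44-55:Corp-Secure"',
    '*Mar  1 04:12:54.238: RADIUS:  Calling-Station-Id  [31]  19  "aa-bb-cc-dd-ee-ff"',
]
AUTONOMOUS_DEBUG = [
    '*Mar  1 04:33:44.586: RADIUS:  User-Name           [1]   15  "TEST\\testwlan"',
    '*Mar  1 04:33:44.586: RADIUS:  Called-Station-Id   [30]  16  "b414.895b.ccc0"',
    '*Mar  1 04:33:44.586: RADIUS:  Vendor, Cisco       [26]  18',
    '*Mar  1 04:33:44.586: RADIUS:   Cisco AVpair       [1]   12  "ssid=Test2"',
]

# Matches string-valued attributes only (e.g. Called-Station-Id [30] 16 "...").
# Numeric attributes such as Framed-MTU are irrelevant to SSID selection and skipped.
ATTR_RE = re.compile(
    r'RADIUS:\s+(?P<name>[A-Za-z-]+(?: AVpair)?)\s+\[\d+\]\s+\d+\s+"(?P<value>[^"]*)"'
)


def parse_radius_debug(lines):
    """Collect string attributes from debug lines into {name: [values]}."""
    attrs = {}
    for line in lines:
        m = ATTR_RE.search(line)
        if m:
            attrs.setdefault(m.group("name"), []).append(m.group("value"))
    return attrs


def ssid_from_request(attrs):
    """Return the SSID the client is joining, or None if the NAS did not send one.

    Two encodings appear in the thread:
      * WLC: Called-Station-Id = "<BSSID>:<WLAN name>". The BSSID uses dashes,
        so the first ':' introduces the WLAN name (assumption: names have no colon).
      * Autonomous IOS AP with 'radius-server vsa send authentication':
        Cisco AVpair "ssid=<name>". Without that command only the BVI MAC is sent.
    """
    for value in attrs.get("Called-Station-Id", []):
        if ":" in value:
            return value.split(":", 1)[1]
    for value in attrs.get("Cisco AVpair", []):
        key, _, val = value.partition("=")
        if key == "ssid":
            return val
    return None


def called_station_ends_with(called_station_id, suffix):
    """ACS 'Ends with' operator on Called-Station-Id: a plain, case-sensitive suffix test."""
    return called_station_id.endswith(suffix)


# Ordered rules, in the spirit of ACS service selection rules: SSID -> identity store.
# Store names are placeholders for this example.
POLICY = [
    ("Corp-Secure", "AD1"),
    ("Test2", "Internal Users"),
]


def select_identity_store(attrs, policy=POLICY):
    """Pick the identity store for a request by SSID; None means no rule matched."""
    ssid = ssid_from_request(attrs)
    if ssid is None:
        return None
    for rule_ssid, store in policy:
        if ssid == rule_ssid:  # exact, case-sensitive compare, as in the thread
            return store
    return None


if __name__ == "__main__":
    for label, lines in (("WLC", WLC_DEBUG), ("autonomous AP", AUTONOMOUS_DEBUG)):
        attrs = parse_radius_debug(lines)
        print(label, "->", ssid_from_request(attrs), "->", select_identity_store(attrs))
```

One caveat worth checking in a real rule set: "Ends with" on the bare WLAN name also matches any other WLAN whose name happens to end with that string (for example `Corp` matches `:GuestCorp`). Including the leading colon in the condition value (`:Corp`) pins the match to the whole WLAN name.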
02-24-2012 07:51 AM
Nicholas,
Wireless LAN Controllers send SSID in Called-Station-ID.
From what I see in the the rest of the thread, it looks like this field wouldn't work for an autonomous AP deployment.
Justin
Sent from Cisco Technical Support iPhone App
02-24-2012 05:16 AM
Here are a couple links that explain it in general. It's the same concept from the 4.2 guide to 5.x. You can also achieve this using IAS or NPS, but you have to use a different wildcard.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml
https://supportforums.cisco.com/thread/2081646
http://www.routerdiscussions.com/viewtopic.php?f=7&t=9020
Thanks,
Scott Fella
Sent from my iPhone
02-24-2012 05:18 AM
Oh... If you do this for ISE, you use the same attribute but the value is .*SSIDNAME
Thanks,
Scott Fella
Sent from my iPhone
02-23-2012 11:57 PM
Justin
Thank you for your response, that's really helpful. I will give it a try and re-post with the results.
Thanks
Simon
02-24-2012 07:01 AM
Thanks for posting your solution!
Sent from Cisco Technical Support iPhone App
02-27-2012 06:30 AM
Is there anything I need to do on the controller? I am being challenged for a user name and password but getting authentication failures with the failure "Check Service Selection Rules".