SSID To Group Mapping With ACS 5.1

sreejith_r · ‎09-29-2010

Hi ;

I am trying to implement PEAP authentication with ACS 5.1 and PEAP is working fine. I have two SSID's with peap authentication and i have two groups in AD. I need to map one ssid with one group and another SSID with the other group.

I implemented the same with ACS 4.2 (Screenshot attached) . Now the requirement is to implement the same concept in ACS 5.1. Could you please help me on this.

burnsidestev · ‎09-30-2010

DNIS is confidured under Policy Elements ->Session Conditions-> Network Conditions-> End Station Filters.

You can then Apply that under Access Policies -> Service Selection Rules

-by adding it by clicking the Customize button in the lower right corner.

- create a new rule that adds that filter.

Thats the basics I have figured out so far. I am still having issues implementing it myself though.

sreejith_r · ‎09-30-2010

Thank You Boss. As you said still there are issues. Its not denying the access evenif we are trying to access the SSID with another group member credentials.

burnsidestev · ‎09-30-2010

My issue turned out to be a missing * before the SSID in the End Station Filter.

If its not denying access when the wrong credentials are entered, look at the authentication profile the service selection rule pointed to. At the bottom it shows the default action if a rule isnt met. The default on those rules is Permit Access. Change that to Deny Access.

sreejith_r · ‎09-30-2010

I already added the * before the SSID value.

I put CLI as ANY and DNIS = *Staff.

I created two groups in ACS called staff and student and created the usernames in the respective group.

My requirement is that Only users in the staff group should access staff ssid. But now both student and staff group members can access staff ssid.

That means the endstation filter is not working properly.

burnsidestev · ‎10-01-2010

If you go under Access Policies and Service Selection Rules and check you hit count( you may need to refresh if you just tried connecting) see if the rule is incrementing.

If that rule has a condition tied to that SSID, it should only increment when that SSID sends traffic. If users credentials are working, thats a separate issue.

For the Access service you created, that your selection rule feeds, check the following

Identity will be set to internal users

Authorization you will need to have hit custom and selected "Identity Group" as a selector" Then when you make the rule, check that box and set it to your Staff Group. Set the default at the bottom of the page to Deny Access.

Scott Fella · ‎10-03-2010

I agree with the previous post... Make sure you deny access on the default on the bottom of the page. Make sure your polices are configured correctly especially if you have others listed ahead of this one. Since you can customize the policies, you can use internal groups or not. I tend to not use those since I specify in my policies what AD group to match.

Posted from my mobile device.

-Scott
*** Please rate helpful posts ***

sreejith_r · ‎10-03-2010

My default rule is the deny statement. Cureently i dont have any AD and i am doing the PoC with 5.1 . Could you please the below settings are correct

CLI=ANY

DNIS = *staff where staff is the SSID value.

If you have any document please share it with us. Once this is successful i will try with dynamic vlan assignment.

and in the policy i set the group mapping.

Scott Fella · ‎10-03-2010

Can you post some screen shots of your end station filter, your policies and your internal group. This way I can see what you have setup.

Posted from my mobile device.

-Scott
*** Please rate helpful posts ***