How to authenticate WCS Administration with MS IAS

Unanswered Question
Dec 12th, 2007

I was looking for a way to avoid creating numerous Lobby Ambassador users on a WCS, but use an existing Active Directory group instead.

The WCS configuration guide is very general on RADIUS servers other than TACACS, so I worked out the IAS related solution described below, which works with WCS 4.2.62.0 against IAS on Windows Server 2003 SP1.

Of course you can authenticate every other role on the WCS; for this example I used the Admin role.

It is assumed that the WCS is correctly configured for your RADIUS servers, and has been created and configured as a RADIUS client on the IAS. The policy condition is correctly configured, so that access requests from the WCS are being successfully processed and accepted by IAS, but WCS still brings up a Login failed message.

The interesting section is in the Advanced Tab, within the policy form, where we will have to add the vendor specific attribute (VSA), and only the VSA, no other attributes are required. Once we add the VSA we create attribute values, one for the role, and additional ones for every task the user is allowed on the WCS. The attribute values are of the vendor code 9 (or select Cisco from list), and have to be entered in Hex format as "non RFC conforming" attributes. So for the Admin role, (Wireless-WCS:role0=Admin) the Hex string could have been 0x576972656c6573732d5743533a726f6c65303d41646d696e

But unfortunately it's not as simple as that.

Now we need to prefix this string with 0x01 (this stands for Cisco AV pair) and the length of the complete string (26 bytes in this case, which is 0x1a). So the final string that is to be entered is 0x011a576972656c6573732d5743533a726f6c65303d41646d696e

The next value would be Wireless-WCS:task0=Users and Groups, in Hex format (again including the prefix 0x1a and a length byte of 0x25): 0x0125576972656c6573732d5743533a7461736b303d557365727320616e642047726f757073

And so on.

In fact, you will have to calculate the Hex string and the length for every line of the task list. These lists can be found on the WCS in Administration / AAA / Groups / Export task list.

It would be wise to automate this process; I used Excel for that. For translating ASCII to HEX, there are lots of tools, like xxd (Linux) or http://www.centricle.com/tools/ascii-hex/

For testing, you can start with a role with just one task.

If things don't work out, an incorrect length might be the reason. Using a sniffer is definitely helpful then.

There is a new document out, that gives more information about how the packets are assembled, http://www.cisco.com/en/US/products/ps6305/products_tech_note09186a00809038e6.shtml

Hope this helps someone. I couldn't find this information anywhere on the web.

Gerald

Mehdi_ab Thu, 12/20/2007 - 15:21

Thx mate. I had the same problem a few months ago, resolved but never documented it :(

gfreundlc Mon, 04/14/2008 - 00:56

I used Excel for that. There is a formula called LENGTH or so, which yields the number of characters of a string. Since a Hex Byte is presented by two characters, you divide the result by 2, then add 2 (1 for the prefix and 1 for the length byte itself).
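The encoding Gerald describes in the opening post (0x01 type byte, a length byte that counts itself and the type byte, then the ASCII text of the AV pair) and the "divide by 2, add 2" length rule from this reply, written out as an added Python example that is not part of the thread. The decoder is there for the troubleshooting case the post mentions: it tells you when the length byte does not match the string. The second task name in the sample list is constructed, not a real WCS task.

```python
# Cisco AV-pair VSA values in the hex form IAS expects, as described in the thread.
CISCO_VENDOR_ID = 9        # "vendor code 9" in the IAS attribute dialog (Cisco)
CISCO_AVPAIR_TYPE = 0x01   # Vendor-Type byte for cisco-avpair


def encode_avpair(avpair: str) -> str:
    """Return the IAS hex string for one cisco-avpair value.

    Layout: 0x01 (type), length byte (type + length + text), ASCII text.
    """
    data = avpair.encode("ascii")
    length = len(data) + 2          # the length byte counts itself and the type byte
    if length > 0xFF:
        raise ValueError(f"AV pair too long for a one-byte length: {avpair!r}")
    return "0x" + bytes([CISCO_AVPAIR_TYPE, length]).hex() + data.hex()


def decode_avpair(hexstr: str) -> str:
    """Parse an IAS hex string back to text, checking type and length bytes.

    A wrong length byte is the usual reason a login still fails, so report it.
    """
    body = hexstr[2:] if hexstr.lower().startswith("0x") else hexstr
    raw = bytes.fromhex(body)
    if len(raw) < 2 or raw[0] != CISCO_AVPAIR_TYPE:
        raise ValueError("missing 0x01 cisco-avpair type byte")
    if raw[1] != len(raw):
        raise ValueError(f"length byte says {raw[1]} bytes, string has {len(raw)}")
    return raw[2:].decode("ascii")


def wcs_avpairs(role: str, tasks: list[str]) -> list[str]:
    """Build every attribute value for a WCS role: role0 plus one taskN per task line."""
    pairs = [f"Wireless-WCS:role0={role}"]
    pairs += [f"Wireless-WCS:task{i}={task}" for i, task in enumerate(tasks)]
    return [encode_avpair(pair) for pair in pairs]


if __name__ == "__main__":
    # Constructed sample task list; "Users and Groups" is from the post, the
    # second entry is a made-up placeholder standing in for an exported line.
    for hexval in wcs_avpairs("Admin", ["Users and Groups", "Example Task"]):
        print(hexval, "->", decode_avpair(hexval))
```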
