Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2762
Views
0
Helpful
3
Replies

How to authenticate WCS Administration with MS IAS

gfreundlc
Level 1
Level 1

‎12-12-2007 01:06 PM - edited ‎07-03-2021 03:05 PM

I was looking for a way to avoid creating numerous Lobby Ambassador users on a WCS, but use an existing Active Directory group instead.

The WCS configuration guide is very general on RADIUS servers other than TACACS, so I worked out the IAS related solution described below, which works with WCS 4.2.62.0 against IAS on Windows Server2003 SP1.

Of course you can authenticate every other role on the WCS, for this example I used the Admin role.

It is assumed that the WCS is correctly configured for your RADIUS servers, and has been created and configured as a RADIUS client on the IAS. The policy condition is correctly configured, so that access requests from the WCS are being successfully processed and accepted by IAS, but WCS still brings up a Login failed message.

The interesting section is in the Advanced Tab, within the policy form, where we will have to add the vendor specific attribute (VSA), and only the VSA, no other attributes are required. Once we add the VSA we create attribute values, one for the role, and additional ones for every task the user is allowed on the WCS. The attribute values are of the vendor code 9 (or select Cisco from list), and have to be entered in Hex format as "non RFC conforming" attributes. So for the Admin role, (Wireless-WCS:role0=Admin) the Hex string could have been 0x576972656c6573732d5743533a726f6c65303d41646d696e

But unfortunately it's not as simple as that.

Now we need to prefix this string with 0x01 (this stands for Cisco AV pair) and the length of the complete string (26 bytes in this case, which is 0x1a). So the final string that is to be entered is 0x011a576972656c6573732d5743533a726f6c65303d41646d696e

The next value would be Wireless-WCS:task0=Users and Groups, in Hex format (again including the prefix 0x1a and a length byte of 0x25): 0x0125576972656c6573732d5743533a7461736b303d557365727320616e642047726f757073

And so on.

In fact, you will have to calculate the Hex string and the length for every line of the task list. These lists can be found on the WCS in Administration / AAA / Groups / Export task list.

It would be wise to automate this process, I used Excel for that. For translating ASCII to HEX, there are lots of tools, like xxd (linux) or http://www.centricle.com/tools/ascii-hex/

For testing, you can start with a role with just one task.

If things dont work out, an incorrect length might be the reason. Using a sniffer is definitely helpful then.

There is a new document out, that gives more information about how the packets are assembled, http://www.cisco.com/en/US/products/ps6305/products_tech_note09186a00809038e6.shtml

Hope this helps someone. I couldnt find this information anywhere on the web.

Gerald

Labels:
0 Helpful
3 Replies 3

Mehdi_ab
Level 1
Level 1

‎12-20-2007 03:21 PM

Thx mate. I had the same problem a few months ago, resolved but never documented it :(

0 Helpful

boshardy1
Level 1
Level 1

‎04-12-2008 08:07 PM

how do you calculate the length bytes?

0 Helpful

gfreundlc
Level 1
Level 1
In response to boshardy1

‎04-14-2008 12:56 AM

I used Excel for that. There is a formula called LENGTH or so, which yields the number of characters of a string. Since a Hex Byte is presented by two characters, you divide the result by 2, then add 2 (1 for the prefix and 1 for the length byte itself).

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card