01-18-2008 01:14 AM - edited 07-03-2021 03:14 PM
Hello
I have a WLAN setup here with a WDS, some 40 access points, an ACS 4.1 server and a Windows Domain Controller which has the users configured.
I have a group mapping configured in ACS which points to a small group in the ADS.
The group mapping in ACS points to a specific group in ACS.
There I've configured the following:
[009\001] cisco-av-pair
- ssid=xx-200 (the name of the SSID the clients connect to)
[006] Service-Type
- Login
[007] Framed-Protocol
- PPP
[025] Class
- OU=pers; (this is not the special group where those users are in, but they are also in this one)
[064] Tunnel-Type
- Tag 1 Value Vlan
[065] Tunnel-Medium-Type
- Tag 1 Value 802
[081] Tunnel-Private-Group-ID
- Tag 1 Value 200 (the Vlan in which they should go)
The good thing is that authentication with username and password works.
The bad thing is that every user can authenticate and get into this SSID, instead of only the users in the special group which points to this group mapping.
The other ADS groups also point to other ACS groups, but they don't have the above values ([009\001] cisco-av-pair, [064] Tunnel-Type, [065] Tunnel-Medium-Type, [081] Tunnel-Private-Group-ID) configured.
The log file from the ACS also shows that the wrong users are mapped into the correct group as they should be, but they still get access.
Here is the WDS configuration:
aaa group server radius RADIUS_GROUP_WDS_RADIOMANAGEMENT
server 10.1.1.30 auth-port 1645 acct-port 1646
server 10.1.2.30 auth-port 1645 acct-port 1646
aaa authentication login METHOD_WDS_RADIOMANAGEMENT group RADIUS_GROUP_WDS_RADIOMANAGEMENT
aaa authentication enable default enable
aaa session-id common
radius-server host 10.1.1.30 auth-port 1645 acct-port 1646 key 7 xxxx
radius-server host 10.1.2.30 auth-port 1645 acct-port 1646 key 7 xxxx
radius-server retransmit 2
radius-server timeout 18
radius-server deadtime 1
radius-server vsa send accounting
wlccp authentication-server infrastructure METHOD_WDS_RADIOMANAGEMENT
wlccp authentication-server client any METHOD_WDS_RADIOMANAGEMENT
ssid xx-200
The access point config:
aaa authentication login METHOD_RAD_WDS_CLIENT group radius
aaa authentication enable default enable
aaa session-id common
!
dot11 ssid xx-200
vlan 200
authentication open eap METHOD_RAD_WDS_CLIENT
authentication network-eap METHOD_RAD_WDS_CLIENT
authentication key-management wpa
interface Dot11Radio0
encryption vlan 200 mode ciphers aes-ccm
broadcast-key vlan 200 change 60
ssid xx-200
!
interface Dot11Radio0.200
description
encapsulation dot1Q 200
no ip route-cache
no cdp enable
bridge-group 200
bridge-group 200 subscriber-loop-control
bridge-group 200 block-unknown-source
no bridge-group 200 source-learning
no bridge-group 200 unicast-flooding
bridge-group 200 spanning-disabled
!
interface FastEthernet0.200
description
encapsulation dot1Q 200
no ip route-cache
bridge-group 200
no bridge-group 200 source-learning
bridge-group 200 spanning-disabled
!
I hope you can find out why any user can authenticate and not just the ones in the group mapping which has the RADIUS attributes configured.
Thanks,
pato
01-18-2008 08:02 AM
I have finally found something to look into :/
000619: Jan 18 16:50:11 A: RADIUS: AAA Unsupported Attr: ssid [263] 6
000620: Jan 18 16:50:11 A: RADIUS: 48 53 52 2D [xxx-]
000621: Jan 18 16:50:11 A: RADIUS: AAA Unsupported Attr: interface [156] 4
000622: Jan 18 16:50:11 A: RADIUS: 32 35 [25]
This is with various debugging active on the WDS, and this might be the reason why it doesn't work.
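The "AAA Unsupported Attr" lines above are the thing to look for on the AAA client: the attribute arrived in the RADIUS reply but the device does not process it, so a restriction carried in it (here the ssid attribute) is received and then ignored rather than enforced. As an added example, not code from the poster or from Cisco, a Python parser that pulls these events and their hex-dumped values out of the debug output and flags the ones that carry an access restriction; the sample lines and the set ACCESS_CONTROL_ATTRS are constructed assumptions modelled on the output quoted in the thread.

```python
import re

# Constructed sample modelled on the "debug radius" lines quoted in the thread.
# The hex bytes are constructed (they spell the SSID "xx-200"), not the poster's data.
SAMPLE_DEBUG = """\
000619: Jan 18 16:50:11 A: RADIUS: AAA Unsupported Attr: ssid [263] 8
000620: Jan 18 16:50:11 A: RADIUS: 78 78 2D 32 30 30 [xx-200]
000621: Jan 18 16:50:11 A: RADIUS: AAA Unsupported Attr: interface [156] 4
000622: Jan 18 16:50:11 A: RADIUS: 32 35 [25]
000623: Jan 18 16:50:11 A: RADIUS: Received from id 21 10.1.1.30:1645, Access-Accept
"""

UNSUPPORTED_RE = re.compile(r"RADIUS: AAA Unsupported Attr: (\S+) \[(\d+)\] (\d+)")
HEXDUMP_RE = re.compile(r"RADIUS: ((?:[0-9A-Fa-f]{2} )+)\[")

# Assumption: attributes whose only job is to restrict access. If the device reports
# one of them as unsupported, the restriction was received but is not applied.
ACCESS_CONTROL_ATTRS = {"ssid"}


def parse_unsupported_attrs(debug_text):
    """Return [(name, attr_id, value)] for each attribute the AAA client did not support.

    The value is taken from the hex dump on the following line (the bracketed
    ASCII rendering is ignored, so redacted brackets do not matter).
    """
    lines = debug_text.splitlines()
    results = []
    for i, line in enumerate(lines):
        m = UNSUPPORTED_RE.search(line)
        if not m:
            continue
        name, attr_id = m.group(1), int(m.group(2))
        value = None
        if i + 1 < len(lines):
            h = HEXDUMP_RE.search(lines[i + 1])
            if h:
                raw = bytes.fromhex(h.group(1).replace(" ", ""))
                value = raw.decode("ascii", errors="replace")
        results.append((name, attr_id, value))
    return results


def unenforced_restrictions(debug_text):
    """List (attribute, value) pairs whose access restriction the device ignored."""
    return [(name, value) for name, _, value in parse_unsupported_attrs(debug_text)
            if name in ACCESS_CONTROL_ATTRS]


if __name__ == "__main__":
    for name, value in unenforced_restrictions(SAMPLE_DEBUG):
        print(f"attribute {name}={value!r} was received but not enforced by the AAA client")
```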
02-18-2009 09:46 AM
Hi patoberli,
I have seen the same debug message in my debugs!
But I can't find anything about it...
Did you find out what the message means?
Thanks a lot!
Sven
02-18-2009 11:26 PM
Hi, no, I found nothing about that. But I've also replaced our complete setup with the new controller-based solution. That makes the whole setup way easier, but it's not cheap.
-
Patrick
03-06-2009 02:22 PM
With ACS you have debug logs in package.cab; it should give more useful info on user mapping.