Authorization question

Unanswered Question
May 27th, 2010


Currently I manage to authenticate users seeking access to the network through the wireless APs using PEAP, with a Cisco Secure ACS 4.2 as the external RADIUS server. But I cannot authorize access to the network, so all users with proper credentials can access the network without authorization. The idea would be that only authorized users can access the network, and not all users currently in the ACS.
The AP configuration is:

aaa new-model
aaa group server radius rad_eap
server auth-port 1645 acct-port 1646
aaa authentication login eap_methods group rad_eap
aaa authentication login auth-admin-access group tac_admin
aaa authorization exec default group tac_admin
aaa authorization exec eap_methods group rad_eap
aaa authorization network eap_methods group rad_eap
aaa accounting exec auth-admin-access start-stop group tac_admin
aaa accounting commands 15 auth-admin-access start-stop group tac_admin
aaa accounting network eap_methods start-stop group rad_eap
dot11 ssid PEAP
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa
   accounting eap_methods
   infrastructure-ssid optional
   information-element ssidl advertisement wps
radius-server attribute 32 include-in-access-req format %h
radius-server attribute 31 mac format ietf
radius-server host auth-port 1645 acct-port 1646 key Secret
Authorization radius-server default Framed-Protocol ppp
radius-server vsa send accounting
radius-server vsa send authentication

Within the definition of the SSID there is no command for authorization, only one for authentication and another for accounting, and these two options work properly.
I would not mind changing the method or any other option; I just need a model or method that allows me to authenticate, authorize and account for network access by users through the AP.
I have the following:
• AP: Cisco Aironet 1242 (IOS)
• Cisco Secure Access Control Server 4.2 that uses an external Windows Active Directory database.

Thank you for your attention

Jatin Katyal Sun, 05/30/2010 - 06:24


The way you have set up wireless is perfect. Understanding the process, RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization, so the moment you connect with your credentials is counted as a part of authentication, and all other settings like SSID count under authorization. There is no command to configure authorization with RADIUS in wireless. There is something called SSID---WLAN restriction using ACS, where we use NAR; even that also comes in the access-accept.



Do rate helpful posts-
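To make the point in the answer concrete, here is an added example (not code from the post, Cisco or ACS): it builds and parses a RADIUS Access-Accept per RFC 2865, verifies the Response Authenticator against the AP's shared secret (the `key Secret` in the posted config), and returns the authorization attributes that travel in the same packet as the authentication result, such as the tunnel/VLAN attributes an ACS can return. The secret, packet identifier, Request Authenticator and attribute values are all constructed for the example.

```python
import hashlib
import struct

# Constructed example values (not from the original post): the shared secret
# configured on the AP and the 16-byte Request Authenticator the AP placed in
# its Access-Request, which the server echoes into the Response Authenticator.
SHARED_SECRET = b"Secret"
REQUEST_AUTH = bytes(range(16))

ACCESS_ACCEPT = 2
ATTR_NAMES = {1: "User-Name", 6: "Service-Type", 64: "Tunnel-Type",
              65: "Tunnel-Medium-Type", 81: "Tunnel-Private-Group-ID"}

def build_accept(ident, attrs, request_auth=REQUEST_AUTH, secret=SHARED_SECRET):
    """Build an Access-Accept as the RADIUS server does (RFC 2865 section 3):
    ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    `attrs` is a list of (type, value_bytes); each attribute is TLV encoded."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(head + request_auth + body + secret).digest()
    return head + resp_auth + body

def parse_accept(packet, request_auth=REQUEST_AUTH, secret=SHARED_SECRET):
    """Verify the Response Authenticator, so a reply forged without the shared
    secret is rejected, then return the attributes the AP would apply to the
    session. Authentication result and authorization data arrive together."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Accept")
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if expected != packet[4:20]:
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    attrs, pos = {}, 0
    while pos < len(body):
        # Each attribute is Type(1) Length(1, includes header) Value(Length-2).
        t, l = body[pos], body[pos + 1]
        if l < 2 or pos + l > len(body):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[ATTR_NAMES.get(t, t)] = body[pos + 2:pos + l]
        pos += l
    return attrs
```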

