cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1105
Views
0
Helpful
11
Replies

ACS 5.1 using external Radius

HUBERT RESCH
Level 3
Level 3

Hi

if we use an external radius for Authentication we have the demand that we control/filter the attributes which come from the external radius on the ACS51

Is this possible, for example for 802.1x dynamic VLAN assigment. we want to control which VLANs are assigned by the external Radius.

Thx

Hubert

11 Replies 11

Nate Austin
Cisco Employee
Cisco Employee

Hi Hubert,

Just wanted to make sure I understood the question first - are you trying to point your WLC to an ACS 5.1 via radius and then additionally point the ACS 5.1 server to a second external Radius server to authenticate and pull down attributes?

If so, then you can specify attributes from the external radius server for use in ACS5's own authorization policies. To do that, first edit your Radius Identity Server entry on your ACS5 and ensure that the attributes you want to use are selected under the Directory Attributes tab.

Then under your authorization policies on the ACS, go to the Common Tasks page (where you would normally manually specify what Vlan you want to pass down). Instead of picking "Static" next to VLAN, you can select "Dynamic" and then select the external database you want to pull the attribute from. Select the attribute name that the value is stored in and then you can go to the "Custom Attributes" page and you should see all that reflected on the attributes it adds to your profile.

Save that profile and use it in your access policy rules. Now as long as the ACS is configured to authenticate against the external Radius server it will also take the value of the specified attribute and forward that on to the NAS to assign a vlan.

Thanks,

Nate

Hi Nathaniel,

thx for your explanation, thats exactly waht we want to do, but in addition we want to control the value of the assigned atts which are assigned by the external radius. e.g. we want to control which vlans can be assigned by the external radius, is that possible.

br

hubert

Hi Hubert,

You can either have the ACS send down static vlans that are all defined on the ACS, or have it dynamically pass down like discussed earlier, but if you have it dynamically pass down, it will always take the value of the attribute it received and pass it down to the switch. Theres no way to limit the vlans unless you create a condition in your access policy rule based on that external attribute and map it to a different authorization policy that passes down a static vlan from the ACS.

Thanks,

Nate

Hi,

but if I understand this snip from documentation dot1x will not work with an external Radius ?

Thx

hubert

Hi Hubert,

It will support two EAP types for 802.1x - PEAP-GTC, and EAP-FAST with GTC as the inner method.

Nate

Hmm but not EAP-TLS ?

Hubert

According to that documentation, no.

Nate

That means no 802.1x Machine authentication against an external MS-IAS is possible

with ACS ?

Hubert

It would be if you use those EAP types. But out of curiousity why would you want to go from a switch to ACS to another Radius server IAS, which will pull from your active directory. Why don't you go from the ACS directly to the Active Directory?

Thanks,

Nate

Hi,

the only reason is that we offer some VLANs and Ports to our customers and if they want to use dot1x we are not able to force them against which

identity store the authenticate. to authenticate against AD the only possibility woudl be via LDAP, because as I understand for authenticating directly against AD ACs hast to be member of the Domain, and cannot/shoulnt  be member of a lot of customer domains??

Hubert

Hi Hubert,

Yes you are correct. ACS can only join to one Active Directory domain.

Unfortunately using LDAP there are some protocol limitations as well but you should be able to do EAP-TLS that way. The problem with EAP-TLS to another external radius server is that the ACS usually pulls data from the LDAP or AD server to match against the certificate. With an external database of Radius we can't do that - we have to send a full authentication to it, username and password - which we obviously don't have, so thats why EAP-TLS won't work to an external radius server.


Thanks,

Nate

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: