Limit EAP methods per SSID in ACS

Answered Question
Sep 27th, 2010

Hi,



In a WLAN environment that has 2 WLCs, lots of LAPs and clients authenticating with an ACS which has an Active Directory configured as an external database, I would like to know how I can limit the EAP methods per group or SSID in the ACS.


For example: one SSID can only use PEAP-MSCHAPv2 and the other SSID can only use EAP-TLS.


Thanks in advance.

Correct Answer
Serge Yasmine (Cisco Employee) Fri, 10/08/2010 - 04:25

Hi,


You can do this with NAP on ACS. Create a NAP for each SSID you have and under the NAP you can allow only the desired EAP Method.


Thanks

Serge

Correct Answer
Tiago Antunes (Cisco Employee) Fri, 10/08/2010 - 05:00

As Serge said, you can do it with NAPs.

The trick is in the filter to match the NAP.


Using Cisco WLCs there is an attribute that is sent on the Radius Access-Request which contains the SSID:


"Called-Station-Id=00-26-cb-ac-03-00:test"


Please note that in this example the ssid name is "test".

So on the NAP you need a filter like:


"[030]Called-Station-Id contains test"


HTH,
Tiago

Nicolas Darchis (Cisco Employee) Fri, 10/08/2010 - 05:05

All correct. Just adding that to have the WLC send the SSID after the MAC address in the Called-Station-Id, this needs to be configured:


(Cisco Controller) >config radius callStationIdType ?
              
ipaddr         Sets Call Station Id Type to the system's IP Address
macaddr        Sets Call Station Id Type to the system's MAC Address
ap-macaddr     Sets Call Station Id Type to the AP's MAC Address
ap-macaddr-ssid Sets Call Station Id Type to the format :


Enjoy !
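
To make the per-SSID decision in this thread concrete, here is an added Python example; it is not code from any of the posters and not Cisco ACS or WLC code. It parses a Called-Station-Id value in the ap-macaddr-ssid format shown above ("00-26-cb-ac-03-00:test"), checks the negotiated EAP method against a per-SSID allow list, and fails closed when the controller was left on a callStationIdType that omits the SSID. The allow-list table is constructed for illustration: the SSID "test" comes from the thread, "corp-tls" is hypothetical. It also contrasts the substring filter from the thread ("[030]Called-Station-Id contains test") with an exact SSID match, since "contains test" would also match an SSID such as "test2".

```python
import re

# Constructed per-SSID policy (hypothetical, not from the thread's ACS):
# which EAP methods each SSID is allowed to negotiate.
ALLOWED_EAP_BY_SSID = {
    "test": {"PEAP-MSCHAPv2"},   # SSID name taken from the thread
    "corp-tls": {"EAP-TLS"},     # hypothetical second SSID
}

# WLC writes the AP MAC with dashes, e.g. 00-26-cb-ac-03-00
MAC_RE = re.compile(r"^([0-9a-f]{2}-){5}[0-9a-f]{2}$", re.IGNORECASE)


def parse_called_station_id(value):
    """Split a Called-Station-Id into (ap_mac, ssid).

    ap-macaddr-ssid format: "00-26-cb-ac-03-00:test" -> ("00-26-cb-ac-03-00", "test")
    ap-macaddr format (no SSID):  "00-26-cb-ac-03-00"   -> ("00-26-cb-ac-03-00", None)
    anything else                                         -> (None, None)
    The dashed MAC never contains ':', so splitting at the first ':' is safe
    even if the SSID itself contains a colon.
    """
    mac, sep, ssid = value.partition(":")
    if not MAC_RE.match(mac):
        return None, None
    if not sep:
        return mac.lower(), None
    return mac.lower(), ssid


def nap_contains_filter(called_station_id, needle):
    """The substring test used in the thread: 'Called-Station-Id contains test'."""
    return needle in called_station_id


def nap_exact_ssid_filter(called_station_id, ssid):
    """Stricter alternative: match only when the parsed SSID equals the target."""
    _, got = parse_called_station_id(called_station_id)
    return got == ssid


def eap_allowed(called_station_id, eap_method):
    """Policy decision emulating a per-SSID NAP.

    Returns True only when the SSID is present, is known, and the negotiated
    EAP method is on that SSID's allow list. If the WLC sends no SSID
    (callStationIdType not set to ap-macaddr-ssid) or the value is malformed,
    the request is rejected rather than silently falling into a default NAP.
    """
    _, ssid = parse_called_station_id(called_station_id)
    if ssid is None:
        return False
    return eap_method in ALLOWED_EAP_BY_SSID.get(ssid, set())


if __name__ == "__main__":
    # Constructed sample Access-Request attribute values
    for csid, method in [
        ("00-26-cb-ac-03-00:test", "PEAP-MSCHAPv2"),
        ("00-26-cb-ac-03-00:test", "EAP-TLS"),
        ("00-26-cb-ac-03-00:corp-tls", "EAP-TLS"),
        ("00-26-cb-ac-03-00", "EAP-TLS"),
    ]:
        print(f"{csid:30} {method:14} allowed={eap_allowed(csid, method)}")
    print("contains 'test' matches test2:", nap_contains_filter("00-26-cb-ac-03-00:test2", "test"))
    print("exact 'test' matches test2:   ", nap_exact_ssid_filter("00-26-cb-ac-03-00:test2", "test"))
```

The fail-closed branch is the practical point of Nicolas' note: if callStationIdType is still macaddr or ap-macaddr, the SSID never reaches ACS, and a filter that only says "contains test" can never match, so the request falls through to whatever NAP comes next. Checking that the SSID was actually parsed makes that misconfiguration visible instead of silently permissive.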

jedubois (Cisco Employee) Fri, 10/08/2010 - 12:24

The solutions in this thread are great; I thought I would add one more. You can also accomplish this with CLI/DNIS Network Access Restrictions in ACS 4.2 with the : Calling-Station-ID configuration (which I believe is default on the WLCs):

- AAA Client would be set to your WLC NDG or IP
- Port would be set to *
- CLI would be set to *
- DNIS would be set to *


You can use a permit or deny based on what you are trying to accomplish.

--Jesse
