ACS 5.1 Access Policies for multiple EAP types

Unanswered Question
Mar 3rd, 2011

Hello

I am trying to configure a Unified Wireless solutions with ACS 5.1 and am having trouble with the access policies. We have corporate laptops authenticating via PEAP and 7921 phones authenticating using EAP-FAST.

I have one access service configured to allow PEAP and authenticate against AD and another access service configured to allow EAP-FAST and authenticate the 7921 phones against the "internal user" database.

I have configured 2 service selection rules. Each one points to one of the access services. The only condition I have currently configured is the "protocol" field to be RADIUS. Because both the 7921 phones and the client laptops are generating RADIUS requests I can only have one EAP type working depending which rule is at the top. Because the RADIUS protocol field is always matched, requests never get past the first rule.

Can anybody help me on how I modify the rule to be able to distinguish between VoIP handsets on one WLAN and client laptops on another so that the correct access policy is used for each device?

Many Thanks

Simon

Nicolas Darchis Thu, 03/03/2011 - 22:39

You can configure the WLC to send the SSID name in the radius requests :

(s7wlc05) >config radius callStationIdType ?
ap-macaddr-ssid Sets Call Station Id Type to the format :

You can then create an ACS rule that checks the Radius callstationid attribute and checks if it ends with ssid "phone" or "laptops" (for example).

Nicolas

s.vosper Fri, 03/04/2011 - 03:41

Hi Nicholas

Thank you for responding.

For sure I thought that you could filter on different attributes, but I'm struggling to work out how to do this with ACS 5 and I'm also struggling to find any documentation on how to do it, so any advice would be great.

Thanks

Simon

Scott Fella Sun, 03/06/2011 - 07:49

Not many docs out there for this, but since you are doing multiple authentication you need to create a policy for each. You can start by creating a filter that looks for radius protocol only if you are using tacacs too. Then you can also filter by other attributes like ssid and what type of authentication on that ssid. This way you can specify that a certain ssid uses EAP and matches a windows group, etc. This would go the same with the other authentication. You must match the ssid and to do this, look at these links:

https://supportforums.cisco.com/thread/2044633

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/pol_elem.html#wp1074411

dazza_johnson Wed, 10/19/2011 - 21:05

Hi guys, just to add to this, the command 'config radius callStationIdType' is not required when doing 802.1x authentication. Ever noticed the 'Note' right at the bottom of the attached screenshot - "Call Station ID Type will be applicable only for non 802.1x authentication only" - what does this mean???

Well.....

RFC 3580 defines; IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines

In the RFC it states;

Called-Station-Id

   For IEEE 802.1X Authenticators, this attribute is used to store the
   bridge or Access Point MAC address in ASCII format (upper case only),
   with octet values separated by a "-". Example: "00-10-A4-23-19-C0".
   In IEEE 802.11, where the SSID is known, it SHOULD be appended to the
   Access Point MAC address, separated from the MAC address with a ":".
   Example "00-10-A4-23-19-C0:AP1".

Calling-Station-Id

   For IEEE 802.1X Authenticators, this attribute is used to store the
   Supplicant MAC address in ASCII format (upper case only), with octet
   values separated by a "-". Example: "00-10-A4-23-19-C0".

SHOULD   This word, or the adjective "RECOMMENDED", mean that there
   may exist valid reasons in particular circumstances to ignore a
   particular item, but the full implications must be understood and
   carefully weighed before choosing a different course.

Conclusion.

Therefore, if you are using 802.1x for 802.11 authentication, as per the RFC the WLC will by default send the AP MAC address with the SSID appended. You cannot even change this! So, what is the point of setting the ‘Call Station ID Type’ in the above screenshot? This is used by non-802.1x authentication schemes – for example if you are using web-authentication. This is why the note at the bottom of the screenshot above states; “Call Station ID Type will be applicable only for non 802.1x authentication only”.

I tested this, and when using 802.1x with the Call Station ID Type left to default (= IP address) the ACS still sees the call station ID as the AP MAC address with SSID appended.

I hope this helps someone learn something new

Dazzler
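To illustrate the two points above (Nicolas's "ends with SSID" rule and the RFC 3580 Called-Station-Id format Dazzler quotes), here is an added example that is not from the thread or from ACS itself: it parses the attribute as "AP-MAC" or "AP-MAC:SSID" and routes a request to an access service by exact SSID, and shows why a plain suffix match can misroute. The SSID names and service names are constructed assumptions.

```python
import re
from typing import NamedTuple, Optional

# RFC 3580: AP MAC in upper-case ASCII, octets separated by "-".
MAC_RE = re.compile(r"^[0-9A-F]{2}(?:-[0-9A-F]{2}){5}$")

class CalledStationId(NamedTuple):
    ap_mac: str
    ssid: Optional[str]  # None when the WLC did not append an SSID

def parse_called_station_id(value: str) -> CalledStationId:
    """Parse 'AP-MAC' or 'AP-MAC:SSID' as RFC 3580 describes for 802.11."""
    mac, sep, ssid = value.partition(":")  # MAC contains no ":" itself
    if not MAC_RE.match(mac):
        raise ValueError(f"not an RFC 3580 Called-Station-Id: {value!r}")
    return CalledStationId(mac, ssid if sep else None)

# Constructed mapping from SSID to ACS access service (assumed names).
SSID_TO_SERVICE = {
    "phone": "EAP-FAST Internal Users",   # 7921 handsets
    "laptops": "PEAP AD",                 # corporate laptops
}

def select_access_service(attrs: dict) -> Optional[str]:
    """Service selection by exact SSID; None means no rule matched (deny)."""
    called = attrs.get("Called-Station-Id")
    if called is None:
        return None
    try:
        parsed = parse_called_station_id(called)
    except ValueError:
        return None
    if parsed.ssid is None:
        return None
    return SSID_TO_SERVICE.get(parsed.ssid)

def naive_endswith_service(attrs: dict) -> Optional[str]:
    """The 'ends with ssid' rule: matches any SSID whose name ends in the key."""
    called = attrs.get("Called-Station-Id", "")
    for ssid, service in SSID_TO_SERVICE.items():
        if called.endswith(ssid):
            return service
    return None

# Constructed sample requests as the WLC would send them for 802.1x.
SAMPLE_REQUESTS = [
    {"Called-Station-Id": "00-10-A4-23-19-C0:phone"},
    {"Called-Station-Id": "00-10-A4-23-19-C0:laptops"},
    {"Called-Station-Id": "00-10-A4-23-19-C0:iphone"},  # a third, unrelated SSID
    {"Called-Station-Id": "00-10-A4-23-19-C0"},         # no SSID appended
]
```

With the suffix rule the "iphone" SSID lands in the handset service, while the exact-match version sends it to no service; an ACS rule using "equals" (or a pattern anchored on the ":" separator) avoids that.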

Vinay Saini Mon, 03/12/2012 - 11:19

You can create the End Station filter (DNIS) and Based on that create a service selection rule.

Posted March 3, 2011 at 7:14 AM