Per SSID authentication on ACS 5

s.vosper
Level 1

Hi Everyone

I have noticed that with a basic setup on ACS 5 I cannot differentiate between PEAP clients that I want to authenticate against AD and PEAP clients that I want to authenticate against a locally created database on the ACS. All clients, regardless of what SSID they are connected to, will be tried against the AD; if there is no match, then the client is prompted for a username and password to be authenticated against the local information store.

Can someone point me to some documentation that describes how I can separate the two, so that the clients on one SSID are checked against AD and clients on another are checked against the local info store.

Many thanks

Simon

Accepted Solution

Justin Kurynny
Level 4

Simon,

One of the attributes that the WLC sends in a RADIUS authentication request is the Called-Station-ID field. That field contains both the BSSID and ESSID (WLAN name) the client is trying to access, which means that you can do a compare on this field as a condition of your access rule. The format is xx-xx-xx-xx-xx-xx:wlanName. We don't really care about the BSSID, but the WLAN at the end of this string is very useful.

Here's how you can use this attribute value to influence access policy decisions:

1. Create a custom session condition (under Policy Elements) of type RADIUS-IETF using the Called-Station-ID (not the Calling-Station-ID).

2. Customize your access policy template so that your new custom session condition is available to your access policies

3. Edit your access policy: a) check the custom session condition to enable it, b) choose the "Ends with" operator, and c) type in the name of your WLAN (case sensitive).

Justin


Justin +5!

Nice response!

Can you add any additional links for more reading on this or config examples?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

George,

I sort of cobbled this together with a packet sniff to figure out which fields I had available. The project I did this on was for w2k8 and I ported the solution over to ACS. Short answer is I don't have any docs or vids to link, but I'm happy to put a how-to together. Give me a few days and I'll post something a little more detailed.

Justin

Sent from Cisco Technical Support iPhone App

I'm trying this with a Cisco autonomous AP but it doesn't seem to work. I assume in IOS mode the AP will still be sending the RADIUS attribute required?

The best way to see whether the value is being passed is to authenticate and look at the ACS logs. It will show you the MAC address and the SSID if the attribute is being passed to the RADIUS server.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

Was just looking at that. It's sending the Called-Station-Id as the MAC of the BVI0 interface. AP debug follows:

*Mar  1 04:12:54.238: RADIUS:  User-Name           [1]   15  "TEST\testwlan"
*Mar  1 04:12:54.238: RADIUS:  Framed-MTU          [12]  6   1400
*Mar  1 04:12:54.238: RADIUS:  Called-Station-Id   [30]  16  "b414.895b.ccc0"
*Mar  1 04:12:54.238: RADIUS:  Calling-Station-Id  [31]  16  "001e.4cb2.bfe1"
*Mar  1 04:12:54.238: RADIUS:  Service-Type        [6]   6   Login                     [1]

So it doesn't seem to be sending an SSID as the ID.

If it doesn't send the SSID name after the mac address, you will not be able to filter on the SSID. On ACS, the NAR field you can set is:

CLI - The calling-station-id attribute 31

DNID - The called-station-id attribute 30

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

Went with a hunch and added the following commands I have to add for dot1x to work on the LAN:

radius-server vsa send accounting
radius-server vsa send authentication

The AP debug then shows:

*Mar  1 04:33:44.586: RADIUS:  User-Name           [1]   15  "TEST\testwlan"
*Mar  1 04:33:44.586: RADIUS:  Framed-MTU          [12]  6   1400
*Mar  1 04:33:44.586: RADIUS:  Called-Station-Id   [30]  16  "b414.895b.ccc0"
*Mar  1 04:33:44.586: RADIUS:  Calling-Station-Id  [31]  16  "001e.4cb2.bfe1"
*Mar  1 04:33:44.586: RADIUS:  Vendor, Cisco       [26]  18
*Mar  1 04:33:44.586: RADIUS:   Cisco AVpair       [1]   12  "ssid=Test2"
*Mar  1 04:33:44.586: RADIUS:  Service-Type        [6]   6   Login                     [1]

So I have now created a Service Selection Rule with a Compound Condition of: RADIUS-Cisco:cisco-av-pair equals ssid=Test2

and it now matches :-)

Thanks all
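Added example (not code from the thread or from Cisco) that models the two service-selection conditions described above as policy checks over RADIUS attributes: Justin's "Called-Station-Id ends with wlanName" rule for WLC requests, and Nicholas's "cisco-av-pair equals ssid=Test2" compound condition for autonomous APs, plus Scott's ISE regex variant. The sample requests, store names and the ":"-anchored rule values are constructed assumptions; anchoring on the separator keeps an "Ends with" compare from also matching a longer WLAN name that merely shares the same tail.

```python
import re

# Constructed sample RADIUS requests (attribute name -> value); not captures
# from the thread. The WLC request follows the Called-Station-Id format Justin
# describes (BSSID:wlanName). The autonomous-AP request mirrors Nicholas's
# debug output: Called-Station-Id is the BVI0 MAC and the SSID only arrives as
# a Cisco AV pair once "radius-server vsa send authentication" is configured.
WLC_REQUEST = {
    "User-Name": "TEST\\alice",
    "Called-Station-Id": "00-11-22-33-44-55:CorpWLAN",   # assumed BSSID/WLAN
    "Calling-Station-Id": "00-1e-4c-b2-bf-e1",
}
AUTONOMOUS_AP_REQUEST = {
    "User-Name": "TEST\\testwlan",
    "Called-Station-Id": "b414.895b.ccc0",
    "Calling-Station-Id": "001e.4cb2.bfe1",
    "cisco-av-pair": ["ssid=Test2"],
}

def wlc_rule(attrs, suffix):
    """Justin's ACS condition: RADIUS-IETF Called-Station-Id 'Ends with' value.
    Case sensitive, exactly like the ACS operator."""
    return attrs.get("Called-Station-Id", "").endswith(suffix)

def autonomous_ap_rule(attrs, ssid):
    """Nicholas's compound condition: RADIUS-Cisco cisco-av-pair equals ssid=<name>."""
    return f"ssid={ssid}" in attrs.get("cisco-av-pair", [])

def ise_rule(attrs, wlan_name):
    """Scott's ISE variant: same attribute, regex value '.*SSIDNAME'."""
    pattern = ".*" + re.escape(wlan_name)
    return re.fullmatch(pattern, attrs.get("Called-Station-Id", "")) is not None

# Service selection table: the first matching condition picks the identity
# store. Store names are assumptions standing in for "AD" vs. the local store.
SERVICE_RULES = [
    (lambda a: wlc_rule(a, ":CorpWLAN"), "AD1"),
    (lambda a: wlc_rule(a, ":GuestWLAN"), "Internal Users"),
    (lambda a: autonomous_ap_rule(a, "Test2"), "Internal Users"),
]

def select_identity_store(attrs, rules=SERVICE_RULES):
    """Return the identity store for a request, or None when no rule matches
    (on ACS that shows up as the 'Check Service Selection Rules' failure)."""
    for condition, store in rules:
        if condition(attrs):
            return store
    return None
```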

Nicholas,

Wireless LAN Controllers send SSID in Called-Station-ID.

From what I see in the rest of the thread, it looks like this field wouldn't work for an autonomous AP deployment.

Justin

Sent from Cisco Technical Support iPhone App

Here are a couple links that explain it in general. It's the same concept from the 4.2 guide to 5.x. You can also achieve this using IAS or NPS, but you have to use a different wildcard.

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml

https://supportforums.cisco.com/thread/2081646

http://www.routerdiscussions.com/viewtopic.php?f=7&t=9020

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

Oh... If you do this for ISE, you use the same attribute but the value is .*SSIDNAME

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

s.vosper
Level 1

Justin

Thank you for your response, that's really helpful. I will give it a try and re-post with the results.

Thanks

Simon

Scott Fella
Hall of Fame

Thanks for posting your solution!

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

s.vosper
Level 1

Is there anything I need to do on the controller? I am being challenged for a user name and password but getting authentication failures with the failure "Check Service Selection Rules".
