ACS 5.3 service selection rules for IP phone

Answered Question
Aug 5th, 2013

I've spent a considerable amount of time now trying to configure RADIUS 802.1X authentication on our ACS 5.3 appliance, with policies for non-Cisco IP phones (Nortel IP 2004) and machine authentication for PCs, so we can run the PCs through the IP phone switch port. Currently we can't do that, as the existing 802.1X is through MS IAS and is not configured as such.


I have now got an individual PC policy working on the ACS for the phones, using MAB, with the MAC address of the phone entered as a host in the internal identity store, and also a separate individual policy for the PC authentication which does a host lookup in Active Directory. These work fine on an individual basis and I can post details if necessary, but the part I am having real trouble with is the service selection rules. No matter what I do, it will only hit the first rule and then stop, even if that rule isn't relevant according to the rules I've set up. Currently I have the rules set up as below, following various internet posts, but it's still not working...


[Image: service selection.JPG]


Rule 1, which is for our switch management, is fine and can be ignored; rule 2 is to select the IP phones policy (Hardphones) and rule 3 is for the PC authentication. No matter what I do for the conditions, either my test PC will authenticate or my test IP phone will authenticate, but the rules don't seem to filter correctly. Rule 2 config I got from the link below:


http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-605524.html#wp9000480


With the rules as above, the phone will authenticate, but the PC fails, attempting to use rule 2, which it shouldn't even hit!


I'm going round in circles with this now, so any help is appreciated. Rule 2 config is posted below as well.


[Image: service selection rule 2.JPG]


Thanks


Chris

Amjad Abdullah Tue, 08/06/2013 - 02:19

You don't have to separate the PC and phone service policies.

Use a service selection policy that matches both PCs and phones (for example, select a policy based on RADIUS authentication).

You can then separate PCs and phones within the selected service policy using the "Authentication Method" option.

Using MAB, the authentication method for phones will be "Lookup".

For PCs, the authentication method will not be "Lookup".

So, in both the "Identity" and "Authorization" parts of the access policy, you can use the "Authentication Method" condition with "match" and "does not match" to separate the identity and/or the authorization profile for PCs and phones.





HTH


Amjad


Rating useful replies is more useful than saying "Thank you"

Martin Keith Tue, 08/06/2013 - 04:34

Hi Amjad,


Thanks for responding to this post. I've now combined the two policies into one with 2 rules (which I had already tried but was having similar rule selection issues). I've set the service selection rule to protocol 'RADIUS', so no issue there now.


I originally had my phone identity rule condition set to 'UseCase match Host Lookup' with identity source internal; I've now changed it as below and this seems to work.




The PC rule I'm not sure about though. Originally it was set so the identity was single result selection with identity source AD1, and the authorisation rule as below, which works as an individual policy.



I've tried to modify it according to your suggestion, but I am not sure what 'authentication method lookup' actually is or how it differs from 'host lookup', and as I'm trying to look the PC name up in Active Directory, the identity policy attempt below doesn't work and would seem to contradict itself.



I also added the authentication method into the authorisation policy as well, but I don't think this would work either.



Thanks


Chris

Correct Answer
Amjad Abdullah Tue, 08/06/2013 - 06:08

Quickly, as I have to leave now:

- You don't have to use the UseCase thing. As far as I remember it is almost the same: UseCase "Host Lookup" = Authentication Method "Lookup".

- You can also separate the service policies by using the UseCase thing.

- Try to use Authentication Method "Lookup" only and let me know if that works.



Sorry for the fast reply, but I am really in a hurry.


Regards,


Amjad


Rating useful replies is more useful than saying "Thank you"

Martin Keith Mon, 08/12/2013 - 01:09

Hi Amjad,


Got it working now, thanks! I don't fully understand the different options, but I've got the hardphone access working using 'Authentication Method match Lookup' and the PC policy using 'Authentication Method does not match Lookup'. Seems a bit strange, but it works anyway, subject to further testing.


Chris

Amjad Abdullah Sun, 08/18/2013 - 22:40

Hi Martin,


"Lookup" means that MAB is being used (the device is not dot1x-capable, so the MAC address is used as the credential after the normal dot1x process times out without providing normal credentials).

Now, if MAB is used then it is a phone (because the normal clients will use normal credentials, not MAB).

If MAB is not used then it is not a phone but something else (usually a PC, or any device that does not use MAB).


I hope it is still working for you without problems.


Regards,


Amjad


P.S.: thanks for marking the correct answer.


Rating useful replies is more useful than saying "Thank you"
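The classification Amjad describes in his two replies (one service selection rule for all RADIUS traffic, then a split on "Authentication Method match Lookup" inside the identity and authorization policies) as a small Python model. This is an added example written for this page, not ACS code and not anything posted in the thread: the rule tables, identity stores, MAC addresses and hostnames are constructed assumptions, and the "Authentication Method" value is derived from the RADIUS attributes a Cisco IOS switch sends (Service-Type Call-Check with the MAC as User-Name for MAB, EAP-Message for dot1x). Two points the model makes visible: service selection in ACS 5.x is first-match by rule order, so a rule whose conditions also happen to match the PC traffic catches it before any rule below it is consulted; and "Lookup" only means the switch fell back to MAB, so anything presenting a MAC listed in the internal hosts store (a PC with its supplicant disabled and a phone's MAC cloned, for instance) lands in the phone path. Keep that store limited to phone MACs you actually own.

```python
from dataclasses import dataclass

# RADIUS Service-Type values (RFC 2865). A Cisco IOS switch sends MAB requests
# with Service-Type = Call-Check and the endpoint MAC as User-Name; a dot1x
# supplicant's request carries EAP-Message and Service-Type = Framed.
SERVICE_TYPE_FRAMED = 2
SERVICE_TYPE_CALL_CHECK = 10


@dataclass(frozen=True)
class AccessRequest:
    protocol: str            # "RADIUS" or "TACACS+"
    username: str
    service_type: int
    calling_station_id: str  # endpoint MAC as the switch reports it
    has_eap_message: bool    # True when EAP-Message attributes are present


# Constructed stand-ins for the "Internal Hosts" store and the AD1 store.
INTERNAL_HOSTS = {"00-1b-ba-aa-bb-cc"}               # phone MAC (assumed)
AD_MACHINE_ACCOUNTS = {"host/PC01.example.local"}    # machine account (assumed)


def authentication_method(req: AccessRequest) -> str:
    """Value ACS exposes as the 'Authentication Method' condition.
    MAB has no credential exchange, so ACS reports it as 'Lookup'. Real ACS
    names the EAP method (e.g. PEAP(EAP-MSCHAPv2)); collapsed to 'EAP' here."""
    if req.has_eap_message:
        return "EAP"
    if req.service_type == SERVICE_TYPE_CALL_CHECK:
        return "Lookup"
    return "PAP"


# Service selection is first-match: the first rule whose condition holds wins
# and evaluation stops. One RADIUS rule is enough, as the thread concludes.
SERVICE_SELECTION = [
    ("Rule 1 - device admin", lambda r: r.protocol == "TACACS+", "Device Admin"),
    ("Rule 2 - all RADIUS", lambda r: r.protocol == "RADIUS", "Network Access"),
]


def select_service(req: AccessRequest):
    for name, condition, service in SERVICE_SELECTION:
        if condition(req):
            return name, service
    return None, "Default"


def identity_policy(req: AccessRequest):
    """Identity rules inside Network Access:
    Authentication Method match Lookup      -> Internal Hosts (MAC lookup)
    Authentication Method does not match    -> AD1 (machine account)"""
    if authentication_method(req) == "Lookup":
        return "Internal Hosts", req.calling_station_id.lower() in INTERNAL_HOSTS
    return "AD1", req.username in AD_MACHINE_ACCOUNTS


def authorization_policy(req: AccessRequest, authenticated: bool) -> str:
    if not authenticated:
        return "Access-Reject"
    if authentication_method(req) == "Lookup":
        return "Voice-VLAN"   # rule: Authentication Method match Lookup
    return "Data-VLAN"        # rule: Authentication Method does not match Lookup


def evaluate(req: AccessRequest) -> dict:
    rule, service = select_service(req)
    if service != "Network Access":
        return {"rule": rule, "service": service, "result": "not evaluated here"}
    store, ok = identity_policy(req)
    return {"rule": rule, "service": service, "store": store,
            "result": authorization_policy(req, ok)}


# Constructed requests: a Nortel phone doing MAB, a PC doing dot1x machine
# auth, and an unknown MAB-only endpoint on the same port.
PHONE = AccessRequest("RADIUS", "001bbaaabbcc", SERVICE_TYPE_CALL_CHECK,
                      "00-1B-BA-AA-BB-CC", has_eap_message=False)
PC = AccessRequest("RADIUS", "host/PC01.example.local", SERVICE_TYPE_FRAMED,
                   "00-50-56-11-22-33", has_eap_message=True)
UNKNOWN = AccessRequest("RADIUS", "005056445566", SERVICE_TYPE_CALL_CHECK,
                        "00-50-56-44-55-66", has_eap_message=False)

if __name__ == "__main__":
    for label, request in (("phone", PHONE), ("pc", PC), ("unknown", UNKNOWN)):
        print(label, evaluate(request))
```

The three-rule layout from the original question can be reproduced by inserting a phone rule above "Rule 2 - all RADIUS" whose condition is broader than intended; because `select_service` stops at the first hit, the PC request never reaches the rule meant for it, which is the behaviour the question describes.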
