Cisco Support Community
Community Member

ACS 5.1 - service selection rule and machine authentication

Hi everybody

I have 2 problems and appreciate any help resolving them as I am starting to pull my hair out and pretty soon there will none left.

- I have a cisco unified network (ACS 5.1, Cisco controller, LWAP) and have configured ACS to integrate with AD.

- I am using this network for Laptops and wireless IP phones access.

- I have only one Service Selection rule for both Laptops and wireless IP phones. All the conditions attributes are set to ANY except Protocol = Radius

- I select a simple Identity Policy and I use a sequence where IP phones users are authenticated using ACS local user and the Laptops users are authenticated using AD

- Laptop users are authenticated using PEAP and IP phones users using EAP-Fast

Everything is working fine BUT I need to make 2 changes and eventhough  I spent many hours hours on forums and reading articles and trying things myself I can't get the changes to work.

The first change is to use 2 Service Selection Rules one for the IP phones and one for the Laptops. After adding another service selection rules that I put at the top, I tried many combinations to try and get the IP phones to use it but whatever I did (used different combinations of conditions), the IP phones always select the 2nd rule, which is the original one. The question is "what conditions to put in a service selection rule to make wireless IP phones use the rule).

The second change is that I want to add machine authentication so only Laptops that are in AD can access the network. AGain I tried various settings but can't get this to work. If someone could give me the steps involved and where in ACS to find  them that would be great.

I appreciate any help you can provide.



Community Member

ACS 5.1 - service selection rule and machine authentication

We are not using IP phones, but, for our "agentless clients" we added "useCase" to the conditions of the service selection rule and configured "match Host Lookup" and placed in the top of the rule stack. The identity uses the local host database. Our second rule matches radius requests and uses Active Directory external store.

On the switchport, we configured authentication order dot1x mab. Works for us.

Community Member

ACS 5.1 - service selection rule and machine authentication

Thanks for the reply Graham, I will have a go.

Which switchport are you referring to please as we are connecting wirelessly only.


CreatePlease to create content