Cisco Support Community

ACS 5.5 RADIUS OUTBOUND Attributes Injection feature

Hello

I'm having a look at the RADIUS OUTBOUND Attributes Injection feature for the External Proxy service in ACS version 5.5.0.46.

The use case is:

  • ACS uses the External Proxy service to authenticate wireless users with certain domain suffixes
  • Sometimes the username in the Access-Accept comes back with the domain suffix stripped.
  • The result of this is:
    • ACS logs a successful authentication with the sent username (with suffix)
    • ACS sends the Access-Accept to the WLC and the user is listed on the WLC (without suffix)
    • Subsequent accounting packets for the user appear in ACS (without suffix)

In the past I've used a FreeRADIUS proxy server between ACS and the external proxy to 'rewrite' the username in the Access-Accept so that it matches the username originally sent in the Access-Request. The code for this looked something like the following.

post-proxy {
    ...
    # Copy the User-Name from the original request into the reply
    update outer.reply {
        User-Name := "%{request:User-Name}"
    }
    ...
}


I'm looking to do the above solely with ACS but I can't see the Radius-ietf username attribute listed under the RADIUS OUTBOUND Attributes Injection feature. Is it possible to rewrite the username attribute in ACS 5.5?

Thanks
Andy

1 REPLY

ACS 5.5 RADIUS OUTBOUND Attributes Injection feature

Don't think this can be done in ACS 5.5 when using an External Proxy Service Type.

Interestingly, it appears to be possible with a Network Access Service Type. Under Allowed Protocols there is a tick box for Send as User-Name in RADIUS Access-Accept - one of the options is RADIUS Access-Request User-Name. Hopefully this will be implemented in a future release for External Proxy.

Cheers

Andy
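
The rewrite discussed in this thread, as an added Python example that is not part of the original posts and is not ACS or FreeRADIUS code: it copies the User-Name from the Access-Request into the Access-Accept and then recomputes the Message-Authenticator (RFC 3579) and Response Authenticator (RFC 2865), which any in-path rewrite has to do or the WLC will reject the reply. The function names, shared secret and sample packets are constructed for illustration, and it assumes the upstream reply was already authenticated on the proxy's upstream leg.

```python
import hashlib
import hmac
import struct

USER_NAME, MESSAGE_AUTHENTICATOR = 1, 80   # attribute types (RFC 2865 / RFC 3579)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2       # packet codes

def parse_attrs(packet):
    """Return the (type, value) attribute pairs of a RADIUS packet."""
    end, attrs, i = struct.unpack("!H", packet[2:4])[0], [], 20
    if not 20 <= end <= len(packet):
        raise ValueError("bad length field")
    while i < end:
        if i + 2 > end or packet[i + 1] < 2 or i + packet[i + 1] > end:
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((packet[i], packet[i + 2:i + packet[i + 1]]))
        i += packet[i + 1]
    return attrs

def build(code, ident, authenticator, attrs):
    """Serialize header and attributes; the length field covers the whole packet."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def sign_reply(code, ident, request_auth, attrs, secret):
    """Fill Message-Authenticator (if present), then the Response Authenticator."""
    zeroed = [(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    mac = hmac.new(secret, build(code, ident, request_auth, zeroed), hashlib.md5).digest()
    attrs = [(t, mac if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    unsigned = build(code, ident, request_auth, attrs)
    return unsigned[:4] + hashlib.md5(unsigned + secret).digest() + unsigned[20:]

def restore_user_name(request, accept, secret):
    """Return the Access-Accept with User-Name copied from the Access-Request."""
    # Assumption: 'accept' was already authenticated on the upstream leg.
    if request[0] != ACCESS_REQUEST or accept[0] != ACCESS_ACCEPT or request[1] != accept[1]:
        raise ValueError("not a matching Access-Request/Access-Accept pair")
    sent = [v for t, v in parse_attrs(request) if t == USER_NAME]
    if not sent:
        return accept
    attrs = [(t, v) for t, v in parse_attrs(accept) if t != USER_NAME]
    return sign_reply(ACCESS_ACCEPT, accept[1], request[4:20], [(USER_NAME, sent[0])] + attrs, secret)

# Constructed sample: the request carries the suffix, the upstream reply has it stripped.
SECRET = b"example-secret"
REQ = build(ACCESS_REQUEST, 7, bytes(range(16)), [(USER_NAME, b"andy@example.org")])
ACCEPT = sign_reply(ACCESS_ACCEPT, 7, REQ[4:20],
                    [(USER_NAME, b"andy"), (MESSAGE_AUTHENTICATOR, bytes(16))], SECRET)
FIXED = restore_user_name(REQ, ACCEPT, SECRET)
```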
