
ACS 5.5 RADIUS OUTBOUND Attributes Injection feature

andrewswanson
Level 7

Hello

I'm having a look at the RADIUS OUTBOUND Attributes Injection feature for the External Proxy service in ACS version 5.5.0.46.

The use case is:

  • ACS uses the External Proxy service to authenticate wireless users with certain domain suffixes
  • Sometimes the username Access-Accept comes back with the domain suffix stripped.
  • The result of this is:
    • ACS logs a successful authentication with the sent username (with suffix)
    • ACS sends the Access-Accept to the WLC and the user is listed on the WLC (without suffix)
    • Subsequent accounting packets for the user appear in ACS (without suffix)

In the past I've used a FreeRADIUS proxy server between ACS and the external proxy to 'rewrite' the username in the Access-Accept so that it matches the username originally sent in the Access-Request. The code for this looked something like the following.

post-proxy {
    ...
    # Overwrite the reply's User-Name with the one from the original Access-Request
    update outer.reply {
        User-Name := "%{request:User-Name}"
    }
    ...
}


I'm looking to do the above solely with ACS but I can't see the Radius-ietf username attribute listed under the RADIUS OUTBOUND Attributes Injection feature. Is it possible to rewrite the username attribute in ACS 5.5?

Thanks
Andy

1 Reply

andrewswanson
Level 7

Don't think this can be done in ACS 5.5 when using an External Proxy Service Type.

Interestingly, it appears to be possible with a Network Access Service Type. Under Allowed Protocols there is a tick box for Send as User-Name in RADIUS Access-Accept - one of the options is RADIUS Access-Request User-Name. Hopefully this will be implemented in a future release for External Proxy.

Cheers

Andy
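
The User-Name rewrite discussed in this thread, shown at packet level as an added example (not code from the posts, ACS or FreeRADIUS): any device that changes an attribute in an Access-Accept must also recompute the RFC 2865 Response Authenticator, or the WLC will discard the reply. The function names are hypothetical, the sample packets are constructed, and it assumes a single shared secret and a reply without a Message-Authenticator attribute.

```python
import hashlib
import struct

USER_NAME, MESSAGE_AUTHENTICATOR = 1, 80   # RFC 2865 / RFC 3579 attribute types
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2       # RFC 2865 packet codes

def parse_attrs(packet):
    """Return the (type, value) attribute pairs of a RADIUS packet."""
    (length,) = struct.unpack("!H", packet[2:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    attrs, i = [], 20
    while i < length:
        if i + 2 > length or packet[i + 1] < 2 or i + packet[i + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((packet[i], packet[i + 2:i + packet[i + 1]]))
        i += packet[i + 1]
    return attrs

def build(code, ident, authenticator, attrs):
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def sign_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    digest = hashlib.md5(build(code, ident, request_auth, attrs) + secret).digest()
    return build(code, ident, digest, attrs)

def user_name(packet):
    return next((v for t, v in parse_attrs(packet) if t == USER_NAME), None)

def restore_user_name(request, accept, secret):
    """Re-issue the Access-Accept carrying the User-Name from the Access-Request."""
    if accept[0] != ACCESS_ACCEPT or accept[1] != request[1]:
        raise ValueError("not the Access-Accept for this request")
    attrs = parse_attrs(accept)
    if any(t == MESSAGE_AUTHENTICATOR for t, _ in attrs):
        raise ValueError("Message-Authenticator present; it would need recomputing too")
    wanted = user_name(request)
    if wanted is None:
        return accept
    attrs = [(USER_NAME, wanted)] + [(t, v) for t, v in attrs if t != USER_NAME]
    return sign_response(accept[0], accept[1], request[4:20], attrs, secret)

# Constructed sample exchange (not captured traffic): suffix stripped in the reply.
SECRET = b"example-secret"
REQUEST = build(ACCESS_REQUEST, 7, bytes(range(16)), [(USER_NAME, b"andy@example.org")])
ACCEPT = sign_response(ACCESS_ACCEPT, 7, REQUEST[4:20],
                       [(USER_NAME, b"andy"), (25, b"staff")], SECRET)  # 25 = Class
FIXED = restore_user_name(REQUEST, ACCEPT, SECRET)
```

Comparing `user_name()` of each request and its accept is also a quick way to spot which upstream realms strip the suffix before accounting records start to diverge.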