New Member

ACS, Access Service and Authorization

I am running ACS 5.2 and I am trying to set up 3 new SSIDs, 2 of which are unsecured and 1 that is secured.  I am trying to figure out the best way to authorize them based on which network they are coming from.  All the authentication requests are coming from the same devices, the Wireless LAN Controllers, so NDG cannot be used as criteria.  I have been looking at either creating 3 Access Services and using Service Selection Rules, or creating 1 Access Service and using Authorization to choose.  Regardless, I cannot find an attribute to use that can determine which network they came from.

Does anyone have a suggestion for the best way to do this?  I

Accepted Solutions
Cisco Employee

Re: ACS, Access Service and Authorization

Go to Policy Elements -> Network Conditions -> End Station Filters, and create a CLI/DNIS rule that includes the name of the SSID, then use it as a condition in any rule you create for authentication. The SSID will be preceded by the MAC address, so enter *ssidname (i.e., match anything before the SSID name, then match the SSID name). For example, if the SSID is called lab then you would enter *lab.

Then go to Access Policies -> Service Selection and create a service selection rule that has End Station Filter as the criteria.
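
An added illustration, not part of the original reply and not Cisco's code: it models the `*ssidname` wildcard with Python's `fnmatchcase` (an assumption about the matching semantics) over constructed DNIS values assumed to have the form `AP-MAC:SSID`, and shows that `*lab` also matches an SSID that merely ends in `lab`. The SSID names other than `lab`, the service names and the anchored `*:lab` form are hypothetical.

```python
from fnmatch import fnmatchcase

# Constructed Called-Station-ID (DNIS) values; the "AP-MAC:SSID" layout is an assumption.
SAMPLES = [
    "00-1a-2b-3c-4d-5e:lab",
    "00-1a-2b-3c-4d-5e:guest-lab",
    "00-1a-2b-3c-4d-5e:corp",
]

# Ordered (pattern, service) pairs; service names are hypothetical.
LOOSE = [("*lab", "Secured-Lab"), ("*guest-lab", "Open-Guest")]
ANCHORED = [("*:lab", "Secured-Lab"), ("*:guest-lab", "Open-Guest")]


def split_called_station_id(value):
    """Return (ap_mac, ssid); ssid is None when no ':' separator is present."""
    mac, sep, ssid = value.partition(":")
    return (mac, ssid if sep else None)


def select_service(dnis, rules, default="DenyAccess"):
    """First-match evaluation over ordered rules, falling back to a default."""
    for pattern, service in rules:
        if fnmatchcase(dnis, pattern):
            return service
    return default


def overlapping(rules, samples):
    """Map each sample matched by more than one pattern to those patterns."""
    hits = {}
    for sample in samples:
        matched = [p for p, _ in rules if fnmatchcase(sample, p)]
        if len(matched) > 1:
            hits[sample] = matched
    return hits


if __name__ == "__main__":
    for name, rules in (("loose", LOOSE), ("anchored", ANCHORED)):
        for dnis in SAMPLES:
            ssid = split_called_station_id(dnis)[1]
            print(name, ssid, "->", select_service(dnis, rules))
        print(name, "overlaps:", overlapping(rules, SAMPLES))
```

With the loose patterns, the open `guest-lab` SSID falls into the service intended for `lab` because rule order decides between two matching filters; checking filters for overlap before relying on them avoids that.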

8 REPLIES
New Member

Re: ACS, Access Service and Authorization

Javier thank you.  Sounds like a perfect solution to my issue.  From what I read, DNIS is where I want to place the *ssid value.  However, when I save it, the value gets moved from the DNIS field to the CLI field.  I get the same results in IE8 and FF3.  Any thoughts?

Cisco Employee

Re: ACS, Access Service and Authorization

Put ANY in the CLI field, then *SSID in the DNIS field, it should work.

New Member

Re: ACS, Access Service and Authorization

Scratch that.  It is displaying properly now.  I cannot explain what or why, but it is displaying fine now.

New Member

Re: ACS, Access Service and Authorization

Ok it has to be a bug.  It is displaying incorrectly again.  This time I have also confirmed it on FF3 for Mac.  I suppose I can open a TAC case and allow you to confirm if it is a bug or not via a webex?

Thanks.

Brian

Cisco Employee

Re: ACS, Access Service and Authorization

Brian,

That would be best.

New Member

Re: ACS, Access Service and Authorization

Did you guys ever find a solution to this?  I have the same problem where it flips the values I enter for CLI and DNIS.  I've tried entering them in reverse order to get ACS to display them properly but my filter still doesn't work.

I enter the values like you see in pictures 2 & 3.  But then after hitting submit, when I go back in to check it the values are reversed like in picture 1.

I've even patched ACS up to version 5.2.0.26.3.

Cisco Employee

Re: ACS, Access Service and Authorization

Guys-

I had the same issue with end station filters when I would enter the source/destination MAC addresses. Try reversing the values > hit submit and then go back and see if that worked. It definitely works on the MAC address fields. I am pretty sure it is a bug in the current version that probably won't get fixed till ACS 5.3. I won't be back for a week, otherwise I would try myself.

Thank you for rating helpful posts!