
Manipulate ACCESS-ACCEPT attributes

Hello,

Is it possible in some way to manipulate/add the following ACCESS-ACCEPT attributes that come from a RADIUS proxy?

  • Tunnel-Type
  • Tunnel-Medium-Type
  • Tunnel-Private-Group-ID

Using a Cisco ACS 5.5.0.46.

Best regards,

Roy

6 REPLIES


Hi Roy,

The RADIUS Attributes Rewrite feature introduced in ACS 5.4 makes it possible to add, overwrite and delete RADIUS INBOUND attributes on access requests, which will be redirected to external servers.
In ACS 5.5, it is extended to enable manipulation of RADIUS OUTBOUND attributes.
ACS 5.5 supports add, overwrite and delete of RADIUS OUTBOUND attributes, which will be returned to the client.
The RADIUS attributes rewrite is enabled for the Access-Accept response only, not for Access-Reject or Challenge responses, and it is not relevant for accounting responses.
The attribute manipulation is defined as an attribute operation statement and configured as part of the Proxy Access Service.
An administrator can configure an attribute operation clause for a specific proxy access service. When this service is selected, ACS performs the operation on the Access-Accept response and returns the updated response to the client.

Yes, you can manipulate those attributes.

Rate if Useful :)

Sharing knowledge makes you Immortal.

Regards,

Ed


Hello Ed,

Thank you for your response.

I noticed the RADIUS (INBOUND/OUTBOUND) Attributes Injection field, but I don't see the attributes I mentioned before. Should they be here?

Best regards,

Roy


Roy,

Did you ever get an answer on this? I am looking to do the exact same thing. We are also running 5.5.0.46.

Thanks

Tim


Hi Tim,

I never got an answer to this question. We solved this by using another RADIUS server that can do this. You could try FreeRADIUS for just these attributes.

Best regards,

Roy


Roy,

Thanks for responding. I know you have already moved on from this, but we have figured out an alternate method to do this, just FYI in case you want to change things in the future.

We have selection rules based on the username, in our case "@college.edu", and assign a corresponding service rule.

Here we are still using the "outbound attribute injection", but we are using the "airspace-interface-name" under the "Radius Cisco-airspace" dictionary. There we are specifying an interface group we set up on the WLC.

This is actually even better for our environment, as it will help keep our subnet size down, and if we need more IPs we can assign an additional interface to that group.

Thanks again,

Tim


Tim,

Hmm, never thought about that. But do you have AAA override still on? I noticed that some administrators send an ACCESS-ACCEPT and also the attributes described in my first post for their own network. So we had users in the wrong VLAN because of that.

Roy
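
The following is an added example, not part of any post in this thread and not Cisco ACS or FreeRADIUS code. It sketches what an outbound rewrite on a proxied Access-Accept involves at the packet level: dropping the upstream Tunnel-* attributes, optionally injecting a locally chosen VLAN, and re-signing the response for the client. The function names, shared secret and sample packet are constructed for illustration, and verification of the upstream server's own authenticator is assumed to have happened already.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, MESSAGE_AUTHENTICATOR = 2, 80
TUNNEL_ATTRS = {64, 65, 81}  # Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID

def parse_attrs(data):
    """Split the attribute area into (type, value) pairs; reject bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2 or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def encode(code, ident, auth, attrs):
    """Serialize header plus attributes, computing the Length field."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", code, ident, 20 + len(body), auth) + body

def rewrite_accept(packet, request_auth, secret, vlan=None):
    """Strip upstream tunnel attributes from an Access-Accept; optionally set our VLAN."""
    code, ident, length, _ = struct.unpack("!BBH16s", packet[:20])
    if code != ACCESS_ACCEPT:
        return packet  # rejects and challenges pass through untouched
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs = [a for a in parse_attrs(packet[20:length]) if a[0] not in TUNNEL_ATTRS]
    if vlan is not None:
        attrs += [(64, struct.pack("!I", 13)),  # Tunnel-Type = VLAN, tag 0
                  (65, struct.pack("!I", 6)),   # Tunnel-Medium-Type = IEEE-802
                  (81, str(vlan).encode())]     # Tunnel-Private-Group-ID
    # Attributes changed, so Message-Authenticator (if present) must be recomputed.
    attrs = [(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    if any(t == MESSAGE_AUTHENTICATOR for t, _ in attrs):
        mac = hmac.new(secret, encode(code, ident, request_auth, attrs), hashlib.md5).digest()
        attrs = [(t, mac if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    signed = encode(code, ident, request_auth, attrs)
    return encode(code, ident, hashlib.md5(signed + secret).digest(), attrs)

# Constructed sample: an upstream Access-Accept that tries to assign VLAN 999.
SECRET, REQ_AUTH = b"example-secret", bytes(range(16))
UPSTREAM = encode(2, 7, bytes(16), [(18, b"welcome"), (64, struct.pack("!I", 13)),
                                    (65, struct.pack("!I", 6)), (81, b"999"),
                                    (80, bytes(16))])
```

Calling `rewrite_accept(UPSTREAM, REQ_AUTH, SECRET)` with no `vlan` removes the upstream VLAN assignment entirely, which addresses the wrong-VLAN case Roy describes when AAA override is enabled on the WLC.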
