
Strip suffix/prefix with ACS 5.3 and Radius Server

Hi to everyone,

We have a diagram similar to this:

User -> AP Aironet -> Cisco WLC -> Radius Server -> Cisco ACS 5.3

Now in details:

User takes a notebook to Access a wireless network that uses PEAP-MSCHAPv2 as the authentication Protocol. The user has to input (see Image 1):

  • Username: telcouser
  • Mobile Token (OTP): 312832
  • Password: ********

Image 1. You can see the format on the image below

[Image 1: Screen Shot 2013-12-11 at 9.40.18 PM.png]

AP Aironet forwards the SSID and other stuff to the Cisco WLC which connects to the Radius Server.

The Radius Server authenticates the Mobile Token using HOTP, makes the separation of username / Mobile Token and the PEAP Challenge, and delivers the information to the ACS.

Actually we use the Radius Server in the middle of the WLC and Cisco ACS to maintain a strong authentication policy without breaking our PEAP-MSCHAPv2, due to the incompatibility of the Cisco ACS to handle that type of authentication protocol.

Everything here works fine until we add the Active Directory as the Identity Source on the Network Policy we use.

We noticed that when we switch to this diagram:

User -> AP Aironet -> Cisco WLC -> Radius Server -> Cisco ACS -> Active Directory

The radius server sends the “Radius Username” attribute stripped, but in the logs of the ACS we saw an attribute “ACS Username” that contains user/token, and obviously this action fails.

After a debug at the first Radius Server we are pretty sure that there is no such attribute like “ACS Username” or “ACS::Username”. So the question is, at which point does the ACS get the user/token, or how can we override this type of behavior?

We also wonder if the ACS can strip the prefix/suffix of the attribute and send the information to the Active Directory without the Mobile token “(/312832)”.

User: Windows XP, Windows 7 and Mac OS X

AP Aironet: Version

Cisco WLC: Version

Radius Server: Freeradius 2.1 – VU Security Application Server

Cisco ACS: Version 5.3

Active Directory: Version Windows 2003

Attributes:

UserName

ACS::UserName

For Host Lookup, the value will be the host MAC address. In all other cases, the value is the identity name used for authentication.
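An added example (not from the original post, FreeRADIUS or the VU Security server) of what the RADIUS server in the middle is described as doing: verify the HOTP token and hand only the stripped username onward, so a failed or replayed token never reaches the ACS or Active Directory. The '/' separator comes from the post's "(/312832)" format; the per-user secret (the RFC 4226 test-vector key), the counter store and the look-ahead window of 5 are assumptions.

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Tuple

# Constructed demo store: username -> [shared secret, next expected HOTP counter].
# The secret is the RFC 4226 test-vector key; real deployments provision per-user secrets.
TOKEN_STORE: Dict[str, List] = {"telcouser": [b"12345678901234567890", 0]}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def split_identity(raw: str, sep: str = "/") -> Tuple[str, Optional[str]]:
    """Split the 'user/token' form from the post into (username, token); (raw, None) if no token.
    Splitting from the right keeps any '/' that belongs to the username itself."""
    if sep not in raw:
        return raw, None
    user, token = raw.rsplit(sep, 1)
    return user, token


def verify_hotp(secret: bytes, counter: int, token: str, window: int = 5) -> Optional[int]:
    """Accept the token if it matches one of the next `window` counters (RFC 4226 look-ahead).
    Returns the counter to store next (one past the match) so a used token cannot be replayed."""
    if len(token) != 6 or not token.isdigit():
        return None
    for c in range(counter, counter + window):
        if hmac.compare_digest(hotp(secret, c), token):
            return c + 1
    return None


def authenticate(raw_username: str, store: Dict[str, List] = TOKEN_STORE) -> Optional[str]:
    """Verify the OTP in 'user/token' and return the stripped username to forward to the ACS.
    On success the user's counter is advanced; on failure None is returned and nothing is forwarded."""
    user, token = split_identity(raw_username)
    if token is None or user not in store:
        return None
    secret, counter = store[user]
    new_counter = verify_hotp(secret, counter, token)
    if new_counter is None:
        return None
    store[user][1] = new_counter
    return user
```

Only the value returned by `authenticate` should be placed in the proxied User-Name; if the store counter is not persisted after each success, the same token is accepted again.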
