Strip suffix/prefix with ACS 5.3 and Radius Server
Hi to everyone,
We have a diagram similar to this:
User -> AP Aironet -> Cisco WLC -> Radius Server -> Cisco ACS 5.3
Now in details:
User takes a notebook to Access a wireless network that uses PEAP-MSCHAPv2 as the authentication Protocol. The user has to input (see Image 1):
Mobile Token (OTP): 312832
Image 1. You can see the format on the image below
AP Aironet forwards the SSID and other stuff to the Cisco WLC which connects to the Radius Server.
The Radius Server authenticates the Mobile Token using HOTP, makes the separation of username / Mobile Token and the PEAP Challenge and delivers the information to the ACS.
Actually we use the Radius Server in the middle of WLC and Cisco ACS to maintain a strong authentication policy without breaking our PEAP-MSCHAPv2 due to the incompatibility of the Cisco ACS to handle that type of authentication protocols.
Everything here works fine until we add the Active Directory as the Identity Source on the Network Policy we use.
We noticed that when we switch to this diagram:
User -> AP Aironet -> Cisco WLC -> Radius Server -> Cisco ACS -> Active Directory
The radius server sends the “Radius Username” attribute stripped, but in the logs of the ACS we saw an attribute “ACS Username” that contains user/token and obviously this action fails.
After a debug at the first Radius Server we are pretty sure that there is no such attribute like “ACS Username” or “ACS::Username”. So the question is, at which point does the ACS get the user/token, or how can we override this type of behavior?
We also wonder if the ACS can strip the prefix/suffix of the attribute and send the information to the Active Directory without the Mobile token “(/312832)”.
User: Windows XP, Windows 7 and Mac OS X
AP Aironet: Version
Cisco WLC: Version
Radius Server: Freeradius 2.1 – VU Security Application Server
Cisco ACS: Version 5.3
Active Directory: Version Windows 2003
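The post describes the middle RADIUS server doing two things: splitting the identity the user typed (`user/token`) into a username and a Mobile Token, and checking that token with HOTP before forwarding a stripped username towards the ACS. The snippet below is an added illustration of that logic, written for this thread; it is not the VU Security Application Server's code, not FreeRADIUS unlang, and not Cisco's. It implements RFC 4226 HOTP (HMAC-SHA1, dynamic truncation, 6 digits), checks the OTP against a small look-ahead window so a counter that drifted on the device can resynchronise, advances the stored counter so the same code cannot be replayed, and returns the stripped username that would be placed in `User-Name` for the next hop. The separator `/`, the `TokenRecord` store, the `window` size and the RFC 4226 test secret are assumptions of this example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Shared secret from the RFC 4226 test vectors (constructed test data, not a real token seed).
RFC4226_SECRET = b"12345678901234567890"
SEPARATOR = "/"   # assumed: identity is typed as "username/OTP"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def split_identity(user_name: str, separator: str = SEPARATOR):
    """'alice/312832' -> ('alice', '312832'); an identity without a token -> (user_name, None)."""
    if separator not in user_name:
        return user_name, None
    name, _, token = user_name.rpartition(separator)
    return name, token


@dataclass
class TokenRecord:
    """Per-user HOTP state: the seed and the next counter value we expect."""
    secret: bytes
    counter: int


def verify_and_strip(user_name: str, tokens: dict, window: int = 10):
    """Validate the OTP suffix and return the stripped username, or None on failure.

    The look-ahead window tolerates a device whose counter is ahead of ours; on
    success the stored counter moves past the accepted value so the OTP cannot
    be replayed.
    """
    name, otp = split_identity(user_name)
    if otp is None or name not in tokens:
        return None
    # Only ASCII digits can be a valid code; this also keeps compare_digest happy.
    if not (otp.isascii() and otp.isdigit()):
        return None
    record = tokens[name]
    for candidate in range(record.counter, record.counter + window + 1):
        if hmac.compare_digest(hotp(record.secret, candidate), otp):
            record.counter = candidate + 1
            return name
    return None


if __name__ == "__main__":
    store = {"alice": TokenRecord(RFC4226_SECRET, 0)}
    for identity in ("alice/755224", "alice/755224", "alice/969429", "alice"):
        print(identity, "->", verify_and_strip(identity, store))
```

The stripped value is what a downstream server sees as the user. One general point worth keeping in mind when stripping in front of PEAP-MSCHAPv2: MS-CHAPv2 (RFC 2759) folds the username into the challenge hash, so the name the supplicant used and the name the server validating the inner method uses have to agree, which is why the strip has to happen consistently at one place in the chain.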
For Host Lookup, the value will be the host MAC address. In all other cases, the value is the identity name used for authentication.