If we use an external RADIUS server for authentication, we have the requirement that we control/filter the attributes which come from the external RADIUS server on the ACS 5.1.
Is this possible, for example for 802.1X dynamic VLAN assignment? We want to control which VLANs are assigned by the external RADIUS server.
Just wanted to make sure I understood the question first: are you trying to point your WLC to an ACS 5.1 via RADIUS and then additionally point the ACS 5.1 server to a second external RADIUS server to authenticate and pull down attributes?
If so, then you can specify attributes from the external RADIUS server for use in ACS 5's own authorization policies. To do that, first edit your RADIUS Identity Server entry on your ACS 5 and ensure that the attributes you want to use are selected under the Directory Attributes tab.
Then, under your authorization policies on the ACS, go to the Common Tasks page (where you would normally manually specify what VLAN you want to pass down). Instead of picking "Static" next to VLAN, you can select "Dynamic" and then select the external database you want to pull the attribute from. Select the attribute name that the value is stored in, and then you can go to the "Custom Attributes" page, where you should see all that reflected in the attributes it adds to your profile.
Save that profile and use it in your access policy rules. Now, as long as the ACS is configured to authenticate against the external RADIUS server, it will also take the value of the specified attribute and forward that on to the NAS to assign a VLAN.
Thanks for your explanation, that's exactly what we want to do, but in addition we want to control the values of the attributes which are assigned by the external RADIUS server. E.g. we want to control which VLANs can be assigned by the external RADIUS server; is that possible?
You can either have the ACS send down static VLANs that are all defined on the ACS, or have it dynamically pass them down as discussed earlier, but if you have it dynamically pass them down, it will always take the value of the attribute it received and pass it down to the switch. There's no way to limit the VLANs unless you create a condition in your access policy rule based on that external attribute and map it to a different authorization policy that passes down a static VLAN from the ACS.
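The workaround described in that answer amounts to an allowlist: the external server's VLAN value is only honoured when a rule condition matches an approved value, and every other case falls through to a profile with a static VLAN. The following script is an added illustration of that decision logic, written for this thread; it is not ACS code and ACS exposes the equivalent only through its GUI rule tables. The RADIUS attribute numbers and values (Tunnel-Type = 13 for VLAN, Tunnel-Medium-Type = 6 for IEEE-802, Tunnel-Private-Group-ID carrying the VLAN) are the standard ones from RFC 3580; the customer name, approved VLAN sets and quarantine VLAN are constructed sample data.

```python
"""Model of a VLAN allowlist on top of a proxied RADIUS reply.

Added illustration for the thread above, not ACS code. The policy
table and the sample replies are constructed data.
"""

from dataclasses import dataclass
from typing import Dict, Optional, Set

# RFC 3580 values used for 802.1X VLAN assignment.
TUNNEL_TYPE_VLAN = 13   # Tunnel-Type = VLAN
TUNNEL_MEDIUM_802 = 6   # Tunnel-Medium-Type = IEEE-802


@dataclass(frozen=True)
class VlanDecision:
    vlan: int
    source: str  # "external" if the proxied value was accepted, "static" if overridden


def external_vlan(reply_attrs: Dict[str, object]) -> Optional[int]:
    """Return the VLAN requested by the external RADIUS server, or None
    when the reply does not carry a well-formed VLAN assignment."""
    if reply_attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN:
        return None
    if reply_attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_802:
        return None
    group = reply_attrs.get("Tunnel-Private-Group-ID")
    # The value may arrive as raw bytes, optionally prefixed with an
    # RFC 2868 tag byte (0x00-0x1F), or already decoded as text.
    if isinstance(group, bytes):
        if group and group[0] <= 0x1F:
            group = group[1:]
        group = group.decode("ascii", errors="replace")
    try:
        return int(group)  # type: ignore[arg-type]
    except (TypeError, ValueError):
        return None


def authorize(customer: str, reply_attrs: Dict[str, object],
              allowed_vlans: Dict[str, Set[int]], fallback_vlan: int) -> VlanDecision:
    """Accept the external VLAN only if it is in this customer's approved set;
    otherwise assign the static fallback VLAN from the local profile.
    Missing or malformed tunnel attributes also land in the fallback."""
    vlan = external_vlan(reply_attrs)
    if vlan is not None and vlan in allowed_vlans.get(customer, set()):
        return VlanDecision(vlan, "external")
    return VlanDecision(fallback_vlan, "static")


def to_reply_attrs(decision: VlanDecision) -> Dict[str, object]:
    """Build the three tunnel attributes the NAS needs for the chosen VLAN."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,
        "Tunnel-Private-Group-ID": str(decision.vlan),
    }


# Constructed sample policy: this customer may only land in VLANs 100 and 101.
ALLOWED: Dict[str, Set[int]] = {"customerA": {100, 101}}
QUARANTINE_VLAN = 999

if __name__ == "__main__":
    accepted = authorize(
        "customerA",
        {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": b"\x00100"},
        ALLOWED, QUARANTINE_VLAN)
    rejected = authorize(
        "customerA",
        {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": "1"},
        ALLOWED, QUARANTINE_VLAN)
    print(accepted, to_reply_attrs(accepted))
    print(rejected, to_reply_attrs(rejected))
```

The fallback is deliberately a dedicated VLAN rather than "no VLAN attribute", because a reply without tunnel attributes typically leaves the port in its configured default VLAN, which may be exactly what the allowlist was meant to prevent.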
It would be if you use those EAP types. But out of curiosity, why would you want to go from a switch to ACS to another RADIUS server (IAS), which will pull from your Active Directory? Why don't you go from the ACS directly to the Active Directory?
The only reason is that we offer some VLANs and ports to our customers, and if they want to use dot1x we are not able to force them against which identity store they authenticate. To authenticate against AD the only possibility would be via LDAP, because as I understand it, for authenticating directly against AD, ACS has to be a member of the domain, and cannot/shouldn't be a member of a lot of customer domains?
Yes you are correct. ACS can only join to one Active Directory domain.
Unfortunately, using LDAP there are some protocol limitations as well, but you should be able to do EAP-TLS that way. The problem with EAP-TLS to another external RADIUS server is that the ACS usually pulls data from the LDAP or AD server to match against the certificate. With an external database of RADIUS we can't do that; we have to send a full authentication to it, username and password, which we obviously don't have, so that's why EAP-TLS won't work to an external RADIUS server.