New Member

ACS 5.1 Access Policies for multiple EAP types

Hello

I am trying to configure a Unified Wireless solutions with ACS 5.1 and am having trouble with the access policies. We have corporate laptops authenticating via PEAP and 7921 phones authenticating using EAP-FAST.

I have one access service configured to allow PEAP and authenticate against AD and another access service configured to allow EAP-FAST and authenticate the 7921 phones against the "internal user" database.

I have configured 2 service selection rules. Each one points to one of the access services. The only condition I have currently configured is the "protocol" field to be RADIUS. Because both the 7921 phones and the client laptops are generating RADIUS requests I can only have one EAP type working depending which rule is at the top. Because the RADIUS protocol field is always matched, requests never get past the first rule.

Can anybody help me on how I modify the rule to be able to distinguish between VoIP handsets on one WLAN and client laptops on another so that the correct access policy is used for each device?

Many Thanks

Simon

5 REPLIES
Cisco Employee

Re: ACS 5.1 Access Policies for multiple EAP types

You can configure the WLC to send the SSID name in the radius requests:

(s7wlc05) >config radius callStationIdType ?
              
ap-macaddr-ssid Sets Call Station Id Type to the format :

You can then create an ACS rule that checks the Radius callstationid attribute and checks if it ends with ssid "phone" or "laptops" (for example)

Nicolas

New Member

Re: ACS 5.1 Access Policies for multiple EAP types

Hi Nicholas

Thank you for responding.

For sure I thought that you could filter on different attributes, but I'm struggling to work out how to do this with ACS 5 and I'm also struggling to find any documentation on how to do it, so any advice would be great.

Thanks

Simon

Hall of Fame Super Silver

Re: ACS 5.1 Access Policies for multiple EAP types

Not many docs out there for this, but since you are doing multiple authentication you need to create a policy for each. You can start by creating a filter that looks for radius protocol only if you are using tacacs too. Then you can also filter by other attributes like ssid and what type of authentication on that ssid. This way you can specify that a certain ssid uses EAP and matches a windows group, etc. This would go the same with the other authentication. You must match the ssid and to do this, look at these links:

https://supportforums.cisco.com/thread/2044633

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/pol_elem.html#wp1074411

-Scott
*** Please rate helpful posts ***
New Member

Re: ACS 5.1 Access Policies for multiple EAP types

Hi guys, just to add to this: the command 'config radius callStationIdType' is not required when doing 802.1x authentication. Ever noticed the 'Note' right at the bottom of the attached screenshot, “Call Station ID Type will be applicable only for non 802.1x authentication only”? What does this mean???

Well.....

RFC 3580 defines: IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines

In the RFC it states:

Called-Station-Id

   For IEEE 802.1X Authenticators, this attribute is used to store the
   bridge or Access Point MAC address in ASCII format (upper case only),
   with octet values separated by a "-". Example: "00-10-A4-23-19-C0".
   In IEEE 802.11, where the SSID is known, it SHOULD be appended to the
   Access Point MAC address, separated from the MAC address with a ":".
   Example "00-10-A4-23-19-C0:AP1".

Calling-Station-Id

   For IEEE 802.1X Authenticators, this attribute is used to store the
   Supplicant MAC address in ASCII format (upper case only), with octet
   values separated by a "-". Example: "00-10-A4-23-19-C0".

SHOULD   This word, or the adjective "RECOMMENDED", mean that there
   may exist valid reasons in particular circumstances to ignore a
   particular item, but the full implications must be understood and
   carefully weighed before choosing a different course.

Conclusion.

Therefore, if you are using 802.1x for 802.11 authentication, as per the RFC the WLC will by default send the AP MAC address with the SSID appended. You cannot even change this! So, what is the point of setting the ‘Call Station ID Type’ in the above screenshot? This is used by non-802.1x authentication schemes, for example if you are using web-authentication. This is why the note at the bottom of the screenshot above states: “Call Station ID Type will be applicable only for non 802.1x authentication only”.

I tested this, and when using 802.1x with the Call Station ID Type left to default (= IP address) the ACS still sees call station ID as AP MAC address with SSID appended.

I hope this helps someone learn something new

Dazzler
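As an added illustration (not code from the thread, from Cisco ACS or from the WLC), here is a Python sketch of the RFC 3580 Called-Station-Id format Dazzler quotes and the "ends with SSID" service selection Nicolas describes. The rule table, access service names and the sample attribute values are hypothetical and constructed for this example; a value with no SSID appended (non-802.1X style) deliberately matches nothing rather than guessing.

```python
import re
from typing import NamedTuple, Optional

# RFC 3580 Called-Station-Id for 802.11 access points: the AP MAC in upper-case
# hex octets separated by "-", optionally followed by ":" and the SSID.
_AP_MAC_RE = re.compile(r"^[0-9A-F]{2}(?:-[0-9A-F]{2}){5}$")


class CalledStation(NamedTuple):
    ap_mac: str
    ssid: Optional[str]   # None when the authenticator did not append an SSID


def parse_called_station_id(value: str) -> CalledStation:
    """Split "00-10-A4-23-19-C0:AP1" into AP MAC and SSID; reject other shapes."""
    mac, sep, ssid = value.partition(":")   # split on the first ":" only; an SSID may contain ":"
    if not _AP_MAC_RE.match(mac):
        raise ValueError(f"not an RFC 3580 Called-Station-Id: {value!r}")
    return CalledStation(mac, ssid if sep else None)


# Service selection table, evaluated top to bottom like the ACS rule table in the
# thread. Rule suffixes and access service names are hypothetical (constructed here).
SERVICE_SELECTION_RULES = [
    # (protocol, suffix the SSID in Called-Station-Id must end with, access service)
    ("RADIUS", "phones",  "EAP-FAST_Internal_Users"),
    ("RADIUS", "laptops", "PEAP_Active_Directory"),
]


def select_access_service(attrs: dict) -> Optional[str]:
    """Return the first matching access service, or None when no rule matches."""
    if attrs.get("protocol") != "RADIUS":
        return None
    try:
        station = parse_called_station_id(attrs.get("Called-Station-Id", ""))
    except ValueError:
        return None   # malformed or non-802.1X style value (e.g. an IP): no match
    if station.ssid is None:
        return None   # no SSID appended, so a suffix rule cannot safely match
    for protocol, suffix, service in SERVICE_SELECTION_RULES:
        if protocol == attrs["protocol"] and station.ssid.endswith(suffix):
            return service
    return None


if __name__ == "__main__":
    # Constructed sample values: two 802.1X-style IDs, one without SSID, one IP-style.
    for csid in ("00-10-A4-23-19-C0:corp-phones", "00-10-A4-23-19-C0:corp-laptops",
                 "00-10-A4-23-19-C0", "10.1.1.5"):
        print(csid, "->", select_access_service({"protocol": "RADIUS", "Called-Station-Id": csid}))
```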

Cisco Employee

ACS 5.1 Access Policies for multiple EAP types

You can create the End Station filter (DNIS) and, based on that, create a service selection rule.
