Cisco Support Community

ACS 5.3 service selection rules for IP phone

I've spent a considerable amount of time now trying to configure RADIUS 802.1X authentication on our ACS 5.3 appliance, with policies for non-Cisco IP phones (Nortel IP 2004) and machine authentication for PCs, so we can run the PCs through the IP phone switch port. Currently we can't do that, as the existing 802.1X is through MS IAS and is not configured for it.

I have now got an individual policy working on the ACS for the phones, using MAB, with the MAC address of the phone entered as a host in the internal identity store, and also a separate individual policy for the PC authentication which does a host lookup in Active Directory. These work fine on an individual basis and I can post details if necessary, but the part I am having real trouble with is the service selection rules: no matter what I do, it will only hit the first rule and then stop, even if that rule isn't relevant according to the conditions I've set up. Currently I have the rules set up as below, following various internet posts, but it's still not working...

service selection.JPG

Rule 1, which is for our switch management, is fine and can be ignored; rule 2 is to select the IP phones policy (Hardphones) and rule 3 the PC authentication. No matter what I do for the conditions, either my test PC will authenticate or my test IP phone will authenticate, but the rules don't seem to filter correctly. Rule 2 config I got from the link below:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-605524.html#wp9000480

With the rules as above, the phone will authenticate, but the pc fails attempting to use rule 2 which it shouldn't even hit!

I'm going round in circles with this now, so any help appreciated. Rule 2 config posted as well below.

service selection rule 2.JPG

thanks

chris

5 REPLIES

Re: ACS 5.3 service selection rules for IP phone

You don't have to separate PC and phones service policies.

Use a service selection policy that matches both PCs and phones (for example, select a policy based on radius auth).

You can then separate PCs and phones from the selected service policy using the "Authentication Method" Option.

Using MAB, the authentication method for phones will be "lookup".

For PCs, the authentication method will not be "lookup".

So, in both the "Identity" and "Authorization" parts of the access policy, you can choose the "Authentication Method" condition with "match" and "does not match" to separate the identity and/or the authorization profile for PCs and phones.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

ACS 5.3 service selection rules for IP phone

Hi Amjad,

Thanks for responding to this post. I've now combined the two policies into one with 2 rules (which I had already tried but was having similar rule selection issues). I've set the service selection rule to protocol 'radius', so no issue there now.

I originally had my phone identity rule condition set to 'Usecase match Host Lookup' and identity source internal; I've now changed it as below and this seems to work.

The PC rule I'm not sure about though. Originally it was set so the identity was single result selection with identity source AD1 and the authorisation rule as below, which works as an individual policy.

I've tried to modify it according to your suggestion, but I am not sure what/how authentication method lookup actually is or how it differs from 'host lookup', and as I'm trying to look the PC name up in Active Directory, the identity policy attempt below doesn't work and would seem to contradict itself.

I also added authentication method into the authorisation policy as well, but I don't think this would work either.

thanks

chris

ACS 5.3 service selection rules for IP phone

Quickly, as I have to leave now:

- You don't have to use the usecase thing. As far as I remember it is almost the same: use case host lookup = auth method lookup.

- You can also separate the service policies by using the usecase thing.

- Try to use auth method lookup only and let me know if that works.

Sorry for the fast reply but I am really in a hurry.

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"

ACS 5.3 service selection rules for IP phone

Hi Amjad,

Got it working now, thanks! I don't fully understand the different options, but I've got the hardphone access working using 'authentication method match lookup' and the PC policy using 'authentication method does not match lookup'. Seems a bit strange but it works anyway, subject to further testing.

chris

ACS 5.3 service selection rules for IP phone

Hi Martin,

The "lookup" means that MAB is being used (the device is not dot1x capable, so the MAC address is being used as the credentials after the normal dot1x process times out without providing normal credentials).

Now, if MAB is used then it is a phone (because the normal clients will use normal credentials not MAB).

If MAB is not used then it is not a phone, but something else (usually PC or any device that does not use MAB).

I hope it is still working with you without problems

Regards,

Amjad

p.s: thanks for marking the correct answer.

Rating useful replies is more useful than saying "Thank you"
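The two points made in this thread (ACS rule tables are first-match, and "Authentication Method = Lookup" is what a MAB request turns into) can be modelled in a few lines. This is an added illustration, not Cisco's code: it assumes the switch signals MAB with Service-Type = Call-Check and a User-Name equal to the Calling-Station-Id, and the attribute values and rule names are constructed.

```python
"""Toy model of ACS 5.x first-match rule evaluation (added illustration).

ASSUMPTION: ACS reports Authentication Method = "Lookup" when the switch
sends a MAB request, i.e. Service-Type = Call-Check and User-Name is the
client MAC (Calling-Station-Id). Attribute values below are constructed.
"""

def _norm_mac(s):
    """Normalise '00-11-22-AA-BB-CC' / '0011.22aa.bbcc' to '001122aabbcc'."""
    return "".join(c for c in s.lower() if c in "0123456789abcdef")

def auth_method(req):
    """Derive the 'Authentication Method' value ACS conditions evaluate."""
    is_mab = (req.get("Service-Type") == "Call-Check"
              and _norm_mac(req.get("User-Name", ""))
              == _norm_mac(req.get("Calling-Station-Id", "")))
    if is_mab:
        return "Lookup"
    return "EAP" if "EAP-Message" in req else "PAP"

def first_match(rules, req):
    """ACS rule tables are first-match: the first rule whose condition holds
    wins and evaluation stops, even if a later rule is more specific."""
    m = auth_method(req)
    for name, condition, result in rules:
        if condition(m):
            return name, result
    return "Default", None

# Identity rules as used in the thread: MAB phones go to the internal host
# store, everything else is looked up in Active Directory.
WORKING_RULES = [
    ("Hardphones", lambda m: m == "Lookup", "Internal Hosts"),
    ("PC-AD", lambda m: m != "Lookup", "AD1"),
]

# The ordering problem from the original post: a phone rule whose conditions
# do not actually restrict it to MAB catches every request, so the PC request
# never reaches the AD rule that follows it.
BROKEN_RULES = [
    ("Hardphones", lambda m: True, "Internal Hosts"),
    ("PC-AD", lambda m: m != "Lookup", "AD1"),
]

# Constructed sample requests (not captured from a real switch).
PHONE_MAB = {"User-Name": "001122aabbcc", "Service-Type": "Call-Check",
             "Calling-Station-Id": "00-11-22-AA-BB-CC"}
PC_DOT1X = {"User-Name": "host/PC01.corp.example", "Service-Type": "Framed",
            "Calling-Station-Id": "00-AA-BB-CC-DD-EE", "EAP-Message": b"\x02"}

if __name__ == "__main__":
    for label, req in (("phone", PHONE_MAB), ("pc", PC_DOT1X)):
        print(label, first_match(WORKING_RULES, req), first_match(BROKEN_RULES, req))
```

Running it shows the PC request landing on "Hardphones" under the broken ordering, which is the symptom described in the opening post.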