ACS: Service Selection based on EAP Type?

Justin Kurynny
Level 4

Hi all,

I've been poking around in ACS 5.x, trying to figure out how to make a Service Selection based on the EAP type the client is using to authenticate. For example, I have a wireless LAN on my WLC and my wireless clients will use one of two EAP types--either PEAP or EAP-FAST--to authenticate to it. If they use PEAP, I want to put them in (interface) VLAN 10. If they use EAP-FAST, they should be assigned to (interface) VLAN 20.

I know how to do the AAA override piece, but the first part--determining which Access Policy to use based on client's EAP type--is eluding me. Does anyone know if it's possible, and if so, how to do it?

Justin

6 Replies

Scott Fella
Hall of Fame

Justin,

You have to create a new service selection rule, one for each type of auth. This will allow you to specify which default network access policy to use in which you can define your vlans.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

Scott,

That’s what I figure, but unless it’s staring me straight in the face, I can’t see how to tie an EAP type to a specific Service Selection Rule. I can do it for an Access Policy, but I can’t see where to select it under the selection rule itself.

Can you give me a hint? ☺

Justin

I can take a look at my ACS later tonight. Not in front of it right now.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

Here is what you can try... hope it helps:)

Create two Access Services Policies one for PEAP and one for EAP-FAST

Create two Service Selection Rules, one for PEAP and the other for EAP-FAST.  Customize to lookup End Station Filter.

PEAP End Station Filter

EAP-FAST End Station Filter

PEAP Service Selection Rule

EAP-FAST Service Selection Rule

Authorization Profiles for vlan override

EAP-FAST Authorization Rule

PEAP Authorization Rule

-Scott
*** Please rate helpful posts ***

Scott,

Great response; it got me where I needed to be. I'll have to tweak the setup a bit as it appears the desired DNIS string (EAP-FAST) or (PEAP) is not coming through on the first RADIUS packet from the controller. It's coming in on packet #2, so at some point I'll need to figure out a way to deal with this using an end-station filter at the Service Selection level.

In the meantime, your reply helped me discover another perfectly working result, but in a slightly different way--as I started digging into the Authorization conditions in an Access Policy, lo and behold, there is an option for EAP Tunnel Building Method.

I just created two different Authorization rules for a single Access Policy:

Rule-1: if EAP Tunnel Building Method == PEAP call Authorization Profile that assigns client to VL10

Rule-2: if EAP Tunnel Building Method == EAP-FAST call Authorization Profile that assigns client to VL20

(Screenshot: authzEapTunnMeth.PNG)

With ACS, it seems it's just a matter of realizing that you can put conditions just about anywhere, but that not all conditions are available everywhere. And now that I'm just about used to it... time to switch to ISE.

Thanks for your effort and all the screengrabs.

Justin

There is a lot you can grab from RADIUS attributes, and customizing the rules is important. What you can do is take one SSID and verify it passes, then review the passed authentication and look at what RADIUS attributes come through. The reason I used DNIS to filter is to be able to distinguish which rule to hit first. It should have worked as long as you see it come through as the called station with the MAC address. I usually like to customize the rules to look at protocol first, then SSID, but you just need to tweak what works for you.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***