04-10-2012 10:18 AM - edited 07-03-2021 09:58 PM
Hi all,
I've been poking around in ACS 5.x, trying to figure out how to make a Service Selection based on the EAP type the client is using to authenticate. For example, I have a wireless LAN on my WLC and my wireless clients will use one of two EAP types--either PEAP or EAP-FAST--to authenticate to it. If they use PEAP, I want to put them in (interface) VLAN 10. If they use EAP-FAST, they should be assigned to (interface) VLAN 20.
I know how to do the AAA override piece, but the first part--determining which Access Policy to use based on client's EAP type--is eluding me. Does anyone know if it's possible, and if so, how to do it?
Justin
04-10-2012 11:22 AM
Justin,
You have to create a new service selection rule, one for each type of auth. This will allow you to specify which default network access policy to use in which you can define your vlans.
Thanks,
Scott Fella
Sent from my iPhone
04-10-2012 12:26 PM
Scott,
That’s what I figure, but unless it’s staring me straight in the face, I can’t see how to tie an EAP type to a specific Service Selection Rule. I can do it for an Access Policy, but I can’t see where to select it under the selection rule itself.
Can you give me a hint? ☺
Justin
04-10-2012 12:33 PM
I can take a look at my ACS later tonight. Not in front of it right now.
Thanks,
Scott Fella
Sent from my iPhone
04-10-2012 08:11 PM
Here is what you can try... hope it helps:)
Create two Access Services Policies one for PEAP and one for EAP-FAST
Create two Service Selection Rules, one for PEAP and the other for EAP-FAST. Customize to lookup End Station Filter.
PEAP End Station Filter
EAP-FAST End Station Filter
PEAP Service Selection Rule
EAP-FAST Service Selection Rule
Authorization Profiles for vlan override
EAP-FAST Authorization Rule
PEAP Authorization Rule
04-10-2012 09:49 PM
Scott,
Great response; it got me where I needed to be. I'll have to tweak the setup a bit as it appears the desired DNIS string (EAP-FAST) or (PEAP) is not coming through on the first RADIUS packet from the controller. It's coming in on packet #2, so at some point I'll need to figure out a way to deal with this using an end-station filter at the Service Selection level.
In the meantime, your reply helped me discover another perfectly working result, but in a slightly different way--as I started digging into the Authorization conditions in an Access Policy, lo and behold, there is an option for EAP Tunnel Building Method.
I just created two different Authorization rules for a single Access Policy:
Rule-1: if EAP Tunnel Building Method == PEAP call Authorization Profile that assigns client to VL10
Rule-2: if EAP Tunnel Building Method == EAP-FAST call Authorization Profile that assigns client to VL20
With ACS, it seems it's just a matter of realizing that you can put conditions just about anywhere, but that not all conditions are available everywhere. And now that I'm just about used to it... time to switch to ISE.
Thanks for your effort and all the screengrabs.
Justin
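As an added illustration of the two-rule authorization policy Justin describes (this is constructed example code, not Cisco's, not ACS internals, and not anything posted in the thread), the script below models an ordered, first-match rule table keyed on the EAP tunnel-building method and emits the RFC 3580 tunnel attributes a WLC uses for AAA VLAN override. It also shows why the condition belongs in authorization rather than on the very first packet: the first Access-Request from the NAS carries only EAP-Response/Identity, so the tunnel method is not yet known there. The attribute names, EAP type codes (25 for PEAP, 43 for EAP-FAST) and the Called-Station-Id format "AP-MAC:SSID" are standard; the rule table, SSID and sample requests are assumptions made up for the example.

```python
"""
Constructed example: first-match authorization rules keyed on the EAP
tunnel-building method, producing RFC 3580 VLAN-override attributes.
Not Cisco ACS code; the rule table and sample requests are made up.
"""
from dataclasses import dataclass

# EAP method type codes from the IANA EAP registry.
EAP_IDENTITY = 1
EAP_PEAP = 25
EAP_FAST = 43

# Label ACS would show as "EAP Tunnel Building Method" for each tunnelled method.
TUNNEL_METHOD = {EAP_PEAP: "PEAP", EAP_FAST: "EAP-FAST"}

# Ordered rule table (first match wins), mirroring Rule-1/Rule-2 in the thread.
# Each entry: (rule name, required tunnel method, required SSID or None, VLAN id).
# The optional SSID condition reflects the "protocol first, then SSID" ordering.
AUTHZ_RULES = [
    ("Rule-1", "PEAP", None, 10),
    ("Rule-2", "EAP-FAST", None, 20),
]


@dataclass
class AccessRequest:
    """The few RADIUS attributes the rules inspect (simplified, constructed)."""
    user_name: str
    called_station_id: str  # WLCs send "<AP-MAC>:<SSID>" by default
    eap_type: int           # Type byte of the EAP-Message carried in this packet


def parse_called_station_id(value: str):
    """Split 'aa-bb-cc-dd-ee-ff:SSID' into (mac, ssid); ssid is None if absent."""
    mac, sep, ssid = value.partition(":")
    return mac.lower(), (ssid if sep else None)


def vlan_profile(vlan_id: int) -> dict:
    """Authorization profile for AAA override: RFC 3580 tunnel attributes."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": str(vlan_id),
    }


def authorize(req: AccessRequest):
    """Return (rule name, attributes) for the first matching rule.

    Returns None while the EAP method is still unknown: the first
    Access-Request only carries EAP-Response/Identity, so no decision can be
    made on it. Unknown or non-tunnelled methods fall through to "Default"
    with no VLAN override (the client stays on the WLAN's own interface).
    """
    if req.eap_type == EAP_IDENTITY:
        return None
    method = TUNNEL_METHOD.get(req.eap_type)
    _mac, ssid = parse_called_station_id(req.called_station_id)
    for name, want_method, want_ssid, vlan in AUTHZ_RULES:
        if want_method != method:
            continue
        if want_ssid is not None and want_ssid != ssid:
            continue
        return name, vlan_profile(vlan)
    return "Default", {}


if __name__ == "__main__":
    # Constructed sample packets: identity, then a PEAP and an EAP-FAST client.
    samples = [
        AccessRequest("alice", "00-11-22-33-44-55:CorpWLAN", EAP_IDENTITY),
        AccessRequest("alice", "00-11-22-33-44-55:CorpWLAN", EAP_PEAP),
        AccessRequest("bob", "00-11-22-33-44-55:CorpWLAN", EAP_FAST),
    ]
    for req in samples:
        print(req.user_name, req.eap_type, "->", authorize(req))
```

Running it shows the identity packet yielding no decision, the PEAP client matched by Rule-1 with Tunnel-Private-Group-ID 10, and the EAP-FAST client matched by Rule-2 with 20. Adding an SSID to a rule's third field restricts that rule to one WLAN, which is the same end result as Scott's customized rule ordering.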
04-11-2012 04:11 AM
There is a lot you can grab from RADIUS attributes and customizing the rules is important. What you can do is take one SSID and verify it passes, then review the passed authentication and look at what RADIUS attributes come through. The reason I used DNIS to filter is to be able to distinguish which rule to hit first. It should have worked as long as you see it come through as the called station with the MAC address. I usually like to customize the rules to look at protocol first then SSID, but you just need to tweak what works for you.
Thanks,
Scott Fella
Sent from my iPhone