I've been poking around in ACS 5.x, trying to figure out how to make a Service Selection based on the EAP type the client is using to authenticate. For example, I have a wireless LAN on my WLC and my wireless clients will use one of two EAP types--either PEAP or EAP-FAST--to authenticate to it. If they use PEAP, I want to put them in (interface) VLAN 10. If they use EAP-FAST, they should be assigned to (interface) VLAN 20.
I know how to do the AAA override piece, but the first part--determining which Access Policy to use based on client's EAP type--is eluding me. Does anyone know if it's possible, and if so, how to do it?
That’s what I figure, but unless it’s staring me straight in the face, I can’t see how to tie an EAP type to a specific Service Selection Rule. I can do it for an Access Policy, but I can’t see where to select it under the selection rule itself.
Great response; it got me where I needed to be. I'll have to tweak the setup a bit as it appears the desired DNIS string (EAP-FAST) or (PEAP) is not coming through on the first RADIUS packet from the controller. It's coming in on packet #2, so at some point I'll need to figure out a way to deal with this using an end-station filter at the Service Selection level.
In the meantime, your reply helped me discover a perfectly working result, but in a slightly different way--as I started digging into the Authorization conditions in an Access Policy, lo and behold, there is an option for EAP Tunnel Building Method.
I just created two different Authorization rules for a single Access Policy:
Rule-1: if EAP Tunnel Building Method == PEAP call Authorization Profile that assigns client to VL10
Rule-2: if EAP Tunnel Building Method == EAP-FAST call Authorization Profile that assigns client to VL20
With ACS, it seems it's just a matter of realizing that you can put conditions just about anywhere, but that not all conditions are available everywhere. And now that I'm just about used to it... time to switch to ISE.
There is a lot you can grab from RADIUS attributes, and customizing the rules is important. What you can do is take one SSID and verify it passes, then review the passed authentication and look at what RADIUS attributes come through. The reason I used DNIS to filter is to be able to distinguish which rule to hit first. It should have worked as long as you see it come through as the called station with the MAC address. I usually like to customize the rules to look at protocol first, then SSID, but you just need to tweak what works for you.
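The two authorization rules above, and the advice in the last reply to inspect which RADIUS attributes actually arrive in a passing authentication, both come down to one thing: the EAP tunnel method is only visible once the EAP conversation has progressed past the initial Identity response, so a condition on it works at the authorization step but not on the first Access-Request. The following Python model, added here as an illustration and not code from the thread or from Cisco ACS, makes that timing concrete. It builds the raw EAP-Message attribute of a constructed two-packet exchange, decodes the EAP method type from it (the IANA codes 1 = Identity, 25 = PEAP, 43 = EAP-FAST are real), and applies the VLAN 10 / VLAN 20 rules via the standard Tunnel-Private-Group-ID attribute. The rule-evaluation order (service selection on the first packet, authorization on the last) is a simplification assumed for the demonstration, and the user name, SSID and MAC are constructed sample values.

```python
import struct

# IANA EAP method type codes (real values); the thread's two tunnel methods.
EAP_IDENTITY = 1
EAP_PEAP = 25
EAP_FAST = 43
EAP_NAMES = {EAP_PEAP: "PEAP", EAP_FAST: "EAP-FAST"}

# RADIUS VLAN assignment attribute values (RFC 2868 / RFC 3580, real values).
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6


def eap_response(eap_id, eap_type, payload=b""):
    """Build a raw EAP-Response packet: code=2, id, length, type, type-data."""
    length = 5 + len(payload)
    return struct.pack("!BBHB", 2, eap_id, length, eap_type) + payload


def eap_tunnel_method(eap_message):
    """Return "PEAP" / "EAP-FAST" carried in an EAP-Message, or None.

    The Identity response (type 1) and any malformed packet yield None,
    which is exactly why the first Access-Request cannot tell us the method.
    """
    if len(eap_message) < 5:
        return None
    code, _eap_id, length, eap_type = struct.unpack("!BBHB", eap_message[:5])
    if code != 2 or length != len(eap_message):
        return None
    return EAP_NAMES.get(eap_type)


def service_selection(first_request):
    """Service selection, modelled as seeing only the first Access-Request.

    A rule keyed on the EAP tunnel method falls through to the default
    service here, because packet #1 only carries the Identity response.
    """
    method = eap_tunnel_method(first_request["EAP-Message"])
    if method == "PEAP":
        return "Service-PEAP"
    if method == "EAP-FAST":
        return "Service-FAST"
    return "Default Network Access"


def authorization(final_request):
    """The thread's Rule-1 / Rule-2: PEAP -> VLAN 10, EAP-FAST -> VLAN 20.

    Returns the Access-Accept attributes, or None for an Access-Reject.
    """
    method = eap_tunnel_method(final_request["EAP-Message"])
    vlan = {"PEAP": "10", "EAP-FAST": "20"}.get(method)
    if vlan is None:
        return None
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,
        "Tunnel-Private-Group-ID": vlan,
    }


def run_exchange(method):
    """Constructed two-packet exchange for one client using `method`.

    Packet #1 carries EAP-Response/Identity; packet #2 is the first
    response of the tunnelled method (a single flags byte as type-data).
    """
    called_station = "00-11-22-33-44-55:corp-wlan"  # constructed sample value
    packets = [
        {"User-Name": "alice", "Called-Station-Id": called_station,
         "EAP-Message": eap_response(1, EAP_IDENTITY, b"alice")},
        {"User-Name": "alice", "Called-Station-Id": called_station,
         "EAP-Message": eap_response(2, method, b"\x00")},
    ]
    return service_selection(packets[0]), authorization(packets[-1])


if __name__ == "__main__":
    for m in (EAP_PEAP, EAP_FAST):
        service, accept = run_exchange(m)
        print(EAP_NAMES[m], "->", service, accept)
```

Running it shows both clients landing in the default service (the EAP-type condition never matches on packet #1) while the authorization step still hands back Tunnel-Private-Group-ID 10 for PEAP and 20 for EAP-FAST, which is the behaviour the thread arrived at. When checking a real deployment, the equivalent of this model is the reply's advice: look at the attributes of a passing authentication in the ACS report and confirm the tunnel method is present at the step where your rule reads it.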