RADIUS VSAs for Airespace and ACS 3.3

Similar Messages

• Using root bridge as a fallback radius server for WPA and EAP

  From reading the different documentation out there, it seems that one should be able to configure a root bridge as a fallback radius server in case a primary radius server were to be unreachable. Has anyone encountered this situation? And could they share the steps and configuration statements to apply the bridges (1310 or 1410) in order to make this happen?
  Many Thanks and Regards,
  Giles -

  Yes, you have to first configure a root bridge as a fallback radius server in case a primary radius server were to be unreachable

• Adding RADIUS VSAs on ACS 3.2 SE

  I have tried to add a VSA to enable a Packeteer to authenticate using RADIUS on the ACS.
  Using RDBMS synchronization to import the csv file below.
  SequenceId,Priority,GroupName,Action,ValueName ,Value1,Value2,Value3
  1,1,External,163,26,access=look,2334,1
  The group name is 'External', Action is 163 which corresponds to ADD_RADIUS_ATTR.
  From RDBMS Sychronization Import Definitions (http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs32/user/ag.htm#wp35130)
  To add a vendor-specific attribute (VSA), set VN = "26" and use V2 and V3 as follows:
  •V2 = IETF vendor ID (which in this case is 2334)
  •V3 = VSA attribute ID (1)
  •V1 = In this case 'access=look'
  After a couple of attempts I got the format correct but when I try and import the file I don't get an "INFO" message in the "Reports" section of the ACS indicating that the process was successful. I don't get any message at all, WARNING, ERROR or INFO.
  From the FTP server I can confirm that the file was transferred.
  What I should get is an INFO message similar to:
  08/30/2004 16:27:50 INFO Sync complete: 1 transaction(s) 0 parse error(s) 0 process error(s)
  Any ideas as to what is wrong would be much appreciated.
  Cheers,
  Aylmer.

  HI you need to import the RADIUS VSA for PAcketeer from their site.
  The link to the steps as shown below is ( might require u to subscribe & login)
  https://packeteer.custhelp.com/cgi-bin/packeteer.cfg/php/enduser/std_adp.php?p_faqid=399&p_created=1046793530&p_sid=gszcDFBh&p_lva=&p_sp=cF9zcmNoPTEmcF9zb3J0X2J5PWRmbHQmcF9ncmlkc29ydD0mcF9yb3dfY250PTImcF9wcm9kcz0wJnBfY2F0cz0wJnBfcHY9JnBfY3Y9JnBfc2VhcmNoX3R5cGU9YW5zd2Vycy5zZWFyY2hfZm5sJnBfcGFnZT0xJnBfc2VhcmNoX3RleHQ9YWNz&p_li=&p_topview=1
  IN any case the same content is copied below:-
  Also the stpes on how to do them is listed here
  Create a User Defined Vendor
  First, you need to create a User Defined Vendor.
  1. Create a text file (packet.ini) and enter the following:
  [User Defined Vendor]
  Name=Packeteer
  IETF Code=2334
  VSA 1=Packeteer-AVPair
  [Packeteer-AVPair]
  Type=STRING
  Profile=OUT
  2. Name the file packet.ini.
  Add the Vendor to the Database
  Next, you need to add the above vendor to the database.
  1. Go to the command prompt, and change the directory to the Cisco Secure utils directory (typically C:\Program Files\CiscoSecure ACS v3.0\Utils).
  2. The instructions below install the vendor into User Defined slot 0. If you have other vendors, you need to change this number to a free slot. To see a list of slots and their assignments, use the csutil -listudv command. For example:
  C:\Program Files\CiscoSecure ACS v3.0\Utils>csutil -listudv
  CSUtil v3.0(2.5), Copyright 1997-2002, Cisco Systems Inc
  UDV 0 - Unassigned
  UDV 1 - Unassigned
  UDV 2 - Unassigned
  UDV 3 - Unassigned
  UDV 4 - Unassigned
  UDV 5 - Unassigned
  UDV 6 - Unassigned
  UDV 7 - Unassigned
  UDV 8 - Unassigned
  UDV 9 - Unassigned
  3. Run csutil -addudv to and add Packeteer to UDV (User Defined Vendor) slot 0 or the next
  open slot.
  C:\Program Files\CiscoSecure ACS v3.0\Utils>csutil -addudv 0 c:\temp\packet.ini
  CSUtil v3.0(2.5), Copyright 1997-2002, Cisco Systems Inc
  Adding or removing vendors requires ACS services to be re-started.
  Please make sure regedit is not running as it can prevent registry
  backup/restore operations
  Are you sure you want to proceed? (y/n)y
  Parsing [c:\temp\packet.ini] for addition at UDV slot [0]
  Stopping any running services
  Creating backup of current config
  Adding Vendor [Packeteer] added as [RADIUS (Packeteer)]
  Adding VSA [Packeteer-AVPair]
  Done
  Checking new configuration...
  New configuration OK
  Re-starting stopped services
  Verify that Packeteer was added.
  C:\Program Files\CiscoSecure ACS v3.0\Utils>
  C:\Program Files\CiscoSecure ACS v3.0\Utils>csutil -listudv
  CSUtil v3.0(2.5), Copyright 1997-2002, Cisco Systems Inc
  UDV 0 - RADIUS (Packeteer)
  UDV 1 - Unassigned
  UDV 2 - Unassigned
  UDV 3 - Unassigned
  UDV 4 - Unassigned
  UDV 5 - Unassigned
  UDV 6 - Unassigned
  UDV 7 - Unassigned
  UDV 8 - Unassigned
  UDV 9 - Unassigned
  4. Return to ACS Admin and select Network Configuration.
  From the main screen select Network Configurtion and add the PacketShaper by supplying the AAA client Hostname, IP address: , Key. Scroll through the Authenticate Using choices and select RADIUS (Packeteer).
  5. From the main screen select User Setup and enter a user name for a Touch or Look access user to the Packet Shaper. Supply the PAP/CHAP password. Leave other fields at defaults and scroll to the bottom
  of the form. Be sure the Packeteer-AVPair box is selected and supply either
  "access=touch" or "access=look" in the available entry space.

• Cisco ACS 4.2.1.15 for Windows and Network Access Profiles

  We are attempting to configure ACS 4.2.1.15 on Windows Server 2008 Member Server. Initially I only have the need to authenticate Network Admins for device administration and authenticate Windows AD groups using PEAP authentication. The general problem that I am having is that if I configure a Cisco 1200 Access Point  for PEAP and also setup The Access Point for Radius authentication pointed to the ACS server it always maps to the the first Network Access Profile and rather than it trying the second it will error sayiing some condition is not met depending on what changes I make. Can someone tell me what the criteria that is used to determine what NAP is used? According to the manual if all 4 criteria are not met then the Profile will not apply.
  I am using one ACS group that is mapped to an AD group for Wireless Access and a Second ACS group mapped to an AD group that includes the Net Admins. This group mapping appers to be working as the user group name seems to mapped correctly in the logs.  In short I have tried only configuring the Wireless NAP to only Allow EAP authentication using PEAP EAP-MSCHAPv2 and the Netadmins profile to include all protocols. Bascially what happens is if I have the Wireless NAP first it works fine for PEAP authentication on Wireless but if I try to administer the access point and provide credentials I get a message in the failed log that the authentication profile is not allowed in this Network Access Profile. Why does this not just go onto the next Network Access profile?
  I am familiar with version 3.2 but it does not seem to work the same.
  Any help would be appreciated on what I am missing.
  Thanks

  Hi Surenda,
                     Thanks for your reply. Nop, there is no WLC yet, but the WLC will be installed shortly.
  Thanks,
  Jean Paul

• Dynamic VLAN assignment with WLC and ACS for

  Currently, using our autonomous APs and ACS, our users get separate VLANs per building based on their security level (students or staff). Basically, the student VLAN in one building is different from that of the student VLANs in other buildings on campus. Currently, we do this by filling the Tunnel-Private-Group-ID IETF RADIUS attribute with the VLAN name. This all works because each individual AP can map VLAN names to different VLANs like this:
  dot11 vlan-name STUDENT vlan 2903
  dot11 vlan-name FACSTAF vlan 2905
  As we are working on our WiSM deployment, we see that the document below shows how to do the dynamic VLAN assignment on our WLAN controllers:
  http://www.cisco.com/en/US/customer/products/sw/secursw/ps2086/products_configuration_example09186a00808c9bd1.shtml
  However, we haven't figured out if it's possible to still provide our users with different VLANs for each building they're in.
  With the instructions above, it looks like ACS uses a Cisco RADIUS Attribute to indicate the Air-Interface-Name, mapping an ACS/AD group to a single WLC interface which can only have one VLAN/subnet associated with it.
  Does anybody know if what we're trying to accomplish is possible, or if we're really stuck with only one VLAN/subnet per mapped ACS group?

  We only have the one WiSM for all of campus, so it's handling everything. This Cisco docs do indicate how to put differnet users in different Vlans, but we don't currently see a way to also put them in different subnets per building.
  This being the case, any suggestions on how best to handle more than a Class C subnet's worth of users? Should we just subnet larger than Class C, or is there a more elegant way of handling this?

• Using Active Directory and ACS for Concentrator 3000 VPN

  Has anyone gone down the path of using Cisco ACS for network access control AND authenticating it with their W2K Active Directory for VPN 3000 concentrators? I did some research on Google, Cisco web, and this group, I did not find a definite answer on the best practice for the architecture and design, can anyone share your experience how you approached this?
  Below is my understanding, I appeciate any help to piece some or all the below together
  (1) The end state is once a VPN user is successfully authenticated, it is assigned to certain network access privilege based on its group's policy. How to accomplish this?
  (2) AD stores a central user database for user authentication. Each user may belong to one or more groups on the AD; ACS is reponsible for network access control for the specific groups and enforces these controls to the users via the concentrators.
  (3) Concentrator is the NAS, and ACS is the RADIUS server
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800949b4.shtml
  (4) Concentrator can link to the AD as an external database: http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_1/gs/gs3mgr.htm
  (5) A single "Tunnel Group" is created on the concentrator
  (6) Mulpile Groups, per corporate infosec policies are created on the AD
  (7) Mulpile Groups, per corporate infosec policies are also created on ACS, need to match with what're in the AD
  TIA.

  In order to restrict access for a specific AD group to specific SSID this is what you need to perform.
  When the WLC sends an authentication request to the  ACS, it will include  the SSID that the user is connecting to, in the  attribute  Calling-Station-Id(31). We can use this information to create  multiple  rules in ACS 5.x in order to take actions based on the  information  contained in the attribute.
  Under the  Users and Indetity Stores > click on Directory Groups > select  > check the group name you want to add and hit ok. Save the changes.
  We  just need to  create a DNIS rule that includes the name of the SSID and  use it as a  condition in any rule that we create for authentication.  The * is  required because the attribute not only contains the SSID but  also a MAC  address so the * is use as a regular expression.
  Now go to access-policies > default-network access > identity should be AD1.
  Go  to authorization > click on customize > move the  AD1:ExternalGroups and end-station filter attribute on the right side  and hit ok.
  After that slect the appropriate ad group for teachers and end-station filter.
  Save changes.
  Jatin Katyal
  - Do rate helpful posts -

• Pack and unpack Radius VSA attributes

  Hi
  As far as I know there are some methods to pack radius VSA attributes. Here are:
  As the part of Cisco-AVPair
  26 - VSA
  Length
  9  - Vendor ID
  1  - Vendor Type (Cisco-AVPair Attribute ID)
  Attribute Name=Value
  In the Vendor Specific attribute ("throught attribute ID")
  26  - VSALength
  9 - Vendor ID
  2 - Vendor Type (Attribute ID)
  Vendor Length
  Attribute Name=Value
  In the Vendor Specific attribute ("throught attribute ID") 
  26 - VSA
  Length
  9 - Vendor ID
  2 - Vendor Type (Attribute ID)
  Value
  i.e. with attribute name and witout.
  How to understand which attribute needs attribute name in value string?
  For example:
  26|Length|9|2|Vendor Length|1|h323-incoming-conf-id=82b5fc8cd6f411dfa3c6080027716a9a
  26|Length|9|2|Vendor Length|35|h323-incoming-conf-id=82b5fc8cd6f411dfa3c6080027716a9a
  26|Length|9|2|Vendor Length|35|82b5fc8cd6f411dfa3c6080027716a9a
  which of the methods is right?

  Hi,
  For the specific VSA you used in the example (h323-incoming-conf-id), (1) is the correct encoding, since Cisco VSA vendor type 1 (also more commonly referred to as  cisco AV Pair) is always encoded in strings with the format of "attribute=value". This applies to other cisco VSAs that use string encoding as well. For VSA's that don't use string encoding, eg., fax-pages (vendor type 5, encoding integer), it typically doesn't include the value. You should be able to check that against the vendor dictionary to confirm. Please also see:
  http://www.cisco.com/en/US/docs/ios/voice/cdr/developer/guide/cdrdefs.html
  Thanks,
  Wen

• How to add a switch to acs for login and ads authentication

  Hi all
  I want to add my switch so that it authenticates to my acs for login auth, I have done the switch end, using radius, also added the switch on the acs, how do I force the acs to use windows auth for this login?  do i just go under the network config where the device is and tick the box saying use windows database for authentication, and then do a group mapping ?
  cheers

  Hi,
  Easiest way is to download the table eg into an Excel table (if possible) or text table. Drop the table from the database. Build your table with the new key field. Build the database table again and fill it.
  You can do it also over the database into a new table. Drop the old one. Build the enhanced one and fill it. Afterwards drop your (temporary) table.
  Maybe there are other ways, but this works.
  Success,
  Rob

• Tacacs+ for exec and radius for ppp on the same ras

  Hi, I'm going to implement tacacs+ for exec control and RADIUS for ppp control in a ras router, using the same ACS for tacacs+ and radius sessions.
  Is there any problem with this kind of configuration ?
  thank you in advance
  Renato

  Renato
  I have recently done something very similar at a customer site. On a remote access server we configured it to use TACACS for exec control and to use Radius for ppp. In our case we are using different servers but I do not think that would be an issue. We also are generating aaa accounting records for the ppp sessions and sending the accounting records to the TACACS server. I have not had any particular problems with getting this to work.
  HTH
  Rick

• Authentication providers for TACACS+ and RADIUS

  Does anyone supply WLS 8.1 authentication providers for TACACS+ and/or
  RADIUS?
  Ben

  So in the ACS network config you add 2 NASes (or should that be NASi?)
  One is of type TACACS+, enter the device ip and secret. The other is RADIUS - unless you need to use some vendor specific trickery you could stick with IETF RADIUS to keep it simple. Again enter the IP and the secret.
  Assuming you a have at least 1 user in say, the default group (acs group 0) you then need to do some basic setup. In ACS a single group can have both RADIUS and TACACS+ config :-)
  RADIUS will pretty much default to PPP anyway, but you should still set the Service-Type to Framed and set session timeouts etc.
  With T+ you tick the boxes for the services that are allowed. For SSH login you might have to define a custom service first (under interface config)
  Suggest you first take time to scan through the ACS docs.

• Cisco WLC + ACS + AD for Machine AND User auth...

  So I am trying to implement an SSID that requires a machine to be a domain member, AND require the user to provide username/password credentials before being allowed on that SSID.
  I am reading that it is possible, but can't find a clear config on how it is supposed to be setup... read about Machine Access Restrictions as being part of the config.
  Any help here?
  WLC 7.6 and ACS 5.5
  -g

  We are testing ISE with EAP chaining. It allows you to validate the company device (laptop) is joined to the domain and then the user credentials. However this requires EAP-FAST and the Cisco Anyconnect client. There is a group set up to look at EAP-TEAP. This will allow for standardize "chaining"
  http://tools.ietf.org/html/draft-ietf-emu-eap-tunnel-method-01#page-5

• ACS 3.2 for Windows and Windows Active Directory.

  I'm using a member W2K server to run ACS 3.2.
  I'm using ACS and Windows group mapping but my users always go into default group.
  Why?
  Thanks.
  Andrea.

  I'm assuming your ACS \DEFAULT domain has NT Groups mapped to . Use a new Domain Configuration to add your AD and group mappings.
  The group name in ACS must match exactly the same group in AD. ie. If your AD group name is "Engineering" , create a ACS group with exactly the same spelling. Also,avoid certain characters such as @#%&*() in the naming of groups, both in AD and ACS.
  Hope this helps. let us know.
  P

• Adding a Custom VSA to a Group - ACS Appliance

  Hi,
  Using a secure ACS Appliance 4.0
  I want to add a new RADIUS Vendor and its associated VSA to the ACS configuration. This will then be returned during Authorization.
  I have already added the new Vendor and the required VSA through RDBMS. I can now see the new vendor as RADIUS (vendor) in NAP Profile etc
  However I cannot seem to find a way that how would i set the Value of the Added VSA ? And assign it to a particular group ? I cannot seem to find that VSA anywhere.

  Add a AAA client with "Authenticate using" Radius(vendor)
  then go to Interface Configuration and enable VSA for Group/User
  ~Rohit

• Wireless Virtual LAN - SSID and ACS User Mapping

  Hi Everybody
  We have the following senario:
  - WLC 4402 and ACS 3.3
  - 2 SSID's , One for Emploies - one for gests
  - All users are (guest and emploies) are authentication against the ACS Server.
  We would like to only permit Guest users to use the Guest SSID.
  I've been reading the Wireless Virtual LAN Deployment Guide :
  http://www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/wvlan_an.pdf
  and have tried to use methode 1.
  - RADIUS-based SSID access control:
  "Upon successful 802.1X or MAC address authentication, the RADIUS server
  passes back the allowed SSID list for the WLAN user to the access point or bridge. If the user used an SSID on the allowed SSID list, then the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the access point or bridge."
  "This is configured by enableling the ?[026/009/001] cisco-av-pair? option. On the ACS Server
  - Enable and configure Cisco IOS/PIX RADIUS Attribute,
  009\001 cisco-av-pair
  - Example: ssid=LEAP_WEP"
  I've tried this, but regardless of wich SSID the user(-group) has configured, it sill can access all SSID's?
  Does anyone have any idea of what I'm doing wrong?
  Does this setting only apply to Accesspoint, or is it also valid for the WLC 44xx series?
  Greetings
  Jarle

  Hi I'm sorry but this still does not help.
  We have now upgraded ACS to version 4.0 and I'm still having the same problems.
  This is what i have configured:
  WLC:
  - WLAN
  - SSID : Public
  - WLAN id = 3
  - L2 Security : 802.1x
  - Interface Name : GuestVLAN
  - Controller - Interface
  - management - Untagged
  - GuestVLAN - VLAN 112
  - Security
  - RADIUS Servers
  When authenticating a Guest(belonging to the proper group in acs) - the right VLAN is used, IP Adresses from DHCP is recieved, and the Guest can access internet.
  Switch:
  - Port connected to WLC uses Trunking.
  - Guests are connected to VLAN 112 and "native VLAN" is used to connect the Private Users.
  ACS:
  - AAA Client is the WLC, Authenticating using Cisco Airespace
  - Guest Users are member of Group 11
  - Private Users are member of Group 1
  Group 11
  - Use Per Group NAR to only allow WLAN Access
  - Cisco Airespace RADIUS Attributes
  x 14179\001 - Aire-WLAN-ID = 3
  - Cisco IOS / PIX RADIUS Attributes
  x 009\001 Ciso-av-pair = "ssid=Public"
  - IETF Radius Attributes
  x 006 Service Type = Login
  x 007 Framed-Prot = ppp
  x 064 Tunnel-Type = VLAN
  x 065 Tunnel-Medium-tye = 802.1x
  x 081 Tunnel-Private-Group-ID = 112
  Group (default Group)
  - Cisco Airespace RADIUS
  x 14179\001 Aire-WLAN-ID = 1
  - Cisco IOS/PIX Radius Attrib
  x 009\001 Cisco-av-pair = "ssid=Private"
  - IETF RADIUS
  x 008 Service-type = Login
  x 064 Tunnel-Type = VLAN
  x 065 Tunnel-Medium-tye = 802.1x
  x 081 Tunnel-Private-Group-ID = 1
  Do you have any idea of what i should change?
  Greetings
  Jarle

• One WLC for Headquarter and Remote Site

  Hi
  I have a question about the WLC remote deployment.
  We have the following design at the moment:
  Headquarter
  - Network 192.168.49.0 /24
  - WLC 4402 Version 4.2.61.0
  -- 3 x LAP1252
  -- Layer 3 LWAPP
  -- SSID wep
  -- SSID wpa
  - Windows PDC with Active Directory, DHCP Server and local Data Storage
  - ACS Version 3.2 for TACACS and RADIUS authentication --> External DB to Active Directory
  Remote Site
  - Network 192.168.50.0 /24
  - 2 x LAP1252
  -- SSID wep
  -- SSID wpa
  - Windows PDC with Active Directory, DHCP Server and local Data Storage
  - ACS Version 3.2 for TACACS and RADIUS authentication --> External DB to Active Directory
  Connection between Headquarter and Remote Site
  - 2 Mbit ADSL
  The problem is, that the wireless clients on the remote site get an ip address out of the headquarter DHCP Range 192.168.49.0 /24. The users on the remote site
  most of the time only use the local data server in the remote office. With the actual design the hole traffic is switched over the 2 Mbit ADSL connection the the
  WLC in the headquarter and back to the remote site. That works but it is not that performant.
  The problem could be solved with HREAP, but what I think is, that it is not possible to have the same SSID at headquarter and remote site with different VLANs.
  How can I achieve, that the clients on the remote site connect to the same SSID (wep or wpa), get an ip address from the remote site DHCP server (192.168.50.0)
  and the traffic is switched localy.
  I hope you understand what the problem is.
  Thanks in advance for your help!

  Yes, putting the remote AP's in HREAP mode will allow the same WLANs to be available on the AP's but the traffic would be locally switched at the AP instead of being tunneled back to the controller. After you put the AP in HREAP mode you then would configure which VLAN you want traffic for each WLAN to be dumped onto for that AP.