WLC Radius Attribute support

Similar Messages

• Radius Attributes Supported by WLC? Guest bandwidth limiting

  Hello all..
  I've seen several mentions of limited guest user traffic usage by QoS settings and policy maps.. But my issue with this is, it's a global setting for that SSID. In my case, I have a 'Submit' button our Guest Internet page that does a hidden login of the user Guest. In the past, I would apply a sesion time out of 3hours and limit the bandwidth by quite a bit. However, for vendors and visitors that come in, there was a login section that they could input their uesr/pass given to them by the helpdesk and with radius attributes have an extended time out with greater bandwidth. However, I haven't been able to get this to work on the Controller based service, other then the time-out attribute. Is anyone doing it this way? What attributes does the WLC support?

  Have you looked at the v4.2 code? You can create different QoS Roles, and then assign different people to different roles.
  I've never tried this through RADIUS though.
  Regards,
  Richard

• WLC RADIUS attribute with Cisco ISE

  Hi All,
  Does anyone get the same result as me when integrating Cisco ISE with Wireless LAN Controller ?
  My Authentication Policy :
       Name: IsGuestAuthen
       IF "WLC_Authentication" THEN "Default Network Access" > "Internal Users"
  My Authorization Policy :
       Name: IsGuestAuthen
       IF "Guest" THEN "InternetOnly"
  When I monitoring on the Live Authentication page, I can see only the MAC address and a guest account that authenticated. I cannot see the IP address of the guest client. Do you get the same result as me ?
  Please advise on how to get the IP address of the guest client to show on the Live Authentication Page.
  Thanks,
  Pongsatorn Maneesud

  Exactly...here is the list of attributes sent in the access-request from the wlc -
  http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_security_sol.html#wp1992129
  The framed ip address is sent in the accounting packet which doesnt appear in the live authentication report.
  If you are up to speed on rest api's here is some reference material on this:
  http://www.cisco.com/en/US/docs/security/ise/1.1/api_ref_guide/ise_api_ref_ch2.html#wp1089826
  You can also run radius accounting report and filter it based off of account-start packets which will have the username and the ip address along with the mac address.
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• Filter RADIUS Attributes transmitted by WLC?

  Afternoon all,
  I've got an 8510 on the latest 7.6.120.0 software and I have a standard WPA2/802.1x Wireless LAN.  When Users authenticate we send their traffic off to a RADIUS Server, but when we do, the WLC includes all sorts of superfluous RADIUS attributes in the request (various things like default VLAN ID and all sorts of Cisco Airespace bits)
  The RADIUS Server we're using can't filter these attributes out, so I'd like to find a way of having the WLC not send them in the first place...  Any suggestions?
  Cheers,
  Richard

  Hi Richard,
  As far as I know you cannot do anything on WLC to stop this. 
  Did you speak to TAC and ask about this ? Not sure any hidden commands to do this though.
  HTH
  Rasika
  **** Pls rate all useful responses ****

• WLC-Radius Integration..

  Hi
  I want to do the WLC authentication with radius.the problem is when i enter the username and password , in radius it shows authentication passed but in telnet prompt it asks again for username password as if wrong username-password.
  attached are debug capture of WLC and radius config summry.
  can u please help me on the same

  Hi
  similar incident i have observed on cisco.
  Problem Title
  Unable to login to WLC even after the successful authentication message is received from the RADIUS Server
  Resolution For the Remote Access Dial-In User Service (RADIUS) user to login to the controller, the login user entry in the RADIUS server has to be associated with an attribute, Service-Type.If this attribute is not sent back to the controller from the ACS, the authentication finishes successfully (access-accept) and you do not see any authorization error on the controller, even with debug aaa all enable. But, you are prompted again for authentication. The only thing missing in the RADIUS return packet is the service type 6 attribute.Refer to the Before Using RADIUS Attributes section of RADIUS Attributes for more information on how to configure the service-type attribute.
  It seemseverything ok in WLC and radius attribute is a problem..

• ACS 5.5 Radius Attribute not listed in Radius Directory

                     Hello Community,
  iam on the evaluation on Cisco ACS 5.5, and iam trying some scenarios for my company.
  I have to authenticate a ip phone . here i need one VLan tagged and one vlan untagged.
  In the authorization profile u can add the Radius Attributes, we got hp switches and i need the attribute  with the ID-56, but this ID ist not listed in the Authorization Profiles--> Radius Attributes-->select Part.
  But it is listed under system-administration->Configuration-->dictionaries-->Protocols->Radius--> Radius IETF
  come somebody tell me how i can selct this Attributes under Authorization Profiles--> Radius Attributes-->select Part. ??
  Thanks a lot
  regards

  Hi
  As you are using HP switches, certain advanced use cases, such as those that involve posture assessment, profiling, and web authentication, are not consistently available with non-Cisco devices or may provide limited functionality, and are therefore not supported with non-Cisco devices.
  For more information regarding Authorization profile configuration, please go through the following link:
  http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/user/guide/acsuserguide/pol_elem.html

• [Cisco ACS] 11036 The Message-Authenticator RADIUS attribute is invalid

  Hi,
  I got many Cisco AP which are linked to 2 Cisco WLC.
  On each WLC, I configured a primary and a secondary RADIUS Server.
  RADIUS servers are Cisco ACS 5.2.0.26 (patch 10)
  Primary and secondary ACS configurations are synchronized.
  There are no problem between primary WLC and Cisco ACS (primary and secondary).
  When secondary WLC requests primary Cisco ACS, I get this error "11036 The Message-Authenticator RADIUS attribute is invalid"
  Secondary WLC automatically contacts secondary Cisco ACS and it works fine.
  Cisco ACS description for this error: "This maybe because of mismatched Shared Secrets."
  The two Cisco ACS are synchronized so I should have same error on them...
  Why does primary ACS generate this error?
  Thanks for your help,
  Patrick

  Tarik Admani wrote:Amjad,That is a good observation, shouldnt 7.3 (which recently released) help put these types of issues to rest? I hear that the configuration can now be replicated from one controller to the next in a failover setup.Thanks,Tarik Admani
  *Please rate helpful posts*
  Yes. That is a good point.
  With 7.3 you can use high availability (HA) between two WLCs and you can configure only one WLC (the primary) and all the configuraiotn can be replicated and synched to the other WLC (the secondary).
  The two WLCs in the HA must be on same subnet though. Otherwise hot-standby HA between WLCs can't be used.
  Rating useful replies is more useful than saying "Thank you"

• Apply QoS profile using RADIUS attributes

  Hi all,
  Anyone delved into the use of RADIUS attributes to apply QoS values (DSCP/802.1p) to wireless users via a WLC?
  With the emergence of ISE and the concept of a shared SSID for several user types I may want to apply QoS profiles by user rather than SSID.
  Do you need to apply the maximum value to the SSID for the attribute-derived value to work?
  Can non-WMM client traffic be marked using this approach?
  Plenty to think about here...
  Any discussion welcome!
  Cheers
  Rob

  Yo can apply QoS RADIUS override.
  http://www.cisco.com/en/US/products/ps6307/products_tech_note09186a0080870334.shtml
  Yes it would be best to apply the wlan max qos value to the level that you intend to use with the radius override. for example if you want to apply platinum qos for voice clients on the ssid, i would map the wlan to platinum qos.
  i am not sure on the next question. I think u can assign a DSCP/802.1p to a non WMM clients but I dont think the non wmm clients will benefit from it as they will not tag their traffic and hence the AP and subsequently the wired network will treat it as best effort (untagged).
  Thanks,

• Radius Attributes for WAP321 AP

  Hi
  Is there a list with the supported radius attributes for wlan-user-authentication? Now I have the following freeradius entry in my users file:
  DEFAULT Ldap-Group == 'wlanusers', Huntgroup-Name == 'accesspoint'
          Service-Type := Login,
          Fall-Through := No
  But it doesn't work. Have I forgotten some attributes?
  thx for any help
  Matthias

  Hi,
  Can you please take a screenshot of your configuiration and attach so that it will be used to root cause the issue.
  Regards,
  Phanikrishna

• ACS 3.3 Send Radius Attribute 135 & 136

  Hi
  I need an ACS box to return IETF RADIUS attributes 135 & 136 to a NAS for the assignment of DNS servers to clients.
  The ACS 3.3 user guide lists these as supported IETF RADIUS Attributes however they don't seem to be available under Interface Configuration--> Radius IETF.
  Would anyone know how I can enable these ?
  Thanks
  Leon

  Hi Leon,
  That is quite strange. You should have those attributes.
  As you mentioned you have ACS SE, if you could console into it. Issue command,
  stop csadmin
  start csadmin
  Or rebooting ACS SE will re-start the CSAdmin server.
  If you are restarting services from, System Configuration > Service Control, then that wont restart the CSAdmin service.
  Give that a try.
  Regards,
  Prem

• Cisco 2960-X & ISE accounting- username Radius attribute missing

  Hi,
  I'm facing an issue with cisco 2960 switch radius accounting with Cisco ISE1.2.1 .here is my senario:
  - Username (vendor1) is configured in ISE local database, under  group (VENDOR)
  - Authentication protocol : wired  MAB 
  - Authentication method : webauth  using guest portal  , the user is a  vendor  , so no dot1x configured on his NIC .
  the problem is that , the switch is not sending the username as a part of radius attribute , in the authentication log , the username shown as the MAC address of the user machine , therefor , I can not configure my authorization condition using  internaluser:Name  Equal  vendor1
  while if  I configure the condition using the identity group condition  IdentityGroup:Name  Equal  VENDOR  , it works .
  The same configuration is working on 3750 switch  with no issue .
  Here is my Switch config:
  aaa authentication login default local
  aaa authentication dot1x default group radius
  aaa authorization network default group radius 
  aaa authorization auth-proxy default group radius 
  aaa accounting auth-proxy default start-stop group radius
  aaa accounting dot1x default start-stop group radius
  aaa accounting update periodic 5
  username admin password 
  username radius-test password 
  aaa server radius dynamic-author
   client 172.16.2.20 server-key 7 04490A0206345F450C00
   client 172.16.2.21 server-key 7 03165A0F0F1A32474B10
  radius server ISE-RADIUS-1
   address ipv4 172.16.2.20 auth-port 1812 acct-port 1813
   automate-tester username radius-test idle-time 15
   key 7 111B18011E0718070133
  radius server ISE-RADIUS-2
   address ipv4 172.16.2.21 auth-port 1812 acct-port 1813
   automate-tester username radius-test idle-time 15
   key 7 0214055F02131C2A4957
  radius-server attribute 6 on-for-login-auth
  radius-server attribute 8 include-in-access-req
  radius-server attribute 25 access-request include
  radius-server attribute 31 mac format ietf upper-case
  radius-server attribute 31 send nas-port-detail
  radius-server dead-criteria time 5 tries 3
  radius-server vsa send accounting
  radius-server vsa send authentication
  any help  !!!

  Thanks for your reply , I know what's MAB , if you read my explanation again , i mentioned that the user is authenticated in the guest portal which mean that I have web authentication , and it is working fine .. The only issue is that I can not use the vendor1 username as part of authorization condition and this is because the switch is not sending the radius attribute type 1 to the ISE , thus , on the ise authentication log the MAC address  of the client machine is shown as a username not the actual username ( vendor1) 
  as I mentioned also , I have exactly the same setup with ise 1.2 and 3750 switch and I do not have this issue .I experience this with 2960x only . 

• Radius Attribute in authentication packet

  I'm new to Radius, so bear with me.
  Is it possible, or does anyone knows how to make use of the vendor specific attribute sent in the authentication request. What I'm looking at is that based on the value of a specific VSA, the value of another radius attribute is set and sent in the authentication response.

  More information on Radius Vendor-specific attribute (VSA) is given in the document.
  http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fappendx/fradattr/scfrdat3.pdf

• Cisco ISE throws "11036 The Message-Authenticator RADIUS attribute is invalid "

  Hello,
  I am trying to authenticate my server(running an NMS) with an Cisco ISE with EAP-TLS protocol.
  I am seeing "11036 The Message-Authenticator RADIUS attribute is invalid " in the ISE when the ACCESS-REQUEST is sent from NMSServer to ISE. The RADIUS shared secret key is same in both the NMS server and the ISE server .
  Is the some java samples for Message authenticator attribute which I can refer. I think, I am missing something in Message authenticator attribute.
  Any pointers or suggestions to overcome this ?

  To login to Prime GUI, the authentication will be done by ISE.
  The flow goes like this, Admins will login to Prime GUI with default username/pwd and add the RADIUS/ISE details to it which will be used by prime for authentication/authorization.
  Once its done, any other user who tries to login to Prime GUI with their own credentials will be validated against the Identity details in ISE. So even to login to Prime GUI, authentication should be successful in ISE.

• ACS 4.2 Windows Radius Attributes for VPN-dial-in

  Hello,
  this Situation:
  Remote-User establish a VPN-Connection (AnyConnect) to a ASA 8.4, ASA forwards Authentication to ACS 4.2. , ACS should assign IP-Adress from a Adress-Pool dependent on GroupMembership (LDAP)
  the Problem:
  the User gets an IP-Config with a Default-Gateway which is always the 3.Address of the IP-Pool (IP-Pools are /28 Ranges), the Mask is ok (/32).
  On the ASA-Log I can see a Message:
  %ASA-6-110002: Failed to locate egress interface for protocol from src interface:src IP/src port to dest IP/dest port
  I've assigned following Attibutes:
  IP Assignement: Assigned from AAA server pool (the accordant pool is selected)
  IETF Radius Attributes:
  006 Service Type: Framed
  007 Framed Protocol: ppp
  009 Framed-IP-Netmask: 255.255.255.255
  (not sure about) 022 Framed-Route: 0.0.0.0
  025 Class: <Group-Policy of ASA>
  does anyone of you know, what I'm making wrong?
  on The ASA I can't find any settings.
  Thanks for any advice

  O'Brien Simon
  Did you manage to get a reply to your question about the timeout period for dynamic users in ACS 4.2 ?  As this is what I was about to ask but noticed your post.
  Many thanks
  florrieford

• ACS 5.1 RADIUS Proxy - Adding RADIUS attributes

  Is there anyway under ACS 5.1 to add RADIUS attributes to outgoing RADIUS proxy auth requests or failing this to RADIUS proxy accounting updates?
  As soon as I configure a RADIUS proxy services, there is little config I can do other than to say whether or not the prefix and suffix is to be stripped.
  I can add these attributes if using an external RADIUS box as an identity store, but I cannot do this for this particular service and instead I need to use RADIUS proxying.
  Thanks
  Paul

  Hi Steve,
  The shared secret is 100% correct.
  Finally I find out that there may be some white lists for attributes.
  If I keep NAS-Identifier , it will work.
  But it can't pass all VSA (3GPP sub-attributes) , it only shows one or three in BOTH ACS and RADIUS Server.
  The other is the RADIUS VSA User Define Options (which is in SA > C > D > P > RADIUS > RADIUS VSA > Edit ) .
  When 'Vendor Length Field Size' changes to 0 , All sub-attributes pass thought ACS .
  The RADIUS Server gets the message from NSA.
  Of course, there is the Proxy-State attribute.
  In this condition, the ACS has incorrect output in the sub-attribute.
  Now I try 5.2 to see the problem exist or not.