Hey Antonio,

If I wanted to match on the EAP type, I would use the customize button and 
enable the condition “Eap Authentication Method” within the authorization 
configuration of a specific service.  For instance, this could be performed 
under “Authorization” of the “Default Network Access” service.  Then, you would 
have the option to match LEAP, EAP-TLS, etc… within the rule.

Thanks,
Jason

From: [email protected] 
[mailto:[email protected]] On Behalf Of Antonio Soares
Sent: Friday, March 01, 2013 11:18 AM
To: [email protected]; 'Keith Clarke'
Cc: [email protected]
Subject: Re: [OSL | CCIE_Wireless] ACS 5 and Service Selection Rules

@Keith

Sorry for hijacking your thread but I have the same question as you but in a 
real world scenario ☺

@Jason,

Please confirm that the way to differentiate the EAP type in the service 
selection rules is via the use of End Station Filter.

This was what I found about the topic:

https://supportforums.cisco.com/thread/2142636


Thanks.

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
[email protected]
http://www.ccie18473.net


From: [email protected] 
[mailto:[email protected]] On Behalf Of Keith Clarke
Sent: Friday, March 1, 2013 15:54
To: [email protected]
Subject: Re: [OSL | CCIE_Wireless] ACS 5 and Service Selection Rules

Jeff / Jason,

That makes perfect sense, thanks for the update.

To be honest I usually like to keep the Selection Rules separate when 
implementing customer installs as it's easy to understand and troubleshoot 
(similar to ISE and the authentication / authorization policies).

Thanks again.
Regards,

Keith

Sent from my iPad

On 1 Mar 2013, at 15:23, "Jason Boyers" <[email protected]> wrote:
Like most things on the lab, the answer is "it depends on the requirements put 
forth."  Say, for instance, that you had to allow only PEAPv1/EAP-GTC when 
connecting through an autonomous AP, and only EAP-TLS when connecting through a 
WLC.  However, you couldn't put the EAP type into an authorization policy.  In 
that case, you would need different Service Selection Rules that would only 
allow for EAP of those types.  Then, you would create the authorization 
policies under those services as appropriate.  Does that make sense?

Jason Boyers, CCIE #26024 (Wireless)
Blog: http://netboyers.wordpress.com

On Fri, Mar 1, 2013 at 9:47 AM, Keith Clarke <[email protected]> wrote:
Hi all, first post, please go easy.

I've been scouring the past threads and can't find an answer to the below. 
Couple of questions on ACS 5:

(1) Do you need to create separate Service Selection Rules for types of 
authentication through ACS (Radius client auth via PEAP/EAP-TLS / Radius Admin, 
TACACS auth to multiple devices from multiple groups in ACS)?

(2) If the answer to the above is no, then I take it you are not allowed to 
have anything broken at the end of the ACS configuration. In other words, you 
can't push a rule above another just to test (as it breaks a previous auth).

I have all the permutations I can think of working fine (RADIUS / TACACS) using 
the two default Service Selection Rules, just wondering if this would go 
against me in the real lab environment.

Congrats to all who have passed, great achievement.

Regards,

Keith

Sent from my iPad
