Thanks Jason.

 

Yes, it seems we don’t have that option at the Service Selection Level.
That’s exactly what I need in the real scenario I’m working on. I am using
the End Station Filter as mentioned in the document I sent but don’t know
very well how it works… It seems the NDIS comes from the EAP type but
it’s strange…

 

Regards,

 

Antonio Soares, CCIE #18473 (R&S/SP)
[email protected]

http://www.ccie18473.net

 

 

From: Jason Boyers [mailto:[email protected]] 
Sent: Friday, March 1, 2013 17:32
To: Antonio Soares
Cc: Keith Clarke; [email protected]
Subject: Re: [OSL | CCIE_Wireless] ACS 5 and Service Selection Rules

 

Sorry for any confusion here.  I took a look at the services again.  You
would need to use a filter of either End Station or Network Device Group or
something like that (you can look under the Customize options for various
conditions that are available.)  Then, under the service itself, you would
specify the allowed EAP protocols.  I had in my mind that the Service
Selection also had an option for EAP types, but I don't see it (even under
the Compound Conditions option.)



Jason Boyers, CCIE #26024 (Wireless)
Blog: netboyers.wordpress.com

 

On Fri, Mar 1, 2013 at 12:17 PM, Antonio Soares <[email protected]> wrote:

@Keith

 

Sorry for hijacking your thread but I have the same question as you but in a
real world scenario :)

 

@Jason,

 

Please confirm that the way to differentiate the EAP type in the service
selection rules is via the use of End Station Filter.

 

This was what I found about the topic:

 

https://supportforums.cisco.com/thread/2142636

 

 

Thanks.

 

Regards,

 

Antonio Soares, CCIE #18473 (R&S/SP)
[email protected]

http://www.ccie18473.net

 

 

From: [email protected]
[mailto:[email protected]] On Behalf Of Keith Clarke
Sent: Friday, March 1, 2013 15:54
To: [email protected]
Subject: Re: [OSL | CCIE_Wireless] ACS 5 and Service Selection Rules

 

Jeff / Jason,

 

That makes perfect sense, thanks for the update.

 

To be honest I usually like to keep the Selection Rules separate when
implementing customer installs as it's easy to understand and troubleshoot
(similar to ISE and the authentication / authorization policies).

 

Thanks again.

Regards,

 

Keith

 

Sent from my iPad


On 1 Mar 2013, at 15:23, "Jason Boyers" <[email protected]> wrote:

Like most things on the lab, the answer is "it depends on the requirements
put forth."  Say, for instance, that you had to allow only PEAPv1/EAP-GTC
when connecting through an autonomous AP, and only EAP-TLS when connecting
through a WLC.  However, you couldn't put the EAP type into an authorization
policy.  In that case, you would need different Service Selection Rules that
would only allow for EAP of those types.  Then, you would create the
authorization policies under those services as appropriate.  Does that make
sense?



Jason Boyers, CCIE #26024 (Wireless)
Blog: netboyers.wordpress.com

 

On Fri, Mar 1, 2013 at 9:47 AM, Keith Clarke <[email protected]>
wrote:

Hi all, first post, please go easy.

I've been scouring the past threads and can't find an answer to the below.
Couple of questions on ACS 5:

(1) Do you need to create separate Service Selection Rules for types of
authentication through ACS (Radius client auth via PEAP/EAP-TLS / Radius
Admin, TACACS auth to multiple devices from multiple groups in ACS)?

(2) If the answer to the above is no, then I take it you are not allowed to
have anything broken at the end of the ACS configuration. In other words you
can't push a rule above another just to test (as it breaks a previous auth).

I have all the permutations I can think of working fine (RADIUS / TACACS)
using the two default Service Selection Rules, just wondering if this would
go against me in the real lab environment.

Congrats to all who have passed, great achievement.

Regards,

Keith

Sent from my iPad

This email communication does not create or vary any contractual
relationship between Logicalis and you. Internet communications are not
secure and accordingly Logicalis does not accept any legal liability for the
contents of this message. The contents of this email are confidential to the
intended recipient at the email address to which it has been addressed. It
may not be disclosed to or used by anyone other than this addressee, nor may
it be copied in any way. If received in error, please contact Logicalis on
the above switchboard number quoting the name of the sender and the
addressee and then delete it from your system. Please note that neither
Logicalis nor the sender accepts any responsibility for viruses and it is
your responsibility to scan the email and attachments (if any).

Please be aware that Logicalis UK Ltd may monitor email traffic data and
also email content for security purposes.

Logicalis UK Ltd,  Registered in England and Wales No: 3732397,  Registered
Office: 110 Buckingham Avenue, Slough. Berkshire, SL1 4PF

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________
_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com


