Thanks for the reply Justin. Yes, I actually did exactly what you suggested and noticed that even when I created the end-station filter, I would never match on it and would just hit the default. Going through the logs, I don't see the SSID (in this case, Test4-01) mentioned anywhere. I'm guessing that autonomous doesn't send the SSID in the request?
I think I found the correct workaround, however. Use AnyConnect NAM to create the network and lock down the authentication method.

Jay Killion, CCIE #17873 R/S

On 1/3/14 12:11 AM, "Justin Kurynny" <[email protected]> wrote:

>Jay,
>
>You're on the right track overall, but for that first step you may want
>to take a close look at the ACS logs to see what attributes and attribute
>values are included in the radius auth request packet coming from the AP.
>
>In a larger context, I found that a highly valuable exercise was to
>compare the radius auth requests from the following three devices. Their
>attributes differ depending on source and knowing those differences is
>key when setting up access policies in ACS:
>
>* WLC
>* Autonomous AP
>* FlexConnect AP (standalone mode)
>
>hth,
>Justin
>
>Disclaimer: I'm not familiar with the specific exercise you're working
>on--just trying to help in a general sense on your outlined first step.
>
>typd on tny kybrd.
>
>> On Jan 2, 2014, at 19:42, "Jay Killion (jakillio)" <[email protected]>
>> wrote:
>>
>> Question on WB1 lab 3.2. The requirements have you creating multiple
>> SSIDs (autonomous AP), each using different EAP methods in ACS such
>> as PEAP for one and TLS for another. The solution book doesn't show how
>> this is done in ACS so I wanted to find out the correct method for this.
>> I'm thinking the correct steps are as follows, but would appreciate any
>> feedback.
>>
>> 1 Create an end-station filter to match on SSID
>> 2 Create a new access service that only allows that specific EAP
>> method (TLS, for example)
>> 3 Create a new service selection rule that matches the end-station
>> filter (from step 1) and returns the service created in step 2, thus
>> only permitting that EAP method
>>
>> Is that correct?
>>
>> Thanks
>>
>> Jay Killion, CCIE #17873 R/S
>> _______________________________________________
>> Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos ::
>>
>> iPexpert on YouTube: www.youtube.com/ipexpertinc
