The exercise was mainly geared at configuring the SSIDs. There really isn't a specific ACS configuration that was supposed to go along with it. In fact, there's no sane ACS config that would only allow the authentications as described on the APs.
With autonomous APs, we don't get the SSID name in the called station ID field like we do when the authentications come from a WLC. The same actually goes for H-REAP APs doing local authentication as well. It's just the MAC address of the AP radio at that point. So matching on SSIDs isn't really an option. You may be able to do it with MBSSID mode and matching on the MAC address of the radio (different MAC per SSID at that point I believe), but that would be out of the realm of reality in my opinion. The wireless lab doesn't really get into ridiculous scenarios like that.

But let's say we were on WLCs, and we could match on SSIDs... While you could split this out into separate access services, I'd recommend just keeping it simple and doing it all under one. So if SSID1 only allowed clients to use PEAP, just write 2 rules with the logic below...

    if SSID = SSID1 and EAP type = PEAP then Permit
    if SSID = SSID1 then Deny

This would probably do the trick just fine.

Where you would absolutely have to split out into separate access services would be if they made reference that certain EAP authentications shouldn't even be allowed to be completed. Then you'd need to push them over to an access service that only allowed the specified EAP type. Here's why...

In my first example, we'll pretend the access service allows all EAP types. Say a client tries to authenticate with EAP-FAST. The client would probably do a successful authentication with EAP-FAST (correct username/password), but when it comes to the authorization phase, it would be denied based on the rules. So EAP-FAST actually happened successfully, but the client wasn't allowed on the network. If you kicked the client over to a different access service that only allowed PEAP, then the client would try to use EAP-FAST but the server wouldn't go along with it. So EAP-FAST would never have happened since the client and server wouldn't have agreed on an EAP type to use.
So in the end, we always want to read very carefully and do exactly what is asked. But when possible, try to keep things simple. It's usually less to configure, less to verify, and less to troubleshoot.

On Thu, Jan 2, 2014 at 9:35 PM, Jay Killion (jakillio) <[email protected]> wrote:

> Question on WB1 lab 3.2. The requirements have you creating multiple SSIDs (autonomous AP), each using different EAP methods in ACS – such as PEAP for one and TLS for another. The solution book doesn't show how this is done in ACS so I wanted to find out the correct method for this. I'm thinking the correct steps are as follows, but would appreciate any feedback.
>
> 1 – Create an end-station filter to match on SSID
> 2 – Create a new access service that only allows that specific EAP method (TLS, for example)
> 3 – Create a new service selection rule that matches the end-station filter (from step 1) and returns the service created in step 2, thus only permitting that EAP method
>
> Is that correct?
>
> Thanks
>
> Jay Killion, CCIE #17873 R/S
>
> _______________________________________________
> Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos ::
> iPexpert on YouTube: www.youtube.com/ipexpertinc
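A small Python model of the two ACS designs discussed in the reply, added here as an illustration (it is not from the thread and is not ACS code). It assumes a WLC-style Called-Station-Id of the form "radio-mac:ssid" and an autonomous-AP value of just the radio MAC, and uses first-match authorization rules to show when the EAP exchange actually runs to completion.

```python
# Added example: models "one access service allowing all EAP types + authorization
# rules" versus "a dedicated access service that only negotiates PEAP".
# Called-Station-Id formats below are assumptions, not taken from the thread.
from dataclasses import dataclass, field
from typing import Optional


def ssid_from_called_station(called_station_id: str) -> Optional[str]:
    """Return the SSID from a WLC-style "mac:ssid" value, or None when only a MAC is sent."""
    _mac, sep, ssid = called_station_id.partition(":")
    return ssid if sep and ssid else None


@dataclass
class AccessService:
    name: str
    allowed_eap: set                        # EAP types the service will negotiate
    rules: list = field(default_factory=list)  # (ssid, eap_type or None, verdict), first match wins

    def process(self, called_station_id: str, client_eap: str, creds_ok: bool) -> dict:
        """Report whether EAP ran to completion and where the request was decided."""
        if client_eap not in self.allowed_eap:
            # Server never agrees on this EAP type, so no authentication takes place.
            return {"eap_completed": False, "result": "Reject", "phase": "eap-negotiation"}
        if not creds_ok:
            return {"eap_completed": True, "result": "Reject", "phase": "authentication"}
        ssid = ssid_from_called_station(called_station_id)
        for rule_ssid, rule_eap, verdict in self.rules:
            if rule_ssid == ssid and rule_eap in (None, client_eap):
                return {"eap_completed": True, "result": verdict, "phase": "authorization"}
        return {"eap_completed": True, "result": "Deny", "phase": "authorization"}  # default rule


# Design 1 from the reply: one service allows every EAP type, rules enforce the SSID policy.
single_service = AccessService(
    name="all-eap", allowed_eap={"PEAP", "EAP-TLS", "EAP-FAST"},
    rules=[("SSID1", "PEAP", "Permit"), ("SSID1", None, "Deny")],
)
# Design 2: a separate service that only negotiates PEAP, so EAP-FAST never completes.
peap_only_service = AccessService(
    name="peap-only", allowed_eap={"PEAP"}, rules=[("SSID1", None, "Permit")],
)

if __name__ == "__main__":
    wlc_request = "00-11-22-33-44-55:SSID1"  # constructed WLC-style Called-Station-Id
    print(single_service.process(wlc_request, "EAP-FAST", creds_ok=True))
    print(peap_only_service.process(wlc_request, "EAP-FAST", creds_ok=True))
    print(ssid_from_called_station("00-11-22-33-44-55"))  # autonomous AP: no SSID to match
```

With the single service the EAP-FAST exchange completes and only the authorization rule denies the client; with the PEAP-only service the request is rejected before any EAP authentication happens.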
