Just a few cents on the ACS. I always try to be as specific as possible when matching what I want. For example: match WLC1, match PEAP, match SSID and even user. Because when something gets more complicated in the future I would be more flexible, for example with an extra requirement that I didn't foresee. We get those a lot in the real lab :)
I always configure a default deny for the default network access (not default permit), so I know when my configuration is really failing. When matching the WLC SSID, the compound condition with "ends-with" (or starts-with, I don't remember) was the trick, since the WLC sends the SSID and the radio MAC involved in one string to the ACS.

Kristjan

Today's Topics:

1. Re: WB1 Lab 3.2 (Jay Killion (jakillio))
2. Re: WB1 Lab 3.2 (Jeff Rensink)
3. Re: WB1 Lab 3.2 (Andreas di Zazzo)

----------------------------------------------------------------------

Message: 1
Date: Fri, 3 Jan 2014 15:40:28 +0000
From: "Jay Killion (jakillio)" <[email protected]>
To: Justin Kurynny <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: [OSL | CCIE_Wireless] WB1 Lab 3.2
Message-ID: <ceec355b.12742%[email protected]>

Thanks for the reply Justin. Yes, I actually did exactly what you suggested and noticed that even when I created the end-station filter, I would never match on it and would just hit the default. Going through the logs, I don't see the SSID (in this case, Test4-01) mentioned anywhere. I'm guessing that autonomous doesn't send the SSID in the request?

I think I found the correct workaround, however. Use AnyConnect NAM to create the network and lock down the authentication method.

Jay Killion, CCIE #17873 R/S

On 1/3/14 12:11 AM, "Justin Kurynny" <[email protected]> wrote:

> Jay,
>
> You're on the right track overall, but for that first step you may want to take a close look at the ACS logs to see what attributes and attribute values are included in the RADIUS auth request packet coming from the AP.
>
> In a larger context, I found that a highly valuable exercise was to compare the RADIUS auth requests from the following three devices.
> Their attributes differ depending on source, and knowing those differences is key when setting up access policies in ACS:
>
> * WLC
> * Autonomous AP
> * FlexConnect AP (standalone mode)
>
> hth,
> Justin
>
> Disclaimer: I'm not familiar with the specific exercise you're working on--just trying to help in a general sense on your outlined first step.
>
> typd on tny kybrd.
>
>> On Jan 2, 2014, at 19:42, "Jay Killion (jakillio)" <[email protected]> wrote:
>>
>> Question on WB1 lab 3.2. The requirements have you creating multiple SSIDs (autonomous AP), each using different EAP methods in ACS - such as PEAP for one and TLS for another. The solution book doesn't show how this is done in ACS, so I wanted to find out the correct method for this. I'm thinking the correct steps are as follows, but would appreciate any feedback.
>>
>> 1 - Create an end-station filter to match on SSID
>> 2 - Create a new access service that only allows that specific EAP method (TLS, for example)
>> 3 - Create a new service selection rule that matches the end-station filter (from step 1) and returns the service created in step 2, thus only permitting that EAP method
>>
>> Is that correct?
>>
>> Thanks
>>
>> Jay Killion, CCIE #17873 R/S
>> _______________________________________________
>> Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos ::
>>
>> iPexpert on YouTube: www.youtube.com/ipexpertinc

------------------------------

Message: 2
Date: Fri, 3 Jan 2014 09:59:32 -0600
From: Jeff Rensink <[email protected]>
To: "Jay Killion (jakillio)" <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: [OSL | CCIE_Wireless] WB1 Lab 3.2
Message-ID: <CAG4_piWfFBr6j0E1CXnF20XAwZPFq=DzKrzG=6eeipshn2z...@mail.gmail.com>

The exercise was mainly geared at configuring the SSIDs. There really isn't a specific ACS configuration that was supposed to go along with it.
In fact, there's no sane ACS config that would only allow the authentications as described on the APs. With autonomous APs, we don't get the SSID name in the called station ID field like we do when the authentications come from a WLC. The same actually goes for H-REAP APs doing local authentication as well. It's just the MAC address of the AP radio at that point. So matching on SSIDs isn't really an option. You may be able to do it with MBSSID mode and matching on the MAC address of the radio (different MAC per SSID at that point, I believe), but that would be out of the realm of reality in my opinion. The wireless lab doesn't really get into ridiculous scenarios like that.

But let's say we were on WLCs, and we could match on SSIDs... While you could split this out into separate access services, I'd recommend just keeping it simple and doing it all under one. So if SSID1 only allowed clients to use PEAP, just write 2 rules with the logic below:

if SSID = SSID1 and EAP type = PEAP then Permit
if SSID = SSID1 then Deny

This would probably do the trick just fine. Where you would absolutely have to split out into separate access services would be if they made reference that certain EAP authentications shouldn't even be allowed to be completed. Then you'd need to push them over to an access service that only allowed the specified EAP type. Here's why...

In my first example, we'll pretend the access service allows all EAP types. Say a client tries to authenticate with EAP-FAST. The client would probably do a successful authentication with EAP-FAST (correct username/password), but when it comes to the authorization phase, it would be denied based on the rules. So EAP-FAST actually happened successfully, but the client wasn't allowed on the network. If you kicked the client over to a different access service that only allowed PEAP, then the client would try to use EAP-FAST but the server wouldn't go along with it.
So EAP-FAST would never have happened, since the client and server wouldn't have agreed on an EAP type to use.

So in the end, we always want to read very carefully and do exactly what is asked. But when possible, try to keep things simple. It's usually less to configure, less to verify, and less to troubleshoot.

------------------------------

Message: 3
From: "Andreas di Zazzo" <[email protected]>
To: "Jay Killion (jakillio)" <[email protected]>, "Justin Kurynny" <[email protected]>
Cc: [email protected]
Subject: [OSL | CCIE_Wireless] Re: WB1 Lab 3.2
Message-ID: <[email protected]>

For the autonomous AP the called station ID contains the MAC address associated with the WLAN the client connected to.
Since each WLAN has a unique MAC address you can filter it this way; however, that is one rule condition per AP.

Sent from my HTC

------------------------------

End of CCIE_Wireless Digest, Vol 57, Issue 6
********************************************
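The following Python is an added example; it is not part of the digest and is not Cisco ACS code. It is a toy model of the rule matching the thread discusses: Kristjan's "ends-with" condition on the Called-Station-Id and his default deny, Jeff's two-rule permit/deny pattern and his point that only a restricted access service stops an unwanted EAP method from completing, Andreas's per-AP radio MAC condition for autonomous APs, and Jay's observation that an SSID filter never matches an autonomous AP request. Assumptions not stated on the page: the WLC is taken to send Called-Station-Id as "<radio MAC>:<SSID>" and the autonomous AP only "<radio MAC>"; the device names (WLC1, AP1), SSIDs, MACs and EAP type strings are constructed sample data.

```python
"""Toy model of ACS-style rule matching on RADIUS attributes (added example).

Assumptions (not facts from the thread): Called-Station-Id is "<MAC>:<SSID>"
from a WLC and "<MAC>" alone from an autonomous AP; device names, MACs and
SSIDs below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Request:
    """Attributes of one RADIUS Access-Request that a rule can match on."""
    nas: str                  # network device the request came from (e.g. WLC1)
    called_station_id: str    # RADIUS attribute 30, exactly as the NAS sent it
    eap_type: str             # EAP method the client proposes (PEAP, EAP-TLS, EAP-FAST)
    user: str = ""            # User-Name, for rules that go down to the user


def parse_called_station_id(value: str) -> Tuple[str, Optional[str]]:
    """Split "<MAC>:<SSID>" into (MAC, SSID); SSID is None when only a MAC was sent."""
    mac, sep, ssid = value.partition(":")
    return mac.upper(), (ssid if sep else None)


def ends_with_ssid(called_station_id: str, ssid: str) -> bool:
    """The 'ends-with' compound condition. Anchoring on the separator matters:
    a bare ends-with on 'Guest' would also match '...:Corp-Guest'."""
    return called_station_id.endswith(":" + ssid)


# First-match-wins rule table in Jeff's pattern. A key absent from a rule is a
# wildcard. Anything that matches no rule falls to DEFAULT_RESULT.
Rule = Dict[str, str]
RULES: List[Rule] = [
    {"nas": "WLC1", "ssid": "SSID1", "eap": "PEAP",    "result": "PERMIT"},
    {"nas": "WLC1", "ssid": "SSID1",                   "result": "DENY"},
    {"nas": "WLC1", "ssid": "SSID2", "eap": "EAP-TLS", "result": "PERMIT"},
    {"nas": "WLC1", "ssid": "SSID2",                   "result": "DENY"},
    # Autonomous AP: no SSID on the wire, so match the per-WLAN radio MAC
    # instead (Andreas's approach: one condition per AP and WLAN).
    {"nas": "AP1", "mac": "00-1A-2B-3C-4D-5E", "eap": "EAP-TLS", "result": "PERMIT"},
    {"nas": "AP1", "mac": "00-1A-2B-3C-4D-5E",                   "result": "DENY"},
]
DEFAULT_RESULT = "DENY"   # Kristjan's default deny: a request nothing matched shows up as a failure


def evaluate(req: Request, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (decision, label of the rule that matched, or 'default')."""
    mac, _ = parse_called_station_id(req.called_station_id)
    for i, rule in enumerate(rules):
        if "nas" in rule and rule["nas"] != req.nas:
            continue
        if "ssid" in rule and not ends_with_ssid(req.called_station_id, rule["ssid"]):
            continue
        if "mac" in rule and rule["mac"].upper() != mac:
            continue
        if "eap" in rule and rule["eap"] != req.eap_type:
            continue
        if "user" in rule and rule["user"] != req.user:
            continue
        return rule["result"], f"rule {i + 1}"
    return DEFAULT_RESULT, "default"


def authenticate(req: Request, service_allowed_eap: List[str]) -> Dict[str, object]:
    """Jeff's distinction: with an access service that allows every EAP type the
    client completes EAP and is only denied at authorization; with a service
    that allows just the wanted type, negotiation fails and EAP never runs."""
    if req.eap_type not in service_allowed_eap:
        # Server refuses the proposed method up front; no credentials are exchanged.
        return {"eap_completed": False, "decision": "REJECT", "matched": "eap negotiation"}
    decision, matched = evaluate(req)
    return {"eap_completed": True, "decision": decision, "matched": matched}
```

Running `evaluate` on a constructed WLC request for SSID1 with PEAP hits rule 1, the same SSID with EAP-FAST hits the deny in rule 2, and an autonomous-AP request (MAC only) can never satisfy an SSID rule, which is exactly the "just hit the default" behaviour Jay saw until a MAC-based rule is added. `authenticate` shows why the two-rule approach still lets EAP-FAST complete before the deny, while a PEAP-only service rejects it during negotiation.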
