I typically do the same thing when writing my rules as well. I try and write the rules so that a single rule would only apply to a single point section rather than using the same rule across many different point sections. If you do have to make a tweak to a given rule, it's better to only have that tweak affect one thing instead of 3+ things.
The called station ID format when coming from a WLC will be radio MAC address + ":" + SSID name, i.e. 00-11-22-33-44-55:MySSID. So if you want to use a compound condition to match on the SSID, choose the "ends with" matching option. But to reiterate a previous point, we only get the SSID when the authentication comes from a WLC, and not when it comes from an AP (autonomous or HREAP).

Regards,

Jeff Rensink : Sr Instructor : iPexpert <http://www.ipexpert.com/>
CCIE # 24834 :: Wireless / R&S :: World-Class Cisco Certification Training
Direct: +1.810.326.1444 :: Free Videos <http://www.youtube.com/ipexpertinc> :: Free Training / Product Offerings <http://www.facebook.com/ipexpert> :: CCIE Blog <http://blog.ipexpert.com/> :: Twitter <http://www.twitter.com/ipexpert>

On Fri, Jan 3, 2014 at 11:39 AM, Kristján Ólafur Eðvarðsson <[email protected]> wrote:

> Just a few cents on the ACS.
>
> I always try to be as specific when matching what I wanted. For example: match WLC1, match PEAP, match SSID and even user.
> Cause when complicating something in the future I would be more flexible. For example an extra requirement that I didn't foresee. We get those a lot in the real lab :)
>
> I always configure a default deny for the default network access (not default permit), so I know that my configuration is really failing.
> When matching WLC SSID, the compound condition with "ends-with" (or starts-with, I don't remember) was the trick, since the WLC sends the SSID and the radio MAC involved in one string to the ACS.
>
> Kristjan
>
> Today's Topics:
>
> 1. Re: WB1 Lab 3.2 (Jay Killion (jakillio))
> 2. Re: WB1 Lab 3.2 (Jeff Rensink)
> 3. Re: WB1 Lab 3.2 (Andreas di Zazzo)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 3 Jan 2014 15:40:28 +0000
> From: "Jay Killion (jakillio)" <[email protected]>
> To: Justin Kurynny <[email protected]>
> Cc: "[email protected]" <[email protected]>
> Subject: Re: [OSL | CCIE_Wireless] WB1 Lab 3.2
> Message-ID: <ceec355b.12742%[email protected]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Thanks for the reply Justin. Yes, I actually did exactly what you suggested and noticed that even when I created the end-station filter, I would never match on it and would just hit the default. Going through the logs, I don't see the SSID (in this case, Test4-01) mentioned anywhere. I'm guessing that autonomous doesn't send the SSID in the request?
>
> I think I found the correct workaround, however. Use AnyConnect NAM to create the network and lock down the authentication method.
>
> Jay Killion, CCIE #17873 R/S
>
> On 1/3/14 12:11 AM, "Justin Kurynny" <[email protected]> wrote:
>
> > Jay,
> >
> > You're on the right track overall, but for that first step you may want to take a close look at the ACS logs to see what attributes and attribute values are included in the RADIUS auth request packet coming from the AP.
> >
> > In a larger context, I found that a highly valuable exercise was to compare the RADIUS auth requests from the following three devices. Their attributes differ depending on source and knowing those differences is key when setting up access policies in ACS:
> >
> > * WLC
> > * Autonomous AP
> > * FlexConnect AP (standalone mode)
> >
> > hth,
> > Justin
> >
> > Disclaimer: I'm not familiar with the specific exercise you're working on--just trying to help in a general sense on your outlined first step.
> >
> > typd on tny kybrd.
> >
> > > On Jan 2, 2014, at 19:42, "Jay Killion (jakillio)" <[email protected]> wrote:
> > >
> > > Question on WB1 lab 3.2. The requirements have you creating multiple SSIDs (autonomous AP), each using different EAP methods in ACS - such as PEAP for one and TLS for another. The solution book doesn't show how this is done in ACS so I wanted to find out the correct method for this. I'm thinking the correct steps are as follows, but would appreciate any feedback.
> > >
> > > 1 - Create an end-station filter to match on SSID
> > > 2 - Create a new access service that only allows that specific EAP method (TLS, for example)
> > > 3 - Create a new service selection rule that matches the end-station filter (from step 1) and returns the service created in step 2, thus only permitting that EAP method
> > >
> > > Is that correct?
> > >
> > > Thanks
> > >
> > > Jay Killion, CCIE #17873 R/S
> > > _______________________________________________
> > > Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos ::
> > >
> > > iPexpert on YouTube: www.youtube.com/ipexpertinc
>
> ------------------------------
>
> Message: 2
> Date: Fri, 3 Jan 2014 09:59:32 -0600
> From: Jeff Rensink <[email protected]>
> To: "Jay Killion (jakillio)" <[email protected]>
> Cc: "[email protected]" <[email protected]>
> Subject: Re: [OSL | CCIE_Wireless] WB1 Lab 3.2
> Message-ID: <CAG4_piWfFBr6j0E1CXnF20XAwZPFq=DzKrzG=[email protected]>
> Content-Type: text/plain; charset="windows-1252"
>
> The exercise was mainly geared at configuring the SSIDs. There really isn't a specific ACS configuration that was supposed to go along with it. In fact, there's no sane ACS config that would only allow the authentications as described on the APs.
>
> With autonomous APs, we don't get the SSID name in the called station ID field like we do when the authentications come from a WLC. The same actually goes for H-REAP APs doing local authentication as well. It's just the MAC address of the AP radio at that point. So matching on SSIDs isn't really an option. You may be able to do it with MBSSID mode and matching on the MAC address of the radio (different MAC per SSID at that point I believe), but that would be out of the realm of reality in my opinion. The wireless lab doesn't really get into ridiculous scenarios like that.
>
> But let's say we were on WLCs, and we could match on SSIDs... While you could split this out into separate access services, I'd recommend just keeping it simple and doing it all under one. So if SSID1 only allowed clients to use PEAP, just write 2 rules with the logic below...
>
> if SSID = SSID1 and EAP type = PEAP then Permit
> if SSID = SSID1 then Deny
>
> This would probably do the trick just fine. Where you would absolutely have to split out into separate access services would be if they made reference that certain EAP authentications shouldn't even be allowed to be completed. Then you'd need to push them over to an access service that only allowed the specified EAP type. Here's why...
>
> In my first example, we'll pretend the access service allows all EAP types. Say a client tries to authenticate with EAP-FAST. The client would probably do a successful authentication with EAP-FAST (correct username/password), but when it comes to the authorization phase, it would be denied based on the rules. So EAP-FAST actually happened successfully, but the client wasn't allowed on the network.
>
> If you kicked the client over to a different access service that only allowed PEAP, then the client would try to use EAP-FAST but the server wouldn't go along with it. So EAP-FAST would never have happened since the client and server wouldn't have agreed on an EAP type to use.
>
> So in the end, we always want to read very carefully and do exactly what is asked. But when possible, try to keep things simple. It's usually less to configure, less to verify, and less to troubleshoot.
>
> ------------------------------
>
> Message: 3
> From: "Andreas di Zazzo" <[email protected]>
> To: "Jay Killion (jakillio)" <[email protected]>, "Justin Kurynny" <[email protected]>
> Cc: [email protected]
> Subject: [OSL | CCIE_Wireless] Re: WB1 Lab 3.2
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="utf-8"
>
> For the autonomous AP the called station ID contains the MAC address associated with the WLAN the client connected to. Since each WLAN contains a unique MAC address you can filter it this way, however one rule-condition per AP.
>
> Sent from my HTC
>
> ------------------------------
>
> End of CCIE_Wireless Digest, Vol 57, Issue 6
> ********************************************
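To make the matching logic discussed in this thread concrete, here is an added example in Python. It is my own illustration, not code from Cisco ACS, iPexpert, or anyone on the list. It models the Called-Station-Id formats Jeff describes (radio MAC + ":" + SSID from a WLC; radio MAC only from an autonomous AP or an H-REAP AP doing local authentication), Jeff's two-rule logic for SSID1 using the "ends with" compound condition, Kristján's fail-closed default deny, and the difference Jeff draws between a deny at authorization (after the EAP exchange has already completed) and refusing the EAP type at the access service (before any credential exchange). The `Rule`/`evaluate` names, the rule names, the phase labels and the sample MAC/SSID values are all constructed for this example.

```python
"""Toy model of the ACS policy logic discussed in the thread.

Added example; not Cisco ACS code.  Rule, evaluate, the rule names, the phase
labels and the sample Called-Station-Id values are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Radio MAC as it appears at the start of Called-Station-Id: six hex pairs
# separated by '-' (the WLC form quoted in the thread) or ':'.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5}$")


def parse_called_station_id(value: str) -> Tuple[str, Optional[str]]:
    """Return (radio_mac, ssid) from a RADIUS Called-Station-Id.

    A WLC sends '<radio MAC>:<SSID>', e.g. '00-11-22-33-44-55:MySSID'.  An
    autonomous AP, or an H-REAP AP doing local authentication, sends only the
    radio MAC, so ssid is None for those.  Only the text after the 17-character
    MAC is treated as the SSID, because an SSID may itself contain ':'.
    """
    mac, rest = value[:17], value[17:]
    if not MAC_RE.match(mac):
        raise ValueError(f"Called-Station-Id does not start with a MAC: {value!r}")
    if rest == "":
        return mac, None
    if rest.startswith(":"):
        return mac, rest[1:]
    raise ValueError(f"unexpected Called-Station-Id suffix: {value!r}")


@dataclass(frozen=True)
class Rule:
    """One authorization rule; rules are evaluated top-down, first match wins."""
    name: str
    result: str                      # "PERMIT" or "DENY"
    ssid: Optional[str] = None       # compound condition: Called-Station-Id ends with ':'+ssid
    eap_type: Optional[str] = None   # matched against the negotiated EAP method

    def matches(self, called_station_id: str, eap_type: str) -> bool:
        # The 'ends with' trick from the thread: it works whatever the radio
        # MAC is, and the leading ':' keeps 'SSID1' from also matching 'MySSID1'.
        if self.ssid is not None and not called_station_id.endswith(":" + self.ssid):
            return False
        if self.eap_type is not None and eap_type != self.eap_type:
            return False
        return True


def evaluate(called_station_id: str, eap_type: str, rules: List[Rule],
             service_allowed_eap: Optional[Set[str]] = None) -> Tuple[str, str]:
    """Return (phase, decision) for one access request.

    When the access service restricts EAP types (Jeff's second approach) a
    non-allowed method is refused during EAP negotiation, so no credential
    exchange ever happens.  Otherwise authentication is assumed to succeed and
    the ordered rules decide authorization; with no matching rule the result
    is Kristján's fail-closed default DENY.
    """
    if service_allowed_eap is not None and eap_type not in service_allowed_eap:
        return "eap-negotiation", "REJECT"
    for rule in rules:
        if rule.matches(called_station_id, eap_type):
            return "authorization:" + rule.name, rule.result
    return "authorization:default", "DENY"


# Jeff's two-rule logic for SSID1: only PEAP may be used on that SSID.
RULES = [
    Rule("SSID1-PEAP", "PERMIT", ssid="SSID1", eap_type="PEAP"),
    Rule("SSID1-other", "DENY", ssid="SSID1"),
]

# Constructed sample Called-Station-Id values (not captured from real gear).
FROM_WLC = "00-11-22-33-44-55:SSID1"
FROM_AUTONOMOUS_AP = "00-11-22-33-44-55"


if __name__ == "__main__":
    print(parse_called_station_id(FROM_WLC))            # ('00-11-22-33-44-55', 'SSID1')
    print(parse_called_station_id(FROM_AUTONOMOUS_AP))  # ('00-11-22-33-44-55', None)
    print(evaluate(FROM_WLC, "PEAP", RULES))            # ('authorization:SSID1-PEAP', 'PERMIT')
    print(evaluate(FROM_WLC, "EAP-FAST", RULES))        # EAP-FAST completed, then DENY at authorization
    print(evaluate(FROM_WLC, "EAP-FAST", RULES, {"PEAP"}))  # ('eap-negotiation', 'REJECT')
    print(evaluate(FROM_AUTONOMOUS_AP, "PEAP", RULES))  # no SSID present -> default DENY
```

The last call is the failure mode Jay hit: an autonomous AP's Called-Station-Id carries no SSID, so an SSID-based condition never matches and the request falls through to the default rule. With a default deny that shows up immediately in the ACS logs as a denied authentication; with a default permit it would silently succeed. The `service_allowed_eap` path is my reading of Jeff's point about separate access services: the same client request is refused before any EAP-FAST exchange, rather than authenticated and then denied.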
