Community Tribal Knowledge Base

Cisco ACS and Aruba Radius Auth

Question

We are using Cisco's ACS as the backend radius server. It works fine for the Aruba if I have the ACS set to use Radius (IETF) but as soon as I change this to the Radius (Aruba Wireless Networks) option it no longer authenticates the users and they can’t connect.

 

Strangely enough the AAA server diagnostic test in the controller GUI interface authenticates just fine.
I would like to be able to use the additional features this will give me. I am thinking I have something configured incorrectly but I can't find any documentation on how to set this up.

Is anyone using this?

Answer

If you are using RADIUS ietf, you can pass back "Filter-ID" (attribute 011). On the controller, you will need a server derivation rule that says:

aaa server-group "your AAA group name"
set role condition "Filter-Id" value-of position 1

In the GUI, go to Configuration > Authentication > Server Group, select your Server Group and click the "Add" button. Under condition, select Filter-ID and then drop down the box that says contains and select "value-of".

When you authentication to ACS, it will pass back the attribute Filter-ID that contains the string you entered for that group. The controller will use that string to assign the correct role to the user.

 

You can load the specific Aruba RADIUS attributes into ACS as well, which is what we did. You'll then be able to use the "Aruba-User-Role" as a return attribute. You can download the attributes from the Aruba support site.

Version History
Revision #:
2 of 2
Last update:
‎11-15-2011 08:35 AM
Updated by:
 
Labels (1)
Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.