Enterprise Lockdown

Occasional Contributor I
Posts: 7
Registered: ‎05-01-2009

Cisco ACS and Aruba Radius auth

Help

We are using Cisco's ACS as the backend radius server. It works fine for the Aruba if I have the ACS set to use Radius (IETF) but as soon as I change this to the Radius (Aruba Wireless Networks) option it no longer authenticates the users and they can’t connect.
Strangely enough the AAA server diagnostic test in the controller GUI interface authenticates just fine.
I would like to be able to use the additional features this will give me. I am thinking I have something configured incorrectly but I can't find any documentation on how to set this up.

Is anyone using this?
Guru Elite
Posts: 20,799
Registered: ‎03-29-2007

Radius IETF






Radius IETF is the correct setting. What, in addition, do you want to use your Cisco ACS for?


Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 7
Registered: ‎05-01-2009

Radius

I was wanting to set up groups on the ACS side and assign specific roles to these groups.

The plan was to set a condition in the server group to set the role based on the attribute of "Aruba User Role".

I don't think this attribute works with RADIUS IETF.

I am also looking to filter by login domain and set user roles by the domain they log in to, but this is down the line...
Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: Cisco ACS and Aruba Radius auth

If you are using RADIUS ietf, you can pass back "Filter-ID" (attribute 011). On the controller, you will need a server derivation rule that says:

aaa server-group "your AAA group name"
set role condition "Filter-Id" value-of position 1

In the GUI, go to Configuration > Authentication > Server Group, select your Server Group and click the "Add" button. Under condition, select Filter-ID and then drop down the box that says contains and select "value-of".

When you authenticate to ACS, it will pass back the attribute Filter-ID that contains the string you entered for that group. The controller will use that string to assign the correct role to the user.
Aruba Employee
Posts: 509
Registered: ‎07-03-2008

Re: Cisco ACS and Aruba Radius auth

You can load the specific Aruba RADIUS attributes into ACS as well, which is what we did. You'll then be able to use the "Aruba-User-Role" as a return attribute. You can download the attributes from the Aruba support site.
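
Added example (not part of the thread, and not Aruba or Cisco code): a small Python parser that shows where the two role carriers discussed above sit inside a RADIUS Access-Accept, which helps when checking a packet capture to see what ACS actually returned. The vendor ID 14823 and vendor type 1 for Aruba-User-Role are taken from Aruba's published RADIUS dictionary rather than from this thread, and the sample packet and role names are constructed.

```python
import struct

ARUBA_VENDOR_ID = 14823   # Aruba's enterprise number (assumption: from Aruba's dictionary)
FILTER_ID = 11            # RFC 2865 Filter-Id
VENDOR_SPECIFIC = 26      # RFC 2865 Vendor-Specific
ARUBA_USER_ROLE = 1       # Aruba-User-Role vendor type (assumption: from Aruba's dictionary)

def parse_attributes(packet: bytes):
    """Yield (type, value) for each attribute after the 20-byte RADIUS header."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _, _, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the packet")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def returned_roles(packet: bytes):
    """Collect the role strings carried as Filter-Id and as the Aruba VSA."""
    roles = {"Filter-Id": [], "Aruba-User-Role": []}
    for atype, value in parse_attributes(packet):
        if atype == FILTER_ID:
            roles["Filter-Id"].append(value.decode("utf-8", "replace"))
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            sub = value[4:]
            # Walk the vendor sub-attributes: vendor-type, vendor-length, data
            while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
                if vendor == ARUBA_VENDOR_ID and sub[0] == ARUBA_USER_ROLE:
                    roles["Aruba-User-Role"].append(sub[2:sub[1]].decode("utf-8", "replace"))
                sub = sub[sub[1]:]
    return roles

def build_sample_accept():
    """Constructed Access-Accept (code 2) with a zeroed authenticator, for the demo only."""
    filter_id = bytes([FILTER_ID, 2 + 5]) + b"staff"
    vsa_body = struct.pack("!I", ARUBA_VENDOR_ID) + bytes([ARUBA_USER_ROLE, 2 + 10]) + b"contractor"
    vsa = bytes([VENDOR_SPECIFIC, 2 + len(vsa_body)]) + vsa_body
    attrs = filter_id + vsa
    return struct.pack("!BBH", 2, 1, 20 + len(attrs)) + bytes(16) + attrs
```

If the capture shows neither attribute in the Access-Accept, the server derivation rule on the controller has nothing to match, so the place to look is the group configuration on the RADIUS server.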