Cisco ACS and Aruba Radius Auth

By ozerdo posted Nov 11, 2011 07:48 PM



We are using Cisco's ACS as the backend radius server. It works fine for the Aruba if I have the ACS set to use Radius (IETF) but as soon as I change this to the Radius (Aruba Wireless Networks) option it no longer authenticates the users and they can’t connect.


Strangely enough the AAA server diagnostic test in the controller GUI interface authenticates just fine.
I would like to be able to use the additional features this will give me. I am thinking I have something configured incorrectly but I can't find any documentation on how to set this up.

Is anyone using this?


If you are using RADIUS IETF, you can pass back "Filter-ID" (attribute 011). On the controller, you will need a server derivation rule that says:

aaa server-group "your AAA group name"
set role condition "Filter-Id" value-of position 1

In the GUI, go to Configuration > Authentication > Server Group, select your Server Group and click the "Add" button. Under condition, select Filter-ID and then drop down the box that says contains and select "value-of".

When you authenticate to ACS, it will pass back the attribute Filter-ID that contains the string you entered for that group. The controller will use that string to assign the correct role to the user.


You can load the specific Aruba RADIUS attributes into ACS as well, which is what we did. You'll then be able to use the "Aruba-User-Role" as a return attribute. You can download the attributes from the Aruba support site.
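Added example, not part of the original posts and not Aruba or Cisco code: the two replies above describe returning the role either in the IETF Filter-Id attribute or in the vendor-specific Aruba-User-Role, and this sketch shows where each one sits in an Access-Accept so a captured reply can be checked for what ACS actually sends. It assumes vendor ID 14823 and sub-attribute 1 from the published Aruba RADIUS dictionary; the role name "employee" and both packets are constructed, and the authenticator is not verified.

```python
import struct

FILTER_ID = 11            # RFC 2865 Filter-Id
VENDOR_SPECIFIC = 26      # RFC 2865 Vendor-Specific
ARUBA_VENDOR_ID = 14823   # Aruba enterprise number (Aruba RADIUS dictionary)
ARUBA_USER_ROLE = 1       # Aruba-User-Role sub-attribute

def attr(atype, value):
    """Encode one attribute as type, length, value."""
    return bytes([atype, len(value) + 2]) + value

def vsa(vendor_id, vtype, value):
    """Encode a Vendor-Specific attribute carrying one sub-attribute."""
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + attr(vtype, value))

def build_accept(attrs):
    """Constructed Access-Accept (code 2); authenticator zeroed, not verified."""
    body = b"".join(attrs)
    return struct.pack("!BBH", 2, 1, 20 + len(body)) + bytes(16) + body

def parse_attributes(packet):
    """Yield (type, value) for each attribute after the 20-byte header."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet) or not 2 <= packet[pos + 1] <= len(packet) - pos:
            raise ValueError("malformed attribute at offset %d" % pos)
        yield packet[pos], packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]

def role_hints(packet):
    """Collect the role strings carried by Filter-Id and Aruba-User-Role."""
    hints = {"Filter-Id": [], "Aruba-User-Role": []}
    for atype, value in parse_attributes(packet):
        if atype == FILTER_ID:
            hints["Filter-Id"].append(value.decode("utf-8", "replace"))
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if (vendor, vtype) == (ARUBA_VENDOR_ID, ARUBA_USER_ROLE) \
                    and 2 <= vlen <= len(value) - 4:
                hints["Aruba-User-Role"].append(
                    value[6:4 + vlen].decode("utf-8", "replace"))
    return hints

# Constructed replies; "employee" is a made-up role name.
ACCEPT_IETF = build_accept([attr(FILTER_ID, b"employee")])
ACCEPT_ARUBA = build_accept([vsa(ARUBA_VENDOR_ID, ARUBA_USER_ROLE, b"employee")])
```

A server group rule that matches on Filter-Id finds nothing to match in the second packet, because there the role string is nested inside attribute 26.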

1 comment


Jun 21, 2020 09:47 AM



Hope this finds you all well.


Can you help me find the appropriate MSR XXXX router series for CISCO ISR4351-SEC/K9?