Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Can we split a radius response value?

  • 1.  Can we split a radius response value?

    Posted May 09, 2019 04:35 AM

    Hello,

    Can we split a RADIUS response value on the colon delimiter, then match a part of the response in the role mapping?

    Here is some background:

    We use the Called-Station-Id for two things: to match a service policy and for enforcement.

    The Cisco called-station response is configured for AP_MAC:SSID:

    Radius:IETF:Called-Station-Id       ac-a0-16-bb-f9-40:OFFICE2

    The last part of the Called-Station-Id is used to match the service policy on the SSID OFFICE2:

    name="Called-Station-Id" operator="CONTAINS" type="Radius:IETF" value="OFFICE2"

    The role mapping maps on the AP_MAC address part and gives a tag (only a tag if this AP is configured for Cisco FlexConnect):

    RuleAttribute name="Called-Station-Id" operator="BEGINS_WITH" type="Radius:IETF" value=" ac-a0-16-bb-f9-40"

    RuleAttribute name="Called-Station-Id" operator="BEGINS_WITH" type="Radius:IETF" value=" ac-a0-16-bb-f9-41"

    etc. etc. This results in quite some lines in the role mapping if I need to do this for all FlexConnect APs.

    Is there some logic that lets me take only the MAC part and split the response on the colon delimiter?

    Then I would use the static host list for listing all the AP MACs:

    RuleAttribute name="Called-Station-Id" operator="BELONGS_TO_GROUP" type="Radius:IETF" value="HostList:3004" displayValue="Flexconnect remote BSSID devices"

    There might be other ways to do this as well?

    Thanks,

    Gerrit
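The split-and-match logic the question asks for, written out as a stand-alone Python example added to this thread (it is not a ClearPass feature and not code posted by anyone in the thread): it separates Called-Station-Id into the AP MAC and the SSID at the colon delimiter, normalizes the MAC, and checks it against a set of FlexConnect BSSIDs that stands in for the static host list or endpoint-database entries. The first BSSID and the SSID OFFICE2 are the values quoted above; the second BSSID, the extra SSID names and the sample attribute values are constructed. Because a MAC may itself be written with colon separators, the example matches the MAC explicitly at the start of the value rather than splitting on every colon, so an SSID that contains a colon survives intact.

```python
import re
from typing import Dict, Optional, Tuple

# Called-Station-Id in the form AP_MAC:SSID (the Cisco format quoted in the
# thread). The MAC may use '-' or ':' separators, so a naive split on ':'
# is ambiguous; instead the MAC is matched explicitly at the start and
# everything after the following colon is the SSID (which may itself
# contain colons). Leading whitespace before the MAC is tolerated.
_CSID_RE = re.compile(
    r"^\s*([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})(?::(.*))?$"
)


def normalize_mac(mac: str) -> str:
    """Return the MAC as lower-case, hyphen-separated (the style used in the thread)."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def split_called_station_id(value: str) -> Tuple[Optional[str], Optional[str]]:
    """Split 'AP_MAC:SSID' into (normalized MAC, SSID).

    Returns (None, None) when the value does not start with a MAC address,
    and (mac, None) when the SSID part is missing.
    """
    m = _CSID_RE.match(value)
    if not m:
        return None, None
    return normalize_mac(m.group(1)), m.group(2)


# Constructed stand-in for the static host list / endpoint-database entries:
# the BSSIDs of the FlexConnect APs. The first value is from the thread, the
# second is constructed for the example.
FLEXCONNECT_BSSIDS = {
    normalize_mac("ac-a0-16-bb-f9-40"),
    normalize_mac("ac-a0-16-bb-f9-41"),
}


def map_role(called_station_id: str, service_ssid: str = "OFFICE2") -> Dict[str, object]:
    """Emulate the two uses of Called-Station-Id described in the question:
    service selection on the SSID part, role tagging on the MAC part."""
    mac, ssid = split_called_station_id(called_station_id)
    result: Dict[str, object] = {
        "ap_mac": mac,
        "ssid": ssid,
        "service_match": ssid == service_ssid,
        "tags": [],
    }
    if mac is not None and mac in FLEXCONNECT_BSSIDS:
        result["tags"] = ["Flexconnect"]
    return result


if __name__ == "__main__":
    # Constructed sample attribute values; only the first is quoted in the thread.
    samples = [
        "ac-a0-16-bb-f9-40:OFFICE2",
        " ac-a0-16-bb-f9-41:OFFICE2",
        "AC:A0:16:BB:F9:40:Guest:Lobby",
        "ac-a0-16-bb-f9-42:OFFICE2",
        "OFFICE2",
    ]
    for s in samples:
        print(f"{s!r:40} -> {map_role(s)}")
```

Matching the MAC part against a set mirrors the BELONGS_TO_GROUP lookup in the question; keeping the SSID part separate means the same parsed value can also drive the CONTAINS-style service selection, and a value that does not begin with a MAC yields no tag rather than a false match.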



  • 2.  RE: Can we split a radius response value?

    Posted May 09, 2019 01:55 PM
    Don’t use static host lists. I never use this because it’s inflexible.

    This requirement is easy to achieve using attributes in the endpoint database. Fetch that data during authentication from the endpoint database.


  • 3.  RE: Can we split a radius response value?

    Posted May 09, 2019 02:21 PM
    Willem,

    Thanks for your response.

    Attached is a snapshot of the AP in the endpoint DB, so it's there, as I use device profiling and learn via DHCP.

    Please notice that the Ethernet MAC 54-75-d0-f5-37-3d is different from the BSSID MAC sent in the Called-Station-Id, ac-a0-16-bb-f9-40.

    So basically you suggest adding "Radius:IETF:Called-Station-Id = ac-a0-16-bb-f9-40:OFFICE2" as an attribute to this attached device database entry?

    Thanks,

    Gerrit

    Attachment: picture.pdf (34 KB)


  • 4.  RE: Can we split a radius response value?

    Posted May 09, 2019 02:37 PM

    OK. Why not use a different NAS identifier in the RADIUS request to make a differentiation for the FlexConnect APs?



  • 5.  RE: Can we split a radius response value?

    Posted May 09, 2019 02:49 PM

    Willem,

    The Radius:IETF:NAS-Identifier is the wireless controller.

    I use this indeed for sites with a local wireless controller.

    However, for FlexConnect I can't use this, as I can't differentiate between the FlexConnect sites any more.

    So the Radius:IETF:NAS-Identifier is the same for all FlexConnect sites.

    However, I probably can make an entry in the endpoint database that looks like this:

    "ac-a0-16-bb-f9-40:OFFICE2"

    So I agree: instead of looking for a solution with a static host list, looking for a solution with the endpoint database makes more sense.

    Thanks,

    Gerrit



  • 6.  RE: Can we split a radius response value?

    Posted May 09, 2019 03:06 PM
    You can add the BSSID MAC address to the endpoint database and assign some attributes to it. However, I think this is not a scalable solution.
    Is there no other option to make some difference in the RADIUS request for FlexConnect sites? In most cases there are options to use a different NAS IP or NAS ID for an SSID. In Aruba we can do this using multiple AP groups.


  • 7.  RE: Can we split a radius response value?

    Posted May 09, 2019 03:19 PM

    I just tried to add the BSSID to the endpoint database: "ac-a0-16-bb-f9-40".

    However, it did not work, as I can search for it via the string I got, "ac-a0-16-bb-f9-40:OFFICE2", which is not a MAC address.

    In their design today I don't see any difference between FlexConnect APs and normal APs other than the Radius:IETF:Called-Station-Id value.

    Yes, pretty sure with a slightly different FlexConnect design we might be able to do this more easily.

    Thanks,

    Gerrit