Dynamic VLAN Assignment with ACS Server

In this post we will learn/test how the dynamic VLAN assignment works.

Basic Info:

Dynamic VLAN assignment: It pushes a wireless user into a specific VLAN based on his identity. This task of assigning users to a specific VLAN is handled by a RADIUS authentication server (i.e. ACS).

It’s a type of identity networking. It allows us to have single SSID, but allows specific users to use different VLAN attributes based on the user credentials.

This task of assigning users to a specific VLAN is handled by a RADIUS authentication server (ACS 5.2 in my case). This can be used, for example, to allow the wireless host to remain on the same VLAN as it moves within a campus network.

As a result, when a client attempts to associate to a LAP registered with a controller, the LAP passes the credentials of the user to the RADIUS server for validation. Once the authentication is successful, the RADIUS server passes (IETF) attributes to the user. These RADIUS attributes decide the VLAN ID that should be assigned to the wireless client.

***In my post I am using a single SSID

My Topology:

DVAACS1

Let’s take an Example:

  1. We will create a SSID “XYZ” and assign a non-routed VLAN (99) or management VLAN to it.
  2. Now we have Groups of employees in our company “Production, Admin and Sales”.
  3. VLANs as per Roles.(Production – 13, Admin – 14, Sales – 17 )

Steps to Configuration:

  • Configure WLC
  • Configure ACS server
  • Verification

Configure WLC

We must configure the WLC so it can communicate with the RADIUS server in order to authenticate the clients.

  1. Configure ACS on WLC:

From the controller GUI, click Security> AuthenticationDVAACS2

  1. Create dynamic interface (for VLAN 13, 14 and 17)

Example for VLAN 13, same we have to do for VLAN 14 & 17

Controller GUI, in the Controller > Interfaces

DVAACS3

  1. Create a WLAN and assign to a Non Routed VLAN or management interface

From the controller GUI, go to WLANs > Create New

My WLAN isXYZ

DVAACS4

DVAACS5

Enable AAA override feature:

DVAACS6

CLI Command to enable: config wlan aaa-override enable wlan-id

Configure ACS (RADIUS) Server

  • Configure Network Resources.

AAA Client (WLC management IP), Location, and device type

  • Configure User and Identity Store

Create Identity Group, Users and then assign users to Identity Groups(Production, Admin and Sales Users)

Create Identity Store Sequence

  • Define policy elements.

Custom Profile

End Station Filter

Create Authorization Profiles

  • Apply access policies.

Select EAP Method

Assign Auth. Profile as per identity

  1. Configure Network Resources.

First we will add the WLC as an AAA client on the RADIUS server so that the WLC can pass the user credentials to the RADIUS server.

Create a Location type:

From the ACS GUI, go to Network Resources > Network Device Groups > Location, and click Create

DVAACS7

Crete Device Type:

Go to Network Resources > Network Device Groups > Device Type > Create

DVAACS8

Add WLC as AAA client in ACS sever:

Go to Network Resources > Network Devices and AAA Clients. Put the WLC IP and shared secret (it must be same as in WLC)

DVAACS9

DVAACS10

  1. Configure User and Identity Store

Create Identity Group, Users and then assign users to Identity Groups:

In this post we will create three types of users (Production, Admin and Sales Users)

For Identity Groups:

Go to Users and Identity Stores > Identity Groups > Create

For Users:

Go to Users and Identity Stores > Internal Identity Stores > Users > Create

DVAACS11

Create Identity Store Sequence:

As we don’t need it in this post (only internal user option will also work)

Go to Users and Identity Stores > Identity Stores Sequences > Create

DVAACS12

  1. Define policy elements.

Custom Profile

Create a Custom SSID Profile or create an END STATION filter (we will use only one method from this and that will be CUSTOM SSID)

Go to Policy Elements > Custom> Create

Enter the Name (MySSID), choose Dictionary as RADIUS-IETF and Attribute as Called-Station-ID.

DVAACS13

End Station Filter:

Go to Policy Elements> Network Conditions>End Station Filter>Create

*** We will not use this in this post

DVAACS14

DVAACS15

Create Authorization Profiles:

Go to Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles > Create.

IN this post we are using vlan 13, 14 and 17 so we need three Auth Profiles.

Two ways to do: Either under Common Tasks or under RADIUS Attributes:

Both ways are shown here.

DVAACS16

DVAACS17

So in end auth profile will look like this:

DVAACS18

  1. Access Policies

We are using Radius Authentication we have to use Default Network Access.

DVAACS19

Select which EAP method we would like the wireless Clients to Authenticate. In this post we will use EAP-FAST or PEAP.

DVAACS20

Select Identity under Default Network Access as “MyLab” which we created earlier.

DVAACS21

Configure Authorization Rules:

Go to Access Policies > Access Services > Default Network Access > Authorization.

We can customize under what conditions we will allow user access to the network and what authorization profile (attributes) we will pass once authenticated. In this post, we selected Location, SSID, Device Type, and Identity Group.

DVAACS22

Verification

Production User must go in vlan 13.

DVAACS23

Sales User must go in vlan 17.

DVAACS24

Admin User must go in vlan 14.

DVAACS25Logs from ACS:

DVAACS26

Thats all 🙂

 

AAA Override

In this post we will learn about the AAA override feature which is used with ACS (Radius Server).

This AAA Override function used to configure for identity networking. It allows us to configure VLAN tagging, QoS and ACL for specific clients.

Basic Info:

By using this feature we can reduce or minimize WLANs and can provide or segregate network segmentation within the network.

IN this post we take an example especially for dynamic VLAN assignment. This feature allows a single SSID to serve multiple users as per their roles (as per their VLANs).

How it works:

  1. Wireless client associates to the AP on specific WLAN.
  2. Wireless Client start RADIUS authentication process.
  3. When the wireless client authenticates successfully, the RADIUS server assign this client to a specific VLAN (as we configured on RADIUS server), regardless of the VLAN assigned to SSID the client is using on the AP. If the RADIUS server does not return any VLAN attribute for the wireless client, the client is assigned to the VLAN specified by the SSID mapped locally on the AP.

Limitation:

  • To apply an ACL we must disable & then enable the WLAN so that client must re-authenticate again otherwise ACL does not take effect.
  • If we don’t have ACL on WLC or put the wrong name, then the clients are not allowed to be authenticated.
  • In HREAP/Flexconnect local switching, Multicast is forwarded only for the VLAN that the SSID is mapped to and not to any overridden VLANs.
  • When the interface group is mapped to a WLAN and clients connect to the WLAN, the client does not get the IP address in a round robin fashion. The AAA override with interface group is supported.
  • AAA override is done at the RADIUS server.
  • On WLC, enable AAA Override parameter using the GUI or CLI. Enabling this parameter allows the controller to accept the attributes returned by the RADIUS server. The controller then applies these attributes to its clients.

Enable this feature on WLAN:

Via GUI:

AAAoverride2

Via CLI:

WLC > config wlan aaa-override enable <wlan-id>

In next post we will see how this function can be used with an example.

WLC Admin Access by TACAS+ Server

In this post we will learn how to provide or control WLC management user’s access via TACAS+ server.

We will create 3 users:

User1: Full Admin rights on WLC – sandeeprw
User2: Read-Only rights to WLC (Only allow one tab”WLAN” as admin access) – sandeepro
User3: Lobby user to create Guest Accounts – sandeeplobby

Parameters:

ACS Server: 192.168.205.5
WLC: 192.168.112.10
Shared Secret: Test12345

Read/Write User: sandeeprw, Password: sandeeprw
Read/Only User: sandeepro, Password: sandeepro
Lobby User: sandeeplobby, Password: sandeeplobby

Steps:

  1. Add ACS server to WLC as TACAS+ server
  2. Add WLC as AAA client to ACS.
  3. Create Identity Groups.
  4. Create Users and assign to respective Identity Groups
  5. Assign shell profiles to Users
  6. Configure Access Policies for specific Users
  7. Assign the Priority order for management access.
  8. Verification

So let’s start with configuration:

Add ACS server to WLC as TACAS+ server

Go to WLC GUI, click Security > AAA > TACAS+ > Authentication. Enter the parameters specific to the server. Also put Accounting& Authorization server info as well.

TACAS1

Add WLC as AAA client to ACS

Login to ACS and then go to Network Resources > Network Devices and AAA Clients

Must select TACAS+ check box and put the same shared secret as we did while adding ACS to WLC.

WLC-Admin-RAdius2

Create Identity Groups

Create Identity groups for different users.

These are the Groups:

Admin-Lobby
Admin-RO
Admin-RW

WLC-Admin-RAdius3

Create Users and assign to respective Identity Groups

WLC-Admin-RAdius4

Assign shell profiles to Users

Here we will create shell profile and assign the custom attributes to users.

Admin Users: role1 as ALL
Read-Only User: role1 as WLAN
Lobby Users: role1 as MONITOR

TACAS2

TACAS3

TACAS4

Configure Access Policies for specific Users

Create Authorization rules under default Network Access:

It will look like this:

TACAS5

Assign the Priority order for management access

Authentication Oder for management users on the WLC.

Security > Priority Order > Management User.

TACAS6

Verification

To verify each account, we must login with different users and check it.

Verification Logs from ACS about users attempts:

TACAS7

That’s all 🙂

In the next post we will learn the AAA override /Dynamic VLAN Assignment feature.

WLC Admin Access by Radius Server

In this post we will learn how to provide or control WLC management users access via external radius server.

We will create 3 users:

User1: Full Admin rights on WLC – sandeeprw
User2: Read-Only rights to WLC – sandeepro
User3: Lobby user to create Guest Accounts – sandeeplobby

Parameters:

ACS Server: 192.168.205.5
WLC: 192.168.112.10
Shared Secret: Test12345

Read/Write User: sandeeprw, Password: sandeeprw
Read/Only User: sandeepro, Password: sandeepro
Lobby User: sandeeplobby, Password: sandeeplobby

Steps:

  1. Add ACS server to WLC as Radius server (Check this post: Configure RADIUS server on WLC
  2. Add WLC as AAA client to ACS.
  3. Create Identity Groups.
  4. Create Users and assign to respective Identity Groups
  5. Assign roles or Authorization profiles to Users
  6. Configure Access Policies for specific Users
  7. Assign the Priority order for management access.
  8. Verification

So let’s start with configuration:

Add ACS server to WLC as Radius server

Go to WLC GUI, click Security > AAA > RADIUS > Authentication. Enter the parameters specific to the RADIUS server. If we need to put accounting server info then enters the info as well.

*** Don’t forget to Check Management box.

WLC-Admin-RAdius1

Add WLC as AAA client to ACS

Login to ACS and then go to Network Resources > Network Devices and AAA Clients

Must select RADIUS check box and put the same shared secret as we did while adding ACS to WLC.

WLC-Admin-RAdius2

Create Identity Groups

Create Identity groups for different users.

These are the Groups:

Admin-Lobby
Admin-RO
Admin-RW

WLC-Admin-RAdius3

Create Users and assign to respective Identity Groups

WLC-Admin-RAdius4

Assign roles or Authorization profiles to Users

Here we will Create Authorization profile and assign the Service-Type Attribute to users to get access.

Admin Users: Administrative
Read-Only User: NAS Prompt
Lobby Users: Callback Administrative

WLC-Admin-RAdius5

WLC-Admin-RAdius6

WLC-Admin-RAdius7

Configure Access Policies for specific Users

Create Authorization rules under default Network Access:

It will look like this:

WLC-Admin-RAdius8

Assign the Priority order for management access

If WLC is configured with management users both locally & RADIUS server with the Management check box enabled. In this case, by default, when a user tries to login to the WLC, the WLC behaves in this manner:

First looks at the local management users. If the user exists in its local list, then it allows authentication for this user. If this user does not appear locally, then it looks to the RADIUS server.

Means WLC always takes precedence when compared to the RADIUS server.

Authentication Oder for management users on the WLC.

Security > Priority Order > Management User.

WLC-Admin-RAdius9

*** If LOCAL is selected as second priority, then the user will be authenticated using this method only if the method defined as the first priority (RADIUS) is unreachable.

Verification

To verify each account, we must login with different users and check it.

If we login with user (sandeeprw) then we will have full administrative access to the WLC.

Example: If we login with read only user (sandeepro) and want to modify something on WLC then this will appear:

WLC-Admin-RAdius10

Verification Logs from ACS about users attempts:

WLC-Admin-RAdius11

That’s all 🙂

Calling & Called station ID

In this post we will learn / see how there format looks like with an example. It’s very important to know these because in exam we may need to create a policy using this.

My topology:

Client~~~~~~~~~~~AP—————–Switch——————–WLC

Call1

AP Details:

Call2

Default Format:

Called-Station-ID: Normally Contains (1) the MAC address of the Access Point and (2) the SSID on which the wireless device is connecting. These 2 fields are separated by a colon.  Example: “AA-BB-CC-DD-EE-FF:SSID_NAME”.

Calling-Station-ID: Contains the MAC address of the wireless device.  Example: “AA-BB-CC-DD-EE-FF”.

Local mode AP:

Let’s see the log:

***I removed the middle part

Call3

Here our Called-Station ID is: 38-1c-1a-c5-66-20:RSCCIEW

And

Calling Station-ID: F8:16:54:20:F4:C2 (this is from ISE), Normally ACS 5.2 shows like this (F8-16-54-20-F4-C2)

HREAP Connected Mode

*** In HREAP Connected mode it’s the same as in Local mode.

Called-Station ID is: 38-1c-1a-c5-66-20:RSCCIEW

Calling Station-ID: F8-16-54-20-F4-C2

HREAP Standalone Mode

***In HREAP standalone mode its bit different:

Called-Station-ID: 381c.1ac5.6621

*** Its BSSID(We can also find it via command line: show ap wlan 802.11a/b <AP name>)

Calling Station-ID: F816.5420.F4C2

(Not mentioned SSID name in called station-id and also the last number is 21 because its add the WLAN id to its mac address)

*** My wlan id is 2.

ACS Policies based on SSID

If we need to Create Policy in ACL which needs to be include SSID then either we must use the End Station Filters or we need to create a custom profile(Policy Elements > Session Conditions > Custom)

End Station filter:

Policy > Network Conditions > End Station Filters

Create a new and enter the *SSID_Name(example – *RSCCIEW) unders CLI/DNIS.

Call4

Note: *RSCCIEW must be under DNIS but here in ACS it shows under CLI (This is due to bug-CSCtk16271).To resolve this we must click submit again to swap these entry.

Custom Profile:

Then click on Create, give the name to this custom profile.

Under Condition Tab:

We must use Dictionary: Radius-IETF

Attribute: Called-Station-ID

Policy Elements > Session Conditions > Custom

Call5

That’s all about Calling and Called Station ID 🙂 don’t have much time otherwise would love to go more in to details.

Certificate Installation on ACS

First we will start with Root CA Certificate installation:

Login to Certificate server http://<ip or xyz>/certsrv

Click on “Download a CA Certificate, certificate chain or CRL

ACS1

Select the Encoding Method „Base 64“and click on Download CA certificate.

ACS2

ACS3

Save it to a location on our file system.

Now we have Root CA, it’s time to install Root CA on ACS.

Login to ACS, go to Users and Identity Stores > External Identity Stores > Certificate Authorities

Click on Add.

ACS4

Now Browse the Root CA, tick the check box “Trust for client with EAP-TLS” (Specially for EAP-TLS authentication) otherwise we will get error…example: 12514 (Failed SSL/TLS handshake)

Then click on Submit.

ACS5

Now we will Download /Install the ACS local server Certificate:

We must use these steps:

  1. Go to System Administration > Local Certificates, then click on Add
  2. Select Generate Certificate Signing Request:
  3. Fill the Certificate Subject name, Key length. Click Submit.

ACS6

Select third option “Generate Certificate Signing Request

ACS7

Click Next.

Enter the Certificate subject name.

Choose key length to 1024 or 4096 (Max value).

ACS8

Click Finish, this prompt will popup.

ACS9

Click OK. Now we can this signing request under Outstanding signing Request.

ACS10

Now Tick the request and click Export.

ACS11

Save it and open in notepad.

ACS12

Copy it

Login backup to certificate server and this time click on Request a Certificate.

ACS13

ACS14

ACS15

Paste the certificate signing request here (Which we opened in notepad)

**Select Web Server

ACS16

Download the Base 64 coded certificate. Click “Download certificate

ACS17

ACS18

Save it.

Now login again to ACS, select Bind CA signed Certificate

ACS19

Click Next, browse the Certificate here.

Also tick EAP and Management interface and click Submit.

ACS20

ACS21

Select OK and Click Finish.

Sometime we need to reboot ACS to complete the certificate installation.

That’s all About ACS certificate installation 🙂