Chapter 4 Common Scenarios Using ACS

Agentless Network Access

Internal users

Active Directory

You can also access Active Directory through the LDAP API.

You can use the Internal Users identity store for Host Lookup in cases where the relevant host is already listed in the Internal Users identity store, and you prefer not to move the data to the Internal Hosts identity store.

ACS uses the MAC format XX-XX-XX-XX-XX-XX and performs no other conversions. To search the Internal Users identity store using the User-Name attribute exactly as received (for example, xx:xx:xx:xx:xx:xx), leave the Process Host Lookup option unchecked; ACS then handles the request as a PAP request.

When MAC address authentication over PAP or EAP-MD5 is not detected according to the Host Lookup configuration, authentication and authorization occur like regular user authentication over PAP or EAP-MD5. You can use any identity store that supports these authentication protocols. ACS uses the MAC address format as presented in the RADIUS User-Name attribute.

Related Topics

Creating an Access Service for Host Lookup, page 4-18

Viewing and Performing Bulk Operations for Internal Identity Store Hosts, page 8-18

Managing Users and Identity Stores, page 8-1

Authentication with Call Check, page 4-14

Authentication with Call Check

When ACS identifies a network access request with the call check attribute as Host Lookup (RADIUS::ServiceType = 10), ACS authenticates (validates) and authorizes the host by looking up the value in the Calling-Station-ID attribute (for example, the MAC address) in the configured identity store according to the authentication policy.

When ACS receives a RADIUS message, it performs basic parsing and validation, and then checks whether the Service-Type attribute (RADIUS attribute 6) is equal to the value 10 (Call Check). If the Service-Type is equal to 10, ACS sets the system dictionary attribute UseCase to the value Host Lookup.

In the ACS packet processing flow, the detection of Host Lookup according to Call Check service-type is done before the service selection policy. It is possible to use the condition UseCase equals Host Lookup in the service selection policy.

Initially, when RADIUS requests are processed, the RADIUS User-Name attribute is copied to the System UserName attribute. When the RADIUS Service-Type equals 10, the RADIUS Calling-Station-ID attribute is copied to the System UserName attribute instead, and it overrides the value taken from the RADIUS User-Name attribute.

ACS supports four MAC address formats:

Six groups of two hexadecimal digits, separated by hyphens—01-23-45-67-89-AB

Six groups of two hexadecimal digits, separated by colons—01:23:45:67:89:AB

Three groups of four hexadecimal digits, separated by dots—0123.4567.89AB

Twelve consecutive hexadecimal digits without any separators—0123456789AB

If the Calling-Station-ID attribute is one of the four supported MAC address formats above, ACS copies it to the User-Name attribute with the format of XX-XX-XX-XX-XX-XX. If the MAC address is in a format other than one of the four above, ACS copies the string as is.
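The following is an added example, not code from the ACS product or this guide. It models the Call Check handling described above: detect Service-Type 10, set UseCase to Host Lookup, copy Calling-Station-ID over the System UserName, and normalize the four recognized MAC formats to XX-XX-XX-XX-XX-XX while passing any other string through unchanged. The RadiusRequest and SystemAttributes classes are constructed stand-ins for the parsed RADIUS packet and the ACS system dictionary, the sample requests are constructed, and uppercasing of the hex digits in the normalized form is an assumption taken from the examples on the page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# RADIUS Service-Type attribute is type 6; the value 10 is Call Check.
SERVICE_TYPE_CALL_CHECK = 10
USECASE_HOST_LOOKUP = "Host Lookup"

_HEX = "[0-9A-Fa-f]"
# The four MAC address formats the page says ACS recognizes.
_MAC_PATTERNS = (
    re.compile(rf"^{_HEX}{{2}}(?:-{_HEX}{{2}}){{5}}$"),   # 01-23-45-67-89-AB
    re.compile(rf"^{_HEX}{{2}}(?::{_HEX}{{2}}){{5}}$"),   # 01:23:45:67:89:AB
    re.compile(rf"^{_HEX}{{4}}(?:\.{_HEX}{{4}}){{2}}$"),  # 0123.4567.89AB
    re.compile(rf"^{_HEX}{{12}}$"),                        # 0123456789AB
)


def normalize_mac(value: str) -> str:
    """Return value as XX-XX-XX-XX-XX-XX if it is one of the four supported
    formats; otherwise return the string unchanged, as the page describes.
    Uppercasing the hex digits is an assumption, not stated on the page."""
    if not any(p.match(value) for p in _MAC_PATTERNS):
        return value
    digits = re.sub(r"[^0-9A-Fa-f]", "", value).upper()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class RadiusRequest:
    """Constructed stand-in for a parsed Access-Request; only the attributes
    discussed on the page are modelled."""
    user_name: str
    calling_station_id: Optional[str] = None
    service_type: Optional[int] = None


@dataclass
class SystemAttributes:
    """Hypothetical model of the ACS system dictionary values set before
    service selection runs."""
    user_name: str
    use_case: Optional[str] = None


def process_request(req: RadiusRequest) -> SystemAttributes:
    """Apply the Call Check detection flow from the page, in order."""
    # Step 1: User-Name is always copied to System UserName first.
    attrs = SystemAttributes(user_name=req.user_name)
    # Step 2: Call Check detection happens before the service selection policy.
    if req.service_type == SERVICE_TYPE_CALL_CHECK:
        attrs.use_case = USECASE_HOST_LOOKUP
        # Calling-Station-ID overrides the User-Name value, normalized when it
        # is in a recognized MAC format. Behaviour when Calling-Station-ID is
        # absent is not stated on the page; keeping User-Name is an assumption.
        if req.calling_station_id is not None:
            attrs.user_name = normalize_mac(req.calling_station_id)
    return attrs


def is_host_lookup(attrs: SystemAttributes) -> bool:
    """The condition 'UseCase equals Host Lookup' usable in service selection."""
    return attrs.use_case == USECASE_HOST_LOOKUP


if __name__ == "__main__":
    # Constructed sample requests: a Call Check from a switch, and a plain
    # PAP login that carries a MAC in User-Name but no Call Check service type.
    samples = [
        RadiusRequest("host/printer", "0123.4567.89ab", SERVICE_TYPE_CALL_CHECK),
        RadiusRequest("01:23:45:67:89:AB", "01:23:45:67:89:AB", 1),
    ]
    for req in samples:
        attrs = process_request(req)
        print(f"{req!r} -> UserName={attrs.user_name} HostLookup={is_host_lookup(attrs)}")
```

The second sample is the case described for the Internal Users store: without Service-Type 10 the colon-separated User-Name is left untouched and the request is treated as an ordinary PAP authentication rather than a Host Lookup.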


User Guide for Cisco Secure Access Control System 5.3

4-14

OL-24201-01
