Configuring Cisco ACS to use Aruba RADIUS Attributes

If your situation is like mine and your institution is using Aruba wireless hardware and Cisco ACS, you will not find many resources on making the two work together. We recently implemented eduroam and wanted to make access rules in ACS dependent on which SSID a user was connecting to. With the default ACS 5.3 installation, RADIUS attributes from Aruba cannot be used to create access rules.

Not knowing how to proceed, I Googled around a bit and could not find a solid answer. So I began exploring the ACS user interface, and wrote up this tutorial to share what I found. For this tutorial I am using ACS 5.3; I’m not sure how the interface differs with other versions.

First you will need to get the Aruba RADIUS dictionary file for Cisco ACS. Aruba has a page containing several dictionary files for different RADIUS servers; they are available here: http://support.arubanetworks.com/TOOLSRESOURCES/tabid/76/DMXModule/514/Default.aspx?EntryId=115

From the link above, download the Dictionary for Cisco ACS. Once you have downloaded the dictionary file, open it in a text editor. Next, open the web user interface for ACS and log in. Once logged in, navigate to the System Administration > Configuration > Dictionaries > Protocols > RADIUS > RADIUS VSA screen.

We will now manually create a dictionary for the Aruba attributes. To start, click the Create button at the bottom of the page. Here the only important value is the Vendor ID. In the dictionary file this value is listed under IETF Code; for Aruba the vendor ID is 14823. For the other fields you may enter whatever values you would like.

Create Dictionary Screen Shot

After hitting the Submit button you will be returned to the Vendor Specific Dictionary page. Next, click the checkbox for the Aruba definition we just created and click the Show Vendor attributes button at the bottom of the page. We will now have to add the attributes from the downloaded dictionary file. It is not necessary to add all the attributes; you can add just the ones you are interested in using.

To add an attribute, click the Create button at the bottom of the page. For the Attribute field I am using the VSA field name from the dictionary file. In this example I will enter information for Aruba-Essid-Name. You may enter whatever description you would like. For the Vendor Attribute ID field, enter the VSA number for the field you are adding. Match the direction and attribute type from the dictionary file.

RADIUS Dictionary Attributes Screen Shot

If you want this attribute logged, select the Include attribute in log check box. You will probably also want to add a policy condition so you can create rules based off of this information. You can do that by selecting Add Policy Condition and typing a name in the Policy Condition Display Name field.

Hit Submit and you are done. If you checked the Include attribute in log checkbox, you can then open the Monitoring & Report Viewer and verify that ACS is receiving the information correctly.

Report Viewer Screen Shot
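To show how the Vendor ID and Vendor Attribute ID entered above map onto what the controller sends, here is an added example (not part of the original tutorial) that decodes Vendor-Specific attributes (RADIUS type 26, RFC 2865) from a raw attribute block and rejects malformed lengths. The sub-attribute number 5 for Aruba-Essid-Name is an assumption taken from the public FreeRADIUS dictionary.aruba, the function names are hypothetical, and the sample bytes are constructed.

```python
import struct

VENDOR_SPECIFIC = 26      # RADIUS attribute type for VSAs (RFC 2865, section 5.26)
ARUBA_VENDOR_ID = 14823   # Vendor ID from the tutorial above
# Assumption: sub-attribute number from the public FreeRADIUS dictionary.aruba;
# confirm it against the dictionary file you downloaded.
ARUBA_VSA_NAMES = {5: "Aruba-Essid-Name"}

def parse_vsas(attrs: bytes):
    """Yield (vendor_id, vendor_type, value) for each VSA in a RADIUS attribute block."""
    pos = 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_len < 2 or pos + a_len > len(attrs):
            raise ValueError(f"bad attribute length {a_len} at offset {pos}")
        body = attrs[pos + 2:pos + a_len]
        pos += a_len
        if a_type != VENDOR_SPECIFIC:
            continue                      # skip standard attributes such as User-Name
        if len(body) < 4:
            raise ValueError("VSA too short for a Vendor-Id")
        (vendor_id,) = struct.unpack("!I", body[:4])
        sub, i = body[4:], 0
        while i < len(sub):               # one VSA may carry several sub-attributes
            if len(sub) - i < 2:
                raise ValueError("truncated sub-attribute header")
            v_type, v_len = sub[i], sub[i + 1]
            if v_len < 2 or i + v_len > len(sub):
                raise ValueError(f"bad sub-attribute length {v_len}")
            yield vendor_id, v_type, sub[i + 2:i + v_len]
            i += v_len

def aruba_attributes(attrs: bytes) -> dict:
    """Return the Aruba VSAs in the block, keyed by name (or number if unknown)."""
    return {ARUBA_VSA_NAMES.get(t, t): v.decode("utf-8", "replace")
            for vid, t, v in parse_vsas(attrs) if vid == ARUBA_VENDOR_ID}

def make_vsa(vendor_id: int, v_type: int, value: bytes) -> bytes:
    """Helper that builds one VSA for the constructed sample below."""
    sub = bytes([v_type, len(value) + 2]) + value
    return bytes([VENDOR_SPECIFIC, len(sub) + 6]) + struct.pack("!I", vendor_id) + sub

# Constructed sample: User-Name (type 1) followed by an Aruba VSA.
SAMPLE = b"\x01\x07alice" + make_vsa(ARUBA_VENDOR_ID, 5, b"eduroam")
```

Calling `aruba_attributes(SAMPLE)` returns the SSID under the name ACS would show once the attribute is defined; the same function can be pointed at the attribute bytes of a captured Access-Request when the Report Viewer shows nothing.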

That concludes this tutorial. If you have questions please leave a comment and I’ll try to get back to you in a timely fashion.

Extracting Geotag Information from Jpeg Images in Java.

While working on a project recently, I ran into a need to be able to extract geotag information from a jpeg image. I’ve seen many applications that do this so I figured it had to be a solved problem.

After a few minutes of searching I found two libraries that looked promising: Apache Commons Imaging and Drew Noakes’s Metadata-Extractor. The Apache library hasn’t been updated since 2009 and when trying to download it, I get a 404 error. So I quickly gave up on that library.

Next I tried the Metadata-Extractor; this library is very robust and has options for reading all sorts of exif tags.  I played around a bit with the library and quickly decided I didn’t need the majority of the library’s functions for my project.  Rather than importing the whole library and only using a bit of it, I thought that I would create a slimmed down version.  I condensed the library down to two classes.  Of course much of the functionality has been cut away, but for extracting the geotag information from a jpeg image, it works great.  It fits cleanly into my project and I suspect it will for other projects as well.

So if you have a Java project that requires extracting only geotag information from jpeg images, check out my project on GitHub at: https://github.com/alecdhuse/Java-Jpeg-Geotag-Reader  If you are looking for something with more features, check out the Metadata Extractor at: http://drewnoakes.com/code/exif/  Thanks to Drew Noakes for all the hard initial work!