If your situation is like mine, and your institution is using Aruba wireless hardware and Cisco ACS you will not find many resources on making the two work together. We recently implemented eduroam and wanted to make access rules in ACS dependent on which SSID a user was connecting to. With the default ACS 5.3 installation RADIUS attributes from Aruba cannot be used to create access rules.
Not knowing how to proceed, I Googled around a bit and could not find a solid answer. So I began exploring the ACS user interface, and wrote up this tutorial to share what I found. For this tutorial I am using ACS 5.3; I’m not sure how the interface differs with other versions.
First you will need to get the Aruba RADIUS dictionary file for Cisco ACS. Aruba has a page containing several dictionary files for different RADIUS servers, they are available here: http://support.arubanetworks.com/TOOLSRESOURCES/tabid/76/DMXModule/514/Default.aspx?EntryId=115
From the link above download the Dictionary for Cisco ACS. Once you have downloaded the dictionary file open it in a text editor. Next open up the web user interface for ACS and login. Once logged in navigate to System Administration > Configuration > Dictionaries > Protocols > RADIUS > RADIUS VSA screen.
We will now manually create a dictionary for the Aruba attributes, to start click the Create button at the bottom of the page. Here you the only important value is the Vendor ID. The value from the dictionary file is listed under IETF Code for Aruba the vendor ID is 14823. The other fields you may enter whatever values you would like.
After hitting the Submit button you will be returned to the Vendor Specific Dictionary page. Next click the checkbox for the Aruba definition we just created and click the Show Vendor attributes button at the bottom of the page. We will now have to add the attributes from the downloaded dictionary file. It is not necessary to add all the attributes, you can just add the attributes you are interested in using.
To add an attribute click the Create button at the bottom of the page. For the Attribute field I am using the VSA field name from the dictionary file. In this example I will enter information for Aruba-Essid-Name. You may enter whatever description you would like, for the Vendor Attribute ID field enter the VSA number for the field you are adding. Match the direction and Attribute type from the dictionary file.
If you want this attribute logged select the check box Include attribute in log and you will probably want to add a policy condition, so you can create rules biased off of this information. You can do that by selecting Add Policy Condition and typing in a name in the Policy Condition Display Name field.
Hit submit and you are done. If you checked the Include attribute in log checkbox you can then open the Monitoring & Report Viewer and verify that ACS is receiving the information correctly.
That concludes this tutorial. If you have questions please leave a comment and I’ll try to get back to you in a timely fashion.
3 thoughts on “Configuring Cisco ACS to use Aruba RADIUS Attributes”
Hi, Thanks for the informative blog.
We have an issue on configuring ACS 5.6 with Aruba Controller.
In your blog, you mentioned on configuring for Radius. How about for Tacacs+?.
Currently, we are trying to authorize users based on the role. I understand that It shd be same way as how you demonstrated. Would appreciate if you could let me know the steps for tacacs+. Thanks
Ratnam, I no longer work for the same employer and where I am at now we don’t use ACS. The last version I used was 5.4 and that was years ago, so I am not able to give you instructions using TACACS+ on ACS 5.6, sorry.
trying to locate Aruba – tacacs – attributes for ACS. (RO access)
Need to know:
SHELL & COMMAND SET.
I know RW is:
SHELL is: Aruba-Admin-Role Mandatory root
COMMAND SET is: PermitAllCommands
But I need to know what RO is.