If your situation is like mine, and your institution is using Aruba wireless hardware and Cisco ACS, you will not find many resources on making the two work together. We recently implemented eduroam and wanted to make access rules in ACS dependent on which SSID a user was connecting to. With the default ACS 5.3 installation, RADIUS attributes from Aruba cannot be used to create access rules.
Not knowing how to proceed, I Googled around a bit and could not find a solid answer. So I began exploring the ACS user interface, and wrote up this tutorial to share what I found. For this tutorial I am using ACS 5.3; I’m not sure how the interface differs with other versions.
First you will need to get the Aruba RADIUS dictionary file for Cisco ACS. Aruba has a page containing several dictionary files for different RADIUS servers; they are available here: http://support.arubanetworks.com/TOOLSRESOURCES/tabid/76/DMXModule/514/Default.aspx?EntryId=115
From the link above, download the Dictionary for Cisco ACS. Once you have downloaded the dictionary file, open it in a text editor. Next, open the ACS web user interface and log in. Once logged in, navigate to the System Administration > Configuration > Dictionaries > Protocols > RADIUS > RADIUS VSA screen.
We will now manually create a dictionary for the Aruba attributes. To start, click the Create button at the bottom of the page. Here the only important value is the Vendor ID. In the dictionary file it is listed under IETF Code; for Aruba the vendor ID is 14823. For the other fields you may enter whatever values you would like.
After hitting the Submit button you will be returned to the Vendor Specific Dictionary page. Next, click the checkbox for the Aruba definition we just created and click the Show Vendor attributes button at the bottom of the page. We will now have to add the attributes from the downloaded dictionary file. It is not necessary to add all of them; you can add only the attributes you are interested in using.
To add an attribute, click the Create button at the bottom of the page. For the Attribute field I am using the VSA field name from the dictionary file; in this example I will enter the information for Aruba-Essid-Name. You may enter whatever description you would like. For the Vendor Attribute ID field, enter the VSA number for the field you are adding, and match the Direction and Attribute Type to the dictionary file.
If you want this attribute logged, select the Include attribute in log checkbox. You will probably also want to add a policy condition so you can create rules based on this information; do that by selecting Add Policy Condition and typing a name in the Policy Condition Display Name field.
Hit Submit and you are done. If you checked the Include attribute in log checkbox, you can then open the Monitoring & Report Viewer and verify that ACS is receiving the information correctly.
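To make concrete what the Vendor ID, VSA number and attribute type you just entered actually do, here is an added Python example (not from the original post, Aruba or Cisco) that encodes an Aruba VSA the way it travels inside RADIUS attribute 26, decodes it through a miniature vendor dictionary, and applies the ESSID policy condition. The VSA number 5 for Aruba-Essid-Name is an assumption to be confirmed against the downloaded dictionary file, and the user name and SSID in the sample are constructed.

```python
import struct

VENDOR_SPECIFIC = 26      # RFC 2865 attribute type that carries every VSA
ARUBA_VENDOR_ID = 14823   # the Vendor ID entered in the ACS dictionary

# Stand-in for the ACS vendor dictionary: VSA number -> (attribute name, type).
# Aruba-Essid-Name as VSA 5 is an assumption; confirm it in the downloaded file.
DICTIONARIES = {ARUBA_VENDOR_ID: {5: ("Aruba-Essid-Name", "string")}}

def build_vsa(vendor_id, vsa_type, value):
    """Encode one Vendor-Specific attribute in the vendor-type/vendor-length/
    value sub-format Aruba uses. Both length bytes count their own header."""
    sub = struct.pack("!BB", vsa_type, len(value) + 2) + value
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body

def decode_vsas(data, dictionaries=DICTIONARIES):
    """Walk a RADIUS attribute list and resolve VSAs through the dictionaries.
    Without an entry the value stays opaque bytes, which is why stock ACS cannot
    build rules on Aruba attributes."""
    found, offset = {}, 0
    while offset < len(data):
        attr_type, attr_len = struct.unpack_from("!BB", data, offset)
        if attr_len < 2 or offset + attr_len > len(data):
            raise ValueError("malformed attribute at offset %d" % offset)
        payload = data[offset + 2:offset + attr_len]
        offset += attr_len
        if attr_type != VENDOR_SPECIFIC:
            continue
        vendor_id = struct.unpack_from("!I", payload)[0]
        pos = 4
        while pos < len(payload):
            vsa_type, vsa_len = struct.unpack_from("!BB", payload, pos)
            if vsa_len < 2 or pos + vsa_len > len(payload):
                raise ValueError("malformed VSA for vendor %d" % vendor_id)
            raw = payload[pos + 2:pos + vsa_len]
            pos += vsa_len
            name, kind = dictionaries.get(vendor_id, {}).get(
                vsa_type, ("Vendor-%d-Attr-%d" % (vendor_id, vsa_type), "octets"))
            found[name] = raw.decode("utf-8") if kind == "string" else raw
    return found

def essid_condition(attrs, allowed_essid):
    """The policy condition from the tutorial: only requests that arrive
    via the named SSID match the access rule."""
    return attrs.get("Aruba-Essid-Name") == allowed_essid

# Constructed sample: User-Name (type 1) followed by the Aruba ESSID VSA.
SAMPLE = (struct.pack("!BB", 1, 2 + len(b"alice@campus")) + b"alice@campus"
          + build_vsa(ARUBA_VENDOR_ID, 5, b"eduroam"))
```

Running `decode_vsas(SAMPLE)` yields the named attribute that ACS shows in the Monitoring & Report Viewer once the dictionary entry exists; a VSA from a vendor without a dictionary is returned under a generic name with its raw bytes, and a truncated attribute list is rejected rather than silently misread.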
That concludes this tutorial. If you have questions please leave a comment and I’ll try to get back to you in a timely fashion.