dwysocki
New Contributor

RSSO - Cisco WLC

We are trying to setup the RSSO with our cisco wlc.

 

We are sending the radius accounting traffic to the fortigate.

 

We are seeing the user_names in the  logs but the groups are not showing.

 

Our users connect to the cisco WLC and are auth with the cisco ACS.

I have configured the ACS to send the WLC the correct class attribute, however we hare seeing two class attributes come from the WLC.

 

61,07:45:16,"10.80.0.254""*****blanked out username****","allow","no log","wifi-staff+CACS:ACS1/311035611/31113113",1,No

 

ACS1 is the name of our Cisco ACS radius server.

I have also tried sending the accounting traffic from our WLC to NPS and then to the Fortigate.

 

Same issue.

Is it possible to use a wildcard in the sso-attribute-value?

 

config user radius edit "RSSO Agent" set rsso enable set rsso-radius-response enable set rsso-validate-request-secret enable set rsso-secret ENC  set rsso-endpoint-attribute User-Name next end

 

edit "RSSO-Wifi-Students" set group-type rsso set sso-attribute-value "wifi-students" next edit "RSSO-Wifi-Staff" set group-type rsso set sso-attribute-value "wifi-staff*" next edit "RSSO-Wifi-PHS-Students" set group-type rsso set sso-attribute-value "wifi-phs-students" next

2 REPLIES 2
pami
New Contributor

Hi,

No wildcards, class needs to match the string defined for the rsso-group exactly.

ShawnZA
Contributor II

Hi, I am also trying the same thing. How do you send the Accounting info from the ACS server to the fortigate?