https://community.cisco.com/t5/network-access-control/acs-5-2-authorization-policy/m-p/1998199#M186249 <HTML><HEAD></HEAD><BODY><P>Yes ths is possible, the ssid is carried in the called station id which is an av pair sent in the access-request. The format of the called-station-id is <SSID>, so you can build your authorization policy with a compound condition of "called-station-id ends with ssid" then you can combine this with the AD1:ExternalGroups and set the permit-access or deny-access result depending on your implementation. Also the ssid is case sensitive when acs makes its decision so keep that in mind.</SSID></P><P></P><P>If you look at the authentication report in ACS you can see the ssid that I am referring to in the called-station id in the logs.</P><P></P><P>Hope that helps</P><P></P><P></P><P>Tarik Admani <BR />*Please rate helpful posts*</P></BODY></HTML> Tue, 07 Aug 2012 10:36:26 GMT Tarik Admani 2012-08-07T10:36:26Z https://community.cisco.com/t5/network-access-control/acs-5-2-authorization-policy/m-p/1998198#M186229 <P>Hello,</P><P></P><P>is there any method to control an access to the different WLAN(PEAP) on the same ACS 5.2 and WLC?</P><P></P><P>That is, there is two AD groups the one have access to domain network only the other group have access to internet only <BR />and may be third group that have access to both networks.</P><P></P><P>Currently if i add new authorization policy the user will have access to both networks... </P><P></P><P>Many thanks, in advance.</P> Mon, 11 Mar 2019 02:23:39 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-authorization-policy/m-p/1998198#M186229 Anatoly Fedchik 2019-03-11T02:23:39Z https://community.cisco.com/t5/network-access-control/acs-5-2-authorization-policy/m-p/1998199#M186249 <HTML><HEAD></HEAD><BODY><P>Yes ths is possible, the ssid is carried in the called station id which is an av pair sent in the access-request. The format of the called-station-id is <SSID>, so you can build your authorization policy with a compound condition of "called-station-id ends with ssid" then you can combine this with the AD1:ExternalGroups and set the permit-access or deny-access result depending on your implementation. Also the ssid is case sensitive when acs makes its decision so keep that in mind.</SSID></P><P></P><P>If you look at the authentication report in ACS you can see the ssid that I am referring to in the called-station id in the logs.</P><P></P><P>Hope that helps</P><P></P><P></P><P>Tarik Admani <BR />*Please rate helpful posts*</P></BODY></HTML> Tue, 07 Aug 2012 10:36:26 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-authorization-policy/m-p/1998199#M186249 Tarik Admani 2012-08-07T10:36:26Z