https://community.cisco.com/t5/network-access-control/acs-5-2-allow-only-specified-client-cert/m-p/1782669#M228743 <HTML><HEAD></HEAD><BODY><P>Why not use a single SSID and use dynamic vlan assignments to allow only certain clients to go to certain wlans? You can use the end station filters as a Mac list and set up a policy to restrict them to certain wlans.</P><P></P><P>Sent from Cisco Technical Support iPad App</P></BODY></HTML> Thu, 22 Sep 2011 05:02:28 GMT ewood2624 2011-09-22T05:02:28Z https://community.cisco.com/t5/network-access-control/acs-5-2-allow-only-specified-client-cert/m-p/1782666#M228638 <P>Hi there</P><P></P><P>I would like to implement a policy, where I specify which client cert (CN name) is allowed. Let's say we have 2 SSID's and 2 different client certs:</P><P></P><P>- client1.domain.com should only be allowed to connect to SSID1</P><P>- client2.domain.com should only be allowed do connect to SSID2</P><P></P><P>Both SSID's use machine certs for EAP-TLS and both certs are issued by the same CA cert. Does anybody know how to specify this in ACS 5.2?</P><P></P><P>Thanks in advance and best regards</P><P>Dominic</P> Mon, 11 Mar 2019 01:25:22 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-allow-only-specified-client-cert/m-p/1782666#M228638 Dominic Stalder (old profile) 2019-03-11T01:25:22Z https://community.cisco.com/t5/network-access-control/acs-5-2-allow-only-specified-client-cert/m-p/1782667#M228687 <HTML><HEAD></HEAD><BODY><P>This should be possible </P><P></P><P>You can make conditions based on the CN name as follows:</P><P>- Create a custom conditon. Policy Elements &gt; Session Conditions &gt; Custom. Select "Certificate Dictionary" and attribute "Common Name". Give it a name. Once you do this you can create a condition based on this in policies</P><P></P><P>Do you have a RADIUS attribute to extract the SSID? Is it in the "“Called-Station-ID" field</P><P></P><P>Then create authorization policy:</P><P>- If "Common Name" equals "client1.domain.com"&nbsp; and "SSID" equals SSID1&nbsp; then "Allow Access"</P><P>- If "Common Name" equals "client1.domain.com"&nbsp; and "SSID" equals "Any"&nbsp; then "Deny Access"</P><P>- If "Common Name" equals "client2.domain.com"&nbsp; and "SSID" equals SSID2&nbsp; then "Allow Access"</P><P>- If "Common Name" equals "client2.domain.com"&nbsp; and "SSID" equals "Any"&nbsp; then "Deny Access"</P></BODY></HTML> Wed, 21 Sep 2011 16:20:21 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-allow-only-specified-client-cert/m-p/1782667#M228687 jrabinow 2011-09-21T16:20:21Z https://community.cisco.com/t5/network-access-control/acs-5-2-allow-only-specified-client-cert/m-p/1782668#M228716 <HTML><HEAD></HEAD><BODY><P>Hi jrabinow</P><P></P><P>thanks a lot for your very quick response - I will try this next week when I am onsite again and will update this thread.</P><P></P><P>I extract the SSID with a "end station filter" (link to the thread where I got the information from: </P><P><A class="jive-link-external-small" href="https://community.cisco.com/message/3231646#3231646">https://supportforums.cisco.com/message/3231646</A><SPAN>).</SPAN></P><P></P><P>Best regards</P><P>Dominic</P></BODY></HTML> Wed, 21 Sep 2011 16:53:24 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-allow-only-specified-client-cert/m-p/1782668#M228716 Dominic Stalder (old profile) 2011-09-21T16:53:24Z https://community.cisco.com/t5/network-access-control/acs-5-2-allow-only-specified-client-cert/m-p/1782669#M228743 <HTML><HEAD></HEAD><BODY><P>Why not use a single SSID and use dynamic vlan assignments to allow only certain clients to go to certain wlans? You can use the end station filters as a Mac list and set up a policy to restrict them to certain wlans.</P><P></P><P>Sent from Cisco Technical Support iPad App</P></BODY></HTML> Thu, 22 Sep 2011 05:02:28 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-allow-only-specified-client-cert/m-p/1782669#M228743 ewood2624 2011-09-22T05:02:28Z