topic Hello,I hope this will help in Network Access Control

ACS - SSID - MAC-Filter separation

Kai Onken — Mon, 11 Mar 2019 04:33:49 GMT

Hello,

I’m trying to setup following environment:

WLC 5508 (OS 7.5)
Up to 60 Access Points 1602I
Two SSID’s are required
WPA/WPA2 Authentication is required
MAC-Filter should also be used

I’ve done the following configuration:

LAN Enviroment works
WLC Setup works also with all Access Points
SSID with WPA/WPA2 Authentication work
Clients can connect to each SSID

For the MAC Filter Setup I’m going to use an ACS 5.4 and an Active Directory. The ACS has successfully joined the Active Directory and at the active Directory I’ve create to groups:

CN=SSID1,OU=Authentication,DC=global,DC=lan

CN=SSID2,OU=Authentication,DC=global,DC=lan

These two groups I’ve selected after I joined the Active Directoy. I used the Active Directory (AD1) as an Identity group, which is used by a Network Access based Access Service. In my second step, I configured the WLC to use Radius authentication for MAC-Filter and everything works.

But now I’ve found my problem:

The ACS Server like work top down and first rule matches:

If a MAC is member of group SSID1 and the Client wants to join SSID 1 it works

If a MAC is member of group SSID2 and the Client wants to join SSID 1 it works, too. Because the rules are checkt top down first match. And the ACS will find the MAC in group SSID.

Is it possible to check at the ACS which SSID send the MAC-Filter request? or
Is it possible to get the ssid value from the Active Directory to use this value in my policies?

I would like to restrict the MACs from group SSID1 to SSID 1 and the MACs from group SSID to SSID 2.

Thanks and kind regards

Kai

Problem is solved, the caller

Kai Onken — Mon, 05 May 2014 18:37:06 GMT

Problem is solved, the caller-station-id can be used, it transfers the SSID and "contains" can be used.

Hello, I am looking for this

cmonks119 — Tue, 02 Dec 2014 19:11:51 GMT

Hello, I am looking for this config as well. Is it possible to post screenshots of ACS showing how you created your Access Policies, and how you restricted authentication by SSID (Using end-station filters for calling-station-id, DNIS??)

Thanks.

Hello,I hope this will help

Kai Onken — Wed, 03 Dec 2014 07:29:18 GMT

Hello,

I hope this will help you. The username and password will be the MAC-Address of your client wirelss device, e.g.

Username: aabbccddeeff

Password: aabbccddeeff

You've to check, in which kind you have to send the MAC Address (aa:bb:cc:dd:ee:ff, aabbcc-ddeeff, AA:BB:CC:DD:EE:FF, and so on)

The attachments will show you a sample ACS Access Policy and the "caller-station-id" configuration and the configuration of a SSID from a Cico WLC 5508.

Hi Onken, Is your problem

kamlenegi — Wed, 27 May 2015 10:06:57 GMT

Hi Onken,

Is your problem solved only basis on ACS configuration SSID "contains" , in which corporate user connect only corporate ssid and staff users connects only staff ssid?

Regards,

Kamlesh