topic restriction base on ssid in Wireless

restriction base on ssid

Christos Stefaneskou — Sun, 04 Jul 2021 03:31:50 GMT

Hello,

I have 4 autonomous AP 1142 with 2 ssids : SSID10,vlan10 & SSID20,vlan 20.

I use ACS 4.2 in order to authenticate users (EAP-FAST).How can i restrict access base on ssid or on vlan?

I want users that connect to SSID 10 to not have access to SSID 20 and the opposite.

Any suggestions?

Thanks in advance.

restriction base on ssid

Surendra BG — Sat, 06 Aug 2011 00:35:11 GMT

Broadcast 1 SSID and do not broadcast another.. or you can block them on the L3 device by configuring ACLs..

Please dont forget to rate the usefull posts!!

Regards

Surendra

restriction base on ssid

pcroak — Sat, 06 Aug 2011 00:39:50 GMT

Christos,

You can also leverage cisco av-pairs to restrict users/groups based on ssid on the ACS.

On the ACS:

Go into the user or group and check 'cisco-av-pair' and then put in 
'ssid=SSID10' (without quotes) to restrict the user. If this attribute 
does not appear on the user or group you want to test, please be sure 
you it turned on under Interface Config --> Radius (Cisco IOS/PIX 
6.x)--> cisco-av-pair is checked on user/group. If it is still not 
showing up under a user, please be sure that you have 'Per-user 
TACACS+/RADIUS Attributes' turned on under Interface Config --> Advanced 
Options.

-Patrick Croak
Wireless TAC

restriction base on ssid

Christos Stefaneskou — Sat, 06 Aug 2011 11:45:27 GMT

Thanks for your answers.

I tried to restrict access using NARs without success.

I'will try the solution that you suggested (cisco av-pairs) and i'll inform you.

Regards.

restriction base on ssid

Christos Stefaneskou — Sat, 06 Aug 2011 12:14:38 GMT

Patrick,

Should i use the command "radius-server vsa send authentication" in order to enable av-pairs in access points requests?

restriction base on ssid

pcroak — Sat, 06 Aug 2011 16:28:50 GMT

Christos,

Yes, you should have radius-server vsa send authentication configured to send the av-pairs to your server.

You can see if the ssid is being sent by capturing the following debugs when trying to connect:

debug aaa authentication
debug aaa authorization
debug radius
debug dot1x all

-Patrick

restriction base on ssid

Christos Stefaneskou — Sun, 07 Aug 2011 16:48:29 GMT

One more question Patrick,

In my case, should i enable the vendor proprietary attributes with the command " radius-server host xxx.xxx.xxx nonstandard "? Is any other configuration exept the above that i should use on the AP?

Have you tryied this scenario using NAR?

I will test it probably in 3 days so i'll let you know about the result..

Thanks for your help,

Best regards.

restriction base on ssid

Christos Stefaneskou — Fri, 12 Aug 2011 18:46:09 GMT

5 stars for your answer Patrick!

Your solution works perfect...

The problem i have now is that the clients doesn't get valid DNS server..We are using ACS to act as DHCP and serve ips for the 2 ssids.The clients get a valid ip but the DNS on client appears in HEX.

Thanks for your help.

Regards.