https://community.cisco.com/t5/wireless/active-directory-and-acs-5-2-0-26/m-p/2270423#M34310 <HTML><HEAD></HEAD><BODY><P><STRONG>In order to restrict access for a specific AD group to specific SSID this is what you need to perform.</STRONG></P><P></P><P>When the WLC sends an authentication request to the&nbsp; ACS, it will include&nbsp; the SSID that the user is connecting to, in the&nbsp; attribute&nbsp; Calling-Station-Id(31). We can use this information to create&nbsp; multiple&nbsp; rules in ACS 5.x in order to take actions based on the&nbsp; information&nbsp; contained in the attribute. </P><P></P><P>Under the&nbsp; Users and Indetity Stores &gt; click on Directory Groups &gt; select&nbsp; &gt; check the group name you want to add and hit ok. Save the changes.</P><P></P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/7/6/5/137567-AD.png" class="jive-image" /></P><P></P><P>We&nbsp; just need to&nbsp; create a DNIS rule that includes the name of the SSID and&nbsp; use it as a&nbsp; condition in any rule that we create for authentication.&nbsp; The * is&nbsp; required because the attribute not only contains the SSID but&nbsp; also a MAC&nbsp; address so the * is use as a regular expression. </P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/5/6/5/137565-end-station.png" class="jive-image" /> </P><P>Now go to access-policies &gt; default-network access &gt; identity should be AD1.</P><P>Go&nbsp; to authorization &gt; click on customize &gt; move the&nbsp; AD1:ExternalGroups and end-station filter attribute on the right side&nbsp; and hit ok.</P><P></P><P>After that slect the appropriate ad group for teachers and end-station filter.</P><P>Save changes.</P><P></P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/4/6/5/137564-access-policy.png" class="jive-image" /></P><P></P><P>Jatin Katyal <BR />- Do rate helpful posts -</P></BODY></HTML> Wed, 01 May 2013 19:37:08 GMT Jatin Katyal 2013-05-01T19:37:08Z https://community.cisco.com/t5/wireless/active-directory-and-acs-5-2-0-26/m-p/2270421#M34308 <P>I want to create an SSID that will only allow teachers to authenticate at my school.&nbsp; Is this possible using ACS?&nbsp; In other words can ACS allow only certain groups in AD access to a particular SSID or subnet?</P><P></P><P>Thanks for any suggestions.</P> Sun, 04 Jul 2021 07:00:46 GMT https://community.cisco.com/t5/wireless/active-directory-and-acs-5-2-0-26/m-p/2270421#M34308 tdaly 2021-07-04T07:00:46Z https://community.cisco.com/t5/wireless/active-directory-and-acs-5-2-0-26/m-p/2270422#M34309 <HTML><HEAD></HEAD><BODY><P>In order to restrict access for a specific AD group to specific SSID this is what you need to perform.</P><P></P><P>When the WLC sends an authentication request to the ACS, it will include&nbsp; the SSID that the user is connecting to, in the attribute&nbsp; Calling-Station-Id(31). We can use this information to create multiple&nbsp; rules in ACS 5.x in order to take actions based on the information&nbsp; contained in the attribute. </P><P></P><P>Under the Users and Indetity Stores &gt; click on Directory Groups &gt; select &gt; check the group name you want to add and hit ok. Save the changes.</P><P></P><P><IMG src="https://community.cisco.com/" /></P><P></P><P> We just need to&nbsp; create a DNIS rule that includes the name of the SSID and use it as a&nbsp; condition in any rule that we create for authentication. The * is&nbsp; required because the attribute not only contains the SSID but also a MAC&nbsp; address so the * is use as a regular expression. </P><P></P><P><IMG src="https://community.cisco.com/" /></P><P></P><P>Now go to access-policies &gt; default-network access &gt; identity should be AD1.</P><P>Go to authorization &gt; click on customize &gt; move the AD1:ExternalGroups and end-station filter attribute on the right side and hit ok.</P><P></P><P>After that slect the appropriate ad group for teachers and end-station filter.</P><P>Save changes.</P><P></P><P><IMG src="https://community.cisco.com/" /></P><P></P><P>Jatin Katyal <BR />- Do rate helpful posts -</P></BODY></HTML> Wed, 01 May 2013 19:24:53 GMT https://community.cisco.com/t5/wireless/active-directory-and-acs-5-2-0-26/m-p/2270422#M34309 Jatin Katyal 2013-05-01T19:24:53Z https://community.cisco.com/t5/wireless/active-directory-and-acs-5-2-0-26/m-p/2270423#M34310 <HTML><HEAD></HEAD><BODY><P><STRONG>In order to restrict access for a specific AD group to specific SSID this is what you need to perform.</STRONG></P><P></P><P>When the WLC sends an authentication request to the&nbsp; ACS, it will include&nbsp; the SSID that the user is connecting to, in the&nbsp; attribute&nbsp; Calling-Station-Id(31). We can use this information to create&nbsp; multiple&nbsp; rules in ACS 5.x in order to take actions based on the&nbsp; information&nbsp; contained in the attribute. </P><P></P><P>Under the&nbsp; Users and Indetity Stores &gt; click on Directory Groups &gt; select&nbsp; &gt; check the group name you want to add and hit ok. Save the changes.</P><P></P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/7/6/5/137567-AD.png" class="jive-image" /></P><P></P><P>We&nbsp; just need to&nbsp; create a DNIS rule that includes the name of the SSID and&nbsp; use it as a&nbsp; condition in any rule that we create for authentication.&nbsp; The * is&nbsp; required because the attribute not only contains the SSID but&nbsp; also a MAC&nbsp; address so the * is use as a regular expression. </P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/5/6/5/137565-end-station.png" class="jive-image" /> </P><P>Now go to access-policies &gt; default-network access &gt; identity should be AD1.</P><P>Go&nbsp; to authorization &gt; click on customize &gt; move the&nbsp; AD1:ExternalGroups and end-station filter attribute on the right side&nbsp; and hit ok.</P><P></P><P>After that slect the appropriate ad group for teachers and end-station filter.</P><P>Save changes.</P><P></P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/4/6/5/137564-access-policy.png" class="jive-image" /></P><P></P><P>Jatin Katyal <BR />- Do rate helpful posts -</P></BODY></HTML> Wed, 01 May 2013 19:37:08 GMT https://community.cisco.com/t5/wireless/active-directory-and-acs-5-2-0-26/m-p/2270423#M34310 Jatin Katyal 2013-05-01T19:37:08Z https://community.cisco.com/t5/wireless/active-directory-and-acs-5-2-0-26/m-p/2270424#M34311 <HTML><HEAD></HEAD><BODY><P>Thank you so much.&nbsp; This worked perfectly.&nbsp; Your instuctions and screenshots made it very easy.</P></BODY></HTML> Thu, 02 May 2013 11:14:36 GMT https://community.cisco.com/t5/wireless/active-directory-and-acs-5-2-0-26/m-p/2270424#M34311 tdaly 2013-05-02T11:14:36Z https://community.cisco.com/t5/wireless/active-directory-and-acs-5-2-0-26/m-p/2270425#M34312 <HTML><HEAD></HEAD><BODY><P>Glad!!! Have a blessed day.</P><P></P><P></P><P>Jatin Katyal <BR />- Do rate helpful posts -</P></BODY></HTML> Thu, 02 May 2013 11:18:58 GMT https://community.cisco.com/t5/wireless/active-directory-and-acs-5-2-0-26/m-p/2270425#M34312 Jatin Katyal 2013-05-02T11:18:58Z