topic Yes you can do this as well in Wireless

Profile Wi-Fi users by authentication type

GW M — Mon, 05 Jul 2021 11:55:37 GMT

Is it possible to profile Wi-Fi users by authentication type (i.e. EAP-TLS, EAP-PEAP) with ability to segment via VLAN or through the use of ACL’s restricting access for non-corporate devices (BYOD) and corporate assets? For example, EAP-PEAP users (BYOD) would be restricted to just the Internet through an ACL or segmented VLAN while corporate assets using EAP-TLS would be allowed to Intranet resources in the same manner. Today, both non-corporate devices (BYOD) and corporate assets use the same SSID and the customer would like to keep the same SSID for both if possible.

We are using Cisco Wireless LAN Controller (WLC) 2504 and 5508 running Release 7.6

Thanks

Gregg

Yes you can do it but you

Sandeep Choudhary — Thu, 21 Apr 2016 12:11:43 GMT

Yes you can do it but you will need a RADIUS server to create policies.

How to do it:

http://www.labminutes.com/sec0186_ise_13_wireless_dot1x_eap-tls_peap_1

....and further videos on web.

Regards

Don't forget to rate helpful posts

We aren't using 802.1x. We

GW M — Thu, 21 Apr 2016 12:16:20 GMT

We aren't using 802.1x. We want to handle this thru the profile for the wireless user. Plus, I'm not paying money for a video but thanks anyway.

Greg

You can also use the OU in

George Stefanick — Thu, 21 Apr 2016 12:23:38 GMT

You can also use the OU in the cert to build policy's.

802.1X is the frame work used

George Stefanick — Thu, 21 Apr 2016 12:25:18 GMT

802.1X is the frame work used by peap and TLS. If you are using peap and TLS you are usin 802.1X.

Correct.. we do.

GW M — Thu, 21 Apr 2016 12:31:20 GMT

Correct.. we do.

Ok.

George Stefanick — Thu, 21 Apr 2016 12:35:14 GMT

Ok.

Vlan moving for example is handle by using radius attributes. You build authentication and authorization policies to make this happen. Example if user x uses cert then move them to vlan 5. If user x users peap move them to vlan 10.

This is magic happens on the radius server ..

Can we leverage an ACL per

GW M — Thu, 21 Apr 2016 12:41:26 GMT

Can we leverage an ACL per authentication type, given that we don't have VLAN trunking implemented and all users go thru the same VLAN? Also, are you aware of any issues being able to implement this using Cisco Wireless LAN Controller (WLC) 2504 and 5508 running Release 7.6?

Thanks

Gregg

Yes you can do this as well

George Stefanick — Thu, 21 Apr 2016 12:47:36 GMT

Yes you can do this as well using a radius attribute.

1. The acl would live on the WLC. Sounds like you would have 2. One for peap and one for TLS.

2. You create a policy in radius that says if users x comes in with TLS apply this name acl. That name matches the one in the WLC. When the radius success is returned to to the WLC that radius attribute with acl name is inside. So client goes into run state and the WLC apples that acl.

Make sense ?

Since this his is radius backend stuff I don't think the 7.6 version is a problem.

Make sense. I will give it a

GW M — Thu, 21 Apr 2016 12:49:49 GMT

Make sense. I will give it a try

Thank you

Gregg

Thank you for the rating ..

George Stefanick — Thu, 21 Apr 2016 12:52:43 GMT

Thank you for the rating .. Check back if you have problems ..