09-21-2011 08:47 AM - edited 03-10-2019 06:25 PM
Hi there
I would like to implement a policy, where I specify which client cert (CN name) is allowed. Let's say we have 2 SSID's and 2 different client certs:
- client1.domain.com should only be allowed to connect to SSID1
- client2.domain.com should only be allowed do connect to SSID2
Both SSID's use machine certs for EAP-TLS and both certs are issued by the same CA cert. Does anybody know how to specify this in ACS 5.2?
Thanks in advance and best regards
Dominic
09-21-2011 09:20 AM
This should be possible
You can make conditions based on the CN name as follows:
- Create a custom condition. Policy Elements > Session Conditions > Custom. Select "Certificate Dictionary" and attribute "Common Name". Give it a name. Once you do this you can create a condition based on this in policies
Do you have a RADIUS attribute to extract the SSID? Is it in the "Called-Station-ID" field?
Then create authorization policy:
- If "Common Name" equals "client1.domain.com" and "SSID" equals SSID1 then "Allow Access"
- If "Common Name" equals "client1.domain.com" and "SSID" equals "Any" then "Deny Access"
- If "Common Name" equals "client2.domain.com" and "SSID" equals SSID2 then "Allow Access"
- If "Common Name" equals "client2.domain.com" and "SSID" equals "Any" then "Deny Access"
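The rule set in the answer above is a top-down, first-match policy, so the order of the rows decides the outcome. The following is an added example, not code from the thread and not an ACS feature: a small Python simulation of that rule table that shows why each "Allow" row has to sit above its catch-all "Deny" row, and how the SSID can be taken out of the RADIUS Called-Station-Id. The assumption that the WLC formats Called-Station-Id as `<AP-MAC>:<SSID>` (with a dash-separated MAC) is the example's own, as are the `Rule`, `ssid_from_called_station_id` and `evaluate` names.

```python
# Added example (not from the thread, not ACS code): first-match evaluation
# of the CN + SSID authorization rules described in the answer above.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    common_name: str   # Certificate Dictionary > Common Name condition
    ssid: str          # SSID to match, or "Any" for the catch-all row
    result: str        # "Allow Access" or "Deny Access"


# The four rows exactly as listed in the answer, in that order.
POLICY: List[Rule] = [
    Rule("client1.domain.com", "SSID1", "Allow Access"),
    Rule("client1.domain.com", "Any",   "Deny Access"),
    Rule("client2.domain.com", "SSID2", "Allow Access"),
    Rule("client2.domain.com", "Any",   "Deny Access"),
]

# Same rows with the catch-all Deny placed above the Allow: the Allow
# row can then never be reached, which is the classic ordering mistake.
MISORDERED_POLICY: List[Rule] = [
    Rule("client1.domain.com", "Any",   "Deny Access"),
    Rule("client1.domain.com", "SSID1", "Allow Access"),
]


def ssid_from_called_station_id(called_station_id: str) -> Optional[str]:
    """Extract the SSID from Called-Station-Id.

    Assumption (not from the thread): the controller sends
    '<AP-MAC>:<SSID>', e.g. '00-11-22-33-44-55:SSID1'. The split is on the
    last ':' so a colon-separated MAC would still work. Returns None when
    there is no SSID part, so the caller can refuse rather than guess.
    """
    _mac, sep, ssid = called_station_id.rpartition(":")
    if not sep or not ssid:
        return None
    return ssid


def evaluate(policy: List[Rule], common_name: str, called_station_id: str,
             default: str = "Deny Access") -> str:
    """Walk the rules top-down; the first row whose conditions all match wins.

    A CN with no matching row at all falls through to the default, which is
    kept as Deny so an unexpected certificate never gets access implicitly.
    """
    ssid = ssid_from_called_station_id(called_station_id)
    for rule in policy:
        if rule.common_name != common_name:
            continue
        if rule.ssid == "Any" or rule.ssid == ssid:
            return rule.result
    return default


if __name__ == "__main__":
    # Constructed sample requests; the MAC is a placeholder value.
    ap = "00-11-22-33-44-55"
    for cn, ssid in [("client1.domain.com", "SSID1"),
                     ("client1.domain.com", "SSID2"),
                     ("client2.domain.com", "SSID2"),
                     ("unknown.domain.com", "SSID1")]:
        print(f"{cn:20} on {ssid}: {evaluate(POLICY, cn, f'{ap}:{ssid}')}")
    print("misordered, client1 on SSID1:",
          evaluate(MISORDERED_POLICY, "client1.domain.com", f"{ap}:SSID1"))
```

Run as a script it prints the decision for each constructed request; the last line shows that with the Deny row first, client1 is refused even on its own SSID, which is the check worth doing before trusting an "Any" row in a real rule table.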
09-21-2011 09:53 AM
Hi jrabinow
thanks a lot for your very quick response - I will try this next week when I am onsite again and will update this thread.
I extract the SSID with a "end station filter" (link to the thread where I got the information from:
https://supportforums.cisco.com/message/3231646).
Best regards
Dominic
09-21-2011 10:02 PM
Why not use a single SSID and use dynamic vlan assignments to allow only certain clients to go to certain wlans? You can use the end station filters as a Mac list and set up a policy to restrict them to certain wlans.
Sent from Cisco Technical Support iPad App