Solved: ACS 5.2 authorization policy

Anatoly Fedchik · ‎08-07-2012

Hello,

is there any method to control an access to the different WLAN(PEAP) on the same ACS 5.2 and WLC?

That is, there is two AD groups the one have access to domain network only the other group have access to internet only
and may be third group that have access to both networks.

Currently if i add new authorization policy the user will have access to both networks...

Many thanks, in advance.

Tarik Admani · ‎08-07-2012

Yes ths is possible, the ssid is carried in the called station id which is an av pair sent in the access-request. The format of the called-station-id is , so you can build your authorization policy with a compound condition of "called-station-id ends with ssid" then you can combine this with the AD1:ExternalGroups and set the permit-access or deny-access result depending on your implementation. Also the ssid is case sensitive when acs makes its decision so keep that in mind.

If you look at the authentication report in ACS you can see the ssid that I am referring to in the called-station id in the logs.

Hope that helps

Tarik Admani
*Please rate helpful posts*

View solution in original post

Tarik Admani · ‎08-07-2012

Yes ths is possible, the ssid is carried in the called station id which is an av pair sent in the access-request. The format of the called-station-id is , so you can build your authorization policy with a compound condition of "called-station-id ends with ssid" then you can combine this with the AD1:ExternalGroups and set the permit-access or deny-access result depending on your implementation. Also the ssid is case sensitive when acs makes its decision so keep that in mind.

If you look at the authentication report in ACS you can see the ssid that I am referring to in the called-station id in the logs.

Hope that helps

Tarik Admani
*Please rate helpful posts*