Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1550
Views
10
Helpful
4
Replies

ACS - SSID - MAC-Filter separation

Kai Onken
Level 1
Level 1

‎03-21-2014 09:41 AM - edited ‎03-10-2019 09:33 PM

Hello,

I’m trying to setup following environment:

  1. WLC 5508 (OS 7.5)
  2. Up to 60 Access Points 1602I
  3. Two SSID’s are required
  4. WPA/WPA2 Authentication is required
  5. MAC-Filter should also be used

I’ve done the following configuration:

  • LAN Enviroment works
  • WLC Setup works also with all Access Points
  • SSID with WPA/WPA2 Authentication work
  • Clients can connect to each SSID

For the MAC Filter Setup I’m going to use an ACS 5.4 and an Active Directory. The ACS has successfully joined the Active Directory and at the active Directory I’ve create to groups:

CN=SSID1,OU=Authentication,DC=global,DC=lan

CN=SSID2,OU=Authentication,DC=global,DC=lan

These two groups I’ve selected after I joined the Active Directoy. I used the Active Directory (AD1) as an Identity group, which is used by a Network Access based Access Service. In my second step, I configured the WLC to use Radius authentication for MAC-Filter and everything works.

But now I’ve found my problem:

The ACS Server like work top down and first rule matches:

If a MAC is member of group SSID1 and the Client wants to join SSID 1 it works

If a MAC is member of group SSID2 and the Client wants to join SSID 1 it works, too. Because the rules are checkt top down first match. And the ACS will find the MAC in group SSID.

  • Is it possible to check at the ACS which SSID send the MAC-Filter request? or
  • Is it possible to get the ssid value from the Active Directory to use this value in my policies?

I would like to restrict the MACs from group SSID1 to SSID 1 and the MACs from group SSID to SSID 2.

Thanks and kind regards

Kai

Labels:
Preview file
43 KB
0 Helpful
4 Replies 4

Kai Onken
Level 1
Level 1

‎05-05-2014 11:37 AM

Problem is solved, the caller-station-id can be used, it transfers the SSID and "contains" can be used.

cmonks119
Level 1
Level 1
In response to Kai Onken

‎12-02-2014 11:11 AM

Hello, I am looking for this config as well. Is it possible to post screenshots of ACS showing how you created your Access Policies, and how you restricted authentication by SSID (Using end-station filters for calling-station-id, DNIS??)

 

Thanks.

0 Helpful

Kai Onken
Level 1
Level 1
In response to cmonks119

‎12-02-2014 11:29 PM

Hello,

I hope this will help you. The username and password will be the MAC-Address of your client wirelss device, e.g.

Username:  aabbccddeeff

Password:  aabbccddeeff

You've to check, in which kind you have to send the MAC Address (aa:bb:cc:dd:ee:ff, aabbcc-ddeeff, AA:BB:CC:DD:EE:FF, and so on)

The attachments will show you a sample ACS Access Policy and the "caller-station-id" configuration and the configuration of a SSID from a Cico WLC 5508.

Preview file
205 KB
Preview file
73 KB
Preview file
79 KB

kamlenegi
Level 1
Level 1
In response to Kai Onken

‎05-27-2015 03:06 AM

Hi Onken,

 

Is your problem solved only basis on ACS configuration SSID "contains" , in which corporate user connect only corporate ssid and staff users connects only staff ssid?

 

Regards,

 

Kamlesh

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents