
differentiate between wireless lans

networknoob
Level 1

We are using ACS 5.2 as a RADIUS server for our wireless network. Our current wireless LAN is WPA2 with 802.1X enabled. ACS is checking against AD. We would like to set up a new wireless SSID for internal staff that we would grant permission to use. It would be less firewalled, and the staff member needs to sign a form to use it. So two questions:

1. How do we differentiate between the SSIDs when the RADIUS requests come in? When someone tries to connect to the internal staff SSID and tries to auth, how can we separate that out from the rest of the wireless connections?

2. How do we only grant permission to certain people? We would want to add the username to the internal users group, but have the password auth against AD instead of typing one in.

Thanks for any help you guys can give.

2 Replies

Tiago Antunes
Cisco Employee

Hi,

When a RADIUS request arrives at the ACS, it contains the SSID the user is trying to connect to.

Please take a look at this document, which explains that the SSID name is present in RADIUS attribute 30, Called-Station-Id:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml.

Using ACS 5.x, you need to create a rule that compares that attribute with the SSID name you want to filter.

Please take a look at the screenshot example:

HTH,

Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
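
The lookup described in the reply above, as an added example that is not part of the original post and is not Cisco or ACS code: it parses a RADIUS Access-Request, pulls the SSID out of attribute 30 (Called-Station-Id), and picks a policy by exact match. It assumes the RFC 3580 value format `AP-MAC:SSID` (your controller's configured format may differ); the policy names, SSIDs, MAC address and usernames are constructed.

```python
import struct

CALLED_STATION_ID = 30  # RADIUS attribute type (RFC 2865)

def radius_attributes(packet: bytes):
    """Yield (type, value) for each attribute in a RADIUS packet (RFC 2865 layout)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20  # skip code, identifier, length, 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        yield a_type, packet[pos + 2:pos + a_len]
        pos += a_len

def ssid_from_request(packet: bytes):
    """Return the SSID carried in Called-Station-Id, or None if absent."""
    for a_type, value in radius_attributes(packet):
        if a_type == CALLED_STATION_ID:
            # Assumed RFC 3580 format: "AP-MAC:SSID", MAC octets separated by "-"
            _mac, sep, ssid = value.decode("utf-8", "replace").partition(":")
            return ssid if sep and ssid else None
    return None

def select_policy(packet: bytes, staff_ssid: str) -> str:
    """Exact, case-sensitive SSID match; anything else gets the default policy."""
    return "staff-policy" if ssid_from_request(packet) == staff_ssid else "default-policy"

def build_request(attrs):
    """Construct a sample Access-Request (code 1) with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 42, 20 + len(body)) + bytes(16) + body

# Constructed sample packets; attribute 1 is User-Name.
STAFF = build_request([(1, b"alice"), (30, b"00-10-A4-23-19-C0:Staff-Internal")])
GUEST = build_request([(1, b"bob"), (30, b"00-10-A4-23-19-C0:Corp-WLAN")])
NO_SSID = build_request([(1, b"carol"), (30, b"00-10-A4-23-19-C0")])

if __name__ == "__main__":
    for name, pkt in (("staff", STAFF), ("guest", GUEST), ("no-ssid", NO_SSID)):
        print(name, ssid_from_request(pkt), select_policy(pkt, "Staff-Internal"))
```

A request with no SSID suffix, or no Called-Station-Id at all, falls through to the default policy rather than the less-restricted staff one.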

Thanks, that screenshot was very helpful. I'm still learning about how different ACS 5 is compared to our ACS 3 servers. The other part of that question is how to allow only users we select to log in. We could use internal users, but need to set a password. They should still be able to use their AD passwords.