
Restricting Access to SSIDs

Hi,

I have configured a WLAN with a WiSM2 controller installed in a 6500 series chassis, Aironet 3600 series APs, and ACS 5.3 for user authentication. The ACS is connected to Active Directory, so users authenticate against AD (802.1X is used, not a pre-shared key) on SSID A. I have created a separate SSID B for guest users and put restrictions on this SSID. Guest users are created in the same AD as the internal users. How can I force guest users to connect to SSID B and prevent them from connecting to SSID A? Currently they can connect to both.

Please help!

Stanslaus.

2 Accepted Solutions

jrabinow
Level 7

You will need a way to distinguish your guest users from "internal users". I assume there is some attribute in AD that will allow this.

Assuming this to be the case, I would then add two new conditions to the authorization policy:

- User/Guest flag (assume this can be obtained from AD)

- called-station-id (RADIUS attribute). This attribute includes the SSID at the end.

You can then define rules:

If User/Guest flag equals "Guest" and called-station-id ends with "Guest SSID" then <<<< allow access. Assign permissions

If User/Guest flag equals "Internal" and called-station-id ends with "Internal SSID" then <<<< allow access. Assign permissions

The default rule would be to deny access.


Oliver Eve
Level 1

I was going to suggest a similar approach to the post above ^

If you're using AD, you can enforce policies based on your schema to make the guest users connect to that network by default. You can't hide a single network without hiding the other unless you use some form of policy on your PDC and AAA.

Let us know how you get on.


4 Replies

Hi All,

Perfect!!! It works. What I actually did was create a security group 'GUESTS' in AD, then create the rule below in ACS:

'AD-AD1:ExternalGroups contains any MYDOMAIN.com/Groups/Security Groups/GUESTS And RADIUS-IETF:Called-Station-ID ends with INTERNALSSID DenyAccess'

As my objective was to deny guests from connecting to the internal SSID, any user who is a member of that security group will be unable to connect to it, but will be able to connect to GUESTSSID via another rule which allows members of GUESTS to connect to the GUESTSSID.

Again thank you very much!

Stanslaus.
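To make the two rule styles in this thread concrete, here is an added example that is not from the thread and not Cisco ACS code: a small Python model of first-match authorization policy evaluation, run over constructed RADIUS requests. It assumes the WLC's RADIUS Call Station ID type is AP MAC Address:SSID, so Called-Station-ID arrives as 00-11-22-33-44-55:SSIDNAME (an assumption about the deployment; check the setting on the controller). The AD group path follows the rule text above, while the SSID names, usernames and AP MAC are made up. Policy A is the allow-list with a DenyAccess default from the accepted answer; Policy B is the explicit DenyAccess rule the original poster settled on, using the "ends with" operator exactly as written. The final sample request shows why comparing the exact SSID after the separator is safer than a bare "ends with": a guest associating to an SSID whose name merely ends in GUESTSSID is permitted by Policy B but denied by Policy A.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed values for the example. The group path mirrors the rule
# quoted in the thread; the SSID names and AP MAC are assumptions.
GUEST_GROUP = "MYDOMAIN.com/Groups/Security Groups/GUESTS"
INTERNAL_SSID = "INTERNALSSID"
GUEST_SSID = "GUESTSSID"
AP_MAC = "00-11-22-33-44-55"


@dataclass
class Request:
    """The subset of an access request the thread's rules look at."""
    username: str
    ad_groups: List[str]      # what ACS exposes as AD-AD1:ExternalGroups
    called_station_id: str    # RADIUS-IETF:Called-Station-ID from the WLC


@dataclass
class Rule:
    name: str
    condition: Callable[[Request], bool]
    result: str               # "PermitAccess" or "DenyAccess"


def ssid_of(called_station_id: str) -> str:
    """Return the SSID part of Called-Station-ID.

    Assumes the WLC sends AP MAC:SSID, e.g. "00-11-22-33-44-55:INTERNALSSID";
    the SSID is everything after the first colon. A value with no colon
    yields "" so an exact SSID comparison can never succeed by accident."""
    _mac, sep, ssid = called_station_id.partition(":")
    return ssid if sep else ""


def is_guest(req: Request) -> bool:
    return GUEST_GROUP in req.ad_groups


def evaluate(rules: List[Rule], default: str, req: Request) -> Tuple[str, str]:
    """First-match evaluation, the way an ordered authorization policy is
    walked: the first rule whose condition holds decides; otherwise the
    policy's default result applies. Returns (result, rule name)."""
    for rule in rules:
        if rule.condition(req):
            return rule.result, rule.name
    return default, "default"


# Policy A: the allow-list from the accepted answer. Each population is
# permitted only on its own SSID; everything else falls to the default.
# "Internal" is modelled as "not in GUESTS" (assumption; the thread's
# User/Guest flag could be any AD attribute).
ALLOW_LIST = [
    Rule("Guests on guest SSID",
         lambda r: is_guest(r) and ssid_of(r.called_station_id) == GUEST_SSID,
         "PermitAccess"),
    Rule("Internal on internal SSID",
         lambda r: not is_guest(r) and ssid_of(r.called_station_id) == INTERNAL_SSID,
         "PermitAccess"),
]

# Policy B: the explicit deny rule the original poster settled on, plus the
# permit rule he mentions, both with "ends with" as written. The thread does
# not say what the rest of that policy does, so the default used here is
# DenyAccess (assumption).
EXPLICIT_DENY = [
    Rule("Deny guests on internal SSID",
         lambda r: is_guest(r) and r.called_station_id.endswith(INTERNAL_SSID),
         "DenyAccess"),
    Rule("Permit guests on guest SSID",
         lambda r: is_guest(r) and r.called_station_id.endswith(GUEST_SSID),
         "PermitAccess"),
]


def decide(policy_name: str, req: Request) -> str:
    policy = ALLOW_LIST if policy_name == "allow_list" else EXPLICIT_DENY
    result, _rule = evaluate(policy, "DenyAccess", req)
    return result


def guest_on(ssid: str) -> Request:
    return Request("visitor1", [GUEST_GROUP], f"{AP_MAC}:{ssid}")


def internal_on(ssid: str) -> Request:
    return Request("alice", ["MYDOMAIN.com/Users/Domain Users"], f"{AP_MAC}:{ssid}")


if __name__ == "__main__":
    samples = [guest_on(GUEST_SSID), guest_on(INTERNAL_SSID),
               internal_on(INTERNAL_SSID), internal_on(GUEST_SSID),
               # Constructed SSID that merely ends in the guest SSID's name:
               # slips through an "ends with" permit, not an exact match.
               guest_on("CORP" + GUEST_SSID)]
    for policy in ("allow_list", "explicit_deny"):
        for req in samples:
            print(f"{policy:14} {req.username:9} {ssid_of(req.called_station_id):14} "
                  f"{decide(policy, req)}")
```

Run it directly to print each decision under both policies. On a real ACS the same discipline applies: order the rules so the guest deny precedes any broader permit, check what the policy's default rule returns (the deny-rule approach only works if nothing further down permits the guest), and prefer conditions that cannot be satisfied by a differently named SSID that happens to share a suffix.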

Hi,

Actually I am also facing the same issue, where I want to restrict one SSID to one group so that the group will not be able to connect to any other SSID.

Currently I have a 7.4.121 WLC controller and ISE 1.2.1. Can anyone tell me how to configure this requirement?

Regards

Pranav
