Restricting Access to SSIDs

Hi,

I have Configured a WLAN with WiSM2 Controller installed on a 6500 series, Aironet 3600series APs and  ACS 5.3 for userauthentication. The ACS is connected to Active directory so users are authenticating using the AD (802.1x is used and not a pre-shared key) on SSID A. I have created a separate SSID B for guest users. I have put restrictions on this SSID. Guest users are also created on the same AD where internal users are created. How can I force Guest users to connect to SSID B and not be able to connect to SSID A? Currently they can connect to both.

Please help!

Stanslaus.

4 REPLIES
Rising star

Restricting Access to SSIDs

You will need a way to distinguish your guest users from "internal users". I assume there is some attribute in AD that will allow this.

Assuming this to be the case, I would then add two new conditions to the authorization policy:

- User/Guest flag (assume can get this from AD)

- called-station-id (RADIUS attribute). This attribute includes the SSID at the end.

You can then define rules:

If User/Guest flag equals "Guest" and called-station-id ends-with "Guest SSID" then <<<< allow access. Assign permissions

If User/Guest flag equals "Internal" and called-station-id ends-with "Internal SSID" then <<<< allow access. Assign permissions

The default rule would be to deny access.


Restricting Access to SSIDs

Hi All,

Perfect!!! It works. Actually what I did was to create a security group 'GUESTS' in AD, then create the below rule in ACS:

'AD-AD1:ExternalGroups contains any MYDOMAIN.com/Groups/Security Groups/GUESTS And RADIUS-IETF:Called-Station-ID ends with INTERNALSSID DenyAccess'

As my objective was to deny Guests connecting to the internal SSID, any user who is a member of that security group will be unable to connect to it, but will be able to connect to GUESTSSID via another rule which allows a member of Guests to connect to the GUESTSSID.

Again thank you very much!

Stanslaus.
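As an added illustration (not code from the thread, nor from Cisco ACS or ISE), here is the rule logic from the accepted answer and from the ACS rule above modelled in plain Python so the matching behaviour can be checked. It assumes the WLC sends Called-Station-Id as a hyphenated AP MAC followed by a colon and the SSID; the SSID names are constructed and the group path is the one quoted in the thread.

```python
from typing import List, Optional

# Constructed names for this example; the group path is the one quoted in the thread.
INTERNAL_SSID = "INTERNALSSID"
GUEST_SSID = "GUESTSSID"
GUEST_GROUP = "MYDOMAIN.com/Groups/Security Groups/GUESTS"


def ssid_from_called_station_id(csid: str) -> Optional[str]:
    """Extract the SSID from a Called-Station-Id of the form '<AP-MAC>:<SSID>'.

    Assumption: the WLC formats the AP MAC with hyphens (aa-bb-cc-dd-ee-ff), so
    the first colon separates MAC from SSID.  Returns None when no SSID is
    present (e.g. a wired port sending only a MAC), so the caller falls through
    to the default-deny rule instead of matching anything.
    """
    _mac, sep, ssid = csid.partition(":")
    return ssid if sep and ssid else None


def ends_with_rule_matches(csid: str, suffix: str) -> bool:
    """The 'ends with' operator as used in the ACS rule: a plain suffix test.

    It also matches an SSID that merely ends in the same string
    (e.g. 'MYINTERNALSSID'), which is why authorize() compares the whole SSID.
    """
    return csid.endswith(suffix)


def authorize(ad_groups: List[str], called_station_id: str) -> str:
    """Evaluate the authorization rules top-down; the first match wins."""
    ssid = ssid_from_called_station_id(called_station_id)
    is_guest = GUEST_GROUP in ad_groups
    # Rule 1 (the rule the OP created): guests may not join the internal SSID.
    if is_guest and ssid == INTERNAL_SSID:
        return "DenyAccess"
    # Rule 2: guests on the guest SSID get the guest permission set.
    if is_guest and ssid == GUEST_SSID:
        return "PermitAccess-Guest"
    # Rule 3: non-guest AD users are permitted only on the internal SSID.
    if not is_guest and ssid == INTERNAL_SSID:
        return "PermitAccess-Internal"
    # Default rule: deny, which also covers unknown SSIDs and a missing SSID suffix.
    return "DenyAccess"
```

Because "ends with" is a bare suffix test, an SSID such as MYINTERNALSSID would satisfy a rule written for INTERNALSSID; comparing the part after the colon exactly, as authorize() does, avoids that.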

Beginner

Hi, Actually I am also facing

Hi,

Actually I am also facing the same issue, where I want to restrict one SSID to one group, wherein that group will not be able to connect to any other SSID.

Currently I'm having a 7.4.121 WLC controller and ISE 1.2.1; can anyone tell me how to configure this requirement?


Regards

Pranav

Beginner

Restricting Access to SSIDs

I was going to suggest a similar way to the post above ^

If you're using AD, you can enforce policies based on your schema to set the guest users to connect that network by default. You can't hide a single network without hiding the other unless you use some form of policy on your pdc and AAA.

Let us know how you get on.
