cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1223
Views
0
Helpful
4
Replies

Restricting Access to SSIDs

Hi,

I have Configured a WLAN with WiSM2 Controller installed on a 6500 series, Aironet 3600series APs and  ACS 5.3 for userauthentication. The ACS is connected to Active directory so users are authenticating using the AD (802.1x is used and not a pre-shared key) on SSID A. I have created a separate SSID B for guest users. I have put restrictions on this SSID. Guest users are also created on the same AD where internal users are created. How can I force Guest users to connect to SSID B and not be able to connect to SSID A? Currently they can connect to both.

Please help!

Stanslaus.

2 Accepted Solutions

Accepted Solutions

jrabinow
Rising star
Rising star

You will need a way to distinguish your guest users from "internal users". I assume there is some attribute in AD that will allow this

Assuming this to be the case then would add two new conditions to the authorization policy

- User/Guest flag (assume can get this from AD)

- called-station-id (RADIUS attribute). This attributes includes the SSID at the end

Can then define rules

If User/Guest flag equals "Guest" and called-station-id ends-with "Guest SSID" then <<<< allow access. Assign permissions

If User/Guest flag equals "Internal" and called-station-id ends-with "Internal SSID" then <<<< allow access. Assign permissions

default rule would be to deny access

View solution in original post

Oliver Eve
Beginner
Beginner

I was going to suggest a similar way to the post above ^

If you're using AD, you can enforce policies based on your schema to set the guest users to connect that network by default. You can't hide a single network without hiding the other unless you use some form of policy on your pdc and AAA.

Let us know how you get on.

View solution in original post

4 Replies 4

jrabinow
Rising star
Rising star

You will need a way to distinguish your guest users from "internal users". I assume there is some attribute in AD that will allow this

Assuming this to be the case then would add two new conditions to the authorization policy

- User/Guest flag (assume can get this from AD)

- called-station-id (RADIUS attribute). This attributes includes the SSID at the end

Can then define rules

If User/Guest flag equals "Guest" and called-station-id ends-with "Guest SSID" then <<<< allow access. Assign permissions

If User/Guest flag equals "Internal" and called-station-id ends-with "Internal SSID" then <<<< allow access. Assign permissions

default rule would be to deny access

Hi All,

Perfect!!! It works. Actually what i did is to create a Security groups 'GUESTS' in AD. Then create the below rule in ACS:

'AD-AD1:ExternalGroups contains any MYDOMAIN.com/Groups/Security Groups/GUESTS And RADIUS-IETF:Called-Station-ID ends with INTERNALSSID DenyAccess'

As my objective was to deny Guests to connect to the internal SSID, then any user who is a member of that security group will be unable to connect but will be able to connect to GUESTSSID via another  rule which allows a member of Guests to connect to the GUESTSSID.

Again thank you very much!

Stanslaus.

Hi ,

Actually I am also facing the same issue where I want to restrict one ssid to one group wherein that group will not able to connect any other ssid.

Currently m having 7.4.121 WLC controller and ISE 1.2.1 can any one tell me how to configure this requirment.

 

Regards

Pranav