10-18-2010 06:57 AM - edited 03-10-2019 05:30 PM
I have created a guest wireless network using webauth on a 4402 running 6.0.182.
I'm using ACS with a group mapping to Windows Active directory for authentication.
It works perfectly. When I create users in the guest group in Windows, they get mapped properly to the guest group in ACS and are able to log in to the guest network.
The problem is that there are other groups in ACS, such as an SSL VPN group. Users that are members of that group are also able to log in to the guest wireless network.
My question is: is there a way to lock users down so that they can only log in to the guest wireless if they are a member of the guest group and not other groups?
Thank You
Eric
10-18-2010 09:09 AM
Hi,
This is to be configured on ACS, but you didn't mention which ACS version you have.
What you need is to authenticate users differently if they log in to VPN or if they log in to wireless. This is done through NAP on ACS 4.x and through service policies on ACS 5.x.
I hope this helps.
Nicolas
===
If this answer is useful to you, please rate it.
11-08-2010 08:32 AM
This customer has both ACS 4.2 and 5.2; however, I would like to understand how it works in both 4.2 and 5.2. Are there guides on Cisco's site that explain how to accomplish this for both 4.x and 5.x?
Thanks
Eric
11-08-2010 12:10 PM
Eric,
There are a couple of ways you can handle this but either way will work off of the calling-station-id, the WLC sets this to
Check the box for Define CLI/DNIS-based access restrictions.
Set it to Permitted Calling/Point of Access Locations.
AAA Client: Set it to your Wireless Network Device or Wireless Network Device Group.
Port: Set it to *
CLI: Set it to *
DNIS: Set it to *:guest
You will also want to add your VPN concentrator as a Permitted device as well.
AAA Client: Set it to your VPN Network Device or VPN Network Device Group.
Port: Set it to *
CLI: Set it to *
DNIS: Set it to *
In ACS 5.2 you can do the same type of thing under Policy Elements -> Network Conditions -> End Station Filters: you can create a CLI/DNIS filter setting DNIS to *:guest, and you can use that end station filter in either a service selection or authorization policy by hitting the Customize button on the bottom right of either of those pages and adding the end station filter to the selected column.
--Jesse
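The permitted-location rows above only work because the WLC sends the SSID inside the RADIUS Called-Station-Id (the "DNIS" column) as "<AP MAC>:<SSID>", so a glob of *:guest matches the guest SSID on any AP. The following is an added illustration, not code from the thread or from ACS, that models the decision in a few lines: each row is a set of glob patterns ANDed across the columns, and a group with no rows is unrestricted (which is exactly why the SSL VPN group members could log in to the guest SSID). The group names, device-group names, MAC addresses and the AP-MAC:SSID format of the sample requests are all constructed assumptions for the example; the "after" policy pins the guest group to the guest SSID and the VPN group to the VPN devices, which is one way to get the behaviour Eric asked for.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Location:
    """One row of a 'Permitted Calling/Point of Access Locations' list.

    Every field is a glob, as in the ACS 4.x NAR dialog ("*" = anything).
    """
    aaa_client: str        # network device or network device group name
    port: str = "*"        # NAS-Port pattern
    cli: str = "*"         # Calling-Station-Id pattern (client MAC on a WLC)
    dnis: str = "*"        # Called-Station-Id pattern ("<AP MAC>:<SSID>" on a WLC)


@dataclass(frozen=True)
class Request:
    """The Access-Request attributes the NAR decision looks at (constructed)."""
    aaa_client: str            # device group the NAS-IP-Address resolved to
    nas_port: str
    calling_station_id: str
    called_station_id: str
    group: str                 # ACS group assigned by the AD group mapping


def split_wlc_called_station_id(value: str) -> Tuple[str, str]:
    """Split a WLC-style Called-Station-Id into (AP MAC, SSID).

    The SSID is appended after the last ':', so splitting on the last colon also
    copes with a colon-separated MAC. A value with no ':' (non-WLC NAS) yields
    an empty MAC and the raw value as the SSID part.
    """
    if ":" not in value:
        return "", value
    mac, _, ssid = value.rpartition(":")
    return mac, ssid


def location_permits(loc: Location, req: Request) -> bool:
    """A row matches only when every column matches (ACS ANDs the columns)."""
    return (
        fnmatchcase(req.aaa_client, loc.aaa_client)
        and fnmatchcase(req.nas_port, loc.port)
        and fnmatchcase(req.calling_station_id, loc.cli)
        and fnmatchcase(req.called_station_id, loc.dnis)
    )


def nar_decision(policy: Dict[str, List[Location]], req: Request) -> bool:
    """Permit when the group has no NAR at all, or when any permitted row matches."""
    rows = policy.get(req.group)
    if rows is None:
        return True          # no restriction defined: the original symptom
    return any(location_permits(row, req) for row in rows)


# "Before": no NARs on any group.
POLICY_BEFORE: Dict[str, List[Location]] = {}

# "After" (assumed policy, not the thread's exact configuration): guest users only on
# the guest SSID of the wireless device group, VPN users only on the VPN device group.
POLICY_AFTER: Dict[str, List[Location]] = {
    "Guest": [Location("Wireless Network Device Group", dnis="*:guest")],
    "SSL VPN": [Location("VPN Network Device Group")],
}

# Constructed sample requests; the AP MAC / client MAC are placeholders.
WLC = "Wireless Network Device Group"
GUEST_ON_GUEST_SSID = Request(WLC, "13", "00-11-22-33-44-55", "00-1a-2b-3c-4d-5e:guest", "Guest")
VPN_USER_ON_GUEST_SSID = Request(WLC, "13", "00-11-22-33-44-66", "00-1a-2b-3c-4d-5e:guest", "SSL VPN")
GUEST_ON_CORP_SSID = Request(WLC, "13", "00-11-22-33-44-55", "00-1a-2b-3c-4d-5e:corp", "Guest")
VPN_USER_ON_VPN = Request("VPN Network Device Group", "0", "", "", "SSL VPN")


def demo() -> Dict[str, bool]:
    """Evaluate the sample requests against both policies."""
    return {
        "before/vpn user on guest ssid": nar_decision(POLICY_BEFORE, VPN_USER_ON_GUEST_SSID),
        "after/vpn user on guest ssid": nar_decision(POLICY_AFTER, VPN_USER_ON_GUEST_SSID),
        "after/guest on guest ssid": nar_decision(POLICY_AFTER, GUEST_ON_GUEST_SSID),
        "after/guest on corp ssid": nar_decision(POLICY_AFTER, GUEST_ON_CORP_SSID),
        "after/vpn user on vpn": nar_decision(POLICY_AFTER, VPN_USER_ON_VPN),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'permit' if allowed else 'deny'}")
```

Two things worth checking against a real deployment before relying on a *:guest row: the pattern is a glob over the whole Called-Station-Id, so it will not match an SSID named, say, guestnet, and the SSID is only present in that attribute if the WLC's Called-Station-Id format still includes it; confirm the exact string in a captured Access-Request (or the ACS failed-attempts log) rather than assuming it.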