ACS Guest Wireless (AAA Group Lock)

estadlercisco
Level 1

I have created a guest wireless network using webauth on a 4402 running 6.0.182.

I'm using ACS with a group mapping to Windows Active directory for authentication.

It works perfectly. When I create users in the guest group in Windows, they get mapped properly to the guest group in ACS and are able to login to the guest network.

The problem is that there are other groups in ACS, such as an SSL VPN group. Users that are members of that group are also able to login to the guest wireless network.

My question is, is there a way to lock users down so that they can only login to the guest wireless IF they are a member of the guest group and not other groups?

Thank You

Eric

3 Replies

Nicolas Darchis
Cisco Employee

Hi,

This is to be configured on ACS, but you didn't mention which ACS version you have.

What you need is to authenticate users differently if they login to VPN or if they login to wireless. This is done through NAP on ACS 4.x and through service policies on ACS 5.x.

I hope this helps.

Nicolas

===

If this answer is useful to you, please rate it.

This customer has both ACS 4.2 and 5.2; however, I would like to understand how it works in both 4.2 and 5.2. Are there guides on Cisco's site that explain how to accomplish this for both 4.X and 5.X?

Thanks

Eric

Eric,

There are a couple of ways you can handle this, but either way will work off of the calling-station-id; the WLC sets this to :. In ACS 4.2 you can either create CLI/DNIS Network Access Restrictions. Say your guest SSID is named "guest"; your NAR would look like this:

Check the box for Define CLI/DNIS-based access restrictions.

Set it to Permitted Calling/Point of Access Locations.

AAA Client: Set it to your Wireless Network Device or Wireless Network Device Group.

Port: Set it to *

CLI: Set it to *

DNIS: Set it to *:guest

You will also want to add your VPN concentrator as a Permitted device as well.

AAA Client: Set it to your VPN Network Device or VPN Network Device Group.

Port: Set it to *

CLI: Set it to *

DNIS: Set it to *

In ACS 5.2 you can do the same type of thing under Policy Elements -> Network Conditions -> End Station Filters. You can create a CLI/DNIS filter setting DNIS to *:guest, and you can use that end station filter in either a service selection or authorization policy by hitting the Customize button on the bottom right of either of those pages and adding the end station filter to the selected column.

--Jesse
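As an added illustration of the permit logic those two NAR rows express (this is not code from the thread or from ACS), the following models ACS 4.2 "permitted locations" matching: a request is allowed only if some row matches its AAA client, port, CLI and DNIS. The device names, the sample requests and the Called-Station-Id format `<AP MAC>:<SSID>` are assumptions.

```python
import fnmatch
from typing import List, NamedTuple


class PermittedLocation(NamedTuple):
    """One row of a CLI/DNIS NAR; '*' wildcards as typed in the ACS UI."""
    aaa_client: str   # network device or device group name (exact match)
    port: str         # NAS-Port pattern
    cli: str          # Calling-Station-Id pattern (client MAC / address)
    dnis: str         # Called-Station-Id pattern (WLC: "<AP MAC>:<SSID>")


class AccessRequest(NamedTuple):
    aaa_client: str
    port: str
    calling_station_id: str
    called_station_id: str


# The two rows from the post (constructed sample; device names are assumed).
GUEST_NAR: List[PermittedLocation] = [
    PermittedLocation("Wireless Network Device", "*", "*", "*:guest"),
    PermittedLocation("VPN Network Device", "*", "*", "*"),
]


def _wildcard_match(pattern: str, value: str) -> bool:
    # Case-sensitive glob match; SSID names are case-sensitive (assumption).
    return fnmatch.fnmatchcase(value, pattern)


def nar_permits(request: AccessRequest,
                nar: List[PermittedLocation] = GUEST_NAR) -> bool:
    """Permitted-locations semantics: allow iff every field of some row matches."""
    for row in nar:
        if (row.aaa_client == request.aaa_client
                and _wildcard_match(row.port, request.port)
                and _wildcard_match(row.cli, request.calling_station_id)
                and _wildcard_match(row.dnis, request.called_station_id)):
            return True
    return False  # no row matched: ACS rejects the request


if __name__ == "__main__":
    # Constructed requests: guest SSID on the WLC, a corporate SSID, and the VPN.
    wlc_guest = AccessRequest("Wireless Network Device", "29",
                              "00-aa-bb-cc-dd-ee", "00-11-22-33-44-55:guest")
    wlc_corp = AccessRequest("Wireless Network Device", "29",
                             "00-aa-bb-cc-dd-ee", "00-11-22-33-44-55:corp")
    vpn = AccessRequest("VPN Network Device", "0", "203.0.113.10", "")
    for req in (wlc_guest, wlc_corp, vpn):
        print(req.called_station_id or "<vpn>", "->", nar_permits(req))
```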