cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1193
Views
0
Helpful
3
Replies
Beginner

ACS Guest Wireless (AAA Group Lock)

I have created a guest wireless

network using webauth on a 4402 running 6.0.182.

I'm using ACS with a group mapping to Windows Active directory for authentication.

It works perfectly. When i create users in the guest group in Windows, they get mapped properly to the guest group in ACS and are able to login to the guest Network.

The problem is that there are other groups in ACS such as an SSL VPN group. Users that are member of that group are also able to login to the guest wireless network.

My question is, is there a way to lock users down so that they can only login to the guest wireless IF they are a member of the guest group and not other groups?

Thank You

Eric

3 REPLIES 3
Cisco Employee

Re: ACS Guest Wireless (AAA Group Lock)

Hi,

this is to be configured on ACS. But you didn't mention which ACS version you have.

What you need is to authenticate users differently if they login to VPN or if they login to wireless. This is done through NAP on ACS 4.x and through service policies on ACS 5.x

I hope this helps.

Nicolas

===

If this answer is useful to you, please rate it.

Beginner

Re: ACS Guest Wireless (AAA Group Lock)

This customer has both ACS 4.2 and 5.2 however

i would like to understand how it works in both 4.2 and 5.2 are there guides on cisco's site that explain how to accomplish this for both 4.X and 5.X?

Thanks

Eric

Highlighted
Cisco Employee

Re: ACS Guest Wireless (AAA Group Lock)

Eric,

     There are a couple of ways you can handle this but either way will work off of the calling-station-id, the WLC sets this to :, in ACS 4.2 you can either create CLI/DNIS Network Access Restrictions, say your guest SSID is named "guest" your NAR would look like this:

      Check the box for Define CLI/DNIS-based access restrictions.

      Set it to Permitted Calling/Point of Access Locations.

      AAA Client: Set it to you Wireless Network Device or Wireless Network Device Group.

      Port: Set it to *

      CLI: Set it to *

      DNIS: Set it to *:guest

      You will also want to add your VPN concentrator as a Permitted device as well.

      AAA Client: Set it to you VPN Network Device or VPN Network Device Group.

      Port: Set it to *

      CLI: Set it to *

      DNIS: Set it to *

     In ACS 5.2 you can do the same type of thing under Policy Elements -> Network Conditions -> End Staion Filters, you can create a CLI/DNIS filter settings DNIS to *:guest and you can use that end station filter in either a service selection or authorization policy by hitting the customize button on the bottom right of either of those pages and adding the end station filter to the selected column.

--Jesse