cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Community Helping Community

728
Views
0
Helpful
10
Replies

WLC4400 + FreeRadius Restrict user to a particular SSID

Hi,

I'm building a lab with WLC4404 and freeradius + daloradius gui.

WLC can comunicate with the freeradius but my problem is that the users can login and no  matter in which SSID they connect they get in.

 

I want to know the way to policy this on the freeradius or the WLC with the AVpairs as every user should remain in a specific SSID.

 

Thanks,

Everyone's tags (1)
10 REPLIES 10
VIP Mentor

HI,I am not sure if this is

HI,

I am not sure if this is what you wnat to hear or not!

 

You can use mac filtering feature on WLC for WLANs.

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/91901-mac-filters-wlcs-config.html

 

Regards

Dont forget to rate helpful posts

 

Hi and thanks for your answer

Hi and thanks for your answer,

 

Unfortunately mac filtering didn´t fit my requirements as the final implementation will be around 100 LAPs and 1000 users (BYOD).

 

Regards,

Hi,Right now the freeradius

Hi,

Right now the freeradius is passing the ssid value to the WLC but when the user is registered it get moved from the assigned vlan in freeradius to the one that he try to connect.

 

This is the message of the WLC:

DISCONECT_MOBILE_DUE_TO_WLAN_SW: apf_policy.c:577 Disconnecting mobile #:#:#:#:#:# due to switch of WLANs from 3(STAFF) to 1(STUDENTS)

 

Is any way to change this WLC behavior so if the assigned WLAN is not the same as the one that the user is trying to connect the WLC reject the connection.

 

Thanks,

 

 

VIP Mentor

This can be a problem in WLC

This can be a problem in WLC software.

 

I don't have any experience with free radius server but if you ISE or ACS then you do it by AAA override option.

 

May be this doc helps:

 

http://kb.netgear.com/ci/fattach/get/126/1317294811/redirect/1/session/L2F2LzEvdGltZS8xNDE2NTYxNzc5L3NpZC9hbFF0NVo3bQ==/filename/Dynamic%20VLAN%20Assignment%20using%20RADIUS.pdf

 

http://serverfault.com/questions/300735/dynamic-vlans-with-freeradius-openldap-cisco-wlc

 

Regards

 

Hi Sandeep,AAA override is

Hi Sandeep,

AAA override is enabled in the WLC and the software version is the 7.0.250 that is the last one for the WLC4404 series.

 

Regards,

VIP Mentor

Hi,Then you must check ur

Hi,

Then you must check ur freeRadius server configuration.

Check this doc:

http://freeradius.org/doc/

Regards

Hi Sandeep, Finally i managed

Hi Sandeep,

 

Finally i managed to implement it but instead enforcing the vlans in the WLC i modified the freeradius config to issue a SSID check against the user group name (for example students) and now is working smoothly.

 

Thanks,

VIP Mentor

Hi, great to hear that you

Hi, great to hear that you got it working.

 

mostly it always to do with RADuS server because on WLC you just have to mention ip of server.

 

Regards

 

Hola Saul Te escribo desde

Hola Saul

 

Te escribo desde Colombia para pedirte ayuda, me podrias indicar como lo hiciste funcionar, que el modificaste a la configuración del freeradius, por ahí leí que hay un parametro DNIS que envia el SSID al cual se debe conectar cada usuario.

 

Quedo atento, y muchas gracias por tu tiempo.

Highlighted
Cisco Employee

Please refer to the below

Please refer to the below link :

http://serverfault.com/questions/399741/restrict-freeradius-clients-to-access-service-from-different-lans-with-same-user

CreatePlease to create content
Content for Community-Ad

August's Community Spotlight Awards