05-01-2013 11:07 AM - edited 07-04-2021 12:00 AM
I want to create an SSID that will only allow teachers to authenticate at my school. Is this possible using ACS? In other words can ACS allow only certain groups in AD access to a particular SSID or subnet?
Thanks for any suggestions.
05-01-2013 12:37 PM
In order to restrict access for a specific AD group to a specific SSID, this is what you need to perform.
When the WLC sends an authentication request to the ACS, it will include the SSID that the user is connecting to, in the attribute Calling-Station-Id(31). We can use this information to create multiple rules in ACS 5.x in order to take actions based on the information contained in the attribute.
Under Users and Identity Stores > click on Directory Groups > select > check the group name you want to add and hit OK. Save the changes.
We just need to create a DNIS rule that includes the name of the SSID and use it as a condition in any rule that we create for authentication. The * is required because the attribute not only contains the SSID but also a MAC address, so the * is used as a regular expression.
Now go to access-policies > default-network access > identity should be AD1.
Go to authorization > click on customize > move the AD1:ExternalGroups and end-station filter attribute on the right side and hit ok.
After that, select the appropriate AD group for teachers and the end-station filter.
Save changes.
Jatin Katyal
- Do rate helpful posts -
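An added example, not part of the original post and not ACS code: a small Python model of the rule described above, showing why the filter needs the leading * and which other SSID names a suffix-only filter would also match. The MAC:SSID attribute layout, glob-style wildcard matching, the group name, the SSID names and the permit/deny labels are assumptions made for this sketch.

```python
from fnmatch import fnmatchcase

# Constructed sample values (assumptions, not taken from the thread).
SAMPLE_MAC = "00-1a-2b-3c-4d-5e"                  # constructed MAC address
TEACHER_GROUP = "example.local/Groups/Teachers"   # hypothetical AD group
DNIS_FILTER = "*Teachers"                         # hypothetical filter value


def ssid_of(station_id):
    """Return the SSID from an assumed 'MAC:SSID' value, or None."""
    _mac, sep, ssid = station_id.rpartition(":")
    return ssid if sep and ssid else None


def dnis_matches(pattern, station_id):
    """Glob-style match of the filter against the whole attribute value."""
    return fnmatchcase(station_id, pattern)


def authorize(station_id, ad_groups, pattern=DNIS_FILTER, group=TEACHER_GROUP):
    """Model of the rule: end-station filter AND AD group must both match."""
    if dnis_matches(pattern, station_id) and group in ad_groups:
        return "permit"
    return "deny"  # assumes the default rule denies access


def overmatched_ssids(pattern, ssids, intended, mac=SAMPLE_MAC):
    """SSIDs other than the intended one that the filter would also match."""
    return [s for s in ssids
            if s != intended and dnis_matches(pattern, f"{mac}:{s}")]


if __name__ == "__main__":
    teachers = f"{SAMPLE_MAC}:Teachers"
    print(authorize(teachers, {TEACHER_GROUP}))
    print(authorize(teachers, {"example.local/Groups/Students"}))
    # Without the *, the MAC prefix stops the filter from matching at all.
    print(dnis_matches("Teachers", teachers))
    # A suffix-only filter also matches any SSID that ends in the same text.
    names = ["Teachers", "Students", "Guest-Teachers"]
    print(overmatched_ssids("*Teachers", names, "Teachers"))
    print(overmatched_ssids("*:Teachers", names, "Teachers"))
```

If the wildcard behaves as modelled here, including the separator in the filter value keeps it from matching other SSIDs whose names end in the same text.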
05-02-2013 04:14 AM
Thank you so much. This worked perfectly. Your instructions and screenshots made it very easy.
05-02-2013 04:18 AM
Glad!!! Have a blessed day.
Jatin Katyal
- Do rate helpful posts -