Active Directory and ACS 5.2.0.26

tdaly
Level 1

I want to create an SSID that will only allow teachers to authenticate at my school. Is this possible using ACS? In other words, can ACS allow only certain groups in AD access to a particular SSID or subnet?

Thanks for any suggestions.

Accepted Solution

Jatin Katyal
Cisco Employee

In order to restrict access for a specific AD group to a specific SSID, this is what you need to perform.

When the WLC sends an authentication request to the ACS, it will include the SSID that the user is connecting to in the attribute Calling-Station-Id (31). We can use this information to create multiple rules in ACS 5.x in order to take actions based on the information contained in the attribute.

Under Users and Identity Stores > click on Directory Groups > Select > check the group name you want to add and hit OK. Save the changes.

We just need to create a DNIS rule that includes the name of the SSID and use it as a condition in any rule that we create for authentication. The * is required because the attribute not only contains the SSID but also a MAC address, so the * is used as a regular expression.

Now go to Access Policies > Default Network Access > Identity should be AD1.

Go to Authorization > click on Customize > move the AD1:ExternalGroups and End Station Filter attributes to the right side and hit OK.

After that, select the appropriate AD group for teachers and the End Station Filter.

Save changes.

Jatin Katyal
- Do rate helpful posts -

~Jatin
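To see how the DNIS wildcard and the AD group condition combine into an allow/deny decision, here is a small Python model of the rule evaluation, added as an illustration and not code from Cisco, ACS or the poster. It assumes the attribute carrying the SSID has the value <AP radio MAC>:<SSID> (how a Cisco WLC populates Called-Station-Id); the MACs, SSIDs, AD group names and rule are constructed samples.

```python
import re

# Constructed sample requests, shaped like what a WLC sends: the AP radio MAC
# and SSID in Called-Station-Id (the value the ACS DNIS condition is matched
# against) plus the AD groups the identity lookup returned for the user.
SAMPLE_REQUESTS = [
    {"user": "alice", "called": "00-1a-2b-3c-4d-5e:Teachers",
     "groups": ["school.local/Users/Teachers"]},
    {"user": "bob", "called": "00-1a-2b-3c-4d-5e:Teachers",
     "groups": ["school.local/Users/Students"]},
    {"user": "alice", "called": "00-1a-2b-3c-4d-5e:Students",
     "groups": ["school.local/Users/Teachers"]},
    {"user": "carol", "called": "00-1a-2b-3c-4d-5e:Teachers-Guest",
     "groups": ["school.local/Users/Teachers"]},
]

# Hypothetical authorization rules in ACS order: (name, DNIS pattern using the
# ACS '*' wildcard, required AD external group, result). First match wins.
RULES = [
    ("Teachers-SSID", "*:Teachers", "school.local/Users/Teachers", "PermitAccess"),
]

CALLED_RE = re.compile(r"^([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5}):(.+)$", re.IGNORECASE)


def split_called_station_id(value):
    """Return (ap_mac, ssid) from 'AP-MAC:SSID'; the SSID itself may contain ':'."""
    m = CALLED_RE.match(value)
    if not m:
        raise ValueError(f"unexpected Called-Station-Id format: {value!r}")
    return m.group(1).lower(), m.group(2)


def dnis_matches(pattern, value):
    """ACS-style wildcard match: '*' matches any run of characters, everything
    else is literal, and the whole value must match. Without a leading '*' the
    pattern 'Teachers' never matches, because the MAC comes first."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def evaluate(request, rules=RULES, default="DenyAccess"):
    """First rule whose DNIS pattern and AD group both match wins; otherwise the
    policy default (deny) applies, so a student on the teachers SSID and a
    teacher on an SSID with no rule are both rejected."""
    for name, pattern, group, result in rules:
        if dnis_matches(pattern, request["called"]) and group in request["groups"]:
            return name, result
    return "Default", default


def run_samples():
    return [(r["user"], split_called_station_id(r["called"])[1], evaluate(r)[1])
            for r in SAMPLE_REQUESTS]
```

Anchoring the pattern as `*:Teachers` rather than `*Teachers` keeps an SSID such as `MyTeachers` from matching the teachers rule.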


Thank you so much. This worked perfectly. Your instructions and screenshots made it very easy.

Glad!!! Have a blessed day.

Jatin Katyal
- Do rate helpful posts -

~Jatin