09-27-2010 12:48 PM - edited 07-03-2021 07:13 PM
Hi,
In a WLAN environment that has 2 WLCs, lots of LAPs and clients authenticating with an ACS which has an Active Directory configured as an external database, I would like to know how I can limit the EAP methods per group or SSID in the ACS.
For example: one SSID can only use PEAP-MSCHAPv2 and the other SSID can only use EAP-TLS.
Thanks in advance.
10-08-2010 04:25 AM
Hi,
You can do this with NAP on ACS. Create a NAP for each SSID you have and under the NAP you can allow only the desired EAP Method.
Thanks
Serge
10-08-2010 05:00 AM
As Serge said, you can do it with NAPs.
The trick is in the filter to match the NAP.
Using Cisco WLCs there is an attribute that is sent on the Radius Access-Request which contains the SSID:
"Called-Station-Id=00-26-cb-ac-03-00:test"
Please note that in this example the ssid name is "test".
So on the NAP you need a filter like:
"[030]Called-Station-Id contains test"
HTH,
Tiago
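To make the two answers above concrete, here is an added example (not code from the thread, and ACS itself does not run Python; this only models the decision the NAP filter makes). It parses the Called-Station-Id string in the `ap-macaddr-ssid` format quoted above, looks up a per-SSID list of allowed EAP methods, and fails closed when the SSID is absent or unknown. The SSID `test` comes from the thread; the SSID `corp-tls`, the policy table and the sample Access-Request values are constructed for illustration. It also shows the difference between the thread's `contains test` filter and an exact SSID match: a `contains` filter would also match an SSID such as `testing`, which matters when SSID names share a prefix.

```python
import re

# Hypothetical per-SSID policy, mirroring the question: one SSID allows only
# PEAP-MSCHAPv2, the other allows only EAP-TLS.  "test" is the SSID from the
# thread; "corp-tls" is a constructed name.
SSID_POLICY = {
    "test": {"PEAP-MSCHAPv2"},
    "corp-tls": {"EAP-TLS"},
}

# WLC format with callStationIdType ap-macaddr-ssid: "<ap-mac>:<ssid>".
# The ":<ssid>" part is optional so that a WLC still set to ap-macaddr parses
# as "no SSID present" rather than as an error.
CALLED_STATION_ID_RE = re.compile(
    r"^(?P<mac>(?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2})(?::(?P<ssid>.+))?$"
)


def parse_called_station_id(value):
    """Return (ap_mac, ssid) from a WLC Called-Station-Id, or None if the value
    is not in MAC or MAC:SSID form (e.g. the WLC is set to ipaddr)."""
    match = CALLED_STATION_ID_RE.match(value)
    if not match:
        return None
    ssid = match.group("ssid")
    return match.group("mac").lower(), ssid


def nap_contains_match(called_station_id, needle):
    """Substring test, i.e. what '[030]Called-Station-Id contains test' does.
    Note it also matches SSIDs that merely contain the needle ("testing")."""
    return needle in called_station_id


def eap_allowed(called_station_id, eap_method):
    """Decide whether eap_method is permitted for the SSID carried in the
    Called-Station-Id.  Fails closed: no SSID or unknown SSID -> reject."""
    parsed = parse_called_station_id(called_station_id)
    if parsed is None:
        return False
    _ap_mac, ssid = parsed
    if ssid is None:
        return False  # WLC not sending the SSID; cannot enforce per-SSID policy
    allowed = SSID_POLICY.get(ssid)
    if allowed is None:
        return False  # SSID not in policy; do not accept by default
    return eap_method in allowed


def evaluate(requests):
    """Run the policy over a list of (Called-Station-Id, EAP method) pairs."""
    return [(csid, eap, eap_allowed(csid, eap)) for csid, eap in requests]


if __name__ == "__main__":
    # Constructed sample Access-Request attribute values.
    sample = [
        ("00-26-cb-ac-03-00:test", "PEAP-MSCHAPv2"),   # allowed
        ("00-26-cb-ac-03-00:test", "EAP-TLS"),         # wrong method for SSID
        ("00-26-cb-ac-03-00:corp-tls", "EAP-TLS"),     # allowed
        ("00-26-cb-ac-03-00:testing", "PEAP-MSCHAPv2"),# exact match rejects
        ("00-26-cb-ac-03-00", "PEAP-MSCHAPv2"),        # no SSID sent
        ("10.0.0.1", "PEAP-MSCHAPv2"),                 # ipaddr format
    ]
    for csid, eap, ok in evaluate(sample):
        contains = nap_contains_match(csid, "test")
        print(f"{csid:32} {eap:14} allowed={ok!s:5} contains_test={contains}")
```

The `testing` row is the one to look at: the thread's `contains test` filter would steer it into the PEAP NAP, while an exact SSID match does not. On ACS the practical equivalent is to choose SSID names that are not prefixes of each other, or to include the trailing part of the string in the filter, and to check on the WLC that `callStationIdType` is `ap-macaddr-ssid` so the SSID is actually present.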
10-08-2010 05:05 AM
All correct. Just adding that, to have the WLC send the SSID after the MAC address in the Called-Station-Id, this needs to be configured:
(Cisco Controller) >config radius callStationIdType ?
ipaddr Sets Call Station Id Type to the system's IP Address
macaddr Sets Call Station Id Type to the system's MAC Address
ap-macaddr Sets Call Station Id Type to the AP's MAC Address
ap-macaddr-ssid Sets Call Station Id Type to the format
Enjoy !
10-08-2010 12:24 PM
The solutions in this thread are great; I thought I would add one more. You can also accomplish this with CLI/DNIS Network Access Restrictions in ACS 4.2 with the
-AAA Client would be set to your WLC NDG or IP
-Port would be set to *
-CLI would be set to *
-DNIS would be set to *
You can use a permit or deny based on what you are trying to accomplish.
--Jesse