Assigning SSID by RADIUS

dwesterhouse
Level 1

Here is what I am trying to accomplish:

I have a Guest SSID on its own VLAN, an Office Data SSID on its own VLAN, and a Voice SSID on its own VLAN. None broadcast.

I authenticated my desired clients to both the Office Data and Voice clients by MAC authentication to RADIUS which in turn looks at Active Directory for the MAC.

What I would like to do is make the Guest SSID broadcast, but explicitly prevent the MAC clients from using the Guest SSID. What is the simplest way to do this? So far I have come up with setting SSID assignment using RADIUS, but I have never seen this implemented. If someone has a quick lesson, it would be greatly appreciated. Maybe there is a really easy way and I am just not seeing it.

All replies are greatly appreciated.

Thank You.

1 Reply

Nicolas Darchis
Cisco Employee

You cannot "Assign" an SSID by RADIUS. That would mean that the WLC could force the client to change SSID.

If the client associates to a given SSID, no external device can make him change his mind, you just can't "control" a client like that.

However you can make the authentication fail when a client connects to the guest SSID. This is much easier to do.

If you configure the following command on the WLC:

config radius callstationidtype ap-macaddr-ssid

It means that the calling station id RADIUS attribute will contain the AP MAC address followed by the SSID. With a RADIUS server like ACS 5 it's very easy to then make a rule to accept authentication if the SSID is x or y but refuse it if it's anything else.
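
The rule described in the reply above, sketched as an added Python example (not part of the original thread, and not ACS configuration). It assumes the attribute value arrives as the AP MAC in hyphenated form, a colon, then the SSID, and uses the hypothetical SSID names OfficeData and Voice; the MAC lookup in Active Directory is a separate condition and is not modelled.

```python
import re

# Assumed wire format for ap-macaddr-ssid: "<AP MAC with hyphens>:<SSID>"
_STATION_ID = re.compile(r"^((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}):(.*)$", re.S)

# Hypothetical SSID names standing in for the poster's Office Data and Voice WLANs.
ALLOWED_SSIDS = {"OfficeData", "Voice"}


def parse_station_id(value):
    """Split the attribute into (ap_mac, ssid); raise ValueError if malformed."""
    m = _STATION_ID.match(value)
    # An 802.11 SSID is 1 to 32 bytes long; reject anything outside that.
    if not m or not 1 <= len(m.group(2).encode()) <= 32:
        raise ValueError("not in ap-macaddr-ssid form: %r" % value)
    return m.group(1).lower(), m.group(2)


def decide(station_id, allowed=ALLOWED_SSIDS):
    """Return 'Access-Accept' only for an exact match on an allowed SSID.

    Anything else, including a value that cannot be parsed, is rejected,
    so a missing or reformatted attribute fails closed.
    """
    try:
        _, ssid = parse_station_id(station_id)
    except ValueError:
        return "Access-Reject"
    return "Access-Accept" if ssid in allowed else "Access-Reject"


# Constructed sample values (not taken from a real capture).
SAMPLES = [
    "00-1A-2B-3C-4D-5E:OfficeData",
    "00-1A-2B-3C-4D-5E:Voice",
    "00-1A-2B-3C-4D-5E:Guest",
    "00-1A-2B-3C-4D-5E:officedata",   # SSIDs are case-sensitive
    "00-1A-2B-3C-4D-5E",              # AP MAC only: WLC option not applied
    "00-1A-2B-3C-4D-5E:Guest:Voice",  # colon inside the SSID is kept whole
]

if __name__ == "__main__":
    for s in SAMPLES:
        print("%-32s %s" % (s, decide(s)))
```

The AP-MAC-only sample shows why the rule should fail closed: if the WLC setting is ever reverted, the SSID disappears from the attribute and every request is rejected rather than silently accepted.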
