Block local users acces to web authentication on WLC

Eduardo.Placencia · ‎03-09-2022

I have two SSID with web authentication, ¿Can I restrict the access of 6 users to an especific SSID?

MHM Cisco World · ‎03-09-2022

If I am right try this way

under wlan in WLC, L2 security Mac filter,

add MAC address of user in local Mac tables of WLC .

MHM Cisco World · ‎03-09-2022

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/91901-mac-filters-wlcs-config.html

Eduardo.Placencia · ‎03-09-2022

Hi, thanks for your replay.

I solved the problem. Let me explain a little bit more about my scenario in a WLC 9800, it´s a little different with legacy WLC, hope you can understand me, English is not my native language.

I have 2 SSIDs for guest users using web authentication, SSID 1 normal behavior is to have access for internet but the users can't reach my internal network, and the SSID 2 normal behavior is to reach my internal network and also everything in Internet.

What I was looking is to create guest users for SSID 1 only and the same for SSID 2.

The problem was that all users have the connection with both SSID.

The problem was solved with this steps in GUI,

1. Creat an attributte list with the association of the SSID (Security==>AAA==>AAA advanced==> Attribute_list)

2. Associate the guest user with the attribute list

3. Associate the user with a wlan-profile-name, because if you do not do this, the guest user authentication is allowed on any WLAN.

4. In the Policy created for the SSID you need to check AAA override.

Example CLI configuration

conf t
user-name XXXXX1
password 0 XXXXX
aaa attribute list XXXXX <== Name_of_attribute_list_created
exit

conf t
username XXXXX1 wlan-profile-name XXXXX <== SSID_name

I just followed this link,

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/16-11/config-guide/b_wl_16_11_cg/b_wl_16_11_cg_chapter_01110110.html

Regards