Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
470
Views
0
Helpful
4
Replies

Filtering muliple EAP authenticated Vlan

carlosmadriz
Level 1
Level 1

‎01-17-2007 10:01 AM - edited ‎07-03-2021 01:29 PM

Hi,

A have the following scenario:

5 vlans configured on my AP, 3 of them use PEAP to authenticate users (not computers), I'm using ACS 3.3.3 connected to my Active Directory.

The thing is, How can I filter access from one SSID to another if I am using PEAP in those 3 SSIDs?

Let me explain the scenario:

I have one SSDI for Students (PEAP), other for Employees (Also PEAP) and the last one for IT (PEAP again)

How can I prevent a student from jumping to one SSID to another? Is there a Way to use some kind of key in addition to the domain username and password? How can I configure ACS to realise from wich SSID the user is trying to connect?

I anyone have an Idea, please help me!

Thank you guys, I will post my AP config so you can understand what I am talking about.

Labels:
Preview file
9 KB
0 Helpful
4 Replies 4

umedryk
Level 5
Level 5

‎01-23-2007 11:42 AM

think you are referring to filter access between different vlans. If I am right, you can do this at the router level. To enable or disable routing between 2 vlans, router needs to be configured above the AP. Here, to filtter between these 3 vlans, donot configure the router with networks from all three vlans. This ensures that router doesn't have a route to reach other vlan and hence inter-vlan communication is filtered.

Is this the one you were expecting?. On the AP, if you want, you can create ACL to deny traffic to the subnets associated with those vlan.

0 Helpful

chorl0232
Level 1
Level 1
In response to umedryk

‎02-14-2007 01:44 AM

Hello,

I'm having similar problems in my deployment. Students wlan only has captive portal, no wireless encryption, while employees and IT wlan are protected with EAP-PEAP / WPA1 / TKIP.

Since I don't have PKI deployed (server certs aren't validated in the wireless clients), if a student associates with employees wlan and enter his credentials, he will gain acces to employees wlan, because the RADIUS database stores all users and passwords.

Is there any RADIUS attributes I can use to discern which user is trying to get access to the network?

I.e. a tunnel-ID attribute associated with access-request packet, so RADIUS can check that attribute matches proper user-password pair.

thanks in advance,

Ignacio Siles

0 Helpful

chorl0232
Level 1
Level 1
In response to chorl0232

‎02-14-2007 02:06 AM

Hello again,

I forgot to mention I have three WLC 4402, if this information is needed to specify the RADIUS attributes provided by cisco WLC.

0 Helpful

claeysg
Level 1
Level 1
In response to chorl0232

‎02-28-2007 01:53 AM

Hello,

There is a doc on CCO explaining how to restrict access to a SSID based on the user.

Have a look at http://www.cisco.com/en/US/customer/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml

Rgds,

Gaetan

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card