How to create two SSIDs with LDAP authentication using RADIUS

Sakthi vel
Level 1

Hi,

My requirement is that I need two SSIDs pointing towards the same RADIUS server.

SSID 1: used for higher-level people (using LDAP AD authentication). These people should not be able to connect to SSID 2.

SSID 2: used for the corporate team (using LDAP AD authentication). These people should not be able to connect to SSID 1.

How do I configure this in ACS 5.3.0.40.8 and WLC 7.0.220.0?

Please help with this.

2 Accepted Solutions


Scott Fella
Hall of Fame

Why use LDAP? I would just join the ACS server to the domain and not use LDAP. Anyway, what you want done comes from how you define your policies, and it may vary depending on what your requirement is. What you have to do is create two policies in ACS, one for the higher-level people and the other for the slave workers :) You would use the Called-Station-Id attribute or the WLAN-ID attribute.

Here is a link to a thread regarding your setup.

https://supportforums.cisco.com/thread/2133704

Here are the supported attributes:

http://www.cisco.com/en/US/products/ps6307/products_tech_note09186a0080870334.shtml

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered".

-Scott
*** Please rate helpful posts ***


Mark Baggott
Level 1

I have ACS configured directly connected to AD and the lookups work well.

For the custom session condition, set the dictionary to RADIUS-IETF and the attribute to "Called-Station-ID".

The Called-Station-ID will look like ff:ff:ff:ff:ff:SSID, so creating your rule with "ends with" or "contains" is a must.

In the Access Policies menu, have you set your custom "Service Selection Rule" for your network higher in the list than the RADIUS default rule? The selection rules work like firewall rules and use the first match from top to bottom.

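The two points the replies above turn on, that the WLC prefixes the SSID with the AP MAC in Called-Station-Id (so an "equals SSID" rule never hits) and that ACS rules are evaluated first-match from the top, are shown here in an added example that is not part of the thread and is not Cisco ACS code. It is a small Python model of first-match policy evaluation keyed on AD group plus Called-Station-Id. The AP MAC, SSID names (CorpExec, CorpStaff), AD group names (WLAN-Exec, WLAN-Staff) and rule names are constructed; the operator set (equals, contains, ends with, matches) is modelled on the condition operators the posts mention, not taken from an ACS export.

```python
"""First-match policy model keyed on RADIUS Called-Station-Id (added example, constructed data)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable

# WLC "AP MAC : SSID" Called-Station-Id; the MAC may be written with ':' or '-' separators.
_CSID_RE = re.compile(r"^(?P<mac>(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}):(?P<ssid>.+)$")


def ssid_from_called_station_id(value: str) -> str | None:
    """Return the SSID suffix of Called-Station-Id, or None when the WLC sent only the AP MAC.

    None is the case to watch for: any rule that assumes a ':SSID' suffix then never matches.
    """
    m = _CSID_RE.match(value)
    return m.group("ssid") if m else None


# Condition operators, modelled on the ones named in the thread (assumption, not ACS's own table).
OPERATORS: dict[str, Callable[[str, str], bool]] = {
    "equals": lambda value, arg: value == arg,
    "contains": lambda value, arg: arg in value,
    "ends with": lambda value, arg: value.endswith(arg),
    "matches": lambda value, arg: re.search(arg, value) is not None,
}


@dataclass
class Rule:
    name: str
    ad_group: str | None  # AD group the user must hold; None = any authenticated user
    csid_op: str | None  # operator applied to Called-Station-Id; None = any value
    csid_arg: str = ""
    result: str = "permit"  # "permit" or "deny"
    hits: int = 0  # ACS shows a per-rule hit count; zero means the rule never matched


def evaluate(rules: list[Rule], user_groups: set[str], called_station_id: str) -> tuple[str, str]:
    """Top-to-bottom, first-match evaluation; returns (rule name, result).

    A broad rule placed above a specific one shadows it, exactly like firewall rules.
    """
    for rule in rules:
        if rule.ad_group is not None and rule.ad_group not in user_groups:
            continue
        if rule.csid_op is not None and not OPERATORS[rule.csid_op](called_station_id, rule.csid_arg):
            continue
        rule.hits += 1
        return rule.name, rule.result
    raise RuntimeError("policy has no catch-all rule")  # ACS always ends in a default; so must this model


AP_MAC = "00-1a-2b-3c-4d-5e"  # constructed AP radio MAC
EXEC_SSID, STAFF_SSID = "CorpExec", "CorpStaff"  # constructed SSID names


def working_policy() -> list[Rule]:
    """Each SSID rule requires the right AD group AND an SSID match anchored on the ':' before it."""
    return [
        Rule("Exec-SSID", "WLAN-Exec", "matches", rf".*:{EXEC_SSID}$"),
        Rule("Staff-SSID", "WLAN-Staff", "matches", rf".*:{STAFF_SSID}$"),
        Rule("Default", None, None, result="deny"),
    ]


def zero_hit_policy() -> list[Rule]:
    """The thread's symptom: 'equals SSID' never matches because the AP MAC precedes the SSID."""
    return [
        Rule("Exec-SSID", "WLAN-Exec", "equals", EXEC_SSID),
        Rule("Default", None, None, result="deny"),
    ]


def shadowed_policy() -> list[Rule]:
    """Mark's second point: a default rule ordered above the custom rule takes every request."""
    return [
        Rule("Default", None, None, result="permit"),
        Rule("Exec-SSID", "WLAN-Exec", "matches", rf".*:{EXEC_SSID}$"),
    ]


def loose_policy() -> list[Rule]:
    """'contains Corp' matches both SSIDs, so an exec user is admitted on the staff SSID too."""
    return [
        Rule("Exec-SSID", "WLAN-Exec", "contains", "Corp"),
        Rule("Default", None, None, result="deny"),
    ]


if __name__ == "__main__":
    policy = working_policy()
    for groups, csid in [({"WLAN-Exec"}, f"{AP_MAC}:{EXEC_SSID}"), ({"WLAN-Exec"}, f"{AP_MAC}:{STAFF_SSID}")]:
        print(groups, ssid_from_called_station_id(csid), "->", evaluate(policy, groups, csid))
```

The check worth keeping from this: anchor the SSID condition on the colon that precedes it (`.*:CorpExec$`) rather than using "contains", otherwise an SSID that is a substring of another matches both rules, and pair the SSID condition with the AD group condition so that an exec user on the staff SSID falls through to the deny default, which is the isolation the question asks for. A custom rule that shows a zero hit count after several test logins is matching nothing, and the two causes modelled here (wrong operator, or a default rule ordered above it) are the first two to rule out.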

5 Replies


Thanks Scott.

We created a new policy with Called-Station-Id and "ends with SSID", but I can still see there is no hit count for that list.

Are you using a wildcard? Should be something like this: .*SSID

-Scott


Scott and Mark,

Thanks for your support.

We have configured the two SSIDs, and in ACS we have used Called-Station-Id to identify the traffic for each SSID.

Found it is working perfectly.
