04-21-2016 04:55 AM - edited 07-05-2021 04:55 AM
Is it possible to profile Wi-Fi users by authentication type (e.g. EAP-TLS, EAP-PEAP) with the ability to segment via VLAN or through the use of ACLs, restricting access for non-corporate devices (BYOD) and corporate assets? For example, EAP-PEAP users (BYOD) would be restricted to just the Internet through an ACL or segmented VLAN, while corporate assets using EAP-TLS would be allowed to reach Intranet resources in the same manner. Today, both non-corporate devices (BYOD) and corporate assets use the same SSID, and the customer would like to keep the same SSID for both if possible.
We are using Cisco Wireless LAN Controller (WLC) 2504 and 5508 running Release 7.6
Thanks
Gregg
04-21-2016 05:11 AM
Yes you can do it but you will need a RADIUS server to create policies.
How to do it:
http://www.labminutes.com/sec0186_ise_13_wireless_dot1x_eap-tls_peap_1
....and further videos on web.
Regards
Don't forget to rate helpful posts
04-21-2016 05:16 AM
We aren't using 802.1x. We want to handle this through the profile for the wireless user. Plus, I'm not paying money for a video, but thanks anyway.
Greg
04-21-2016 05:25 AM
802.1X is the framework used by PEAP and TLS. If you are using PEAP and TLS, you are using 802.1X.
04-21-2016 05:31 AM
Correct, we do.
04-21-2016 05:35 AM
Ok.
VLAN moving, for example, is handled by using RADIUS attributes. You build authentication and authorization policies to make this happen. Example: if user x uses a cert, then move them to VLAN 5. If user x uses PEAP, move them to VLAN 10.
This magic happens on the RADIUS server.
04-21-2016 05:41 AM
Can we leverage an ACL per authentication type, given that we don't have VLAN trunking implemented and all users go through the same VLAN? Also, are you aware of any issues being able to implement this using Cisco Wireless LAN Controller (WLC) 2504 and 5508 running Release 7.6?
Thanks
Gregg
04-21-2016 05:47 AM
Yes, you can do this as well using a RADIUS attribute.
1. The ACL would live on the WLC. Sounds like you would have 2: one for PEAP and one for TLS.
2. You create a policy in RADIUS that says if user x comes in with TLS, apply this named ACL. That name matches the one on the WLC. When the RADIUS success is returned to the WLC, the RADIUS attribute with the ACL name is inside. So the client goes into run state and the WLC applies that ACL.
Make sense?
Since this is RADIUS backend stuff, I don't think the 7.6 version is a problem.
04-21-2016 05:49 AM
Makes sense. I will give it a try.
Thank you
Gregg
04-21-2016 05:52 AM
Thank you for the rating. Check back if you have problems.
04-21-2016 05:23 AM
You can also use the OU in the cert to build policies.