08-30-2007 11:23 AM - edited 07-03-2021 02:34 PM
Hi,
We have a WLC4400 series with LWAP deployed and we have two employee WLANs and one guest WLAN. Both employee WLANs are authenticated via RADIUS to the same Cisco ACS 4.1 appliance. The ACS authenticates to Windows AD. We plan to use EAP-TLS for both employee WLANs.
Is there a way to set up the restrictions in ACS such that users can only associate with the APs in the WLAN they are allowed? Both WLANs authenticate to the same Cisco Secure ACS 4.1 appliance.
For example,
- two users: userA, userB
- two SSIDs/WLANs: WLANA, WLANB
- user A can associate with any AP in WLANA but not in WLANB.
- user B can associate with any AP in WLANB but not in WLANA.
Thanks in advance,
Van
08-30-2007 01:23 PM
Hi Van,
Have a look at this example; it sounds like what you are looking for:
Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller Configuration Example
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
Hope this helps!
Rob
08-31-2007 01:53 PM
Hi Rob,
Thanks for the info. That link wasn't exactly what I was looking for but the below is. :-)
WLC passes the SSID info in the DNIS attribute via RADIUS so I can filter on that.
See below.
Restrict WLAN Access based on SSID with WLC and Cisco Secure ACS Configuration Example
Document ID: 71811
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml
Thanks,
Van
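The SSID filter discussed in this thread, sketched in Python as an added example (not code from the thread or from the linked Cisco document). It assumes the DNIS value is the RADIUS Called-Station-Id and that the WLC sends it as `<AP MAC>:<SSID>`; the function names, policy table and sample values are constructed.

```python
import re

# Constructed policy mirroring the thread's example users and WLANs.
ALLOWED_SSIDS = {
    "userA": {"WLANA"},
    "userB": {"WLANB"},
}

# Assumed Called-Station-Id (DNIS) layout: "<AP MAC>:<SSID>".
# The MAC may use '-' or ':' separators; the SSID itself may contain ':'.
_CSID = re.compile(r"^([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})(?::(.+))?$")


def parse_called_station_id(value):
    """Return (ap_mac, ssid); ssid is None when no SSID suffix is present."""
    m = _CSID.match(value.strip())
    if not m:
        raise ValueError(f"unrecognised Called-Station-Id: {value!r}")
    return m.group(1).lower().replace(":", "-"), m.group(2)


def is_permitted(username, called_station_id):
    """Fail closed: deny unknown users, unparseable values and missing SSIDs."""
    try:
        _, ssid = parse_called_station_id(called_station_id)
    except ValueError:
        return False
    if ssid is None:
        return False
    # Exact, case-sensitive match; a suffix glob such as "*WLANA" would also
    # accept a longer SSID that merely ends in the same text.
    return ssid in ALLOWED_SSIDS.get(username, set())


if __name__ == "__main__":
    # Constructed requests: (User-Name, Called-Station-Id).
    for user, csid in [
        ("userA", "00-0b-85-5b-fb-d0:WLANA"),
        ("userA", "00-0b-85-5b-fb-d0:WLANB"),
        ("userB", "00:0b:85:5b:fb:d0:WLANB"),
        ("userB", "00-0b-85-5b-fb-d0"),
    ]:
        print(user, csid, "PERMIT" if is_permitted(user, csid) else "DENY")
```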