08-05-2011 02:25 PM - edited 07-03-2021 08:31 PM
Hello,
I have 4 autonomous AP 1142s with 2 SSIDs: SSID10, vlan 10 & SSID20, vlan 20.
I use ACS 4.2 in order to authenticate users (EAP-FAST). How can I restrict access based on SSID or on VLAN?
I want users that connect to SSID 10 to not have access to SSID 20 and the opposite.
Any suggestions?
Thanks in advance.
08-05-2011 05:35 PM
Broadcast 1 SSID and do not broadcast another, or you can block them on the L3 device by configuring ACLs.
Please don't forget to rate the useful posts!!
Regards
Surendra
08-05-2011 05:39 PM
Christos,
You can also leverage cisco av-pairs to restrict users/groups based on ssid on the ACS.
On the ACS:
Go into the user or group and check 'cisco-av-pair' and then put in
'ssid=SSID10' (without quotes) to restrict the user. If this attribute
does not appear on the user or group you want to test, please be sure
you have it turned on under Interface Config --> Radius (Cisco IOS/PIX
6.x)--> cisco-av-pair is checked on user/group. If it is still not
showing up under a user, please be sure that you have 'Per-user
TACACS+/RADIUS Attributes' turned on under Interface Config --> Advanced
Options.
-Patrick Croak
Wireless TAC
08-06-2011 04:45 AM
Thanks for your answers.
I tried to restrict access using NARs without success.
I'll try the solution that you suggested (cisco av-pairs) and I'll inform you.
Regards.
08-06-2011 05:14 AM
Patrick,
Should I use the command "radius-server vsa send authentication" in order to enable av-pairs in access point requests?
08-06-2011 09:28 AM
Christos,
Yes, you should have radius-server vsa send authentication configured to send the av-pairs to your server.
You can see if the ssid is being sent by capturing the following debugs when trying to connect:
debug aaa authentication
debug aaa authorization
debug radius
debug dot1x all
-Patrick
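To make the two answers above concrete (the ACS user/group attribute 'ssid=SSID10' and the AP sending av-pairs once "radius-server vsa send authentication" is configured), here is an added example that is not from this thread and not Cisco's code. It encodes and decodes the Cisco vendor-specific attribute that carries a cisco-avpair string in a RADIUS packet (RFC 2865 attribute 26, Cisco enterprise number 9, sub-attribute 1), then applies a per-user SSID policy of the kind the ACS attribute expresses. The user table, the `build_request` helper and the `authorize` function are assumptions for illustration; they stand in for ACS's internal matching, which this example does not reproduce. The fields it decodes (attribute 26, vendor 9, sub-attribute 1) are the ones to look for in the "debug radius" output when checking whether the ssid is being sent.

```python
import struct
from typing import List, Optional, Tuple

ATTR_USER_NAME = 1          # RFC 2865 User-Name
ATTR_VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific
CISCO_VENDOR_ID = 9         # IANA enterprise number for Cisco
CISCO_AVPAIR = 1            # vendor-type of the cisco-avpair sub-attribute


def encode_attr(atype: int, value: bytes) -> bytes:
    """Type / Length / Value as RADIUS lays it out (length includes the 2-byte header)."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def encode_cisco_avpair(text: str) -> bytes:
    """Wrap one cisco-avpair string (e.g. 'ssid=SSID10') in a Vendor-Specific attribute."""
    value = text.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_request(user: str, ssid: Optional[str]) -> bytes:
    """Constructed Access-Request attribute list: User-Name plus, if given, the ssid av-pair
    an AP includes when 'radius-server vsa send authentication' is configured (assumption)."""
    blob = encode_attr(ATTR_USER_NAME, user.encode("ascii"))
    if ssid is not None:
        blob += encode_cisco_avpair("ssid=" + ssid)
    return blob


def parse_attributes(blob: bytes) -> List[Tuple[int, bytes]]:
    """Walk an attribute list into (type, value) pairs, refusing malformed lengths."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("bad attribute length")
        out.append((atype, blob[i + 2:i + alen]))
        i += alen
    return out


def cisco_avpairs(blob: bytes) -> List[str]:
    """Return every cisco-avpair string found in the attribute list."""
    pairs = []
    for atype, val in parse_attributes(blob):
        if atype != ATTR_VENDOR_SPECIFIC or len(val) < 6:
            continue
        if struct.unpack("!I", val[:4])[0] != CISCO_VENDOR_ID:
            continue
        j = 4
        while j + 2 <= len(val):
            vtype, vlen = val[j], val[j + 1]
            if vlen < 2 or j + vlen > len(val):
                raise ValueError("bad VSA sub-attribute length")
            if vtype == CISCO_AVPAIR:
                pairs.append(val[j + 2:j + vlen].decode("ascii", "replace"))
            j += vlen
    return pairs


def request_ssid(blob: bytes) -> Optional[str]:
    """Pick the value of the 'ssid=' av-pair, if the request carries one."""
    for pair in cisco_avpairs(blob):
        key, _, value = pair.partition("=")
        if key.strip().lower() == "ssid":
            return value.strip()
    return None


# Constructed stand-in for the per-user 'cisco-av-pair: ssid=...' attribute on the ACS.
ALLOWED_SSID = {"alice": "SSID10", "bob": "SSID20"}


def authorize(blob: bytes) -> Tuple[bool, str]:
    """Accept only when the SSID the AP reports matches the SSID the user is restricted to."""
    user = next((v.decode("ascii") for t, v in parse_attributes(blob) if t == ATTR_USER_NAME), None)
    if user is None:
        return False, "no User-Name in request"
    ssid = request_ssid(blob)
    if ssid is None:
        return False, "no ssid av-pair in request (is 'radius-server vsa send authentication' set?)"
    want = ALLOWED_SSID.get(user)
    if want is None:
        return False, "unknown user " + user
    if ssid != want:
        return False, "user %s restricted to %s, attempted %s" % (user, want, ssid)
    return True, "user %s accepted on %s" % (user, ssid)


if __name__ == "__main__":
    for u, s in (("alice", "SSID10"), ("alice", "SSID20"), ("bob", None)):
        print(u, s, "->", authorize(build_request(u, s)))
```

The length checks in the parser matter: a RADIUS server that trusts the on-wire length fields without bounding them against the packet is a classic source of out-of-bounds reads, and the same applies to the nested vendor-length inside attribute 26.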
08-07-2011 09:48 AM
One more question Patrick,
In my case, should I enable the vendor proprietary attributes with the command "radius-server host xxx.xxx.xxx nonstandard"? Is there any other configuration except the above that I should use on the AP?
Have you tried this scenario using NAR?
I will test it probably in 3 days so I'll let you know about the result.
Thanks for your help,
Best regards.
08-12-2011 11:46 AM
5 stars for your answer Patrick!
Your solution works perfect...
The problem I have now is that the clients don't get a valid DNS server. We are using ACS to act as DHCP and serve IPs for the 2 SSIDs. The clients get a valid IP but the DNS on the client appears in HEX.
Thanks for your help.
Regards.