
Restriction based on SSID

Hello,

I have 4 autonomous AP 1142s with 2 SSIDs: SSID10, VLAN 10 & SSID20, VLAN 20.

I use ACS 4.2 in order to authenticate users (EAP-FAST). How can I restrict access based on SSID or on VLAN?

I want users that connect to SSID10 to not have access to SSID20, and vice versa.

Any suggestions?

Thanks in advance.

7 Replies

Surendra BG
Cisco Employee

Broadcast one SSID and do not broadcast the other, or you can block them on the L3 device by configuring ACLs.

Please don't forget to rate the useful posts!!

Regards
Surendra BG

Christos,

You can also leverage Cisco av-pairs to restrict users/groups based on SSID on the ACS.

On the ACS:

Go into the user or group and check 'cisco-av-pair' and then put in 'ssid=SSID10' (without quotes) to restrict the user. If this attribute does not appear on the user or group you want to test, please be sure you have it turned on under Interface Config --> Radius (Cisco IOS/PIX 6.x) --> cisco-av-pair is checked on user/group. If it is still not showing up under a user, please be sure that you have 'Per-user TACACS+/RADIUS Attributes' turned on under Interface Config --> Advanced Options.

-Patrick Croak
Wireless TAC

Thanks for your answers.

I tried to restrict access using NARs without success.

I will try the solution that you suggested (Cisco av-pairs) and I'll inform you.

Regards.

Patrick,

Should I use the command "radius-server vsa send authentication" in order to enable av-pairs in access point requests?

Christos,

Yes, you should have radius-server vsa send authentication configured to send the av-pairs to your server.

You can see if the ssid is being sent by capturing the following debugs when trying to connect:

debug aaa authentication
debug aaa authorization
debug radius
debug dot1x all

-Patrick
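The AP side of what Patrick describes, as an added example and not configuration from this thread: an autonomous AP IOS fragment with the two SSIDs, EAP authentication against the ACS, and `radius-server vsa send authentication` so the SSID av-pair reaches the server where the per-user `ssid=` check is configured. The server address 192.0.2.10, the shared-secret placeholder and the group and method-list names are assumptions; substitute your own.

```cisco
! Constructed example: adjust server address, key and names to your environment
aaa new-model
!
aaa group server radius rad_acs
 server 192.0.2.10 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_acs
!
dot11 ssid SSID10
 vlan 10
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa version 2
!
dot11 ssid SSID20
 vlan 20
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa version 2
!
interface Dot11Radio0
 encryption vlan 10 mode ciphers aes-ccm
 encryption vlan 20 mode ciphers aes-ccm
 ssid SSID10
 ssid SSID20
!
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <SHARED-SECRET>
! Without the next line the AP does not include the cisco-av-pair (ssid=...)
! in its Access-Request, so the per-user ssid= attribute on the ACS
! has nothing to match against and the restriction silently does not apply
radius-server vsa send authentication
```

Verify with the debugs listed above: `debug radius` should show the `ssid=` av-pair in the Access-Request, and a user whose ACS entry carries `ssid=SSID10` should be rejected when associating to SSID20.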

One more question Patrick,

In my case, should I enable the vendor proprietary attributes with the command "radius-server host xxx.xxx.xxx nonstandard"? Is there any other configuration except the above that I should use on the AP?

Have you tried this scenario using NAR?

I will test it probably in 3 days so I'll let you know about the result.

Thanks for your help,

Best regards.

5 stars for your answer Patrick!

Your solution works perfect...

The problem I have now is that the clients don't get a valid DNS server. We are using ACS to act as DHCP and serve IPs for the 2 SSIDs. The clients get a valid IP but the DNS on the client appears in HEX.

Thanks for your help.

Regards.
