10-08-2012 03:06 AM - edited 07-03-2021 10:47 PM
Dear Techies,
We are trying to implement the Wireless Guest Setup with the following requirements.
1. The Guest Users will be created locally in the ACS user database.
2. The Guest will connect to the WLAN SSID, and they should be assigned to a different VLAN (like a Quarantine VLAN) before authentication, i.e. a different IP range with limited access, i.e. no access to internet and intranet resources.
3. Once the Guest users are authenticated via Username and Password, they should be moved dynamically to a different VLAN, i.e. the VLAN for Guests, and be able to access the internet.
I am looking for a document or idea on how it can be implemented and what configuration is required.
Thanks for reading....
Arun A
10-08-2012 06:30 AM
CoA is an issue with wireless because what you need to do is send a RADIUS attribute to the client to reassociate again or do a DHCP release/renew. Your best bet is to create a pre-auth ACL on the WLC to allow them access to DHCP and DNS only prior to being authenticated.
Sent from Cisco Technical Support iPhone App
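As an added illustration of the pre-auth ACL approach suggested above (not code from the thread or from Cisco), the model below decides whether a guest flow is allowed depending on whether the client has completed web-auth. The client states, resolver addresses and rule layout are constructed assumptions, not WLC CLI syntax.

```python
"""Model of a pre-authentication ACL for web-auth guests (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str       # client IP (from the guest pool)
    dst: str       # destination IP
    proto: str     # "udp" or "tcp"
    dport: int     # destination port


@dataclass(frozen=True)
class Rule:
    action: str    # "permit" or "deny"
    proto: str     # "udp", "tcp" or "any"
    dst_net: str   # destination network in CIDR form
    dports: tuple  # destination ports matched; () means any port

    def matches(self, flow: Flow) -> bool:
        return (self.proto in ("any", flow.proto)
                and ip_address(flow.dst) in ip_network(self.dst_net)
                and (not self.dports or flow.dport in self.dports))


# Constructed resolver addresses: DNS is permitted only to these hosts, so an
# unauthenticated client cannot reach an arbitrary host just by using port 53.
DNS_SERVERS = ("10.10.0.53", "10.10.0.54")

# Pre-auth ACL as the thread suggests: DHCP and DNS only, implicit deny otherwise.
PRE_AUTH_ACL = (
    Rule("permit", "udp", "0.0.0.0/0", (67,)),                 # DHCP to any server
    *(Rule("permit", "udp", f"{s}/32", (53,)) for s in DNS_SERVERS),
    *(Rule("permit", "tcp", f"{s}/32", (53,)) for s in DNS_SERVERS),
)


def guest_decision(state: str, flow: Flow, acl=PRE_AUTH_ACL) -> str:
    """Return "permit" or "deny" for a guest client's flow.

    state is the client's assumed policy state: "WEBAUTH_REQD" (associated and
    holding an IP, but not yet logged in) or "RUN" (authenticated; the pre-auth
    ACL no longer applies and normal guest-VLAN policy takes over).
    """
    if state == "RUN":
        return "permit"
    for rule in acl:          # first matching rule wins
        if rule.matches(flow):
            return rule.action
    return "deny"             # implicit deny at the end of the ACL
```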
10-08-2012 07:07 AM
You can set up a VLAN on the interface that does not have access to anything except DHCP and DNS, then set up your WLAN for AAA override. The RADIUS server will need to be set up for this also.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
from Cisco Technical Support Android App
10-08-2012 07:56 AM
Damon,
That AAA override works fine with layer 2 encryption but not with WebAuth, since the device has to obtain an IP address first before authentication. This was the issue with ISE initially.
Sent from Cisco Technical Support iPhone App
10-10-2012 12:41 AM
Dear Scott,
We are running WL 5.X version and ACS with the RADIUS protocol. I am looking for Dynamic VLAN assignment for Web authentication.
The actual problem we are facing is for Guest users: the /16 IP address pool we assigned is getting exhausted. The guest SSID is configured for Web authentication.
Since the Guest SSID is broadcast, everyone tries to connect and receives an IP address. But only a few legitimate guests are authenticated via Web authentication by providing user credentials in the browser; the remaining users, even though not authenticated, are still holding IP addresses. This results in exhaustion of our address space. We can't even clear the entire address space after exhaustion because a few of the legitimate guests are connected to the WLAN.
So we are looking for a solution to overcome this issue, so we are trying to move the users authenticated via browser to a separate VLAN and IP address scheme.
I have gone through a few forums stating that this option can't be implemented or supported. The following threads are for your reference.
I can understand that 802.1X will not provide an IP address before getting authenticated, but what we require is Dynamic VLAN assignment in Web authentication.
https://supportforums.cisco.com/thread/340132?referring_site=kapi&channel=smartnav
https://supportforums.cisco.com/thread/2055325
I request your expert view on whether our solution works, and if so, what changes are required.
Else, please provide any alternate solution which can throw some light on this and overcome the issue.
Thanks for reading....
Arun