Hi I'm sorry but this still does not help.

We have now upgraded ACS to version 4.0 and I'm still having the same problems.

This is what i have configured:

WLC:

- WLAN

- SSID : Public

- WLAN id = 3

- L2 Security : 802.1x

- Interface Name : GuestVLAN

- Controller - Interface

- management - Untagged

- GuestVLAN - VLAN 112

- Security

- RADIUS Servers

When authenticating a Guest(belonging to the proper group in acs) - the right VLAN is used, IP Adresses from DHCP is recieved, and the Guest can access internet.

Switch:

- Port connected to WLC uses Trunking.

- Guests are connected to VLAN 112 and "native VLAN" is used to connect the Private Users.

ACS:

- AAA Client is the WLC, Authenticating using Cisco Airespace

- Guest Users are member of Group 11

- Private Users are member of Group 1

Group 11

- Use Per Group NAR to only allow WLAN Access

- Cisco Airespace RADIUS Attributes

x 14179\001 - Aire-WLAN-ID = 3

- Cisco IOS / PIX RADIUS Attributes

x 009\001 Ciso-av-pair = "ssid=Public"

- IETF Radius Attributes

x 006 Service Type = Login

x 007 Framed-Prot = ppp

x 064 Tunnel-Type = VLAN

x 065 Tunnel-Medium-tye = 802.1x

x 081 Tunnel-Private-Group-ID = 112

Group (default Group)

- Cisco Airespace RADIUS

x 14179\001 Aire-WLAN-ID = 1

- Cisco IOS/PIX Radius Attrib

x 009\001 Cisco-av-pair = "ssid=Private"

- IETF RADIUS

x 008 Service-type = Login

x 064 Tunnel-Type = VLAN

x 065 Tunnel-Medium-tye = 802.1x

x 081 Tunnel-Private-Group-ID = 1

Do you have any idea of what i should change?

Greetings

Jarle

I've forgotten to set "Allow AAA Override" = Enabled".

As soon as this was "checked" it worked.

(with minor issues of controller DHCP problems)

Thanx

Jarle

HI no - without Quoatas : ssid=mypublicwlan Greetings Jarle

ssid-list is an atonomous mode feature and does not work properly in an LWAPP environment. For ssid restrictions in an LWAPP environment it is recommended to use the WLAN-ID field in the Cisco-Airespace-Radius configuration. Instead of specifying the ssid name, you specify the corresponding WLAN-ID number found on your controllers. Unfortunately, there is a AAA override bug (cscsd58434) that prevents this feature from working properly in some 3.2 and all 4.0 controller versions. The TAC workaround is to fall back to dynamic VLAN assignments. This is not a flexible enough workaround for most. Those still wishing to use SSID restrictions should use ACS Network Access Restrictions as follows:

AAA Client= Controllers

Port= *

CLI= *

DNIS= *ssidname

The * for the DNIS entry is required.

hi mkisiel, our senario is similar to the above one, I've configured non-ip-based nar as you suggested, however, it turns out that both users can't pass authenticate process, when I unchecked the cli/dnci nar box, both users can access any ssid. here is my configuration:

WLC:

- WLAN

- SSID : public

- WLAN id = 2

- L2 Security : 802.1x

- Interface Name : public

- Controller - Interface

- management - 128 (vlan id of management interface)

- public - VLAN 205

- vlan id - 205

- SSID : private

- WLAN id = 3

- L2 Security : 802.1x

- Interface Name : private

- private - VLAN 204

- vlan id - 204

- Security

- RADIUS Servers

ACS:

- AAA client = WLC, use Cisco Airespace authentication

- public user assinged to Group 1

- private user assinged to Default Group

Group 1

- Use Per Group NAR to only allow WLAN Access

x aaa client = wlc

x port = *

x cli = *

x dnli = *public

Default Group

- Use Per Group NAR to only allow WLAN Access

x aaa client = wlc

x port = *

x cli = *

x dnli = *private

do i have to fill the wlan id in Cisco Airespace RADIUS Attributes blank? Or 64, 65, 81 attribute blanks under IETF RADIUS Attributes? I've tried all the options above, however it still doesn't work, please help!

Doublecheck your NAR permit or deny conditions.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008052e960.html#wp697095

Airespace parameter wlan-id can be blank. It won't have any effect anyway due to the AAA override bug. IETF RADIUS attributes won't matter b/c you are not defining IETF RADIUS as your authentication mechanism.