AP1231G & ACS 3.3 - ssid user restrictions
Last Post: July 16, 2021:
-
Hello everyone!
I have another problem.
I want to build a wireless network with a few SSIDs. Each SSID is in a different VLAN (the AP is connected to a trunk port).
All wireless users authenticate with PEAP-GTC on ACS 3.3 server.
And here's the problem.
Does anybody know if I can assign a user to a specific SSID? Users must have access only to their SSIDs. Can I configure this somehow on ACS?
It could be a similar solution as in the VPN concentrator, for example. In ACS RADIUS Attributes you can put a Group Name for a specific user. ACS sends this attribute to a VPN concentrator and the user is automatically assigned to this group. Anyway, this is a VPN solution.
Maybe someone would have some tips. :-)
Thanks a lot
Tom -
You're looking for RBAC, Role-Based Access Control! I don't think ACS will do that!! Look into EWGs like Roving Planet, they are just a wireless firewall!
Look at this one: http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo1100/accsspts/i12213ja/i12213sc/s13ssid.htm -
AP1200 and ACS can assign users to VLANs based on RADIUS attributes...not SSIDs (this would require that the client change its configuration). I believe that this is what you actually want.
Using a RADIUS Server to Assign Users to VLANs
You can configure your RADIUS authentication server to assign users or groups of users to a VLAN when they authenticate to the network.
Note Unicast and multicast cipher suites advertised in WPA information element (and negotiated during 802.11 association) might mismatch with the cipher suite supported in an explicitly assigned VLAN. If the RADIUS server assigns a new VLAN ID that uses a different cipher suite from the previously negotiated cipher suite, there is no way for the access point and client to switch back to the new cipher suite. Currently, the WPA protocol does not allow the cipher suite to be changed after the initial 802.11 cipher negotiation phase. In this scenario, the client device is disassociated from the wireless LAN.
The VLAN-mapping process consists of these steps:
1. A client device associates to the access point using any SSID configured on the access point.
2. The client begins RADIUS authentication.
3. When the client authenticates to the access point successfully, the RADIUS server maps the client to a specific VLAN, which might be different from the VLAN mapping defined for the SSID the client was using on the access point. If the server does not return any VLAN attribute for the client, the client is assigned to the VLAN specified by the SSID mapped locally on the access point.
These are the RADIUS user attributes used for VLAN ID assignment.
• IETF 64 (Tunnel Type): Set this attribute to VLAN
• IETF 65 (Tunnel Medium Type): Set this attribute to 802
• IETF 81 (Tunnel Private Group ID): Set this attribute to vlan-id
Each attribute must have a common tag value between 1 and 31 to identify the grouped relationship.
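As an added illustration of the three attributes and the fallback rule described above (example code written for this thread, not Cisco or ACS code), the block below encodes IETF 64/65/81 as tagged RADIUS attributes in the RFC 2868 layout and then makes the access-point-side decision: use the RADIUS VLAN only when all three attributes share one tag in the 1-31 range and describe a VLAN over 802, otherwise fall back to the SSID's locally mapped VLAN. The numeric codes VLAN = 13 and 802 = 6 are the RFC 2868 enumeration values; the attribute blob is constructed inline.

```python
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # RFC 2868 Tunnel-Type enumeration value for "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6   # RFC 2868 Tunnel-Medium-Type enumeration value for "802"


def encode_vlan_attrs(vlan_id, tag=1):
    """Build IETF 64, 65 and 81 as tagged attributes: type, length, tag, value."""
    if not 1 <= tag <= 31:
        raise ValueError("tag must be between 1 and 31")

    def tagged_int(attr_type, value):          # tag byte + 3-byte integer
        body = bytes([tag]) + value.to_bytes(3, "big")
        return bytes([attr_type, 2 + len(body)]) + body

    group = bytes([tag]) + str(vlan_id).encode("ascii")   # tag byte + string
    return (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
            + bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(group)]) + group)


def parse_attrs(blob):
    """Split a RADIUS attribute blob into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(blob):
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((attr_type, blob[i + 2:i + length]))
        i += length
    return out


def select_vlan(access_accept_attrs, ssid_vlan):
    """AP-side rule from the doc: RADIUS VLAN if a consistent tagged triple is
    present, else the VLAN mapped locally to the SSID the client associated with."""
    by_tag = {}
    for attr_type, value in parse_attrs(access_accept_attrs):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID) and value:
            tag = value[0]
            if 1 <= tag <= 31:            # the doc requires a common tag of 1..31
                by_tag.setdefault(tag, {})[attr_type] = value[1:]
    for tag in sorted(by_tag):
        attrs = by_tag[tag]
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN.to_bytes(3, "big")
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            gid = attrs[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
            if gid.isdigit() and 1 <= int(gid) <= 4094:
                return int(gid)           # explicitly assigned VLAN
    return ssid_vlan                      # no usable VLAN attribute: SSID's own VLAN
```

A mismatched tag across the three attributes, or a Tunnel-Type other than VLAN, leaves the client on the SSID's VLAN rather than on an arbitrary one, which is the behaviour to verify when testing an ACS profile.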