device authorisation on ACS

Unanswered Question
Jun 27th, 2007

Hi All, Can anyone help me with device authentication on the ACS server? I have a Wi-Fi setup with some lightweight access points and a wireless controller (WiSM). Now I want to control device access, so that PDAs have limited access to the network over wireless whereas laptop users have unlimited access to the network. I have configured a single SSID and multiple VLANs with the help of ACS 4.1. I cannot configure another SSID on the controller. I also cannot configure a different user ID for PDA users; they want to use their Windows user ID on the laptop as well as on the PDA. So I don't have the option to control PDAs and laptops on a user ID and SSID basis. Is there any other way to control these devices on ACS or the wireless controller so that I can control the devices' access?


Premdeep Banga Wed, 06/27/2007 - 04:01


That is quite interesting....

What I can think of right now is to use NAP.

Filter the authentication request based on MAC address, calling station ID, that will come in Access Request.

PDAs (if of a particular manufacturer) will have some similarity in MAC address as compared to laptops.

Which you can filter on using the Advanced Filtering option.

And once that request comes under the defined NAP, go for RAC, and configure RADIUS attributes 64, 65 and 81, to make PDAs go into different VLANs as compared to laptops.

Logically it should work, if I understand this correctly :)

Worth a try.

Please share the results, if you decide to go for it.



jain.nitin Tue, 07/03/2007 - 00:56

Hi Prem, Thanks for your reply. I just want to know whether you have a procedure for how to configure it. Actually, I want to know how I can feed the MAC addresses into ACS for 1000+ devices. Can you explain it to me in depth?


Premdeep Banga Tue, 07/03/2007 - 05:47

I can give you a hint; you have to test it.

Under NAP, under Profile Setup, make use of Advanced Filtering.

Calling station Id = xx:xx:xx*

Where xx:xx:xx is the vendor-specific MAC code that you can use to differentiate b/w laptops and PDAs, then using Authorization under NAP, configure attributes 64, 65 and 81.
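
The matching logic described in the replies above, as an added Python example that is not part of the original posts and is not ACS code: it normalizes Calling-Station-Id, applies `xx:xx:xx*`-style prefix filters in order, and returns RADIUS attributes 64, 65 and 81 for the matching profile. The OUI prefixes, VLAN IDs and function names are constructed assumptions.

```python
import re
from fnmatch import fnmatchcase

# Ordered profiles: (Calling-Station-Id filter, VLAN ID). First match wins.
# Prefixes and VLAN IDs are constructed placeholders, not real vendor OUIs.
PROFILES = [
    ("00:11:22*", "30"),   # hypothetical PDA vendor -> restricted VLAN
    ("AA:BB:CC*", "30"),   # second hypothetical PDA vendor
    ("*", "10"),           # everything else (laptops) -> general VLAN
]


def normalize_mac(calling_station_id):
    """Return the MAC as upper-case AA:BB:CC:DD:EE:FF, or None if malformed.

    Access points send Calling-Station-Id in several layouts
    (00-11-22-33-44-55, 0011.2233.4455, 001122334455), so separators
    are stripped before any prefix comparison.
    """
    digits = re.sub(r"[-:.\s]", "", calling_station_id).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def vlan_attributes(calling_station_id):
    """Return attributes 64, 65 and 81 for the first matching profile.

    Returns None when the Calling-Station-Id is not a valid MAC, so the
    caller can reject the request instead of falling into a default VLAN.
    """
    mac = normalize_mac(calling_station_id)
    if mac is None:
        return None
    for pattern, vlan in PROFILES:
        if fnmatchcase(mac, pattern):
            return {
                64: 13,    # Tunnel-Type = VLAN
                65: 6,     # Tunnel-Medium-Type = IEEE 802
                81: vlan,  # Tunnel-Private-Group-ID = VLAN ID
            }
    return None


if __name__ == "__main__":
    # Constructed sample values in the formats different devices report.
    for sample in ("00-11-22-33-44-55", "aabb.cc00.0001", "de:ad:be:ef:00:01"):
        print(sample, vlan_attributes(sample))
```

Calling-Station-Id is reported by the client and can be changed on the device, so this sorts devices into VLANs but does not prove what a device is; the access controls on the restricted VLAN still have to be enforced on the network side.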



JAMES HARVEY Fri, 12/03/2010 - 12:09

Did you ever figure this out? We're trying to do precisely the same thing. (Without much luck)

