Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
399
Views
0
Helpful
2
Replies

ACS Policy

remco.gussen
Level 1
Level 1

‎01-10-2008 07:56 AM - last edited on ‎03-25-2019 05:24 PM by Community Manager

Hi There

Is it possible to "link" a SSID to a User Group in ACS 3.3 ?

If there are 10 User Groups (Active Directory) in ACS and there are 4 SSID's, how can you prevent "Guest Users" from User Group 100 to connect to a non-Guest user SSID ? The Guest User group IS a valid group. If there is no match with the "production group", but there is a match with the Guest Group, the guest users can log in to the production SSID. Isn't it ?

Gr.

Remco

Labels:
0 Helpful
2 Replies 2

Jon Marshall
Hall of Fame
Hall of Fame

‎01-10-2008 11:22 AM

Hi Remco

Yes you can do this. You can either assign the user into a specific vlan with Radius or you can assign a user to a specific SSID with Radius.

I'm assuming that you have ACS configured to authenticate against AD.

Have a read of this link. At the end it gives configuration examples of how to setup per user SSID assignment.

http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00801444a1.html

HTH

Jon

0 Helpful

remco.gussen
Level 1
Level 1
In response to Jon Marshall

‎01-11-2008 07:43 AM

Hi Jon

I dont think that this is the solution. Maybe you do not understand what my problem is. I'll trie to explain it in another way..

There are two SSID's. 1=Production, 2=Guest

VLAN assignment on 4400 controller is done by the ACS RADIUS Server

John is member of Production AD Group, Peter is member of Guest AD Group.

When Peter configures the "Production" SSID, he has to authenticate... ACS can see that he belongs just to Group "Guests" and places Peter in VLAN Guest. Right now Peter is conected to SSID Production, but in VLAN Guest....

And another problem: What will happen when a user can connect to two different SSID's (Production and Test) with the same username ? I think that the first match will allways places the user in the VLAN corresponding to the first group... Isn't it ?

Remco

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents