AP Restriction via UserID/MAC

Apr 8th, 2008

Has anyone found a way to limit or control, via a userID or client MAC address, which AP a client is allowed to connect to in an LWAPP environment? I'm able to make this work in an autonomous environment by applying restrictions within ACS, which controls what APs users are able to connect to. I'd like to be able to do the same in an LWAPP environment, but I can't locate a way to identify which AP the user authentication is sourced from (all authentications are being sourced from the WLC). Is there some other RADIUS attribute that the WLC can send to ACS to identify which AP the authentication is sourced from?

Any help is greatly appreciated.

ericgarnel Wed, 04/09/2008 - 05:41

Why not do it by ssid and use ssid override which can be applied to specific APs?

rsumpter Wed, 04/09/2008 - 10:32

Thank you for the suggestion.

I considered that, but I still have the issue of restricting the userID/MAC to a specific grouping of APs. Is there a way to pass the SSID information to the RADIUS server during a user authentication?

Scott Fella Wed, 04/09/2008 - 14:45

Just curious why you would do this. Like Eric mentioned, the best way is to have users associate to a certain SSID and then use WLAN override to determine what SSIDs an AP will have. With LWAPP, everything will be sourced from the WLC management IP.

rsumpter Thu, 04/10/2008 - 08:53

We have devices that have to be programmed with a static user ID and password to allow authentication to the WLAN. I'm trying to restrict these user IDs so they can only log in to a group of APs. I'm very familiar with the use of WLAN Override, but adding another SSID doesn't help because the user ID would still be allowed to log in to any other SSID from the WLC.

Scott Fella Thu, 04/10/2008 - 10:14

You will not be able to do this because of the fact that with LWAPP you have only one AAA client and one policy. Before, you had multiple AAA clients and each could have a different policy. The only way I can see it ever happening is if the WLC was able to pass down a VC to the RADIUS server with the AP hostname. Then you might be able to do something.

bbxie Wed, 05/07/2008 - 17:06

Hi Rob,

To set DNIS, you have to manually create the user account in ACS. If the customer uses an external database, for example AD, how do they set DNIS? In AD, can they configure DNIS when creating a user account?

rsumpter Thu, 05/08/2008 - 13:29

With AD and ACS you can use group mappings to map the AD user into a group within ACS dynamically. Then you can set the DNIS restrictions on the group within ACS. Hope this helps.
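As an added illustration (not Cisco code and not written by anyone in this thread) of what the group mapping plus a DNIS restriction amounts to on the RADIUS side: a toy evaluator that maps a user's AD group to an ACS group and then matches the WLC's Called-Station-Id against that group's permitted AP list. The attribute format (AP radio MAC followed by ':SSID') and every group name and MAC below are assumptions, constructed for the example.

```python
"""Toy model of an ACS-style DNIS network access restriction applied to a
group that AD users are dynamically mapped into, evaluated against the
attributes a WLC puts in a RADIUS Access-Request. Illustration only."""

# Constructed: AD group -> ACS group mapping (the thread's "group mappings").
AD_GROUP_TO_ACS_GROUP = {"Scanners": "ScannerDevices", "Staff": "Employees"}

# Constructed: per-ACS-group DNIS restriction. Called-Station-Id is assumed to
# carry the AP radio MAC (format assumed: aa-bb-cc-dd-ee-ff:SSID), so the
# "DNIS" list is effectively the set of permitted APs. Empty = no restriction.
DNIS_ALLOWLIST = {
    "ScannerDevices": {"00-1a-2b-3c-4d-01", "00-1a-2b-3c-4d-02"},
    "Employees": set(),
}

def called_station_ap(called_station_id):
    """Return the AP identity part of Called-Station-Id, dropping any ':SSID' suffix."""
    return called_station_id.split(":", 1)[0].lower()

def evaluate(request, ad_groups_for_user):
    """Decide Accept/Reject for one request.
    request: RADIUS attributes as a dict (User-Name, Called-Station-Id).
    ad_groups_for_user: constructed stand-in for the AD lookup ACS performs."""
    user = request["User-Name"]
    acs_group = AD_GROUP_TO_ACS_GROUP.get(ad_groups_for_user.get(user))
    if acs_group is None:
        return False, "user not mapped to any ACS group"
    allowed = DNIS_ALLOWLIST.get(acs_group, set())
    if not allowed:
        return True, f"{acs_group}: no DNIS restriction"
    ap = called_station_ap(request.get("Called-Station-Id", ""))
    if ap in allowed:
        return True, f"{acs_group}: AP {ap} permitted"
    return False, f"{acs_group}: AP {ap} not in DNIS allow list"

# Constructed sample data: one scanner account, one staff user, one unknown user.
AD_GROUPS = {"scanner01": "Scanners", "alice": "Staff"}
SAMPLE_REQUESTS = [
    {"User-Name": "scanner01", "Called-Station-Id": "00-1A-2B-3C-4D-01:WAREHOUSE"},
    {"User-Name": "scanner01", "Called-Station-Id": "00-1A-2B-3C-4D-99:WAREHOUSE"},
    {"User-Name": "alice", "Called-Station-Id": "00-1A-2B-3C-4D-99:CORP"},
    {"User-Name": "guest", "Called-Station-Id": "00-1A-2B-3C-4D-01:CORP"},
]

def run_samples():
    return [evaluate(r, AD_GROUPS) for r in SAMPLE_REQUESTS]

if __name__ == "__main__":
    for req, (ok, why) in zip(SAMPLE_REQUESTS, run_samples()):
        print(req["User-Name"], "Access-Accept" if ok else "Access-Reject", why)
```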
