04-08-2008 01:22 PM - edited 07-03-2021 03:41 PM
Has anyone found a way to limit or control, via a user ID or client MAC address, which AP a client is allowed to connect to in an LWAPP environment? I'm able to make this work in an autonomous environment by applying restrictions within ACS, which controls what APs users are able to connect to. I'd like to be able to do the same in an LWAPP environment, but I can't locate a way to identify which AP the user authentication is sourced from (all authentications are being sourced from the WLC). Is there some other RADIUS attribute that the WLC can send to ACS to identify which AP the authentication is sourced from?
Any help is greatly appreciated.
04-09-2008 05:41 AM
Why not do it by SSID and use SSID override, which can be applied to specific APs?
04-09-2008 10:32 AM
Thank you for the suggestion.
I considered that, but I still have the issue of restricting the user ID/MAC to a specific grouping of APs. Is there a way to pass the SSID information to the RADIUS server during a user authentication?
04-09-2008 02:45 PM
Just curious why you would do this. Like Eric mentioned, the best way is to have users associate to a certain SSID and then use WLAN override to determine what SSIDs an AP will have. With LWAPP, everything will be sourced from the WLC management IP.
04-10-2008 08:53 AM
We have devices that have to be programmed with a static user ID and password to allow authentication to the WLAN. I'm trying to restrict these user IDs so they can only log in to a group of APs. I'm very familiar with the use of WLAN Override, but adding another SSID doesn't help because the user ID would still be allowed to log in to any other SSID from the WLC.
04-10-2008 10:14 AM
You will not be able to do this because of the fact that with LWAPP, you have only one AAA client and a policy. Before, you had multiple AAA clients and each could have a different policy. The only way I can see it ever happening is if the WLC were able to pass down a VC to the RADIUS server with the AP hostname. Then you might be able to do something.
04-10-2008 10:20 AM
05-06-2008 04:43 PM
Update: Found out that the WLCs do send the SSID information to the RADIUS servers in the DNIS field/attribute. In ACS you can filter via a NAR on the DNIS setting for a group or user. This allows user restriction per SSID.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml
05-07-2008 05:06 PM
Hi Rob,
To set DNIS, you have to manually create the user account in ACS. If the customer uses an external database, for example AD, how do they set DNIS? In AD, can they configure DNIS when they create the user account?
05-08-2008 01:29 PM
With AD and ACS you can use group mappings to map the AD user into a group within ACS dynamically. Then you can set the DNIS restrictions on the group within ACS. Hope this helps.
Rob
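Added illustration of the mechanism Rob describes in his two posts (the WLC putting the SSID into the DNIS attribute, an ACS NAR filtering on it, and AD group mapping supplying the ACS group). This is my own example code, not from the thread, from Cisco ACS or from the WLC. Assumptions: the DNIS value is RADIUS attribute 30 (Called-Station-Id) in the form "AP-MAC:SSID", and the AD group names, ACS group names, SSIDs and NAR patterns are made up for the example.

```python
import fnmatch
import struct

# RADIUS attribute types (RFC 2865). ACS labels attribute 30 "DNIS".
USER_NAME = 1
CALLED_STATION_ID = 30


def build_attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type(1) length(1) value(n)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(payload: bytes) -> dict:
    """Decode a run of RADIUS TLVs into {type: [value, ...]}, rejecting bad lengths."""
    attrs = {}
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(payload[i + 2:i + alen])
        i += alen
    return attrs


# Constructed AD-group -> ACS-group mapping. As with ACS group mapping,
# the first AD group in the list that the user belongs to wins.
AD_GROUP_TO_ACS_GROUP = [
    ("WLAN-Scanners", "scanner-devices"),
    ("Domain Users", "staff"),
]

# Constructed per-ACS-group NAR "permitted DNIS" lists. Patterns include the
# ":" separator on purpose: a bare "*CORP" would also match an SSID "NONCORP".
DNIS_NAR_PERMIT = {
    "scanner-devices": ["*:WAREHOUSE"],
    "staff": ["*:CORP", "*:GUEST"],
}


def map_to_acs_group(ad_groups) -> str:
    """Dynamic group mapping: AD membership -> single ACS group."""
    for ad_group, acs_group in AD_GROUP_TO_ACS_GROUP:
        if ad_group in ad_groups:
            return acs_group
    return "default-group"  # has no DNIS permits, so it is rejected below


def acs_decision(access_request: bytes, ad_groups) -> str:
    """Model the NAR check: accept only if DNIS matches a pattern permitted for the group."""
    attrs = parse_attrs(access_request)
    if CALLED_STATION_ID not in attrs:
        return "Access-Reject"  # no DNIS means the NAR cannot be evaluated; fail closed
    dnis = attrs[CALLED_STATION_ID][0].decode("ascii", "replace")
    acs_group = map_to_acs_group(ad_groups)
    for pattern in DNIS_NAR_PERMIT.get(acs_group, []):
        if fnmatch.fnmatchcase(dnis, pattern):
            return "Access-Accept"
    return "Access-Reject"


def make_request(user: str, called_station_id=None) -> bytes:
    """Build the attribute body of an Access-Request as the WLC would send it (assumed format)."""
    body = build_attr(USER_NAME, user.encode())
    if called_station_id is not None:
        body += build_attr(CALLED_STATION_ID, called_station_id.encode())
    return body


if __name__ == "__main__":
    # A scanner's static account is allowed only on the WAREHOUSE SSID.
    print(acs_decision(make_request("scanner01", "00-1a-2b-3c-4d-5e:WAREHOUSE"), ["WLAN-Scanners"]))
    print(acs_decision(make_request("scanner01", "00-1a-2b-3c-4d-5e:CORP"), ["WLAN-Scanners"]))
```

Two practical points the model makes visible: the NAR is only as selective as the DNIS value the controller sends (it restricts by SSID, not by individual AP, which is why the original question could not be answered directly), and an account that is a member of several AD groups lands in one ACS group only, so the mapping order decides which DNIS permits apply.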