AP Restriction via UserID/MAC

rsumpter
Level 1

Has anyone found a way to limit or control, via a userID or client MAC address, which AP a client is allowed to connect to in an LWAPP environment? I'm able to make this work in an autonomous environment by applying restrictions within ACS which controls what APs users are able to connect to. I'd like to be able to do the same in an LWAPP environment but I can't locate a way to identify which AP the user authentication is sourced from (all authentications are being sourced from the WLC). Is there some other Radius attribute that the WLC can send to ACS to identify which AP the authentication is sourced from?

Any help is greatly appreciated.

9 Replies

ericgarnel
Level 7

Why not do it by ssid and use ssid override which can be applied to specific APs?

Thank you for the suggestion.

I considered that, but I still have the issue of restricting the userID/MAC to a specific grouping of APs. Is there a way to pass the SSID information to the Radius server during a user authentication?

Just curious why you would do this. As Eric mentioned, the best way is to have users associate to a certain SSID and then use WLAN override to determine what SSIDs an AP will have. With LWAPP, everything will be sourced from the WLC management IP.

-Scott
*** Please rate helpful posts ***

We have devices that have to be programmed with a static user ID and password to allow authentication to the WLAN. I'm trying to restrict these user IDs so they can only log in to a group of APs. I'm very familiar with the use of WLAN Override, but adding another SSID doesn't help because the user ID would still be allowed to log in to any other SSID from the WLC.

You will not be able to do this because of the fact that with LWAPP, you have only one AAA client and a policy. Before, you had multiple AAA clients and each could have a different policy. The only way I can see it ever happening is if the WLC was able to pass down a VC to the Radius server with the AP hostname. Then you might be able to do something.

-Scott
*** Please rate helpful posts ***

Update: Found out that the WLCs do send the SSID information to the Radius servers in the DNIS field/attribute. In ACS you can filter via a NAR on the DNIS setting via a group or user. This allows user restriction per SSIDs.

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml

Hi Rob,

To set DNIS, you have to manually create the user account in ACS. If the customer uses an external database, for example AD, how do they set DNIS? In AD, can they configure DNIS when creating the user account?

With AD and ACS you can use group mappings to map the AD user into a group within ACS dynamically. Then you can set the DNIS restrictions on the group within ACS. Hope this helps.

Rob
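Added example (not from the thread or from Cisco): a small RADIUS policy check that reproduces the NAR-on-DNIS idea from Rob's update and the group-mapping answer above. It assumes the WLC sends Called-Station-Id (attribute 30) as "AP-RADIO-MAC:SSID" with a hyphenated MAC, parses the raw attribute TLVs, maps the user to a group, and matches the DNIS against the group's allowed patterns; the user, group and SSID names are constructed.

```python
"""NAR-style DNIS/SSID restriction evaluated against RADIUS attribute TLVs."""
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

USER_NAME = 1           # RADIUS attribute type for User-Name
CALLED_STATION_ID = 30  # RADIUS attribute type for Called-Station-Id (DNIS)

# Constructed user->group mapping (stands in for ACS group mapping from AD).
GROUP_OF_USER = {"scanner01": "scanners", "jdoe": "staff"}
# Constructed per-group DNIS allow patterns, as one would enter in an ACS NAR.
# Anchoring on ":" matters: a bare "*CorpWLAN" would also match "...:NotCorpWLAN".
DNIS_ALLOW: Dict[str, List[str]] = {
    "scanners": ["*:WarehouseWLAN"],
    "staff": ["*:CorpWLAN", "*:GuestWLAN"],
}

def parse_attributes(avp_bytes: bytes) -> Dict[int, List[bytes]]:
    """Parse RADIUS attribute TLVs (type, length, value) into {type: [values]}."""
    attrs: Dict[int, List[bytes]] = {}
    i = 0
    while i + 2 <= len(avp_bytes):
        atype, alen = avp_bytes[i], avp_bytes[i + 1]
        if alen < 2 or i + alen > len(avp_bytes):
            raise ValueError("malformed RADIUS attribute length")
        attrs.setdefault(atype, []).append(avp_bytes[i + 2:i + alen])
        i += alen
    return attrs

def ssid_from_called_station_id(value: str) -> Optional[str]:
    """Assumed WLC format 'AP-MAC:SSID'; the MAC uses hyphens so the first ':' splits."""
    if ":" not in value:
        return None  # e.g. call-station-id type without SSID: nothing to enforce on
    return value.split(":", 1)[1] or None

def evaluate(avp_bytes: bytes) -> Tuple[str, str]:
    """Return ('accept'|'reject', reason) for one Access-Request's attributes."""
    attrs = parse_attributes(avp_bytes)
    user = attrs.get(USER_NAME, [b""])[0].decode(errors="replace")
    csid = attrs.get(CALLED_STATION_ID, [b""])[0].decode(errors="replace")
    group = GROUP_OF_USER.get(user)
    if group is None:
        return "reject", f"user {user!r} is not mapped to any group"
    ssid = ssid_from_called_station_id(csid)
    if ssid is None:
        return "reject", "Called-Station-Id carries no SSID; fail closed"
    if any(fnmatchcase(csid, pat) for pat in DNIS_ALLOW[group]):
        return "accept", f"{user} on SSID {ssid} allowed for group {group}"
    return "reject", f"{user} on SSID {ssid} denied for group {group}"

def avp(atype: int, value: str) -> bytes:
    """Encode one RADIUS attribute TLV (used to build the constructed samples)."""
    v = value.encode()
    return bytes([atype, len(v) + 2]) + v

# Constructed sample requests: same static device account on two SSIDs.
REQ_OK = avp(USER_NAME, "scanner01") + avp(CALLED_STATION_ID, "00-1a-2b-3c-4d-5e:WarehouseWLAN")
REQ_BAD = avp(USER_NAME, "scanner01") + avp(CALLED_STATION_ID, "00-1a-2b-3c-4d-5e:CorpWLAN")
```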
