I'm implementing a solution based around 4404 WLC, 1113 ACS and Microsoft AD. What I want to achieve is have two WLAN (SSID), one that can only be used by domain users on domain laptops, the other can be used by domain users on personal laptops. The domain laptops will have full connectivity but the personal laptops will be restricted.
I've created the two SSID using 802.1X via ACS / Remote Agent and can authenticate and logon OK.
I thought that I should have user auth and machine auth for the domain laptops but just user auth for personal laptops.
I can have non authenticated machines go to a specific ACS group or blocked but I need to allow them if they're on the restricted SSID. I can't quite figure out how to have two SSIDs authenticating to the same ACS / AD - allow one and block the other.
Am I on the right path?
Anyone done this before or have any bright ideas?
With the use of SSID-based WLAN access, the users can be authenticated based on the SSID they use in order to connect to the WLAN. The Cisco Secure ACS server is used to authenticate the users. Authentication happens in two stages on the Cisco Secure ACS:
1. EAP authentication
2. SSID authentication based on Network Access Restrictions (NARs) on Cisco Secure ACS
For the further description and configuraiton following URL may help you :