Wirless Web redirection page

mohanantassp (Level 1)

I have 2 SSIDs in my wireless network.

1 for the corporate users and 1 for the guests.

The guest SSID is broadcast, and when a user opens IE they get a screen for user name and password.

My corporate users are using AD, integrated with the ACS 4.1 Solution Engine.

When the AD users connect to the guest SSID and provide their AD username and password, they are also able to browse the internet.

I need to block the AD users from using the guest SSID and block AD user authentication on the web page. Please advise on this issue.

5 Replies

gamccall (Level 4)

It would be helpful to know whether your APs are running IOS or LWAPP, and whether the splash screen is being served by a WLC or a third-party captive portal product.

Thank you for your reply; my mistake, I didn't explain the requested portions. I am using a WiSM blade, and the APs are LWAPP APs. I am just using the WLC splash screen. I just need to block the AD users from using the web access.

There's a guide here which relates to this feature:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml

I've implemented this on my current project, but ran into a bit of a hitch: my guest users are correctly blocked from connecting to the internal SSID; however, my internal users are NOT being blocked from using the guest SSID. I suspect this may be because the guest SSID does not use 802.1X, and the guide seems to imply that 802.1X is a mandatory part of this config.

Under IOS, it was possible to set up Radius VSAs in ACS which would let you use Cisco AV-Pairs to limit the permissible SSIDs per group or user, as per this document:

http://www.cisco.com/en/US/docs/wireless/access_point/12.2_15_JA/configuration/guide/s15ssid.html#wp1037147

However, the WLCs do not recognize AV-Pairs as far as I know.

I have a TAC case open on the issue currently; I'll post results when I have any.

This is a well-known and documented bug that was allowed to stay in as a feature. To stop your internal people from connecting, go to the WiSM GUI for the controller. Under Web RADIUS Authentication, select a method not currently configured on your RADIUS server. In most cases MD5-CHAP is not installed on a RADIUS server. This will cause the client to fail. The authentication process flows like this: the first attempt to resolve the username and password is against the internal database on the controller, and the second attempt is against the RADIUS server configured on the management interface.

Hope this helps.

Hi gamccall,

I really appreciate the information you have posted; I will check on the information after reading your link. Please update me once you have closed the TAC case. At least then I will have a clear picture of this issue.
