Cisco avpair SSID and WLC

Unanswered Question
Jul 22nd, 2009
User Badges:


I'd like to differenciate users sharing the same ldap directory and radius authentication.

For example, if I have a student and a teacher, i'd like to be sure that the student will stay on its vlans and so on.

I can do this by using vlan attributes and aaa override but if I do that, I will have for example a student connected to the teacher SSID but on the student vlan. It's not a pretty situation...

I read that we can use an cisco avpair attribute to force users to connect only on their SSID but it doesn't seem to work with controller.

Is anybody have a solution for my case?


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
weterry Wed, 07/22/2009 - 18:59
User Badges:
  • Silver, 250 points or more

I've used av-pair on the WLC for Web Splash Page, but not ssid restrictions.

I did however find this documentation:

It refers to configuing a NAR (Network Access Restriction) in ACS which makes it sound like you can limit a user to a specific SSID.

angedibartolo Wed, 07/22/2009 - 23:07
User Badges:

Thanks for your reply.

So, regarding this document, the WLC include by default an information concerning the SSID on its access-request to a radius server, right?

dancampb Thu, 07/23/2009 - 04:38
User Badges:
  • Cisco Employee,

Correct. The access-request would include the SSID in the access-requests. If the SSID is not one of the ones specified in the DNIS the Radius server would reject the request.

kyawzawhtut Thu, 07/23/2009 - 04:53
User Badges:


let me piggy back your thread. I have the same issue but I am not using WLC instead I am using "Autonomous AP". I believe by default it will not send ssid in authentication request.

How can I achieve the same result in autonomous ap?

Could you please help.

Thanks in advance.




This Discussion



Trending Topics - Security & Network