Limit EAP methods per SSID in ACS

gsancassano, Level 1

Hi,

In a WLAN environment that has 2 WLCs, lots of LAPs and clients authenticating with an ACS which has an Active Directory configured as an external database, I would like to know how I can limit the EAP methods per group or SSID in the ACS.

For example: one SSID can only use PEAP-MSCHAPv2 and the other SSID can only use EAP-TLS.

Thanks in advance.


4 Replies

Serge Yasmine, Cisco Employee (accepted solution)

Hi,

You can do this with NAP on ACS. Create a NAP for each SSID you have and under the NAP you can allow only the desired EAP Method.

Thanks

Serge

Tiago (accepted solution)

As Serge said, you can do it with NAPs.

The trick is in the filter used to match the NAP.

With Cisco WLCs there is an attribute sent in the RADIUS Access-Request which contains the SSID:

"Called-Station-Id=00-26-cb-ac-03-00:test"

Please note that in this example the SSID name is "test".

So on the NAP you need a filter like:

"[030]Called-Station-Id contains test"

HTH,
Tiago

All correct. Just adding that to have the WLC send the SSID after the MAC address in the Called-Station-Id, this needs to be configured:

(Cisco Controller) >config radius callStationIdType ?
ipaddr         Sets Call Station Id Type to the system's IP Address
macaddr        Sets Call Station Id Type to the system's MAC Address
ap-macaddr     Sets Call Station Id Type to the AP's MAC Address
ap-macaddr-ssid Sets Call Station Id Type to the format :

Enjoy !
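A worked check of the two points above (the SSID suffix the WLC appends to Called-Station-Id, and the "contains" NAP filter that selects the EAP policy), as an added Python example that is not from the thread or from ACS itself. The policy table, the second SSID name "corp-tls" and the function names are constructed; the value "00-26-cb-ac-03-00:test" is the one quoted in the thread. It also shows why a substring "contains" filter can match more SSIDs than intended, and that an Access-Request with no SSID suffix (callStationIdType not set to ap-macaddr-ssid) should fall through to "no EAP method allowed" rather than silently matching a NAP.

```python
import re

# Constructed policy mirroring the original question: one SSID may only use
# PEAP-MSCHAPv2, the other only EAP-TLS. "corp-tls" is a hypothetical SSID name.
EAP_POLICY = {
    "test": {"PEAP-MSCHAPv2"},
    "corp-tls": {"EAP-TLS"},
}

# Format produced by "config radius callStationIdType ap-macaddr-ssid":
# dash-separated AP MAC, a colon, then the SSID (which may itself contain colons).
_CSID_RE = re.compile(r"^([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}):(.+)$")


def parse_called_station_id(value):
    """Return (ap_mac, ssid); (None, None) when the WLC sent no SSID suffix."""
    m = _CSID_RE.match(value)
    if not m:
        return None, None
    return m.group(1).lower(), m.group(2)


def ssid_matches(filter_ssid, ssid, exact=True):
    """Emulate the NAP filter. exact=False behaves like "contains" (a substring
    test), which is why "contains test" would also match an SSID named "testing"."""
    if exact:
        return ssid == filter_ssid
    return filter_ssid in ssid


def allowed_eap_methods(called_station_id):
    """EAP methods permitted for the SSID carried in the Access-Request.
    Unknown SSID, or no SSID suffix at all, yields an empty set (deny by default)."""
    _, ssid = parse_called_station_id(called_station_id)
    if ssid is None:
        return set()
    for policy_ssid, methods in EAP_POLICY.items():
        if ssid_matches(policy_ssid, ssid):
            return set(methods)
    return set()


def eap_permitted(called_station_id, eap_method):
    """True only if the SSID's policy explicitly lists this EAP method."""
    return eap_method in allowed_eap_methods(called_station_id)
```

Running it against the thread's sample value returns {"PEAP-MSCHAPv2"} for the "test" SSID, while the bare AP MAC (no SSID suffix) returns an empty set.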

The solutions in this thread are great; I thought I would add one more. You can also accomplish this with CLI/DNIS Network Access Restrictions in ACS 4.2 with the : Calling-Station-ID configuration (which I believe is default on the WLCs):

-AAA Client would be set to your WLC NDG or IP

-Port would be set to *

-CLI would be set to *

-DNIS would be set to *

You can use a permit or deny based on what you are trying to accomplish.

--Jesse
