cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2759
Views
5
Helpful
8
Replies

NAC Guest Server and Multiple Guest SSID's/Splashpages

eoinwhite
Level 1
Level 1

Hi All,

If I have multiple guest SSID's on a single controller and I use NGS as the Radius. How do I configure NGS to "send" the clients to differnet login pages corresponding to the SSID they came from.

I can configure different splash pages in HotSpots section but how do I map the different SSID's from the controller to the different splash pages. Then I guess that raises the question when I generate guest users on NGS is it possile to only allow them associate to a specific SSID.

TIA,

Eoin.

8 Replies 8

Nicolas Darchis
Cisco Employee
Cisco Employee

Hi,

this is actually a WLC question.

On each SSID, you have the layer 3 security page.

When you enable web authentication, you can select "override global configuration". There you can configure different hotspots URL for each SSID.

I hope it helps.

Nicolas

Hi Nicolas,

Thanks for the reply. I can see that config on the WLC and have used it before where there is only a single guest SSID. What I dont know is if the NAC Guest server sees radius requests coming from different guest SSID's on the same WLC. How does the NAC Guest server apply the correct guest policy to that user. And when sponsors genereate guest accounts how do they specific which policy is to be applied to that guest so it can only get access to a specfic guest network/SSID I'm not sure where the "mapping" of accounts/splash pages/policies takes place on the NAC guest server. I've only ever set up NAC Guest when there has been a single guest SSID.

Regards,

Eoin.

Is your Guest Server also acting as radius ? Or only web portal ?

If only web portal, my answer is the right one. Each SSID uses a different webpage on the NGS.

If you want to authorize user (radius auth) from the NGS itself, then you need to use custom attributes to detect ssids. Is that what you are looking for ?

I'd need to search if that's possible

Nicolas

Hi Nicolas,

Yes the Nac Guest Server will also store the guest accounts locally and perform authentication. I think this is possible by IP address but I can't see how I can specify that a specific user can only logon to a specific portal.

I.E I only want login X to be able loging into web portal X only and not other portals Y,Z ... e.t.c. Thus gaining access to guest areas I dont want it to access.

eoinwhite
Level 1
Level 1

It seems guest roles is the way to achieve this. Didn't spot it earlier:

http://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_guestpol.html#wp1063316

Friend has already accomplished this task using a CAM, CAM is now no possible?


Having GUEST + ACS.

Is there a document that explains how RADIUS attribute format should look like?

I am trying to support 2 Guest SSID's, each mapped to a different interface-name/vlan-id on the 5508 and want to use this as a way to enforce the right user is mapped to the right interface.

Did you manage to get the attribute format that can restrict guest roles to specific SSID?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: