I have noticed that with a basic setup on ACS 5 I cannot differentiate between PEAP clients that I want to authenticate against AD and PEAP clients that I want to authenticate against a locally created database on the ACS. All clients, regardless of what SSID they are connected to, will be tried against the AD; if there is no match, the client is prompted for a username and password to be authenticated against the local information store.
Can someone point me to some documentation that describes how I can separate the two, so that the clients on one SSID are checked against AD and clients on another are checked against the local info store?
One of the attributes that the WLC sends in a RADIUS authentication request is the Called-Station-ID field. That field contains both the BSSID and ESSID (WLAN name) the client is trying to access, which means that you can do a compare on this field as a condition of your access rule. The format is xx-xx-xx-xx-xx-xx:wlanName. We don't really care about the BSSID, but the WLAN at the end of this string is very useful.
Here's how you can use this attribute value to influence access policy decisions:
1. Create a custom session condition (under Policy Elements) of type RADIUS-IETF using the Called-Station-ID (not the Calling-Station-ID).
2. Customize your access policy template so that your new custom session condition is available to your access policies.
3. Edit your access policy: a) check the custom session condition to enable it, b) choose the "Ends with" operator, and c) type in the name of your WLAN (case sensitive).
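To make the attribute format and the "Ends with" comparison from the answer above concrete, here is an added Python example (not part of the original thread, and not ACS code): it parses the `xx-xx-xx-xx-xx-xx:wlanName` form of Called-Station-Id, evaluates the case-sensitive "Ends with" rule exactly as described, and selects an identity store per WLAN. The WLAN names, the identity-store labels and the `IDENTITY_STORE_BY_WLAN` policy table are constructed for illustration. It also shows one caveat a plain "Ends with" rule has: a WLAN whose name merely ends in the same string (here `LegacyCorpWiFi`) matches "Ends with CorpWiFi" too, so the example includes a stricter comparison on the parsed WLAN component.

```python
import re
from typing import NamedTuple, Optional

# Regex for the Called-Station-Id format the answer describes:
# six hex octets separated by dashes (the AP BSSID), a colon, then the WLAN name.
_CALLED_STATION_RE = re.compile(r"^([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}):(.+)$")


class CalledStation(NamedTuple):
    bssid: str  # AP radio MAC, e.g. "00-1A-2B-3C-4D-5E"
    wlan: str   # ESSID / WLAN name as sent by the controller


def parse_called_station_id(value: str) -> Optional[CalledStation]:
    """Split "xx-xx-xx-xx-xx-xx:wlanName" into its BSSID and WLAN parts.

    Returns None for values without a WLAN suffix (e.g. a request that carries
    only a MAC address), so a policy can treat those as a non-match.
    """
    m = _CALLED_STATION_RE.match(value)
    if not m:
        return None
    return CalledStation(bssid=m.group(1), wlan=m.group(2))


def ends_with_rule(called_station_id: str, wlan_name: str) -> bool:
    """The answer's rule: Called-Station-Id 'Ends with' <WLAN name>, case sensitive."""
    return called_station_id.endswith(wlan_name)


def exact_wlan_rule(called_station_id: str, wlan_name: str) -> bool:
    """Stricter variant: compare the parsed WLAN component as a whole.

    'Ends with CorpWiFi' also matches a WLAN named 'LegacyCorpWiFi'; comparing
    the full WLAN name (or putting ':CorpWiFi' in the condition) avoids that.
    """
    parsed = parse_called_station_id(called_station_id)
    return parsed is not None and parsed.wlan == wlan_name


# Hypothetical policy table mapping each WLAN to the identity store it should
# authenticate against; the names are constructed for this example.
IDENTITY_STORE_BY_WLAN = {
    "CorpWiFi": "AD",
    "GuestWiFi": "Internal Users",
}


def select_identity_store(called_station_id: str, default: str = "Deny") -> str:
    """Pick the identity store the way a rule-based policy would: rules are
    checked in order and the first matching WLAN wins; no match -> default."""
    if parse_called_station_id(called_station_id) is None:
        return default
    for wlan, store in IDENTITY_STORE_BY_WLAN.items():
        if exact_wlan_rule(called_station_id, wlan):
            return store
    return default


if __name__ == "__main__":
    # Constructed sample attribute values, in the form a WLC would send them.
    samples = [
        "00-1A-2B-3C-4D-5E:CorpWiFi",
        "00-1A-2B-3C-4D-5F:GuestWiFi",
        "00-1A-2B-3C-4D-60:corpwifi",        # differs only in case -> no match
        "00-1A-2B-3C-4D-61:LegacyCorpWiFi",  # 'Ends with CorpWiFi' matches this too
        "00-1A-2B-3C-4D-62",                 # no WLAN suffix at all
    ]
    for s in samples:
        print(f"{s:36} ends_with={ends_with_rule(s, 'CorpWiFi')!s:5} "
              f"exact={exact_wlan_rule(s, 'CorpWiFi')!s:5} "
              f"store={select_identity_store(s)}")
```

Running the script prints one line per sample; the `LegacyCorpWiFi` row is the one where the two rules disagree, which is why a condition that includes the leading colon (`:CorpWiFi`) is the safer way to express "this exact WLAN" when several WLAN names share a suffix.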