How to configure Wireless LAN Controller (WLC) authentication for users by SSID verification

Aug 29, 2011 8:10 AM
Jun 22nd, 2009

Introduction:-

How to configure Wireless LAN Controller (WLC) authentication for users by SSID verification.

Topology:-

[Figure: topology diagram (1.jpg)]

Resolution:-

With the use of service-set identifier (SSID)-based WLAN access, the users can be authenticated based on the SSID they use in order to connect to the WLAN. The Cisco Secure Access Control Server (ACS) is used to authenticate the users. Authentication happens in two stages on the Cisco Secure ACS:

  1. EAP authentication

  2. SSID authentication based on Network Access Restrictions (NARs) on Cisco Secure ACS

If both Extensible Authentication Protocol (EAP) authentication and SSID-based authentication succeed, the user is allowed to access the WLAN; otherwise the user is disassociated.

The Cisco Secure ACS uses the NARs feature to restrict user access based on the SSID. A NAR is a definition, which you make in Cisco Secure ACS, of additional conditions that must be met before a user can access the network. Cisco Secure ACS applies these conditions using information from attributes sent by your AAA clients. Although there are several ways you can set up NARs, they are all based on matching attribute information sent by the AAA client. Therefore, you must understand the format and content of the attributes your AAA clients send if you want to employ effective NARs. When you set up a NAR, you can choose whether the filter operates positively or negatively. That is, in the NAR you specify whether to permit or deny network access, based on a comparison of the information sent from AAA clients with the information stored in the NAR. However, if a NAR does not encounter sufficient information to operate, it defaults to denying access.

The controller sends the SSID name in the dialed number identification service (DNIS) attribute. So if you build a DNIS NAR in either the user or the group, you can create per-user SSID restrictions.

For example:

AAA client = WLC
  port = *
  CLI = *
  DNIS=*ssidname

Note: Replace WLC with the AAA client as configured in your ACS, and ssidname with the real SSID name used on your network. Check the spelling, because the match is case sensitive.
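
The Python sketch below is an added example, not code from the original document or from Cisco Secure ACS. It models the two-stage decision and the NAR behaviour described above (wildcard matching, case sensitivity, permit or deny filters, and denial when an attribute is missing). The SSID Corp-WiFi, the MAC addresses and the "AP-MAC:SSID" shape of the DNIS value are constructed assumptions.

```python
import re

FIELDS = ("aaa_client", "port", "cli", "dnis")

def wildcard_match(pattern, value):
    """Case-sensitive match in which '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def nar_allows(action, entries, request):
    """Evaluate one NAR; action is 'permit' or 'deny' (how the filter operates)."""
    if action not in ("permit", "deny"):
        raise ValueError("action must be 'permit' or 'deny'")
    # Insufficient information: an attribute the NAR compares is absent,
    # so access is denied whichever way the filter operates.
    # (Modelling assumption: every field of an entry is compared.)
    if any(request.get(field) is None for field in FIELDS):
        return False
    matched = any(
        all(wildcard_match(entry[field], request[field]) for field in FIELDS)
        for entry in entries
    )
    return matched if action == "permit" else not matched

def wlan_access(eap_ok, action, entries, request):
    """Stage 1 (EAP) and stage 2 (SSID NAR) must both succeed."""
    return eap_ok and nar_allows(action, entries, request)

# The entry from the page, with the constructed SSID "Corp-WiFi" as ssidname.
ENTRIES = [{"aaa_client": "WLC", "port": "*", "cli": "*", "dnis": "*Corp-WiFi"}]

def sample_request(dnis):
    """Constructed attributes as the AAA client might send them (assumed shape)."""
    return {"aaa_client": "WLC", "port": "1",
            "cli": "00-00-5E-00-53-01", "dnis": dnis}

if __name__ == "__main__":
    for dnis in ("00-00-5E-00-53-10:Corp-WiFi",      # exact SSID
                 "00-00-5E-00-53-10:corp-wifi",      # wrong case
                 "00-00-5E-00-53-10:Lab-Corp-WiFi",  # also ends in the SSID
                 None):                              # attribute not sent
        print(dnis, wlan_access(True, "permit", ENTRIES, sample_request(dnis)))
```

In this model the leading * matches any DNIS value that ends in the SSID name, so a different SSID with the same ending also satisfies the entry; compare the pattern against the exact attribute format your AAA client sends.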

Refer to Restrict WLAN Access based on SSID with WLC and Cisco Secure ACS Configuration Example for more detailed information on SSID-based authentication. Refer to the article How to implement RADIUS-based VLAN access control features on the Access Point for more information.

Problem Type

Configure / Configuration issues

Products

Wireless LAN Controllers
