Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
8187
Views
5
Helpful
0
Comments

How to configure Wireless LAN Controller (WLC) authentication for users by SSID verification

TCC_2
Level 10
Level 10

‎06-22-2009 04:37 PM - edited ‎11-18-2020 02:33 AM

Introduction:-

How to configure Wireless LAN Controller (WLC) authentication for users by SSID verification.

Topology:-

1.jpg

Resolution:-

With the use of service-set identifier (SSID)-based WLAN access, the users can be authenticated based on the SSID they use in order to connect to the WLAN. The Cisco Secure Access Control Server (ACS) is used to authenticate the users. Authentication happens in two stages on the Cisco Secure ACS:

  1. EAP authentication

  2. SSID authentication based on Network Access Restrictions (NARs) on Cisco Secure ACS

If Extensible Authentication Protocol (EAP) and SSID-based authentication are successful, the user is allowed to access the WLAN or else the user is disassociated.

The Cisco Secure ACS uses the NARs feature to restrict user access based on the SSID.  A NAR is a definition, which you make in Cisco Secure ACS, of additional conditions that must be met before a user can access the network. Cisco Secure ACS applies these conditions using information from attributes sent by your AAA clients. Although there are several ways you can set up NARs, they are all based on matching attribute information sent by the AAA client. Therefore, you must understand the format and content of the attributes your AAA clients send if you want to employ effective NARs. When you set up a NAR, you can choose whether the filter operates positively or negatively. That is, in the NAR you specify whether to permit or deny network access, based on a comparison of information sent from AAA clients to the information stored in the NAR. However, if a NAR does not encounter sufficient information to operate, it defaults to denied access.

Basically, the controller sends in the dialed number identification service (DNIS) attribute (the SSID name). So if you build DNIS NAR in either the user or group, you can create per-user SSID restrictions.

For example:

AAA client = WLC
  port = *
  CLI = *
  DNIS=*ssidname

Note: Change the WLC to your configuration in your ACS, and ssid  name to the real name used on your network. Make sure to check spelling as it is case sensitive.

Refer to Restrict WLAN Access based on SSID with WLC and Cisco Secure ACS Configuration Example for more detailed information on SSID-based authentication. Refer to article How to implement RADIUS-based VLAN access control features on the Access Point  for more information.

Problem Type

Configure / Configuration issues

Products

Wireless LAN Controllers

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents