Cisco Support Community

ACS 5.2 authorization policy

Hello,

Is there any method to control access to the different WLANs (PEAP) on the same ACS 5.2 and WLC?

That is, there are two AD groups: one has access to the domain network only, the other group has access to the internet only,
and maybe a third group that has access to both networks.

Currently, if I add a new authorization policy, the user will have access to both networks...

Many thanks, in advance.


Accepted Solutions

ACS 5.2 authorization policy

Yes, this is possible. The SSID is carried in the called-station-id, which is an AV pair sent in the access-request. The format of the called-station-id is , so you can build your authorization policy with a compound condition of "called-station-id ends with ssid", then you can combine this with the AD1:ExternalGroups and set the permit-access or deny-access result depending on your implementation. Also, the SSID is case sensitive when ACS makes its decision, so keep that in mind.

If you look at the authentication report in ACS you can see the ssid that I am referring to in the called-station id in the logs.

Hope that helps

Tarik Admani
*Please rate helpful posts*
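
The rule logic described in the accepted answer, modelled in Python as an added example (not part of the original post and not ACS code). The SSIDs, AD group names, first-match ordering and DenyAccess default are assumptions made for the illustration.

```python
# Model of an SSID-aware authorization policy (illustrative, not ACS code).
# Assumptions: first matching rule wins, the default rule is DenyAccess,
# and the SSID and AD group names below are constructed for this example.
from dataclasses import dataclass

PERMIT, DENY = "PermitAccess", "DenyAccess"


@dataclass(frozen=True)
class Rule:
    name: str
    ssid: str    # compared as "Called-Station-Id ends with <ssid>"
    group: str   # must appear in AD1:ExternalGroups
    result: str


# Hypothetical rule table: two single-network groups plus one group allowed on both.
RULES = [
    Rule("Domain-WLAN", "corp-wlan", "example.local/Groups/WLAN-Domain", PERMIT),
    Rule("Internet-WLAN", "guest-wlan", "example.local/Groups/WLAN-Internet", PERMIT),
    Rule("Both-on-Domain", "corp-wlan", "example.local/Groups/WLAN-Both", PERMIT),
    Rule("Both-on-Internet", "guest-wlan", "example.local/Groups/WLAN-Both", PERMIT),
]


def authorize(called_station_id, external_groups, rules=RULES):
    """Return (result, rule name) for one access-request."""
    for rule in rules:
        # str.endswith is case sensitive, like the comparison described above.
        if called_station_id.endswith(rule.ssid) and rule.group in external_groups:
            return rule.result, rule.name
    return DENY, "Default"


# Constructed access-requests; "<ap-id>" stands in for whatever precedes the SSID.
SAMPLES = [
    ("<ap-id>:corp-wlan", {"example.local/Groups/WLAN-Domain"}),
    ("<ap-id>:guest-wlan", {"example.local/Groups/WLAN-Domain"}),
    ("<ap-id>:guest-wlan", {"example.local/Groups/WLAN-Both"}),
    ("<ap-id>:Corp-WLAN", {"example.local/Groups/WLAN-Domain"}),  # wrong case
]

if __name__ == "__main__":
    for csid, groups in SAMPLES:
        print(csid, sorted(groups), "->", authorize(csid, groups))
```

Because the condition is a suffix match, an SSID whose name ends with another SSID's name (for instance a constructed `lab-corp-wlan`) hits the same rule as `corp-wlan`.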
