Cisco Support Community
Community Member

ACS Policy

Hi There

Is it possible to "link" an SSID to a User Group in ACS 3.3?

If there are 10 User Groups (Active Directory) in ACS and there are 4 SSIDs, how can you prevent "Guest Users" from User Group 100 from connecting to a non-Guest user SSID? The Guest User group IS a valid group. If there is no match with the "production group", but there is a match with the Guest Group, the guest users can log in to the production SSID. Isn't it?



Hall of Fame Super Blue

Re: ACS Policy

Hi Remco

Yes, you can do this. You can either assign the user to a specific VLAN with RADIUS or you can assign a user to a specific SSID with RADIUS.

I'm assuming that you have ACS configured to authenticate against AD.

Have a read of this link. At the end it gives configuration examples of how to set up per-user SSID assignment.



Community Member

Re: ACS Policy

Hi Jon

I don't think that this is the solution. Maybe you do not understand what my problem is. I'll try to explain it in another way.

There are two SSIDs. 1=Production, 2=Guest

VLAN assignment on the 4400 controller is done by the ACS RADIUS Server

John is a member of the Production AD Group, Peter is a member of the Guest AD Group.

When Peter configures the "Production" SSID, he has to authenticate... ACS can see that he belongs just to Group "Guests" and places Peter in VLAN Guest. Right now Peter is connected to SSID Production, but in VLAN Guest...

And another problem: What will happen when a user can connect to two different SSIDs (Production and Test) with the same username? I think that the first match will always place the user in the VLAN corresponding to the first group... Isn't it?

