ACS - SSID - MAC-Filter separation


I’m trying to set up the following environment:

  1. WLC 5508 (OS 7.5)
  2. Up to 60 Access Points 1602I
  3. Two SSID’s are required
  4. WPA/WPA2 Authentication is required
  5. MAC-Filter should also be used

I’ve done the following configuration:

  • LAN Environment works
  • WLC Setup works also with all Access Points
  • SSID with WPA/WPA2 Authentication work
  • Clients can connect to each SSID

For the MAC Filter Setup I’m going to use an ACS 5.4 and an Active Directory. The ACS has successfully joined the Active Directory and in the Active Directory I’ve created two groups:



These two groups I’ve selected after I joined the Active Directory. I used the Active Directory (AD1) as an Identity group, which is used by a Network Access based Access Service. In my second step, I configured the WLC to use Radius authentication for MAC-Filter and everything works.

But now I’ve found my problem:

The ACS server works top down, and the first rule matches:

If a MAC is member of group SSID1 and the Client wants to join SSID 1 it works

If a MAC is member of group SSID2 and the Client wants to join SSID 1 it works, too. Because the rules are checked top down, first match. And the ACS will find the MAC in group SSID.

  • Is it possible to check at the ACS which SSID sent the MAC-Filter request? or
  • Is it possible to get the ssid value from the Active Directory to use this value in my policies?

I would like to restrict the MACs from group SSID1 to SSID 1 and the MACs from group SSID to SSID 2.

Thanks and kind regards



Problem is solved, the caller-station-id can be used, it transfers the SSID and "contains" can be used.

Hello, I am looking for this config as well. Is it possible to post screenshots of ACS showing how you created your Access Policies, and how you restricted authentication by SSID (Using end-station filters for calling-station-id, DNIS??)




Hello,

I hope this will help you. The username and password will be the MAC address of your client wireless device, e.g.

Username:  aabbccddeeff

Password:  aabbccddeeff

You have to check in which form you have to send the MAC address (aa:bb:cc:dd:ee:ff, aabbcc-ddeeff, AA:BB:CC:DD:EE:FF, and so on).

The attachments will show you a sample ACS Access Policy and the "caller-station-id" configuration and the configuration of an SSID from a Cisco WLC 5508.
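The rule logic discussed in this thread, as an added Python sketch that is not part of any post and not ACS configuration: it normalizes the MAC forms listed above and binds each group to one SSID taken from the station-id value. The `<AP MAC with dashes>:<SSID>` layout, the SSID names and the MAC-to-group table are constructed assumptions; the SSID is compared exactly, which is stricter than a "contains" test (a substring rule for one SSID would also match a longer SSID name that includes it).

```python
import re

# Constructed sample data: MAC -> directory group, group -> the one SSID it may join.
GROUP_OF_MAC = {"aabbccddeeff": "SSID1", "112233445566": "SSID2"}
SSID_FOR_GROUP = {"SSID1": "Corp-WLAN", "SSID2": "Staff-WLAN"}


def normalize_mac(raw):
    """Reduce aa:bb:cc:dd:ee:ff, aabbcc-ddeeff, AA-BB-... to aabbccddeeff."""
    mac = re.sub(r"[:.\-]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", mac):
        raise ValueError(f"not a MAC address: {raw!r}")
    return mac


def ssid_from_station_id(station_id):
    """Return the SSID from '<AP MAC>:<SSID>' (assumed layout).

    The AP MAC is assumed to use '-' separators, so the first ':' ends it
    and the SSID itself may still contain ':'.
    """
    ap_mac, sep, ssid = station_id.partition(":")
    if not sep or not ssid:
        raise ValueError("station-id carries no SSID")
    normalize_mac(ap_mac)  # reject values that do not start with a MAC
    return ssid


def authorize_group_only(username):
    """Behaviour from the original question: any known group passes, SSID ignored."""
    try:
        return normalize_mac(username) in GROUP_OF_MAC
    except ValueError:
        return False


def authorize(username, station_id):
    """Permit only when the MAC's group is bound to the SSID in the request."""
    try:
        mac = normalize_mac(username)
        ssid = ssid_from_station_id(station_id)
    except ValueError:
        return False  # fail closed on anything malformed
    group = GROUP_OF_MAC.get(mac)
    return group is not None and SSID_FOR_GROUP.get(group) == ssid
```
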

Hi Onken,


Is your problem solved only on the basis of the ACS configuration SSID "contains", in which corporate users connect only to the corporate SSID and staff users connect only to the staff SSID?




