
Deployment of NAC Solution with NAC Guest Server

Hi,

I have the NGS (Version = 2.0.3) and Cisco NAC Manager/Server (Version = 4.8.2)...

I have deployed the wired and wireless users and am using the different authentication servers (LDAP, RADIUS, VPN SSO, ADSSO) with their mapping roles. It seems to be working well so far.

My question is, how best to deploy NGS with the NAC solution for the wireless users (having different SSIDs with unique roles)?

Currently, for the guest users, I was creating the user accounts on NGS with the role "Wireless Guest"; the same role was defined on NAC Manager. The NGS creates the users on NAC Manager by using the APIs.

When the guest user connects to the "Guest SSID", the login page appears with the default Authentication Provider = Local DB. After successful authentication, the user gets the right "Wireless Guest" role... So far, it seems to be working well.

But now the customer wants another role to be created from NGS, e.g., another guest role with some additional access to the network, which will be controlled by having an ACL on the core switches. This role will use another SSID / user subnet / Quarantine | Access VLAN.

After completing all prerequisites, I came to know that users from both roles can connect to each other's SSIDs; both roles are getting authenticated from the Local DB and getting access to the network. For example:

1) Username = User1, Role=Guest1, Quarantine VLAN=214, Access VLAN = 14, SSID = Guest1

2) Username = User2, Role=Guest2, Quarantine VLAN=215, Access VLAN = 15, SSID = Guest2

But users can connect to each other's SSID and get network access... Even so, we can't use mapping roles to avoid this situation, because of the Local DB.

So, how can we restrict the users from authenticating to each other's SSID and stop them getting network access? Or is there any other way to deploy this?

Any thoughts or ideas would be appreciated.

BR,

Mubasher Sultan

3 REPLIES

Deployment of NAC Solution with NAC Guest Server

Hi,

Any idea or suggestion...

BR,

Mubasher Sultan

New Member

Deployment of NAC Solution with NAC Guest Server

We are solving this by having multiple NAC Managers and NAC appliances. The NAC appliance line doesn't seem to have the granularity or flexibility to handle these use cases.

Another thought would be to take this off the NAC appliance somehow and do AAA override so that when they auth to the SSID, they get put in the correct VLAN. I can assume what your response will be: they are guests, we can't have them auth because of the overhead.

This is exactly why we have come to the conclusion that for each use case, a different NAC Manager is required to allow us to formulate different policies for users in different use cases.

For example, if we want to restrict a set of users but allow another... both users have to be tagged with an attribute via LDAP (we will call it the restricted attribute). One NAC appliance for the unrestricted SSID would look for the restricted tag and block access to any user with a restricted tag but allow everyone else.

Your 2nd NAC appliance / Manager would be utilized for the SSID that restricted users would connect to. It would look for the restricted flag and allow them, but block users who did not have a restricted flag.

Cisco Employee

Deployment of NAC Solution with NAC Guest Server

If NAC Server is configured for IB VGW mode and is mapping the ingress VLAN through to the upstream gateway, then the access between SSIDs would appear to be occurring upstream. Of course, you could also configure named ACLs on each WLAN interface of the WLC to block traffic to/from the other WLAN subnet. If IB RIP mode is deployed, then you should be able to configure traffic filters on the untrusted interface of each VLAN to deny traffic to the other VLAN's IP address space.
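To make the per-WLAN ACL suggestion above concrete, here is an added example (not from this thread, and not Cisco or WLC code) that models a first-match ACL with the implicit deny that Cisco ACLs end with. It builds the ACL each guest WLAN would carry, denying traffic to and from every other guest subnet before permitting the rest, and checks that Guest1 and Guest2 hosts can no longer reach each other while upstream traffic still passes. The subnets 10.14.0.0/24 and 10.15.0.0/24 are constructed to stand in for access VLANs 14 and 15; the thread gives no real address space, and the actual WLC ACL must of course be written in the controller's own syntax.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One ACL entry: `action` applies to flows from `src` network to `dst` network."""
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed address space for the two guest access VLANs (14 and 15 in the
# question); the thread does not give the real subnets.
GUEST_SUBNETS = {
    "Guest1": ipaddress.ip_network("10.14.0.0/24"),   # constructed: access VLAN 14
    "Guest2": ipaddress.ip_network("10.15.0.0/24"),   # constructed: access VLAN 15
}


def evaluate(acl, src_ip, dst_ip):
    """First matching rule wins; no match falls through to the implicit deny
    that terminates every Cisco ACL."""
    src = ipaddress.ip_address(str(src_ip))
    dst = ipaddress.ip_address(str(dst_ip))
    for rule in acl:
        if src in rule.src and dst in rule.dst:
            return rule.action
    return "deny"


# Weak configuration: a WLAN ACL that permits everything, which is in effect
# what the question describes (isolation left entirely to the upstream gateway).
PERMIT_ALL_ACL = [Rule("permit", ANY, ANY)]


def build_wlan_acl(own, subnets):
    """Build the ACL for the WLAN of guest role `own`: deny traffic to and from
    every other guest subnet, then permit the rest (upstream / Internet)."""
    acl = []
    for name, net in subnets.items():
        if name == own:
            continue
        acl.append(Rule("deny", subnets[own], net))
        acl.append(Rule("deny", net, subnets[own]))
    acl.append(Rule("permit", ANY, ANY))
    return acl


def isolated(acl, net_a, net_b, hosts=(1, 50, 254)):
    """True if none of the sampled hosts in `net_a` may reach any sampled host
    in `net_b` under `acl` (a quick regression check for the ACL, not a proof)."""
    for ha in hosts:
        for hb in hosts:
            if evaluate(acl, net_a[ha], net_b[hb]) == "permit":
                return False
    return True


if __name__ == "__main__":
    g1, g2 = GUEST_SUBNETS["Guest1"], GUEST_SUBNETS["Guest2"]
    print("permit-all ACL isolates Guest1 from Guest2:", isolated(PERMIT_ALL_ACL, g1, g2))
    acl = build_wlan_acl("Guest1", GUEST_SUBNETS)
    print("per-WLAN ACL isolates Guest1 from Guest2:", isolated(acl, g1, g2))
    print("Guest1 host to upstream 192.0.2.10:", evaluate(acl, "10.14.0.20", "192.0.2.10"))
```

The order of entries matters: the deny rules must precede the catch-all permit, since the first match decides. `build_wlan_acl` generalizes beyond the two roles in the question, producing the correct entries for any number of guest subnets that must not see each other.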
