Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Wireless Employee Denial to Guest SSID

I am looking for ideas on best way to force employees to use the 'employee' ssid instead of the 'guest' ssid.

Using Unified Wireless (LWAPP) + ACS 4.0

One thought is that guest ssid can only access the Internet and -only- the Internet (restrict them from using IPSEC traffic to the company's VPN gateway); it works but it's not elegant.

Another thought is to have ACS return only the list of authorized SSIDs so WLC can use with AAA-Override; it would work, but there is no defined AVP to provide for this (1) -- it also requires both Employee and Guest SSIDs to have MAC-Authentication, which would imply Guests' MAC address be managed.

(1) Airespace WLAN-ID is supposed to work, but the controller still allows users to associate (CSCsd58434)

Any thoughts? TIA


Re: Wireless Employee Denial to Guest SSID

Guessing here, but it you cant tell the Airespace AP which SSID is valid, then you have to deny access to invalid ones.

Assuming the authentication request includes an attribute (or VSA) that supplies the SSID name - you could build an ACS v4.0 NAP for each SSID.

Within each NAP you can map certain ACS groups to "No access" within the authorisation policy (in the NAP)

This would work regardless of authentication protocol. The only problem is that you may have wanted to use NAPs for other purposes (eg NAC)


New Member

Re: Wireless Employee Denial to Guest SSID

Thanks Darran, but I am using only MAC-auth for guest (just so I could use ACS to deny the invalid ones), but NAP authentication treats MAC-auth as a bypass where EVERY mac address would be allowed, regardless which group they belong to.

So, either I am doing horribly wrong, or this is the wrong approach.

At the moment, my best hope is to get Airespace to accept ACS's WLAN-ID as the VSA to override the SSID, but it does not currently do so.

Remember, I am looking for a clean way to accomplish this - not necessarily hacks.


Re: Wireless Employee Denial to Guest SSID

Well the clean way is have the policy dictated by the AAA server. So getting Airespace to accept an SSID authorisation is the right solution.


New Member

Re: Wireless Employee Denial to Guest SSID

CreatePlease to create content