I am looking for ideas on the best way to force employees to use the 'employee' SSID instead of the 'guest' SSID.
Using Unified Wireless (LWAPP) + ACS 4.0
One thought is that the guest SSID can only access the Internet and -only- the Internet (restrict them from using IPsec traffic to the company's VPN gateway); it works but it's not elegant.
Another thought is to have ACS return only the list of authorized SSIDs so the WLC can use it with AAA-Override; it would work, but there is no defined AVP to provide for this (1) -- it also requires both Employee and Guest SSIDs to have MAC-Authentication, which would imply Guests' MAC addresses be managed.
(1) Airespace WLAN-ID is supposed to work, but the controller still allows users to associate (CSCsd58434)
Thanks Darran, but I am using only MAC-auth for guest (just so I could use ACS to deny the invalid ones), but NAP authentication treats MAC-auth as a bypass where EVERY MAC address would be allowed, regardless of which group they belong to.
So, either I am doing it horribly wrong, or this is the wrong approach.
At the moment, my best hope is to get Airespace to accept ACS's WLAN-ID as the VSA to override the SSID, but it does not currently do so.
Remember, I am looking for a clean way to accomplish this - not necessarily hacks.
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: