05-23-2006 04:37 PM - edited 03-10-2019 02:35 PM
I am looking for ideas on the best way to force employees to use the 'employee' ssid instead of the 'guest' ssid.
Using Unified Wireless (LWAPP) + ACS 4.0
One thought is that guest ssid can only access the Internet and -only- the Internet (restrict them from using IPSEC traffic to the company's VPN gateway); it works but it's not elegant.
Another thought is to have ACS return only the list of authorized SSIDs so WLC can use it with AAA-Override; it would work, but there is no defined AVP to provide for this (1) -- it also requires both Employee and Guest SSIDs to have MAC-Authentication, which would imply Guests' MAC addresses be managed.
(1) Airespace WLAN-ID is supposed to work, but the controller still allows users to associate (CSCsd58434)
Any thoughts? TIA
05-25-2006 12:54 AM
Guessing here, but if you can't tell the Airespace AP which SSID is valid, then you have to deny access to invalid ones.
Assuming the authentication request includes an attribute (or VSA) that supplies the SSID name - you could build an ACS v4.0 NAP for each SSID.
Within each NAP you can map certain ACS groups to "No access" within the authorisation policy (in the NAP).
This would work regardless of authentication protocol. The only problem is that you may have wanted to use NAPs for other purposes (e.g. NAC).
Darran
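Darran's suggestion above, modelled as an added example (my own code, not Cisco ACS or WLC code): the AAA server reads the WLAN ID the controller reports in the Access-Request and answers Access-Reject for any group not authorised for that SSID, so the decision holds regardless of authentication protocol. It assumes the controller sends the Airespace-Wlan-Id vendor-specific attribute (vendor ID 14179, vendor type 1, an integer WLAN ID); the group-to-WLAN policy is constructed for illustration.

```python
import struct

AIRESPACE_VENDOR_ID = 14179  # assumption: Airespace (Cisco WLC) RADIUS vendor ID
AIRESPACE_WLAN_ID = 1        # assumption: vendor type of the Airespace-Wlan-Id VSA

# Constructed policy: AAA group -> WLAN IDs the group may associate to.
GROUP_WLAN_POLICY = {
    "employees": {1},      # WLAN 1 = 'employee' SSID
    "contractors": {1, 2},
    "guests": {2},         # WLAN 2 = 'guest' SSID
}


def encode_airespace_wlan_id(wlan_id: int) -> bytes:
    """Build a RADIUS Vendor-Specific (type 26) attribute per RFC 2865."""
    vsa = struct.pack("!BBI", AIRESPACE_WLAN_ID, 6, wlan_id)  # vtype, vlen, value
    return struct.pack("!BBI", 26, 6 + len(vsa), AIRESPACE_VENDOR_ID) + vsa


def decode_airespace_wlan_id(attrs: bytes):
    """Walk a RADIUS attribute list; return the WLAN ID, or None if absent."""
    pos = 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            return None  # malformed length: stop rather than guess
        body = attrs[pos + 2:pos + alen]
        if atype == 26 and len(body) >= 6:
            vendor = struct.unpack("!I", body[:4])[0]
            vpos = 4
            while vpos + 2 <= len(body):
                vtype, vlen = body[vpos], body[vpos + 1]
                if vlen < 2 or vpos + vlen > len(body):
                    break
                if (vendor == AIRESPACE_VENDOR_ID and vtype == AIRESPACE_WLAN_ID
                        and vlen == 6):
                    return struct.unpack("!I", body[vpos + 2:vpos + 6])[0]
                vpos += vlen
        pos += alen
    return None


def authorize(group: str, attrs: bytes) -> str:
    """Fail closed: unknown group, missing or unauthorised WLAN ID -> reject."""
    wlan_id = decode_airespace_wlan_id(attrs)
    if wlan_id is None or wlan_id not in GROUP_WLAN_POLICY.get(group, set()):
        return "Access-Reject"
    return "Access-Accept"
```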
05-25-2006 10:02 AM
Thanks Darran, but I am using only MAC-auth for guest (just so I could use ACS to deny the invalid ones), and NAP authentication treats MAC-auth as a bypass where EVERY MAC address would be allowed, regardless of which group it belongs to.
So, either I am doing something horribly wrong, or this is the wrong approach.
At the moment, my best hope is to get Airespace to accept ACS's WLAN-ID as the VSA to override the SSID, but it does not currently do so.
Remember, I am looking for a clean way to accomplish this - not necessarily hacks.
05-26-2006 03:12 AM
Well, the clean way is to have the policy dictated by the AAA server. So getting Airespace to accept an SSID authorisation is the right solution.
Darran
04-12-2007 07:21 AM
Take a look at this document. Maybe it will help you.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml