Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
595
Views
0
Helpful
4
Replies

Wireless Employee Denial to Guest SSID

rupert.wever
Level 1
Level 1

‎05-23-2006 04:37 PM - edited ‎03-10-2019 02:35 PM

I am looking for ideas on best way to force employees to use the 'employee' ssid instead of the 'guest' ssid.

Using Unified Wireless (LWAPP) + ACS 4.0

One thought is that guest ssid can only access the Internet and -only- the Internet (restrict them from using IPSEC traffic to the company's VPN gateway); it works but it's not elegant.

Another thought is to have ACS return only the list of authorized SSIDs so WLC can use with AAA-Override; it would work, but there is no defined AVP to provide for this (1) -- it also requires both Employee and Guest SSIDs to have MAC-Authentication, which would imply Guests' MAC address be managed.

(1) Airespace WLAN-ID is supposed to work, but the controller still allows users to associate (CSCsd58434)

Any thoughts? TIA

Labels:
0 Helpful
4 Replies 4

darpotter
Level 5
Level 5

‎05-25-2006 12:54 AM

Guessing here, but it you cant tell the Airespace AP which SSID is valid, then you have to deny access to invalid ones.

Assuming the authentication request includes an attribute (or VSA) that supplies the SSID name - you could build an ACS v4.0 NAP for each SSID.

Within each NAP you can map certain ACS groups to "No access" within the authorisation policy (in the NAP)

This would work regardless of authentication protocol. The only problem is that you may have wanted to use NAPs for other purposes (eg NAC)

Darran

0 Helpful

rupert.wever
Level 1
Level 1
In response to darpotter

‎05-25-2006 10:02 AM

Thanks Darran, but I am using only MAC-auth for guest (just so I could use ACS to deny the invalid ones), but NAP authentication treats MAC-auth as a bypass where EVERY mac address would be allowed, regardless which group they belong to.

So, either I am doing horribly wrong, or this is the wrong approach.

At the moment, my best hope is to get Airespace to accept ACS's WLAN-ID as the VSA to override the SSID, but it does not currently do so.

Remember, I am looking for a clean way to accomplish this - not necessarily hacks.

0 Helpful

darpotter
Level 5
Level 5
In response to rupert.wever

‎05-26-2006 03:12 AM

Well the clean way is have the policy dictated by the AAA server. So getting Airespace to accept an SSID authorisation is the right solution.

Darran

0 Helpful

nuno.santos
Level 1
Level 1

‎04-12-2007 07:21 AM

Take a look to this document. Maybe it will help you.

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml

0 Helpful
Customers Also Viewed These Support Documents