*** New trunking support and multi-SSID usable for role-based access? ***

schm196
Level 1

We are looking at role-based access for our WLAN - simplified, something like this:

Group 1: In-house users with Cisco-only WLAN equipment. We have full control over their client configuration and user settings/access rights and we want maximum security (LEAP etc.).

Group 2: Public users with any kind of WLAN client hardware and software (minimum WiFi compliant or whatever else is appropriate). We have no control over their client setup except we can provide configuration tips pertaining to required settings to connect. I want these users to have no access to our in-house resources except for browsing the Internet etc. Typical "hot spot" scenario, I suppose.

Is there a way to accomplish this with AP configuration only? Is it possible with AP plus Secure ACS configuration? Is it possible with the new trunking feature (separate VLANs per group) and multiple SSIDs (different authentication mechanisms per SSID)? Is it only possible with third-party solutions, such as BlueSocket?

Accepted Solution

kkulp
Level 1

This is a perfect scenario for utilizing the VLAN trunking capability of the access point. Cisco currently allows for configuration of up to 16 VLANs on the access point. Each VLAN configured has an associated SSID and security framework. Cisco allows for one SSID/VLAN to be configured with no security features enabled.

In your depicted scenario, you would configure two VLAN/SSIDs on the access point. SSIDx/VLANx would be configured for LEAP and/or any other security features you choose. SSIDy/VLANy would be configured with no security features enabled. The key here is keeping clients associated to SSIDy from accessing your internal network. This is accomplished through the configuration of access lists (ACLs) on the upstream router.

Basically, you would want to configure an ACL that allows all clients in the IP subnet assigned to SSIDx to access all resources. You would then create another ACL that denies all clients in the IP subnet assigned to SSIDy access to internal resources, but allows them access to all external resources.

Some things to keep in mind... This configuration requires that the access point be connected to a switch capable of 802.1q trunking and also requires a router that is configured for 802.1q trunking.

This is a quick and dirty description. Cisco has very good documentation on all aspects of the configurations described. Feel free to forward any questions along.

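An added example (not from kkulp's post or from Cisco's documentation) of the switch-port and upstream-router side of the design described above, in Cisco IOS syntax. It assumes VLAN 10 with subnet 10.10.10.0/24 for the staff SSID (SSIDx) and VLAN 20 with subnet 10.10.20.0/24 for the guest SSID (SSIDy); interface names, VLAN numbers and addresses are placeholders, and guest clients are assumed to use an external DNS server.

```cisco
! Switch port facing the access point: 802.1Q trunk carrying both SSID VLANs.
! VLAN 1 stays the native VLAN, used here for AP management (assumption).
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,10,20
 switchport mode trunk
!
! Upstream router, "router on a stick": one subinterface per SSID/VLAN.
interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.10
 description Staff SSID (SSIDx) - VLAN 10 - full access
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
 ip access-group STAFF-IN in
!
interface FastEthernet0/0.20
 description Guest SSID (SSIDy) - VLAN 20 - Internet only
 encapsulation dot1Q 20
 ip address 10.10.20.1 255.255.255.0
 ip access-group GUEST-IN in
!
! Staff subnet: allow everything (the ACL exists mainly to drop spoofed sources).
ip access-list extended STAFF-IN
 permit ip 10.10.10.0 0.0.0.255 any
!
! Guest subnet: let clients obtain an address, then block every internal range
! before the final permit so "internal" is evaluated before "Internet".
ip access-list extended GUEST-IN
 remark DHCP requests arrive from 0.0.0.0, so they need an explicit permit
 permit udp any eq bootpc any eq bootps
 remark Deny all private address space (covers the staff subnet and the LAN)
 deny ip 10.10.20.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny ip 10.10.20.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny ip 10.10.20.0 0.0.0.255 192.168.0.0 0.0.255.255
 remark Anything not internal is the Internet; allow it
 permit ip 10.10.20.0 0.0.0.255 any
 remark Implicit deny drops traffic with a source outside the guest subnet
```

Verify with `show ip access-lists GUEST-IN` after a guest client has been active: the deny entries should show hit counts for any attempt to reach internal addresses, while the final permit counts the Internet traffic.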

2 Replies

bruce.johnson
Level 1

I believe you can accomplish this in conjunction with the ACS. You have to select CISCO/PIX as the Radius Authenticator for the 1200, and in the Group or User Setup fill in the Cisco/PIX RADIUS VSA a/v pair with "ssid" and respectively. Specify the per-SSID settings on the AP.
