Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

*** New trunking support and multi-SSID usable for role-based access? ***

We are looking at role-based access for our WLAN - simplified, something like this:

Group 1: In-house users with Cisco-only WLAN equipment. We have full control over their client configuration and user settings/access rights and we want maximum security (LEAP etc.).

Group 2: Public users with any kind of WLAN client hardware and software (minimum WiFi compliant or whatever else is appropriate). We have no control over their client setup except we can provide configuration tips pertaining to required settings to connect. I want these users to have no access to our in-house resources except for browsing the Internet etc. Typical "hot spot" scenario, I suppose.

Is there a way to accomplish this with AP configuration only? Is it possible with AP plus Secure ACS configuration? Is it possible with the new trunking feature (separate VLANs per group) and multiple SSIDs (different authentication mechanisms per SSID)? Is it only possible with third-party solutions, such as BlueSocket?

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: *** New trunking support and multi-SSID usable for role-base

This is a perfect scenario for utilizing the VLAN trunking capability of the access point. Cisco currently allows for configuration of up to 16 VLANs on the access point. Each VLAN configured has an associated SSID and security framework. Cisco allows for one SSID/VLAN to be configured with no security features enabled.

In your depicted scenario, you would configure two VLAN/SSIDs on the access point. SSIDx/VLANx would be configured for LEAP and/or any other security features you choose. SSIDy/VLANy would be configured with no security features enabled. The key here is keeping clients associated to SSIDy from accessing your internal network. This is accomplished through the configuration of access lists (ACLs) on the upstream router.

Basically, you would want to configure an ACL that allows all clients in the IP subnet assigned to SSIDx to access all resources. You would then create another ACL that denies all clients in the IP subnet assigned to SSIDy access to internal resources, but allows them access to all external resources.

Some things to keep in mind...This configuration requires that the access point be connected to a switch capable of 802.1q trunking and also requires a router that is configured for 802.1q trunking.

This is a quick and dirty description. Cisco has very good documentation on all aspects of the configurations described. Feel free to forward any questions along.

2 REPLIES
New Member

Re: *** New trunking support and multi-SSID usable for role-base

I believe you can acccomplish this in conjunction with the ACS. You have to select CISCO/PIX as the Radius Authenticator for the 1200, and in the Group or User Setup fill in the Cisco/PIX RADIUS VSA a/v pair with "ssid" and respectively. Specify the per-SSID settings on the AP.

New Member

Re: *** New trunking support and multi-SSID usable for role-base

This is a perfect scenario for utilizing the VLAN trunking capability of the access point. Cisco currently allows for configuration of up to 16 VLANs on the access point. Each VLAN configured has an associated SSID and security framework. Cisco allows for one SSID/VLAN to be configured with no security features enabled.

In your depicted scenario, you would configure two VLAN/SSIDs on the access point. SSIDx/VLANx would be configured for LEAP and/or any other security features you choose. SSIDy/VLANy would be configured with no security features enabled. The key here is keeping clients associated to SSIDy from accessing your internal network. This is accomplished through the configuration of access lists (ACLs) on the upstream router.

Basically, you would want to configure an ACL that allows all clients in the IP subnet assigned to SSIDx to access all resources. You would then create another ACL that denies all clients in the IP subnet assigned to SSIDy access to internal resources, but allows them access to all external resources.

Some things to keep in mind...This configuration requires that the access point be connected to a switch capable of 802.1q trunking and also requires a router that is configured for 802.1q trunking.

This is a quick and dirty description. Cisco has very good documentation on all aspects of the configurations described. Feel free to forward any questions along.

240
Views
4
Helpful
2
Replies