Cisco Support Community
New Member

AP Restriction via UserID/MAC

Has anyone found a way to limit or control via a userID or client MAC address which AP a client is allowed to connect to in an LWAPP environment? I'm able to make this work in an autonomous environment by applying restrictions within ACS which control what APs users are able to connect to. I'd like to be able to do the same in an LWAPP environment, but I can't locate a way to identify which AP the user authentication is sourced from (all authentications are being sourced from the WLC). Is there some other RADIUS attribute that the WLC can send to ACS to identify which AP the authentication is sourced from?

Any help is greatly appreciated.

9 REPLIES

Re: AP Restriction via UserID/MAC

Why not do it by ssid and use ssid override which can be applied to specific APs?

New Member

Re: AP Restriction via UserID/MAC

Thank you for the suggestion.

I considered that, but I still have the issue of restricting the userID/MAC to a specific grouping of APs. Is there a way to pass the SSID information to the RADIUS server during a user authentication?

Hall of Fame Super Silver

Re: AP Restriction via UserID/MAC

Just curious why you would do this. Like Eric mentioned, the best way is to have users associate to a certain ssid and then using wlan override to determine what ssid's an AP will have. With LWAPP, everything will be sourced from the WLC management IP.

-Scott
*** Please rate helpful posts ***
New Member

Re: AP Restriction via UserID/MAC

We have devices that have to be programmed with a static user ID and password to allow authentication to the WLAN. I'm trying to restrict this user ID so it can only log in to a group of APs. I'm very familiar with the use of WLAN Override, but adding another SSID doesn't help because the user ID would still be allowed to log in to any other SSID from the WLC.

Hall of Fame Super Silver

Re: AP Restriction via UserID/MAC

You will not be able to do this because of the fact that with LWAPP, you have only one AAA client and a policy. Before, you had multiple AAA clients and each could have a different policy. The only way I can see it ever happening is if the WLC was able to pass down a VC to the RADIUS server with the AP hostname. Then you might be able to do something.

-Scott
*** Please rate helpful posts ***
New Member

Re: AP Restriction via UserID/MAC

Update: Found out that the WLCs do send the SSID information to the Radius servers in the DNIS field/attribute. In ACS you can filter via a NAR on the DNIS setting via a group or user. This allows user restriction per SSIDs.

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml

Bronze

Re: AP Restriction via UserID/MAC

Hi Rob,

To set DNIS, you have to manually create a user account in ACS. If the customer uses an external database, for example AD, how do you set DNIS? In AD, can they configure DNIS when creating a user account?

New Member

Re: AP Restriction via UserID/MAC

With AD and ACS you can use group mappings to map the AD user into a group within ACS dynamically. Then you can set the DNIS restrictions on the group within ACS. Hope this helps.

Rob
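
The decision logic described in the last replies (external group mapped to an ACS group, then a DNIS restriction on that group), sketched as an added example that is not part of the thread and is not ACS or WLC code. It assumes the DNIS value arrives as `<AP MAC with hyphens>:<SSID>`; the group names, mapping and sample values are hypothetical.

```python
import re

# Assumed DNIS layout: hyphen-separated AP MAC, a colon, then the SSID.
DNIS_RE = re.compile(r"((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}):(.+)")

# Hypothetical external (AD) group -> ACS group mapping, evaluated in order.
GROUP_MAPPING = [("CN=Scanners", "Handhelds"), ("CN=Employees", "Staff")]

# Hypothetical permit-style restriction: ACS group -> SSIDs it may use.
GROUP_SSID_PERMIT = {
    "Handhelds": {"WAREHOUSE"},
    "Staff": {"CORP", "WAREHOUSE"},
}


def map_group(external_groups):
    """Return the first ACS group whose external group the user is in."""
    for external, acs_group in GROUP_MAPPING:
        if external in external_groups:
            return acs_group
    return None


def parse_dnis(value):
    """Split a DNIS value into (ap_mac, ssid); None if it is malformed."""
    match = DNIS_RE.fullmatch(value or "")
    if match is None:
        return None
    # Everything after the first colon is the SSID, so an SSID that itself
    # contains ':' is compared whole and cannot smuggle in a permitted suffix.
    return match.group(1).lower(), match.group(2)


def authorize(external_groups, dnis):
    """Permit only mapped users whose SSID is allowed for their ACS group."""
    acs_group = map_group(external_groups)
    parsed = parse_dnis(dnis)
    if acs_group is None or parsed is None:
        return False  # fail closed: unmapped user or missing/odd attribute
    _ap_mac, ssid = parsed
    # SSIDs are case-sensitive, so compare exactly.
    return ssid in GROUP_SSID_PERMIT.get(acs_group, set())
```

Because the restriction hangs off the ACS group rather than the user record, accounts that live only in the external database inherit it through the mapping.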
