I'd like to differentiate users sharing the same LDAP directory and RADIUS authentication.
For example, if I have a student and a teacher, I'd like to be sure that the student will stay on its VLANs and so on.
I can do this by using vlan attributes and aaa override but if I do that, I will have for example a student connected to the teacher SSID but on the student vlan. It's not a pretty situation...
I read that we can use a Cisco avpair attribute to force users to connect only on their SSID but it doesn't seem to work with the controller.
Does anybody have a solution for my case?
I've used av-pair on the WLC for Web Splash Page, but not ssid restrictions.
I did however find this documentation: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml
It refers to configuring a NAR (Network Access Restriction) in ACS which makes it sound like you can limit a user to a specific SSID.
Thanks for your reply.
So, regarding this document, the WLC includes by default information concerning the SSID in its access-request to a RADIUS server, right?
Correct. The access-request would include the SSID in the access-requests. If the SSID is not one of the ones specified in the DNIS the Radius server would reject the request.
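The accept/reject decision described in the reply above, as an added example that is not part of the original thread or of ACS itself. It assumes the SSID arrives in the Called-Station-Id attribute as the AP MAC followed by `:` and the SSID; the group names, SSIDs and function names are hypothetical.

```python
import re

# Hypothetical policy: directory group -> SSIDs that group may join.
ALLOWED_SSIDS = {
    "students": {"Student"},
    "teachers": {"Teacher", "Student"},
}

# Assumed Called-Station-Id layout: "<AP MAC>:<SSID>". The MAC may be
# written with '-', ':' or '.' separators, or with none at all.
_MAC_PREFIX = re.compile(r"^(?:[0-9A-Fa-f]{2}[-:.]?){6}:")


def ssid_from_called_station_id(value):
    """Return the SSID carried after the AP MAC, or None if there is none."""
    match = _MAC_PREFIX.match(value or "")
    if not match:
        return None
    # Everything after the MAC is the SSID; SSIDs may contain ':' themselves.
    return value[match.end():] or None


def decide(group, called_station_id):
    """Accept only when the request's SSID is allowed for the user's group.

    Fails closed: an unknown group, or a request that carries no SSID
    (for example a NAS that sends only its MAC), is rejected.
    """
    ssid = ssid_from_called_station_id(called_station_id)
    if ssid is None:
        return "Access-Reject"
    # SSIDs are case-sensitive, so compare exactly.
    if ssid in ALLOWED_SSIDS.get(group, set()):
        return "Access-Accept"
    return "Access-Reject"


if __name__ == "__main__":
    # Constructed sample requests: (group, Called-Station-Id)
    samples = [
        ("students", "00-1A-2B-3C-4D-5E:Student"),
        ("students", "00-1A-2B-3C-4D-5E:Teacher"),
        ("teachers", "00:1a:2b:3c:4d:5e:Teacher"),
        ("teachers", "00-1A-2B-3C-4D-5E"),
    ]
    for group, csid in samples:
        print(group, csid, "->", decide(group, csid))
```
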
Let me piggyback on your thread. I have the same issue, but I am not using a WLC; instead I am using an "Autonomous AP". I believe by default it will not send the SSID in the authentication request.
How can I achieve the same result on an autonomous AP?
Could you please help?
Thanks in advance.