Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Filtering muliple EAP authenticated Vlan


A have the following scenario:

5 vlans configured on my AP, 3 of them use PEAP to authenticate users (not computers), I'm using ACS 3.3.3 connected to my Active Directory.

The thing is, How can I filter access from one SSID to another if I am using PEAP in those 3 SSIDs?

Let me explain the scenario:

I have one SSDI for Students (PEAP), other for Employees (Also PEAP) and the last one for IT (PEAP again)

How can I prevent a student from jumping to one SSID to another? Is there a Way to use some kind of key in addition to the domain username and password? How can I configure ACS to realise from wich SSID the user is trying to connect?

I anyone have an Idea, please help me!

Thank you guys, I will post my AP config so you can understand what I am talking about.


Re: Filtering muliple EAP authenticated Vlan

think you are referring to filter access between different vlans. If I am right, you can do this at the router level. To enable or disable routing between 2 vlans, router needs to be configured above the AP. Here, to filtter between these 3 vlans, donot configure the router with networks from all three vlans. This ensures that router doesn't have a route to reach other vlan and hence inter-vlan communication is filtered.

Is this the one you were expecting?. On the AP, if you want, you can create ACL to deny traffic to the subnets associated with those vlan.

New Member

Re: Filtering muliple EAP authenticated Vlan


I'm having similar problems in my deployment. Students wlan only has captive portal, no wireless encryption, while employees and IT wlan are protected with EAP-PEAP / WPA1 / TKIP.

Since I don't have PKI deployed (server certs aren't validated in the wireless clients), if a student associates with employees wlan and enter his credentials, he will gain acces to employees wlan, because the RADIUS database stores all users and passwords.

Is there any RADIUS attributes I can use to discern which user is trying to get access to the network?

I.e. a tunnel-ID attribute associated with access-request packet, so RADIUS can check that attribute matches proper user-password pair.

thanks in advance,

Ignacio Siles

New Member

Re: Filtering muliple EAP authenticated Vlan

Hello again,

I forgot to mention I have three WLC 4402, if this information is needed to specify the RADIUS attributes provided by cisco WLC.

New Member

Re: Filtering muliple EAP authenticated Vlan


There is a doc on CCO explaining how to restrict access to a SSID based on the user.

Have a look at



CreatePlease to create content