5 vlans configured on my AP, 3 of them use PEAP to authenticate users (not computers), I'm using ACS 3.3.3 connected to my Active Directory.
The thing is, how can I filter access from one SSID to another if I am using PEAP in those 3 SSIDs?
Let me explain the scenario:
I have one SSID for Students (PEAP), another for Employees (also PEAP) and the last one for IT (PEAP again).
How can I prevent a student from jumping from one SSID to another? Is there a way to use some kind of key in addition to the domain username and password? How can I configure ACS to realise from which SSID the user is trying to connect?
If anyone has an idea, please help me!
Thank you guys, I will post my AP config so you can understand what I am talking about.
I think you are referring to filtering access between different VLANs. If I am right, you can do this at the router level. To enable or disable routing between 2 VLANs, the router needs to be configured above the AP. Here, to filter between these 3 VLANs, do not configure the router with networks from all three VLANs. This ensures that the router doesn't have a route to reach the other VLAN and hence inter-VLAN communication is filtered.
Is this the one you were expecting? On the AP, if you want, you can create an ACL to deny traffic to the subnets associated with those VLANs.
I'm having similar problems in my deployment. Students wlan only has captive portal, no wireless encryption, while employees and IT wlan are protected with EAP-PEAP / WPA1 / TKIP.
Since I don't have PKI deployed (server certs aren't validated in the wireless clients), if a student associates with the employees WLAN and enters his credentials, he will gain access to the employees WLAN, because the RADIUS database stores all users and passwords.
Are there any RADIUS attributes I can use to discern which user is trying to get access to the network?
I.e. a tunnel-ID attribute associated with access-request packet, so RADIUS can check that attribute matches proper user-password pair.
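
The kind of check asked about above, as an added example that is not part of the original thread and is not ACS configuration. It assumes the AP sends the SSID in the Called-Station-Id attribute in the RFC 3580 form `AP-MAC:SSID` (optional, so confirm it in a captured Access-Request); the SSID names, group names and users are hypothetical.

```python
# Per-SSID authorization applied after the PEAP credentials have been verified.
# Assumption: Called-Station-Id arrives as "<17-char AP MAC>:<SSID>" (RFC 3580 form).

# Hypothetical policy: which directory groups may use which SSID.
SSID_ALLOWED_GROUPS = {
    "Students": {"students"},
    "Employees": {"employees", "it"},
    "IT": {"it"},
}

# Constructed sample data standing in for an Active Directory group lookup.
USER_GROUPS = {
    "alice.student": {"students"},
    "bob.staff": {"employees"},
    "carol.admin": {"it"},
}


def ssid_from_called_station_id(value):
    """Return the SSID part of 'MAC:SSID', or None if it is not present."""
    # The MAC is 17 characters with '-' or ':' separators. The SSID itself may
    # contain ':', so slice by position instead of splitting on the separator.
    if len(value) > 18 and value[17] == ":":
        return value[18:]
    return None


def authorize(request):
    """Return 'Access-Accept' or 'Access-Reject' for one Access-Request."""
    ssid = ssid_from_called_station_id(request.get("Called-Station-Id", ""))
    if ssid is None:
        # Fail closed: without the SSID the policy cannot be evaluated.
        return "Access-Reject"
    allowed = SSID_ALLOWED_GROUPS.get(ssid)
    if allowed is None:
        return "Access-Reject"  # SSID not covered by the policy
    groups = USER_GROUPS.get(request.get("User-Name", ""), set())
    # Valid credentials alone are not enough: the group must match the SSID.
    return "Access-Accept" if groups & allowed else "Access-Reject"


if __name__ == "__main__":
    # Constructed request: a student presenting valid credentials on "Employees".
    req = {"User-Name": "alice.student",
           "Called-Station-Id": "00-10-A4-23-19-C0:Employees"}
    print(authorize(req))
```
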