New Member

Limit EAP methods per SSID in ACS

Hi,

In a WLAN environment that has 2 WLCs, lots of LAPs and clients authenticating against an ACS which has Active Directory configured as an external database, I would like to know how I can limit the EAP methods per group or SSID in the ACS.

For example: one SSID can only use PEAP-MSCHAPv2 and the other SSID can only use EAP-TLS.

Thanks in advance.

2 ACCEPTED SOLUTIONS

Accepted Solutions
Cisco Employee

Re: Limit EAP methods per SSID in ACS

Hi,

You can do this with NAP on ACS. Create a NAP for each SSID you have and under the NAP you can allow only the desired EAP Method.

Thanks

Serge

Cisco Employee

Re: Limit EAP methods per SSID in ACS

As Serge said, you can do it with NAPs.

The trick is in the filter used to match the NAP.

Using Cisco WLCs there is an attribute that is sent on the Radius Access-Request which contains the SSID:

"Called-Station-Id=00-26-cb-ac-03-00:test"

Please note that in this example the ssid name is "test".

So on the NAP you need a filter like:

"[030]Called-Station-Id contains test"

HTH,
Tiago

4 REPLIES
Cisco Employee

Re: Limit EAP methods per SSID in ACS

All correct. Just adding that to have the WLC send the SSID after the MAC address in the Called-Station-Id, this needs to be configured:

(Cisco Controller) >config radius callStationIdType ?
              
ipaddr         Sets Call Station Id Type to the system's IP Address
macaddr        Sets Call Station Id Type to the system's MAC Address
ap-macaddr     Sets Call Station Id Type to the AP's MAC Address
ap-macaddr-ssid Sets Call Station Id Type to the format :

Enjoy!
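The two points above, Tiago's "[030]Called-Station-Id contains <ssid>" NAP filter and the callStationIdType setting the WLC needs so the SSID is actually present in the attribute, can be modelled in a few lines. The following Python is an added example written for this thread; it is not ACS or WLC code and ACS is not scripted this way. It reproduces what the NAP filter decides on a RADIUS Access-Request, using attribute 30 (Called-Station-Id) as the page shows it, and adds one check a practitioner usually wants: an exact SSID comparison on the text after the AP MAC, because a "contains test" filter also matches an SSID such as "testing". The SSID names, the per-SSID EAP policy and the sample requests are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set

# RFC 2865 attribute number for Called-Station-Id; the "[030]" in the ACS filter text.
CALLED_STATION_ID = 30

# Constructed per-SSID policy mirroring the original question: one SSID is PEAP-MSCHAPv2
# only, the other EAP-TLS only. One NAP per SSID would carry exactly this restriction.
SSID_EAP_POLICY: Dict[str, Set[str]] = {
    "test": {"PEAP-MSCHAPv2"},
    "corp-tls": {"EAP-TLS"},
}

# WLC writes the AP MAC with dashes, e.g. 00-26-cb-ac-03-00 (constructed value from the thread).
MAC_RE = re.compile(r"^([0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2}$")


@dataclass
class CalledStationId:
    ap_mac: str
    ssid: Optional[str]  # None when the WLC sends only a MAC (callStationIdType ap-macaddr / macaddr)


def parse_called_station_id(value: str) -> CalledStationId:
    """Split '<AP-MAC>:<SSID>' (callStationIdType ap-macaddr-ssid) into its parts.

    With 'ap-macaddr' or 'macaddr' there is no ':<SSID>' suffix and no per-SSID decision is
    possible; with 'ipaddr' the value is not a MAC at all and is rejected as unexpected.
    Only the first ':' separates MAC and SSID, so an SSID containing ':' survives intact.
    """
    mac, sep, ssid = value.partition(":")
    if not MAC_RE.match(mac):
        raise ValueError(f"unexpected Called-Station-Id format: {value!r}")
    return CalledStationId(ap_mac=mac.lower(), ssid=ssid if sep else None)


def acs_contains_filter(value: str, needle: str) -> bool:
    """Emulates the NAP filter '[030]Called-Station-Id contains <needle>': a plain substring test."""
    return needle in value


def exact_ssid_filter(value: str, ssid: str) -> bool:
    """Stricter variant: the SSID must be exactly the text after the AP MAC."""
    try:
        return parse_called_station_id(value).ssid == ssid
    except ValueError:
        return False


def allowed_eap_methods(attrs: Dict[int, str]) -> Set[str]:
    """EAP methods the matching NAP would permit for this request; empty set means no NAP matched.

    Requests without a usable SSID fall through to 'no match' rather than to a permissive default.
    """
    value = attrs.get(CALLED_STATION_ID)
    if value is None:
        return set()
    try:
        parsed = parse_called_station_id(value)
    except ValueError:
        return set()
    if parsed.ssid is None:
        return set()
    return set(SSID_EAP_POLICY.get(parsed.ssid, set()))


def evaluate(attrs: Dict[int, str], eap_method: str) -> bool:
    """True when the EAP method the client negotiated is allowed on the SSID it associated to."""
    return eap_method in allowed_eap_methods(attrs)


if __name__ == "__main__":
    # Constructed Access-Request attribute sets, one per scenario.
    samples = {
        "PEAP on SSID test": ({CALLED_STATION_ID: "00-26-cb-ac-03-00:test"}, "PEAP-MSCHAPv2"),
        "EAP-TLS on SSID test": ({CALLED_STATION_ID: "00-26-cb-ac-03-00:test"}, "EAP-TLS"),
        "EAP-TLS on SSID corp-tls": ({CALLED_STATION_ID: "00-26-cb-ac-03-00:corp-tls"}, "EAP-TLS"),
        "WLC left on ap-macaddr": ({CALLED_STATION_ID: "00-26-cb-ac-03-00"}, "PEAP-MSCHAPv2"),
    }
    for name, (attrs, method) in samples.items():
        print(f"{name}: {'allow' if evaluate(attrs, method) else 'reject'}")
    lookalike = "00-26-cb-ac-03-00:testing"
    print("contains 'test' matches 'testing':", acs_contains_filter(lookalike, "test"))
    print("exact 'test' matches 'testing':", exact_ssid_filter(lookalike, "test"))
```

The last two lines of the demo are the reason to prefer a match on the full ":<SSID>" suffix where the ACS filter syntax allows it; with only "contains", keep SSID names distinct enough that none is a substring of another.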

Cisco Employee

Re: Limit EAP methods per SSID in ACS

The solutions in this thread are great; I thought I would add one more. You can also accomplish this with CLI/DNIS Network Access Restrictions in ACS 4.2 with the : Calling-Station-ID configuration (which I believe is default on the WLCs):

-AAA Client would be set to your WLC NDG or IP

-Port would be set to *

-CLI would be set to *

-DNIS would be set to *

You can use a permit or deny based on what you are trying to accomplish.

--Jesse
