Cisco Support Community

New Member

Restricting wireless access to specific AD group


I have a problem in restricting wireless access to a specific Active Directory group. What's happening now is that every end-user that exists in the AD default group gains access via the wireless network.

Any brilliant idea how to restrict access to only the users defined in a specific group in the Active Directory?



Cisco Employee

Re: Restricting wireless access to specific AD group

Hi Sami,

A good way is to use dynamic VLAN assignment. First, configure your WLAN to be mapped to a 'blackhole' interface, e.g. an interface in a non-routed subnet. Second, create an interface for the wireless users as per normal. Then, if using ACS, use the group mapping to map the AD group to an ACS user group. In this ACS group, configure it to return either a VLAN ID or an Airespace interface name for the interface on the WLC for the wireless users. Finally, make sure AAA Override is configured on the WLAN.

This way, if a user does not return the VLAN/interface override they get put on the 'blackhole' VLAN.

This link should show you the configuration steps needed -

If using IAS, check out


Re: Restricting wireless access to specific AD group


What you should do is create a Wireless group in AD, and put your Wireless-Users and Wireless-Machines into that group.  In your RADIUS server, create a policy that will only authenticate users on the proviso that they are a member of that prerequisite group.  This approach works in pretty much any RADIUS server you care to mention, is easy to set up and manage, and won't require any changes to your WLCs.



New Member

Re: Restricting wireless access to specific AD group

Thanks Richard for your input. Actually I managed to do it successfully, the way you have said, but that was ahead of your posting. Thank you anyways.

New Member

Re: Restricting wireless access to specific AD group

I can get this to work no problem.  The issue that I have is restricting it now.  If I have 2 WLANs and 2 AD groups, it seems that I can log into either WLAN as long as I match either IAS policy.  Can someone point me in the right direction please?

Re: Restricting wireless access to specific AD group

Ah, that's easy! 

Read this:

Basically it's just a question of using the DNIS access restrictions within your appropriate ACS group and defining a rule along the lines of:

AAA Client - *

Port - *

CLI - *

DNIS - *myssidname

So when you're using this, the logical process within ACS (assuming v4.x ACS) goes like this:

ACS Receives Inbound Request from WLC

ACS Refers to Internal DB (and fails)

ACS Refers to AD (via Unknown User Policy)

AD Returns Group Membership Info (assuming supplied username / password are correct)

ACS Maps AD User to an ACS Group based on their AD Group Membership(s) and the defined ACS Group Mappings

ACS evaluates the DNIS supplied by the WLC and compares to the DNIS Access Restrictions configured within the ACS Group

Then either;

     The user is permitted if ESSID = DNIS


     The user is rejected if ESSID != DNIS

Hope this helps,
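The decision chain the thread describes, put together in one place as an added example (this is not code from the original posts or from Cisco ACS/IAS): the AD group prerequisite from the second reply, the blackhole WLAN interface plus AAA Override from the first reply, and the DNIS access restriction walked through in the last post. Everything in it is constructed: the user directory, the policy group names, the SSIDs, and the assumption that the WLC sends Called-Station-Id as "<AP MAC>:<SSID>", which is why the DNIS pattern starts with "*".

```python
"""Toy RADIUS authorization policy mirroring the ACS/IAS chain in this thread.

Constructed data only (no AD or RADIUS network I/O):
  1. credentials are checked against a stand-in AD (real AD does this step);
  2. AD group membership is mapped to the first matching policy group;
  3. the group's DNIS (Called-Station-Id) restriction is evaluated;
  4. on Access-Accept the VLAN/interface override is returned, and a small
     WLC-side helper shows where the client lands with AAA Override enabled.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed stand-in for the AD lookup: user -> (password, AD groups).
AD_DIRECTORY = {
    "alice": ("correct horse", {"Domain Users", "Wireless-Users"}),
    "bob": ("battery staple", {"Domain Users", "Wireless-Guests"}),
    "carol": ("zebra", {"Domain Users"}),  # valid account, no wireless group
}


@dataclass(frozen=True)
class PolicyGroup:
    name: str          # ACS/IAS group (hypothetical names)
    ad_group: str      # AD group that maps into this policy group
    dnis_pattern: str  # DNIS access restriction, e.g. "*corp-wifi"
    reply: dict        # attributes returned on Access-Accept


# Order matters: a user in several AD groups lands in the FIRST match, so the
# catch-all "Domain Users" entry must stay last. It returns no override, which
# with AAA Override leaves such users on the WLAN's own (blackhole) interface.
POLICY = (
    PolicyGroup("wifi-corp", "Wireless-Users", "*corp-wifi",
                {"Airespace-Interface-Name": "corp-users"}),
    PolicyGroup("wifi-guest", "Wireless-Guests", "*guest-wifi",
                {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                 "Tunnel-Private-Group-ID": "200"}),
    PolicyGroup("default", "Domain Users", "*", {}),
)


def authorize(request: dict) -> tuple:
    """Evaluate an Access-Request dict and return (code, attributes)."""
    entry = AD_DIRECTORY.get(request.get("User-Name", ""))
    # Internal DB miss -> Unknown User Policy -> AD. Bad credentials never
    # reach group mapping, so a wrong password learns nothing about groups.
    if entry is None or entry[0] != request.get("User-Password"):
        return "Access-Reject", {"reason": "bad credentials"}
    ad_groups = entry[1]

    group = next((g for g in POLICY if g.ad_group in ad_groups), None)
    if group is None:
        # Strict variant from the second reply: no permitted group, no access.
        return "Access-Reject", {"reason": "no matching group"}

    # Assumed WLC default: Called-Station-Id = "<AP MAC>:<SSID>". The leading
    # "*" in the pattern skips the MAC; the rest must match the SSID exactly
    # (fnmatchcase is case-sensitive, as SSIDs are).
    dnis = request.get("Called-Station-Id", "")
    if not fnmatchcase(dnis, group.dnis_pattern):
        return "Access-Reject", {"reason": f"SSID not permitted for {group.name}"}

    return "Access-Accept", dict(group.reply)


def wlc_interface(wlan_interface: str, reply: dict) -> str:
    """WLC behaviour with AAA Override on: a returned interface name or VLAN ID
    wins; otherwise the client stays on the WLAN's configured interface."""
    if "Airespace-Interface-Name" in reply:
        return reply["Airespace-Interface-Name"]
    if reply.get("Tunnel-Type") == "VLAN" and "Tunnel-Private-Group-ID" in reply:
        return "vlan" + reply["Tunnel-Private-Group-ID"]
    return wlan_interface


def wifi_login(user: str, password: str, ssid: str,
               ap_mac: str = "00-1a-2b-3c-4d-5e") -> tuple:
    """Build a constructed Access-Request for a client on `ssid` and return
    (code, interface the client lands on) or (code, reject reason)."""
    code, attrs = authorize({"User-Name": user, "User-Password": password,
                             "Called-Station-Id": f"{ap_mac}:{ssid}"})
    if code == "Access-Accept":
        return code, wlc_interface("blackhole", attrs)
    return code, attrs["reason"]


if __name__ == "__main__":
    for args in (("alice", "correct horse", "corp-wifi"),
                 ("alice", "correct horse", "guest-wifi"),
                 ("bob", "battery staple", "guest-wifi"),
                 ("carol", "zebra", "corp-wifi"),
                 ("alice", "wrong", "corp-wifi")):
        print(args, "->", wifi_login(*args))
```

Two caveats a practitioner should check before copying the pattern: the wildcard is only there to skip the AP MAC prefix, so a pattern like "*wifi" would match both corp-wifi and guest-wifi and silently undo the per-SSID restriction; and the Called-Station-Id layout depends on the WLC's call station ID type setting, so confirm the exact string in a RADIUS debug before writing the DNIS rule. Removing the catch-all "default" entry turns this into the strict variant from the second reply, where users outside a wireless group get Access-Reject instead of landing on the blackhole interface.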