Wireless Virtual LAN - SSID and ACS User Mapping

Hi Everybody

We have the following scenario:

- WLC 4402 and ACS 3.3
- 2 SSIDs, one for employees, one for guests
- All users (guests and employees) are authenticated against the ACS server.

We would like to only permit guest users to use the Guest SSID.

I've been reading the Wireless Virtual LAN Deployment Guide:

http://www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/wvlan_an.pdf

and have tried to use method 1:

- RADIUS-based SSID access control:

"Upon successful 802.1X or MAC address authentication, the RADIUS server passes back the allowed SSID list for the WLAN user to the access point or bridge. If the user used an SSID on the allowed SSID list, then the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the access point or bridge."

"This is configured by enabling the "[026/009/001] cisco-av-pair" option. On the ACS Server:

- Enable and configure Cisco IOS/PIX RADIUS Attribute,
  009\001 cisco-av-pair
- Example: ssid=LEAP_WEP"

I've tried this, but regardless of which SSID the user (group) has configured, it still can access all SSIDs.

Does anyone have any idea of what I'm doing wrong?

Does this setting only apply to access points, or is it also valid for the WLC 44xx series?

Greetings

Jarle

8 REPLIES

Re: Wireless Virtual LAN - SSID and ACS User Mapping

Put the guest users in a separate VLAN. Associating the Default VLAN ID to the native VLAN field is known as mapping the VLAN to the SSID. The mapping process is how the bridge is able to "connect" to the VLAN on the switch. So due to this only guest users will be assigned the SSID.


Re: Wireless Virtual LAN - SSID and ACS User Mapping

Hi, I'm sorry but this still does not help.

We have now upgraded ACS to version 4.0 and I'm still having the same problems.

This is what I have configured:

WLC:

- WLAN
  - SSID: Public
  - WLAN id = 3
  - L2 Security: 802.1x
  - Interface Name: GuestVLAN
- Controller - Interface
  - management - Untagged
  - GuestVLAN - VLAN 112
- Security
  - RADIUS Servers

When authenticating a guest (belonging to the proper group in ACS), the right VLAN is used, an IP address from DHCP is received, and the guest can access the internet.

Switch:

- Port connected to WLC uses trunking.
- Guests are connected to VLAN 112 and the "native VLAN" is used to connect the private users.

ACS:

- AAA Client is the WLC, authenticating using Cisco Airespace
- Guest users are members of Group 11
- Private users are members of Group 1

Group 11

- Use Per Group NAR to only allow WLAN Access
- Cisco Airespace RADIUS Attributes
  x 14179\001 Aire-WLAN-ID = 3
- Cisco IOS/PIX RADIUS Attributes
  x 009\001 Cisco-av-pair = "ssid=Public"
- IETF RADIUS Attributes
  x 006 Service-Type = Login
  x 007 Framed-Protocol = ppp
  x 064 Tunnel-Type = VLAN
  x 065 Tunnel-Medium-Type = 802.1x
  x 081 Tunnel-Private-Group-ID = 112

Group (default Group)

- Cisco Airespace RADIUS
  x 14179\001 Aire-WLAN-ID = 1
- Cisco IOS/PIX RADIUS Attributes
  x 009\001 Cisco-av-pair = "ssid=Private"
- IETF RADIUS
  x 008 Service-Type = Login
  x 064 Tunnel-Type = VLAN
  x 065 Tunnel-Medium-Type = 802.1x
  x 081 Tunnel-Private-Group-ID = 1

Do you have any idea of what I should change?

Greetings

Jarle


Re: Wireless Virtual LAN - SSID and ACS User Mapping

I'd forgotten to set "Allow AAA Override" = Enabled.

As soon as this was checked it worked.

(with minor issues of controller DHCP problems)

Thanx

Jarle
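To make the attributes in the ACS group settings above concrete, here is an added example (not code from the thread, Cisco ACS or the WLC) that encodes the Access-Accept attributes group 11 would return and runs them through a simplified model of the controller decision. The attribute layouts follow RFC 2865/2868 (Tunnel-Type = VLAN is value 13 per RFC 3580, Tunnel-Medium-Type = IEEE 802 is value 6, vendor ids 9 and 14179 as in the ACS screens). The controller-side logic is an assumption that models only what this thread reports: with "Allow AAA Override" off the WLAN's own interface is used and the per-user attributes are ignored, so a guest can join any WLAN; with it on, a returned WLAN-ID that differs from the WLAN the client joined is rejected and the returned VLAN replaces the interface VLAN.

```python
import struct

# Attribute numbers and values from RFC 2865/2868/3580 and the ACS settings in this thread
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PRIVATE_GROUP = 64, 65, 81
VSA = 26
TUNNEL_TYPE_VLAN = 13        # RFC 3580: Tunnel-Type "VLAN"
TUNNEL_MEDIUM_802 = 6        # RFC 2868: Tunnel-Medium-Type "IEEE 802"
CISCO, AIRESPACE = 9, 14179  # vendor ids: 009\001 cisco-av-pair, 14179\001 Aire-WLAN-ID


def tlv(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, total length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_int(attr_type: int, value: int, tag: int = 0) -> bytes:
    """Tunnel-Type / Tunnel-Medium-Type: one tag byte followed by a 3-byte integer."""
    return tlv(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_str(attr_type: int, text: str, tag: int = 0) -> bytes:
    """Tunnel-Private-Group-ID: one tag byte followed by the VLAN name or number."""
    return tlv(attr_type, bytes([tag]) + text.encode())


def vsa(vendor: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific (26): vendor id, then vendor type / length / value."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return tlv(VSA, struct.pack("!I", vendor) + inner)


def build_guest_accept() -> bytes:
    """Attribute section of the Access-Accept that ACS group 11 above would return (constructed)."""
    return b"".join([
        tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN),
        tagged_int(TUNNEL_MEDIUM, TUNNEL_MEDIUM_802),
        tagged_str(TUNNEL_PRIVATE_GROUP, "112"),
        vsa(CISCO, 1, b"ssid=Public"),                 # cisco-av-pair
        vsa(AIRESPACE, 1, (3).to_bytes(4, "big")),     # Aire-WLAN-ID = 3
    ])


def parse_attrs(data: bytes) -> dict:
    """Decode the attributes a controller would look at into a dict keyed by type or (vendor, type)."""
    out, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        value = data[i + 2:i + length]
        if attr_type == VSA:
            vendor = int.from_bytes(value[:4], "big")
            vendor_type, vendor_len = value[4], value[5]
            out[(vendor, vendor_type)] = value[6:4 + vendor_len]
        elif attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM):
            out[attr_type] = int.from_bytes(value[1:], "big")   # skip the tag byte
        elif attr_type == TUNNEL_PRIVATE_GROUP:
            # The first byte is a tag only if it is 0x00..0x1F (RFC 2868)
            out[attr_type] = (value[1:] if value[0] <= 0x1F else value).decode()
        i += length
    return out


def controller_decision(attrs: bytes, joined_wlan_id: int, interface_vlan: int,
                        aaa_override: bool) -> tuple:
    """Simplified model of the WLC behaviour described in this thread (assumption, not WLC code)."""
    if not aaa_override:
        # Per-user attributes are ignored: the WLAN's configured interface wins
        return ("accept", interface_vlan)
    a = parse_attrs(attrs)
    wlan_id = a.get((AIRESPACE, 1))
    if wlan_id is not None and int.from_bytes(wlan_id, "big") != joined_wlan_id:
        return ("reject", None)   # user is restricted to another WLAN
    if a.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN and a.get(TUNNEL_MEDIUM) == TUNNEL_MEDIUM_802:
        return ("accept", int(a[TUNNEL_PRIVATE_GROUP]))   # dynamic VLAN assignment
    return ("accept", interface_vlan)


if __name__ == "__main__":
    accept = build_guest_accept()
    # A guest joining the Private WLAN (id 1): let through without override, rejected with it
    print(controller_decision(accept, 1, 1, aaa_override=False))   # ('accept', 1)
    print(controller_decision(accept, 1, 1, aaa_override=True))    # ('reject', None)
    print(controller_decision(accept, 3, 112, aaa_override=True))  # ('accept', 112)
```

The first call reproduces the symptom from the earlier posts (guest attributes returned but never applied); the second shows why enabling the override made the restriction take effect.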


Re: Wireless Virtual LAN - SSID and ACS User Mapping

j -

What is the exact syntax for the avpair in ACS?

"ssid=ssid" in quotations?


Re: Wireless Virtual LAN - SSID and ACS User Mapping

Hi, no - without quotes: ssid=mypublicwlan

Greetings

Jarle


Re: Wireless Virtual LAN - SSID and ACS User Mapping

ssid-list is an autonomous mode feature and does not work properly in an LWAPP environment. For SSID restrictions in an LWAPP environment it is recommended to use the WLAN-ID field in the Cisco-Airespace-Radius configuration. Instead of specifying the SSID name, you specify the corresponding WLAN-ID number found on your controllers. Unfortunately, there is an AAA override bug (cscsd58434) that prevents this feature from working properly in some 3.2 and all 4.0 controller versions. The TAC workaround is to fall back to dynamic VLAN assignments. This is not a flexible enough workaround for most. Those still wishing to use SSID restrictions should use ACS Network Access Restrictions as follows:

AAA Client= Controllers

Port= *

CLI= *

DNIS= *ssidname

The * for the DNIS entry is required.
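Why the leading `*` in the DNIS entry is required is easier to see with the values the controller actually sends. The following is an added example (not ACS code and not from this thread's author) that models an ACS non-IP-based per-group NAR over constructed RADIUS requests. It assumes, as a labelled assumption, that the WLC fills Called-Station-Id with the AP radio MAC followed by the SSID ("MAC:SSID", the controller's default format) and Calling-Station-Id with the client MAC, and that ACS compares the NAR's DNIS and CLI fields against those two attributes with `*` as a wildcard.

```python
import re

# Constructed sample requests as a WLC would send them to ACS.
# Assumption: Called-Station-Id is "AP-MAC:SSID" and Calling-Station-Id is the client MAC.
REQUESTS = {
    "guest on public":  {"aaa_client": "wlc", "port": "1", "cli": "00-11-22-aa-bb-cc",
                         "dnis": "00-1a-2b-3c-4d-5e:public"},
    "guest on private": {"aaa_client": "wlc", "port": "1", "cli": "00-11-22-aa-bb-cc",
                         "dnis": "00-1a-2b-3c-4d-5e:private"},
}


def glob_match(pattern: str, text: str) -> bool:
    """NAR-style match: '*' matches any run of characters, everything else is literal."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, text, re.IGNORECASE) is not None


def nar_rule_matches(rule: dict, request: dict) -> bool:
    """A rule matches only when all four fields (AAA client, port, CLI, DNIS) match."""
    return all(glob_match(rule[k], request[k]) for k in ("aaa_client", "port", "cli", "dnis"))


def nar_allows(rules: list, request: dict, permitted: bool = True) -> bool:
    """Per-group NAR evaluation: with a 'permitted locations' filter the request must match
    some rule; with a 'denied locations' filter any match rejects it."""
    hit = any(nar_rule_matches(r, request) for r in rules)
    return hit if permitted else not hit


# The NAR recommended above for a group that may only use the "public" SSID
PUBLIC_ONLY = [{"aaa_client": "wlc", "port": "*", "cli": "*", "dnis": "*public"}]
# The same rule without the leading '*': the AP MAC prefix never matches, so nobody gets in
PUBLIC_NO_STAR = [{"aaa_client": "wlc", "port": "*", "cli": "*", "dnis": "public"}]


if __name__ == "__main__":
    for name, req in REQUESTS.items():
        print(name, "->", "allow" if nar_allows(PUBLIC_ONLY, req) else "deny")
    print("no star:", nar_allows(PUBLIC_NO_STAR, REQUESTS["guest on public"]))
```

With the `*` the guest is allowed on the public SSID and denied on the private one; without it every authentication against that group fails, which is the "both users can't pass" outcome a misconfigured DNIS produces. Whether the filter is set to permitted or denied locations inverts the result, which is the first thing to check when both groups fail at once.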


Re: Wireless Virtual LAN - SSID and ACS User Mapping

Hi mkisiel, our scenario is similar to the above one. I've configured a non-IP-based NAR as you suggested; however, it turns out that both users can't pass the authentication process, and when I uncheck the CLI/DNIS NAR box, both users can access any SSID. Here is my configuration:

WLC:

- WLAN
  - SSID: public
  - WLAN id = 2
  - L2 Security: 802.1x
  - Interface Name: public
- Controller - Interface
  - management - 128 (vlan id of management interface)
  - public - VLAN 205, vlan id 205
- SSID: private
  - WLAN id = 3
  - L2 Security: 802.1x
  - Interface Name: private
  - private - VLAN 204, vlan id 204
- Security
  - RADIUS Servers

ACS:

- AAA client = WLC, use Cisco Airespace authentication
- public user assigned to Group 1
- private user assigned to Default Group

Group 1

- Use Per Group NAR to only allow WLAN Access
  x aaa client = wlc
  x port = *
  x cli = *
  x dnis = *public

Default Group

- Use Per Group NAR to only allow WLAN Access
  x aaa client = wlc
  x port = *
  x cli = *
  x dnis = *private

Do I have to fill in the WLAN ID in the Cisco Airespace RADIUS Attributes blank? Or the 64, 65, 81 attribute blanks under IETF RADIUS Attributes? I've tried all the options above; however, it still doesn't work. Please help!


Re: Wireless Virtual LAN - SSID and ACS User Mapping

Double-check your NAR permit or deny conditions.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008052e960.html#wp697095

The Airespace parameter wlan-id can be blank. It won't have any effect anyway due to the AAA override bug. IETF RADIUS attributes won't matter because you are not defining IETF RADIUS as your authentication mechanism.
