WISM Multiple SSID authenticate with ACS SE, and getting different network
I would like to seek for your expertise to solve my question.
I have 1x WISM with Few lightweight AP, now i configure 3 SSID which all bind to one AP group in the WISM.
Each SSID has different AP interface(VLAN ID), and all SSID is using layer 3 security - Web Authetication via the Cisco Secure ACS-SE Internal Database. Inside the ACS-SE, it has 3 group - Student, Staff, and Guest which same with WISM SSID.
My objective is to make sure each SSID user only authenticate to cisco secure ACS-SE specific "group local database"(not sure right term or not), to avoid authorization issue For example - student/Guest intent to use the "staff SSID" then authetication success and gain the more right(due to same local database).
1. How to bind the specific SSID to Cisco Secure ACS-SE Group, and authenticate the user only which using the specific group database ? It is possible ?? Otherwise, it look like have to implement one more ACS to achieve the objetive.
2. The reason to do that is allowed different user get own privilege without step over own line, or in other word - Get the specific IP address via DHCP Server. Then I can control user based on the IP address.
3. Any other way to achieve getting different network address with using Layer 3 Security - Web authication via 1 Cisco secure ACS-SE.
Re: WISM Multiple SSID authenticate with ACS SE, and getting dif
Dear Jagdeep Gambhir,
Appreciate the Doc, and it look great.
So, i would like to double confirm one key point for the Doc.
Once we use the NARs features inside the ACS to specific the Non-IP-based filters based on the SSID, it only able to authenticate with the specific SSID.
For example, Admin user not able to get authentication success if he try to click the Sales SSID with key in own ID/PWS. The ACS will authenticate user based on the DNIS-*ssidname. Because I'm afraid, due to they are sharing the same local database, even Admin user click Sales SSID and he also able to get the Sales IP.
It is possible, i put all admin user inside one group, and just configure the NARS Non-IP-based filters in the group setting. Is it all group user that will inherit the setting without key in each user.