WLC - create 3 SSID with different rules

wanmohdhafiz
Level 1

Hi, my current campus network infrastructure is as below:

Scenario

- 2 unit WiSM module

- 2 unit ACS server

- 100 unit LWAP

We have 3 groups of users with 3 SSIDs, which are staff, student & guest. All the SSIDs have different rules. The current network setup is described below:

1) staff - authenticate from WiSM & ACS-1. Grab information for login & password from existing Oracle database using stored procedure.

2) student - authenticate from WiSM & ACS-2. Grab information for login & password from MySQL database. Using cron scheduler to push data from Oracle DB to MySQL DB.

3) Guest - Not authenticate yet. Planning to authenticate using another ACS server.

Problem

1- Currently we have 2 units of ACS to handle the SSIDs for staff & student. If we plan to create an SSID for guest, do we need to buy another ACS server? The problem with using 1 ACS server to handle 3 different SSIDs was that it cannot differentiate rules between staff, student & guest. Meaning that anyone can use any SSID & they can log in & surf the internet / intranet with the same privilege. For your info, we don't have a domain controller (Active Directory, LDAP, etc.).

2- I have heard about guest NAC server. My colleague recommended using it for guest wireless. From my existing wireless network setup, do you recommend using a guest NAC server or just using the existing wireless infrastructure for guest login?

Please advise.

Thanks


Scott Fella
Hall of Fame

Well, for guest in a school scenario, are you planning on having someone create a username and password for every user?  I say this because in most of my education installs, the staff doesn't want to have to deal with all the usernames and passwords.  Most have just used a splash page with the AUP and put them on the DMZ.  Some have just used a default username and password and changed that every so often.  You can use a NAC guest serve... basically it's a radius box if you want.  That can do self registration along with ISE.

For ACS, you can always define an end station filter and use that in your policy to define the SSID.  This way you can differentiate by looking at that ssid and user group.

Below shows how you would define your SSID.  My ssid name is "PEAP"

NGS

http://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_hotspots.html

ISE

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html

-Scott
*** Please rate helpful posts ***
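The end station filter idea from the reply above, modelled in Python as an added example (it is not from the thread and is not ACS configuration): one RADIUS policy decides on the SSID plus the user group. It assumes the WLC sends Called-Station-Id as `AP-MAC:SSID`; the role names, MAC address and function names are constructed for illustration.

```python
import re

# Constructed policy: SSID -> (identity group allowed on it, role granted).
# SSID and group names follow the thread; the role names are assumptions.
SSID_POLICY = {
    "staff": ("staff", "intranet+internet"),
    "student": ("student", "internet+student-services"),
    "guest": ("guest", "dmz-internet-only"),
}

# Assumed attribute format "AP-MAC:SSID"; the MAC may use '-' or ':' separators.
_CSID = re.compile(
    r"^(?P<mac>(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}):(?P<ssid>.+)$"
)


def ssid_from_called_station_id(value):
    """Return the SSID part, or None if the attribute is missing or malformed."""
    m = _CSID.match(value or "")
    return m.group("ssid") if m else None


def authorize(called_station_id, user_group):
    """Permit only when the user's group matches the SSID's group; fail closed."""
    ssid = ssid_from_called_station_id(called_station_id)
    if ssid is None:
        return ("deny", "no SSID in Called-Station-Id")
    rule = SSID_POLICY.get(ssid)  # SSIDs are case-sensitive, so match exactly
    if rule is None:
        return ("deny", f"unknown SSID {ssid!r}")
    allowed_group, role = rule
    if user_group != allowed_group:
        return ("deny", f"group {user_group!r} not permitted on SSID {ssid!r}")
    return ("permit", role)


if __name__ == "__main__":
    # Constructed sample requests: (Called-Station-Id, group of the authenticated user)
    samples = [
        ("00-1A-2B-3C-4D-5E:staff", "staff"),
        ("00-1A-2B-3C-4D-5E:staff", "student"),  # student trying the staff SSID
        ("00:1a:2b:3c:4d:5e:guest", "guest"),
        ("00-1A-2B-3C-4D-5E", "staff"),  # SSID not appended by the controller
    ]
    for csid, group in samples:
        print(csid, group, authorize(csid, group))
```

The second sample is the case raised in the original question: a valid student credential presented on the staff SSID is denied because the rule keys on both the SSID and the group.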

For guest, I think we will create the username & password for them...

Do we really need 2 ACS servers to handle 2 different SSIDs if we don't have any domain controller?

You should be able to use one ACS server for both SSIDs. You would need to create different user groups and authenticate against those. It might be tricky but you should be able to get it to work as long as you define multiple access service policies.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Scott Fella wrote:

You should be able to use one ACS server for both SSIDs.  You would need to create different user groups and authenticate against those.  It might be tricky but you should be able to get it to work as long as you define multiple access service policies.

Sent from Cisco Technical Support iPhone App

Great to hear that. Maybe I will open a new discussion topic regarding that matter.
