Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

How to configure Wireless LAN Controller (WLC) authentication for users by SSID verification


How to configure Wireless LAN Controller (WLC) authentication for users by SSID verification.




With the use of service-set identifier (SSID)-based WLAN access, the users can be authenticated based on the SSID they use in order to connect to the WLAN. The Cisco Secure Access Control Server (ACS) is used to authenticate the users. Authentication happens in two stages on the Cisco Secure ACS:

  1. EAP authentication

  2. SSID authentication based on Network Access Restrictions (NARs) on Cisco Secure ACS

If Extensible Authentication Protocol (EAP) and SSID-based authentication are successful, the user is allowed to access the WLAN or else the user is disassociated.

The Cisco Secure ACS uses the NARs feature to restrict user access based on the SSID.  A NAR is a definition, which you make in Cisco Secure ACS, of additional conditions that must be met before a user can access the network. Cisco Secure ACS applies these conditions using information from attributes sent by your AAA clients. Although there are several ways you can set up NARs, they are all based on matching attribute information sent by the AAA client. Therefore, you must understand the format and content of the attributes your AAA clients send if you want to employ effective NARs. When you set up a NAR, you can choose whether the filter operates positively or negatively. That is, in the NAR you specify whether to permit or deny network access, based on a comparison of information sent from AAA clients to the information stored in the NAR. However, if a NAR does not encounter sufficient information to operate, it defaults to denied access.

Basically, the controller sends in the dialed number identification service (DNIS) attribute (the SSID name). So if you build DNIS NAR in either the user or group, you can create per-user SSID restrictions.

For example:

AAA client = WLC
  port = *
  CLI = *

Note: Change the WLC to your configuration in your ACS, and ssid  name to the real name used on your network. Make sure to check spelling as it is case sensitive.

Refer to Restrict WLAN Access based on SSID with WLC and Cisco Secure ACS Configuration Example for more detailed information on SSID-based authentication. Refer to article How to implement RADIUS-based VLAN access control features on the Access Point  for more information.

Problem Type

Configure / Configuration issues


Wireless LAN Controllers

Version history
Revision #:
1 of 1
Last update:
‎06-22-2009 04:37 PM
Updated by: