Wireless SSID in ACS

Hi,
I want to do the restriction on the basis of SSID. I have two SSIDs on the Wireless LAN Controller and all authentications are happening through Active Directory via ACS. ACS is integrated with Active Directory.
The objective is to restrict the users: I want GROUP-A users to be able to log in only on SSID-A and GROUP-B users only on SSID-B.
GROUP-A users should not be able to log in to SSID-B and GROUP-B users should not be able to log in to SSID-A.
Is it possible in ACS to apply the restriction on the basis of SSID, or is there any other workaround?
Regards,
Vashdev

Vashdev,
Yes, SSID-based restriction is possible with Cisco ACS. Please configure GROUP-A and GROUP-B with their respective SSIDs (as *ssid), as shown in the configuration example listed below.
Restrict WLAN Access based on SSID with WLC and Cisco Secure ACS Configuration Example
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml
Regards,
JK
Do rate helpful posts.

Similar Messages

  • Wireless SSID with Certificate

    Dear All,
I have a wireless network with a Cisco 5508 WLC for the corporate network, a Cisco WLC for the guest network, ACS 4.2, and 200 access points.
    Corporate SSID authentication: WPA1 & 2 with dot1x (via ACS)
    Guest SSID authentication: web auth with ACS
    I need to configure an SSID for scanners.
    Is there any way to configure the scanners' wireless authentication via ACS with a trusted certificate?
    Thanks in advance
    Sreelal

Hi,
    Thanks for your reply.
    The customer has one certificate server (CA). We need to generate the certificate from that CA.
    Our scanner expert will load the generated certificate into the scanner.
    My scanner supports EAP-FAST, EAP-TLS, LEAP, PEAP and TTLS.
    So can I go with LEAP for scanners?
    Do you have any document or steps for completing this task?
    SSID config on the WLC?
    ACS 4.2 config?
    On the PC side, what config do we need (if we are connecting a PC to the same SSID)?
    Once again, thank you!!

  • Wireless ssid active on time

I have a question: can you set a wireless SSID to be active only during certain hours and days?

    I've looked at my router; it supports WCS. How can you configure it?
    I don't understand what a router has to do with a Cisco Wireless Control System (WCS). It's software that manages your Wireless LAN Controllers (WLC) and CAPWAP wireless access points.
    If you want to configure a time-based ACL, then click on the link below:
    Time-Based Access Lists Using Time Ranges
    Please don't forget to rate useful posts. Thanks.

  • Wireless SSID Broadcast?

When wireless SSID broadcast is disabled, does this prevent others in the area from seeing your network listed in the "View Available Wireless Networks" list?

    Thanks.
    Forgot to ask: if a relative comes over and I let them connect to my network, will I have to enable SSID broadcast for them to see it in order to log on?
    Message Edited by AceH on 03-20-2008 02:21 PM

  • Dhcp on wireless ssid's ?

I have a question. I would like a different DHCP server on each of my wireless SSIDs, set up with VLANs. How do you do that?

    By this I mean the following (I do not know if this is possible):
    Ethernet interface
      ip range 10.10.10.0 255.255.255.248
      vlan 1
    SSID one
      vlan 2
      authentication open
      mbssid guest mode
      ip range 20.20.20.0 255.255.255.248
    SSID two
      vlan 3
      authentication open
      mbssid guest mode
      ip range 20.20.20.0 255.255.255.248

  • Setup a hidden wireless SSID

I have a problem: I need to set up a hidden wireless SSID, but there is no place to change or enter an SSID.

    In the Wi-Fi settings there should be an option, when you press Menu, to Add Network.

  • Wireless Virtual LAN - SSID and ACS User Mapping

Hi everybody,
    We have the following scenario:
    - WLC 4402 and ACS 3.3
    - 2 SSIDs, one for employees, one for guests
    - All users (guests and employees) are authenticated against the ACS server.
    We would like to only permit guest users to use the guest SSID.
    I've been reading the Wireless Virtual LAN Deployment Guide:
    http://www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/wvlan_an.pdf
    and have tried to use method 1.
    - RADIUS-based SSID access control:
    "Upon successful 802.1X or MAC address authentication, the RADIUS server
    passes back the allowed SSID list for the WLAN user to the access point or bridge. If the user used an SSID on the allowed SSID list, then the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the access point or bridge."
    "This is configured by enabling the '[026/009/001] cisco-av-pair' option. On the ACS server:
    - Enable and configure Cisco IOS/PIX RADIUS Attribute,
    009\001 cisco-av-pair
    - Example: ssid=LEAP_WEP"
    I've tried this, but regardless of which SSID the user (group) has configured, it still can access all SSIDs.
    Does anyone have any idea what I'm doing wrong?
    Does this setting only apply to access points, or is it also valid for the WLC 44xx series?
    Greetings
    Jarle

Hi, I'm sorry but this still does not help.
    We have now upgraded ACS to version 4.0 and I'm still having the same problems.
    This is what i have configured:
    WLC:
    - WLAN
    - SSID : Public
    - WLAN id = 3
    - L2 Security : 802.1x
    - Interface Name : GuestVLAN
    - Controller - Interface
    - management - Untagged
    - GuestVLAN - VLAN 112
    - Security
    - RADIUS Servers
When authenticating a guest (belonging to the proper group in ACS), the right VLAN is used, IP addresses from DHCP are received, and the guest can access the internet.
    Switch:
    - Port connected to WLC uses Trunking.
- Guests are connected to VLAN 112 and the native VLAN is used to connect the private users.
    ACS:
- AAA client is the WLC, authenticating using Cisco Airespace
    - Guest Users are member of Group 11
    - Private Users are member of Group 1
    Group 11
- Use per-group NAR to only allow WLAN access
    - Cisco Airespace RADIUS Attributes
    x 14179\001 - Aire-WLAN-ID = 3
    - Cisco IOS / PIX RADIUS Attributes
x 009\001 Cisco-av-pair = "ssid=Public"
    - IETF Radius Attributes
    x 006 Service Type = Login
x 007 Framed-Protocol = ppp
    x 064 Tunnel-Type = VLAN
    x 065 Tunnel-Medium-Type = 802.1x
    x 081 Tunnel-Private-Group-ID = 112
    Group (default Group)
    - Cisco Airespace RADIUS
    x 14179\001 Aire-WLAN-ID = 1
    - Cisco IOS/PIX Radius Attrib
    x 009\001 Cisco-av-pair = "ssid=Private"
    - IETF RADIUS
    x 008 Service-type = Login
    x 064 Tunnel-Type = VLAN
x 065 Tunnel-Medium-Type = 802.1x
    x 081 Tunnel-Private-Group-ID = 1
Do you have any idea what I should change?
    Greetings
    Jarle

  • Single SSID and ACS

Hi,
    I would like your help with the following scenario. We currently have a setup of CAS, CAM, LDAP, WiSM and ACS.
    The main point I'm focusing on is the ACS and WiSM.
    Users are to obtain wireless access using a single SSID, and upon validation of credentials they should gain access to one of 3 VLANs: guest, data and voice. The use of a separate SSID per VLAN was highly discouraged by the customer.
    Would appreciate your advice on the best feasible way to implement this.
    Regards,

    Hi,
You can have a single SSID in your setup. You need to set up the feature called Dynamic VLAN Assignment.
    Check out this link,
    http://www.cisco.com/en/US/partner/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
    Regards,
    ~JG
Please rate if that helps!
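The exchange behind the dynamic VLAN assignment answer above, and behind the tunnel attributes in Jarle's "Wireless Virtual LAN - SSID and ACS User Mapping" thread, as an added example that is not part of the original posts or of Cisco's configuration example. The RADIUS server returns the three IETF tunnel attributes in Access-Accept, and the controller moves the client to that VLAN only when the WLAN has "Allow AAA Override" enabled. The group-to-VLAN table (`GROUP_VLAN`), the VLAN numbers and the function names are the example's own assumptions; the encoder and parser follow RFC 2865/2868 framing.

```python
# Added example, not code from the thread, from Cisco or from ACS: dynamic VLAN
# assignment in miniature. The RADIUS server answers with the three IETF tunnel
# attributes (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID)
# and the controller moves the client to that VLAN only when "Allow AAA Override"
# is enabled on the WLAN. The group-to-VLAN table is an assumed value.
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6

# Assumed ACS group configuration for one SSID: only the VLAN differs per group.
GROUP_VLAN = {"guest": 112, "data": 10, "voice": 30}


def tlv(attr_type, value):
    """One RADIUS attribute: Type(1) Length(1) Value; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tunnel_int(attr_type, value, tag=0):
    """Integer tunnel attribute: a tag octet (0 = untagged) then a 3-octet value."""
    return tlv(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def vlan_attrs(group):
    """Attribute list the server returns in Access-Accept for a member of `group`."""
    vlan = GROUP_VLAN[group]
    return b"".join([
        tunnel_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN),
        tunnel_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802),
        # string tunnel attribute: tag octet 0, then the VLAN as text
        tlv(TUNNEL_PRIVATE_GROUP_ID, bytes([0]) + str(vlan).encode()),
    ])


def parse_tunnel_attrs(blob):
    """Decode the tunnel attributes from an attribute list; other attributes are skipped."""
    out, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute length")
        value = blob[i + 2:i + length]
        i += length
        if attr_type == TUNNEL_TYPE and len(value) == 4:
            out["tunnel_type"] = int.from_bytes(value[1:], "big")     # drop the tag octet
        elif attr_type == TUNNEL_MEDIUM_TYPE and len(value) == 4:
            out["tunnel_medium"] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # a leading octet <= 0x1F is a tag; anything larger is the first character
            text = value[1:] if value[0] <= 0x1F else value
            out["vlan"] = text.decode("ascii", errors="replace")
    return out


def wlc_client_vlan(attrs, interface_vlan, aaa_override):
    """VLAN the client ends up in. The RADIUS VLAN wins only with AAA Override on and
    a complete, consistent triple; otherwise the WLAN's mapped interface VLAN applies."""
    a = parse_tunnel_attrs(attrs)
    if (aaa_override
            and a.get("tunnel_type") == TUNNEL_TYPE_VLAN
            and a.get("tunnel_medium") == TUNNEL_MEDIUM_IEEE_802
            and a.get("vlan", "").isdigit()
            and 1 <= int(a["vlan"]) <= 4094):
        return int(a["vlan"])
    return interface_vlan


if __name__ == "__main__":
    for group in GROUP_VLAN:
        attrs = vlan_attrs(group)
        print(group, parse_tunnel_attrs(attrs),
              "client VLAN:", wlc_client_vlan(attrs, interface_vlan=5, aaa_override=True))
```

Two things practitioners trip on are both visible in `wlc_client_vlan`: if the WLAN does not have Allow AAA Override enabled the attributes are ignored and the client stays on the interface VLAN the WLAN is mapped to (the `aaa_override=False` path), and Tunnel-Medium-Type must be IEEE-802 (value 6) for the VLAN triple to be honoured. The parser also accepts Tunnel-Private-Group-ID with or without the RFC 2868 tag octet, since different RADIUS servers include or omit it.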

  • What are steps configure Certificate based authentication for Wireless clients with ACS 5.3?

I need to authenticate my clients connecting via wireless.
    The clients have a user certificate installed on them; I need help configuring ACS to do the authentication.
    Can someone please help me with the steps?
    Thanks

Two primary steps:
    - Define the trust certificates needed to verify the clients' user certificates:
    Users and Identity Stores > Certificate Authorities
    - Change the result of the identity policy to select a certificate authorization profile. If you have the default config:
    Access Policies > Access Services > Default Network Access > Identity
    By default you can select "CN Username" as the result.

  • Best Wireless Auth. methods ACS 3.2(3) and AD

I am new to ACS and wireless authentication. I have just deployed my ACS 3.2 for Windows, and am trying to select the best methods of authentication for my environment. I have determined my risk level to be low to medium. I would consider MAC-based auth to be sufficient for users that don't support LEAP or a similar protocol. I have a mixed OS base from Win98, 2000 and XP and MacOS 9.2 to MacOS X. I have AD set up as the external database, and it is working with ACS to allow RADIUS auth on my AP1100G access points. My questions are these:
    1- What is the best practice for setting up the MAC address auth? Do I create a text list, ACS records, an SQL database, or can it be done in AD in some way?
    2- Is LEAP the best auth protocol considering my needs? Is there one that would be less difficult to set up but offer the low to medium security I need?
    3- I am a little confused by the config that needs to exist on the Aironet 1100 series AP. What would be a good document (or documents) for the configuration of these devices?
    Eric Bodily
    Idaho Falls School District 91
    Network Administrator

I have no issues running Cisco ACS version 3.2 on Windows Server 2003 with SP2:
    1) Create user test1 in MS Active Directory and put test1 in the Users group with dial-in access granted,
    2) Create a group called "LDAP". Actually I renamed group name "group 1" to "LDAP".
    3) In the ACS external user database configuration, I specified domain "CCIE" for this. The unknown user policy is to use the Windows Database configuration,
    4) Configure the database configuration in ACS to point to the "CCIE" Windows domain,
    5) Set up the ACS to authenticate one of your Cisco devices and log in using the MS Windows account.
    By the way, mgurwara, you are wrong. I run Cisco ACS 3.2 on Windows 2003 Enterprise Edition with Service Pack 2. I am running it on a Dell Optiplex GX240 (1.7 GHz with 512MB of RAM) and it is running fine. I use it to manage about 20 Cisco devices and about 200 wireless LEAP users. Furthermore, I am also running ACS 4.1 on another identical piece of hardware. It has nothing to do with the hardware. I don't know where you got that information from.

  • Wireless SSID @ Multiple Sites

Not sure where to post this, but here goes.
    I have 8 sites all running Motorola wireless controllers with multiple SSIDs.
    I have recently decided to move to the Cisco 2504 WLC since our Motorola devices were out of warranty and support.
    The issue I am experiencing is that when I configure my WLC 2504 with the identical SSID parameters/settings as my Motorola devices, the users are unable to connect. They have to manually remove the existing wireless profile and re-create it.
    This will be a bit of a pain, especially with 700 users.
    Any ideas if there is a feature that can enable this "talk nice" piece?
    Cheers, and hopefully this makes sense.

Oops, wrong WLAN.
    WLAN Identifier.................................. 5
    Profile Name..................................... PDA
    Network Name (SSID).............................. GLPDABG
    Status........................................... Enabled
    MAC Filtering.................................... Disabled
    Broadcast SSID................................... Enabled
    AAA Policy Override.............................. Enabled
    Network Admission Control
      Client Profiling Status ....................... Disabled
       DHCP ......................................... Disabled
       HTTP ......................................... Disabled
      Radius-NAC State............................... Disabled
      SNMP-NAC State................................. Disabled
      Quarantine VLAN................................ 0
    Maximum number of Associated Clients............. 0
    Maximum number of Clients per AP Radio........... 200
    Number of Active Clients......................... 1
    Exclusionlist.................................... Disabled
    Session Timeout.................................. 1800 seconds
    User Idle Timeout................................ 300 seconds
    User Idle Threshold.............................. 0 Bytes
    NAS-identifier................................... CS-2504-01
    CHD per WLAN..................................... Enabled
    Webauth DHCP exclusion........................... Disabled
    Interface........................................ wifibg
    Multicast Interface.............................. Not Configured
    WLAN IPv4 ACL.................................... unconfigured
    WLAN IPv6 ACL.................................... unconfigured
    mDNS Status...................................... Enabled
    mDNS Profile Name................................ default-mdns-profile
    DHCP Server...................................... Default
    DHCP Address Assignment Required................. Disabled
    Static IP client tunneling....................... Disabled
    Quality of Service............................... Silver
    Per-SSID Rate Limits............................. Upstream      Downstream
    Average Data Rate................................   0             0
    Average Realtime Data Rate.......................   0             0
    Burst Data Rate..................................   0             0
    Burst Realtime Data Rate.........................   0             0
    Per-Client Rate Limits........................... Upstream      Downstream
    Average Data Rate................................   0             0
    Average Realtime Data Rate.......................   0             0
    Burst Data Rate..................................   0             0
    Burst Realtime Data Rate.........................   0             0
    Scan Defer Priority.............................. 4,5,6
    Scan Defer Time.................................. 100 milliseconds
    WMM.............................................. Allowed
    WMM UAPSD Compliant Client Support............... Disabled
    Media Stream Multicast-direct.................... Disabled
    CCX - AironetIe Support.......................... Enabled
    CCX - Gratuitous ProbeResponse (GPR)............. Disabled
    CCX - Diagnostics Channel Capability............. Disabled
    Dot11-Phone Mode (7920).......................... Disabled
    Wired Protocol................................... None
    Passive Client Feature........................... Disabled
    Peer-to-Peer Blocking Action..................... Disabled
    Radio Policy..................................... 802.11b and 802.11g only
    DTIM period for 802.11a radio.................... 1
    DTIM period for 802.11b radio.................... 1
    Radius Servers
       Authentication................................ Global Servers
       Accounting.................................... Global Servers
          Interim Update............................. Disabled
       Dynamic Interface............................. Disabled
       Dynamic Interface Priority.................... wlan
    Local EAP Authentication......................... Disabled
    Security
       802.11 Authentication:........................ Open System
       FT Support.................................... Disabled
       Static WEP Keys............................... Disabled
       802.1X........................................ Disabled
       Wi-Fi Protected Access (WPA/WPA2)............. Enabled
          WPA (SSN IE)............................... Disabled
          WPA2 (RSN IE).............................. Enabled
             TKIP Cipher............................. Disabled
             AES Cipher.............................. Enabled
          Auth Key Management
             802.1x.................................. Disabled
             PSK..................................... Enabled
             CCKM.................................... Disabled
             FT-1X(802.11r).......................... Disabled
             FT-PSK(802.11r)......................... Disabled
             PMF-1X(802.11w)......................... Disabled
             PMF-PSK(802.11w)........................ Disabled
          FT Reassociation Timeout................... 20
          FT Over-The-DS mode........................ Enabled
          GTK Randomization.......................... Disabled
          SKC Cache Support.......................... Disabled
          CCKM TSF Tolerance......................... 1000
       WAPI.......................................... Disabled
       Wi-Fi Direct policy configured................ Disabled
       EAP-Passthrough............................... Disabled
       CKIP ......................................... Disabled
       Web Based Authentication...................... Disabled
       Web-Passthrough............................... Disabled
       Conditional Web Redirect...................... Disabled
       Splash-Page Web Redirect...................... Disabled
       Auto Anchor................................... Disabled
       FlexConnect Local Switching................... Disabled
       flexconnect Central Dhcp Flag................. Disabled
       flexconnect nat-pat Flag...................... Disabled
       flexconnect Dns Override Flag................. Disabled
       FlexConnect Vlan based Central Switching ..... Disabled
       FlexConnect Local Authentication.............. Disabled
       FlexConnect Learn IP Address.................. Enabled
       Client MFP.................................... Optional
       PMF........................................... Disabled
       PMF Association Comeback Time................. 1
       PMF SA Query RetryTimeout..................... 200
       Tkip MIC Countermeasure Hold-down Timer....... 60
    AVC Visibilty.................................... Disabled
    AVC Profile Name................................. None
    Flow Monitor Name................................ None
    Call Snooping.................................... Disabled
    Roamed Call Re-Anchor Policy..................... Disabled
    SIP CAC Fail Send-486-Busy Policy................ Enabled
    SIP CAC Fail Send Dis-Association Policy......... Disabled
    KTS based CAC Policy............................. Disabled
    Assisted Roaming Prediction Optimization......... Disabled
    802.11k Neighbor List............................ Disabled
    802.11k Neighbor List Dual Band.................. Disabled
    Band Select...................................... Disabled
    Load Balancing................................... Disabled
    Multicast Buffer................................. Disabled
    Mobility Anchor List
    WLAN ID     IP Address            Status
    802.11u........................................ Disabled
    MSAP Services.................................. Disabled

  • How to grant wire access to a wireless ssid

I have a Wireless LAN Controller (5508) broadcasting 2 SSIDs. One is a secure VLAN, getting an IP address from a local DHCP server and access to the internal network; the other SSID is for a guest VLAN where the DHCP server is at a remote site and internet access is off a circuit in our data center, which is reached over a WAN. The secure SSID's VLAN is defined on the local switch, but the guest VLAN is not defined on the local switch.
    The APs in the respective sites are trunked to the core switch, and the switchport config is:
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 5
    switchport trunk allowed vlan 5
    switchport mode trunk
    srr-queue bandwidth share 10 10 60 20
    srr-queue bandwidth shape 10 0 0 0
    queue-set 2
    priority-queue out
    mls qos trust cos
    auto qos voip trust
    spanning-tree portfast
It's trunked because we have both VLANs going across this physical connection.
    I would like to give the guest VLAN a wired connection, i.e. off a switch/hub, but I'm not sure how to do that as this guest VLAN is not defined on our local network.

You may be trunking, but you're only allowing VLAN 5 across the trunk.
    On your controller, how are your interfaces configured?
    Your SSIDs should match up with an interface, which matches an L2 VLAN, which eventually matches an L3 IP address.
    Can you provide a little more detail? I've done this setup in the past, so it's doable.

  • Wireless connection not scanning wireless SSID automatically after standby/hibernate

    Hi,
I have a Cisco 1242 access point running a WPA2/AES TKIP profile with EAP authentication, broadcasting the SSID. I have Dell laptops that have the 3945ABG wireless card. The connection works when you configure the profile on the laptop with the Windows wireless manager, but when the computer recovers from standby/hibernate it does not scan the network automatically; you have to refresh the wireless network manager and refresh the network list to make the connection with the SSID. Is this issue with the laptop or with the access point? I tried various things on the laptop but was not able to troubleshoot it, so I am thinking it may be some timer/beacon/signal settings that need to be tweaked. Any help will be appreciated.
    Regards

    This is most likely a driver issue. http://support.dell.com/

  • Wireless Authentication + WLC + ACS + AD

    Hello Everyone,
I'm trying to configure an authentication policy in my wireless network.
    I need to authenticate users who are members of the group "Wireless users" in Active Directory.
    My question is: do I need to use ACS for this authentication against the AD group, or is the controller alone enough?
    I do not want to use the digital certificate solution.
    My Topology is:
    USER -> AP -> Controller -> ACS -> AD
    Or
    USER -> AP -> Controller -> AD
    Help?
Thanks a lot.

Well, the kind of requirement you have does ask for digital certs, because most of the EAP flavors depend on certs.
    However, you may go for LEAP (doesn't need certs):
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml#c4
    You may go for WLC and LDAP (with certs, without ACS):
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml
    Regards,
    Jatin
    Do rate helpful posts.

  • Restricting Wireless Access using ACS 3.3

We are currently running ACS 3.3 and I am trying to figure out how to restrict wireless access to specific user groups. Our current setup uses PEAP with ACS as the RADIUS server. Our user database is mapped to Windows 2003 AD. I've got PEAP working and the RADIUS authentication is also working, but I cannot seem to figure out how to restrict wireless access to specific Windows/ACS groups.
    Erik

Hi,
    On ACS 3.3.x you can certainly achieve this; all you have to do is configure a NAR (Network Access Restriction). Here is the link which should provide you with further information on it.
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml
    -Parm
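The mechanism the NAR answer above and the "(*ssid)" wildcard in the first thread's answer both rely on, as an added example that is not part of the original posts or of Cisco's configuration example. A per-group Network Access Restriction with a CLI/DNIS filter compares its DNIS pattern against the Called-Station-Id in the Access-Request; a WLC can be told to put the SSID there (AireOS: `config radius callStationIdType ap-macaddr-ssid`), so a pattern ending in the SSID permits the group only on that WLAN. The group names, SSIDs, AAA client addresses, MACs, the exact Called-Station-Id format and the `GROUP_NAR` table are the example's own assumptions, and the NAR model is simplified to three filters.

```python
# Added example, not code from the thread, from Cisco or from ACS: a simplified model
# of a per-group NAR that permits a group only on its own SSID. It relies on the
# controller placing the SSID in Called-Station-Id (AireOS: config radius
# callStationIdType ap-macaddr-ssid). Group names, SSIDs, AAA client addresses,
# MACs and the Called-Station-Id format are assumed values.
import fnmatch

# Assumed NAR per group: permit when the request matches one DNIS (Called-Station-Id)
# pattern, one CLI (Calling-Station-Id) pattern and comes from a listed AAA client.
GROUP_NAR = {
    "GROUP-A": {"dnis": ["*:SSID-A"], "cli": ["*"], "aaa_clients": {"10.0.0.10", "10.0.0.11"}},
    "GROUP-B": {"dnis": ["*:SSID-B"], "cli": ["*"], "aaa_clients": {"10.0.0.10", "10.0.0.11"}},
}


def called_station_id(ap_mac, ssid):
    """Called-Station-Id as assumed here for a WLC with callStationIdType ap-macaddr-ssid:
    hyphenated lowercase AP MAC, a colon, then the SSID."""
    return f"{ap_mac.replace(':', '-').lower()}:{ssid}"


def access_request(nas_ip, ap_mac, ssid, client_mac):
    """The RADIUS fields the NAR looks at (a constructed request, not a captured one)."""
    return {
        "nas_ip": nas_ip,
        "called_station_id": called_station_id(ap_mac, ssid),
        "calling_station_id": client_mac.replace(":", "-").lower(),
    }


def nar_permits(group, req):
    """Permit-style NAR: every filter must be satisfied, anything unmatched is denied."""
    nar = GROUP_NAR[group]
    dnis_ok = any(fnmatch.fnmatchcase(req["called_station_id"], p) for p in nar["dnis"])
    cli_ok = any(fnmatch.fnmatchcase(req["calling_station_id"], p) for p in nar["cli"])
    client_ok = req["nas_ip"] in nar["aaa_clients"]
    return dnis_ok and cli_ok and client_ok


def authorize(group, req):
    """Server decision for one Access-Request from a user in `group`."""
    return "Access-Accept" if nar_permits(group, req) else "Access-Reject"


def dnis_matches(pattern, called_station):
    """Wildcard match used by the DNIS filter; shows why '*SSID-A' is looser than
    '*:SSID-A' when one SSID name is a suffix of another."""
    return fnmatch.fnmatchcase(called_station, pattern)


if __name__ == "__main__":
    req = access_request("10.0.0.10", "00:1A:2B:3C:4D:5E", "SSID-A", "AA:BB:CC:DD:EE:01")
    for group in GROUP_NAR:
        print(group, "on", req["called_station_id"], "->", authorize(group, req))
```

Two caveats a practitioner would want. First, Called-Station-Id is asserted by the NAS, so the restriction is only as trustworthy as the AAA client list and shared secrets; the `aaa_clients` filter models that, and a request from an unlisted address is rejected regardless of SSID. Second, a bare `*SSID-A` pattern also matches an SSID named `XSSID-A`, which is why the example anchors the pattern on the colon separator.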
