Wireless SSID in ACS
Hi,
I want to do the restriction on the basis of SSID. I have two SSIDs on the Wireless LAN controller and all authentications are happening through Active Directory via ACS. ACS is integrated with Active Directory.
The objective is to restrict the users: I want GROUP-A users to be able to log in only on SSID-A and GROUP-B users to log in only on SSID-B.
GROUP-A users should not be able to log in to SSID-B and GROUP-B users should not be able to log in to SSID-A.
Is it possible in ACS to apply the restriction on the basis of SSID, or is there any other workaround?
Regards,
Vashdev
Vashdev,
Yes, SSID-based restriction is possible with Cisco ACS. Please configure GROUP-A and GROUP-B with their respective SSIDs (e.g. *ssid) as mentioned in the configuration example listed below.
Restrict WLAN Access based on SSID with WLC and Cisco Secure ACS Configuration Example
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml
Regds,
JK
Do rate helpful posts.
Similar Messages
-
Wireless SSID with Certificate
Dear All,
I have a wireless network with a Cisco 5508 WLC for the corporate network, a Cisco WLC for the guest network, ACS 4.2, and 200 access points.
Corporate SSID authentication- WPA1 & 2 with Dot1X(Via ACS)
Guest SSID authentication- Webauth with ACS
I need to configure an SSID for scanners.
Is there any way to configure the scanners wireless authentication via ACS with a trusted certificate?
Thanks in advance
Sreelal
Hi,
Thanks for your reply.
The customer has one certificate server (CA). We need to generate the certificate from that CA.
Our scanner expert will load the generated certificate into the scanner.
My scanner supports EAP-FAST, EAP-TLS, LEAP, PEAP, TTLS.
So can I go with LEAP for scanners?
Do you have any document or steps for completing this task?
SSID config on WLC?
ACS 4.2 Config?
On PC side what config we need to do (If we are connecting a PC to the same SSID)?
Once again, thanking you!!
-
I have a question: can you set the hours and days during which a wireless SSID is active?
I've looked at my router; it supports WCS. How can you configure it?
I don't understand what a router has to do with a Cisco Wireless Control System (WCS). It's software that manages your Wireless LAN Controllers (WLC) and CAPWAP wireless access points.
If you want to configure time-based ACL, then click on the link below:
Time-Based Access Lists Using Time Ranges
Please don't forget to rate useful posts. Thanks.
-
Wireless SSID Broadcast?
When wireless SSID broadcast is DISABLED, does this prevent others in the area from seeing your network listed in the "view available wireless networks" list?
Thanks.
Forgot to ask: If a relative comes over and I let them hook into my network, will I have to ENABLE SSID for them to see it in order to log on?
Message Edited by AceH on 03-20-2008 02:21 PM
-
DHCP on wireless SSIDs?
I have a question: I would like a different DHCP server on my wireless SSIDs, set up with VLANs. How do you do that?
By this I mean, I do not know if this is possible:
Ethernet interfaces
ip range 10.10.10.0 255,255,255,248
vlan 1
One ssid
Vlan 2
Authentication open
Mbssid Guest mode
ip range 20.20.20.0 255,255,255,248
ssid two
Vlan 3
Authentication open
Mbssid Guest mode
ip range 20.20.20.0 255,255,255,248
-
I have a problem: I need to set up a hidden wireless SSID and there is no place to change or enter an SSID?
In the Wi-Fi settings there should be an option when you press Menu to Add Network.
-
Wireless Virtual LAN - SSID and ACS User Mapping
Hi Everybody
We have the following scenario:
- WLC 4402 and ACS 3.3
- 2 SSIDs, one for employees, one for guests
- All users (guests and employees) are authenticated against the ACS Server.
We would like to only permit Guest users to use the Guest SSID.
I've been reading the Wireless Virtual LAN Deployment Guide :
http://www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/wvlan_an.pdf
and have tried to use method 1.
- RADIUS-based SSID access control:
"Upon successful 802.1X or MAC address authentication, the RADIUS server
passes back the allowed SSID list for the WLAN user to the access point or bridge. If the user used an SSID on the allowed SSID list, then the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the access point or bridge."
"This is configured by enabling the "[026/009/001] cisco-av-pair" option. On the ACS Server
- Enable and configure Cisco IOS/PIX RADIUS Attribute,
009\001 cisco-av-pair
- Example: ssid=LEAP_WEP"
I've tried this, but regardless of which SSID the user (group) has configured, it still can access all SSIDs?
Does anyone have any idea of what I'm doing wrong?
Does this setting only apply to Access Points, or is it also valid for the WLC 44xx series?
Greetings
Jarle
Hi, I'm sorry but this still does not help.
We have now upgraded ACS to version 4.0 and I'm still having the same problems.
This is what I have configured:
WLC:
- WLAN
- SSID : Public
- WLAN id = 3
- L2 Security : 802.1x
- Interface Name : GuestVLAN
- Controller - Interface
- management - Untagged
- GuestVLAN - VLAN 112
- Security
- RADIUS Servers
When authenticating a Guest (belonging to the proper group in ACS), the right VLAN is used, IP addresses from DHCP are received, and the Guest can access the internet.
Switch:
- Port connected to WLC uses Trunking.
- Guests are connected to VLAN 112 and "native VLAN" is used to connect the Private Users.
ACS:
- AAA Client is the WLC, Authenticating using Cisco Airespace
- Guest Users are member of Group 11
- Private Users are member of Group 1
Group 11
- Use Per Group NAR to only allow WLAN Access
- Cisco Airespace RADIUS Attributes
x 14179\001 - Aire-WLAN-ID = 3
- Cisco IOS / PIX RADIUS Attributes
x 009\001 Cisco-av-pair = "ssid=Public"
- IETF Radius Attributes
x 006 Service Type = Login
x 007 Framed-Prot = ppp
x 064 Tunnel-Type = VLAN
x 065 Tunnel-Medium-Type = 802.1x
x 081 Tunnel-Private-Group-ID = 112
Group (default Group)
- Cisco Airespace RADIUS
x 14179\001 Aire-WLAN-ID = 1
- Cisco IOS/PIX Radius Attrib
x 009\001 Cisco-av-pair = "ssid=Private"
- IETF RADIUS
x 008 Service-type = Login
x 064 Tunnel-Type = VLAN
x 065 Tunnel-Medium-Type = 802.1x
x 081 Tunnel-Private-Group-ID = 1
Do you have any idea of what I should change?
Greetings
Jarle
-
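Both the thread above and the first thread on this page come down to one per-group decision: is this user allowed on the SSID the request arrived on? The following is an added example (my own, not code from either thread or from Cisco) that models the Network Access Restriction approach suggested in the first thread's answer rather than the cisco-av-pair method: it matches the RADIUS Called-Station-Id, which a WLC configured to include the SSID sends as "<AP-MAC>:<SSID>", against a per-group wildcard and fails closed on anything it cannot match. Group names, SSIDs, user names and the sample Access-Requests are constructed.

```python
"""SSID-restriction check modelled on an ACS per-group Network Access Restriction.

Added example, not code from the thread or from Cisco. It assumes the WLC is
configured to send Called-Station-Id as "<AP-MAC>:<SSID>". Group names, SSIDs,
users and the sample requests are constructed.
"""
from fnmatch import fnmatchcase

# Constructed policy: per-group permitted DNIS (Called-Station-Id) patterns.
# The ":" anchors the pattern to the SSID field, so "*:SSID-A" cannot also
# match a longer SSID such as "GUESTSSID-A" the way a bare "*SSID-A" would.
GROUP_NAR = {
    "GROUP-A": ["*:SSID-A"],
    "GROUP-B": ["*:SSID-B"],
}

# Constructed stand-in for the AD/ACS group mapping.
GROUP_OF_USER = {"alice": "GROUP-A", "bob": "GROUP-B"}


def split_called_station_id(called_station_id):
    """Split "aa-bb-cc-dd-ee-ff:SSID" into (ap_mac, ssid); ssid is None if absent."""
    if ":" not in called_station_id:
        return called_station_id, None
    ap_mac, ssid = called_station_id.split(":", 1)
    return ap_mac, ssid


def evaluate(request, group_of_user=GROUP_OF_USER, nar=GROUP_NAR):
    """Decide an Access-Request (dict of RADIUS attributes) as a permit-list NAR.

    Returns ("Access-Accept", reason) or ("Access-Reject", reason).
    Anything that cannot be matched positively is rejected (fail closed).
    """
    user = request.get("User-Name")
    group = group_of_user.get(user)
    if group is None:
        return "Access-Reject", f"{user!r} is not in any mapped group"

    called = request.get("Called-Station-Id", "")
    ap_mac, ssid = split_called_station_id(called)
    if ssid is None:
        # Without the SSID suffix the restriction cannot be evaluated at all.
        return "Access-Reject", "Called-Station-Id carries no SSID suffix"

    for pattern in nar.get(group, []):
        if fnmatchcase(called, pattern):
            return "Access-Accept", f"{group} permitted on {ssid} (AP {ap_mac})"
    return "Access-Reject", f"{group} is not permitted on {ssid}"


if __name__ == "__main__":
    # Constructed Access-Requests: the same users hitting both SSIDs.
    samples = [
        {"User-Name": "alice", "Called-Station-Id": "00-1a-2b-3c-4d-5e:SSID-A"},
        {"User-Name": "alice", "Called-Station-Id": "00-1a-2b-3c-4d-5e:SSID-B"},
        {"User-Name": "bob", "Called-Station-Id": "00-1a-2b-3c-4d-5e:SSID-A"},
        {"User-Name": "bob", "Called-Station-Id": "00-1a-2b-3c-4d-5e:SSID-B"},
        {"User-Name": "alice", "Called-Station-Id": "00-1a-2b-3c-4d-5e"},
    ]
    for req in samples:
        print(req["User-Name"], req["Called-Station-Id"], "->", *evaluate(req))
```

Two points the model makes visible: the check is only as good as the Called-Station-Id the NAS sends, so a request without the SSID suffix is rejected rather than waved through, and a wildcard that is not anchored to the SSID field (a bare "*SSID-A") also matches any longer SSID that ends in the same text, which is why the constructed policy anchors on the ":" separator.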
Hi,
I would like your help in the following scenario, we currently have a setup of CAS CAM, LDAP, WISM and ACS,
The main point I'm focusing on is the ACS and WISM.
Users are to obtain wireless access using a single SSID, and upon validation of credentials, they should gain access to one of 3 vlans, guest, data and voice, the use of separate SSID per vlan was highly discouraged by customer.
Would appreciate your advice on the best feasible way to implement this.
Regards,
Hi,
You can have a single SSID in your setup. You need to set up the feature called Dynamic VLAN Assignment.
Check out this link,
http://www.cisco.com/en/US/partner/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
Regards,
~JG
Please rate if that helps!
-
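Dynamic VLAN assignment, as used in the thread above and in Jarle's group configuration further up, works only if the Access-Accept carries all three tunnel attributes with the values RFC 3580 specifies: Tunnel-Type (64) = VLAN (13), Tunnel-Medium-Type (65) = IEEE-802 (6) and Tunnel-Private-Group-ID (81) = the VLAN id. The following is an added example (my own, not code from the thread or from Cisco) that encodes that triple as raw RADIUS attribute TLVs and decodes it back, reporting an Accept in which any of the three is missing or inconsistent. The VLAN ids and the deliberately broken Accepts are constructed.

```python
"""Build and check the RADIUS attributes that dynamic VLAN assignment relies on.

Added example, not code from the thread or from Cisco. Encodes the RFC 2868 /
RFC 3580 VLAN triple as raw RADIUS TLVs and decodes it back. VLAN ids below
are constructed.
"""
import struct

TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # RFC 3580
TUNNEL_MEDIUM_IEEE_802 = 6   # RFC 2868 ("802" in the ACS attribute list)

ATTR_NAMES = {
    TUNNEL_TYPE: "Tunnel-Type",
    TUNNEL_MEDIUM_TYPE: "Tunnel-Medium-Type",
    TUNNEL_PRIVATE_GROUP_ID: "Tunnel-Private-Group-ID",
}


def _tlv(attr_type, value):
    """One RADIUS attribute: Type (1 byte), Length (1 byte, includes header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_vlan_attributes(vlan_id, tag=0):
    """Return the VLAN triple as a byte string of RADIUS TLVs.

    Tunnel-Type and Tunnel-Medium-Type are a 1-byte tag plus a 3-byte integer;
    Tunnel-Private-Group-ID is a 1-byte tag plus the VLAN id as a string.
    """
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id must be 1..4094")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tunnel tag must be 0..31")
    tag_byte = struct.pack("!B", tag)

    def tagged_int(v):
        return tag_byte + struct.pack("!I", v)[1:]   # drop the high byte: 3-byte value

    return (
        _tlv(TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN))
        + _tlv(TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IEEE_802))
        + _tlv(TUNNEL_PRIVATE_GROUP_ID, tag_byte + str(vlan_id).encode("ascii"))
    )


def parse_attributes(raw):
    """Walk a byte string of RADIUS TLVs into a list of (type, value) pairs."""
    attrs, i = [], 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated attribute header")
        attr_type, length = raw[i], raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, raw[i + 2 : i + length]))
        i += length
    return attrs


def vlan_from_access_accept(raw):
    """Return (vlan_id, None) if the Accept carries a consistent VLAN triple,
    otherwise (None, reason). A NAS that cannot make sense of the triple
    typically ignores the override and leaves the client on the WLAN's own
    interface, so every defect is named rather than silently tolerated."""
    found = {t: v for t, v in parse_attributes(raw) if t in ATTR_NAMES}
    for attr_type, name in ATTR_NAMES.items():
        if attr_type not in found:
            return None, f"missing {name}"
    ttype = found[TUNNEL_TYPE]
    tmedium = found[TUNNEL_MEDIUM_TYPE]
    group = found[TUNNEL_PRIVATE_GROUP_ID]
    if len(ttype) != 4 or len(tmedium) != 4 or not group:
        return None, "malformed tunnel attribute value"
    if int.from_bytes(ttype[1:], "big") != TUNNEL_TYPE_VLAN:
        return None, "Tunnel-Type is not VLAN (13)"
    if int.from_bytes(tmedium[1:], "big") != TUNNEL_MEDIUM_IEEE_802:
        return None, "Tunnel-Medium-Type is not IEEE-802 (6)"
    if ttype[0] != tmedium[0]:
        return None, "tunnel tags differ between Tunnel-Type and Tunnel-Medium-Type"
    # A leading byte of 0x00..0x1F is a tag; anything larger is part of the string.
    vlan_text = group[1:] if group[0] <= 0x1F else group
    if not vlan_text.isdigit():
        return None, "Tunnel-Private-Group-ID is not a numeric VLAN id"
    return int(vlan_text), None


if __name__ == "__main__":
    accept = encode_vlan_attributes(112)   # constructed guest VLAN
    print(accept.hex())
    print(vlan_from_access_accept(accept))
```

Running the decoder against an Accept from your own RADIUS server is a quick way to confirm the three attributes are really leaving the server with the expected values before looking at the controller; on the WLC side the WLAN additionally needs AAA override enabled, as shown by the "AAA Policy Override" line in the show wlan output further down this page.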
I need to authenticate my clients connecting via wireless.
Clients have a user certificate installed on them; I need help configuring the ACS to do the authentication.
Can someone please help me with the steps?
Thanks
Two primary steps:
- define the trust certificates needed to verify the clients' user certificates
Users and Identity Stores > Certificate Authorities
- change the result of the identity policy to select a certificate authorization profile. If you have the default config:
Access Policies > Access Services > Default Network Access > Identity
by default you can select the "CN Username" as a result
-
Best Wireless Auth. methods ACS 3.2(3) and AD
I am new with ACS and wireless authentication. I have just deployed my ACS 3.2 for Windows, and am trying to select the best methods of authentication for my environment. I have determined my risk level to be low to medium. I would consider MAC-based auth. to be sufficient for users that don't support LEAP or a similar protocol. I have a mixed OS base from Win98, 2000 and XP and MacOS 9.2 to MacOSX. I have AD set up for the external database, and it is working with ACS to allow RADIUS auth. on my AP1100G Access Points. My questions are these.
1- What is the best practice for setting up the MAC address auth.? Do I create a text list, ACS records, SQL database, or can it be done in AD in some way?
2- Is LEAP the best auth. protocol considering my needs? Is there one that would be less difficult to set up but offer the low to medium security I need?
3- I am a little confused by the config that needs to exist on the Aironet 1100 series AP. What would be a good document/s for the configuration of these devices?
Eric Bodily
Idaho Falls School District 91
Network Administrator
I have no issues running Cisco ACS version 3.2 on Windows
Server 2003 with SP2:
1) create user test1 in MS Active Directory and put test1
in users group with dial-in access granted,
2) Create a group called "LDAP". Actually I renamed
group name "group 1" to "LDAP".
3) in ACS external user database configuration, I specified
domain "CCIE" for this. Unknown user policy is to use
Windows Database configuration,
4) Configure the database configuration in ACS to point
to "CCIE" windows domain,
5) set up the ACS to authenticate one of your Cisco devices
and log in using the MS windows account,
By the way, mgurwara, you are wrong. I run Cisco
ACS 3.2 on windows 2003 Enterprise Edition with Service
Pack 2. I am running it on a Dell Optiplex Gx240
(1.7 GHz with 512MB of RAM) and it is running fine.
I use it to manage about 20 cisco devices and
about 200 Wireless LEAP user(s). Furthermore, I am also
running ACS 4.1 on another identical hardware. It has
nothing to do with the hardware. I don't know where
you get that information from.
-
Wireless SSID @ Multiple Sites
Not sure where to post this , but here goes.
I have 8 sites all running Motorola Wireless Controllers with multiple SSIDs.
I have recently decided to move to the Cisco 2504 WLC since our Motorola devices were out of warranty and support.
The issue I am experiencing is when I configure my WLC 2504 with the identical SSID parameters/settings as my Motorola
devices, the users are unable to connect. They have to manually remove the existing wireless profile and re-create it.
This will be a bit of a pain, especially with 700 users.
Any ideas if such a feature can enable this "talk nice" piece?
Cheers, and hopefully this makes sense.
Oops, wrong WLAN.
WLAN Identifier.................................. 5
Profile Name..................................... PDA
Network Name (SSID).............................. GLPDABG
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Enabled
Network Admission Control
Client Profiling Status ....................... Disabled
DHCP ......................................... Disabled
HTTP ......................................... Disabled
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Maximum number of Clients per AP Radio........... 200
Number of Active Clients......................... 1
Exclusionlist.................................... Disabled
Session Timeout.................................. 1800 seconds
User Idle Timeout................................ 300 seconds
--More or (q)uit current module or to abort
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... CS-2504-01
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ wifibg
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
mDNS Status...................................... Enabled
mDNS Profile Name................................ default-mdns-profile
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver
Per-SSID Rate Limits............................. Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-Client Rate Limits........................... Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
--More or (q)uit current module or to abort
Burst Realtime Data Rate......................... 0 0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... 802.11b and 802.11g only
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ Global Servers
Accounting.................................... Global Servers
Interim Update............................. Disabled
Dynamic Interface............................. Disabled
Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled
--More or (q)uit current module or to abort
Security
802.11 Authentication:........................ Open System
FT Support.................................... Disabled
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Disabled
WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Disabled
AES Cipher.............................. Enabled
Auth Key Management
802.1x.................................. Disabled
PSK..................................... Enabled
CCKM.................................... Disabled
FT-1X(802.11r).......................... Disabled
FT-PSK(802.11r)......................... Disabled
PMF-1X(802.11w)......................... Disabled
PMF-PSK(802.11w)........................ Disabled
FT Reassociation Timeout................... 20
FT Over-The-DS mode........................ Enabled
GTK Randomization.......................... Disabled
SKC Cache Support.......................... Disabled
--More or (q)uit current module or to abort
CCKM TSF Tolerance......................... 1000
WAPI.......................................... Disabled
Wi-Fi Direct policy configured................ Disabled
EAP-Passthrough............................... Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
FlexConnect Local Switching................... Disabled
flexconnect Central Dhcp Flag................. Disabled
flexconnect nat-pat Flag...................... Disabled
flexconnect Dns Override Flag................. Disabled
FlexConnect Vlan based Central Switching ..... Disabled
FlexConnect Local Authentication.............. Disabled
FlexConnect Learn IP Address.................. Enabled
Client MFP.................................... Optional
PMF........................................... Disabled
PMF Association Comeback Time................. 1
PMF SA Query RetryTimeout..................... 200
Tkip MIC Countermeasure Hold-down Timer....... 60
AVC Visibilty.................................... Disabled
--More or (q)uit current module or to abort
AVC Profile Name................................. None
Flow Monitor Name................................ None
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Disabled
802.11k Neighbor List Dual Band.................. Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
Mobility Anchor List
WLAN ID IP Address Status
802.11u........................................ Disabled
MSAP Services.................................. Disabled
-
How to grant wire access to a wireless ssid
I have a wireless LAN controller (5508) broadcasting 2 SSIDs: one is a secure VLAN grabbing an IP address from a local DHCP server and getting access to the internal network, and the other SSID is for a guest VLAN where the DHCP server is in a remote site and internet access is off a circuit in our data center which is accessed over a WAN. The secure SSID's VLAN is defined on the local switch, but the guest VLAN is not defined on the local switch.
The APs in the respective sites are trunked to the core switch and the switchport config is:
switchport trunk encapsulation dot1q
switchport trunk native vlan 5
switchport trunk allowed vlan 5
switchport mode trunk
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
queue-set 2
priority-queue out
mls qos trust cos
auto qos voip trust
spanning-tree portfast
It's trunked because we have both VLANs going across this physical connection.
I would like to get the guest VLAN a wired connection, i.e. off a switch/hub, but I am not sure how to do that as this guest VLAN is not defined on our local network.
You may be trunking, but you're only allowing VLAN 5 across the trunk.
On your controller, how are your interfaces configured?
Your SSIDs should match up with an interface, which matches a L2 VLAN, which eventually matches a L3 IP address.
Can you provide a little more detail? I've done this setup in the past, so it's doable.
-
Wireless connection not scanning wireless SSID automatically after standby/hibernate
Hi,
I have a Cisco 1242 access point running a WPA2/AES TKIP profile with EAP authentication in broadcast. I have Dell laptops that have the 3945ABG wireless card. The connection works when you configure the profile on the laptop with the Windows wireless manager, but when the computer recovers from standby/hibernate it does not scan the network automatically. You have to refresh the wireless network manager and refresh the network list to make the connection with the SSID. Is this issue with the laptop or with the Access Point? I tried various things on the laptop but was not able to troubleshoot it, so I am thinking it may be some timers/beacon/signal settings that need to be tweaked. Any help will be appreciated.
Regards
This is most likely a driver issue. http://support.dell.com/
-
Wireless Authentication + WLC + ACS + AD
Hello Everyone,
I'm trying to configure an authentication policy in my wireless network.
I need to authenticate users who are members of the group "Wireless users" in Active Directory.
My question is: do I need to use ACS for this authentication against the AD group? Or is the controller alone enough?
I do not like to use this digital certificate solution.
My Topology is:
USER -> AP -> Controller -> ACS -> AD
Or
USER -> AP -> Controller -> AD
Help?
Tks a lot.
Well, the kind of requirement you have does ask for digital certs because most of the EAP flavors are dependent on certs.
However, you may go for LEAP (doesn't need certs):
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml#c4
You may go for WLC and LDAP (with certs, without ACS):
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml
Regds,
Jatin
Do rate helpful posts.
-
Restricting Wireless Access using ACS 3.3
We are currently running ACS 3.3 and I am trying to figure out how to restrict wireless access to specific user groups. Our current setting is using PEAP and ACS as the RADIUS server. Our user database is mapped to Windows 2003 AD. I've got PEAP working and the RADIUS authentication is also working, but I cannot seem to figure out how to restrict the wireless access to specific Windows/ACS groups.
Erik
Hi,
On ACS 3.3.x you can certainly achieve this; all you have to do is configure a NAR (Network Access Restriction). Here is the link which should provide you further information on it.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml
-Parm