Security

Hi guys:

Now I have a problem with the the restrict on per ssid. If I have a ssid A , ssid B. And I just permit the user abc1 can connect the ssid A and can't connect the ssid B.While the abc2 can connect the ssid B and can't connect the ssid A.

The cisco's acs can identify the ssid to restrict.It need the information Calling-Station-Id. So how to set this information on ac when my radius request is forwarded to ac.

Is there any other approach to do on acs?

any help os suggestion will be appreciated

RADIUS uses the concept of request attributes and reply attributes, so yes, you can include the ESSID in the request, have ACS have rules for both conditions.

Use two Server Groups on the Controller to set the "NAS Identifier" for each ESSID (and make it the ESSID for example...)

Rule 1 - Allow user  abc1 (or the user's group)  on ESSID A for requests with "NAS Identifier" set to "ESSID A".

Rule 2 - Allow user abc2 (or a group) on ESSID B for requests with "NAS Identifier" set to "ESSID B".

I think nas-identifier is just the radius-server ip address.

The essid information is brought in the radius request.

Now you can see my  called-station-id it's my ac's mac,but i want to set this vlue is SSID A or SSID B.

And the acs's nas can choose this value to restrict per ssid.

And this is the present's wifi network and its radius request's called-station-id is its wifi's  ssid.

Then the acs can choose this information to do restrict  on per ssid.

It seems my last picture can't be opened normaly.

I reupload one.

You should be able to reference the Aruba-ESSID-Name that will be received in the RADIUS Access-Request to identify the SSID a user is connected to.

From there you would need to build a rule in ACS to reject the user authentication request if they were not connected to the correct SSID. From memory this would be configured under the User or User Group settings in ACS.

Yes, cam is correct.  I use the Aruba-Essid-Name as a RADIUS request attribute to determine which set of dot1x protocols a user is allowed to use on certain SSIDs.  I use Juniper's IC RADIUS product to do that, but I'm sure ACS can do it as well and using it to allow users/groups to connect to certain SSIDs should be pretty straightforward.

Sorry to bring up old subject, but at the moment I'm facing the same issue connecting WIFI using ACS as the Radius Gateway (ACS will connect to AD for user authentication process).

- On controller I have setup WLAN with WPA2-Enterprise authentication, set the auth-server to ACS. 

- On ACS I have define controller as the client and test the process (AAA test server)

- On ACS, my customer use NAR (Network Access Restriction) features to restrict user access to certain SSID only. They using attribute called DNIS* | The called-station-ID (attribute 30) is used

- Their existing network are Cisco based but they're claiming that when using other brand (Motorola), the NAR rules are applied to the network and run smoothly.

- Attached are the sample of their NAR/DNIS configuration on the ACS

- My customer doesn't want to change their ACS setting, based on their claim that other vendor (Mtrla) can achieve the same result with their existing network.

The problem is, when using Aruba wifi, the NAR rules are not applied to the wifi network. 

I have try using different method for the ssid name inside DNIS box. Using *SSID_Name or just SSID_Name didn't give me the result as I expected.

But when I disabled the NAR, I can connect to the SSID just fine.

So please confirm/help if anyone has ever have this setup with successful result:

- Is there any other thing that I have to setup on controller side?

- DNIS are using attribute 30 (as Cisco Documentation said), what is the relevance on Aruba side?