There really isn't a document that covers all of this. Basically we have our 3 methods of assigning an ACL to a client session. So how many different ways can we use AAA override, use different WLANs, or place clients on different interfaces? Many of these methods rely on completely different features, so they are in different documents.
Regards, Jeff Rensink : Sr Instructor : iPexpert <http://www.ipexpert.com/> CCIE # 24834 :: Wireless / R&S :: World-Class Cisco Certification Training Direct: +1.810.326.1444 :: Free Videos <http://www.youtube.com/ipexpertinc> :: Free Training / Product Offerings <http://www.facebook.com/ipexpert> :: CCIE Blog <http://blog.ipexpert.com/> :: Twitter <http://www.twitter.com/ipexpert> On Fri, Feb 21, 2014 at 10:50 AM, cisco 2006 <[email protected]> wrote: > > > Many Thanks for this illustration .Also I will ask you for a fover , if > can send me a document about this . > > Best Regards, > Cisco2006 > ------------------------------ > On Fri, Feb 21, 2014 7:19 PM AST (Arabian) Jeff Rensink wrote: > > >We only have 3 ways of assigning ACLs to client sessions. By the > interface > >that a client is assigned to, by the WLAN that a client associates to, and > >by using AAA override. > > > >If you do authentication locally on the WLC, the only AAA override option > >you have is by MAC address. So if you had 2 separate clients, you could > >use MAC filtering + AAA override and use a MAC filter entry to assign the > >clients to specific interfaces. You then have a different ACL per > >interface. This requires you to pre-populate MAC filtering entries, which > >would be fairly insane to do on a guest network. > > > >Another option would be separate WLANs. There they could use the same > >interface, but each WLAN has a different ACL. > > > >You could also use a combination of interface groups and static IP > >addressing on the clients. That would deterministically place clients > onto > >specific interfaces, which can have their own ACLs. > > > >But if you want a single classic guest WLAN setup, external authentication > >is your only reasonable option that I can think of. > > > >Regards, > > > > > > > >Jeff Rensink : Sr Instructor : iPexpert <http://www.ipexpert.com/> > > > >CCIE # 24834 :: Wireless / R&S > > > >:: World-Class Cisco Certification Training > > > >Direct: +1.810.326.1444 > > > >:: Free Videos <http://www.youtube.com/ipexpertinc> > > > >:: Free Training / Product Offerings <http://www.facebook.com/ipexpert> > > > >:: CCIE Blog <http://blog.ipexpert.com/> > >:: Twitter <http://www.twitter.com/ipexpert> > > > > > >On Thu, Feb 20, 2014 at 1:14 AM, cisco 2006 <[email protected]> wrote: > > > >> Dear All, > >> > >> I need to configure the policy that allow some users access the Internet > >> and the others just get the access to the Internal Network ( inside > >> network ) in WLC 5508. How can I do this without using external server > for > >> authentication and authorization ? > >> > >> Best Regards, > >> Cisco2006 > >> > >> > >> > >> _______________________________________________ > >> Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos :: > >> > >> iPexpert on YouTube: www.youtube.com/ipexpertinc > >> > >
_______________________________________________ Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos :: iPexpert on YouTube: www.youtube.com/ipexpertinc
