You should be able to do this with ACS 5 (if your LDAP can return different 
groups for student and faculty/staff). You can create the following rules:

1. If "wireless SSID (with Cisco WLC, it is called-station-id) == open SSID" and 
"LDAP.Group == Student", then Permit_Access.
2. If "wireless SSID (with Cisco WLC, it is called-station-id) == 802.1x SSID" 
and "LDAP.Group == Faculty/Staff", then Permit_Access.
3. If anything else, deny_access.

---
Dennis Xu
Network Analyst
Networking and Security Cluster
Computing and Communication Services
University of Guelph
5198244120 x 56217
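The three rules above, worked through as an added example (not code from the thread or from Cisco ACS): the WLC puts the SSID into Called-Station-Id, so the policy has to extract the SSID from that attribute before comparing it, and everything that matches neither rule falls through to deny. The "AP-MAC:SSID" layout of Called-Station-Id, the SSID names, the group names and the sample MAC are assumptions for the example.

```python
import re

# Assumed Called-Station-Id layout from a Cisco WLC: "<AP radio MAC>:<SSID>",
# MAC as six hyphen-separated hex pairs. The SSID is everything after the
# first colon following the MAC, so SSIDs containing ':' are preserved.
CALLED_STATION_RE = re.compile(
    r"^(?P<mac>[0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5}):(?P<ssid>.+)$"
)

# Assumed SSID and LDAP group names (placeholders, not from the thread).
OPEN_SSID = "Student-Open"        # web-portal network for students
DOT1X_SSID = "FacStaff-8021x"     # WPA/802.1x network for faculty and staff
STUDENT_GROUP = "Student"
FACSTAFF_GROUP = "Faculty/Staff"

PERMIT = "Permit_Access"
DENY = "Deny_Access"


def parse_called_station_id(value):
    """Return the SSID carried in Called-Station-Id, or None if the
    attribute does not have the expected MAC:SSID shape."""
    match = CALLED_STATION_RE.match(value or "")
    return match.group("ssid") if match else None


def authorize(called_station_id, user_groups):
    """Evaluate the three rules in order; first match wins, default deny.

    user_groups is the list of LDAP groups returned for the one user being
    authenticated (the RADIUS server looks up that user, not the whole
    group membership), so large groups do not change this logic.
    """
    ssid = parse_called_station_id(called_station_id)
    groups = set(user_groups)
    if ssid == OPEN_SSID and STUDENT_GROUP in groups:       # rule 1
        return PERMIT
    if ssid == DOT1X_SSID and FACSTAFF_GROUP in groups:     # rule 2
        return PERMIT
    return DENY                                             # rule 3


if __name__ == "__main__":
    # Constructed sample requests: a staff member trying the open SSID
    # is the case the original question wants blocked.
    ap = "00-1a-2b-3c-4d-5e"
    print(authorize(f"{ap}:{OPEN_SSID}", ["Student"]))
    print(authorize(f"{ap}:{OPEN_SSID}", ["Faculty/Staff"]))
    print(authorize(f"{ap}:{DOT1X_SSID}", ["Faculty/Staff"]))
```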

----- Original Message -----
From: "Bruce W Osborne" <[email protected]>
To: [email protected]
Sent: Monday, 24 January, 2011 9:16:15 AM
Subject: Re: [WIRELESS-LAN] Link LDAP groups to Separate SSIDs for 
Authentication

If you use AD groups to determine any access restrictions / vlans (Student vs. 
staff vs. IS Admins, etc.) then this can be an issue. It works with NPS Server 
(Sorry for the original typo).

Bruce

From: Sam Stelfox [mailto:[email protected]]
Sent: Monday, January 24, 2011 9:02 AM
To: The EDUCAUSE Wireless Issues Constituent Group Listserv
Cc: Osborne, Bruce W
Subject: Re: [WIRELESS-LAN] Link LDAP groups to Separate SSIDs for 
Authentication

While you are correct about the 1500 result limit, this shouldn't be an issue 
with wireless authentication as the radius server will only query for the 
username requesting authentication. This works fine even with >4000 members in 
a group (we have this working right now).

On 01/22/2011 06:21 AM, Osborne, Bruce W wrote:
Mike,

Unfortunately, I do not have a suggestion, but just a caution. I do not know 
the size of your organization, but be aware that Microsoft AD groups with more 
than 1500 members cannot be queried properly with generic LDAP.  You will only 
get the first 1500 members.

In my experience here at Liberty University, OpenLDAP & Cisco ACS 4 (& I 
expect, 5) will not work. We are moving to using Microsoft NOS server on Server 
2008R2 for RADIUS. According to the standard, LDAP extensions are supposed to 
be optional. In this case, Microsoft makes the extension mandatory.


Bruce Osborne
Liberty University

From: Williams, Mr. Michael [mailto:[email protected]]
Sent: Friday, January 21, 2011 10:56 AM
Subject: Link LDAP groups to Separate SSIDs for Authentication

All,

I have been trying to figure this out but have been unable to find a solution.  
Here is what we are trying to do.

1 wireless SSID that is an open network which uses a web portal for 
authentication - this would be the student network
1 wireless SSID that uses 802.1x w/WPA and a splash page - this would be used 
for Fac/Staff


Is it possible to link the Student SSID to only the Student group in LDAP and 
the Fac/Staff SSID to only the Fac/Staff using LDAP?  We want to keep the 
Fac/Staff folks from using the open network.  Does anyone have similar 
requirements?

We have a Cisco ACS that is linked to LDAP/AD, a WISM and WCS.

v/r

Mike

Michael M. Williams
Network Systems Analyst
Information Technology Services
Tarleton State University

********** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.

--
Sam Stelfox
Network Administrator
Vermont Technical College
