How to Restrict Students from SSID

  • Question
  • Updated 4 years ago
  • Answered
I have three SSIDs: wylie, student, and guest. Wylie and student are both configured for WPA/WPA2 802.1X and are authenticated through RADIUS to eDirectory. How can I restrict students from using the wylie SSID?

Tony Spradlin


Posted 4 years ago


Mike Kouri, Official Rep

I have no direct hands-on experience with eDirectory. Does it allow you to do conditional authentication based on attributes like Called-Station-ID? If so, perhaps you can add logic so that members of group-A who attempt to use SSID-B are denied?

Andrew MacTaggart, Champ

Depending on the RADIUS server, the configuration will vary.

You will have an identity store, and service selection rules for identity and authorization.

For example, in Cisco ACS:

Create an identity store for eDirectory and select which attributes you want to pull in.

Directory attributes of user or subject records can be referenced as policy conditions in policy rules. If you wish to do this, define the attributes that are to be available for use in policy rules here. Specify a sample user / subject name below, then click 'Select...' to launch a dialog to select attributes from this subject. If you wish to modify the Default and Policy Condition Name for an attribute, edit it in the table below.

Create a service rule that identifies the type of service from a device and the protocols allowed.
Check authentication against the identity store.

For example, you can create a service rule that says:
select this rule if the AAA clients are x, y and z and the SSID is wylie, then use the wylie identity rule.

This then checks the auth against eDirectory, but the authorization or the authentication is specific to an LDAP attribute, i.e. teacher or student.

Then, under the authorization section, create a rule that checks the eDirectory attribute.
This attribute could be groupMembership or a custom field that you can create, for example
teacher Y or N

or group member of teacher or student or employee etc...

Here is an example where I authorize only people that have a Y for VPN usage, which is pulled from eDirectory (a custom field I created):
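The two-stage policy Andrew describes (service selection on the SSID, then authorization on an eDirectory attribute), as an added Python example that is not from this thread, Cisco ACS or eDirectory; the "AP-MAC:SSID" format of Called-Station-Id, the attribute names and the sample users are assumptions.

```python
# Added example (not from the original thread): a minimal model of the
# two-stage RADIUS policy Andrew describes: service selection keyed on the
# SSID carried in Called-Station-Id, then authorization on an eDirectory
# group attribute. Attribute names and the "AP-MAC:SSID" format of
# Called-Station-Id are assumptions; ACS, FreeRADIUS or NPS express the
# same logic in their own policy language. Password checking is omitted.
from typing import Dict, List

# Constructed stand-in for the identity store: user -> eDirectory groups.
IDENTITY_STORE: Dict[str, List[str]] = {
    "tspradlin": ["cn=teacher,ou=groups,o=wylie"],
    "jdoe": ["cn=student,ou=groups,o=wylie"],
    "contractor": [],
}

# Authorization policy: which eDirectory groups may use each 802.1X SSID.
# "guest" is not 802.1X in the thread, so it has no rule here.
SSID_ALLOWED_GROUPS = {
    "wylie": {"cn=teacher,ou=groups,o=wylie"},
    "student": {"cn=student,ou=groups,o=wylie", "cn=teacher,ou=groups,o=wylie"},
}

def ssid_from_called_station_id(called_station_id: str) -> str:
    """Service-selection step: pull the SSID out of Called-Station-Id.
    Assumes the AP sends 'AA-BB-CC-DD-EE-FF:ssid' (a common convention)."""
    _mac, sep, ssid = called_station_id.partition(":")
    if not sep or not ssid:
        raise ValueError(f"no SSID in Called-Station-Id: {called_station_id!r}")
    return ssid

def authorize(request: Dict[str, str]) -> str:
    """Return 'Access-Accept' or 'Access-Reject' for one RADIUS request.
    Fail closed: reject when the SSID has no rule, the user is unknown, or
    the user's groups do not intersect the groups permitted on that SSID."""
    try:
        ssid = ssid_from_called_station_id(request["Called-Station-Id"])
    except (KeyError, ValueError):
        return "Access-Reject"
    allowed = SSID_ALLOWED_GROUPS.get(ssid)
    groups = IDENTITY_STORE.get(request.get("User-Name", ""))
    if allowed is None or groups is None:
        return "Access-Reject"
    return "Access-Accept" if allowed & set(groups) else "Access-Reject"

if __name__ == "__main__":
    for user, ssid in [("tspradlin", "wylie"), ("jdoe", "wylie"), ("jdoe", "student")]:
        req = {"User-Name": user, "Called-Station-Id": f"00-11-22-33-44-55:{ssid}"}
        print(user, ssid, authorize(req))
```

On a real server the same three decisions map onto the service-selection rule (SSID from Called-Station-Id), the identity-store lookup, and the authorization rule on the directory attribute; the fail-closed defaults are the part worth checking in any of them.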