Question about Cisco wireless AP VLAN

Hi all,

I have a question about Cisco wireless APs with VLANs and I hope someone can help me. We are using Cisco AP1200 with PEAP and an ACS server. I know that a Cisco AP can configure VLANs for different security levels. Suppose I have this environment:

Wireless:

- SSID: SSID_Int
  - VLAN 1
  - for internal staff
  - username: marketing01
  - access right: all internal network
- SSID: SSID_ext
  - VLAN 2
  - for vendor
  - username: vendor01
  - access right: Internet only

All user accounts are stored in the ACS server. I suppose the user account "vendor01" can only access the AP using the SSID "SSID_ext". What if the vendor changes their SSID to "SSID_int" and uses the "vendor01" account? Can it access the internal network? As far as I know, the ACS should not know which VLAN the authentication request comes from. If so, it would be very dangerous. Please advise. Thanks.

Regards, Dovelet


Dovelet wrote:

You can use a different RADIUS server for different SSIDs. You can tie a user to a list of allowed SSIDs.

Uli Link

Hi,

Thanks for your information. A different RADIUS server for each SSID is a solution, but we do not want to maintain two RADIUS servers. For your second option, what is "tie a user to a list of allowed SSIDs"? Is it configured in the AP or in the ACS server? Please advise. Thanks.

Regards, Murphy

Uli Link wrote:


Dovelet wrote:

It is configured in the RADIUS server or in the authentication database behind it. Even the IOS embedded RADIUS server can limit the allowed SSIDs per group. The same user/passwd will fail authentication when associated through a not-allowed SSID. Perhaps it is possible for you to set up your RADIUS server to listen on 2 IP addresses. So if the AP's request comes in via address A, check rule 1, else check rule 2... For the AP these will be 2 different RADIUS servers, and the RADIUS server needs a criterion to differentiate between the requests; this can be an IP address, a subinterface/VLAN, or the associated SSID. Whichever is easier for you to set up/evaluate in your RADIUS setup.

Uli Link
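To make the per-group allowed-SSID check from the replies above concrete, here is an added example (not code from the thread, from Cisco, or from any ACS/RADIUS product) that models the authorization decision a RADIUS server makes for the thread's two SSIDs. It relies on one fact about Cisco APs: the SSID the client associated to is sent to the RADIUS server inside the Called-Station-Id attribute as `<AP-MAC>:<SSID>`, so the server can enforce SSID membership without a second server or a second IP address. The user store, passwords, group names and the `authorize` / `parse_called_station_id` helpers are hypothetical; PEAP carries an MSCHAPv2 exchange rather than a cleartext password, and the password compare below simply stands in for that inner check.

```python
import hmac
import re
from dataclasses import dataclass

# Cisco APs send the associated SSID to the RADIUS server inside
# Called-Station-Id as "<AP-MAC>:<SSID>", e.g. "00-11-22-33-44-55:SSID_ext".
_CALLED_STATION_RE = re.compile(
    r"^(?P<mac>[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}):(?P<ssid>.+)$"
)


@dataclass(frozen=True)
class Group:
    """One authorization group: which SSIDs it may use and which VLAN it lands in."""
    name: str
    allowed_ssids: frozenset
    vlan: int


# Constructed policy mirroring the thread's two SSIDs (hypothetical values).
GROUPS = {
    "internal": Group("internal", frozenset({"SSID_Int"}), vlan=1),
    "vendors": Group("vendors", frozenset({"SSID_ext"}), vlan=2),
}

# Constructed user store: username -> (password, group). A real deployment
# keeps this in ACS or the directory behind it; the cleartext password here
# only stands in for the PEAP/MSCHAPv2 inner check.
USERS = {
    "marketing01": ("mkt-pass-EXAMPLE", "internal"),
    "vendor01": ("vendor-pass-EXAMPLE", "vendors"),
}


def parse_called_station_id(value: str):
    """Split Called-Station-Id into (AP MAC, SSID); raise ValueError if malformed."""
    m = _CALLED_STATION_RE.match(value)
    if not m:
        raise ValueError(f"unexpected Called-Station-Id format: {value!r}")
    return m.group("mac").lower(), m.group("ssid")


def authorize(username: str, password: str, called_station_id: str) -> dict:
    """Return an Access-Accept or Access-Reject decision for one request.

    The SSID check runs even when the credentials are valid, so vendor01
    presenting a correct password over SSID_Int is still rejected.
    """
    try:
        ap_mac, ssid = parse_called_station_id(called_station_id)
    except ValueError:
        return {"result": "Access-Reject", "reason": "malformed-called-station-id"}

    entry = USERS.get(username)
    # Constant-time compare against a dummy value when the user is unknown,
    # so response timing does not reveal which usernames exist.
    expected = entry[0] if entry else "no-such-user"
    ok = hmac.compare_digest(expected.encode(), password.encode())
    if entry is None or not ok:
        return {"result": "Access-Reject", "reason": "bad-credentials"}

    group = GROUPS[entry[1]]
    if ssid not in group.allowed_ssids:
        return {
            "result": "Access-Reject",
            "reason": "ssid-not-allowed",
            "ssid": ssid,
            "ap_mac": ap_mac,
        }

    # Hand the VLAN back with the RFC 2868 tunnel attributes that Cisco APs
    # honor for dynamic VLAN assignment, so the VLAN follows the group rather
    # than whatever SSID the client happened to pick.
    return {
        "result": "Access-Accept",
        "vlan": group.vlan,
        "attributes": {
            "Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": str(group.vlan),
        },
    }


if __name__ == "__main__":
    for user, pw, csid in [
        ("vendor01", "vendor-pass-EXAMPLE", "00-11-22-33-44-55:SSID_ext"),
        ("vendor01", "vendor-pass-EXAMPLE", "00-11-22-33-44-55:SSID_Int"),
        ("marketing01", "mkt-pass-EXAMPLE", "00-11-22-33-44-55:SSID_Int"),
    ]:
        print(user, csid, "->", authorize(user, pw, csid))
```

The second case in the usage loop is exactly the scenario the original question worries about: vendor01 with a valid password associating to SSID_Int. Because the group policy is keyed on the SSID carried in Called-Station-Id rather than on the VLAN, one RADIUS server can reject it, and the returned tunnel attributes let the AP place accepted users in the group's VLAN regardless of SSID.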
