Dovelet
Guest
Posted:
Thu Dec 08, 2005 5:20 pm Post subject:
Question about Cisco wireless AP VLAN
Hi all,
I have a question about Cisco wireless AP with VLAN and I hope someone
can help me. We are using Cisco AP1200 with PEAP and ACS server. I know
that Cisco AP can configure VLAN for different security level. Suppose
I have this environments:
Wireless:
- SSID: SSID_Int
--- vlan 1
--- for internal staff
--- username: marketing01
--- access right: all internal network
- SSID: SSID_ext
--- vlan 2
--- for vendor
--- username: vendor01
--- access right: Internet only
All user accounts are stored in the ACS server. I suppose the user
account "vendor01" can only access the AP using the SSID "SSID_ext".
How about if the vendor changes their SSID to "SSID_int" and uses the
"vendor01" account? Can it access the internal network? As far as I know, the
ACS should not know which VLAN the authentication request is from. If
so, it will be very dangerous. Please advise. Thanks.
Regards,
Dovelet
Uli Link
Guest
Posted:
Thu Dec 08, 2005 5:20 pm Post subject:
Re: Question about Cisco wireless AP VLAN
Dovelet wrote:
Quote: Wireless:
- SSID: SSID_Int
--- vlan 1
--- for internal staff
--- username: marketing01
--- access right: all internal network
- SSID: SSID_ext
--- vlan 2
--- for vendor
--- username: vendor01
--- access right: Internet only
All user accounts are stored in the ACS server. I suppose the user
account "vendor01" can only access the AP using the SSID "SSID_ext".
How about if the vendor changes their SSID to "SSID_int" and uses the
"vendor01" account? Can it access the internal network? As far as I know, the
ACS should not know which VLAN the authentication request is from. If
so, it will be very dangerous. Please advise. Thanks.
You can use different RADIUS servers for different SSIDs.
You can tie a user to a list of allowed SSIDs.
--
Uli
Dovelet
Guest
Posted:
Fri Dec 09, 2005 7:26 am Post subject:
Re: Question about Cisco wireless AP VLAN
Hi,
Thanks for your information. A different RADIUS server for each SSID
is a solution, but we do not want to maintain two RADIUS servers. For
your second option, what is "tie a user to a list of allowed SSIDs"? Is
it configured in the AP or the ACS server? Please advise. Thanks.
Regards,
Murphy
Uli Link
Guest
Posted:
Fri Dec 09, 2005 9:21 am Post subject:
Re: Question about Cisco wireless AP VLAN
Dovelet wrote:
Quote: Thanks for your information. A different RADIUS server for each SSID
is a solution, but we do not want to maintain two RADIUS servers. For
your second option, what is "tie a user to a list of allowed SSIDs"? Is
it configured in the AP or the ACS server? Please advise. Thanks.
It is configured in the RADIUS server or in the authentication database behind it.
Even the IOS embedded RADIUS can limit the allowed SSIDs per group. The
same user/password will fail authentication when associated through an SSID
that is not allowed.
Perhaps it is possible for you to set up your RADIUS server to listen on 2 IP
addresses. So if the AP's request comes in via address A, check for rule 1,
else check for rule 2...
For the AP this will be 2 different RADIUS servers, and the RADIUS server needs a
criterion to differentiate between the requests; this can be an IP
address, a subinterface/VLAN or the associated SSID. Whichever is
easier for you to set up/evaluate in your RADIUS setup.
--
Uli
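The policy Uli describes, worked through as an added example (this is not code from the thread, from Cisco or from ACS): the RADIUS side ties each account to a group, each group to the SSIDs it may use and the VLAN it belongs on, and the same credentials are rejected when presented through any other SSID. It assumes the AP identifies the SSID in the Called-Station-Id attribute as "<ap-mac>:<ssid>", which is the layout Cisco autonomous IOS APs are commonly configured to send; the group table, user table, MAC address and passwords are all constructed for the example, and the plain password comparison stands in for the PEAP/MSCHAPv2 inner exchange.

```python
import hmac
from dataclasses import dataclass, field

# Constructed policy: which SSIDs each group may associate through, and the VLAN
# the RADIUS server hands back so the AP does not rely on the SSID's static mapping.
GROUPS = {
    "staff":   {"ssids": {"SSID_Int"}, "vlan": 1},
    "vendors": {"ssids": {"SSID_ext"}, "vlan": 2},
}

# Constructed user database; the passwords are placeholders for the example.
USERS = {
    "marketing01": {"password": "s3cret-m", "group": "staff"},
    "vendor01":    {"password": "s3cret-v", "group": "vendors"},
}


@dataclass
class AccessRequest:
    user_name: str
    password: str
    called_station_id: str   # assumed AP format: "<ap-mac>:<ssid>", e.g. "0011.2233.4455:SSID_ext"
    nas_ip_address: str = "10.0.0.5"   # constructed AP address; unused by this check but sent by real APs


@dataclass
class Response:
    code: str                # "Access-Accept" or "Access-Reject"
    reason: str = ""
    attributes: dict = field(default_factory=dict)


def parse_ssid(called_station_id: str):
    """Return the SSID from an assumed '<ap-mac>:<ssid>' Called-Station-Id, or None.

    Split on the first colon only: the MAC in this layout contains no colons,
    but an SSID may, so everything after the first ':' is the SSID.
    """
    _mac, sep, ssid = called_station_id.partition(":")
    if not sep or not ssid:
        return None
    return ssid


def authorize(req: AccessRequest) -> Response:
    """Decide an Access-Request: credentials first, then SSID membership, then VLAN."""
    user = USERS.get(req.user_name)
    # Unknown user and wrong password produce the same reject so the reply
    # does not reveal which accounts exist.
    if user is None or not hmac.compare_digest(user["password"], req.password):
        return Response("Access-Reject", "bad credentials")

    ssid = parse_ssid(req.called_station_id)
    if ssid is None:
        # Fail closed: without an SSID there is no way to apply the per-group rule.
        return Response("Access-Reject", "no SSID in Called-Station-Id")

    group = GROUPS[user["group"]]
    if ssid not in group["ssids"]:
        # This is the case from the question: vendor01 associating through SSID_Int.
        return Response("Access-Reject", f"user {req.user_name} not allowed on SSID {ssid}")

    # RFC 2868 tunnel attributes carry the VLAN assignment back to the AP, so the
    # session lands on the group's VLAN even if an SSID-to-VLAN mapping is changed.
    return Response("Access-Accept", "", {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": str(group["vlan"]),
    })


if __name__ == "__main__":
    ap = "0011.2233.4455"   # constructed AP MAC
    for name, pw, ssid in [("vendor01", "s3cret-v", "SSID_ext"),
                           ("vendor01", "s3cret-v", "SSID_Int"),
                           ("marketing01", "s3cret-m", "SSID_Int")]:
        r = authorize(AccessRequest(name, pw, f"{ap}:{ssid}"))
        print(f"{name:12s} via {ssid:8s} -> {r.code} {r.reason} {r.attributes}")
```

The check keys on the SSID because that is what the AP already sends; if the RADIUS server is instead made to listen on two addresses as Uli suggests, the same lookup can be keyed on the address the request arrived at (or on NAS-IP-Address when each AP serves one SSID) with the rest of the decision unchanged. Returning the VLAN in the Access-Accept is the second half of the defence: the AP must have that VLAN configured for the assignment to take effect, so verify on the AP that the session lands on VLAN 2 for vendor01 and not merely on whatever VLAN the SSID is statically mapped to.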