Cisco Systems 12.3(8)JEE, 12.4(25d)JA, 15.2(2)JA, 15.2(2)JB, IOS Releases 15.2(4)JA Using a RADIUS Server to Restrict SSIDs

7-7

Cisco IOS Software Configuration Guide for Cisco Aironet Access Points

OL-29225-01

Chapter7 Configuring Multiple SSIDs

Configuring Multiple SSIDs

ssid buffalo

vlan 7

authentication open

However, this sample output from a show dot11 associations privileged EXEC command shows the

spaces in the SSIDs:

SSID [buffalo] :

SSID [buffalo ] :

Note This command shows only the first 15 characters of the SSID. Use the show dot11 associations client

command to see SSIDs having more than 15 characters.

Using a RADIUS Server to Restrict SSIDs

To prevent client devices from associating to the access point using an unauthorized SSID, you can

create a list of authorized SSIDs that clients must use on your RADIUS authentication server.

The SSID authorization process consists of these steps:

1. A client device associates to the access point using any SSID configured on the access point.

2. The client begins RADIUS authentication.

3. The RADIUS server returns a list of SSIDs that the client is allowed to use. The access point checks

the list for a match of the SSID used by the client. There are three possible outcomes:

a. If the SSID that the client used to associate to the access point matches an entry in the allowed

list returned by the RADIUS server, the client is allowed network access after completing all

authentication requirements.

b. If the access point does not find a match for the client in the allowed list of SSIDs, the access

point disassociates the client.

c. If the RADIUS server does not return any SSIDs (no list) for the client, then the administrator

has not configured the list, and the client is allowed to associate and attempt to authenticate.

The allowed list of SSIDs from the RADIUS server are in the form of Cisco VSAs. The Internet

Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific

information between the access point and the RADIUS server by using the vendor-specific attribute

(attribute 26). Vendor-specific attributes (VSAs) allow vendors to support their own extended attributes

not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option by

using the format recommended in the specification. The Cisco vendor-ID is 9, and the supported option

has vendor-type 1, which is named cisco-avpair. The Radius server is allowed to have zero or more SSID

VSAs per client.

In this example, the following AV pair adds the SSID batman to the list of allowed SSIDs for a user:

cisco-avpair= ”ssid=batman”

For instructions on configuring the access point to recognize and use VSAs, see the “Configuring the

Access Point for Vendor-Proprietary RADIUS Server Communication” section on page13-17”.

Cisco Systems Using a RADIUS Server to Restrict SSIDs