https://community.cisco.com/t5/network-access-control/multiple-ssids-vlan-nps-authentication/m-p/2242106#M126283 <HTML><HEAD></HEAD><BODY><P>This is still not working for me.&nbsp; </P><P></P><P>With Call Station ID enabled and .*:GatewayIT$&nbsp; in the field my authentication failed.</P><P></P><P>If I simply uncheck Call Station ID the RADIUS server authenticates my session.&nbsp; </P><P></P><P>I do not see anything in relation to this in the even log.&nbsp; </P><P></P><P>Any ideas on where to go next?&nbsp;&nbsp;&nbsp;&nbsp; </P></BODY></HTML> Tue, 02 Jul 2013 20:22:40 GMT Gateway Church 2013-07-02T20:22:40Z https://community.cisco.com/t5/network-access-control/multiple-ssids-vlan-nps-authentication/m-p/2242102#M126279 <P>I have recently set up a similar network using Ruckus equipment; however, need to do it now with Cisco...</P><P></P><P>I have a multiple SSIDs associated to different VLANs broadcasting.&nbsp; I would like to configure a single Radius server pointed to my NPS server and allow for authentication by group to each SSID.&nbsp; </P><P></P><P>With Ruckus I had to put in a vendor specific custom attribute and then use Roles to allow access by AD Security Group.&nbsp; </P><P></P><P>Does anyone know how to setup something similar with Cisco?&nbsp; I just need a single group to be able to autheticate to each SSID.</P><P></P><P>Josh Price</P> Mon, 11 Mar 2019 03:35:35 GMT https://community.cisco.com/t5/network-access-control/multiple-ssids-vlan-nps-authentication/m-p/2242102#M126279 Gateway Church 2019-03-11T03:35:35Z https://community.cisco.com/t5/network-access-control/multiple-ssids-vlan-nps-authentication/m-p/2242103#M126280 <HTML><HEAD></HEAD><BODY><P>This is pretty straightforward. </P><P></P><P>Just create a NPS policy for each SSID.</P><P></P><P>A simple policy could check 3 conditions.</P><P></P><P>Windows Groups = DOMAIN\GroupABC</P><P>Called Station ID = .*:SSIDNAME$</P><P>NAS Port ID = Wireless IEEE or Wireless Other</P><P></P><P>Just change SSIDNAME to whatever the specific SSID is, and obviously the group that you want mapped.&nbsp; The SSID condition uses regex.&nbsp; </P><P></P><P></P><P>Cheers</P><P>Peter</P></BODY></HTML> Sun, 30 Jun 2013 12:03:49 GMT https://community.cisco.com/t5/network-access-control/multiple-ssids-vlan-nps-authentication/m-p/2242103#M126280 petermitchell 2013-06-30T12:03:49Z https://community.cisco.com/t5/network-access-control/multiple-ssids-vlan-nps-authentication/m-p/2242104#M126281 <HTML><HEAD></HEAD><BODY><P>Agree with peter. In case it doesn't work, please refer the NPS event viewer logs and check in case it's not hitting the right network access policy.</P><P></P><P></P><P>~BR <BR />Jatin Katyal <BR /> <BR />**Do rate helpful posts**</P></BODY></HTML> Sun, 30 Jun 2013 12:09:57 GMT https://community.cisco.com/t5/network-access-control/multiple-ssids-vlan-nps-authentication/m-p/2242104#M126281 Jatin Katyal 2013-06-30T12:09:57Z https://community.cisco.com/t5/network-access-control/multiple-ssids-vlan-nps-authentication/m-p/2242105#M126282 <HTML><HEAD></HEAD><BODY><P>Peter: Nice answer. +5.</P><P></P><P></P><P><SPAN style="color: blue;">Rating useful replies is more useful than saying <SPAN style="color: green;"> "<SPAN style="text-decoration: underline;">Thank you</SPAN>"</SPAN></SPAN></P></BODY></HTML> Mon, 01 Jul 2013 08:14:13 GMT https://community.cisco.com/t5/network-access-control/multiple-ssids-vlan-nps-authentication/m-p/2242105#M126282 Amjad Abdullah 2013-07-01T08:14:13Z https://community.cisco.com/t5/network-access-control/multiple-ssids-vlan-nps-authentication/m-p/2242106#M126283 <HTML><HEAD></HEAD><BODY><P>This is still not working for me.&nbsp; </P><P></P><P>With Call Station ID enabled and .*:GatewayIT$&nbsp; in the field my authentication failed.</P><P></P><P>If I simply uncheck Call Station ID the RADIUS server authenticates my session.&nbsp; </P><P></P><P>I do not see anything in relation to this in the even log.&nbsp; </P><P></P><P>Any ideas on where to go next?&nbsp;&nbsp;&nbsp;&nbsp; </P></BODY></HTML> Tue, 02 Jul 2013 20:22:40 GMT https://community.cisco.com/t5/network-access-control/multiple-ssids-vlan-nps-authentication/m-p/2242106#M126283 Gateway Church 2013-07-02T20:22:40Z https://community.cisco.com/t5/network-access-control/multiple-ssids-vlan-nps-authentication/m-p/2242107#M126284 <HTML><HEAD></HEAD><BODY><P>Under Called Station ID, simply use <STRONG>*GatewayIT</STRONG> and try again,</P><P></P><P></P><P>~BR <BR />Jatin Katyal <BR /> <BR />**Do rate helpful posts**</P></BODY></HTML> Tue, 02 Jul 2013 20:29:49 GMT https://community.cisco.com/t5/network-access-control/multiple-ssids-vlan-nps-authentication/m-p/2242107#M126284 Jatin Katyal 2013-07-02T20:29:49Z https://community.cisco.com/t5/network-access-control/multiple-ssids-vlan-nps-authentication/m-p/2242108#M126285 <HTML><HEAD></HEAD><BODY><P>No luck.&nbsp; I see where the formatting is coming from.&nbsp; On the controller you can set:</P><P>Config&gt;radius&gt;callstationidtype&gt;ap-macaddr-ssid - Sets Call Station Id Type to the format <APMACADDRESS>:<SSID></SSID></APMACADDRESS></P><P></P><P>By doing this a wildcard:SSIDNAME should work to specify SSID.&nbsp; Is there a way to verify what the controller is sending out?&nbsp; ANd how to write it for Microsoft NPS to understand?&nbsp;&nbsp;&nbsp;&nbsp; </P></BODY></HTML> Tue, 02 Jul 2013 21:08:13 GMT https://community.cisco.com/t5/network-access-control/multiple-ssids-vlan-nps-authentication/m-p/2242108#M126285 Gateway Church 2013-07-02T21:08:13Z https://community.cisco.com/t5/network-access-control/multiple-ssids-vlan-nps-authentication/m-p/2242109#M126286 <HTML><HEAD></HEAD><BODY><P>I guess, we can run the following debugs from the WLC CLI to verify the radius access-request:</P><P></P><P>debug client <CLIENT mac=""></CLIENT></P><P>debug aaa events enable</P><P>debug aaa packet enable</P><P></P><P></P><P>~BR <BR />Jatin Katyal <BR /> <BR />**Do rate helpful posts**</P></BODY></HTML> Tue, 02 Jul 2013 23:34:56 GMT https://community.cisco.com/t5/network-access-control/multiple-ssids-vlan-nps-authentication/m-p/2242109#M126286 Jatin Katyal 2013-07-02T23:34:56Z https://community.cisco.com/t5/network-access-control/multiple-ssids-vlan-nps-authentication/m-p/2242110#M126287 <HTML><HEAD></HEAD><BODY><P>Make sure its "called station ID" - not "calling station ID".&nbsp; You mention "Call Station ID"&nbsp; above.&nbsp; </P><P></P><P>Make sure you use conditions not constraints in NPS.</P><P></P><P>Check windows event log for more details.</P><P></P><P>Post a screenshot of your policy if your still stuck.</P></BODY></HTML> Wed, 03 Jul 2013 05:54:06 GMT https://community.cisco.com/t5/network-access-control/multiple-ssids-vlan-nps-authentication/m-p/2242110#M126287 petermitchell 2013-07-03T05:54:06Z https://community.cisco.com/t5/network-access-control/multiple-ssids-vlan-nps-authentication/m-p/2242111#M126288 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>May the link below solve your query:-</P><P></P><P><A class="jive-link-external-small" href="http://community.arubanetworks.com/t5/Authentication-and-Access/Two-SSID-s-using-802-1x-authentication-with-same-Radius-server/td-p/39038">http://community.arubanetworks.com/t5/Authentication-and-Access/Two-SSID-s-using-802-1x-authentication-with-same-Radius-server/td-p/39038</A></P></BODY></HTML> Mon, 08 Jul 2013 03:58:53 GMT https://community.cisco.com/t5/network-access-control/multiple-ssids-vlan-nps-authentication/m-p/2242111#M126288 harvisin 2013-07-08T03:58:53Z https://community.cisco.com/t5/network-access-control/multiple-ssids-vlan-nps-authentication/m-p/2242112#M126289 <HTML><HEAD></HEAD><BODY><P>Ho Josh,</P><P></P><P>Did you get a chance to check the debugs, what exactly you're seeing in the radius request? Also, make sure you have selected called-station-id as suggested by Peter.</P><P></P><P>~BR <BR />Jatin Katyal <BR /> <BR />**Do rate helpful posts**</P></BODY></HTML> Mon, 08 Jul 2013 06:13:08 GMT https://community.cisco.com/t5/network-access-control/multiple-ssids-vlan-nps-authentication/m-p/2242112#M126289 Jatin Katyal 2013-07-08T06:13:08Z https://community.cisco.com/t5/network-access-control/multiple-ssids-vlan-nps-authentication/m-p/2242113#M126290 <HTML><HEAD></HEAD><BODY><P>I am sorry everyone.&nbsp; I got it working on one ssid.&nbsp; I then matched the settings for the second and it did not work.&nbsp; I have been forced to focus on some other projects.&nbsp; I will update when I return to the issue with what I did wrong or where I get hung up.&nbsp; Thank you everyone for your help.</P></BODY></HTML> Tue, 09 Jul 2013 04:33:28 GMT https://community.cisco.com/t5/network-access-control/multiple-ssids-vlan-nps-authentication/m-p/2242113#M126290 Gateway Church 2013-07-09T04:33:28Z https://community.cisco.com/t5/network-access-control/multiple-ssids-vlan-nps-authentication/m-p/2242114#M126291 <HTML><HEAD></HEAD><BODY><P>No issues. In your next reply do include the debugs from WLC and event viewer logs from NPS for non-working SSID/USER.</P><P></P><P></P><P>~BR <BR />Jatin Katyal <BR /> <BR />**Do rate helpful posts**</P></BODY></HTML> Tue, 09 Jul 2013 14:06:57 GMT https://community.cisco.com/t5/network-access-control/multiple-ssids-vlan-nps-authentication/m-p/2242114#M126291 Jatin Katyal 2013-07-09T14:06:57Z