topic Re: Different authentication per SSID in Wireless

Different authentication per SSID

habibalby — Mon, 05 Jul 2021 07:02:10 GMT

Hello,

Currently I have three SSIDs each serving it's purpose.. Students, Staff & Guest.. I want to archive different authentication for each SSID, Students will be able to only authenticate only on the Student SSID and same for Staff, Staff shouldn't be able to authenticate on Student and vs..

Is it's possible with Radius server to be authenticated based on AD organizational units?

Any thoughs?

Thanks,

Different authentication per SSID

Scott Fella — Thu, 23 Jan 2014 11:27:33 GMT

Yes... there is a radius attribute... called-station-id which you can use to differentiate between the SSID's. This is passed in that attribute and you would create two policies, one for student and one for staff.

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

Re: Different authentication per SSID

Scott Fella — Thu, 23 Jan 2014 11:28:54 GMT

Here are some links:

https://supportforums.cisco.com/thread/2098434

http://mrncciew.com/2013/07/22/called-calling-station-id/

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

Re: Different authentication per SSID

Scott Fella — Thu, 23 Jan 2014 11:30:41 GMT

What radius server do you have?

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

Different authentication per SSID

habibalby — Thu, 23 Jan 2014 12:17:16 GMT

Hello,

I'm using Windows 2003 as Radius server..

Re: Different authentication per SSID

Scott Fella — Thu, 23 Jan 2014 12:36:26 GMT

You should be able to still use the called-station-ID radius attribute for this.

Sent from Cisco Technical Support iPhone App

Re: Different authentication per SSID

Scott Fella — Thu, 23 Jan 2014 12:39:48 GMT

Take a look at this thread also. Has some links you can follow.

https://supportforums.cisco.com/thread/2217685

Sent from Cisco Technical Support iPhone App

Different authentication per SSID

habibalby — Wed, 29 Jan 2014 10:05:33 GMT

Hello Scott,

I have gone through the tutorials you have given and what I understood is The Called-Station-id is being used for MAC authentication against the devices connected into the WiFi Network, but not against Active Directory username.

I have tried now creating Guest SSID and in that Guest SSID, I have made the Authentication based on LOCAL only. This works perfect as it allows only the users created under the LobbyAdmin are being authenticated and not the Active Directory Accounts.

I would like to do the same on but on different SSID, on the Staff which only be applied on the Staff-Security-AD-Group and on Student SSID where only be applied on Student-Security-AD-Group. This will eliminate the Staff from being authenticated on Student SSID & Guest SSID and same for Students which will be eliminated from being authenticated on the Staff & Guest SSID as well.

Is it ahieveable with Raius Server 2003?

Different authentication per SSID

Scott Fella — Wed, 29 Jan 2014 13:14:16 GMT

Yes it is... you would have to create two separate policies in your IAS 2003 radius server. The only difference between the two would be the called-station-id and the AD group mapping. WIth IAS, you need to use a regex like something like this. If your ssid was named secure:

.*secure

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

Different authentication per SSID

habibalby — Wed, 29 Jan 2014 15:52:34 GMT

Hi Scott,

Thanks for your reply. Do you an example configuration on Radius and what sort of additional configuration would WLC required?

Different authentication per SSID

Scott Fella — Wed, 29 Jan 2014 15:57:13 GMT

I really need to know how everything is setup, which makes it hard to explain the setup over the forum. The only thing I can really help with is if you post your show run-config and screen shots of your radius policies so I can see what you need to do. Also I would need to know what you want for each of the ssids.

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

Different authentication per SSID

habibalby — Wed, 29 Jan 2014 16:00:27 GMT

Will give you all the details tonight or tomorrow morning.

Different authentication per SSID

Scott Fella — Wed, 29 Jan 2014 16:12:00 GMT

No problem

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

Different authentication per SSID

ramkumar-b — Sat, 01 Feb 2014 10:57:37 GMT

Hi Scott,

we are here, would you like to give example on Radius server 2003 how this would be configured?

Different authentication per SSID

Sandeep Choudhary — Sat, 01 Feb 2014 11:01:29 GMT

HI Ramkumar,

Can you please create a new thred and post your issue in brief.

Regards

Re: Different authentication per SSID

ramkumar-b — Sat, 01 Feb 2014 11:05:14 GMT

Hi Sandeep,

We are working with Hussain Al Sayed and we are at the same site.

I will post some screenshots now.

Best Regards

Ramkumar

Message was edited by: Ramkumar B

Re: Different authentication per SSID

ramkumar-b — Sat, 01 Feb 2014 11:36:11 GMT

Hi,

Hussain Al Sayed, Ram Kumar & Waqas made the configuraiton in the IAS and only one Policy is there, when one of the user who is member of the targgeted group tryies to login, it says username and password is not valid and IAS generate warning as follows;

User zha10264 was denied access.

Fully-Qualified-User-Name = Domain-Name\zha10264

NAS-IP-Address = 172.16.3.3

NAS-Identifier = RCSICiscoWLC01

Called-Station-Identifier = 50-17-ff-34-7c-60:ICT

Calling-Station-Identifier = f0-7b-cb-41-5a-8c

Client-Friendly-Name = ciscowlan

Client-IP-Address = 172.16.3.3

NAS-Port-Type = Wireless - IEEE 802.11

NAS-Port = 13

Proxy-Policy-Name = Use Windows authentication for all users

Authentication-Provider = Windows

Authentication-Server =

Policy-Name =

Authentication-Type = PAP

EAP-Type =

Reason-Code = 16

Reason = Authentication was not successful because an unknown user name or incorrect password was used.

Any help?

Re: Different authentication per SSID

Sandeep Choudhary — Sat, 01 Feb 2014 11:43:58 GMT

HI Ramkumar,

is there shared secret is same on swicth and IAS server ?

Regards

Re: Different authentication per SSID

ramkumar-b — Sat, 01 Feb 2014 12:08:50 GMT

Hi Snadeep,

Its working now correctly as per the following policy criteria; in order

1.NAS-Port-Type Matches Wireless - IEEE 802.11 Or Wireless other

2. Called-Station-ID Matches "ICT.*" AND "Which is the SSID Name we are using

3. Windows-Groups Matches "Domain-Name\SG-GroupName

I have tested this by adding targetted user in the SG-Group and user was able to be authenticated if it's in that Group, if not, error message will appear Username and Password as not valid.

One last question i Have regarding the performance on the IAS Server, we are targeting 900 concurrent user session, will IAS Server 2003 having 2 GB ram and 2.8 GHz x 2 vCPUs will it be enough?

What is your recommendation?

Thanks,

Hussain on behalf of Ram Kumar

Re: Different authentication per SSID

Sandeep Choudhary — Sat, 01 Feb 2014 12:20:13 GMT

HI,

You can check this:

http://technet.microsoft.com/en-us/library/cc758523(v=ws.10).aspx

http://technet.microsoft.com/en-us/library/bb742387.aspx

Hope this helps.

Reagrds