https://community.cisco.com/t5/wireless/801-x-wlans-authenticated-via-radius-and-active-directory-permit/m-p/2577715#M51581 <P>Scoot is correct. This is also assumimh your other wlans are all dot1x&nbsp;</P> Fri, 26 Dec 2014 20:21:55 GMT George Stefanick 2014-12-26T20:21:55Z https://community.cisco.com/t5/wireless/801-x-wlans-authenticated-via-radius-and-active-directory-permit/m-p/2577713#M51578 <P>Hi,</P><P>I have configured several WLANs with WPA2 and 8021.x which authenticate users <SPAN class="short_text" id="result_box" lang="en"><SPAN class="hps">through Radius server (Windows Internet authentication service) that conects with an Active Directory, into the AD exists one user group for each WLAN but the problem is that any user that was added to some group can get access to any WLAN, does anyboby know if I need some configuraion on the WLC to restric that?</SPAN></SPAN></P><P><SPAN class="short_text" lang="en"><SPAN class="hps">thanks for your help.</SPAN></SPAN></P> Mon, 05 Jul 2021 09:11:07 GMT https://community.cisco.com/t5/wireless/801-x-wlans-authenticated-via-radius-and-active-directory-permit/m-p/2577713#M51578 Alejandro.Angon 2021-07-05T09:11:07Z https://community.cisco.com/t5/wireless/801-x-wlans-authenticated-via-radius-and-active-directory-permit/m-p/2577714#M51579 <P>The WLC doesn't prevent that, it's your radius policies that you need to look at. Maybe creating a new User Group for specific SSIDs and place users in one of those specific groups and then have a radius policy look at the called station id since the SSID will be present there and then create a policy that points to that specific User Group for that SSID.&nbsp;</P><P>-Scott</P> Fri, 26 Dec 2014 19:19:36 GMT https://community.cisco.com/t5/wireless/801-x-wlans-authenticated-via-radius-and-active-directory-permit/m-p/2577714#M51579 Scott Fella 2014-12-26T19:19:36Z https://community.cisco.com/t5/wireless/801-x-wlans-authenticated-via-radius-and-active-directory-permit/m-p/2577715#M51581 <P>Scoot is correct. This is also assumimh your other wlans are all dot1x&nbsp;</P> Fri, 26 Dec 2014 20:21:55 GMT https://community.cisco.com/t5/wireless/801-x-wlans-authenticated-via-radius-and-active-directory-permit/m-p/2577715#M51581 George Stefanick 2014-12-26T20:21:55Z https://community.cisco.com/t5/wireless/801-x-wlans-authenticated-via-radius-and-active-directory-permit/m-p/2577716#M51582 <P>Hi Scott,</P><P>I have done some test modifying the Radius Policy to look at called station ID and test too looking at the NAS-ID, In the first case, I change the Call Station ID Type into WLC RADIUS Authentication Servers configuration to <STRONG>AP MAC Address:SSID</STRONG> and AP <STRONG>Name:SSID</STRONG> and into the Radius Server using <STRONG>.*:SSID-NAME$</STRONG> and <STRONG>SSID-NAME$</STRONG> ,but it blocks access for any user. In the second case, I change the NAS-ID into WLC WLAN and interface confguration and into the radius server Policy to match all, but it doesn´t have any impact, what other test could I try?</P><P>thanks for your help.&nbsp;</P> Wed, 07 Jan 2015 18:18:21 GMT https://community.cisco.com/t5/wireless/801-x-wlans-authenticated-via-radius-and-active-directory-permit/m-p/2577716#M51582 Alejandro.Angon 2015-01-07T18:18:21Z https://community.cisco.com/t5/wireless/801-x-wlans-authenticated-via-radius-and-active-directory-permit/m-p/2577717#M51584 <P>Hi,</P><P>I have done some test installing a new Radius Server (Windows NPS) and adding a condition that evaluates the called station ID into the Network Policy and keeping the default IP address option into the WLC Radius server configuration and now user group restricctions works</P><P>ragards.</P> Sun, 01 Feb 2015 23:28:48 GMT https://community.cisco.com/t5/wireless/801-x-wlans-authenticated-via-radius-and-active-directory-permit/m-p/2577717#M51584 Alejandro.Angon 2015-02-01T23:28:48Z