https://community.cisco.com/t5/wireless/5508-controller-with-radius-authentication/m-p/1838657#M69256 <DIV><P>Hi,</P><P></P><P>I am setting up a WIFI network with a Cisco 5508 controller.&nbsp; I want&nbsp; to configure a first WIFI network (WIFI1) that will authenticate my&nbsp; business laptop based on the AD computer accounts and will access my&nbsp; corporate network. </P><P></P><P>I want to setup a second WIFI network (WIFI2) that will authenticate&nbsp; my phones and tablets devices with AD user accounts and will be on a&nbsp; separate vlan with only access to the Internet.</P><P></P><P>I created 2 policies on the Radius server : one that authenticate&nbsp; computers coming from wireless and a second one authenticating users&nbsp; coming from wireless.</P><P></P><P>Right now, if a user manually creates the WIFI1 network on his phone&nbsp; and enter his AD username, he is going to have access to the corporate&nbsp; network.&nbsp; I would like to be able to say that when a request is coming&nbsp; from WIFI1, only the policy for authenticating&nbsp; wireless devices with computer accounts will apply and the second&nbsp; policy authenticating user wouldn't apply.</P><P></P><P>Is this something possible?</P><P></P><P>Thanks</P></DIV> Sun, 04 Jul 2021 04:36:27 GMT Stephane Richard 2021-07-04T04:36:27Z https://community.cisco.com/t5/wireless/5508-controller-with-radius-authentication/m-p/1838657#M69256 <DIV><P>Hi,</P><P></P><P>I am setting up a WIFI network with a Cisco 5508 controller.&nbsp; I want&nbsp; to configure a first WIFI network (WIFI1) that will authenticate my&nbsp; business laptop based on the AD computer accounts and will access my&nbsp; corporate network. </P><P></P><P>I want to setup a second WIFI network (WIFI2) that will authenticate&nbsp; my phones and tablets devices with AD user accounts and will be on a&nbsp; separate vlan with only access to the Internet.</P><P></P><P>I created 2 policies on the Radius server : one that authenticate&nbsp; computers coming from wireless and a second one authenticating users&nbsp; coming from wireless.</P><P></P><P>Right now, if a user manually creates the WIFI1 network on his phone&nbsp; and enter his AD username, he is going to have access to the corporate&nbsp; network.&nbsp; I would like to be able to say that when a request is coming&nbsp; from WIFI1, only the policy for authenticating&nbsp; wireless devices with computer accounts will apply and the second&nbsp; policy authenticating user wouldn't apply.</P><P></P><P>Is this something possible?</P><P></P><P>Thanks</P></DIV> Sun, 04 Jul 2021 04:36:27 GMT https://community.cisco.com/t5/wireless/5508-controller-with-radius-authentication/m-p/1838657#M69256 Stephane Richard 2021-07-04T04:36:27Z https://community.cisco.com/t5/wireless/5508-controller-with-radius-authentication/m-p/1838658#M69257 <HTML><HEAD></HEAD><BODY><P>Stephane,</P><P></P><P>If you are using IAS or NPS as your RADIUS server, you can add the <EM>Called-Station-ID</EM> condition to each policy and use the WLAN name as the conditional value. When the WLC sends this value to the RADIUS server during authentication, the last part of that string is the WLAN name.</P><P></P><UL><LI>In your first access policy, add a condition for Called-Station-ID = WIFI2. Any client that is not a device (i.e., users) will not use this policy and the server will move to the next policy.</LI></UL><P><SPAN style="line-height: 0px;"></SPAN></P><UL><LI>In your second access policy, add a condition for Called-Station-ID = WIFI1. Any client that is not a user (devices and everything else) will not use this policy.</LI></UL><P></P><P>Screenshot example using NPS, where my WLAN name of interest is <EM>2106-voice</EM></P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/5/4/7/77745-called-station-id.png" class="jive-image" /></P><P></P><P></P><P></P><P>If you are using ACS, this post should help:</P><P></P><P><A _jive_internal="true" href="https://community.cisco.com/message/3374582#3374582">https://supportforums.cisco.com/message/3374582#3374582</A></P><P></P><P></P><P>Justin</P></BODY></HTML> Fri, 17 Feb 2012 17:07:03 GMT https://community.cisco.com/t5/wireless/5508-controller-with-radius-authentication/m-p/1838658#M69257 Justin Kurynny 2012-02-17T17:07:03Z