Multiple SSIDs/VLAN - NPS Authentication

Gateway Church
Level 4

I have recently set up a similar network using Ruckus equipment; however, need to do it now with Cisco...

I have a multiple SSIDs associated to different VLANs broadcasting.  I would like to configure a single Radius server pointed to my NPS server and allow for authentication by group to each SSID. 

With Ruckus I had to put in a vendor specific custom attribute and then use Roles to allow access by AD Security Group. 

Does anyone know how to set up something similar with Cisco?  I just need a single group to be able to authenticate to each SSID.

Josh Price

12 Replies

petermitchell
Level 1

This is pretty straightforward.

Just create a NPS policy for each SSID.

A simple policy could check 3 conditions.

Windows Groups = DOMAIN\GroupABC

Called Station ID = .*:SSIDNAME$

NAS Port ID = Wireless IEEE or Wireless Other

Just change SSIDNAME to whatever the specific SSID is, and obviously the group that you want mapped.  The SSID condition uses regex. 

Cheers

Peter

Agree with Peter. In case it doesn't work, please refer to the NPS event viewer logs and check in case it's not hitting the right network access policy.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Peter: Nice answer. +5.

Rating useful replies is more useful than saying "Thank you"

Gateway Church
Level 4

This is still not working for me. 

With Call Station ID enabled and .*:GatewayIT$ in the field, my authentication failed.

If I simply uncheck Call Station ID the RADIUS server authenticates my session. 

I do not see anything in relation to this in the event log. 

Any ideas on where to go next?    

Under Called Station ID, simply use *GatewayIT and try again.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Gateway Church
Level 4

No luck.  I see where the formatting is coming from.  On the controller you can set:

Config>radius>callstationidtype>ap-macaddr-ssid - Sets Call Station Id Type to the format :

By doing this a wildcard:SSIDNAME should work to specify SSID.  Is there a way to verify what the controller is sending out?  And how to write it for Microsoft NPS to understand?
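The two things the thread turns on are (a) what the WLC actually puts into the RADIUS Called-Station-Id attribute, which depends on the callStationIdType setting quoted above, and (b) whether the regex in the NPS Called Station ID condition (Peter's .*:SSIDNAME$) matches that string. The Python below is an added illustration written for this thread, not code from Cisco, Microsoft or any poster: it models an NPS network policy as the three conditions Peter listed and evaluates them against constructed Access-Request values. The AP MAC, IP, SSID names, group names and policy names are made-up samples; treating the Called Station ID condition as a case-sensitive regex search, and first-match-wins policy ordering, are assumptions about NPS made for the example, so check them against your own NPS event log when troubleshooting.

```python
import re

# RADIUS NAS-Port-Type values (RFC 2865): 18 = Wireless - Other, 19 = Wireless - IEEE 802.11.
NAS_PORT_WIRELESS_OTHER = 18
NAS_PORT_WIRELESS_80211 = 19

# Constructed samples of what a WLC might place in Called-Station-Id for
# different callStationIdType settings. Only ap-macaddr-ssid carries the SSID,
# which is why an SSID regex can only ever match in that mode.
SAMPLE_CALLED_STATION_IDS = {
    "ap-macaddr-ssid": "00-11-22-33-44-55:GatewayIT",  # constructed AP MAC + SSID
    "ap-macaddr": "00-11-22-33-44-55",                  # constructed, MAC only
    "ipaddr": "192.0.2.10",                             # constructed WLC address
}

# Hypothetical NPS network policies, one per SSID, following Peter's three conditions.
SSID_POLICIES = [
    {
        "name": "WLAN-GatewayIT",
        "windows_group": "DOMAIN\\GroupIT",
        "called_station_regex": r".*:GatewayIT$",
        "nas_port_types": {NAS_PORT_WIRELESS_OTHER, NAS_PORT_WIRELESS_80211},
    },
    {
        "name": "WLAN-GatewayGuest",
        "windows_group": "DOMAIN\\GroupGuest",
        "called_station_regex": r".*:GatewayGuest$",
        "nas_port_types": {NAS_PORT_WIRELESS_OTHER, NAS_PORT_WIRELESS_80211},
    },
]


def pattern_is_valid(pattern: str) -> bool:
    """True if the string compiles as a regular expression.

    A leading '*' is a quantifier with nothing to repeat, so a value such as
    '*GatewayIT' is rejected here; a literal-prefix match needs '.*' instead.
    """
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def called_station_matches(pattern: str, called_station_id: str) -> bool:
    """Model the NPS Called Station ID condition as a regex search (assumption)."""
    return re.search(pattern, called_station_id) is not None


def sample_request(called_station_id, groups=("DOMAIN\\GroupIT",),
                   nas_port_type=NAS_PORT_WIRELESS_80211):
    """Build a minimal decoded Access-Request from constructed values."""
    return {
        "called_station_id": called_station_id,
        "user_groups": set(groups),
        "nas_port_type": nas_port_type,
    }


def policy_matches(policy: dict, request: dict) -> bool:
    """All three conditions (group, Called-Station-Id regex, NAS port type) must hold."""
    group_ok = policy["windows_group"] in request["user_groups"]
    nas_port_ok = request["nas_port_type"] in policy["nas_port_types"]
    ssid_ok = called_station_matches(policy["called_station_regex"],
                                     request["called_station_id"])
    return group_ok and nas_port_ok and ssid_ok


def evaluate_policies(policies, request):
    """Return the first matching policy name, or None if no policy applies."""
    for policy in policies:
        if policy_matches(policy, request):
            return policy["name"]
    return None


if __name__ == "__main__":
    # Show, per callStationIdType, which policy (if any) an IT-group user hits.
    for mode, csid in SAMPLE_CALLED_STATION_IDS.items():
        hit = evaluate_policies(SSID_POLICIES, sample_request(csid))
        print(f"{mode:16s} Called-Station-Id={csid!r:32s} -> {hit}")
```

Running it shows the failure mode described in the thread: with ap-macaddr-ssid the IT user lands on WLAN-GatewayIT, while the MAC-only and IP formats match no policy at all, even though the group and port-type conditions pass. The trailing $ in Peter's pattern also keeps an SSID such as GatewayIT-Guest from being caught by the GatewayIT policy.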

I guess, we can run the following debugs from the WLC CLI to verify the radius access-request:

debug client

debug aaa events enable

debug aaa packet enable

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Make sure it's "called station ID" - not "calling station ID".  You mention "Call Station ID" above. 

Make sure you use conditions not constraints in NPS.

Check windows event log for more details.

Post a screenshot of your policy if you're still stuck.

Hi Josh,

Did you get a chance to check the debugs, what exactly you're seeing in the radius request? Also, make sure you have selected called-station-id as suggested by Peter.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Gateway Church
Level 4

I am sorry everyone.  I got it working on one ssid.  I then matched the settings for the second and it did not work.  I have been forced to focus on some other projects.  I will update when I return to the issue with what I did wrong or where I get hung up.  Thank you everyone for your help.

No issues. In your next reply do include the debugs from WLC and event viewer logs from NPS for non-working SSID/USER.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin