06-27-2013 10:57 AM - edited 03-10-2019 08:35 PM
I have recently set up a similar network using Ruckus equipment; however, I need to do it now with Cisco...
I have multiple SSIDs associated with different VLANs broadcasting. I would like to configure a single RADIUS server pointed to my NPS server and allow for authentication by group to each SSID.
With Ruckus I had to put in a vendor-specific custom attribute and then use Roles to allow access by AD Security Group.
Does anyone know how to set up something similar with Cisco? I just need a single group to be able to authenticate to each SSID.
Josh Price
06-30-2013 05:03 AM
This is pretty straightforward.
Just create a NPS policy for each SSID.
A simple policy could check 3 conditions.
Windows Groups = DOMAIN\GroupABC
Called Station ID = .*:SSIDNAME$
NAS Port ID = Wireless IEEE or Wireless Other
Just change SSIDNAME to whatever the specific SSID is, and obviously the group that you want mapped. The SSID condition uses regex.
Cheers
Peter
06-30-2013 05:09 AM
Agree with Peter. In case it doesn't work, please refer to the NPS Event Viewer logs and check whether it's hitting the right network access policy.
~BR
Jatin Katyal
**Do rate helpful posts**
07-01-2013 01:14 AM
Peter: Nice answer. +5.
Rating useful replies is more useful than saying "Thank you"
07-02-2013 01:22 PM
This is still not working for me.
With Call Station ID enabled and .*:GatewayIT$ in the field my authentication failed.
If I simply uncheck Call Station ID the RADIUS server authenticates my session.
I do not see anything in relation to this in the event log.
Any ideas on where to go next?
07-02-2013 01:29 PM
Under Called Station ID, simply use *GatewayIT and try again.
~BR
Jatin Katyal
**Do rate helpful posts**
07-02-2013 02:08 PM
No luck. I see where the formatting is coming from. On the controller you can set:
Config > RADIUS > callStationIdType > ap-macaddr-ssid - sets the Called Station ID type to that format.
By doing this, a wildcard:SSIDNAME should work to specify the SSID. Is there a way to verify what the controller is sending out? And how do I write it so that Microsoft NPS understands it?
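To tie Peter's three conditions (Windows group, Called-Station-Id regex, NAS-Port-Type) to the ap-macaddr-ssid Called-Station-Id format discussed just above, here is a small added example that emulates how NPS walks an ordered list of per-SSID network policies and picks the first one whose conditions all match. It is not code from any poster, from Cisco or from Microsoft: the AP MAC, SSID and group names are constructed sample values, the dash-separated MAC form is an assumption, and Python's re.search stands in for the .NET regex engine NPS uses (equivalent for patterns of this shape). It also shows why the ":" and "$" in the pattern ".*:SSIDNAME$" matter: a bare "GatewayIT" would also accept an SSID named OldGatewayIT or GatewayIT2.

```python
import re

# RADIUS NAS-Port-Type values (RFC 2865). NPS displays 18 as
# "Wireless - Other" and 19 as "Wireless - IEEE 802.11".
NAS_PORT_TYPE_WIRELESS_OTHER = 18
NAS_PORT_TYPE_WIRELESS_IEEE80211 = 19
NAS_PORT_TYPE_ETHERNET = 15
WIRELESS_PORT_TYPES = {NAS_PORT_TYPE_WIRELESS_OTHER, NAS_PORT_TYPE_WIRELESS_IEEE80211}

# Constructed AP radio MAC used for all sample requests.
SAMPLE_AP_MAC = "00-1a-2b-3c-4d-5e"


def called_station_id(ap_mac, ssid):
    """Build the Called-Station-Id a WLC sends with callStationIdType
    ap-macaddr-ssid: AP MAC, a colon, then the SSID. The dash-separated
    MAC form is an assumption; the patterns below only rely on ':SSID'."""
    return f"{ap_mac}:{ssid}"


# Per-SSID network policies in the order NPS evaluates them (first match
# wins). Each policy ANDs its group and Called-Station-Id conditions; the
# NAS-Port-Type condition is shared and checked in matches().
POLICIES = [
    {"name": "WiFi GatewayIT",
     "group": r"DOMAIN\GatewayIT",
     "called_station_id": r".*:GatewayIT$"},
    {"name": "WiFi Staff",
     "group": r"DOMAIN\Staff",
     "called_station_id": r".*:Staff$"},
]


def make_request(groups, ssid, nas_port_type=NAS_PORT_TYPE_WIRELESS_IEEE80211,
                 ap_mac=SAMPLE_AP_MAC):
    """Constructed Access-Request: the user's group memberships plus the two
    RADIUS attributes the policies look at."""
    return {
        "groups": set(groups),
        "called_station_id": called_station_id(ap_mac, ssid),
        "nas_port_type": nas_port_type,
    }


def matches(policy, request):
    """All three conditions must hold, as in an NPS network policy."""
    if policy["group"] not in request["groups"]:
        return False
    if request["nas_port_type"] not in WIRELESS_PORT_TYPES:
        return False
    # NPS evaluates the Called-Station-Id condition as a regular expression.
    return re.search(policy["called_station_id"], request["called_station_id"]) is not None


def select_policy(request, policies=POLICIES):
    """Return the name of the first matching policy, or None (NPS would then
    fall through to any later policy, e.g. a deny-all)."""
    for policy in policies:
        if matches(policy, request):
            return policy["name"]
    return None


def pattern_matches_ssids(pattern, ssids, ap_mac=SAMPLE_AP_MAC):
    """Which of the given SSIDs a Called-Station-Id pattern would accept."""
    return [s for s in ssids if re.search(pattern, called_station_id(ap_mac, s))]


if __name__ == "__main__":
    ssids = ["GatewayIT", "GatewayIT2", "OldGatewayIT"]
    print("anchored pattern accepts:", pattern_matches_ssids(r".*:GatewayIT$", ssids))
    print("bare pattern accepts:    ", pattern_matches_ssids(r"GatewayIT", ssids))
    print(select_policy(make_request({r"DOMAIN\GatewayIT"}, "GatewayIT")))
    print(select_policy(make_request({r"DOMAIN\GatewayIT"}, "Staff")))
```

Running it shows the anchored pattern accepting only GatewayIT while the bare pattern accepts all three SSIDs, and a GatewayIT group member being matched on the GatewayIT SSID but not on the Staff SSID. The same request sent with NAS-Port-Type 15 (Ethernet) matches no policy, which is the effect of Peter's third condition.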
07-02-2013 04:34 PM
I guess we can run the following debugs from the WLC CLI to verify the RADIUS Access-Request:
debug client
debug aaa events enable
debug aaa packet enable
~BR
Jatin Katyal
**Do rate helpful posts**
07-02-2013 10:54 PM
Make sure its "called station ID" - not "calling station ID". You mention "Call Station ID" above.
Make sure you use conditions not constraints in NPS.
Check windows event log for more details.
Post a screenshot of your policy if you're still stuck.
07-07-2013 11:13 PM
Hi Josh,
Did you get a chance to check the debugs? What exactly are you seeing in the RADIUS request? Also, make sure you have selected Called-Station-Id as suggested by Peter.
~BR
Jatin Katyal
**Do rate helpful posts**
07-07-2013 08:58 PM
Hello,
May the link below solve your query:
07-08-2013 09:33 PM
I am sorry, everyone. I got it working on one SSID. I then matched the settings for the second and it did not work. I have been forced to focus on some other projects. I will update when I return to the issue with what I did wrong or where I get hung up. Thank you, everyone, for your help.
07-09-2013 07:06 AM
No issues. In your next reply, do include the debugs from the WLC and the Event Viewer logs from NPS for the non-working SSID/user.
~BR
Jatin Katyal
**Do rate helpful posts**