08-06-2016 04:29 PM - edited 03-10-2019 11:58 PM
I have Wifi users group and VPN Users group in the AD.
Can I use the same RADIUS server to authenticate both? If so, how? Please help me with thoughts and ideas.
Thanks in advance.
08-07-2016 03:48 PM
Yes you can, and it depends on the systems that will be authenticating to RADIUS. For example, you might have a Cisco WLC for your wireless networks and it would be set up to authenticate against a Microsoft RADIUS/NPS server. Whereas if you have a Cisco ASA terminating your VPN clients, it would be set up to use the same RADIUS/NPS server.
Your question is very broad, so I can't help you with anything more specific than that, only to say yes, it can certainly be done. How? Using multiple policies on that RADIUS/NPS server, but the policy settings will be very different depending on the source system, such as authentication type (EAP-TLS, PEAP etc.).
08-07-2016 08:41 PM
Yes, that's exactly the case, I have a WLC for Wifi and an ASA for AnyConnect.
Some users will authenticate for both, but some users will only get Wifi access.
So, do you have a configuration example of how to implement a policy?
Thank you in advance.
08-12-2016 01:41 PM
Here is some step-by-step documentation that may help.
http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/115988-nps-wlc-config-000.html#anc11
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/117641-config-asa-00.html
08-12-2016 03:22 PM
That would be super easy, all you need is to have 2 different network access policies differentiated by the NAS IP address. For wireless access, use the WLC IP address and for VPN users, use the ASA IP address sourcing the RADIUS traffic - this can be identified by running show run aaa-server, you should see something like inside or management.
In case you see some challenge with the above suggestion then the other option would be to use NAS-Port-Type.
NAS-Port-Type
Allows you to specify the type of media used by the client computer to connect to the network. For example, if you specify Ethernet, the client computer must be accessing the network over the media type of Ethernet. If you specify a media type and the client computer is connecting to the network over a different media type, the conditions of the policy are not met. For example, if the designated media type is Wireless - IEEE 802.11 and the client computer is attempting to connect to the network with a media type of Virtual (VPN), the conditions of the policy are not met.
Let me know if you have any further questions.
Regards,
Jatin
~ Do rate helpful posts.
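The two ways of splitting the policies described in the post above (by NAS IP address, or by NAS-Port-Type) can be modelled to see which request lands on which policy. The following is an added example and not code from the thread, from Cisco, or from Microsoft NPS; it is a small Python model of NPS-style policy matching, with first-match semantics assumed, and every address, group name, user and RADIUS request is constructed for the example. The NAS-Port-Type numbers (5 = Virtual, 19 = Wireless - IEEE 802.11) are the standard RFC 2865 values.

```python
"""
Added example, not code from the thread or from Cisco/Microsoft: a small model
of two NPS-style network policies that separate wireless (WLC) and VPN (ASA)
RADIUS requests, using either the NAS-IP-Address of the RADIUS client or the
NAS-Port-Type attribute, combined with an AD group condition.
All addresses, group names, users and requests below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# NAS-Port-Type values from RFC 2865 that matter here
NAS_PORT_TYPE_VIRTUAL = 5          # VPN sessions (ASA / AnyConnect)
NAS_PORT_TYPE_WIRELESS_80211 = 19  # 802.11 clients behind a WLC

# Constructed RADIUS client addresses: the WLC management address and the ASA
# interface that sources RADIUS (the one 'show run aaa-server' would show)
WLC_IP = "192.0.2.10"
ASA_IP = "192.0.2.20"

# Constructed stand-in for AD group membership
DIRECTORY = {
    "alice": {"Wifi Users", "VPN Users"},  # gets both wireless and VPN
    "bob": {"Wifi Users"},                 # wireless only
}


@dataclass
class Policy:
    name: str
    group: str                             # Windows Groups condition
    nas_ip: Optional[str] = None           # NAS-IP-Address condition
    nas_port_type: Optional[int] = None    # NAS-Port-Type condition

    def matches(self, request: dict, groups: set) -> bool:
        """Every configured condition must hold, as in an NPS network policy."""
        if self.nas_ip is not None and request.get("NAS-IP-Address") != self.nas_ip:
            return False
        if self.nas_port_type is not None and request.get("NAS-Port-Type") != self.nas_port_type:
            return False
        return self.group in groups


def evaluate(policies, request, directory=DIRECTORY):
    """Return (decision, policy name) for a RADIUS request.

    Assumed semantics: policies are tried in order and the first one whose
    conditions all match grants access; if none matches, the request is
    rejected. A VPN-only user hitting the WLC, or a wireless-only user hitting
    the ASA, therefore matches no policy and is rejected.
    """
    groups = directory.get(request.get("User-Name", ""), set())
    for policy in policies:
        if policy.matches(request, groups):
            return "Access-Accept", policy.name
    return "Access-Reject", None


# Option 1 from the thread: differentiate by the RADIUS client (NAS) address
POLICIES_BY_NAS_IP = [
    Policy("Wireless via WLC", group="Wifi Users", nas_ip=WLC_IP),
    Policy("VPN via ASA", group="VPN Users", nas_ip=ASA_IP),
]

# Option 2 from the thread: differentiate by NAS-Port-Type instead
POLICIES_BY_PORT_TYPE = [
    Policy("Wireless 802.11", group="Wifi Users",
           nas_port_type=NAS_PORT_TYPE_WIRELESS_80211),
    Policy("Virtual (VPN)", group="VPN Users",
           nas_port_type=NAS_PORT_TYPE_VIRTUAL),
]

# Constructed sample requests as the WLC and ASA would send them
WIFI_REQUEST_BOB = {"User-Name": "bob", "NAS-IP-Address": WLC_IP,
                    "NAS-Port-Type": NAS_PORT_TYPE_WIRELESS_80211}
VPN_REQUEST_BOB = {"User-Name": "bob", "NAS-IP-Address": ASA_IP,
                   "NAS-Port-Type": NAS_PORT_TYPE_VIRTUAL}
VPN_REQUEST_ALICE = {"User-Name": "alice", "NAS-IP-Address": ASA_IP,
                     "NAS-Port-Type": NAS_PORT_TYPE_VIRTUAL}

if __name__ == "__main__":
    for label, policies in (("by NAS IP", POLICIES_BY_NAS_IP),
                            ("by NAS-Port-Type", POLICIES_BY_PORT_TYPE)):
        for req in (WIFI_REQUEST_BOB, VPN_REQUEST_BOB, VPN_REQUEST_ALICE):
            print(label, req["User-Name"], req["NAS-IP-Address"],
                  evaluate(policies, req))
```

Running it shows bob accepted on the wireless policy and rejected on VPN under both schemes, while alice is accepted on both; this is the check to repeat in the NPS event log once the real policies are in place, since a user landing on the wrong policy is the usual sign that the policy order or the NAS IP condition is off.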