Windows RADIUS server for wifi and anyconnect

Hassan Chalabi
Level 1

I have Wifi users group and VPN Users group in the AD.

Can I use the same RADIUS server to authenticate both? If so, how? Please help me with thoughts and ideas.

Thanks in advance.

4 Replies

Bobby Stojceski
Level 1

Yes, you can, and it depends on the systems that will be authenticating to RADIUS. For example, you might have a Cisco WLC for your wireless networks and it would be set up to authenticate against a Microsoft RADIUS/NPS server. Whereas if you have a Cisco ASA terminating your VPN clients, it would be set up to use the same RADIUS/NPS server.

Your question is very broad, so I can't help you with anything more specific than that, only to say that yes, it can certainly be done. How? Using multiple policies on that RADIUS/NPS server, but the policy settings will be very different depending on the source system, such as the authentication type (EAP-TLS, PEAP, etc.).

Yes, that's exactly the case. I have a WLC for Wi-Fi and an ASA for AnyConnect.

Some users will authenticate for both, but some users will only get Wi-Fi access.

So do you have a configuration example of how to implement a policy?

Thank you in advance.

Here is some step-by-step documentation that may help.

http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/115988-nps-wlc-config-000.html#anc11

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/117641-config-asa-00.html

That would be super easy. All you need is 2 different network access policies differentiated by the NAS IP address. For wireless access, use the WLC IP address, and for VPN users, use the ASA IP address sourcing the RADIUS traffic. This can be identified by running show run aaa-server; you should see something like inside or management.

In case you see some challenge with the above suggestion, then the other option would be to use the NAS-Port-Type.

NAS-Port-Type

Allows you to specify the type of media used by the client computer to connect to the network. For example, if you specify Ethernet, the client computer must be accessing the network over the media type of Ethernet. If you specify a media type and the client computer is connecting to the network over a different media type, the conditions of the policy are not met. For example, if the designated media type is Wireless - IEEE 802.11 and the client computer is attempting to connect to the network with a media type of Virtual (VPN), the conditions of the policy are not met.

Let me know if you have any further questions.

Regards,

Jatin

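As an added illustration (not code from this thread, nor from Cisco or Microsoft), here is a small Python model of the two-policy scheme described above: a request is matched against ordered policies on NAS-IP-Address (WLC vs. ASA), NAS-Port-Type (Wireless - IEEE 802.11 vs. Virtual (VPN)) and AD group membership, and anything that matches no policy is rejected. The NAS addresses, user names and group memberships are constructed for the example; only the RADIUS attribute codes and NAS-Port-Type values are from RFC 2865.

```python
import struct

# RADIUS attribute codes (RFC 2865)
USER_NAME, NAS_IP_ADDRESS, NAS_PORT_TYPE = 1, 4, 61
# NAS-Port-Type values: 19 = Wireless-802.11, 5 = Virtual (used for VPN)
WIRELESS_80211, VIRTUAL_VPN = 19, 5

# Constructed stand-ins for the "Wifi Users" and "VPN Users" AD groups
AD_GROUPS = {"alice": {"Wifi Users", "VPN Users"}, "bob": {"Wifi Users"}}
# Constructed NAS addresses: the WLC and the ASA interface that sources RADIUS
WLC_IP, ASA_IP = "10.0.0.10", "10.0.0.20"

# Policies are evaluated top to bottom, as NPS network policies are. Each one
# requires a NAS IP, a NAS-Port-Type and a group; the first match wins.
POLICIES = [
    ("Wireless access", WLC_IP, WIRELESS_80211, "Wifi Users"),
    ("AnyConnect VPN", ASA_IP, VIRTUAL_VPN, "VPN Users"),
]

def parse_attributes(raw):
    """Parse the attribute section of a RADIUS packet into {code: value bytes}."""
    attrs, i = {}, 0
    while i + 2 <= len(raw):
        code, length = raw[i], raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("malformed RADIUS attribute")
        attrs[code] = raw[i + 2:i + length]
        i += length
    return attrs

def build_request(user, nas_ip, port_type):
    """Build the attribute bytes of a constructed Access-Request (header omitted)."""
    name = user.encode()
    ip = bytes(int(octet) for octet in nas_ip.split("."))
    return (bytes([USER_NAME, 2 + len(name)]) + name
            + bytes([NAS_IP_ADDRESS, 6]) + ip
            + bytes([NAS_PORT_TYPE, 6]) + struct.pack("!I", port_type))

def evaluate(raw):
    """Return ("Access-Accept", policy name) or ("Access-Reject", None)."""
    attrs = parse_attributes(raw)
    if not all(code in attrs for code in (USER_NAME, NAS_IP_ADDRESS, NAS_PORT_TYPE)):
        return ("Access-Reject", None)  # a condition cannot be checked -> no match
    user = attrs[USER_NAME].decode()
    nas_ip = ".".join(str(b) for b in attrs[NAS_IP_ADDRESS])
    port_type = struct.unpack("!I", attrs[NAS_PORT_TYPE])[0]
    for name, pol_ip, pol_type, group in POLICIES:
        if nas_ip == pol_ip and port_type == pol_type and group in AD_GROUPS.get(user, set()):
            return ("Access-Accept", name)
    return ("Access-Reject", None)
```

Run with a user in both groups against the ASA and one in only the Wi-Fi group against the ASA to see why the second policy's group condition is what keeps Wi-Fi-only users off the VPN.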