I have two SSIDs one for corporate users (Corp-SSID) with certificate base EAP-TLS authentication and its policy is configured on Win2008 MS Radius server as first policy and I have another SSID (corp-mobile) for Cisco 7926G wifi phones, I have configured a second radius policy for PEAP for corp-mobile SSID and I also have configured "Called Station ID" parameter under the Conditions tab with corp-mobile$.
On both policies for both SSIDs I am using the same corporate internal certificate and Corp-SSID's radius policy does not contain "Called Station ID" however corp-mobile does and Corp-SSID works fine.
But I cannot authenticate successfully on corp-mobile ssid and I followed configuration guide found on below link.
I found a Cisco documentation illustrates at above link steps 9 to 19, note below focus on creating the policy itself at section: Create a new Network Policy for the wireless users. Expand Policies, right-click Network Policies, and choose New:
I noticed, corp-mobile ssid authentication always hitting on the first policy and it never hits on the second policy configured for corp-mobile, I don't know why.
Could you please check your Called Station ID setting under the Security > RADIUS > Authentication section of your WLC. See below. This is how my WLC is set and I use a Called Station ID successfully with the same setup as you. If this doesn't work then there must be something within the first policy of yours that is matching what it is seeing from the 7926 handsets.
Thanks Bobby for your reply.
I did checked on my radius server and what selected is "AP MAC Address:SSID".
First policy of the radius server is very generic and on the handset message authentication failed.
Since you're using EAP on both networks it must be matching the first rule. Might be worth adding the Called Station ID for your Corp SSID to the first rule. Or, after hours, try moving the phone rule higher in the order before the CORP rule, then test both the mobiles and laptops again.
Else check the security event log as it should tell you what policy or conditions the mobile has matched in the first rule.
Yes that is correct, as per event-viewer logs it is hitting on the first rule which is so generic rule used by Corp-SSID.
On your radius server do you have the "Called Station ID" is configured in all policies used for wifi SSIDs useage?
Actually no I don't have one for the CORP SSID. In fact my mobile phone policy uses ONLY the called station ID condition whereas my CORP policy matches an AD computer group, IEEE 802.11 and auth type EAP. It works fine for me.
I've always found NPS a bit cumbersome at times. Sometimes you just have to play with the policies until you find the right order and conditions.
Thanks again for your post, it was helpful.
This is what worked for me.
For other readers on the this thread, solution worked is: I moved the phone-policy to top first and created Called-Station-ID such as "myPhoneSSID$" for the phone-policy, you need the dollar sign at the end of your SSID's name and I left out my Corp-SSID's policy without Called-Station-ID and its policy sitting second in the order.