
Different authentication per SSID

Hello,

Currently I have three SSIDs, each serving its purpose: Students, Staff & Guest. I want to achieve different authentication for each SSID: Students will be able to authenticate only on the Student SSID, and the same for Staff; Staff shouldn't be able to authenticate on Student and vice versa.

Is it possible with a RADIUS server to authenticate based on AD organizational units?

Any thoughts?

Thanks,

27 REPLIES 27
Highlighted

Hi Sandeep,

We are working with Hussain Al Sayed and we are at the same site.

I will post some screenshots now.

Best Regards

Ramkumar

Message was edited by: Ramkumar B

Highlighted

Hi,

Hussain Al Sayed, Ram Kumar & Waqas made the configuration in the IAS and only one policy is there. When one of the users who is a member of the targeted group tries to log in, it says the username and password are not valid, and IAS generates a warning as follows:

User zha10264 was denied access.

Fully-Qualified-User-Name = Domain-Name\zha10264

NAS-IP-Address = 172.16.3.3

NAS-Identifier = RCSICiscoWLC01

Called-Station-Identifier = 50-17-ff-34-7c-60:ICT

Calling-Station-Identifier = f0-7b-cb-41-5a-8c

Client-Friendly-Name = ciscowlan

Client-IP-Address = 172.16.3.3

NAS-Port-Type = Wireless - IEEE 802.11

NAS-Port = 13

Proxy-Policy-Name = Use Windows authentication for all users

Authentication-Provider = Windows

Authentication-Server =

Policy-Name =

Authentication-Type = PAP

EAP-Type =

Reason-Code = 16

Reason = Authentication was not successful because an unknown user name or incorrect password was used.

Any help?

Highlighted

Hi Ramkumar,

Is the shared secret the same on the switch and the IAS server?

Regards

Highlighted

Hi Sandeep,

It's working correctly now as per the following policy criteria, in order:

1. NAS-Port-Type Matches Wireless - IEEE 802.11 Or Wireless other

2. Called-Station-ID Matches "ICT.*" (which is the SSID name we are using) AND

3. Windows-Groups Matches "Domain-Name\SG-GroupName"

I have tested this by adding the targeted user to the SG-Group, and the user was able to authenticate if in that group; if not, an error message appears saying the username and password are not valid.

One last question I have is regarding the performance of the IAS server: we are targeting 900 concurrent user sessions. Will IAS Server 2003 with 2 GB RAM and 2.8 GHz x 2 vCPUs be enough?

What is your recommendation?

Thanks,

Hussain on behalf of Ram Kumar
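
The three criteria in the post above, worked through as an added example (not part of the original thread and not IAS code): it parses the attributes IAS logs, extracts the SSID from Called-Station-Identifier, and grants access only when the SSID and the user's group belong to the same policy. The `Students` SSID, the `SG-Students` group and the unanchored-search behaviour of `pattern_matches` are assumptions made for illustration.

```python
import re

# Constructed event text using attribute names and values from the thread.
SAMPLE_EVENT = """\
NAS-Port-Type = Wireless - IEEE 802.11
Called-Station-Identifier = 50-17-ff-34-7c-60:ICT
"""

# One policy per SSID. "ICT" and SG-GroupName come from the thread;
# the "Students" SSID and SG-Students group are hypothetical.
POLICIES = [
    {"ssid": "ICT", "group": r"Domain-Name\SG-GroupName"},
    {"ssid": "Students", "group": r"Domain-Name\SG-Students"},
]
WIRELESS = {"Wireless - IEEE 802.11", "Wireless - Other"}


def parse_event(text):
    """Turn 'Name = value' lines into a dict."""
    attrs = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            attrs[key.strip()] = value.strip()
    return attrs


def ssid_of(called_station_id):
    """Called-Station-Id arrives as '<AP MAC>:<SSID>'; return the SSID part."""
    m = re.fullmatch(r"(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}:(.+)", called_station_id)
    return m.group(1) if m else None


def evaluate(attrs, user_groups):
    """Return the SSID whose policy grants access, or None for a deny."""
    if attrs.get("NAS-Port-Type") not in WIRELESS:
        return None
    ssid = ssid_of(attrs.get("Called-Station-Identifier", ""))
    for policy in POLICIES:
        if ssid == policy["ssid"] and policy["group"] in user_groups:
            return policy["ssid"]
    return None


def pattern_matches(pattern, value):
    """Unanchored regex search (assumed semantics of the policy 'Matches' test)."""
    return re.search(pattern, value) is not None
```

With unanchored matching, `pattern_matches("ICT.*", "50-17-ff-34-7c-60:ICT-Guest")` is true for a hypothetical `ICT-Guest` SSID, while the anchored pattern `":ICT$"` matches only the exact SSID.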

Highlighted

Thanks for your reply, I think it is a good article as I'm not running IAS on a domain controller:

the domain controller or the computer that contains the global catalog, verify that you have an efficient domain and site topology.

Use the MaxConcurrentApi registry entry (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters) to increase the number of multiplexed connections to the domain controller.

Highlighted

Typically you would want to bring up another IAS server and point the WLC to both... If you have two WLCs, this allows you to point WLC1 to Radius1 and Radius2 for backup and WLC2 to Radius2 for primary and Radius1 for backup. The 2GB of RAM is questionable as in the past, I have seen a minimum of 8 in production networks, but I'm not a server guy.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***
Highlighted

Can you export the IAS configuration and email me it PM. Just click in the IAS server in the configuration page and click export. This way I can tweak your policy and send it back.

-Scott
Highlighted

Hi Scott,

I tried to send you a PM with an attachment yesterday, but PM doesn't have attachment options.

Highlighted

Will this file be okay for you?

netsh aaaa show config >C:\IASConfig.txt

Highlighted

Send me a PM with your email and I will reply back.

-Scott
Highlighted

Hi Scott,

I have just sent you a PM.

thanks,

Highlighted

Just replied back:)

-Scott