Multiple SSID authentication with NPS

mataalfredo
Level 1

Hello all,

I have a Wireless LAN controller and multiple Cisco APs with 8 SSIDs configured, one for each business department.

I want to allow Windows users to authenticate only to their specific SSID and Windows group. I have a Microsoft NPS for user authentication, but I don't know how to validate the SSID and the domain user at the same time.

I read on some websites about the VSA parameters, but I don't know how to configure the controller to send the SSID to my NPS, or what I need to configure in my RADIUS server to validate both conditions, username and SSID.

Any help will be really appreciated.

Accepted Solution

Scott Fella
Hall of Fame

For the SSID, you just need to add the Called-Station-Id or use the WLAN-ID RADIUS attribute. See the following links.

http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/fa662135-3ddd-4699-a8eb-83f9f85b5674/

https://lavazzza.wordpress.com/2010/05/29/wlc-school-for-network-admin’s-who-can-read-real-good-part-2-ok-so-it-has-been-awhile/


-Scott

15 Replies


I already tried to use the Called-Station-Id and it is not working. Do you need to type a specific command on the WLC?

After reviewing the logs in NPS, I modified the Called-Station-Id and it's working now.

Thanks for the answer.

No problem. Just be careful when you start upgrading the WLC. There might be a point in time when the SSID will not be passed in the Called-Station-Id attribute. The WLAN-ID would then have to be used. This would require all your SSIDs to have identical WLAN IDs.

-Scott

Just an FYI.... The newer v7.4 code doesn't send the SSID in the RADIUS packet. I ran into that using the v7.4 beta, so I had to change my policy to look at the WLAN-ID instead.

-Scott

Hi! Can you explain how to change the policy to WLAN-ID?

Currently I use Called-Station-Id: http://i.imgur.com/06g0Lnd.png

Thanks!

Hey Scott, I know this post is old, but I wanted to verify this: with the SSID in the Called-Station-Id, did you face any issues with the newer versions? I'm wondering if 7.4 had an issue that perhaps got fixed. Looks like 8.x is fine.

Thank you in advance for confirming.

Abhishek Abhishek
Cisco Employee

Hello Fredo,

As per your query, I can suggest the following solution:

With 8 SSIDs configured, to validate the SSID together with the domain user you just need to add the Called-Station-Id to the NPS policy, or use the WLAN-ID RADIUS attribute to achieve the same.

Hope this will help.

Thanks, I will have a look at it.

Should work out fine; otherwise let me know and I can bring up an NPS server and show you a test policy. The links should help, though.

-Scott

Sven Kutzer
Level 1

The best way is to use the "Called Station ID" in the policy under Conditions.

We added the regex pattern "$" to match the string at the end.

If your SSID is "DATA", then use the condition in the policy -> Called Station ID - DATA$

Attached you can find a sample...

Best regards,

Sven

Hi,

What is the point of having DATA$? Currently each SSID has a Called-Station-Id condition of .SSIDName* in each RADIUS policy and it works fine the way I want it.

Could you please elaborate on this?

Thanks

Hi,

The "$" is a metacharacter in regular expressions: it matches the ending position of the string, or the position just before a string-ending newline. In line-based tools, it matches the ending position of any line.

So this means you can take the name of your SSID and attach the "$" sign to get the right condition.

Regards,

Sven
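The following is an added example, not code from the original thread or from Cisco or Microsoft. It uses Python's `re` module to stand in for the regex engine NPS applies to a Called-Station-Id condition, and compares the pattern styles mentioned above (an unanchored `DATA`, Sven's `DATA$`, the `.SSIDName*` style from the earlier reply, and a fully anchored `:DATA$`) against a few constructed Called-Station-Id values. It assumes the WLC is sending the attribute in the `<AP radio MAC>:<SSID>` form visible in the thread's screenshots; the policy names and Windows group names are hypothetical.

```python
import re
from typing import List, Optional, Set, Tuple

# Constructed sample Called-Station-Id values in the "<AP radio MAC>:<SSID>" form
# the thread's screenshots show. Assumption: the WLC is configured to send MAC:SSID.
CALLED_STATION_IDS = [
    "00-1A-2B-3C-4D-5E:DATA",
    "00-1A-2B-3C-4D-5E:DATA-GUEST",
    "00-1A-2B-3C-4D-5E:CORPDATA",
    "00-1A-2B-3C-4D-5E:FINANCE",
]

# Hypothetical NPS network policies in processing order:
# (policy name, Called-Station-Id condition, required Windows group).
POLICIES: List[Tuple[str, str, str]] = [
    ("Wireless DATA", r":DATA$", "Data-Users"),
    ("Wireless DATA-GUEST", r":DATA-GUEST$", "Guest-Users"),
    ("Wireless FINANCE", r":FINANCE$", "Finance-Users"),
]


def condition_matches(pattern: str, value: str) -> bool:
    """NPS evaluates a string condition as an unanchored regular-expression
    search, so a pattern without ^ or $ matches anywhere in the attribute.
    re.search behaves the same way for the patterns used in this thread."""
    return re.search(pattern, value) is not None


def ssids_allowed_by(pattern: str,
                     called_station_ids: List[str] = CALLED_STATION_IDS) -> List[str]:
    """Return the SSIDs (text after the colon) that a Called-Station-Id condition lets through."""
    return [
        csid.split(":", 1)[1]
        for csid in called_station_ids
        if condition_matches(pattern, csid)
    ]


def authorize(user_groups: Set[str], called_station_id: str,
              policies: List[Tuple[str, str, str]] = POLICIES) -> Optional[str]:
    """First-match policy evaluation, as NPS does it: return the name of the first
    policy whose Called-Station-Id condition and group condition both hold,
    or None when nothing matches (NPS then rejects the request)."""
    for name, pattern, group in policies:
        if condition_matches(pattern, called_station_id) and group in user_groups:
            return name
    return None


if __name__ == "__main__":
    # The pattern styles from the thread, side by side.
    for pattern in ("DATA", "DATA$", ".DATA*", ":DATA$"):
        print(f"{pattern:8} -> {ssids_allowed_by(pattern)}")
    # A Data-Users member should only ever land on the DATA SSID.
    print(authorize({"Data-Users"}, "00-1A-2B-3C-4D-5E:DATA"))        # Wireless DATA
    print(authorize({"Data-Users"}, "00-1A-2B-3C-4D-5E:DATA-GUEST"))  # None
```

Running it shows why the anchor matters: `DATA` and `.DATA*` both let a Data-Users member through on DATA-GUEST and CORPDATA, `DATA$` still admits CORPDATA, and only `:DATA$` (colon on the left, `$` on the right) pins the condition to exactly that SSID. If, as Scott describes for some WLC releases, the SSID stops appearing in Called-Station-Id, the SSID condition has to move to the WLAN-ID attribute instead; the group condition in each policy stays the same.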

Hi Sir,

Does this also work in a scenario where one user is able to connect to any SSID, as long as they are in the group specified in the condition?
