Solved: 5508 controller with Radius authentication

Stephane Richard · ‎02-17-2012

Hi,

I am setting up a WIFI network with a Cisco 5508 controller. I want to configure a first WIFI network (WIFI1) that will authenticate my business laptop based on the AD computer accounts and will access my corporate network.

I want to setup a second WIFI network (WIFI2) that will authenticate my phones and tablets devices with AD user accounts and will be on a separate vlan with only access to the Internet.

I created 2 policies on the Radius server : one that authenticate computers coming from wireless and a second one authenticating users coming from wireless.

Right now, if a user manually creates the WIFI1 network on his phone and enter his AD username, he is going to have access to the corporate network. I would like to be able to say that when a request is coming from WIFI1, only the policy for authenticating wireless devices with computer accounts will apply and the second policy authenticating user wouldn't apply.

Is this something possible?

Thanks

Justin Kurynny · ‎02-17-2012

Stephane,

If you are using IAS or NPS as your RADIUS server, you can add the Called-Station-ID condition to each policy and use the WLAN name as the conditional value. When the WLC sends this value to the RADIUS server during authentication, the last part of that string is the WLAN name.

In your first access policy, add a condition for Called-Station-ID = WIFI2. Any client that is not a device (i.e., users) will not use this policy and the server will move to the next policy.

In your second access policy, add a condition for Called-Station-ID = WIFI1. Any client that is not a user (devices and everything else) will not use this policy.

Screenshot example using NPS, where my WLAN name of interest is 2106-voice

If you are using ACS, this post should help:

https://supportforums.cisco.com/message/3374582#3374582

Justin

View solution in original post

Justin Kurynny · ‎02-17-2012