802.1X WLANs authenticated via RADIUS and Active Directory permit any user to access any WLAN

Alejandro.Angon
Level 1

Hi,

I have configured several WLANs with WPA2 and 802.1X which authenticate users through a RADIUS server (Windows Internet Authentication Service) that connects to an Active Directory. In the AD there is one user group for each WLAN, but the problem is that any user that was added to some group can get access to any WLAN. Does anybody know if I need some configuration on the WLC to restrict that?

thanks for your help.

Accepted Solution

Scott Fella
Hall of Fame

The WLC doesn't prevent that; it's your RADIUS policies that you need to look at. Maybe create a new user group for each specific SSID, place users in one of those specific groups, and then have a RADIUS policy look at the Called-Station-Id, since the SSID will be present there, and create a policy that points to that specific user group for that SSID.

-Scott


4 Replies


Scott is correct. This is also assuming your other WLANs are all dot1x.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin

Hi Scott,

I have done some tests modifying the RADIUS policy to look at the Called-Station-Id, and also tested looking at the NAS-ID. In the first case, I changed the Call Station ID Type in the WLC RADIUS Authentication Servers configuration to AP MAC Address:SSID and AP Name:SSID, and in the RADIUS server used .*:SSID-NAME$ and SSID-NAME$, but it blocks access for any user. In the second case, I changed the NAS-ID in the WLC WLAN and interface configuration and in the RADIUS server policy to match all, but it doesn't have any impact. What other test could I try?

thanks for your help. 

Hi,

I have done some tests installing a new RADIUS server (Windows NPS) and adding a condition that evaluates the Called-Station-Id in the Network Policy, keeping the default IP address option in the WLC RADIUS server configuration, and now the user group restrictions work.

regards.
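To make the accepted answer and the final NPS result concrete, here is an added example (my own code, not from Scott, the original poster, Cisco or Microsoft) that models how an NPS network policy evaluates a request: every condition on the policy must hold, policies are tried in order, and the first match decides. It contrasts the group-only policies from the question, which let any group member onto any 802.1X WLAN, with policies that also carry a Called-Station-Id condition anchored on the SSID. The MAC addresses, AP names, SSIDs, group names and user names are constructed for illustration; the Called-Station-Id strings assume the WLC "Call Station ID Type" formats named in the thread (AP MAC Address:SSID and AP Name:SSID), which place the SSID after the last colon.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class NetworkPolicy:
    """A minimal model of an NPS network policy: all conditions must hold for the policy to match."""
    name: str
    windows_group: str                         # condition: user must be a member of this AD group
    called_station_id: Optional[str] = None    # condition: regex over Called-Station-Id (None = no condition)
    grant: bool = True                         # access permission when the policy matches


def ssid_from_called_station_id(called_station_id: str) -> Optional[str]:
    """For the 'AP MAC Address:SSID' and 'AP Name:SSID' formats the SSID follows the last colon.
    A value with no colon (for example a bare IP or MAC) carries no SSID, so None is returned."""
    if ":" not in called_station_id:
        return None
    return called_station_id.rsplit(":", 1)[1]


def policy_matches(policy: NetworkPolicy, user_groups: List[str], called_station_id: str) -> bool:
    """Every configured condition must hold, as NPS requires."""
    if policy.windows_group not in user_groups:
        return False
    if policy.called_station_id is not None and not re.search(policy.called_station_id, called_station_id):
        return False
    return True


def evaluate(policies: List[NetworkPolicy], user_groups: List[str],
             called_station_id: str) -> Tuple[str, Optional[str]]:
    """First-match processing: the first policy whose conditions hold decides the outcome.
    If no policy matches, the request is rejected."""
    for policy in policies:
        if policy_matches(policy, user_groups, called_station_id):
            return ("Access-Accept" if policy.grant else "Access-Reject", policy.name)
    return ("Access-Reject", None)


# The situation from the question: one policy per AD group and no SSID condition, so group
# membership alone grants access on every WLAN that uses this RADIUS server.
GROUP_ONLY = [
    NetworkPolicy("Corp users", "WLAN-Corp"),
    NetworkPolicy("Guest users", "WLAN-Guest"),
]

# The accepted answer: tie each group to its SSID with a Called-Station-Id condition.
# With Call Station ID Type = "AP MAC Address:SSID" or "AP Name:SSID" the attribute ends in
# ":<SSID>", so a regex of the form .*:<SSID>$ selects exactly that WLAN.
PER_SSID = [
    NetworkPolicy("Corp users on Corp-WLAN", "WLAN-Corp", r".*:Corp-WLAN$"),
    NetworkPolicy("Guest users on Guest-WLAN", "WLAN-Guest", r".*:Guest-WLAN$"),
]

# Constructed sample Access-Requests (user, AD groups, Called-Station-Id); hypothetical values.
SAMPLES = [
    ("alice", ["Domain Users", "WLAN-Corp"], "aa-bb-cc-dd-ee-ff:Corp-WLAN"),   # right group, right SSID
    ("alice", ["Domain Users", "WLAN-Corp"], "AP-Floor1:Guest-WLAN"),          # corp user on guest SSID
    ("bob", ["Domain Users", "WLAN-Guest"], "AP-Floor1:Guest-WLAN"),           # right group, right SSID
    ("bob", ["Domain Users", "WLAN-Guest"], "aa-bb-cc-dd-ee-ff:Corp-WLAN"),    # guest user on corp SSID
]


def run(policies: List[NetworkPolicy]) -> List[Tuple[str, Optional[str], str]]:
    """Evaluate every sample request against a policy set: (user, ssid, decision)."""
    return [(user, ssid_from_called_station_id(csid), evaluate(policies, groups, csid)[0])
            for user, groups, csid in SAMPLES]


if __name__ == "__main__":
    for label, policies in (("group-only policies", GROUP_ONLY), ("per-SSID policies", PER_SSID)):
        print(label)
        for user, ssid, decision in run(policies):
            print(f"  {user:6} -> {ssid:10} {decision}")
```

Running it shows that with the group-only set every sample is accepted, while with the per-SSID set alice is rejected on Guest-WLAN and bob on Corp-WLAN. Note that the regex only works when the Called-Station-Id actually contains the SSID; if the attribute carries no colon-separated SSID, `ssid_from_called_station_id` returns None and an `.*:<SSID>$` condition cannot match, so the request falls through to a reject. Also keep the policy order in mind: an earlier policy with only a group condition would match first and hide the per-SSID policies below it.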
