12-26-2014 11:02 AM - edited 07-05-2021 02:11 AM
Hi,
I have configured several WLANs with WPA2 and 802.1x which authenticate users through a RADIUS server (Windows Internet Authentication Service) that connects to an Active Directory. In the AD there is one user group for each WLAN, but the problem is that any user that was added to some group can get access to any WLAN. Does anybody know if I need some configuration on the WLC to restrict that?
Thanks for your help.
12-26-2014 11:19 AM
The WLC doesn't prevent that; it's your RADIUS policies that you need to look at. Maybe create a new user group for specific SSIDs and place users in one of those specific groups, then have a RADIUS policy look at the Called-Station-ID, since the SSID will be present there, and then create a policy that points to that specific user group for that SSID.
-Scott
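The policy logic described in this answer, as an added example that is not part of the original post and is not NPS code: a simplified model of first-match policy evaluation, showing why a group-only policy admits a user on every WLAN and how a Called-Station-ID condition stops that. The SSID names, group names and AP identifiers are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    name: str
    group: str                        # AD group condition
    ssid_regex: Optional[str] = None  # Called-Station-ID condition; None = not checked


def authorize(policies, called_station_id, user_groups):
    """First policy whose conditions all match wins; no match means reject (None)."""
    for p in policies:
        if p.group not in user_groups:
            continue
        if p.ssid_regex is not None and not re.search(p.ssid_regex, called_station_id):
            continue
        return p.name
    return None


# Constructed (hypothetical) policies. The leading ':' and trailing '$' anchor the
# pattern to the whole SSID, so an SSID that merely ends in "CORP-LAB" cannot match.
GROUP_ONLY = [Policy("staff", "WLAN-Staff"), Policy("lab", "WLAN-Lab")]
GROUP_AND_SSID = [
    Policy("staff", "WLAN-Staff", r":CORP-STAFF$"),
    Policy("lab", "WLAN-Lab", r":CORP-LAB$"),
]

if __name__ == "__main__":
    lab_user = {"WLAN-Lab"}
    samples = [
        "00-1a-2b-3c-4d-5e:CORP-STAFF",  # AP MAC Address:SSID, wrong WLAN for this user
        "AP-FLOOR2:CORP-LAB",            # AP Name:SSID, the user's own WLAN
        "00-1a-2b-3c-4d-5e",             # attribute sent without an SSID suffix
    ]
    for csid in samples:
        before = authorize(GROUP_ONLY, csid, lab_user)
        after = authorize(GROUP_AND_SSID, csid, lab_user)
        print(f"{csid!r}: group-only={before} group+ssid={after}")
```

When the attribute arrives without the SSID suffix, every SSID-conditioned policy fails to match and all users are rejected, so checking the Called-Station-ID value the RADIUS server actually logs is the first step when such a policy blocks everyone.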
12-26-2014 12:21 PM
Scott is correct. This is also assuming your other WLANs are all dot1x.
01-07-2015 10:18 AM
Hi Scott,
I have done some tests modifying the RADIUS policy to look at the Called Station ID, and also tested looking at the NAS-ID. In the first case, I changed the Call Station ID Type in the WLC RADIUS Authentication Servers configuration to AP MAC Address:SSID and AP Name:SSID, and on the RADIUS server used .*:SSID-NAME$ and SSID-NAME$, but it blocks access for any user. In the second case, I changed the NAS-ID in the WLC WLAN and interface configuration and in the RADIUS server policy to match all, but it doesn't have any impact. What other test could I try?
Thanks for your help.
02-01-2015 03:28 PM
Hi,
I have done some tests installing a new RADIUS server (Windows NPS), adding a condition that evaluates the Called Station ID to the Network Policy and keeping the default IP address option in the WLC RADIUS server configuration, and now the user group restrictions work.
Regards.