11-19-2018 02:31 AM - edited 07-05-2021 09:28 AM
Hi all,
We are migrating some of our offices over to use ISE for Wireless 802.1x authentication. At the moment we are using an external RADIUS server to authenticate clients for our Corporate SSID.
Does anyone know if there is a way to use a different RADIUS server based on the AP Group the client is connecting through? Currently I am using two different SSIDs for this (one to the old RADIUS server and one for the new ISE). Ideally I want all clients on the same SSID.
FlexConnect AAA servers are only for when the AP moves into standalone mode, right?
Could / should I use a FlexConnect ACL to block RADIUS requests to the old RADIUS server?
11-19-2018 06:17 AM
Not in the way your question is formulated; the RADIUS server is configured at the WLAN level.
When multiple RADIUS servers are defined, the others are only queried when the first is down!
But...
Instead of using the WLAN SSID you CAN use the AP group as the call station ID sent to the RADIUS server!
So if you forward all RADIUS requests to ISE, then in your policies you can use a condition based on the AP group:
-> group-old authenticates to the old RADIUS server
-> group-new to LDAP/AD/ISE-internal
There may be a minimum ISE version to do this.
11-19-2018 07:10 AM
Thanks Pieter,
Good idea, but when ISE is configured to proxy to an external RADIUS server, is a base license consumed? We've only purchased enough for the local office.