
Different AAA Server Per AP Group

malone352
Level 1

Hi all,

 

We are migrating some of our offices over to use ISE for wireless 802.1X authentication. At the moment we are using an external RADIUS server to authenticate clients for our corporate SSID.

 

Does anyone know if there is a way to use a different RADIUS server based on the AP group the client is connecting through? Currently I am using two different SSIDs for this (one to the old RADIUS and one for the new ISE). Ideally I want all clients on the same SSID.

 

FlexConnect AAA servers are only for when the AP moves into standalone mode, right?

Could / should I use a FlexConnect ACL to block RADIUS requests to the old RADIUS server?

2 Replies

pieterh
VIP

Not in the way your question is formulated; the RADIUS server is configured at the WLAN level.

When multiple RADIUS servers are defined, the others are only questioned when the first is down!

 

but....

Instead of using the WLAN SSID, you CAN use the AP group as the call station id sent to the RADIUS server!

So if you forward all RADIUS requests to ISE, then in your policies you can use a condition based on AP group:

-> group-old authenticates to the old RADIUS server

-> group-new to LDAP/AD/ISE-internal

There may be a minimum ISE version to do this.

Thanks Pieter,

 

Good idea, but when ISE is configured to proxy to an external RADIUS server, is a base license consumed? We've only purchased enough for the local office.
