05-16-2013 09:14 PM - edited 07-04-2021 12:05 AM
Hello all,
I have a Wireless LAN controller and multiple Cisco APs with 8 SSIDs configured. Each one for the different business departments.
I want to allow Windows users to authenticate only to their specific SSID and Windows group. I have a Microsoft NPS for user authentication but I don't know how to validate the SSID and the domain user at the same time.
I read on some websites about the VSA parameters, but I don't know how to configure the controller to send the SSID to my NPS and what I need to configure in my RADIUS server to validate both conditions, username and SSID.
Any help will be really appreciated.
05-16-2013 10:40 PM
For the SSID, you just need to add the called station id or use the wlan id radius attribute. See the following links.
http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/fa662135-3ddd-4699-a8eb-83f9f85b5674/
https://lavazzza.wordpress.com/2010/05/29/wlc-school-for-network-admin’s-who-can-read-real-good-part-2-ok-so-it-has-been-awhile/
Sent from Cisco Technical Support iPhone App
05-17-2013 12:38 AM
I already tried to use the called station ID and it is not working. Do you need to type a specific command on the WLC?
05-17-2013 10:12 AM
After reviewing the logs in NPS, I modified the called station ID and it's working now.
Thanks for the answer.
05-17-2013 10:38 AM
No problem. Just be careful when you start upgrading the WLC. There might be a point in time when the SSID will not be passed in the called station attribute. The WLAN-ID would then have to be used. This would require all your SSIDs to have the identical WLAN ID.
Sent from Cisco Technical Support iPhone App
05-17-2013 12:59 PM
Just an FYI.... The newer v7.4 code doesn't send the SSID in the RADIUS packet. I ran into that using the v7.4 beta, so I had to change my policy to look at the WLAN-ID instead.
Sent from Cisco Technical Support iPhone App
05-23-2013 01:26 PM
Hi! Can you explain how to change the policy to wlan-id?
Currently I use Called Station ID: http://i.imgur.com/06g0Lnd.png
Thanks!
04-16-2019 05:51 AM
Hey Scott, I know this post is old but I wanted to verify this SSID-in-called-station-ID approach: did you face any issues with the newer versions? I'm wondering if 7.4 had an issue but it got fixed perhaps? Looks like 8.x is fine.
Thank you in advance for confirming.
05-17-2013 02:45 PM
Hello Fredo,
As per your query I can suggest the following solution:
Having 8 SSIDs configured, to validate the SSID together with the domain user you just need to add the called station ID to NPS, or use the WLAN ID RADIUS attribute to achieve the same.
Hope this will help.
01-23-2014 04:43 AM
Thanks, will have a look on it.
01-23-2014 04:52 AM
Should work out fine or else let me know and I can bring up an NPS server and show you a test policy. The links should help though.
Sent from Cisco Technical Support iPhone App
02-28-2014 12:16 PM
The best way is to use the "Called Station ID" in the Policy under the Conditions.
We added the RegEx pattern "$" to match the string at the end.
If your SSID is "DATA" then use the condition in the Policy -> Called Station ID - DATA$
Attached you can find a Sample...
Best Regards,
Sven
02-28-2014 01:36 PM
Hi,
What is the point of having Data$? Currently each SSID has Called-Station-ID as .SSIDName* on each RADIUS profile and it works fine the way I want it.
Could you please elaborate on this?
Thanks
02-28-2014 01:52 PM
Hi,
The "$" is a metacharacter in Regular Expressions -> it matches the ending position of the string or the position just before a string-ending newline. In line-based tools, it matches the ending position of any line.
So this means you can choose the name of your SSID and attach the "$" sign to get the right condition.
Regards,
Sven
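The two patterns discussed in this thread (the anchored "DATA$" and the unanchored ".SSIDName*") behave very differently once a controller has more than one SSID with a shared prefix, and the WLAN-ID fallback mentioned earlier is a separate attribute altogether. The following is an added example, not code from the thread or from Cisco or Microsoft: a small Python model of NPS-style policy matching run over constructed Access-Request attribute sets. It assumes the controller formats Called-Station-Id as "<AP-MAC>:<SSID>" (the thread only states that the SSID is at the end), that NPS evaluates string conditions as a regular-expression search, and that the WLAN-ID attribute is the Cisco Airespace VSA commonly named Airespace-Wlan-Id in RADIUS dictionaries.

```python
import re

# Constructed sample Access-Request attribute sets (not captured traffic).
# Assumption: the WLC sends Called-Station-Id as "<AP-MAC>:<SSID>".
# Request 4 models a controller release that omits the SSID (as reported
# in the thread for 7.4), leaving only the WLAN-ID VSA to match on.
SAMPLE_REQUESTS = [
    {"User-Name": "CORP\\alice", "Called-Station-Id": "00-11-22-33-44-55:DATA", "Airespace-Wlan-Id": 1},
    {"User-Name": "CORP\\alice", "Called-Station-Id": "00-11-22-33-44-55:DATA-GUEST", "Airespace-Wlan-Id": 2},
    {"User-Name": "CORP\\bob", "Called-Station-Id": "00-11-22-33-44-56:DAT", "Airespace-Wlan-Id": 3},
    {"User-Name": "CORP\\carol", "Called-Station-Id": "00-11-22-33-44-57:MYDATA", "Airespace-Wlan-Id": 4},
    {"User-Name": "CORP\\dave", "Airespace-Wlan-Id": 1},
]

# Hypothetical policy definitions: attribute name -> expected value.
# A string value is treated as a regex (NPS pattern-matching style,
# an assumption); any other value must compare equal.
POLICIES = {
    "DATA-anchored": {"Called-Station-Id": r"DATA$"},      # the thread's "DATA$"
    "DATA-unanchored": {"Called-Station-Id": r".DATA*"},   # the thread's ".SSIDName*" style
    "DATA-strict": {"Called-Station-Id": r":DATA$"},       # tighter: separator + exact SSID
    "DATA-by-wlan-id": {"Airespace-Wlan-Id": 1},           # WLAN-ID fallback
}


def ssid_from_called_station_id(value):
    """Return the SSID portion of a "<AP-MAC>:<SSID>" Called-Station-Id, or None."""
    _mac, sep, ssid = value.rpartition(":")
    return ssid if sep else None


def condition_matches(expected, actual):
    """Evaluate one policy condition against one request attribute."""
    if actual is None:            # attribute absent: condition cannot be satisfied
        return False
    if isinstance(expected, str):  # regex search, like an NPS string condition
        return re.search(expected, str(actual)) is not None
    return expected == actual


def policy_matches(policy, request):
    """All conditions of a policy must hold for the request to match."""
    return all(condition_matches(exp, request.get(attr)) for attr, exp in policy.items())


def requests_matching(policy_name, requests=SAMPLE_REQUESTS):
    """Indices of the sample requests that a named policy would apply to."""
    policy = POLICIES[policy_name]
    return [i for i, req in enumerate(requests) if policy_matches(policy, req)]


if __name__ == "__main__":
    for name in POLICIES:
        hits = requests_matching(name)
        users = [SAMPLE_REQUESTS[i]["User-Name"] for i in hits]
        print(f"{name:16s} -> requests {hits} ({', '.join(users)})")
```

Running it shows why the anchor matters: "DATA$" no longer lets a DATA-GUEST client satisfy the DATA policy, but it still accepts an SSID that merely ends in DATA (MYDATA), whereas the unanchored ".DATA*" accepts every sample that carries an SSID, including the truncated "DAT". Including the separator (":DATA$") is the only pattern here that matches exactly one SSID, and the WLAN-ID policy is the only one that still matches when the controller omits the SSID from Called-Station-Id.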
09-11-2019 07:14 PM
Hi Sir,
Is this one working in a scenario where one user is able to connect to any SSID, as long as it is inside the group in the condition?