Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
464
Views
25
Helpful
8
Replies
jwiley1978
Beginner
Beginner
‎11-17-2020 06:59 AM
‎11-17-2020 06:59 AM

Multiple SSIDs with 802.1x

Question for the group:  I have a client that is already setup with one SSID that uses 802.1x authentication.  Now they are wanting an additional SSID setup with the same type of authentication but with a different AD group.  Is that possible?  When I check the config all it does is point to a server.  I'm not finding anyway to differentiate on which AD group would be used for which SSID.

0 Helpful
1 ACCEPTED SOLUTION

Accepted Solutions
Scott Fella
Hall of Fame Master Hall of Fame Master
Hall of Fame Master
In response to jwiley1978
‎02-02-2021 02:25 PM
‎02-02-2021 02:25 PM

I always have to ask this question when I hear about multiple 802.1x SSID's.  If, your 802.1x SSID's have access to basically the same resources, then I would not create another SSID.  If however you just want to place a group (OU) on a different vlan, then you want to keep the same SSID, but use a radius server that is tied to AD and can lookup the user/group/cert/etc and place that device/user on a specific vlan.  There is no need to have another SSID with 802.1x especially if you have a radius server.  There is so much flexibility with 802.1 if you are using a radius server.  I don't think you can do that if you just use LDAP, but not sure as I have never had to just implement LDAP.

-Scott
*** Please rate helpful posts ***

View solution in original post

0 Helpful
8 REPLIES 8
Rasika Nayanajith
VIP Mentor VIP Mentor
VIP Mentor
‎11-17-2020 10:44 AM
‎11-17-2020 10:44 AM

That level of a policy configured on your RADIUS server where it integrates with AD. WLC does not directly communicate with AD

 

HTH

Rasika

*** Pls rate all useful responses ***

Sandeep Choudhary
VIP Mentor VIP Mentor
VIP Mentor
‎11-17-2020 10:44 AM
‎11-17-2020 10:44 AM

Yes its possible, you can create diff SSID with same kind of authentication.

 

you need to configure  apolicy on the server (cisco ISE) to use that specific AD group.

MHM Cisco World
Rising star
Rising star
‎11-17-2020 03:04 PM
‎11-17-2020 03:04 PM

think you mean LDAP?
config the multi LDAP under WLC security,
select the LDAP as you want under the WLAN>Secuirty>AAA Server.

0 Helpful
Sandeep Choudhary
VIP Mentor VIP Mentor
VIP Mentor
In response to MHM Cisco World
‎11-17-2020 09:52 PM
‎11-17-2020 09:52 PM

No it should be on Radius server. Radius server integrate with AD. 

jwiley1978
Beginner
Beginner
In response to MHM Cisco World
‎02-02-2021 10:40 AM
‎02-02-2021 10:40 AM

Thanks, I'll have to check into this tomorrow.

Scott Fella
Hall of Fame Master Hall of Fame Master
Hall of Fame Master
In response to jwiley1978
‎02-02-2021 02:25 PM
‎02-02-2021 02:25 PM

I always have to ask this question when I hear about multiple 802.1x SSID's.  If, your 802.1x SSID's have access to basically the same resources, then I would not create another SSID.  If however you just want to place a group (OU) on a different vlan, then you want to keep the same SSID, but use a radius server that is tied to AD and can lookup the user/group/cert/etc and place that device/user on a specific vlan.  There is no need to have another SSID with 802.1x especially if you have a radius server.  There is so much flexibility with 802.1 if you are using a radius server.  I don't think you can do that if you just use LDAP, but not sure as I have never had to just implement LDAP.

-Scott
*** Please rate helpful posts ***

View solution in original post

0 Helpful
jwiley1978
Beginner
Beginner
In response to Scott Fella
‎02-03-2021 05:06 AM
‎02-03-2021 05:06 AM

It is using LDAP with Windows NPS so I think you are correct.  I don't think this is going to work out for them.

0 Helpful
Scott Fella
Hall of Fame Master Hall of Fame Master
Hall of Fame Master
In response to jwiley1978
‎02-03-2021 06:35 AM
‎02-03-2021 06:35 AM

Windows NPS is a radius server so you should be able to do this using one SSID that is defined for 802.1x. Just search “Cisco WLC 802.1x with Microsoft NPS”. You should be able to find many different guides and or videos on this. Also “CIsco WLC with Microsoft NPS vlan override”
-Scott
*** Please rate helpful posts ***
0 Helpful
Latest Contents
Cisco IOS-XE 17.5.1 for the Catalyst 9800 Wireless Controlle...
Created by anandg on 04-02-2021 11:02 AM
5
15
5
15
  It’s been about two and half years, since the launch of next generation Cisco Catalyst 9800 Wireless LAN Controllers that has the most deployment flexibility and runs the modular, scalable, highly reliable, open and programmable operating system, I... view more
Wi-Fi 6 and Embeded Wireless Controller (EWC) Demo
Created by eugenelee28 on 03-21-2021 01:48 AM
3
5
3
5
Hi All, I have made this video for Cisco Pitch the Future Contest in Malaysia which talks about Wi-Fi 6 and EWC Demo. Please feel free to view the video below and please support me for this contest by giving the video a like as the Contest will end o... view more
Cisco Wants your Feedback on the Cat9800-80!
Created by caiharve on 03-09-2021 03:43 PM
0
5
0
5
Review the Cisco Catalyst 9800-80 Wireless Controller on TrustRadius and receive a $25 gift card!   
EEM Scripts to Enable/Disable the RLAN Ports on APs Connecte...
Created by justloo on 03-07-2021 10:43 AM
0
10
0
10
Overview On the Cisco Catalyst 9800 Series WLC, enabling/disabling the remote LAN (RLAN) ports on APs requires going into the configuration for each AP and manually enabling/disabling the ports. However, as the number of APs that need to have their RLAN... view more
An End of an Era for Cisco AireOS Controllers
Created by byronm19 on 03-05-2021 12:30 PM
2
5
2
5
It’s been a long road for our AireOS wireless controllers. In fact these products have been around Cisco in some form since 2005. As you may have heard, Cisco made the decision to End-of-Sale (EOS) these products last month. That means that these AireOS ... view more
Content for Community-Ad