jwiley1978
Beginner

Multiple SSIDs with 802.1x

Question for the group: I have a client that is already set up with one SSID that uses 802.1x authentication. Now they are wanting an additional SSID set up with the same type of authentication but with a different AD group. Is that possible? When I check the config, all it does is point to a server. I'm not finding any way to differentiate which AD group would be used for which SSID.

1 ACCEPTED SOLUTION

I always have to ask this question when I hear about multiple 802.1x SSIDs. If your 802.1x SSIDs have access to basically the same resources, then I would not create another SSID. If, however, you just want to place a group (OU) on a different VLAN, then you want to keep the same SSID, but use a RADIUS server that is tied to AD and can look up the user/group/cert/etc. and place that device/user on a specific VLAN. There is no need to have another SSID with 802.1x, especially if you have a RADIUS server. There is so much flexibility with 802.1 if you are using a RADIUS server. I don't think you can do that if you just use LDAP, but I'm not sure, as I have never had to just implement LDAP.

-Scott
*** Please rate helpful posts ***

8 REPLIES
Rasika Nayanajith
VIP Mentor

That level of policy is configured on your RADIUS server, where it integrates with AD. The WLC does not directly communicate with AD.

HTH

Rasika

*** Pls rate all useful responses ***

Sandeep Choudhary
VIP Mentor

Yes, it's possible; you can create a different SSID with the same kind of authentication.

You need to configure a policy on the server (Cisco ISE) to use that specific AD group.

MHM Cisco World
Rising star

Think you mean LDAP?
Configure the multiple LDAP servers under WLC Security,
and select the LDAP server you want under WLAN > Security > AAA Server.

No, it should be on the RADIUS server. The RADIUS server integrates with AD.

Thanks, I'll have to check into this tomorrow.

It is using LDAP with Windows NPS so I think you are correct.  I don't think this is going to work out for them.

Windows NPS is a RADIUS server, so you should be able to do this using one SSID that is defined for 802.1x. Just search “Cisco WLC 802.1x with Microsoft NPS”. You should be able to find many different guides and/or videos on this. Also “Cisco WLC with Microsoft NPS vlan override”.
-Scott
*** Please rate helpful posts ***
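
The single-SSID approach described in the answers above (the RADIUS server maps AD group membership to a VLAN and returns it in the Access-Accept), sketched as an added example that is not part of the original thread and is not NPS or ISE code. The group names, VLAN IDs and function names are constructed for illustration; the attribute numbers and encodings are the standard ones from RFC 2868 and RFC 3580.

```python
import struct

# RFC 2868 / RFC 3580 attribute numbers and values used for dynamic VLAN assignment
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6

# Constructed policy table (hypothetical group names and VLAN IDs); first match wins,
# the way an ordered list of RADIUS network policies is evaluated.
POLICIES = [
    ("WiFi-Engineering", 110),
    ("WiFi-Finance", 120),
    ("Domain Users", 199),
]

def vlan_for(user_groups):
    """Return the VLAN of the first policy whose AD group the user is in, else None."""
    groups = {g.lower() for g in user_groups}
    for group, vlan in POLICIES:
        if group.lower() in groups:
            return vlan
    return None

def _tagged_int(attr_type, value):
    # Type, Length=6, Tag=0, 3-byte value (RFC 2868 sections 3.1 and 3.2)
    return struct.pack("!BBB", attr_type, 6, 0) + value.to_bytes(3, "big")

def vlan_attributes(vlan_id):
    """Encode the three Access-Accept attributes that carry a VLAN assignment."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    vid = str(vlan_id).encode("ascii")
    # Tunnel-Private-Group-ID: Type, Length, then the VLAN ID as ASCII (no tag byte)
    group_id = struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(vid)) + vid
    return _tagged_int(TUNNEL_TYPE, VLAN) + _tagged_int(TUNNEL_MEDIUM_TYPE, IEEE_802) + group_id

def authorize(user_groups):
    """Return ("Access-Accept", attribute bytes) or ("Access-Reject", b"")."""
    vlan = vlan_for(user_groups)
    if vlan is None:
        # No matching group: reject instead of falling back to a default VLAN
        return "Access-Reject", b""
    return "Access-Accept", vlan_attributes(vlan)

if __name__ == "__main__":
    for groups in (["Domain Users", "WiFi-Finance"], ["Domain Users"], ["Guests"]):
        verdict, attrs = authorize(groups)
        print(groups, verdict, attrs.hex())
```

The WLC applies the returned VLAN only when AAA override is enabled on the WLAN, and policy order matters: a broad group placed above a narrower one would put every member on the broad group's VLAN.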