Question for the group: I have a client that is already set up with one SSID that uses 802.1x authentication. Now they want an additional SSID set up with the same type of authentication but with a different AD group. Is that possible? When I check the config, all it does is point to a server. I'm not finding any way to differentiate which AD group would be used for which SSID.
I always have to ask this question when I hear about multiple 802.1x SSIDs. If your 802.1x SSIDs have access to basically the same resources, then I would not create another SSID. If, however, you just want to place a group (OU) on a different VLAN, then you want to keep the same SSID but use a RADIUS server that is tied to AD and can look up the user/group/cert/etc. and place that device/user on a specific VLAN. There is no need to have another SSID with 802.1x, especially if you have a RADIUS server. There is so much flexibility with 802.1x if you are using a RADIUS server. I don't think you can do that if you just use LDAP, but I'm not sure, as I have never had to implement just LDAP.
That level of policy is configured on your RADIUS server, where it integrates with AD. The WLC does not directly communicate with AD.
HTH
Rasika
*** Pls rate all useful responses ***
Yes, it's possible; you can create a different SSID with the same kind of authentication.
You need to configure a policy on the server (Cisco ISE) to use that specific AD group.
I think you mean LDAP?
Configure the multiple LDAP servers under WLC Security,
then select the LDAP server you want under WLAN > Security > AAA Servers.
No, it should be on the RADIUS server. The RADIUS server integrates with AD.
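To make the RADIUS-side mechanism concrete, here is an added example (not from any poster in this thread) that models what the replies describe: the WLC only relays the 802.1x exchange, and the RADIUS server checks AD group membership and answers with the RFC 3580 tunnel attributes that assign the VLAN, or rejects. The SSID names, AD group names, VLAN IDs and the Called-Station-Id layout are constructed assumptions.

```python
import struct

# RADIUS attribute type codes (RFC 2868) and the values RFC 3580 uses for VLANs.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13      # Tunnel-Type = VLAN
TUNNEL_MEDIUM_802 = 6      # Tunnel-Medium-Type = IEEE 802

# Constructed policy (assumption): which AD group may join which SSID, and the VLAN
# the RADIUS server hands back. This is the part NPS/ISE holds; the WLC never sees AD.
POLICY = {
    "CorpWiFi": {"ad_group": "WiFi-Employees", "vlan": 10},
    "EngWiFi": {"ad_group": "WiFi-Engineering", "vlan": 20},
}


def ssid_from_called_station_id(csid: str) -> str:
    """Pull the SSID out of a Called-Station-Id of the form '<AP-MAC>:<SSID>'
    (assumed WLC format); returns '' when no SSID suffix is present."""
    return csid.split(":", 1)[1] if ":" in csid else ""


def encode_tunnel_attr(attr_type: int, value: bytes, tag: int = 1) -> bytes:
    """Encode a tagged RADIUS attribute as Type, Length, Tag, Value."""
    body = bytes([tag]) + value
    return struct.pack("BB", attr_type, 2 + len(body)) + body


def vlan_attributes(vlan: int) -> bytes:
    """The three attributes an Access-Accept carries for dynamic VLAN assignment.
    Tagged integer attributes carry a 3-byte value after the tag byte."""
    return (encode_tunnel_attr(TUNNEL_TYPE, struct.pack(">I", TUNNEL_TYPE_VLAN)[1:])
            + encode_tunnel_attr(TUNNEL_MEDIUM_TYPE, struct.pack(">I", TUNNEL_MEDIUM_802)[1:])
            + encode_tunnel_attr(TUNNEL_PRIVATE_GROUP_ID, str(vlan).encode()))


def authorize(user_ad_groups: set, called_station_id: str) -> tuple:
    """Policy decision after a successful EAP authentication: the SSID comes from the
    request, the groups come from AD, and the answer is Access-Accept with VLAN
    attributes or Access-Reject. Unknown SSIDs and missing group membership fail closed."""
    rule = POLICY.get(ssid_from_called_station_id(called_station_id))
    if rule is None or rule["ad_group"] not in user_ad_groups:
        return ("Access-Reject", b"")
    return ("Access-Accept", vlan_attributes(rule["vlan"]))
```

A wireless client in WiFi-Employees connecting to EngWiFi is rejected, while the same credentials on CorpWiFi are accepted and dropped into VLAN 10; no per-SSID AD setting on the WLC is involved.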
Thanks, I'll have to check into this tomorrow.
It is using LDAP with Windows NPS, so I think you are correct. I don't think this is going to work out for them.