11-17-2020 06:59 AM - edited 07-05-2021 12:47 PM
Question for the group: I have a client that is already set up with one SSID that uses 802.1x authentication. Now they are wanting an additional SSID set up with the same type of authentication but with a different AD group. Is that possible? When I check the config, all it does is point to a server. I'm not finding any way to differentiate which AD group would be used for which SSID.
11-17-2020 10:44 AM
That level of policy is configured on your RADIUS server, where it integrates with AD. The WLC does not directly communicate with AD.
HTH
Rasika
*** Pls rate all useful responses ***
11-17-2020 10:44 AM
Yes, it's possible; you can create a different SSID with the same kind of authentication.
You need to configure a policy on the server (Cisco ISE) to use that specific AD group.
11-17-2020 03:04 PM - edited 11-17-2020 03:07 PM
Think you mean LDAP?
Configure the multiple LDAP servers under WLC Security,
then select the LDAP server you want under WLAN > Security > AAA Server.
11-17-2020 09:52 PM
No, it should be on the RADIUS server. The RADIUS server integrates with AD.
02-02-2021 10:40 AM
Thanks, I'll have to check into this tomorrow.
02-02-2021 02:25 PM
I always have to ask this question when I hear about multiple 802.1x SSIDs. If your 802.1x SSIDs have access to basically the same resources, then I would not create another SSID. If, however, you just want to place a group (OU) on a different VLAN, then you want to keep the same SSID, but use a RADIUS server that is tied to AD and can look up the user/group/cert/etc. and place that device/user on a specific VLAN. There is no need to have another SSID with 802.1x, especially if you have a RADIUS server. There is so much flexibility with 802.1x if you are using a RADIUS server. I don't think you can do that if you just use LDAP, but I'm not sure, as I have never had to just implement LDAP.
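An added example, not part of the original thread and not NPS or ISE code: a small model of the authorization decision a RADIUS server makes when a policy keys on both the SSID and the AD group, returning the RFC 3580 VLAN attributes and rejecting by default. The SSID names, group names, VLAN IDs and the `AP-MAC:SSID` form of Called-Station-Id (hyphenated MAC) are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

@dataclass(frozen=True)
class Rule:
    ssid: Optional[str]   # None means "any SSID"
    ad_group: str         # AD group the user must belong to
    vlan: int             # VLAN returned on a match

# Hypothetical policy (constructed values), evaluated top-down, first match wins.
POLICY = [
    Rule("Corp-Staff", "WiFi-Staff", 10),
    Rule("Corp-Lab", "WiFi-Engineering", 20),
    Rule(None, "WiFi-Contractors", 30),
]

def ssid_from_called_station_id(value: str) -> str:
    """Extract the SSID, assuming the controller sends 'AP-MAC:SSID'."""
    mac, sep, ssid = value.partition(":")
    return ssid if sep else ""   # no separator: SSID unknown, matches no SSID rule

def authorize(called_station_id: str, user_groups: Iterable[str],
              authenticated: bool) -> dict:
    """Return the RADIUS reply for a user whose 802.1x credentials were checked."""
    if not authenticated:
        return {"code": "Access-Reject"}
    ssid = ssid_from_called_station_id(called_station_id)
    groups = {g.casefold() for g in user_groups}   # AD group names ignore case
    for rule in POLICY:
        if rule.ssid is not None and rule.ssid != ssid:   # SSIDs are case-sensitive
            continue
        if rule.ad_group.casefold() in groups:
            return {
                "code": "Access-Accept",
                "Tunnel-Type": "VLAN",
                "Tunnel-Medium-Type": "IEEE-802",
                "Tunnel-Private-Group-ID": str(rule.vlan),
            }
    # Default deny: valid credentials alone do not grant access to an SSID.
    return {"code": "Access-Reject"}

if __name__ == "__main__":
    ap = "00-11-22-33-44-55"   # constructed AP MAC
    print(authorize(f"{ap}:Corp-Staff", ["WiFi-Staff"], True))
    print(authorize(f"{ap}:Corp-Lab", ["WiFi-Staff"], True))
```

The second call shows the security-relevant case: a user with valid credentials but the wrong group for that SSID is rejected, not dropped onto a default VLAN.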
02-03-2021 05:06 AM
It is using LDAP with Windows NPS so I think you are correct. I don't think this is going to work out for them.