09-29-2021 12:17 AM - edited 09-29-2021 01:31 AM
ATM I have a WLC with an SSID that uses a group in AD for authentication. Question is, can I create a second SSID that uses a different group in the same AD for authentication? Like, can I create a second entry for my same AD with the same IP and enter a different group, then tie this second entry to an SSID?
09-29-2021 04:52 AM
Assuming that you are using RADIUS for authentication, it is perfectly possible. But since the IP range will be the same, consider using per-user dynamic ACL assignment from your RADIUS server to maintain segregation and security if required. You can have a different ACL for Group1 and a different one for Group2.
09-29-2021 11:20 AM - edited 09-29-2021 11:24 AM
No, I'm not using RADIUS. I just have a WLC and an Active Directory Windows server. There is no ACL involved. When I added my initial AD I specified a group which contains all the users that will authenticate; I want to add a second SSID that uses another group in my AD. Is it possible, or can I only use one group?
09-29-2021 11:58 PM
Are you using LDAP for Dot1x or Layer 3 Auth?
09-30-2021 12:08 AM
Dot1x
09-30-2021 12:54 AM
I haven't done any deployments on this, but per the Cisco documentation, it states that "Users inside a Group cannot be authenticated. They need to be inside a Default Container (CN) or an Organizational Unit (OU)".
If you want more granularity I would suggest that you run the NPS service and do a RADIUS integration. This will add more security (depends on the EAP mechanism) and will give you more flexibility.
09-30-2021 08:56 AM
My suggestion is to add the NPS role onto that server (or, even better, a separate one). That includes RADIUS functionality. Then you can use RADIUS between the WLC and the DC and do this (and much more).
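To make the distinction in the last two answers concrete, here is a small added Python model (not code from the thread, Cisco, or any WLC) of the two lookups involved. It uses a constructed in-memory directory instead of a real AD. The "WLC-style" lookup searches the subtree under a configured user base DN and then binds as the user found, which is why a base DN pointing at an OU works while a base DN pointing at a group object finds nothing (a group lists members in its `member` attribute; the user entries do not live beneath it in the tree). The "NPS-style" check finds the user anywhere in the domain and then tests `memberOf`, which is how a RADIUS policy can distinguish two groups for two SSIDs. DNs, user names, passwords and group names are all constructed for the example.

```python
# Added example: toy model of LDAP subtree search vs. group membership.
# Everything below is constructed sample data, not a real directory.
from typing import Dict, List, Optional

# Constructed directory: DN -> attributes. Passwords are stored in clear
# only because this is a toy; a real directory never exposes them this way.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "OU=Staff,DC=example,DC=local": {"objectClass": ["organizationalUnit"]},
    "OU=Contractors,DC=example,DC=local": {"objectClass": ["organizationalUnit"]},
    "OU=Groups,DC=example,DC=local": {"objectClass": ["organizationalUnit"]},
    "CN=alice,OU=Staff,DC=example,DC=local": {
        "objectClass": ["user"],
        "sAMAccountName": ["alice"],
        "userPassword": ["alice-pass"],
        "memberOf": ["CN=WiFi-Staff,OU=Groups,DC=example,DC=local"],
    },
    "CN=bob,OU=Contractors,DC=example,DC=local": {
        "objectClass": ["user"],
        "sAMAccountName": ["bob"],
        "userPassword": ["bob-pass"],
        "memberOf": ["CN=WiFi-Contractors,OU=Groups,DC=example,DC=local"],
    },
    # Group objects: they *reference* users via 'member'; users are not under them.
    "CN=WiFi-Staff,OU=Groups,DC=example,DC=local": {
        "objectClass": ["group"],
        "member": ["CN=alice,OU=Staff,DC=example,DC=local"],
    },
    "CN=WiFi-Contractors,OU=Groups,DC=example,DC=local": {
        "objectClass": ["group"],
        "member": ["CN=bob,OU=Contractors,DC=example,DC=local"],
    },
}


def _dn_parts(dn: str) -> List[str]:
    """Split a DN into normalised RDN components (case-insensitive compare)."""
    return [p.strip().lower() for p in dn.split(",")]


def is_under(entry_dn: str, base_dn: str) -> bool:
    """Subtree containment: entry_dn ends with the RDN sequence of base_dn."""
    e, b = _dn_parts(entry_dn), _dn_parts(base_dn)
    return len(e) >= len(b) and e[-len(b):] == b


def ldap_user_lookup(base_dn: str, user_attr: str, username: str) -> Optional[str]:
    """Step 1 of a WLC-style LDAP auth: subtree search under base_dn for
    user_attr=username. Returns the matching DN, or None if nothing is found."""
    for dn, attrs in DIRECTORY.items():
        values = [v.lower() for v in attrs.get(user_attr, [])]
        if is_under(dn, base_dn) and username.lower() in values:
            return dn
    return None


def simple_bind(dn: str, password: str) -> bool:
    """Step 2: bind as the found DN with the supplied password (toy check)."""
    attrs = DIRECTORY.get(dn)
    return attrs is not None and password in attrs.get("userPassword", [])


def wlc_style_authenticate(base_dn: str, username: str, password: str) -> bool:
    """Search under the configured user base DN, then bind as that user."""
    dn = ldap_user_lookup(base_dn, "sAMAccountName", username)
    return dn is not None and simple_bind(dn, password)


def member_of(user_dn: str, group_dn: str) -> bool:
    """Group membership via the user's memberOf attribute."""
    groups = [g.lower() for g in DIRECTORY.get(user_dn, {}).get("memberOf", [])]
    return group_dn.lower() in groups


def nps_style_authorize(username: str, password: str, group_dn: str,
                        search_base: str = "DC=example,DC=local") -> bool:
    """What a RADIUS/NPS policy does conceptually: locate the user anywhere in
    the domain, verify the credential, then require membership in group_dn."""
    dn = ldap_user_lookup(search_base, "sAMAccountName", username)
    return dn is not None and simple_bind(dn, password) and member_of(dn, group_dn)


if __name__ == "__main__":
    staff_ou = "OU=Staff,DC=example,DC=local"
    staff_group = "CN=WiFi-Staff,OU=Groups,DC=example,DC=local"
    print("base=OU, alice:", wlc_style_authenticate(staff_ou, "alice", "alice-pass"))
    print("base=group, alice:", wlc_style_authenticate(staff_group, "alice", "alice-pass"))
    print("NPS-style, bob in staff group:", nps_style_authorize("bob", "bob-pass", staff_group))
```

Running the script shows the first lookup succeeding, the second failing (no user entry sits beneath the group DN), and the `memberOf` check rejecting bob for the staff SSID while a second policy keyed on the contractors group would accept him. In WLC-only terms this means segregation per SSID has to come from putting the two user populations in two different OUs and pointing each SSID's LDAP server entry at a different user base DN (an assumption about the deployment, not something the thread confirms); anything keyed on group membership needs the RADIUS/NPS path the later replies recommend.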