Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
519
Views
20
Helpful
6
Replies

possible to have 2 ssid using two different AD groups?

baselzind
Level 6
Level 6

‎09-29-2021 12:17 AM - edited ‎09-29-2021 01:31 AM

atm i have a wlc with a ssid that uses a group in AD for authentication, question is can i create a second ssid that uses a different group in the same AD for authentication? like can i create a second entry for my same AD with the same IP and enter a different group then tie this second entry to a ssid?

Labels:
0 Helpful
6 Replies 6

Arshad Safrulla
VIP Alumni
VIP Alumni

‎09-29-2021 04:52 AM

Assuming that you are using Radius for authentication, it is perfectly possible. But since the IP range will be same consider using per user dynamic ACL assignment using your radius server to maintain segregation and security if required. You can have a different ACL for Group1 and different one for Group2. 

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

baselzind
Level 6
Level 6
In response to Arshad Safrulla

‎09-29-2021 11:20 AM - edited ‎09-29-2021 11:24 AM

No I'm not using radius , I just have a wlc and active directory windows server. there is no acl involved, when I added my initial AD I specified a group which contains all the users that will authenticate , i want to add a second ssid that use another group in my AD. is it possible or i can only use one group

0 Helpful

Arshad Safrulla
VIP Alumni
VIP Alumni

‎09-29-2021 11:58 PM

Are you using LDAP for Dot1x? or Layer3 Auth?

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

baselzind
Level 6
Level 6
In response to Arshad Safrulla

‎09-30-2021 12:08 AM

DOt1x

0 Helpful

Arshad Safrulla
VIP Alumni
VIP Alumni

‎09-30-2021 12:54 AM

I haven't done any deployments on this, but as per the Cisco documentation it states that "Users inside a Group cannot be authenticated. They need to be inside a Default Container (CN) or an Organizational Unit (OU)"

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/211277-WLC-with-LDAP-Authentication-Configurati.html

 

If you want more granularity I would suggest that you run NPS service, and do a Radius integration. This will add more security (depends on the EAP mechanism) and will give you more flexibility.

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

patoberli
VIP Alumni
VIP Alumni

‎09-30-2021 08:56 AM

My suggestion is to add the NPS Role onto that server (or even better a separate one). That includes Radius functionality. Then you can use Radius between the WLC and the DC and do this (and much more). 

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card