05-04-2008 12:40 AM - edited 07-03-2021 03:48 PM
Hi There,
I just have one CiscoSecure for both Web Auth and 802.1x.
When working with WLC, how can we distinguish the user that is logged in by Web Auth or 802.1x?
Thank you.
05-04-2008 09:25 AM
Usually you can only have one WLAN set up for 802.1x or pointed to a RADIUS server. Since the AAA client is the WLC, all traffic is from this device, and the RADIUS server will look for this policy and will permit or deny on the first policy it hits. I have only been successful using IAS with this, and it really comes down to creating a policy that will work with both.
05-04-2008 05:19 PM
Suppose that the Web Auth and 802.1x are using different SSIDs. If I make one policy for both, will a WebAuth user be able to log in to the network by 802.1x? I want to avoid this.
How can I set up the RADIUS server so that this does not happen?
05-04-2008 06:22 PM
The issue is that the WLC will always check its local database and then check the first RADIUS server it communicates with, then the second and third. It doesn't matter whether you use different SSIDs or not. The process of authentication is always the same. This is why, when you have two SSIDs using RADIUS, it's hard to define a policy that works with both. That is why there are times that users can use their username and password defined in the PEAP setting on the webauth page and be able to authenticate on that subnet. The only way you can make this happen is if you define the service type. For webauth use Login and for 802.1x use Framed. That install was a while back and was using IAS instead of ACS.... wish I had more info for you.
08-15-2008 10:46 AM
Hi Cliff,
In ACS, you can create different user groups: one for WebAuth and one for standard 802.1x authentication (e.g. PEAP).
By default, ACS will map the user to the corresponding group by looking up the username provided in the RADIUS packet.
To give further security control, you can define "Network Access Filtering" for each group so that ACS will look up the SSID and assign it to the corresponding "user group". This feature is useful in case the user has a 1-to-many mapping in the ACS user database.
For the WebAuth user group, you must enable "service-type (006) = Framed" in the group setup.
Hope this will help.
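As an added illustration of the policy the thread is circling around (not code from any of the posters, Cisco ACS or IAS), the following Python builds a minimal RFC 2865 Access-Request the way a WLC would send it, parses it back, and applies a group rule that checks both Service-Type and the SSID carried in Called-Station-Id. It assumes, as the 05-04-2008 06:22 PM reply states, that web-auth requests arrive with Service-Type = Login-User (1) and 802.1x requests with Framed-User (2), and that the WLC formats Called-Station-Id as "<AP-MAC>:<SSID>". The usernames, SSIDs and the POLICY table are constructed sample data; `build_access_request`, `parse_attributes`, `classify` and `authorize` are helper names chosen for this example.

```python
"""Toy RADIUS policy check: tell WLC web-auth requests from 802.1x ones.

Assumed (labelled, not taken from the thread): Service-Type Login-User (1)
for web-auth, Framed-User (2) for 802.1x; Called-Station-Id = "AP-MAC:SSID".
All users, SSIDs and the POLICY table are constructed sample data.
"""
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_SERVICE_TYPE = 6
ATTR_CALLED_STATION_ID = 30
SERVICE_LOGIN = 1   # Login-User: assumed to be what the WLC sends for web-auth
SERVICE_FRAMED = 2  # Framed-User: assumed to be what the WLC sends for 802.1x

# Constructed policy table: each user group is bound to one service type
# and one SSID, so a web-auth account cannot be reused over 802.1x.
POLICY = {
    "guest1": {"service": SERVICE_LOGIN, "ssid": "GUEST"},
    "alice":  {"service": SERVICE_FRAMED, "ssid": "CORP"},
}


def build_access_request(username, service_type, ap_mac, ssid, ident=1):
    """Build a minimal RADIUS Access-Request (RFC 2865 framing) as bytes."""
    attrs = b""
    for attr_type, value in (
        (ATTR_USER_NAME, username.encode()),
        (ATTR_SERVICE_TYPE, struct.pack("!I", service_type)),
        (ATTR_CALLED_STATION_ID, f"{ap_mac}:{ssid}".encode()),
    ):
        # Attribute: Type (1 byte), Length incl. header (1 byte), Value
        attrs += struct.pack("!BB", attr_type, 2 + len(value)) + value
    authenticator = os.urandom(16)  # Request Authenticator, random per RFC 2865
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet):
    """Return {attr_type: [raw values]}; raises ValueError on malformed framing."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(attr_type, []).append(packet[pos + 2:pos + attr_len])
        pos += attr_len
    return attrs


def classify(packet):
    """Return (username, service_type, ssid) extracted from an Access-Request."""
    attrs = parse_attributes(packet)
    username = attrs[ATTR_USER_NAME][0].decode()
    service_type = struct.unpack("!I", attrs[ATTR_SERVICE_TYPE][0])[0]
    # Called-Station-Id from a WLC is assumed to look like "aa-bb-cc-dd-ee-ff:SSID"
    called = attrs[ATTR_CALLED_STATION_ID][0].decode()
    ssid = called.split(":", 1)[1] if ":" in called else ""
    return username, service_type, ssid


def authorize(packet, policy=POLICY):
    """Accept only when the user's group matches both the service type and the SSID."""
    username, service_type, ssid = classify(packet)
    rule = policy.get(username)
    if rule is None:
        return "reject: unknown user"
    if service_type != rule["service"]:
        return "reject: wrong service-type"
    if ssid != rule["ssid"]:
        return "reject: wrong ssid"
    return "accept"


if __name__ == "__main__":
    ap = "aa-bb-cc-dd-ee-ff"
    # The case the original poster wants to block: a web-auth account over 802.1x
    print(authorize(build_access_request("guest1", SERVICE_FRAMED, ap, "CORP")))
    print(authorize(build_access_request("guest1", SERVICE_LOGIN, ap, "GUEST")))
```

The SSID check matters on top of Service-Type: with Service-Type alone, a web-auth account presented on the corporate web-auth portal (if one existed) would still pass, so the group is pinned to both attributes, which is the same effect the ACS "Network Access Filtering" per group described above is meant to give.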