Solved: Restricting SSIDs using Win2008 Radius Servers

mjohnson1914 · ‎02-06-2013

Hello All,

I have a customer that wants to restrict SSIDs that groups get based on their AD credentials. Currently, he is using Windows 2008 Radius Server and AD with Cisco 5508 WLCs. I found examples that shows this is possible but my question is if I have 2 user groups (teachers and students) in AD and apply a policy for the Radius to send SSID x to teachers and SSID y to students. Upon successfully authentication, would this deny teachers access to SSID y and students access to SSID x?

Thanks in advance for you help! Any suggestions, comments, or links to documents on how this can be done would be greatly appreciated as well!!

Stephen Rodriguez · ‎02-06-2013

It should deny access to the other SSID. The users profile wouldn't match the SSID sent up, so they should be denied.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

View solution in original post

David Watkins · ‎02-06-2013

I would trust Steve's comments, but I am thinking they will be "moved" the appropraite WLAN ID, however as the documentation states, if this is regarding a "Web Authentication" WLAN, they would be "rejected/denied".

Would just have to test this to verify.

View solution in original post

stefan.angerer · ‎02-06-2013

Hi

I had similar requirements in many installations, usually one of these two options satisfied the customer's need:

- one SSID for all users (e.g. teachers and students), and using dynamic vlan assignment based on AD groups

- two SSID and using a filter on the "called-station" radius attribute which includes the SSID the client wants to authenticate to; so you can allow teachers only access to the teacher SSID and deny students, and vice versa. (this can of course be done with NPS)

maybe this helps

regards

Stefan

View solution in original post

Stephen Rodriguez · ‎02-06-2013

yeah, in ACS it's called NAR. in the config you would say * and then either permit or deny, link to the user group and done.

Now the other way around like David was talking about was, One ssid with forced VLAN assignment, IEEE 64/65/81. Then it wouldn't matter what SSID they were on, AAA sends back the VLAN that the user/user group should be on.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

View solution in original post

Scott Fella · ‎02-06-2013

For NPS, I have done the following... one SSID and I would create two policies, one for the Staff and the other for the student

Here is an example.... I'm not doing any dynamic vlans here, but it just so you can see... For the second policy, you don't have to specify a called station id, since its your last rule. IF you had more than three policies that you needed to create, then the top two would need that attribute defined.

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

View solution in original post

Stephen Rodriguez · ‎02-06-2013

It should deny access to the other SSID. The users profile wouldn't match the SSID sent up, so they should be denied.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

mjohnson1914 · ‎02-06-2013

Thanks!

David Watkins · ‎02-06-2013

From my recent memory, this would simply force the client to be placed in the appropriate WLAN ID. RADIUS will respond with WLAN ID the client should be "placed in", therefore if your "teacher policy (x)" authenticates a user, they will be pushed to WLAN ID , regardless if they connected to WLAN X or Y, presuming they're hitting the same NPS server/policies; and vice versa.

Bottom line is the network policy on the NPS is going to make the client move to the respective WLAN ID based on the "credentials" authenticated in the respective policy, regardless if they connect to WLAN X or Y. Make sure AAA override is enabled on each WLAN

List of VSAs supported on WLC

http://www.cisco.com/en/US/products/ps6307/products_tech_note09186a0080870334.shtml

WLAN ID

—When the WLAN-ID attribute is present in the RADIUS Access Accept, the system applies the WLAN-ID (SSID) to the client station after it authenticates. The WLAN ID is sent by the WLC in all instances of authentication except IPsec. In case of web authentication, if the WLC receives a WLAN-ID attribute in the authentication response from the AAA server, and it does not match the ID of the WLAN, authentication is rejected. Other types of security methods do not do this.

Taken from

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008082d5b5.shtml#C2

This is for IAS but the VSAs will all be the same when configured in NPS

For setting the WLAN-ID on a per-user basis:

Attribute Name—Airespace-WLAN-Id
Vendor-assigned attribute number—1
Attribute Format—Integer/Decimal
Value—WLAN-ID

David Watkins · ‎02-06-2013

I would trust Steve's comments, but I am thinking they will be "moved" the appropraite WLAN ID, however as the documentation states, if this is regarding a "Web Authentication" WLAN, they would be "rejected/denied".

Would just have to test this to verify.

mjohnson1914 · ‎02-06-2013

Thanks for the response so if I'm a student and I log on to a PC, laptop, or tablet in school would I only see SSID y because that's what the NPS would push me too? The customer also doesn't want the student to be tempted to try and associate to the teacher SSID. I know you can hide SSIDs and all but with MACs once you authenticate to an WLAN it will show the name of the network in the wireless settings.

stefan.angerer · ‎02-06-2013

Hi

I had similar requirements in many installations, usually one of these two options satisfied the customer's need:

- one SSID for all users (e.g. teachers and students), and using dynamic vlan assignment based on AD groups

- two SSID and using a filter on the "called-station" radius attribute which includes the SSID the client wants to authenticate to; so you can allow teachers only access to the teacher SSID and deny students, and vice versa. (this can of course be done with NPS)

maybe this helps

regards

Stefan

David Watkins · ‎02-06-2013

That sounds like a good solution. Use of the call-station would probably be the "trigger" for whether NPS itself actually sends accept vs reject based on upon the WLAN-ID presented by the WLC in the client's access-request; this seems like more of a "condition" of the authentication as opposed to the previously discussed "result". If you're just sending a VSA with WLAN-ID as a "result" of a successful authentication from NPS, I don't think it will deny access, only override WLAN-ID.

Stephen Rodriguez · ‎02-06-2013

yeah, in ACS it's called NAR. in the config you would say * and then either permit or deny, link to the user group and done.

Now the other way around like David was talking about was, One ssid with forced VLAN assignment, IEEE 64/65/81. Then it wouldn't matter what SSID they were on, AAA sends back the VLAN that the user/user group should be on.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

Scott Fella · ‎02-06-2013

For NPS, I have done the following... one SSID and I would create two policies, one for the Staff and the other for the student

Here is an example.... I'm not doing any dynamic vlans here, but it just so you can see... For the second policy, you don't have to specify a called station id, since its your last rule. IF you had more than three policies that you needed to create, then the top two would need that attribute defined.

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

mjohnson1914 · ‎02-07-2013

Guys, thanks so much for the insight ... this really helped!!!