03-05-2013 02:54 AM - edited 07-03-2021 11:40 PM
Hi.
I am working on setting up a new WLAN infrastructure. I have set up different SSIDs connected to different VLANs, in the AP.
I also want to use Windows NPS for authenticating users on the different SSIDs, with different authentication methods based on which SSID the user/device is connecting to. To do that, NPS needs to get the SSID, but the Aironet 1240 only sends its MAC address in the Called-Station-Id. I have read a bit about this, and found out that if I have a WLC, it will add the SSID to the Called-Station-Id. But since we do not have a WLC, I am trying to get this to work anyway.
Is it possible to modify the Called-Station-Id to include the SSID on an Aironet 1240? If not, is it possible to send the SSID as a separate attribute that can be read by the NPS?
03-05-2013 04:06 AM
On autonomous APs, it can be accomplished in a different way:
The client associates to any SSID that is using a RADIUS server, where the RADIUS server is going to return the list of allowed
SSIDs in the RADIUS Access-Accept packet within a specific attribute-value pair. If the SSID the client is trying to associate to at the moment is part of the list, the client continues without issues, but if the SSID is not part of the returned list, the client won't survive the association.
If the RADIUS server hasn't been configured with any SSID, then the user will be able to access any SSID available that makes use of the RADIUS server.
The attribute that should be configured on the RADIUS server is [009/001] cisco-av-pair.
Under that attribute we configure the SSID allowed for that user:
ssid=ssidname
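As an added illustration of the mechanism described above (this is not code from the thread or from Cisco), the following Python encodes cisco-av-pair values as RADIUS Vendor-Specific attributes and applies the SSID-list rule the way the post describes it: no ssid= pairs returned means any SSID is allowed, otherwise the client's SSID must be in the list. The byte layout follows RFC 2865 (attribute type 26, vendor ID 9, sub-type 1); the sample Access-Accept attributes are constructed here.

```python
import struct

RADIUS_VSA = 26       # IETF Vendor-Specific attribute type (RFC 2865 s5.26)
CISCO_VENDOR_ID = 9   # IANA enterprise number for Cisco; the "009" in [009/001]
CISCO_AV_PAIR = 1     # vendor sub-type 1 = cisco-av-pair


def build_cisco_av_pair(value: str) -> bytes:
    """Encode one cisco-av-pair string as a RADIUS Vendor-Specific attribute."""
    data = value.encode()
    sub = struct.pack("!BB", CISCO_AV_PAIR, 2 + len(data)) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    return struct.pack("!BB", RADIUS_VSA, 2 + len(body)) + body


def parse_tlvs(blob: bytes):
    """Yield (type, value) for each type/length/value item in a RADIUS TLV list."""
    i = 0
    while i + 2 <= len(blob):
        ttype, tlen = blob[i], blob[i + 1]
        if tlen < 2 or i + tlen > len(blob):
            raise ValueError("malformed attribute length")
        yield ttype, blob[i + 2:i + tlen]
        i += tlen


def cisco_av_pairs(attrs: bytes) -> list:
    """Return every cisco-av-pair string in an Access-Accept attribute section."""
    pairs = []
    for atype, value in parse_tlvs(attrs):
        if atype != RADIUS_VSA or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue  # VSA from another vendor
        for stype, svalue in parse_tlvs(value[4:]):  # vendor sub-attributes follow the ID
            if stype == CISCO_AV_PAIR:
                pairs.append(svalue.decode())
    return pairs


def ssid_allowed(attrs: bytes, ssid: str) -> bool:
    """Thread's rule: no ssid= pairs -> any SSID allowed; else SSID must be listed."""
    allowed = [p[5:] for p in cisco_av_pairs(attrs) if p.startswith("ssid=")]
    return not allowed or ssid in allowed


# Constructed sample Access-Accept attributes: two ssid= pairs and an unrelated av-pair.
SAMPLE_ACCEPT = (build_cisco_av_pair("ssid=Corp") + build_cisco_av_pair("ssid=Guest")
                 + build_cisco_av_pair("vlan=20"))
NO_RESTRICTION = build_cisco_av_pair("vlan=20")  # constructed: no ssid= pair returned
```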
03-05-2013 04:13 AM
You need to check with Microsoft how to add vendor-specific attributes on NPS and make use of them.
-------------------------------------------------------------------------------------------------------------
Please make sure to rate correct answer
03-05-2013 04:15 AM
Hi.
Thank you for your response. Do I need to configure anything on the APs for this, or will it work as soon as I have added it on the RADIUS server?
03-05-2013 04:22 AM
All you need on the AP:
aaa new-model
aaa authentication login .... group radius
radius-server host a.b.c.d auth-port 1812 acct-port 1813 key ....
Make sure to have the method list added under your SSIDs and everything should be OK.
------------------------------------------------------------------------------------------
Please make sure to rate correct answers and flag this thread as answered
03-05-2013 04:38 AM
OK, I have tested this a bit.
It seems like it will not work, unfortunately. I can only connect to the SSID that matches the first policy on the RADIUS server (NPS). If I try to connect to another SSID, NPS will still try to authenticate me using the first policy, since all conditions match, and I will be unable to connect because of the ssid av-pair.
So if I am not missing something here, I would need to be able to send the SSID from the AP to the NPS, so that NPS can choose the correct policy based on the SSID.
03-05-2013 04:49 AM
I have tested this many times with ACS 4.x and ACS 5.x and it is working perfectly without issues.
You need to troubleshoot your issue now with Microsoft.
There is no option to send your SSID in the Called-Station-Id attribute on autonomous APs.
-------------------------------------------------------------------------------------------------
Rating helpful answers motivates helpful people on this forum
03-05-2013 05:16 AM
OK.
I cannot see how I can make NPS choose the correct policy if it can't do it based on the SSID. I might be missing something basic, but I think we will have to go with a WLC.
There are 6 APs, otherwise I could have matched on the MAC in Called-Station-Id, since each SSID has its own MAC.
I could of course make 6 copies of each policy, but that is a bit messy.
03-05-2013 05:24 AM
The thing is that you should configure your NPS to return that attribute in the RADIUS Access-Accept packet
with the value of the SSID allowed for that user; it is not in the Access-Request.
---------------------------------------------------------------------------------------
Please make sure to mark this thread as answered
03-05-2013 05:46 AM
Yes, I think that is what I did. But I don't think I can get NPS to authenticate against any policy except the first one if I can't use the SSID as a condition.
Can't say that I'm an expert on NPS though, so I might be missing something.
03-05-2013 06:00 AM
For your reference, please check the following two links about having custom VSAs on NPS:
http://technet.microsoft.com/en-us/library/cc754417%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/cc731611%28v=ws.10%29.aspx
Information about the custom attribute I mentioned above:
Name: cisco-av-pair
ID: 1
Type: String
Direction: Both
Multiple allowed: True
IETF vendor code for Cisco is 9
-----------------------------------------------------------------------------------------------------------------
Please make sure to rate correct answers, and flag this thread as answered