SSID to Radius without WLC (Aironet 1240)

Johan Sjöberg
Level 1

Hi.

I am working on setting up a new WLAN infrastructure. I have set up different SSIDs connected to different VLANs, in the AP.

I also want to use Windows NPS for authenticating users on the different SSIDs, with different authentication methods based on which SSID the user/device is connecting to. To do that, NPS needs to get the SSID, but the Aironet 1240 only sends its MAC address in the Called-Station-Id. I have read a bit about this, and found out that if I have a WLC, it will add the SSID to to the Called-Station-Id. But since we do not have a WLC, I am trying to get this to work anyway.

Is it possible to modify the Called-Station-Id to include the SSID on an Aironet 1240? If not, is it possible to send the SSID as a separate attribute that can be read by the NPS?

10 Replies

maldehne
Cisco Employee

On autonomous APs, it can be accomplished in a different way:

The client associates to any SSID that is using the RADIUS server, where the RADIUS server is going to return the list of allowed SSIDs in the RADIUS Access-Accept packet within a specific attribute-value pair. If the SSID at which the client is trying to associate at the moment is part of the list, the client continues without issues, but if the SSID is not part of the returned list, the client won't survive the association.

If the RADIUS server hasn't been configured with any SSID then the user will be able to access any SSID available that makes use of the RADIUS server.

The attribute that should be configured on the RADIUS server is [009/001] cisco-av-pair.

Under that attribute we configure the SSID allowed for that user:

ssid=ssidname

You need to check with Microsoft how to add vendor-specific attributes on NPS and make use of them.

-------------------------------------------------------------------------------------------------------------

Please make sure to rate correct answer

Hi.

Thank you for your response. Do I need to configure anything on the APs for this, or will it work as soon as I have added it on the RADIUS server?

All that you need on the AP:

aaa new-model

aaa authentication login .... group radius

radius-server host a.b.c.d auth-port 1812 acct-port 1813 key ....

Make sure to have the method list added under your SSIDs and everything should be OK.

------------------------------------------------------------------------------------------

Please make sure to rate correct answers and flag this thread as answered

OK, I have tested this a bit.

It seems like it will not work, unfortunately. I can only connect to the SSID that matches the first policy on the RADIUS server (NPS). If I try to connect to another SSID, NPS will still try to authenticate me using the first policy, since all conditions match, and I will be unable to connect because of the ssid av-pair.

So if I am not missing something here, I would need to be able to send the SSID from the AP to the NPS, so that NPS can choose the correct policy based on the SSID.

I have tested this many times with ACS 4.x and ACS 5.x and it is working perfectly without issues.

You need to troubleshoot your issue now with Microsoft.

There is no option to send your SSID in the Called-Station-Id attribute on autonomous APs.

-------------------------------------------------------------------------------------------------

Rating helpful answers motivates helpful people on this forum

OK.

I cannot see how I can make NPS choose the correct policy if it can't do it based on the SSID. I might be missing something basic, but I think we will have to go with a WLC.

There are 6 APs, otherwise I could have matched on the MAC in Called-Station-Id, since each SSID has its own MAC.

Could of course make 6 copies of each policy, but that is a bit messy.

The thing is that you should configure your NPS to return that attribute in the RADIUS Access-Accept packet with the value of the SSID allowed for that user; it is not in the Access-Request.

---------------------------------------------------------------------------------------

Please make sure to mark this thread as answered

Yes, I think that is what I did. But I don't think I can get NPS to authenticate against any policy except the first one if I can't use the SSID as a condition.

Can't say that I'm an expert on NPS though, so I might be missing something.

For your reference, please check the following two links about having custom VSAs on NPS:

http://technet.microsoft.com/en-us/library/cc754417%28v=ws.10%29.aspx

http://technet.microsoft.com/en-us/library/cc731611%28v=ws.10%29.aspx

Information about the custom attribute I mentioned above:

Name: cisco-av-pair

ID: 1

Type: String

Direction: Both

Multiple allowed: True

IETF vendor code for Cisco is 9

-----------------------------------------------------------------------------------------------------------------

Please make sure to rate correct answers, and flag this thread as answered
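The replies above describe two things without showing the bytes: how the cisco-av-pair "ssid=..." value travels inside a RADIUS Vendor-Specific attribute (type 26, vendor code 9, vendor type 1, string), and the decision the autonomous AP makes with it (no ssid entries returned means any SSID is allowed; otherwise the SSID the client is associating to must be in the returned list). The following is an added example, not code from the thread, from Cisco or from Microsoft: it encodes and parses the VSA per RFC 2865 and applies that allow/deny rule. The attribute blob and the SSID names are constructed sample data, and the second VSA (vendor id 311, which is Microsoft's) is only there to show that attributes from other vendors are skipped.

```python
import struct

RADIUS_VENDOR_SPECIFIC = 26   # RFC 2865 attribute type for Vendor-Specific
CISCO_VENDOR_ID = 9           # IANA enterprise number for Cisco
CISCO_AV_PAIR = 1             # cisco-av-pair vendor type (the [009/001] in the thread)


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Build one RFC 2865 Vendor-Specific attribute: type, length, vendor id, sub-attribute."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def encode_cisco_av_pair(av_pair: str) -> bytes:
    """Encode e.g. 'ssid=Staff' as a cisco-av-pair VSA."""
    return encode_vsa(CISCO_VENDOR_ID, CISCO_AV_PAIR, av_pair.encode("ascii"))


def parse_attributes(blob: bytes):
    """Yield (type, value) from a RADIUS attribute list; reject truncated or bad lengths."""
    i = 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = blob[i], blob[i + 1]
        if attr_len < 2 or i + attr_len > len(blob):
            raise ValueError("bad attribute length")
        yield attr_type, blob[i + 2:i + attr_len]
        i += attr_len


def cisco_av_pairs(blob: bytes) -> list[str]:
    """Collect every cisco-av-pair string from the attribute list of an Access-Accept."""
    pairs = []
    for attr_type, value in parse_attributes(blob):
        if attr_type != RADIUS_VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor_id = struct.unpack("!I", value[:4])[0]
        if vendor_id != CISCO_VENDOR_ID:
            continue  # some other vendor's VSA, not ours to interpret
        for sub_type, sub_value in parse_attributes(value[4:]):
            if sub_type == CISCO_AV_PAIR:
                pairs.append(sub_value.decode("ascii", errors="replace"))
    return pairs


def allowed_ssids(av_pairs: list[str]) -> set[str]:
    """Keep only the 'ssid=<name>' pairs; other av-pairs are unrelated to SSID control."""
    return {p.split("=", 1)[1] for p in av_pairs if p.startswith("ssid=")}


def association_allowed(accept_attrs: bytes, ssid: str) -> bool:
    """The AP rule described in the thread: no ssid list means any SSID; else SSID must be listed."""
    allowed = allowed_ssids(cisco_av_pairs(accept_attrs))
    return not allowed or ssid in allowed


# Constructed sample: what an Access-Accept might carry for a user allowed on two SSIDs.
SAMPLE_ACCEPT = (
    encode_cisco_av_pair("ssid=Staff")
    + encode_cisco_av_pair("ssid=Guest")
    + encode_vsa(311, 1, b"unrelated")  # Microsoft VSA, skipped by cisco_av_pairs()
)

if __name__ == "__main__":
    print("av-pairs:", cisco_av_pairs(SAMPLE_ACCEPT))
    for name in ("Staff", "Guest", "Lab"):
        print(name, "->", "allowed" if association_allowed(SAMPLE_ACCEPT, name) else "denied")
```

Note that the decision lives on the AP after authentication succeeded: NPS has already said Accept, and only the av-pair keeps the client off an SSID it should not be on. That is exactly why, as the thread concludes, the attribute cannot help NPS pick a different policy per SSID when the Access-Request itself carries no SSID.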
