Cisco Support Community
New Member

Different authentication per SSID

Hello,

Currently I have three SSIDs, each serving its purpose: Students, Staff & Guest. I want to achieve different authentication for each SSID. Students will be able to authenticate only on the Student SSID and the same for Staff; Staff shouldn't be able to authenticate on Student and vice versa.

Is it possible with a RADIUS server to be authenticated based on AD organizational units?

Any thoughts?

Thanks,

27 REPLIES
Hall of Fame Super Silver

Different authentication per SSID

Yes... there is a RADIUS attribute, called-station-id, which you can use to differentiate between the SSIDs. The SSID is passed in that attribute and you would create two policies, one for student and one for staff.

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***
Hall of Fame Super Silver

Re: Different authentication per SSID

Here are some links:

https://supportforums.cisco.com/thread/2098434

http://mrncciew.com/2013/07/22/called-calling-station-id/

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml

Thanks,


Scott

Hall of Fame Super Silver

Re: Different authentication per SSID

What radius server do you have?

Thanks,

Scott

New Member

Different authentication per SSID

Hello,

I'm using Windows 2003 as Radius server..

Hall of Fame Super Silver

Re: Different authentication per SSID

You should be able to still use the called-station-ID radius attribute for this.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
Hall of Fame Super Silver

Re: Different authentication per SSID

Take a look at this thread also. Has some links you can follow.

https://supportforums.cisco.com/thread/2217685

-Scott
New Member

Different authentication per SSID

Hello Scott,

I have gone through the tutorials you have given, and what I understood is that the Called-Station-ID is being used for MAC authentication against the devices connected to the WiFi network, but not against the Active Directory username.

I have now tried creating a Guest SSID, and in that Guest SSID I have made the authentication based on LOCAL only. This works perfectly, as only the users created under the LobbyAdmin are being authenticated and not the Active Directory accounts.

I would like to do the same but on different SSIDs: on the Staff SSID, which would only be applied to the Staff-Security-AD-Group, and on the Student SSID, which would only be applied to the Student-Security-AD-Group. This will eliminate the Staff from being authenticated on the Student SSID & Guest SSID, and the same for Students, who will be eliminated from being authenticated on the Staff & Guest SSIDs as well.

Is it achievable with RADIUS Server 2003?

Hall of Fame Super Silver

Different authentication per SSID

Yes it is... you would have to create two separate policies in your IAS 2003 RADIUS server. The only difference between the two would be the called-station-id and the AD group mapping. With IAS, you need to use a regex, something like this, if your SSID was named secure:

.*secure

Thanks,


Scott

New Member

Different authentication per SSID

Hi Scott,

Thanks for your reply. Do you have an example configuration on RADIUS, and what sort of additional configuration would the WLC require?

Hall of Fame Super Silver

Different authentication per SSID

I really need to know how everything is setup, which makes it hard to explain the setup over the forum.  The only thing I can really help with is if you post your show run-config and screen shots of your radius policies so I can see what you need to do.  Also I would need to know what you want for each of the ssids.

Thanks,

Scott

New Member

Different authentication per SSID

Will give you all the details tonight or tomorrow morning.

Hall of Fame Super Silver

Different authentication per SSID

No problem

Thanks,

Scott

New Member

Different authentication per SSID

Hi Scott,

We are here. Would you like to give an example of how this would be configured on RADIUS Server 2003?

VIP Purple

Different authentication per SSID

Hi Ramkumar,

Can you please create a new thread and post your issue in brief?

Regards

New Member

Re: Different authentication per SSID

Hi Sandeep,

We are working with Hussain Al Sayed and we are at the same site.

I will post some screenshots now.

Best Regards

Ramkumar

Message was edited by: Ramkumar B

New Member

Re: Different authentication per SSID

Hi,

Hussain Al Sayed, Ram Kumar & Waqas made the configuration in the IAS and only one policy is there. When one of the users who is a member of the targeted group tries to log in, it says the username and password are not valid and IAS generates a warning as follows:

User zha10264 was denied access.

Fully-Qualified-User-Name = Domain-Name\zha10264

NAS-IP-Address = 172.16.3.3

NAS-Identifier = RCSICiscoWLC01

Called-Station-Identifier = 50-17-ff-34-7c-60:ICT

Calling-Station-Identifier = f0-7b-cb-41-5a-8c

Client-Friendly-Name = ciscowlan

Client-IP-Address = 172.16.3.3

NAS-Port-Type = Wireless - IEEE 802.11

NAS-Port = 13

Proxy-Policy-Name = Use Windows authentication for all users

Authentication-Provider = Windows

Authentication-Server =

Policy-Name =

Authentication-Type = PAP

EAP-Type =

Reason-Code = 16

Reason = Authentication was not successful because an unknown user name or incorrect password was used.

Any help?

VIP Purple

Re: Different authentication per SSID

Hi Ramkumar,

Is the shared secret the same on the switch and the IAS server?

Regards

New Member

Re: Different authentication per SSID

Hi Sandeep,

It's working correctly now as per the following policy criteria, in order:

1. NAS-Port-Type Matches Wireless - IEEE 802.11 Or Wireless other

2. Called-Station-ID Matches "ICT.*", which is the SSID name we are using, AND

3. Windows-Groups Matches "Domain-Name\SG-GroupName"

I have tested this by adding the targeted user to the SG-Group, and the user was able to be authenticated if it's in that group; if not, an error message will appear saying the username and password are not valid.

One last question I have regarding the performance of the IAS server: we are targeting 900 concurrent user sessions. Will an IAS Server 2003 having 2 GB RAM and 2.8 GHz x 2 vCPUs be enough?

What is your recommendation?

Thanks,

Hussain on behalf of Ram Kumar
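
The per-SSID policy logic discussed in this thread, as an added Python example that is not part of the original posts and is not IAS code. It assumes SSIDs named Staff and Student, a constructed AP MAC, ordered first-match policy evaluation, and Python's `re.search` as a stand-in for IAS pattern matching; the group names are the ones mentioned earlier in the thread.

```python
import re

# Constructed policies, checked in order; a request matching none is denied.
# Anchoring on ":<SSID>$" pins the match to the SSID suffix of
# Called-Station-ID ("<AP MAC>:<SSID>"), so "Staff" cannot match "Staff-Lab".
POLICIES = [
    {"name": "Staff WLAN", "called_station": r":Staff$",
     "group": "Staff-Security-AD-Group"},
    {"name": "Student WLAN", "called_station": r":Student$",
     "group": "Student-Security-AD-Group"},
]
WIRELESS = {"Wireless - IEEE 802.11", "Wireless - Other"}
AP = "00-11-22-33-44-55"  # constructed AP MAC, not taken from the thread


def parse_called_station(value):
    """Split 'aa-bb-cc-dd-ee-ff:SSID' into (ap_mac, ssid)."""
    m = re.fullmatch(r"((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}):(.+)", value)
    if not m:
        raise ValueError("unexpected Called-Station-ID: %r" % value)
    return m.group(1).lower(), m.group(2)


def evaluate(request, user_groups, policies=POLICIES):
    """Return the first policy whose conditions all match, else None (deny)."""
    if request.get("NAS-Port-Type") not in WIRELESS:
        return None
    called = request["Called-Station-ID"]
    parse_called_station(called)  # raises on malformed values
    for p in policies:
        if re.search(p["called_station"], called) and p["group"] in user_groups:
            return p["name"]
    return None


def loose_match(pattern, called_station):
    """Show what a given pattern accepts, e.g. an unanchored 'ICT.*'."""
    return re.search(pattern, called_station) is not None


if __name__ == "__main__":
    staff = {"Staff-Security-AD-Group"}
    for ssid in ("Staff", "Student"):
        req = {"NAS-Port-Type": "Wireless - IEEE 802.11",
               "Called-Station-ID": AP + ":" + ssid}
        print(ssid, "->", evaluate(req, staff))
    print(loose_match("ICT.*", AP + ":ICT-Guest"), loose_match(":ICT$", AP + ":ICT-Guest"))
```
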

VIP Purple

Re: Different authentication per SSID

New Member

Re: Different authentication per SSID

Thanks for your reply. I think it is a good article, as I'm not running IAS on a domain controller:

the domain controller or the computer that contains the global catalog, verify that you have an efficient domain and site topology.

Use the MaxConcurrentApi registry entry (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters) to increase the number of multiplexed connections to the domain controller.

Hall of Fame Super Silver

Different authentication per SSID

Typically you would want to bring up another IAS server and point the WLC to both... If you have two WLCs, this allows you to point WLC1 to Radius1 and Radius2 for backup and WLC2 to Radius2 for primary and Radius1 for backup. The 2GB of RAM is questionable, as in the past I have seen a minimum of 8 in production networks, but I'm not a server guy.

Thanks,

Scott

Hall of Fame Super Silver

Re: Different authentication per SSID

Can you export the IAS configuration and send it to me by PM? Just click on the IAS server in the configuration page and click export. This way I can tweak your policy and send it back.

-Scott
New Member

Different authentication per SSID

Hi Scott,

I tried to send you a PM with an attachment yesterday, but PM doesn't have attachment options.

New Member

Different authentication per SSID

Will this file be okay for you?

netsh aaaa show config >C:\IASConfig.txt

Hall of Fame Super Silver

Re: Different authentication per SSID

Send me a PM with your email and I will reply back.

-Scott
New Member

Different authentication per SSID

Hi Scott,

I have just sent you a PM.

thanks,

Hall of Fame Super Silver

Re: Different authentication per SSID

Just replied back :)

-Scott