5508 controller with Radius authentication

Hi,

I am setting up a WIFI network with a Cisco 5508 controller. I want to configure a first WIFI network (WIFI1) that will authenticate my business laptop based on the AD computer accounts and will access my corporate network.

I want to set up a second WIFI network (WIFI2) that will authenticate my phone and tablet devices with AD user accounts and will be on a separate vlan with only access to the Internet.

I created 2 policies on the Radius server: one that authenticates computers coming from wireless and a second one authenticating users coming from wireless.

Right now, if a user manually creates the WIFI1 network on his phone and enters his AD username, he is going to have access to the corporate network. I would like to be able to say that when a request is coming from WIFI1, only the policy for authenticating wireless devices with computer accounts will apply and the second policy authenticating users wouldn't apply.

Is this something possible?

Thanks

Accepted Solutions

Stephane,

If you are using IAS or NPS as your RADIUS server, you can add the Called-Station-ID condition to each policy and use the WLAN name as the conditional value. When the WLC sends this value to the RADIUS server during authentication, the last part of that string is the WLAN name.

  • In your first access policy, add a condition for Called-Station-ID = WIFI2. Any client that is not a device (i.e., users) will not use this policy and the server will move to the next policy.

  • In your second access policy, add a condition for Called-Station-ID = WIFI1. Any client that is not a user (devices and everything else) will not use this policy.

Screenshot example using NPS, where my WLAN name of interest is 2106-voice

If you are using ACS, this post should help:

https://supportforums.cisco.com/message/3374582#3374582

Justin
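The following model of first-match policy evaluation is an added example, not part of the original thread and not NPS or WLC code. It uses the mapping from the question (WIFI1 for computer accounts, WIFI2 for user accounts) and shows why the Called-Station-ID condition should match only the trailing WLAN name. Assumptions: the value has the layout `AP-MAC:WLAN`, the condition is treated as a regular expression, the account type has already been resolved by the server, and the policy names and sample values are constructed.

```python
import re

# Assumed mapping, taken from the question: WIFI1 is for AD computer accounts,
# WIFI2 is for AD user accounts. Each pattern is anchored with "$" so it only
# matches the WLAN name at the end of Called-Station-Id.
SCOPED = [
    {"name": "wireless-computers", "ssid": r":WIFI1$", "account": "computer"},
    {"name": "wireless-users", "ssid": r":WIFI2$", "account": "user"},
]
# The starting point in the question: neither policy looks at the WLAN.
UNSCOPED = [dict(p, ssid=r".*") for p in SCOPED]
# Same intent as SCOPED but without anchoring (substring match).
LOOSE = [dict(p, ssid=p["ssid"].strip(":$")) for p in SCOPED]


def wlan_name(called_station_id):
    """Return the text after the last ':' (assumed 'AP-MAC:WLAN' layout)."""
    _, sep, ssid = called_station_id.rpartition(":")
    return ssid if sep else None


def evaluate(called_station_id, account, policies):
    """Return the name of the first policy whose conditions all match, else None."""
    for policy in policies:
        if (re.search(policy["ssid"], called_station_id)
                and policy["account"] == account):
            return policy["name"]
    return None  # no policy matched: the request is rejected


if __name__ == "__main__":
    # Constructed requests: (Called-Station-Id, account type presented)
    requests = [
        ("00-11-22-33-44-55:WIFI1", "computer"),
        ("00-11-22-33-44-55:WIFI1", "user"),      # phone with WIFI1 created by hand
        ("00-11-22-33-44-55:WIFI2", "user"),
        ("00-11-22-33-44-55:WIFI10", "computer"),  # different WLAN, similar name
    ]
    for csid, account in requests:
        print(wlan_name(csid), account,
              {n: evaluate(csid, account, p) for n, p in
               [("unscoped", UNSCOPED), ("loose", LOOSE), ("scoped", SCOPED)]})
```

With the scoped policies, a user account arriving on WIFI1 matches no policy and is rejected, and a WLAN whose name merely starts with WIFI1 is not treated as WIFI1.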
