Bronze

Captive portal auth via RADIUS

Is it possible on WLC to make a guest SSID to use captive portal to authenticate and verify the users for the captive portal on a RADIUS server (Microsoft IAS)?

Besides that, how can I configure the MS IAS to limit which SSID the user can access?

If a user is intended to access only guest SSID I don't want the IAS authenticating it for corporate SSID.

I've seen that for ACS, but I'm going to use Microsoft IAS.

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml

Accepted Solutions
Hall of Fame Super Silver

Re: Captive portal auth via RADIUS

Yes you can. In IAS you need to do the following:

  • Go to Edit Dial-In Profile
  • Click on Authentication tab and check Unencrypted authentication (PAP, SPAP) and uncheck the others and click OK. (PAP is configured on the controller under the Controller tab)


Change the Service-Type to Login

Now to limit certain users to a specific SSID, first you need to make sure the users are in a different AD Group. Then in your IAS wireless policy that you created, you need to add a condition named Called Station ID. There you would use a wildcard then specify the SSID. For example, if my SSID was GuestWiFi, I would enter the following in the Called Station ID:

..-..-..-..-..-..:GuestWiFi

Below is a screen shot from NPS, but it's the same with IAS.

Hope this helps

-Scott
*** Please rate helpful posts ***
Bronze

Captive portal auth via RADIUS

Thank you very much for the complete answer.

I will put it to work next Wednesday and tell you how it was.

Only one doubt about the wildcard for the SSID on the Called Station ID. What is the purpose of the wildcard in there? Does it need a pattern or something?

Hall of Fame Super Silver

Re: Captive portal auth via RADIUS

It's the MAC address of the client. You need that to basically accept any MAC address but specify the SSID.

Sent from my iPhone

-Scott
*** Please rate helpful posts ***
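
The Called Station ID condition discussed in this thread, as an added example that is not part of the original posts: a small Python model of per-SSID policy matching using the pattern from the accepted answer. It assumes the condition is evaluated as an unanchored regular expression (modelled here with `re.search`); the AD group names, the `CorpWiFi` SSID, the `^`/`$` anchored variant and the sample MAC values are all constructed for illustration.

```python
import re

# Pattern exactly as given in the accepted answer.
PAGE_PATTERN = r"..-..-..-..-..-..:GuestWiFi"
# Assumption: anchored variant, so only the exact SSID string can match.
ANCHORED_PATTERN = r"^..-..-..-..-..-..:GuestWiFi$"

def matches(pattern, called_station_id):
    """Unanchored regex test (assumed model of the policy condition)."""
    return re.search(pattern, called_station_id) is not None

def evaluate(policies, user_groups, called_station_id):
    """Return the first policy whose AD group and SSID condition both
    match the request, or None when nothing matches (request rejected)."""
    for name, group, pattern in policies:
        if group in user_groups and matches(pattern, called_station_id):
            return name
    return None

# Constructed policies: (policy name, AD group, Called Station ID pattern)
POLICIES = [
    ("Guest wireless", "Wifi-Guests", ANCHORED_PATTERN),
    ("Corporate wireless", "Wifi-Staff", r"^..-..-..-..-..-..:CorpWiFi$"),
]

# Constructed requests: (user's AD groups, Called Station ID value)
REQUESTS = [
    ({"Wifi-Guests"}, "00-1a-2b-3c-4d-5e:GuestWiFi"),
    ({"Wifi-Guests"}, "00-1a-2b-3c-4d-5e:CorpWiFi"),
    ({"Wifi-Staff"}, "00-1a-2b-3c-4d-5e:CorpWiFi"),
]

if __name__ == "__main__":
    for groups, csid in REQUESTS:
        print(sorted(groups), csid, "->", evaluate(POLICIES, groups, csid) or "reject")
    # Without anchors, a longer SSID that starts with "GuestWiFi" also matches.
    lookalike = "00-1a-2b-3c-4d-5e:GuestWiFi-Lab"
    print("unanchored:", matches(PAGE_PATTERN, lookalike))
    print("anchored:  ", matches(ANCHORED_PATTERN, lookalike))
```

Each `.` stands for any single character, so the six `..` groups accept any MAC value while the literal text after the colon pins the policy to one SSID.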