
New Member

Limiting EAP Types on a per WLAN basis on Wireless LAN Controllers

Hello:

 

I have a situation where I have two WLANs on the same WLC, and I'm using 802.1x authentication and using Windows NPS as my NAC solution. I'm using the same NPS servers to authenticate users on both WLANs.

 

That said, is it possible to limit the EAP type on a per WLAN basis? I'd like to limit one WLAN to use Certificate-based auth (EAP-TLS) and the other to use PEAP (manually entering a username and password). My limitation is that I have to use the same NPS servers on the back end. Right now, the NPS servers successfully respond to either EAP method.

Accepted Solution
VIP Purple

This is possible.

You can set up a policy on your RADIUS server to check that the Called-Station-ID contains the relevant "SSID Name". If that matches and the appropriate EAP type (TLS, PEAP, etc.) is used, then you can permit access. In this way you can restrict a particular SSID to a specific EAP type.

HTH

Rasika

**** Pls rate all useful responses ****

2 REPLIES

New Member

Hi Rasika,

 

You are right, and for anyone else that finds this information useful, here are some further details:

1) In the WLC GUI config, under Security > AAA > RADIUS > Authentication, in the 'Auth Call Station ID Type' drop-down selection, make sure you have selected an item with "SSID" in the selection (I selected "AP Name:SSID"). Apparently, the SSID can't be the lone piece of information sent to the RADIUS server here, so select the item that will be most useful for your environment.

2) For my NPS config, under NPS > Policies > Network Policies, open/create the policy you are going to use, and under the "Conditions" tab, add the "Called Station ID" condition. For the value of this condition, here's where it gets interesting. Since the SSID can't be the lone piece of information here, you have to do some expression matching. For example, if I'm using "AP Name:SSID", and I want to match all APs using the SSID "TLSTEST1", then the value you might enter here is ".*TLSTEST1" (minus the quotes). Search on-line for regular expressions in NPS for details on this, as there are many potential answers, depending on one's environment.

3) In the Constraints tab, under Authentication Methods, choose only the EAP type that I want for this SSID. Since I only want to accept EAP-TLS, I'll choose "Microsoft: Smart Card or Other Certificate".

 

That should do it. This was a result of tinkering in the lab today, so if something throws a red flag for you, please let me know.
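To make the three steps above concrete, here is an added example (not from the thread or from Cisco/Microsoft) that emulates how NPS evaluates the two policies described: a Called-Station-Id regex condition per SSID plus an Authentication Methods constraint, first matching policy wins, and a constraint failure rejects the request. The "APNAME:SSID" strings, the SSID CORPTEST1 and the policy names are constructed; anchoring the patterns with `$` is my addition, so that an SSID such as TLSTEST10 does not also satisfy the TLSTEST1 condition.

```python
import re
from dataclasses import dataclass

# EAP method type numbers from the IANA EAP registry: 13 = EAP-TLS, 25 = PEAP
EAP_TLS, PEAP = 13, 25


@dataclass(frozen=True)
class NetworkPolicy:
    """Minimal mirror of an NPS network policy: one Called-Station-Id
    condition (regex, searched anywhere in the attribute, as NPS does)
    plus the set of EAP types allowed by the Authentication Methods constraint."""
    name: str
    called_station_pattern: str
    allowed_eap_types: frozenset

    def matches(self, called_station_id: str) -> bool:
        return re.search(self.called_station_pattern, called_station_id) is not None


# Constructed policies for the two SSIDs in the thread. The '$' anchor is an
# addition: without it, ".*TLSTEST1" would also match a Called-Station-Id ending
# in "TLSTEST10" or "TLSTEST1-GUEST" and hand that SSID the EAP-TLS policy.
POLICIES = [
    NetworkPolicy("WLAN TLSTEST1 - EAP-TLS only", r".*:TLSTEST1$", frozenset({EAP_TLS})),
    NetworkPolicy("WLAN CORPTEST1 - PEAP only", r".*:CORPTEST1$", frozenset({PEAP})),
]


def evaluate(called_station_id: str, eap_type: int, policies=POLICIES) -> tuple:
    """Emulate NPS processing: the first policy whose conditions match is applied;
    its constraints then decide Access-Accept vs Access-Reject. No match => reject.
    Returns (decision, reason)."""
    for policy in policies:
        if policy.matches(called_station_id):
            if eap_type in policy.allowed_eap_types:
                return ("Access-Accept", policy.name)
            return ("Access-Reject", f"{policy.name}: EAP type {eap_type} not permitted")
    return ("Access-Reject", "no matching network policy")


if __name__ == "__main__":
    # Constructed requests in the WLC "AP Name:SSID" Called-Station-Id style.
    for csid, eap in [("LAB-AP01:TLSTEST1", EAP_TLS), ("LAB-AP01:TLSTEST1", PEAP),
                      ("LAB-AP01:CORPTEST1", PEAP), ("LAB-AP01:TLSTEST10", EAP_TLS)]:
        print(csid, eap, "->", evaluate(csid, eap))
```

Logging the `reason` string alongside the RADIUS decision is the quickest way to see, in the lab, which policy a client actually hit when an unexpected reject appears.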
