Cisco Support Community
New Member

Virtual WLC and NPS called station id wildcard

Running the virtual version 7.3.101.0 of WLC.  Using NPS as our radius server on 2008 R2 and 2012 servers.  Right now I'm testing with 2012 server.  I can't seem to get the Called Station ID to work using any wildcards.  If I put the exact in it works. 

So looking at the event view I know I have the right called station ID.  Let's say it is XX-XX-XX-XX-XX-XX:SSID1$.

In my policy under NPS I put in a condition.  Here are my conditions:

Windows Groups -- domain\wireless

NAS Port Type -- Wireless - IEEE 802.11

Authentication Type -- EAP

Called Station ID -- XX-XX-XX-XX-XX-XX:SSID1$

Without the Called Station ID it works.  With the exact Called Station ID it works.  If I put in say .*:SSID1$ the event logs show it hits the connection request policy but then doesn't match the network policy. 

Maybe there is another solution? We have 2 SSIDs in each office.    We have multiple 2008 R2 servers running NPS.  I want to be able to have any office authenticate any SSID against any of our NPS servers.  Right now the SSIDs vary per office too though.  An example is:

XX-AA-YYYY

XX-AA-ZZZZ

XX-BB-YYYY

XX-BB-ZZZZ

XX-CC-YYYY

XX-CC-ZZZZ

Each SSID has a different Windows group to authenticate against too.  Just having different authentication conditions wasn't working for me so that is why I thought about maybe using the called station id. 

Any help or other recommendations would be great.

Thanks

6 REPLIES

What are you looking to do?

 

Not to redesign your network, but why have different SSID per location? One corporate SSID and use windows groups to push attributes on a per user basis.

 

Steve

New Member

The SSIDs were set up before I got here.  I'm just trying to make the back end work without having to change the user end.  I'm not sure why they did different SSIDs.  I might be able to get that changed but for now just trying to work with what is in place.

I tried to explain what I was looking to do in my first post.  So SSID XX-AA-YYYY is in Office AA.  I want that to authenticate against its own local radius server.  As a backup I want it to be able to authenticate against a radius server in another office.  I don't want to create tons of network policies to match each different office's SSIDs, let alone do this for each radius server in each office to work with all SSIDs from all our offices.

Does that explain it a little better?

 

Ahh..ok that makes sense then.

 

Ok, so under each WLAN you specify the AAA server they should use. Then in the Global AAA configuration, you check the Network User box. This will allow users to fall back to another server if theirs is not available.

As for the NPS side...

 

http://social.technet.microsoft.com/Forums/windowsserver/en-US/fa662135-3ddd-4699-a8eb-83f9f85b5674/nps-calledstationid-regex-pattern

 

HTH,

Steve

New Member

Ok I think I'm making progress.  This * wildcard wasn't working for me, so I took it out and it worked.  So I have .:XX-..-YYYY and .:XX-..-ZZZZ for my called station ids and then each one has a different windows group.  I got authenticated to both like I wanted.

Now, where is Global AAA configuration and the Network User box?  The only AAA I can find is under each WLAN.  I can set up to 6 radius servers under each WLAN.
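An added example, not part of the thread: a PowerShell check that each Called Station ID lands on exactly one network policy, run over the two patterns reported working above. The AP MAC, the group names and the `XX-AA-YYYY-LAB` look-alike SSID are constructed, and .NET regex matching stands in for NPS pattern matching, which the thread shows can behave differently (the `.*` prefix).

```powershell
# Patterns as reported working in the thread; the group names are hypothetical.
$policies = @(
    [pscustomobject]@{ Pattern = '.:XX-..-YYYY'; Group = 'domain\wireless-yyyy' }
    [pscustomobject]@{ Pattern = '.:XX-..-ZZZZ'; Group = 'domain\wireless-zzzz' }
)

# Same patterns with an end-of-string anchor appended.
$anchored = $policies | ForEach-Object {
    [pscustomobject]@{ Pattern = $_.Pattern + '$'; Group = $_.Group }
}

# Constructed Called Station IDs: AP MAC, colon, SSID (SSID placeholders from the thread).
$mac   = '00-11-22-33-44-55'
$ssids = 'XX-AA-YYYY', 'XX-AA-ZZZZ', 'XX-BB-YYYY', 'XX-BB-ZZZZ', 'XX-CC-YYYY', 'XX-CC-ZZZZ',
         'XX-AA-YYYY-LAB'   # constructed look-alike, not an SSID from the thread
$ids   = $ssids | ForEach-Object { "${mac}:$_" }

function Test-CalledStationPolicy {
    param([object[]]$Policies, [string[]]$CalledStationIds)
    foreach ($id in $CalledStationIds) {
        # -match is unanchored: the pattern only has to match somewhere in the value,
        # which is why a single leading '.' is enough in front of ':SSID'.
        $hits    = @($Policies | Where-Object { $id -match $_.Pattern })
        $verdict = switch ($hits.Count) {
            0       { 'NO MATCH' }
            1       { 'ok' }
            default { 'AMBIGUOUS' }
        }
        [pscustomobject]@{
            CalledStationId = $id
            Groups          = ($hits | ForEach-Object { $_.Group }) -join ', '
            Verdict         = $verdict
        }
    }
}

'--- patterns as posted ---'
Test-CalledStationPolicy $policies $ids | Format-Table -AutoSize
'--- with $ appended ---'
Test-CalledStationPolicy $anchored $ids | Format-Table -AutoSize
```

Compare the `XX-AA-YYYY-LAB` row in the two tables: without the trailing `$` the look-alike SSID is granted the YYYY group's policy, with it the value matches no policy.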

New Member

Even though not 100% in solving my issue, you did point me in the right direction so I will mark the above as correct.  I had already actually looked at that thread and after trying those variations with no luck I moved on.  Looking at it a second time made me think to try it without the star.  Plus I'm sure between your suggestions and that thread others will find it helpful.

Now on to my VPN policy which isn't working.  I will start another thread on that ;)

Thanks

Global is under Security > RADIUS
HTH, Steve