Aruba Instant & Cloud Wi-Fi

Reply
New Contributor
Posts: 2
Registered: ‎07-04-2012

Distinguish 2 SSIDs on radius

Hi there,

 

is it possible to distinguish 2 SSIDs on a radius (Windows Server 2008 R2 NPS)?

Do the IAPs send any SSID-Information to the radius that could be used for it?

 

I have 3 IAP 105. There are 2 SSIDs configured to use radius.

One SSID for corporate use and one for "known" guests.

How is it possible to use different radius policies for each SSID?

There must be sent any information to the radius from the IAP to get this work.

 

Is it possible with IAP or do i need to by a controller?

 

thanks for you help

Contributor II
Posts: 37
Registered: ‎10-27-2011

Re: Distinguish 2 SSIDs on radius

[ Edited ]

Are the 2 ssid's on different VLANs?  

 

We just use AD group membership to determine user role, so we have everyone in AD and depdning on what wireless group they belong to they either get - Restricted (Internet Only), Vendor X/Y/Z (Internet and access to whatever specific server belongs to their x/y/z company), and Authenticated (domain computers only, full access)

 

If these SSID's are separate vlans then I'm not sure if the Radius server can differentiate between those.  you may need two radius servers for that, but since you have both SSID's using the same radius box I am assuming that they are on the same network.  Just use groups to dtermine the user role

 

Guru Elite
Posts: 20,591
Registered: ‎03-29-2007

Re: Distinguish 2 SSIDs on radius


arubanewbie wrote:

Hi there,

 

is it possible to distinguish 2 SSIDs on a radius (Windows Server 2008 R2 NPS)?

Do the IAPs send any SSID-Information to the radius that could be used for it?

 

I have 3 IAP 105. There are 2 SSIDs configured to use radius.

One SSID for corporate use and one for "known" guests.

How is it possible to use different radius policies for each SSID?

There must be sent any information to the radius from the IAP to get this work.

 

Is it possible with IAP or do i need to by a controller?

 

thanks for you help


IAS/NPS is not smart enough to read values from the Aruba-essid variable to make decisions so do not expect it to differentiate between SSIDs.  Do what the poster suggested and return a radius attribute that can be used on a single SSID to provide different roles.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 2,931
Registered: ‎10-25-2011

Re: Distinguish 2 SSIDs on radius

Yep if you want specific roles for specific group of users you can do it as poster suggested using derived roles... just return a value from the raidus server maybe filter id depending on whcih group the user belongs...


For example if you got a group called IT

you can return  filter id value IT to the controller, the controller will look for a role called IT(you need to configure it first) in which you put the rules you want inside that role which can be in this case allow any any as you are an IT guy

 

You can then have another group on the NPS called Accounting, which will return a value Accounting to the controller, which will look for a role named Accounting, which you need to configure previusly and then you will create specific rules for that role.

 


Its a really handy way... remenber you dont want to have many SSIDs you want to have less SSIDs for better performance... more SSIDs means less performance.

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Search Airheads
Showing results for 
Search instead for 
Did you mean: