
How to use different NPS policies for every virtual AP

  • 1.  How to use different NPS policies for every virtual AP

    Posted Oct 04, 2011 10:20 AM
    Hi Airheads,

    We successfully configured 802.1x authentication on a Windows 2008R2 NPS radius server with an Aruba 620 controller. Everything works fine but now we need a second virtual AP with another SSID that uses another network and NPS policy than the first one.

    Is there a way that the RADIUS client (Aruba620) can transmit some sort of attribute to the RADIUS server, which can then be used by NPS, to distinguish between the two virtual access points and apply the appropriate NPS policy?

    If someone can help or knows if there is an alternative solution to do this please don’t hesitate ;)

    Thanks in advance
    -Dennis


  • 2.  RE: How to use different NPS policies for every virtual AP

    Posted Oct 04, 2011 11:51 AM
    Can you go into a bit more detail of exactly what you are attempting to do?

    Are the SSIDs configured to be on different VLANs?
    Is there just one NPS server?
    What is the basis for letting certain users on an SSID?

    It might well be possible to do what you want to do using the firewall on the controller.


  • 3.  RE: How to use different NPS policies for every virtual AP

    Posted Oct 04, 2011 01:05 PM
    Dennis - you can add another server instance and in the NAS ID, add the second eSSID (name of the SSID).

    Add another server group as well and place the new server instance into it.

    Edit the existing NPS server and add the old eSSID to the NAS ID.

    Next, add a new VAP and apply the NEW RADIUS server group to it.

    The NPS server can now distinguish between the SSIDs by looking at the NAS ID. The NPS policies can treat the two SSIDs differently.
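
The mechanism described in the last reply, as an added example that is not part of the thread and is not NPS or ArubaOS code: each server instance puts its SSID into the NAS-Identifier attribute (type 32, RFC 2865) of the Access-Request, and the RADIUS side selects a policy from that value. The SSID names, policy names, user name and the `select_policy` helper are hypothetical, and the packet is constructed for the example.

```python
import struct

# RFC 2865 values: Access-Request code and the two attribute types used here
ACCESS_REQUEST, USER_NAME, NAS_IDENTIFIER = 1, 1, 32

def build_access_request(user, nas_id, ident=1):
    """Constructed sample packet: header + zeroed authenticator + two TLVs."""
    attrs = b""
    for atype, value in ((USER_NAME, user), (NAS_IDENTIFIER, nas_id)):
        raw = value.encode()
        attrs += struct.pack("!BB", atype, len(raw) + 2) + raw
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + bytes(16) + attrs

def parse_attributes(packet):
    """Return {type: [values]} after checking header and TLV lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length < 20 or length > len(packet):
        raise ValueError("not a well-formed Access-Request")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs

# Hypothetical mapping: one policy per SSID configured as NAS ID
POLICY_BY_NAS_ID = {"Corp-WLAN": "Policy-Corp", "Lab-WLAN": "Policy-Lab"}

def select_policy(packet):
    """Pick a policy by NAS-Identifier; fail closed if absent or unknown."""
    values = parse_attributes(packet).get(NAS_IDENTIFIER)
    if not values:
        return "DENY"
    nas_id = values[0].decode("utf-8", "replace")
    return POLICY_BY_NAS_ID.get(nas_id, "DENY")

if __name__ == "__main__":
    for ssid in ("Corp-WLAN", "Lab-WLAN", "Guest-WLAN"):
        print(ssid, "->", select_policy(build_access_request("alice", ssid)))
```

A request whose NAS-Identifier is missing or unrecognized is denied rather than matched to a default policy, so a virtual AP still pointing at a server instance without a NAS ID does not fall into the other SSID's policy.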