Contributor II

Two SSID's using 802.1x authentication with same Radius server

Hi,

 

How would I implement the below scenario?

 

Two SSIDs (for example SSID 1 & SSID 2), both use the same RADIUS server (Microsoft NPS). We want user A to be able to connect only to SSID 1 (for example), and user B only to SSID 2. Is this a RADIUS-only configuration, or do I need to set up a policy in the controller?

 

Thanks

 

Guru Elite

Re: Two SSID's using 802.1x authentication with same Radius server

The true problem is that NPS cannot inspect the additional RADIUS attributes that Aruba sends that indicate what SSID a RADIUS authentication comes from. The Aruba controller sends the following additional parameters:

 

- Aruba-Essid-Name

- Aruba-Location-Id

- Aruba-AP-Group

- Aruba-User-Vlan

 

To get around this when using NPS, you can:

 

- Create 2 Radius Server Groups

- Duplicate your first Radius Server (exact ip address, key etc)

- For each individual Radius server, edit the NAS-ID field to any text you want to differentiate one from the other

- Use the NAS-ID as an additional rule on the NPS server...

 

Does this make sense?

 

nasid.png




Colin Joseph
Aruba Customer Engineering


Contributor II

Re: Two SSID's using 802.1x authentication with same Radius server

Thanks Joseph, you are a champion.

Re: Two SSID's using 802.1x authentication with same Radius server

Hi Joseph,

 

In my case, any group linked to NPS authenticates,
even when I put in the NAS-ID and NAS-IP of the controller.

 

Best regards!!!

New Contributor

Re: Two SSID's using 802.1x authentication with same Radius server

Hi Colin,

 

We have the exact requirement and tried this option with wireless policies on the NPS side to match a particular LDAP group and NAS ID as well. However, we have another policy below it to match all users on the domain but no NAS ID. What we observe here is that if the first policy check fails, then users are getting connected using the policy that matches the domain user group without NAS ID. Is this expected behavior?

 

Thanks,

Ranjith

Re: Two SSID's using 802.1x authentication with same Radius server

I think you can configure your NPS to require a NAS ID

 

or create two services, one with NAS ID one and one with NAS ID two so it matches for sure.

Contributor I

Re: Two SSID's using 802.1x authentication with same Radius server

This feature may not have been available in the older versions, but you can now include the ESSID in the Called-Station-Id. In the RADIUS server settings at the bottom you can enable include_ssid and set the delimiter (I don't think it matters what it is). Then in NAP under the Conditions tab add the Called-Station ID and just put in the SSID here. It does let you use regex here too, but I found just putting the full SSID worked fine. Then set up one policy with one SSID and another with the other SSID, and use different Windows groups to dictate which users can connect to each one.
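
The policy-ordering behaviour raised in this thread, as an added example that is not part of any post: a small Python model (not NPS itself) of first-match policy evaluation, comparing a policy list with a catch-all and unanchored SSID patterns against a tightened one. The group names, Called-Station-Id values and ":" delimiter are constructed, and treating the pattern as an unanchored regex search is an assumption of the model.

```python
import re

# Constructed sample data: group names, AP MAC and the ":" delimiter are assumptions.
USER_A = {"Domain Users", "Wifi-SSID1-Users"}
USER_B = {"Domain Users", "Wifi-SSID2-Users"}
CSID_SSID1 = "00-1A-1E-00-00-01:SSID1"    # Called-Station-Id with the SSID appended
CSID_SSID2 = "00-1A-1E-00-00-01:SSID2"
CSID_SSID10 = "00-1A-1E-00-00-01:SSID10"  # a third SSID whose name starts with "SSID1"

# Each policy: (name, Called-Station-Id pattern or None, required Windows group).
# Every policy here grants access; order in the list is processing order.
WEAK = [
    ("SSID1-staff", r"SSID1", "Wifi-SSID1-Users"),
    ("SSID2-staff", r"SSID2", "Wifi-SSID2-Users"),
    ("All-domain-users", None, "Domain Users"),   # catch-all with no SSID condition
]
# Hardened: patterns anchored on delimiter and end of string, catch-all removed.
HARDENED = [
    ("SSID1-staff", r":SSID1$", "Wifi-SSID1-Users"),
    ("SSID2-staff", r":SSID2$", "Wifi-SSID2-Users"),
]

def evaluate(policies, called_station_id, user_groups):
    """Return (policy name, granted) for the first policy whose conditions all match."""
    for name, pattern, group in policies:
        # Assumption: the pattern is applied as an unanchored regex search.
        if pattern is not None and not re.search(pattern, called_station_id):
            continue                      # SSID condition failed, try the next policy
        if group not in user_groups:
            continue                      # group condition failed, try the next policy
        return name, True
    return None, False                    # nothing matched: the request is rejected

def report(policies):
    """Evaluate the three interesting requests against one policy list."""
    return {
        "B on SSID1": evaluate(policies, CSID_SSID1, USER_B),
        "A on SSID1": evaluate(policies, CSID_SSID1, USER_A),
        "A on SSID10": evaluate(policies, CSID_SSID10, USER_A),
    }

if __name__ == "__main__":
    for label, policies in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, report(policies))
```

In the weak list, user B reaches SSID1 through the catch-all and user A reaches SSID10 through the unanchored pattern; the hardened list rejects both while still admitting each user to their own SSID.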
