Contributor II
Posts: 54
Registered: ‎08-29-2010

Two SSID's using 802.1x authentication with same Radius server

Hi,

 

How would I implement the scenario below?

 

Two SSIDs (for example SSID 1 & SSID 2), both using the same RADIUS server (Microsoft NPS). We want user A to be able to connect only to SSID 1 (for example), and user B only to SSID 2. Is this a RADIUS-only configuration, or do we set up a policy in the controller?

 

Thanks

 

Guru Elite
Posts: 19,949
Registered: ‎03-29-2007

Re: Two SSID's using 802.1x authentication with same Radius server

The true problem is that NPS cannot inspect the additional RADIUS attributes that Aruba sends that indicate what SSID a RADIUS authentication comes from. The Aruba controller sends the following additional parameters:

 

- Aruba-Essid-Name

- Aruba-Location-Id

- Aruba-AP-Group

- Aruba-User-Vlan

 

To get around this when using NPS, you can:

 

- Create 2 RADIUS Server Groups

- Duplicate your first RADIUS Server (exact IP address, key, etc.)

- For each individual RADIUS server, edit the NAS-ID field to any text you want to differentiate one from the other

- Use the NAS-ID as an additional rule on the NPS server...

 

Does this make sense?

 

nasid.png


Colin Joseph
Aruba Customer Engineering

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
Contributor II
Posts: 54
Registered: ‎08-29-2010

Re: Two SSID's using 802.1x authentication with same Radius server

Thanks Joseph, you are a champion.

New Contributor
Posts: 1
Registered: ‎06-21-2013

Re: Two SSID's using 802.1x authentication with same Radius server

Hi Joseph,

 

In my case, any group linked to NPS authenticates.
Even I put the NAS-ID and NAS-IP controller.

 

Best regards!!!

New Contributor
Posts: 1
Registered: ‎10-12-2014

Re: Two SSID's using 802.1x authentication with same Radius server

Hi Colin,

We have the exact requirement and tried this option with wireless policies on the NPS side to match a particular LDAP group and NAS ID as well. However, we have another policy below to match all users on the domain but no NAS ID. What we observe here is that if the first policy check fails, then users are getting connected using the policy that matches the domain user group without NAS ID. Is this an expected behavior?

 

Thanks,

Ranjith

MVP
Posts: 1,392
Registered: ‎11-30-2011

Re: Two SSID's using 802.1x authentication with same Radius server

I think you can configure your NPS to require a NAS ID

 

or create two services, one with NAS ID one and one with NAS ID two so it matches for sure.
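
The fall-through reported above, modelled as an added example (not from any poster in this thread and not NPS code): network policies are checked in order and the first one whose conditions all match is applied, so a lower policy with no NAS-ID condition admits a user who failed the NAS-ID policy above it. Policy names, group names and NAS-ID strings are constructed for illustration.

```python
# Added illustration: simplified model of ordered, first-match policy
# evaluation. All names and values below are constructed, not from the thread.

def evaluate(policies, request):
    """Return the name of the first policy whose conditions all match, else None (reject)."""
    for policy in policies:
        conds = policy["conditions"]
        # A condition that is absent from a policy is simply not tested.
        group_ok = "group" not in conds or conds["group"] in request["groups"]
        nas_ok = "nas_id" not in conds or conds["nas_id"] == request["nas_id"]
        if group_ok and nas_ok:
            return policy["name"]
    return None


def policies_without_nas_id(policies):
    """Audit helper: policies that accept requests from any SSID (no NAS-ID test)."""
    return [p["name"] for p in policies if "nas_id" not in p["conditions"]]


# Layout as described in the thread: specific policy first, catch-all below it.
AS_DESCRIBED = [
    {"name": "ssid1-staff", "conditions": {"group": "Staff", "nas_id": "SSID1"}},
    {"name": "all-domain-users", "conditions": {"group": "Domain Users"}},
]

# Alternative layout: every policy pins a NAS-ID, so nothing matches "any SSID".
PINNED = [
    {"name": "ssid1-staff", "conditions": {"group": "Staff", "nas_id": "SSID1"}},
    {"name": "ssid2-contractors", "conditions": {"group": "Contractors", "nas_id": "SSID2"}},
]

# Constructed request: user B (a contractor) tries to join SSID 1.
USER_B_ON_SSID1 = {"groups": {"Domain Users", "Contractors"}, "nas_id": "SSID1"}

if __name__ == "__main__":
    for label, pols in (("as described", AS_DESCRIBED), ("pinned", PINNED)):
        print(label, "->", evaluate(pols, USER_B_ON_SSID1),
              "| policies with no NAS-ID test:", policies_without_nas_id(pols))
```

Running `policies_without_nas_id` over an exported policy list is a quick way to spot any policy that would let an SSID restriction be bypassed by fall-through.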
