07-08-2012 09:32 AM
How would I implement the scenario below?
Two SSIDs (for example SSID 1 and SSID 2), both using the same RADIUS server (Microsoft NPS). We want user A to be able to connect only to SSID 1 (for example), and user B to connect only to SSID 2. Is this a RADIUS-only configuration, or do we set up a policy in the controller?
07-08-2012 11:42 AM
The true problem is that NPS cannot inspect the additional RADIUS attributes that Aruba sends which indicate what SSID a RADIUS authentication comes from. The Aruba controller sends the following additional parameters:
To get around this when using NPS, you can:
- Create 2 RADIUS server groups
- Duplicate your first RADIUS server (exact IP address, key, etc.)
- For each individual RADIUS server, edit the NAS-ID field to any text you want to differentiate one from the other
- Use the NAS-ID as an additional rule on the NPS server...
Does this make sense?
Aruba Customer Engineering
10-12-2014 10:26 PM
Hi Colin,
We have the exact same requirement and tried this option with wireless policies on the NPS side to match a particular LDAP group and NAS ID as well. However, we have another policy below it to match all users on the domain but with no NAS ID. What we observe here is that if the first policy check fails, users get connected using the policy that matches the domain user group without a NAS ID. Is this expected behavior?
02-19-2017 08:48 AM
This feature may not have been available in the older versions, but you can now include the ESSID in the Called-Station-Id. In the RADIUS server settings, at the bottom, you can enable include_ssid and set the delimiter (I don't think it matters what it is). Then in NAP, under the Conditions tab, add the Called-Station-Id and just put in the SSID here. It does let you use regex here too, but I found just putting in the full SSID worked fine. Then set up one policy with one SSID and another with the other SSID, and use different Windows groups to dictate which users can connect to each one.
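The three posts above describe the same mechanism from different angles: NPS processes its network policies in order and the first policy whose conditions all match decides the outcome, so the SSID has to reach NPS as an attribute value it can match on (NAS-Identifier per duplicated server entry, or the SSID appended to Called-Station-Id). The following model of that evaluation is an added example, not code from the thread or from Aruba/Microsoft. It assumes made-up group and NAS-Identifier names, a ':' delimiter between AP MAC and SSID in Called-Station-Id, and unanchored regex matching for NPS pattern conditions; under those assumptions it shows the 2012 NAS-ID approach working, the fall-through to a catch-all policy that the 2014 follow-up observed (plus a deny policy placed above the catch-all that stops it), and why the 2017 Called-Station-Id regex should be anchored.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample environment (not from the thread): two SSIDs, one NPS,
# two Windows groups plus "Domain Users". All names here are assumptions.
GROUPS = {
    "alice": {"Domain Users", "WiFi-SSID1"},
    "bob":   {"Domain Users", "WiFi-SSID2"},
}


@dataclass
class Policy:
    name: str
    grant: bool                                      # Grant or Deny access
    patterns: dict = field(default_factory=dict)     # attribute -> regex; all must match
    group: Optional[str] = None                      # required Windows group, if any


def policy_matches(policy: Policy, request: dict) -> bool:
    """All conditions on one policy are ANDed. Regexes are searched unanchored,
    the assumed NPS pattern-matching behaviour, so the policies below anchor
    them with ^ and $ where an exact value is intended."""
    for attr, pattern in policy.patterns.items():
        if not re.search(pattern, request.get(attr, "")):
            return False
    if policy.group is not None:
        if policy.group not in GROUPS.get(request["User-Name"], set()):
            return False
    return True


def evaluate(policies: list, request: dict) -> tuple:
    """First-match semantics: the first policy whose conditions all match
    decides access and later policies are never consulted. No match -> reject."""
    for p in policies:
        if policy_matches(p, request):
            return p.name, p.grant
    return None, False


def req(user: str, ssid: str, nas_id: Optional[str] = None) -> dict:
    """Constructed RADIUS Access-Request attributes as a controller would send
    them; the ':' delimiter in Called-Station-Id is an assumption."""
    r = {"User-Name": user, "Called-Station-Id": f"00-1A-1E-AA-BB-CC:{ssid}"}
    if nas_id is not None:
        r["NAS-Identifier"] = nas_id
    return r


# 2012 answer: one RADIUS server entry per SSID, each with its own NAS-ID text,
# and one NPS policy per NAS-ID + Windows group.
NAS_ID_POLICIES = [
    Policy("SSID1 users", True, {"NAS-Identifier": r"^NAS-SSID1$"}, "WiFi-SSID1"),
    Policy("SSID2 users", True, {"NAS-Identifier": r"^NAS-SSID2$"}, "WiFi-SSID2"),
]

# 2014 follow-up: a broad "all domain users" policy with no NAS-ID condition
# sits below them. A user who fails the SSID-specific policy falls through to it.
CATCH_ALL = Policy("All domain users", True, group="Domain Users")
WITH_CATCH_ALL = NAS_ID_POLICIES + [CATCH_ALL]

# One way to close that hole: a Deny policy for any wireless NAS-ID placed above
# the catch-all, so only the explicit SSID policies can grant wireless access.
WITH_DENY = NAS_ID_POLICIES + [
    Policy("Deny other wireless", False, {"NAS-Identifier": r"^NAS-SSID"}),
    CATCH_ALL,
]

# 2017 answer: the SSID is appended to Called-Station-Id and matched by regex.
# The trailing "$" keeps "SSID1" from also matching an SSID named "SSID10".
SSID_POLICIES = [
    Policy("SSID1 users", True, {"Called-Station-Id": r":SSID1$"}, "WiFi-SSID1"),
    Policy("SSID2 users", True, {"Called-Station-Id": r":SSID2$"}, "WiFi-SSID2"),
]


def demo() -> dict:
    """Run the constructed requests through each policy set."""
    return {
        "nasid_alice_ssid1":   evaluate(NAS_ID_POLICIES, req("alice", "SSID1", "NAS-SSID1")),
        "nasid_bob_ssid1":     evaluate(NAS_ID_POLICIES, req("bob", "SSID1", "NAS-SSID1")),
        "catchall_bob_ssid1":  evaluate(WITH_CATCH_ALL, req("bob", "SSID1", "NAS-SSID1")),
        "deny_bob_ssid1":      evaluate(WITH_DENY, req("bob", "SSID1", "NAS-SSID1")),
        "ssid_alice_ssid1":    evaluate(SSID_POLICIES, req("alice", "SSID1")),
        "ssid_alice_ssid10":   evaluate(SSID_POLICIES, req("alice", "SSID10")),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The "catchall_bob_ssid1" case is the behaviour the 2014 post describes: it is the expected first-match result, not a bug, and the fix is to make sure no later policy can grant the same request without the SSID condition (a Deny above the catch-all, as in WITH_DENY, or scoping the catch-all to non-wireless NAS-Port-Type values).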