01-20-2012 09:06 AM
I am running dual 3400 controllers and about 60 AP 105s. I am broadcasting 2 SSIDs.
1 of those IDs is a "secure" wireless that authenticates through an NPS RADIUS server. To connect, you need to have a domain PC and an AD username/password.
The second ID is a "guest". I want to secure it to require an AD username/password that I create. So, I have it set up to go to a captive portal page that requires username/password. I set up a separate access policy in NPS.
The problem is the processing order of the policies in NPS. If I put my "secure" policy first, then my captive portal will not work; it will say authentication failed. If I raise my "guest" policy to the top, captive portal will work but "secure" will not.
So I guess my question is, how do I set up NPS so that it can use 2 separate policies from the same RADIUS client?
01-20-2012 09:23 AM
Define two different AAA servers that use the same IP/key. Use one for the non-CP SSID and put the name of the SSID in the NAS-ID. Use the other for the CP SSID and put the SSID in the NAS-ID.
Now, from NPS, you can use the NAS-ID as a filter and know which SSID is sending the request.
01-23-2012 06:59 AM
It is done via the AAA profile. You should create a new AAA profile (make a copy of the one you use today) and set the NAS-ID in one of them to the name of the first SSID and the NAS-ID in the other to the name of the second SSID. Then, in the AP-Group settings, click on the VAPs, then change the AAA profile for VAP1 to the AAA profile for SSID1. Set the AAA profile for VAP2 to the AAA that has SSID2 as the NAS-ID. All other settings should be the same between the two AAA profiles (server IP, key, NAS-IP, etc).
Does that make sense?
Once you have that done, the IAS/NPS rules can differentiate based on the NAS-ID of the request.
01-23-2012 07:26 AM
That's what I get for going on memory and not double checking things...
It is actually done via the AAA server, not the AAA profile. I recommend using the GUI for this as there are a lot of things that are intertwined and the GUI "Save As" will come in handy... There is a "clone" command in the CLI, but in this case, the GUI is easier.
aaa authentication-server radius xyz (where xyz is the name you want to use for the server)
Click on Configuration>Authentication>RADIUS server
Add a new RADIUS server by clicking on the existing one, then clicking Save As and giving it a new name
Click on Server Group and create a new Server Group. Add the new Server created above.
Click on AAA profiles (tab)
Add a new AAA profile by clicking on the existing one, then clicking Save As and giving it a new name
Now you are ready to set the new SSID profile to use the new AAA profile.
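
Added example, not part of any post in this thread: a simplified Python model of ordered NPS policy processing, showing why two policies that match only on the RADIUS client depend on their order, and why a NAS-ID condition per SSID removes that dependency. The SSID names, the client IP, and the PEAP/PAP authentication methods are assumptions chosen for illustration.

```python
# Simplified model of NPS network-policy processing (added example).
# SSID names, client IP and auth methods are assumptions, not from the thread.
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    conditions: dict      # RADIUS attribute -> required value
    auth_methods: set     # constraint: accepted authentication methods

def evaluate(policies, request):
    """Return (policy_name, verdict) for an ordered policy list: the first
    policy whose conditions all match is selected; if the request then fails
    that policy's constraints it is rejected, with no fall-through."""
    for p in policies:
        if all(request.get(k) == v for k, v in p.conditions.items()):
            ok = request["auth_method"] in p.auth_methods
            return p.name, "Access-Accept" if ok else "Access-Reject"
    return None, "Access-Reject"

# Constructed requests: same RADIUS client (the controller), different SSID.
SECURE_REQ = {"client_ip": "192.0.2.10", "nas_id": "corp-secure", "auth_method": "PEAP"}
GUEST_REQ = {"client_ip": "192.0.2.10", "nas_id": "guest", "auth_method": "PAP"}

def run(policies):
    """Evaluate both sample requests and key the results by NAS-ID."""
    return {r["nas_id"]: evaluate(policies, r) for r in (SECURE_REQ, GUEST_REQ)}

# Before: both policies match on the controller only, so order decides.
before = [
    Policy("secure", {"client_ip": "192.0.2.10"}, {"PEAP"}),
    Policy("guest", {"client_ip": "192.0.2.10"}, {"PAP"}),
]
# After: each policy also requires the NAS-Identifier of its SSID.
after = [
    Policy("secure", {"client_ip": "192.0.2.10", "nas_id": "corp-secure"}, {"PEAP"}),
    Policy("guest", {"client_ip": "192.0.2.10", "nas_id": "guest"}, {"PAP"}),
]

if __name__ == "__main__":
    for label, pols in (("before", before), ("before, reversed", before[::-1]),
                        ("after", after), ("after, reversed", after[::-1])):
        print(label, run(pols))
```

With the NAS-ID condition in place, a request from an SSID that has no matching policy is rejected rather than picked up by whichever policy happens to be first.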