Currently we have five SSIDs:
Guest - captive portal authentication to a guest VLAN
Device - MAC authentication via the internal DB to the same guest VLAN (for Blu-Ray players and other devices that can't do the captive portal)
Kiosk - MAC authentication via RADIUS/Active Directory to the internal LAN
HC - 802.1x Active Directory authentication through RADIUS to the internal LAN
Rehab - MAC authentication to the internal LAN (same as Kiosk, SSID still exists for legacy reasons only)
I would like to consolidate to two SSIDs:
Public - authenticate via MAC->Internal DB or captive portal
Private - authenticate via MAC->RADIUS->AD, or via 802.1x->RADIUS->AD
The idea behind this Private authentication scheme is that we can either pre-configure tablets for wireless authentication before shipping them out to our various locations, or people can BYOD and get on the internal network with their normal AD credentials.
I'm currently testing this in a lab environment. Public is working exactly the way I want it to, no issues. Public does not work. Depending on configuration, I either get the captive portal instead of 802.1x authentication, or I am completely unable to connect to the network at all.
I have a case open, and have not yet gotten a resolution.
Relevant config:
ap-group "DualSSIDTest"
   virtual-ap "EmpResPublic"
   virtual-ap "EmpResPrivate"
   dot11a-traffic-mgmt-profile "TM-default"
   dot11g-traffic-mgmt-profile "TM-default"

wlan virtual-ap "EmpResPrivate"
   aaa-profile "EmpResPrivate"
   ssid-profile "EmpResPrivate"
   vlan 101
   band-steering
   dynamic-mcast-optimization
   broadcast-filter all

wlan virtual-ap "EmpResPublic"
   aaa-profile "EmpResPublic"
   ssid-profile "EmpResPublic"
   vlan 102
   band-steering
   dynamic-mcast-optimization
   broadcast-filter all

aaa profile "EmpResPrivate"
   authentication-mac "KioskDevice-macauth-profile"
   mac-server-group "EmpResKiosk-group"
   authentication-dot1x "EmpResHC-dot1x_prof"
   dot1x-default-role "authenticated"
   dot1x-server-group "EmpResHC"
   l2-auth-fail-through

aaa server-group "EmpResKiosk-group"
   allow-fail-through
   auth-server Internal
   auth-server Radius01-MacAuth
   auth-server Radius02-MacAuth

aaa server-group "EmpResHC"
   auth-server Radius01
   auth-server Radius02

aaa profile "EmpResPublic"
   initial-role "guest-logon"
   authentication-mac "Device"
   mac-server-group "Device"
   l2-auth-fail-through

aaa server-group "Device"
   auth-server internal
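Added example (not part of the original post, and not an Aruba tool): a small Python helper that parses the posted aaa profile and server-group blocks in their running-config layout and resolves each profile into the L2 authentication stages it would try, so a reviewer can check that every referenced server group exists and see which profile carries an initial-role. The block layout (header line, indented sub-commands) and the block names are taken from the post; the parser itself is an assumption about that layout, not controller code.

```python
# Constructed input: the aaa profile and server-group blocks from the post, re-indented
CONFIG = """\
aaa profile "EmpResPrivate"
   mac-server-group "EmpResKiosk-group"
   dot1x-server-group "EmpResHC"
   l2-auth-fail-through
aaa server-group "EmpResKiosk-group"
   auth-server Internal
   auth-server Radius01-MacAuth
   auth-server Radius02-MacAuth
aaa server-group "EmpResHC"
   auth-server Radius01
   auth-server Radius02
aaa profile "EmpResPublic"
   initial-role "guest-logon"
   mac-server-group "Device"
   l2-auth-fail-through
aaa server-group "Device"
   auth-server internal
"""

def parse_blocks(text):
    """Map (block kind, name) -> list of its sub-command lines."""
    blocks, current = {}, None
    for line in text.splitlines():
        if line and not line.startswith(" "):  # header line: <kind> "<name>"
            kind, name = (s.strip() for s in line.split('"')[:2])
            current = blocks.setdefault((kind, name), [])
        elif line.strip():
            current.append(line.strip())
    return blocks

def _value(lines, key):
    hit = next((l for l in lines if l.startswith(key + " ")), None)
    return hit[len(key):].strip().strip('"') if hit else None

def auth_chain(blocks, profile):
    """L2 auth stages (MAC first, then 802.1x) an aaa profile resolves to, plus dangling group refs."""
    prof = blocks.get(("aaa profile", profile), [])
    out = {"initial_role": _value(prof, "initial-role"),
           "fail_through": "l2-auth-fail-through" in prof, "stages": [], "missing": []}
    for method, key in (("mac", "mac-server-group"), ("dot1x", "dot1x-server-group")):
        group = _value(prof, key)
        servers = blocks.get(("aaa server-group", group)) if group else None
        if group and servers is None:
            out["missing"].append(group)
        elif group:
            out["stages"].append((method, [l.split()[1] for l in servers if l.startswith("auth-server ")]))
    return out

REPORT = {n: auth_chain(parse_blocks(CONFIG), n) for n in ("EmpResPrivate", "EmpResPublic")}
```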