
Can I restrict users connecting to multiple dot1x SSIDs with same Radius server? 

Apr 07, 2015 05:12 PM

Environment: Controller with multiple dot1x SSIDs, running 5.x and above code

 

Requirement:
Two SSIDs (for example SSID 1 and SSID 2) both use the same RADIUS server (Microsoft NPS).
User A should be able to connect only to SSID 1, and user B only to SSID 2.
 
NPS cannot inspect the additional RADIUS attributes that Aruba sends to indicate which SSID a RADIUS authentication comes from. The Aruba controller sends the following additional parameters:
 
- Aruba-Essid-Name
- Aruba-Location-Id
- Aruba-AP-Group
- Aruba-User-Vlan
 
To get around this when using NPS, you can:
 
- Create 2 RADIUS server groups
- Duplicate your first RADIUS server (same IP address, key, etc.)
- For each individual RADIUS server, edit the NAS-ID field to any text you want, so that one can be told apart from the other
- Use the NAS-ID as an additional rule on the NPS server
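
The steps above as a controller CLI sketch. This is an added example, not configuration from the original article: the server, server-group and AAA profile names, the NAS-ID strings, the shared-secret placeholder and the 192.0.2.10 address are all assumptions, and the lines starting with `!` followed by text are annotations for the reader.

```text
! Added example. Names, NAS-ID strings and the 192.0.2.10 address are
! placeholders, not values from the original article.
!
! The same NPS host is defined twice; only the NAS-ID differs.
aaa authentication-server radius "nps-ssid1"
   host "192.0.2.10"
   key "<shared-secret>"
   nas-identifier "SSID1"
!
aaa authentication-server radius "nps-ssid2"
   host "192.0.2.10"
   key "<shared-secret>"
   nas-identifier "SSID2"
!
! One server group per SSID, each holding one of the duplicate entries.
aaa server-group "sg-ssid1"
   auth-server "nps-ssid1"
!
aaa server-group "sg-ssid2"
   auth-server "nps-ssid2"
!
! Each SSID's AAA profile sends dot1x authentication to its own group.
aaa profile "aaa-ssid1"
   dot1x-server-group "sg-ssid1"
!
aaa profile "aaa-ssid2"
   dot1x-server-group "sg-ssid2"
```

On the NPS side, the network policy that admits user A would then carry a NAS Identifier condition matching `SSID1`, and the policy that admits user B one matching `SSID2`, so a request arriving with the other NAS-ID matches neither user's policy.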
 
 
 
