Controllerless Networks

last person joined: 23 hours ago 

Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget
Back to discussions
Expand all | Collapse all

Distinguish 2 SSIDs on radius

This thread has been viewed 0 times

  • 1.  Distinguish 2 SSIDs on radius

    Posted Nov 15, 2012 03:22 PM

    Hi there,

     

    is it possible to distinguish 2 SSIDs on a radius (Windows Server 2008 R2 NPS)?

    Do the IAPs send any SSID-Information to the radius that could be used for it?

     

    I have 3 IAP 105. There are 2 SSIDs configured to use radius.

    One SSID for corporate use and one for "known" guests.

    How is it possible to use different radius policies for each SSID?

    There must be sent any information to the radius from the IAP to get this work.

     

    Is it possible with IAP or do i need to by a controller?

     

    thanks for you help



  • 2.  RE: Distinguish 2 SSIDs on radius

    Posted Nov 15, 2012 04:00 PM

    Are the 2 ssid's on different VLANs?  

     

    We just use AD group membership to determine user role, so we have everyone in AD and depdning on what wireless group they belong to they either get - Restricted (Internet Only), Vendor X/Y/Z (Internet and access to whatever specific server belongs to their x/y/z company), and Authenticated (domain computers only, full access)

     

    If these SSID's are separate vlans then I'm not sure if the Radius server can differentiate between those.  you may need two radius servers for that, but since you have both SSID's using the same radius box I am assuming that they are on the same network.  Just use groups to dtermine the user role

     



  • 3.  RE: Distinguish 2 SSIDs on radius

    EMPLOYEE
    Posted Nov 15, 2012 09:17 PM
    @arubanewbie wrote:

    Hi there,

     

    is it possible to distinguish 2 SSIDs on a radius (Windows Server 2008 R2 NPS)?

    Do the IAPs send any SSID-Information to the radius that could be used for it?

     

    I have 3 IAP 105. There are 2 SSIDs configured to use radius.

    One SSID for corporate use and one for "known" guests.

    How is it possible to use different radius policies for each SSID?

    There must be sent any information to the radius from the IAP to get this work.

     

    Is it possible with IAP or do i need to by a controller?

     

    thanks for you help

    IAS/NPS is not smart enough to read values from the Aruba-essid variable to make decisions so do not expect it to differentiate between SSIDs.  Do what the poster suggested and return a radius attribute that can be used on a single SSID to provide different roles.

     



  • 4.  RE: Distinguish 2 SSIDs on radius

    Posted Nov 15, 2012 10:51 PM

    Yep if you want specific roles for specific group of users you can do it as poster suggested using derived roles... just return a value from the raidus server maybe filter id depending on whcih group the user belongs...


    For example if you got a group called IT

    you can return  filter id value IT to the controller, the controller will look for a role called IT(you need to configure it first) in which you put the rules you want inside that role which can be in this case allow any any as you are an IT guy

     

    You can then have another group on the NPS called Accounting, which will return a value Accounting to the controller, which will look for a role named Accounting, which you need to configure previusly and then you will create specific rules for that role.

     


    Its a really handy way... remenber you dont want to have many SSIDs you want to have less SSIDs for better performance... more SSIDs means less performance.

     

    Cheers

    Carlos