Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Two SSID's using 802.1x authentication with same Radius server

  • 1.  Two SSID's using 802.1x authentication with same Radius server

    Posted Jul 08, 2012 12:32 PM

    Hi,

     

    How would I implement the scenario below?

     

    Two SSIDs (for example SSID 1 and SSID 2) both use the same RADIUS server (Microsoft NPS). We want user A to be able to connect only to SSID 1 (for example), and user B to be able to connect only to SSID 2. Is this a RADIUS-only configuration, or do we need to set up a policy in the controller?

     

    Thanks

     



  • 2.  RE: Two SSID's using 802.1x authentication with same Radius server

    EMPLOYEE
    Posted Jul 08, 2012 02:43 PM

    The true problem is that NPS cannot inspect the additional RADIUS attributes that Aruba sends to indicate which SSID a RADIUS authentication comes from. The Aruba controller sends the following additional parameters:

     

    - Aruba-Essid-Name

    - Aruba-Location-Id

    - Aruba-AP-Group

    - Aruba-User-Vlan

     

    To get around this when using NPS, you can:

     

    - Create 2 Radius Server Groups

    - Duplicate your first Radius Server (exact IP address, key, etc.)

    - For each individual Radius server, edit the NAS-ID field to any text you want to differentiate one from the other

    - Use the NAS-ID as an additional rule on the NPS server...

     

    Does this make sense?

     

    nasid.png




  • 3.  RE: Two SSID's using 802.1x authentication with same Radius server

    Posted Feb 27, 2014 08:16 AM

    Hi Joseph,

     

    In my case, any group linked to NPS authenticates.
    Even though I put in the NAS-ID and NAS-IP of the controller.

     

    Best regards!!!



  • 4.  RE: Two SSID's using 802.1x authentication with same Radius server

    Posted Oct 13, 2014 01:27 AM

    Hi Colin,

     

    We have the exact requirement and tried this option, with wireless policies on the NPS side matching a particular LDAP group and the NAS ID as well. However, we have another policy below it that matches all users on the domain but no NAS ID. What we observe is that if the first policy check fails, users get connected using the policy that matches the domain user group without a NAS ID. Is this expected behavior?

     

    Thanks,

    Ranjith



  • 5.  RE: Two SSID's using 802.1x authentication with same Radius server

    Posted Oct 16, 2014 01:24 PM

    I think you can configure your NPS to require a NAS ID

     

    or create two services, one with NAS ID one and one with NAS ID two so it matches for sure.



  • 6.  RE: Two SSID's using 802.1x authentication with same Radius server

    Posted Feb 19, 2017 11:48 AM

    This feature may not have been available in the older versions, but you can now include the ESSID in the Called-Station-Id. In the RADIUS server settings, at the bottom, you can enable include_ssid and set the delimiter (I don't think it matters what it is). Then in NAP, under the Conditions tab, add the Called-Station ID and just put in the SSID here. It does let you use regex here too, but I found just putting the full SSID worked fine. Then set up one policy with one SSID and another with the other SSID, and use different Windows groups to dictate which users can connect to each one.



  • 7.  RE: Two SSID's using 802.1x authentication with same Radius server
    Best Answer

    Posted Jul 09, 2012 11:20 AM

    Thanks Joseph, you are a champion.
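
The fall-through described in reply 4 and the two fixes suggested in replies 5 and 6, as an added example that is not part of the original thread. It is a simplified model of ordered, first-match policy evaluation, not NPS itself; the group names, NAS-ID strings, the `:` delimiter and the Called-Station-Id values are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Policy:
    name: str
    group: str                            # Windows group the user must be in
    nas_id: Optional[str] = None          # required NAS-Identifier; None = not checked
    called_station: Optional[str] = None  # regex on Called-Station-Id; None = not checked

    def matches(self, req: dict) -> bool:
        if self.group not in req["groups"]:
            return False
        if self.nas_id is not None and req.get("NAS-Identifier") != self.nas_id:
            return False
        if self.called_station is not None and not re.search(
                self.called_station, req.get("Called-Station-Id", "")):
            return False
        return True

def evaluate(policies, req) -> Optional[str]:
    """Return the name of the first matching policy, or None (access rejected)."""
    for policy in policies:
        if policy.matches(req):
            return policy.name
    return None

# Reply 4: per-SSID policies followed by a catch-all with no NAS-ID condition.
LEAKY = [
    Policy("ssid1-staff-a", "Staff-A", nas_id="nas-ssid1"),
    Policy("ssid2-staff-b", "Staff-B", nas_id="nas-ssid2"),
    Policy("all-domain-users", "Domain Users"),
]
# Reply 5: every policy that can grant access requires a NAS ID.
STRICT = LEAKY[:2]
# Reply 6: match the SSID appended to Called-Station-Id instead of a NAS ID.
BY_SSID = [
    Policy("ssid1-staff-a", "Staff-A", called_station=r":SSID1$"),
    Policy("ssid2-staff-b", "Staff-B", called_station=r":SSID2$"),
]

# Constructed requests: user B (Staff-B) trying each SSID.
USER_B_ON_SSID1 = {"groups": {"Domain Users", "Staff-B"},
                   "NAS-Identifier": "nas-ssid1",
                   "Called-Station-Id": "00-1A-1E-00-00-01:SSID1"}
USER_B_ON_SSID2 = {"groups": {"Domain Users", "Staff-B"},
                   "NAS-Identifier": "nas-ssid2",
                   "Called-Station-Id": "00-1A-1E-00-00-01:SSID2"}
```

With `LEAKY`, user B on SSID 1 fails the first two policies and is then admitted by the catch-all; with `STRICT` or `BY_SSID` the same request matches nothing and is rejected.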