RADIUS and multiple SSIDs

I have some issues with my current wifi/authentication design and need some help. When a user connects to an AP via a certain SSID, I want them to be allowed or blocked based on membership in our Network Policy Server. For example, when a student attempts to connect to the staff network, I want it to not authenticate him or her.

My APs all broadcast multiple SSIDs--most of which require authentication. However, any login works on any network because the AP as a RADIUS client just dumps the requests to the RADIUS server. The RADIUS server has no idea which SSID gave it the request, and just uses the first criteria to determine authentication.

Is there any way to get my NPS server to approve only certain groups for certain networks?
CCUITAdmin Asked:
Craig Beck Commented:
You need to create conditions in the Network Access Policy.

Condition 1] AD Group membership
Condition 2] RADIUS Called-Station-ID = .*:<SSID>$ (where <SSID> is the actual SSID)
0
CCUITAdmin (Author) Commented:
That's brilliant! I'll post my result once I get it. Thanks!!!
0
CCUITAdmin (Author) Commented:
@Craigbeck

I finally got a chance to try this. I have a quick question. When I add the called station ID condition, do I literally add:

=.*:NAMEOFSSID$
0
CCUITAdmin (Author) Commented:
Thanks very much. I got it to work. I just ditched the = sign.

.*:NAMEOFSSID$
0
Craig Beck Commented:
Correct - the = isn't required.
0
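
The two conditions from the thread, modelled as an added example that is not part of the original posts: each policy requires both a group and a Called-Station-ID match on `.*:<SSID>$`. It assumes the AP sends Called-Station-ID as `AP-MAC:SSID`, uses Python's `re.search` as a stand-in for the NPS pattern matcher, and uses made-up group names, SSIDs and MAC addresses.

```python
import re

def ssid_pattern(ssid):
    """Build the thread's `.*:<SSID>$` pattern for one SSID.

    re.escape keeps a character such as '.' in an SSID name literal
    (Python regex syntax; assumed stand-in for the NPS matcher).
    """
    return ".*:" + re.escape(ssid) + "$"

def policy_matches(pattern, required_group, called_station_id, user_groups):
    """A policy applies only if BOTH conditions hold (group AND SSID)."""
    in_group = required_group in user_groups
    on_ssid = re.search(pattern, called_station_id) is not None
    return in_group and on_ssid

def authorize(called_station_id, user_groups, policies):
    """Return the name of the first policy that matches, or None (reject)."""
    for name, pattern, group in policies:
        if policy_matches(pattern, group, called_station_id, user_groups):
            return name
    return None

# Hypothetical policies: one per SSID, each tied to one AD group.
POLICIES = [
    ("Staff-WiFi", ssid_pattern("Staff"), "Staff"),
    ("Student-WiFi", ssid_pattern("Student"), "Students"),
]

# Constructed Called-Station-ID values (AP MAC, colon, SSID).
STAFF_AP = "00-11-22-33-44-55:Staff"
STUDENT_AP = "00-11-22-33-44-55:Student"
LOOKALIKE_AP = "00-11-22-33-44-55:StaffGuest"

if __name__ == "__main__":
    print(authorize(STAFF_AP, {"Staff"}, POLICIES))      # staff on staff SSID
    print(authorize(STAFF_AP, {"Students"}, POLICIES))   # student on staff SSID
    # The leading '=' is a literal character, so it never matches the value.
    print(re.search("=.*:Staff$", STAFF_AP))
    # The trailing '$' stops a longer SSID name from matching.
    print(re.search(ssid_pattern("Staff"), LOOKALIKE_AP))
```

The last two checks show why the pattern with the leading `=` failed in the thread and why the `$` anchor matters when one SSID name is a prefix of another.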