Separate RADIUS instances on the same server

Is it possible to have multiple instances of RADIUS on a single server?

To elaborate - I use RADIUS authentication along with a GPO to automatically join any laptop on my domain to the Wireless network. The Network policy is configured to allow computers which are part of the "Domain Computers" security group access.

I now want to add a second SSID, on a separate VLAN, to allow "BYOD" devices. I want to configure it with RADIUS authentication as well, but this time using the users' credentials to authenticate.

I believe if I just add it and point it to my current RADIUS server, it's going to allow users to sign onto my primary SSID as well, which I don't want to allow. Unless there is a way I can run a new RADIUS instance on a different port?

Have you got any ideas on how I can configure this setup to accommodate BYOD?

We use Ubiquiti UniFi APs, with the controller on the same LAN.

Thank you.
Riaan Smith (Network Administrator) asked:
Craig Beck commented:
You don't need separate RADIUS instances for this.

You can create separate access policies in NPS.  Within the access policies you add conditions to ensure that specific authentications only match specific policies.

Let's say you have two SSIDs; Corporate and BYOD.  You'd need 2 separate access policies so that you can enforce different authentication methods for each SSID.  To achieve this you'd use conditions:

Policy 1 - Corporate
Condition 1 - Machine Groups = "Domain Computers"
Condition 2 - Called-Station-ID = ".*:Corporate$"
Constraint 1 - Authentication Method = "Smart Card or Other Certificate"

Policy 2 - BYOD
Condition 1 - Called-Station-ID = ".*:BYOD$"
Constraint 1 - Authentication Method = "Microsoft PEAP (using MSCHAPV2)"

Riaan Smith (Network Administrator, Author) commented:
Hi craigbeck,

That is an excellent solution! Thank you very much...

I'm curious though, what exactly does the "Called-Station-ID" mean, and what does that string mean? Is it a regex string? Is there a way I can see attempts to authenticate so I can see what the string looks like on my system? I had a look in the event log, but I can't seem to locate a "Called-Station-ID" field?
Craig Beck commented:
The string is indeed a regex string.  The Called-Station-ID is usually the MAC address of the AP and the SSID that the client connected to.  All we're doing in the string is saying:

.* = any AP MAC address
:BYOD$ = must be connecting to "BYOD" SSID

Look in the Custom logs, not the standard Windows logs.  You'll see the field there :-)
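To make the policy matching in the two replies above concrete, here is a small Python model of how NPS evaluates the Corporate and BYOD policies against sample RADIUS requests: conditions select the first matching policy, and its constraint then accepts or rejects. This is an added illustration, not code from the thread or from NPS; the "MAC:SSID" layout of Called-Station-ID, the sample AP MAC and the authentication method names are constructed assumptions.

```python
import re

# Constructed model of the two NPS network policies from the answer above.
# This illustrates NPS matching logic; it is not an NPS export or API.
POLICIES = [
    {   # Policy 1 - Corporate
        "name": "Corporate",
        "machine_group": "Domain Computers",     # Condition 1: Machine Groups
        "called_station_id": r".*:Corporate$",   # Condition 2: regex on Called-Station-ID
        "auth_method": "EAP-TLS",                # Constraint: Smart Card or Other Certificate
    },
    {   # Policy 2 - BYOD
        "name": "BYOD",
        "machine_group": None,                   # no group condition on this policy
        "called_station_id": r".*:BYOD$",
        "auth_method": "PEAP-MSCHAPv2",          # Constraint: Microsoft PEAP (MSCHAPv2)
    },
]

def conditions_match(request, policy):
    """True when every condition of the policy holds for this request."""
    if not re.search(policy["called_station_id"], request["called_station_id"]):
        return False
    if policy["machine_group"] and policy["machine_group"] not in request["groups"]:
        return False
    return True

def evaluate(request, policies=POLICIES):
    """Mimic NPS: the first policy whose conditions match is selected; its
    constraint then decides accept/reject. No matching policy means reject."""
    for policy in policies:
        if conditions_match(request, policy):
            ok = request["auth_method"] == policy["auth_method"]
            return policy["name"], "accept" if ok else "reject"
    return None, "reject"

# Constructed sample requests; the AP MAC and the "MAC:SSID" layout are assumptions.
DOMAIN_LAPTOP_CORP = {"called_station_id": "AA-BB-CC-DD-EE-FF:Corporate",
                      "groups": {"Domain Computers"}, "auth_method": "EAP-TLS"}
USER_PHONE_CORP = {"called_station_id": "AA-BB-CC-DD-EE-FF:Corporate",
                   "groups": set(), "auth_method": "PEAP-MSCHAPv2"}
USER_PHONE_BYOD = {"called_station_id": "AA-BB-CC-DD-EE-FF:BYOD",
                   "groups": set(), "auth_method": "PEAP-MSCHAPv2"}

if __name__ == "__main__":
    for label, req in [("laptop on Corporate", DOMAIN_LAPTOP_CORP),
                       ("phone on Corporate", USER_PHONE_CORP),
                       ("phone on BYOD", USER_PHONE_BYOD)]:
        print(label, "->", evaluate(req))
```

The second sample shows the original concern being handled: a user-credential request against the Corporate SSID matches no policy, so NPS rejects it rather than falling through to the BYOD policy.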

Riaan Smith (Network Administrator, Author) commented:
Ohh, that's really good :-)

Something else went wrong now though. I created a policy for the users, which worked, then created one for the Domain Computers, which didn't. Thought I'd restart the NPS service, and it now fails to start with a "Member not found" error? Any ideas? Must I ask a new question?
Riaan Smith (Network Administrator, Author) commented:
Thank you for your help, I managed to get it running and it's working great, thank you! Have a good day...
Craig Beck commented:
No probs.  My pleasure :-)