vcomtech

Restricting access to multiple SSIDs using a single NPS server

We have a Cisco WLC 5508 with two SSIDs that point to the same 2012R2 server running NPS. Let's call the SSIDs USER and IT.

I created two Network Policies in NPS: USER allows any domain user to join. IT should only allow members of the IT Wireless domain group to join.

RADIUS authentication works for all users. The problem I'm having is that any domain member is currently able to join the IT SSID via RADIUS. I added the NAS-ID to the WLAN and to the Network Policy but that didn't seem to help. I'm not sure if the WLC is passing over what it needs for NPS to identify which SSID is being joined.

Any suggestions welcome.

Thank you
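
An added example (not part of the original thread, and not a diagnosis of the asker's configuration): a simplified Python model of ordered network policy evaluation, where the first policy whose conditions all match decides the request, showing how a request for the IT SSID can be granted by a USER policy that carries no SSID condition. It assumes the WLC sends the SSID name as the NAS-Identifier; the class names, users and groups are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    user: str
    groups: frozenset
    nas_identifier: Optional[str]  # None models a request that carries no NAS-ID


@dataclass
class Policy:
    name: str
    required_group: str
    nas_identifier: Optional[str] = None  # None = policy has no NAS-ID condition
    grant: bool = True

    def matches(self, req: Request) -> bool:
        # All conditions must hold for the policy to match.
        if self.required_group not in req.groups:
            return False
        return self.nas_identifier is None or self.nas_identifier == req.nas_identifier


def evaluate(policies, req):
    """Return (policy name, granted) for the first policy whose conditions match."""
    for policy in policies:
        if policy.matches(req):
            return policy.name, policy.grant
    return None, False  # no policy matched: the request is rejected


# Constructed sample requests, both arriving on the IT SSID.
alice = Request("alice", frozenset({"Domain Users"}), "IT")  # not in IT Wireless
bob = Request("bob", frozenset({"Domain Users", "IT Wireless"}), "IT")

# USER policy has no NAS-ID condition, so it also matches IT-SSID requests.
loose = [Policy("USER", "Domain Users"),
         Policy("IT", "IT Wireless", nas_identifier="IT")]

# Every policy is pinned to its own SSID.
pinned = [Policy("USER", "Domain Users", nas_identifier="USER"),
          Policy("IT", "IT Wireless", nas_identifier="IT")]

if __name__ == "__main__":
    for label, policies in (("loose", loose), ("pinned", pinned)):
        for req in (alice, bob):
            print(label, req.user, evaluate(policies, req))
```

In this model, reordering the policies alone does not help: with the IT policy first, a non-member's request fails its group condition and falls through to the unpinned USER policy. A request that arrives without the expected NAS-Identifier matches neither pinned policy and is rejected.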
David Favor

You can't restrict access to SSIDs from any common point.

SSID lists are generated by each device with WiFi hardware.

You'd have to do SSID restrictions on every device inside your network.

Complex + error prone.

Likely anyone with marginal intelligence can defeat any SSID restrictions put in place, so unsure if this would really be very useful.
vcomtech

ASKER

We're using RADIUS authentication on the WLC so it forces SSID to use domain credentials. It is based on the user who is authenticating, rather than a device restriction.

I don't see why you can't do this?

Set each SSID to use a different NAP server and configure the IT Staff one for either EAP or EAP-TLS

Cisco WLC: EAP-TLS Secured Wireless with Certificate Services

Then it's secured by group membership or user certificate?

Regards,

Pete

You said, "We're using Radius authentication on the WLC so it forces SSID to use domain credentials."

You can easily force credentials. You cannot easily hide SSIDs.

Any cellphone with tethering enabled will show up.

Any service tech or any other person with a mobile hotspot device will have their SSID show up to any nearby devices.

If you log all SSIDs that appear + disappear during a normal day, you'll be very surprised + wonder how in the world so many SSIDs come on/off line in a day.

ASKER CERTIFIED SOLUTION
vcomtech