Different authentication with different SSIDs on one RADIUS

  • Question
  • Updated 4 years ago
  • Answered
Hello,
I would like to know whether this is possible, and how to do it.
I have 2 SSIDs; my RADIUS is also my AD (Windows Server 2008):
- corpo
- employe
I want certificate authentication on the corpo SSID and AD credential authentication (login/password) on the employe SSID,
but I must not be able to connect with my AD credentials on the corpo SSID, and likewise on the employe SSID I don't want to authenticate with a certificate.
Can you help me please?

Thank you so much for your help

ph

  • 1 Post
  • 0 Reply Likes

Posted 4 years ago


Jonathan Hurtt

  • 98 Posts
  • 48 Reply Likes
If you are using Microsoft NPS you can use Pattern Matching for the Calling Station ID to create policies that only allow EAP-TLS with certain SSIDs and PEAP on others.

Here is a tech note around this technology - http://technet.microsoft.com/en-us/library/dd197583%28WS.10%29.aspx

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
If you want to restrict what is possible based on the SSID, use a regular expression against the Called-Station-Id in the policy conditions to discriminate between the SSIDs:

^(?:[0-9A-F]{2}[-:]?){6}:corporate$

^(?:[0-9A-F]{2}[-:]?){6}:employee$

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Actually, a better regex would be:

^(?:[0-9A-F]{2}[-:]?){5}[0-9A-F]{2}:corporate$

^(?:[0-9A-F]{2}[-:]?){5}[0-9A-F]{2}:employee$

Minor optimisation here as this change avoids a backtrack by the MAC address part of the regex not consuming the : before the SSID.
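As an added example (not code from the thread, from Aerohive or from Microsoft), the following Python snippet runs both of Nick Lowe's Called-Station-Id regexes, the first form and the "better" form, against constructed sample values so you can see exactly which strings an NPS policy built on them would and would not match. It assumes the access point or controller formats Called-Station-Id as <AP MAC>:<SSID>, which is the format the regexes expect; the EAP-type mapping (corporate requires EAP-TLS, employee requires PEAP) is the design discussed in the thread, and the names FIRST_FORM, BETTER_FORM, POLICY, classify and policy_decision are chosen here for illustration.

```python
import re

# The two regex forms from the thread. Both assume Called-Station-Id is
# "<AP MAC>:<SSID>" with the MAC in uppercase hex and an optional - or : separator.
FIRST_FORM = {
    "corporate": re.compile(r"^(?:[0-9A-F]{2}[-:]?){6}:corporate$"),
    "employee": re.compile(r"^(?:[0-9A-F]{2}[-:]?){6}:employee$"),
}
# The second form ends the MAC with a bare octet so the optional separator
# cannot swallow the ":" that precedes the SSID.
BETTER_FORM = {
    "corporate": re.compile(r"^(?:[0-9A-F]{2}[-:]?){5}[0-9A-F]{2}:corporate$"),
    "employee": re.compile(r"^(?:[0-9A-F]{2}[-:]?){5}[0-9A-F]{2}:employee$"),
}

# EAP method each SSID's policy should accept, as described in the thread.
POLICY = {"corporate": "EAP-TLS", "employee": "PEAP"}


def classify(called_station_id, patterns=BETTER_FORM):
    """Return the SSID whose pattern matches the attribute, or None if no policy matches."""
    for ssid, pattern in patterns.items():
        if pattern.match(called_station_id):
            return ssid
    return None


def policy_decision(called_station_id, eap_type):
    """Model the NPS decision: reject unknown SSIDs and wrong EAP methods."""
    ssid = classify(called_station_id)
    if ssid is None:
        return "reject: no matching policy"
    if POLICY[ssid] != eap_type:
        return f"reject: {ssid} requires {POLICY[ssid]}"
    return f"accept: {ssid} via {eap_type}"


# Constructed sample Called-Station-Id values (not captured from any real controller).
SAMPLES = [
    "AA-BB-CC-DD-EE-FF:corporate",        # hyphen-separated MAC
    "AA:BB:CC:DD:EE:FF:employee",         # colon-separated MAC
    "AABBCCDDEEFF:corporate",             # no separator at all
    "aa-bb-cc-dd-ee-ff:corporate",        # lowercase hex: the page's regexes are case-sensitive
    "AA-BB-CC-DD-EE-FF:corporate-guest",  # another SSID sharing a prefix: the $ anchor rejects it
    "AA-BB-CC-DD-EE-FF",                  # no SSID suffix
]


def run_samples():
    """Classify every sample with both regex forms; returns {sample: (first, better)}."""
    return {s: (classify(s, FIRST_FORM), classify(s, BETTER_FORM)) for s in SAMPLES}


if __name__ == "__main__":
    for sample, (first, better) in run_samples().items():
        print(f"{sample:40} first={first!s:10} better={better!s:10}")
    print(policy_decision("AA-BB-CC-DD-EE-FF:corporate", "PEAP"))
    print(policy_decision("AABBCCDDEEFF:employee", "PEAP"))
```

Both forms accept exactly the same strings; the difference Nick describes is only in how the engine arrives at the match. Two of the samples are worth keeping in mind when you build the real policy: the lowercase MAC shows that the regex as written is case-sensitive, so confirm what your controller actually sends before relying on it, and the "corporate-guest" sample shows why the trailing `$` matters, since without it a policy for one SSID would also match any SSID that merely starts with the same name.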

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
The Calling-Station-Id is the client's MAC address, so you won't want that. (Easily confused!)

Jonathan Hurtt

  • 98 Posts
  • 48 Reply Likes
Good Catch on that Nick.

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
There is of course the 'Why are you doing this?' perspective as it achieves little to nothing. I would run with one more generically named SSID if you can as you have lower overheads with fewer SSIDs.

Jonathan Hurtt

  • 98 Posts
  • 48 Reply Likes
I am guessing segmenting BYOD devices from Corporate Owned Devices. EAP-TLS for Corp and PEAP for BYOD, just a guess..

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Sure, but it's not needed, hence the 'Why are you doing this?'. VLANs and profiles come in to give the segmentation, entirely decoupled from the SSID, via RADIUS attributes: Tunnel-Private-Group-Id and Filter-Id in a standards-based setup. You can, as we know, offer multiple EAP types on a single SSID.

Jonathan Hurtt

  • 98 Posts
  • 48 Reply Likes
I think you are 100% correct. 1 SSID with two User Profiles (Employee and Corp); based on NPS Policy (with regex) and return Attributes, place users in one of the two user profiles.

Nick 2 - Jonathan 0  

:)

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Screenshot from Aerohive's excellent documentation:


J. Goodnough, Champ

  • 266 Posts
  • 32 Reply Likes
This is what I do to separate out students from faculty/staff, and it works great.