User Profile using Radius Authentication

Question (updated 3 years ago)
I currently have configured against a single SSID using RADIUS.
If users are using our Corporate Laptops they are authenticated and placed into the Corporate user profile.
If they use their personal devices against the same SSID then they are pushed to the guest profile using device classification within the user profile.

What I also want to achieve is that when they bring in their own laptops, they use 802.1X and get pushed to the Guest Profile.

Can this be achieved using RADIUS attributes for both domain devices and non-domain devices, as users are using both domain and BYOD devices?
Shane



Posted 3 years ago


J. Goodnough, Champ

You may be able to get this functionality by implementing a guest user profile as the default user profile in the AH network configuration, but you're probably better off with a BYOD/Guest SSID.

Rusty Wyatt, Technical Support Engineer

In theory, it is possible to authenticate domain devices by their computer object instead of their user login - this might work, but it is potentially less secure (in case of lost or stolen devices) and can cause trouble if the cascading authentication fails - or, actually, completes (computer then user).  You would, however, not be able to utilize the user object to subsequently move user profiles based upon the user's login name as it would become entangled with the guest configuration.  The reason is that the authentication methods on the AP RADIUS server are not cumulative and, therefore, cannot be branched into an if-then scenario.  This configuration is perhaps possible with an external RADIUS server.

For guest access for encrypted sessions, it is best to utilize a PPSK solution on a unique, guest SSID - be that provided through IDManager or User Manager.  If you will allow guest access via an Open SSID - you could opt to use Social Login or a Captive Web Portal with the SSID.

Additionally, there are SSL certificate trust issues that will come up on certain clients that you will not be able to control.  See this old post for information.
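
The if-then branching that the last reply says would need an external RADIUS server can be sketched as follows. This is an added example, not part of any post above and not vendor code: the class, the TTL, the sample host names and the choice to reject unknown computer identities are assumptions, and how the chosen profile is returned to the AP (which RADIUS reply attributes) is deployment-specific and not shown.

```python
"""Profile selection for computer-then-user 802.1X logins (illustrative sketch)."""
import time

MACHINE_AUTH_TTL = 8 * 3600              # assumed: how long a computer auth vouches for a MAC
CORPORATE, GUEST = "Corporate", "Guest"  # the two user profiles named in the thread


class ProfilePolicy:
    def __init__(self, domain_computers, clock=time.time):
        self.domain_computers = {c.lower() for c in domain_computers}
        self.clock = clock
        self._machine_seen = {}  # normalized MAC -> time of last computer auth

    @staticmethod
    def _mac(calling_station_id):
        # Normalize "AA-BB-CC-00-11-22" / "aa:bb:cc:00:11:22" to bare hex digits.
        return "".join(ch for ch in calling_station_id.lower()
                       if ch in "0123456789abcdef")

    def decide(self, user_name, calling_station_id, eap_success):
        """Return the user profile for one authentication, or None to reject."""
        if not eap_success:
            return None
        mac = self._mac(calling_station_id)
        now = self.clock()
        if user_name.lower().startswith("host/"):
            # Windows computer authentication presents the identity host/<fqdn>.
            if user_name[5:].lower() in self.domain_computers:
                self._machine_seen[mac] = now
                return CORPORATE
            return None  # assumption: unknown computer objects are rejected
        # User login: Corporate only if this MAC passed computer auth recently.
        # The linkage is only as strong as the MAC address itself.
        seen = self._machine_seen.get(mac)
        if seen is not None and now - seen <= MACHINE_AUTH_TTL:
            return CORPORATE
        return GUEST  # valid user credentials on a non-domain (BYOD) device
```

A domain user on a personal laptop passes 802.1X but never performs the computer authentication, so the same credentials land in the Guest profile there and in the Corporate profile on a domain laptop.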