locked
Restrict user connection to specific WiFi via RADIUS RRS feed

  • Question

  • Hi all,<o:p></o:p>

    Sorry for my English,<o:p></o:p>

    I am looking for a way in which I restrict users to connect only to a specific network according to VLAN.<o:p></o:p>

    My infrastructure is this:<o:p></o:p>

    Windows server 2012 – AD, CA,DHCP, DC<o:p></o:p>

    Windows server 2016 – Radius server <o:p></o:p>

    Cisco WLC for WiFi and VLAN<o:p></o:p>


    There are groups in AD with the association of users.<o:p></o:p>

    I try to set up with Radius Server and Certificate, It works for me but not as much as I want. <o:p></o:p>

    I can connect to all networks without a username and password, via certificate deployed via GPO. <o:p></o:p>

    But the problem is that everyone can connect to all networks even if they are not in the AD group associated with the network.

    <o:p></o:p>

    For example;<o:p></o:p>

    There is a network called Sales-WiFi, RnD-WiFi<o:p></o:p>

    AD security group named: Sales-WiFi, RnD-WiFi <o:p></o:p>

    In Sales-WiFi security group I have the users:<o:p></o:p>

    salesUser1<o:p></o:p>

    salesUser2, and so on.<o:p></o:p>

    In RnD-WiFi security group I have the users:<o:p></o:p>

    RnDuser1<o:p></o:p>

    RnDuser2, and so on<o:p></o:p>

    When I connect to Sales-WiFi using salesUser1 user, I get the VLAN and all good.<o:p></o:p>

    But I can connect with user salesUser1 to RnD-WiFi as well – Not good.<o:p></o:p>

    In Radius NPS I created in Network Policies, police with the name of each of my WiFi with the "Windows Group" of the WiFi security group I created in AD under Conditions.<o:p></o:p>

    And it’s not working.<o:p></o:p>

    Can you please help me?<o:p></o:p>

    is it posibla to block or grant access based on security group

     

    Thank you in advance <o:p></o:p>


    Tuesday, March 12, 2019 1:38 PM

Answers

All replies

  • Hi,

    You can configure a network policy that assigns users to a VLAN. When you use VLAN-aware network hardware, such as routers, switches, and access controllers, you can configure network policy to instruct the access servers to place members of specific Active Directory groups on specific VLANs. This ability to group network resources logically with VLANs provides flexibility when designing and implementing network solutions.

    When you configure the settings of an NPS network policy for use with VLANs, you must configure the attributes Tunnel-Medium-Type, Tunnel-Pvt-Group-ID, Tunnel-Type, and Tunnel-Tag.

    Please refer to the link below:

    https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-np-configure

    Best regards,

    Travis


    Please remember to mark the replies as an answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, March 13, 2019 2:47 AM
  • Hi,

    Thank you for your reply.

    I tried the guide and set it with VLAN but it didn't work.

    I'll try to explain my issue again,

    My WLC Cisco is broadcast the SSID and have the VLAN's on it.

    I created Network policies for each SSID, and in each one of them at the "Conditions" tab I add the security group that contains the users that are allowed to connect to the specific SSID WLAN. Didn't work.

    In my understanding, I don't need to assign VLAN in the NPS, or do I? and I just doing something wrong.

    Thank you in Advance

       

    Thursday, March 14, 2019 1:25 PM
  • Hi,

    Do you mean authenticate multiple WIFI SSIDs on a single NPS server ?

    Please refer to the link below:

    https://blogs.technet.microsoft.com/netgeeks/2017/05/02/how-to-authenticate-multiple-wifi-ssids-on-a-single-nps-server-radius/

    Best regards,

    Travis


    Please remember to mark the replies as an answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    • Marked as answer by GuyxIT Sunday, March 17, 2019 7:50 AM
    Friday, March 15, 2019 9:42 AM
  • Exactly,

    I just find out that what I was missing is to add the 

    called station ID = SSID Name

    Thank you for your Help

    Sunday, March 17, 2019 7:51 AM