NPS Authentication

  • Question

  • Is it possible to authenticate multiple 802.11x SSIDs using Network Policies?

    Example:

    SSID A uses NPS server 1 and authenticates using Windows group A

    SSID B uses NPS server 1 and authenticates using Windows group B

    As of now I have a separate NPS server for each SSID I want authenticated with different group access.

    Tuesday, August 10, 2010 5:59 PM

Answers

  • How about setting the policies to authenticate the requests from the different SSIDs based on their IP addresses? Thanks.


    Sorry. My posting is my personal suggestion, Microsoft won't take any responsibilities for my posting. But I am more than happy to try my best to help you.
    • Marked as answer by Miles Zhang Monday, August 30, 2010 1:32 AM
    Tuesday, August 10, 2010 9:11 PM

All replies

  • Could you suggest how this might be done if a single access point has multiple SSIDs?

    I too am wondering about this.

    I have Cisco 113x and 1252 access points and want to use NPS to authenticate two different SSIDs with different policies.

    It is important for me that I can use multiple policies without multiple servers, due to the small number of servers we have to work with.


    Thanks


    VCP, MCITP, MCSE, MCTS Exchange 2007, MCTS SCCM 2007, Server 2008 R2 Virtualization Administrator
    Wednesday, August 18, 2010 1:43 AM
  • Hi, I was wondering if there was any solution to the above post.

    I also need to have specific NPS policy validations based on unique SSIDs. I have an Aruba controller that will be required to send the RADIUS requests.

    Thanks,

     

    Wednesday, February 9, 2011 2:49 PM
  • Hi Auzzy

    It seems the issue was left hanging anyway. Are your SSIDs linked to a specific VLAN, or do they each have their own IP address? Or are they just multiple SSIDs with different authentication requirements, or maybe the same, and all connecting to one network?


    tech-nique
    Wednesday, February 9, 2011 6:55 PM
  • Hello,

    If you specified the Access Point as a standard RADIUS client, you can use Called-Station-Id in the condition. My Dlink2100AP sends this data as ACCESS-POINT-MAC:SSID

    for example <Called-Station-Id data_type="1">00-11-22-33-44-55:SUPER-ap1</Called-Station-Id>

    So you can try to check the logs of your NPS and use the corresponding data in the Condition of the policy for each SSID

    Monday, February 28, 2011 8:21 PM
  • When specifying the Called-Station-Id as a condition, I find that the Network Policy Service errors out when trying to start or restart. When I remove this condition the service starts without a problem.

    Also, does anyone know of a way to use pattern syntax for the Called-Station-Id? I have many WAPs deployed and I notice that part of the Called-Station-Id is the MAC address. I would like to filter this out and only have it use the SSID.

     

    • Proposed as answer by Voldsrud Friday, May 6, 2011 1:48 PM
    • Unproposed as answer by Voldsrud Friday, May 6, 2011 1:48 PM
    Thursday, March 31, 2011 12:37 PM
  • You can solve this by specifying the Called Station ID as a condition in the network policy, and use the pattern syntax $.

    If the name of the ssid is "WLAN" add the syntax "WLAN$". This means that it will match everything that ends with "WLAN". 

    Here is a list of pattern matching syntaxes to use: http://technet.microsoft.com/en-us/library/cc737419(WS.10).aspx

    • Proposed as answer by Voldsrud Friday, May 6, 2011 1:58 PM
    Friday, May 6, 2011 1:58 PM
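
The suffix-pattern approach from the reply above, as an added example that is not part of the original thread: it evaluates an ordered policy list against Called-Station-Id values in the `MAC:SSID` form quoted earlier, and reports values that more than one pattern matches. Python's `re.search` stands in for the NPS pattern condition (an assumption), and the policy names, group names and SSIDs are hypothetical.

```python
import re

# Hypothetical policy table in processing order; names, groups and SSIDs are
# constructed. Each entry: (policy name, Called-Station-Id pattern, group).
POLICIES = [
    ("Staff WLAN", r":WLAN$", "Wifi-Staff"),
    ("Guest WLAN", r":GUEST-WLAN$", "Wifi-Guest"),
]

def evaluate(called_station_id, user_groups, policies=POLICIES):
    """Return the name of the first policy whose conditions all match, else None.

    The pattern condition is approximated with an unanchored regex search, so
    "WLAN$" matches any value that ends in WLAN, as the reply describes.
    """
    for name, pattern, group in policies:
        if re.search(pattern, called_station_id) and group in user_groups:
            return name
    return None  # no policy matched: the request is rejected

def overlapping(patterns, called_station_ids):
    """Return the observed values that more than one pattern matches,
    mapped to the list of patterns that matched."""
    hits = {}
    for value in called_station_ids:
        matched = [p for p in patterns if re.search(p, value)]
        if len(matched) > 1:
            hits[value] = matched
    return hits

# Constructed Called-Station-Id values in MAC:SSID form.
OBSERVED = ["00-11-22-33-44-55:WLAN", "00-11-22-33-44-55:GUEST-WLAN"]

if __name__ == "__main__":
    print(evaluate(OBSERVED[0], {"Wifi-Staff"}))
    print(evaluate(OBSERVED[1], {"Wifi-Staff"}))
    # A bare "WLAN$" also matches the GUEST-WLAN value; ":WLAN$" does not.
    print(overlapping(["WLAN$", "GUEST-WLAN$"], OBSERVED))
    print(overlapping([":WLAN$", ":GUEST-WLAN$"], OBSERVED))
```

Including the `:` separator in the pattern ties the match to the whole SSID, which matters when one SSID name is a suffix of another.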
  • I am curious if you ever found a solution to this. I am in the exact same boat. 1 AP with multiple SSIDs. They are using different Authentication types but the same credentials. So I want to use two different policies, one for each SSID.
    Wednesday, May 11, 2011 7:02 PM
  • If they are using different Authentication Types, you can have the policy check this using the Authentication Type as a condition.
    Monday, July 18, 2011 4:49 PM
  • I had the same issue and I tried using Authentication Types to differentiate between the policies; it didn't work. Please suggest a way I can do so, as the Access Point I am using doesn't send the SSID information to the RADIUS server (2008R2)
    • Edited by Aiesh Tuesday, January 3, 2012 12:57 AM
    Tuesday, January 3, 2012 12:57 AM
  • From looking at the log file for NPS (to find your log file go to Server Manager, Roles, Network Policy and Access Services, NPS, Accounting) I was able to see that when I connect to different SSIDs (single Cisco access point, multiple SSIDs and VLANs), the log shows me the MAC address of the virtual AP. I tried to find this MAC address on my Cisco AP but couldn't, so I connected to the different SSIDs and looked at the log to get them.

    For example:

    "VMDC01","IAS",01/10/2012,10:00:41,1,"seegrid\bfisk","SEEGRID\bfisk","0023.050c.e751","0811.9688.ffb0",,,"pghap2","192.168.10.25",51105,9,"192.168.10.25","pghap02",,,19,,,1,11,"SGA Wireless",0,"311 1 192.168.10.4 01/10/2012 13:30:09 192",,,,"Microsoft: Secured password (EAP-MSCHAP v2)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"SGA",1,,,,

     

    After my username bfisk, you will see the MAC for the VAP and for my client computer connecting to the wifi. Looking at the logs I found one SSID = e751 and the other was e750.

    I then created network policies, one for each SSID/VLAN, and used the condition Called Station ID = e751$ for the one SSID, e750$ for the other SSID. Added the different domain group conditions for each and presto, working like a champ.

     

     

    Tuesday, January 10, 2012 4:18 PM
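
The log-inspection step from the last reply, as an added example that is not part of the original thread: it reads records shaped like the log line quoted there, lists which policy handled each Called-Station-Id, and finds the shortest suffix of each value that no virtual AP MAC under a different policy shares. Field positions are read off that quoted line; the sample records, host names, users and MAC addresses are constructed.

```python
import csv
import io

# 0-based field positions, read off the log line quoted in the reply above:
# Called-Station-Id (virtual AP MAC) and the matched network policy name.
CALLED, POLICY = 7, 24

# Constructed records in the same shape as that line; every value is made up.
SAMPLE_LOG = r'''"NPS01","IAS",01/10/2012,10:00:41,1,"EXAMPLE\alice","EXAMPLE\alice","0011.2233.e751","aaaa.bbbb.0001",,,"ap2","192.0.2.25",51105,9,"192.0.2.25","ap02",,,19,,,1,11,"Staff Wireless",0
"NPS01","IAS",01/10/2012,10:02:13,1,"EXAMPLE\bob","EXAMPLE\bob","0011.2233.e750","aaaa.bbbb.0002",,,"ap2","192.0.2.25",51106,9,"192.0.2.25","ap02",,,19,,,1,11,"Guest Wireless",0
"NPS01","IAS",01/10/2012,10:05:47,1,"EXAMPLE\carol","EXAMPLE\carol","0011.2244.e751","aaaa.bbbb.0003",,,"ap3","192.0.2.26",51107,9,"192.0.2.26","ap03",,,19,,,1,11,"Guest Wireless",0
'''

def called_station_policies(log_text):
    """Map each Called-Station-Id in the log to the set of policies that handled it."""
    seen = {}
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) > POLICY and row[CALLED]:
            seen.setdefault(row[CALLED].lower(), set()).add(row[POLICY])
    return seen

def shortest_safe_suffixes(seen, min_len=4):
    """For each Called-Station-Id, return the shortest suffix (at least
    min_len characters) not shared by any value served by a different policy."""
    result = {}
    for value, policies in seen.items():
        others = [v for v, p in seen.items() if p != policies]
        for n in range(min_len, len(value) + 1):
            suffix = value[-n:]
            if not any(o.endswith(suffix) for o in others):
                result[value] = suffix
                break
    return result

if __name__ == "__main__":
    seen = called_station_policies(SAMPLE_LOG)
    for value, suffix in shortest_safe_suffixes(seen).items():
        print(value, sorted(seen[value]), "suffix:", suffix)
```

With a single access point the four-character suffixes are enough; the constructed third record shows a second AP whose virtual MAC ends in the same four characters but serves the other SSID, so a longer suffix is needed there.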