
UAC + WLC + detect SSID

Occasional Contributor


Hi,

 

I'm setting up a new WLAN with a WLC880R and an IC 4500.

 

I've 3 SSIDs:

 

SSID A: Local LAN on the Switch (no vlan ID)

SSID B: Local VLAN on the Switch (id: 1000)

SSID C: Tunnel to WLC with local LAN and Sign-In Page on the WLC

 

The Network basic Setup is working (Sign-IN Page with local User on the WLC, connecting to the right VLAN based on the SSID. The SSID is protected by WPA-PSK for testing)

 

SSIDs A and B should be authenticated against an AD via UAC.

A with Username+Password (+ certificate)

B with Username+Password

 

SSID C against a local Database on the UAC.

 

Can I identify on the UAC from which SSID the user tries to connect to the WLAN?

With this information, it should be possible to write 3 different rule-sets?

Is this scenario possible?

 

Regards

Sebastian

4 REPLIES
Regular Contributor

Re: UAC + WLC + detect SSID

Hello Sebastian

 

Yes, your requirement should be possible.

Typically, the SSID is sent from the WLC using the RADIUS attribute Called-Station-ID.

 

You need to create a RADIUS request attribute policy and match the above-mentioned attribute for realm selection.

Based on the realm selection you can assign the authentication database.

Hope this helps!

 

Regards,

Raveen

Super Contributor

Re: UAC + WLC + detect SSID

Yes, this is possible, and I have seen this working at many sites.

 

You need to have RADIUS request attribute policies configured for each SSID and enable these request policies under the respective realms in the Authentication Policy section, where we also have the authentication server and role mapping rules enabled.

 

You can access the URLs below to understand more about

RADIUS Request Attribute Policies & Using RADIUS Attributes in Access Policies

 

http://www.juniper.net/techpubs/en_US/uac5.0/topics/concept/uac-l2-radius-request-attributes-overvie...

 

http://www.juniper.net/techpubs/en_US/uac5.0/topics/task/configuration/uac-l2-radius-attributes-poli...

 

Hope this helps,

 

Regards,

Kannan

Occasional Visitor

Re: UAC + WLC + detect SSID

Hello,

 

I'm trying to differentiate users regarding their SSID names but Called-Station-ID does not work. Can you please help me?

 

Omer

 

Moderator

Re: UAC + WLC + detect SSID

Take a packet capture and look at the RADIUS attributes that are sent from the WLC.

 

Some WLCs will use Called-Station-ID.  Others, like Aruba, use a VSA called "Aruba-ESSID".

 

Once you know which attribute the SSID is sent in, you can then create a RADIUS Request Attribute policy to select the correct realm or use it for role mapping rules.

 

Hope this helps

 

Thanks

 

Craig
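
Added example, not written by any poster in this thread: a Python sketch of the check described in the last reply, listing which attributes of a captured RADIUS Access-Request carry the SSID (Called-Station-Id in the RFC 3580 "AP-MAC:SSID" form, or a vendor-specific attribute). The sample packet, MAC address, SSID name and the documentation enterprise number 32473 are constructed; feed it the RADIUS payload bytes exported from your own capture.

```python
import re
import struct

CALLED_STATION_ID = 30  # RFC 2865 attribute type
VENDOR_SPECIFIC = 26    # RFC 2865 attribute type
MAC_THEN_SSID = re.compile(r"(?:[0-9A-Fa-f]{2}[-:]?){5}[0-9A-Fa-f]{2}:(.+)")

def tlvs(buf):
    """Yield (type, value) from a run of 1-byte-type, 1-byte-length attributes."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]

def ssid_candidates(packet):
    """Return (attribute, text) pairs that may carry the SSID in a RADIUS packet."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    found = []
    for atype, value in tlvs(packet[20:length]):  # attributes follow the 20-byte header
        if atype == CALLED_STATION_ID:
            text = value.decode("utf-8", "replace")
            m = MAC_THEN_SSID.fullmatch(text)  # "AP-MAC:SSID"; MAC only means no SSID sent
            found.append(("Called-Station-Id", m.group(1) if m else text))
        elif atype == VENDOR_SPECIFIC and len(value) > 4:
            vendor = int.from_bytes(value[:4], "big")
            try:
                subs = list(tlvs(value[4:]))  # common vendor sub-attribute layout
            except ValueError:
                continue  # vendor uses another layout; inspect it by hand
            for vtype, vval in subs:
                found.append(("VSA vendor=%d type=%d" % (vendor, vtype),
                              vval.decode("utf-8", "replace")))
    return found

def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value

def sample_request(called=b"00-11-22-33-44-55:SSID-B"):
    """Constructed Access-Request: zeroed authenticator, made-up MAC and SSID."""
    body = attr(1, b"alice") + attr(CALLED_STATION_ID, called)
    body += attr(VENDOR_SPECIFIC, (32473).to_bytes(4, "big") + attr(1, b"SSID-B"))
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    for name, text in ssid_candidates(sample_request()):
        print(name, "->", text)
```

If Called-Station-Id comes back as a bare MAC address, the controller is not appending the SSID there, and the vendor-specific entries are the place to look before writing the request attribute policy.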