UAC + WLC + detect SSID

Occasional Contributor




I'm setting up a new WLAN with a WLC880R and an IC 4500.


I've 3 SSIDs:


SSID A: Local LAN on the Switch (no vlan ID)

SSID B: Local VLAN on the Switch (id: 1000)

SSID C: Tunnel to WLC with local LAN and Sign-In Page on the WLC


The basic network setup is working (Sign-In Page with local user on the WLC, connecting to the right VLAN based on the SSID. The SSID is protected by WPA-PSK for testing).


SSIDs A and B should be authenticated against an AD via UAC.

A with Username+Password (+ certificate)

B with Username+Password


SSID C against a local Database on the UAC.


Can I identify on the UAC from which SSID the user tries to connect to the WLAN?

With this information, it should be possible to write 3 different rule-sets?

Is this scenario possible?




Regular Contributor

Re: UAC + WLC + detect SSID

Hello Sebastian


Yes, your requirement should be possible.

Typically, the SSID is sent from the WLC using the RADIUS attribute Called-Station-ID.


You need to create a RADIUS request attribute policy and match the above-mentioned attribute for realm selection.

Based on the realm selection you could assign the authentication database.

Hope this helps!




Super Contributor

Re: UAC + WLC + detect SSID

Yes, this is possible and I have seen this working at many sites.


You need to have RADIUS request attribute policies configured for each SSID and enable these request policies under the respective realms in the Authentication Policy section, where we have the authentication server and role mapping rules also enabled.


You can access the URLs below to understand more on RADIUS Request Attribute Policies & Using RADIUS Attributes in Access Policies


Hope this helps,




Occasional Visitor

Re: UAC + WLC + detect SSID



I'm trying to differentiate users regarding their SSID names but Called-Station-ID does not work. Can you please help me?





Re: UAC + WLC + detect SSID

Take a packet capture and look at the RADIUS attributes that are sent from the WLC.


Some WLCs will use Called-Station-ID.  Others, like Aruba, use a VSA called "Aruba-ESSID".


Once you know which attribute the SSID is sent in, you can then create a RADIUS Request Attribute policy to select the correct realm or use it for role mapping rules.


Hope this helps
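
To check a capture the way the last reply suggests, here is an added example (not from the thread or from any vendor) that decodes the attributes of one RADIUS packet and lists where an SSID could be carried. It assumes Called-Station-Id follows the RFC 3580 "MAC:SSID" convention; the sample packet is constructed, and vendor ID 32473 is the IANA documentation enterprise number, not a real WLC vendor.

```python
import re
import struct

CALLED_STATION_ID = 30  # RFC 2865 attribute type
VENDOR_SPECIFIC = 26    # RFC 2865 attribute type
# RFC 3580 convention: AP MAC, then ":" and the SSID when it is known.
MAC_SSID = re.compile(r"^([0-9A-Fa-f]{2}(?:[-:]?[0-9A-Fa-f]{2}){5})(?::(.*))?$", re.S)

def parse_attributes(packet: bytes):
    """Yield (type, value) for every attribute in one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20  # skip code, identifier, length and 16-byte authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        yield packet[pos], packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]

def ssid_candidates(packet: bytes) -> dict:
    """Collect the places an SSID can appear: Called-Station-Id and VSAs."""
    found = {"called_station_id": None, "ssid": None, "vsas": []}
    for atype, value in parse_attributes(packet):
        if atype == CALLED_STATION_ID:
            text = value.decode("utf-8", "replace")
            found["called_station_id"] = text
            m = MAC_SSID.match(text)
            found["ssid"] = m.group(2) if m else None  # None: MAC only, no SSID
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = int.from_bytes(value[:4], "big")
            sub = value[4:]  # one or more vendor type/length/value triples
            while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
                found["vsas"].append((vendor_id, sub[0], sub[2:sub[1]]))
                sub = sub[sub[1]:]
    return found

def _attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value

def build_sample(called_station: bytes = b"00-10-A4-23-19-C0:SSID-B") -> bytes:
    """Constructed Access-Request; 32473 is the IANA documentation PEN."""
    vsa = (32473).to_bytes(4, "big") + _attr(1, b"SSID-B")
    attrs = _attr(1, b"alice") + _attr(CALLED_STATION_ID, called_station) + _attr(VENDOR_SPECIFIC, vsa)
    return struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    print(ssid_candidates(build_sample()))
```

If `ssid` comes back as `None`, the WLC is sending only the AP MAC in Called-Station-Id, and the `(vendor_id, vendor_type, value)` tuples are what to look up in the WLC vendor's RADIUS dictionary.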