Configuring Windows Radius to accept Extreme wifi VSA SSID to authenticate users to the wireless network


We need to configure Windows Radius to accept Extreme wifi VSA SSID to authenticate users to the wireless network. We have Radius authentication working fine; however, because both pupils and staff are in the Radius server, they can both authenticate and connect. The SSID is a "Staff" SSID which we only want "Staff" to be able to connect to and not "pupils". I have seen in the "Radius TLVs" within the "WLAN Service/Auth&Acct/RadiusTLV's" you can send the "SSID" to the Radius server. How do we make the Radius server read this, and how do we configure the Radius server to only allow the group "Staff" to connect and not the group "pupils"?

3 replies

Userlevel 7
Hi Reene,

you don't need to send the SSID/VSAs, just filter on the NAS identifier (default = VNS name).
So in the WLAN controller GUI > VNS > WLAN services > Auth&Acc > select the RADIUS and click configure.
In the screenshot below you'd see that the default for NAS identifier is the VNS name; if you'd like to send another keyword, remove the checkmark and put the name that you'd like to filter on in the field on the right.



On the NPS now create a network policy with the conditions for the correct NAS identifier and the Windows group name.
In my example below the condition is that the request is from a Wifi device (the controller), NAS ID = SecureAccess, Windows group = WL3.



If you like, you could send all VSAs and add even more conditions on the network policy, but for your scenario that isn't really necessary.

-Ron
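
The policy described in the answer above, modelled as an added example (not part of the thread and not NPS or Extreme code): it parses the NAS-Identifier out of a RADIUS Access-Request and applies the NAS ID plus Windows group conditions. The users `alice` and `bob`, the `GROUPS` lookup and the exact-match comparison are assumptions for illustration; the packet is constructed sample data.

```python
import struct

# RADIUS attribute types from RFC 2865
USER_NAME, NAS_IDENTIFIER, NAS_PORT_TYPE = 1, 32, 61
WIRELESS_80211 = struct.pack("!I", 19)  # NAS-Port-Type "Wireless - IEEE 802.11"

def build_access_request(user, nas_id):
    """Build a constructed Access-Request (sample data, zeroed authenticator)."""
    attrs = b""
    for atype, value in ((USER_NAME, user.encode()),
                         (NAS_IDENTIFIER, nas_id.encode()),
                         (NAS_PORT_TYPE, WIRELESS_80211)):
        attrs += struct.pack("!BB", atype, len(value) + 2) + value
    return struct.pack("!BBH", 1, 0, 20 + len(attrs)) + bytes(16) + attrs

def parse_attributes(packet):
    """Return {type: value} for the TLVs that follow the 20-byte header."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or length < 20 or length > len(packet):
        raise ValueError("not a well-formed Access-Request")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

# Hypothetical directory and policy list; group names follow the question.
GROUPS = {"alice": {"Staff"}, "bob": {"pupils"}}
POLICIES = [{"name": "Staff SSID", "nas_id": "Staff", "group": "Staff"}]

def decide(packet):
    """Grant only if one policy matches on port type, NAS ID and group."""
    attrs = parse_attributes(packet)
    user = attrs.get(USER_NAME, b"").decode()
    nas_id = attrs.get(NAS_IDENTIFIER, b"").decode()
    wireless = attrs.get(NAS_PORT_TYPE) == WIRELESS_80211
    for policy in POLICIES:  # evaluated in order, first full match wins
        if (wireless and nas_id == policy["nas_id"]
                and policy["group"] in GROUPS.get(user, ())):
            return True
    return False  # no policy matched, so the request is rejected
```

Running a packet capture of a real Access-Request through `parse_attributes` is a quick way to confirm which NAS identifier the controller actually sends before writing the NPS condition.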

Thanks for the details, I will ask the customer to set this up on their Radius server and confirm if it works. Appreciated.
Userlevel 7

Come back and let us know if it worked 🙂
