Betr.: Re: [WIRELESS-LAN] Same Radius server, more than one SSID, different groups of users?

[Kees Pronk]

Nick,

You want to keep the amount of SSID's flying around as low as possible.
Why?
http://revolutionwifi.blogspot.com/2010/10/limit-ssids-data-rates-to-maintain.html?spref=tw

My 2 cents

Best regards, Kees.

Netwerkbeheer
 
Avans Hogeschool
Diensteenheid ICT en Facilitaire Dienst (DIF) - ICT-Beheer
 
Bezoekadres:
Hogeschoollaan 1, Kamer HG204
4818 CR  Breda
 
Postadres:
Postbus 90116
4800 RA Breda
 
E: cl.pr...@avans.nl
T: 076-5238054
@rovinguser ( people move, networks don't )


>>> "Hanset, Philippe C"  9/19/2011 7:50 PM >>>
Nick,

Most RADIUS servers will let you do that
(freeRADIUS, RADIATOR, ACS...)
If you want to separate users you can also
Use the same SSID that you use currently
And return an attribute item from AD that would
Set the VLAN per user or per group of users.


Philippe,
eduroamus.org
University of Tennessee
(using a tiny keyboard)

On Sep 19, 2011, at 9:33 AM, "Urrea, Nick" 
mailto:urr...@uchastings.edu>> wrote:

We at UC Hastings would like to create a new SSID that only allows certain 
users with WPA-Enterprise authentication to access.
We currently have two SSIDs one which uses WPA-Enterprise with RADIUS which 
checks against and Active Directory group and the other which uses Web-Auth 
which checks against the same Active Directory.
We are using the Cisco Solution for enterprise wireless.

I would like to use the same RADIUS server for both WPA-Enterprise SSIDs.
Any ideas?




---
Nicholas Urrea
Information Technology
UC Hastings College of the Law
San Francisco, CA, 94102
urr...@uchastings.edu
help desk: 415-581-8802
helpd...@uchastings.edu

** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.


--- 
Op deze e-mail zijn de volgende voorwaarden van toepassing: 
The following conditions apply to this e-mail: 
http://emaildisclaimer.avans.nl 
--- 

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

RE: [WIRELESS-LAN] Same Radius server, more than one SSID, different groups of users?

[Jason Todd]

We're not using Cisco but what we do is evaluate the NAS Identifier (which is 
the same as the SSID in our environment) along with AD group membership to 
determine what wireless networks our users can connect to. We are using Windows 
Network Policy Server and FreeRADIUS for our RADIUS servers.

Jason Todd
Western University of Health Sciences

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Urrea, Nick
Sent: Monday, September 19, 2011 1:07 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Same Radius server, more than one SSID, different 
groups of users?

I would like to limit the SSID so only a certain group can access it.
I want to use different QoS rates on different SSIDs so one network has more 
bandwidth available to individual users than the other.
SSID for students 5 MB/s
SSID for staff/faculty 20 MB/s

-Nick

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Mike King
Sent: Monday, September 19, 2011 11:42 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Same Radius server, more than one SSID, different 
groups of users?

Nick, I've used both NPS (New RADIUS server from Microsoft) and IAS.  What you 
want to do is Extremely simple.

FYI:
Do NOT under any circumstances roll out a new SSID using WPA.   Use WPA2.

I have 3 SSID's that go back to the same RADIUS server.

Is there anything special you want to do?   Limit the groups so that only one 
SSID is availble to them?

with VLAN id's you can even have users on the same SSID be in different VLAN's, 
amoung other tricks.

Mike

On Mon, Sep 19, 2011 at 12:24 PM, Urrea, Nick 
mailto:urr...@uchastings.edu>> wrote:
We at UC Hastings would like to create a new SSID that only allows certain 
users with WPA-Enterprise authentication to access.
We currently have two SSIDs one which uses WPA-Enterprise with RADIUS which 
checks against and Active Directory group and the other which uses Web-Auth 
which checks against the same Active Directory.
We are using the Cisco Solution for enterprise wireless.

I would like to use the same RADIUS server for both WPA-Enterprise SSIDs.
Any ideas?




---
Nicholas Urrea
Information Technology
UC Hastings College of the Law
San Francisco, CA, 94102
urr...@uchastings.edu<mailto:urr...@uchastings.edu>
help desk: 415-581-8802
helpd...@uchastings.edu<mailto:helpd...@uchastings.edu>

** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.

** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

RE: [WIRELESS-LAN] Same Radius server, more than one SSID, different groups of users?

[Urrea, Nick]

I would like to limit the SSID so only a certain group can access it.

I want to use different QoS rates on different SSIDs so one network has
more bandwidth available to individual users than the other.

SSID for students 5 MB/s 

SSID for staff/faculty 20 MB/s

 

-Nick

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Mike King
Sent: Monday, September 19, 2011 11:42 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Same Radius server, more than one SSID,
different groups of users?

 

Nick, I've used both NPS (New RADIUS server from Microsoft) and IAS.
What you want to do is Extremely simple.

 

FYI:

Do NOT under any circumstances roll out a new SSID using WPA.   Use
WPA2.  

 

I have 3 SSID's that go back to the same RADIUS server.

 

Is there anything special you want to do?   Limit the groups so that
only one SSID is availble to them?

 

with VLAN id's you can even have users on the same SSID be in different
VLAN's, amoung other tricks.

 

Mike

 

On Mon, Sep 19, 2011 at 12:24 PM, Urrea, Nick 
wrote:

We at UC Hastings would like to create a new SSID that only allows
certain users with WPA-Enterprise authentication to access.

We currently have two SSIDs one which uses WPA-Enterprise with RADIUS
which checks against and Active Directory group and the other which uses
Web-Auth which checks against the same Active Directory. 

We are using the Cisco Solution for enterprise wireless.

 

I would like to use the same RADIUS server for both WPA-Enterprise
SSIDs.

Any ideas?

 

 

 

 

---

Nicholas Urrea

Information Technology

UC Hastings College of the Law

San Francisco, CA, 94102

urr...@uchastings.edu

help desk: 415-581-8802

helpd...@uchastings.edu

 

** Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at
http://www.educause.edu/groups/. 

 

** Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at
http://www.educause.edu/groups/. 


**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

Re: [WIRELESS-LAN] Same Radius server, more than one SSID, different groups of users?

[Mike King]

Nick, I've used both NPS (New RADIUS server from Microsoft) and IAS.  What
you want to do is Extremely simple.

FYI:
Do NOT under any circumstances roll out a new SSID using WPA.   Use WPA2.

I have 3 SSID's that go back to the same RADIUS server.

Is there anything special you want to do?   Limit the groups so that only
one SSID is availble to them?

with VLAN id's you can even have users on the same SSID be in different
VLAN's, amoung other tricks.

Mike


On Mon, Sep 19, 2011 at 12:24 PM, Urrea, Nick  wrote:

> We at UC Hastings would like to create a new SSID that only allows certain
> users with WPA-Enterprise authentication to access.
>
> We currently have two SSIDs one which uses WPA-Enterprise with RADIUS which
> checks against and Active Directory group and the other which uses Web-Auth
> which checks against the same Active Directory. 
>
> We are using the Cisco Solution for enterprise wireless.
>
> ** **
>
> I would like to use the same RADIUS server for both WPA-Enterprise SSIDs.*
> ***
>
> Any ideas?
>
> ** **
>
> ** **
>
> ** **
>
> ** **
>
> ---
>
> *Nicholas Urrea*
>
> *Information Technology*
>
> UC Hastings College of the Law
>
> San Francisco, CA, 94102
>
> urr...@uchastings.edu
>
> help desk: 415-581-8802
>
> helpd...@uchastings.edu
>
> ** **
> ** Participation and subscription information for this EDUCAUSE
> Constituent Group discussion list can be found at
> http://www.educause.edu/groups/.
>
>

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

Re: [WIRELESS-LAN] Same Radius server, more than one SSID, different groups of users?

[Hanset, Philippe C]

Nick,

Most RADIUS servers will let you do that
(freeRADIUS, RADIATOR, ACS...)
If you want to separate users you can also
Use the same SSID that you use currently
And return an attribute item from AD that would
Set the VLAN per user or per group of users.


Philippe,
eduroamus.org
University of Tennessee
(using a tiny keyboard)

On Sep 19, 2011, at 9:33 AM, "Urrea, Nick" 
mailto:urr...@uchastings.edu>> wrote:

We at UC Hastings would like to create a new SSID that only allows certain 
users with WPA-Enterprise authentication to access.
We currently have two SSIDs one which uses WPA-Enterprise with RADIUS which 
checks against and Active Directory group and the other which uses Web-Auth 
which checks against the same Active Directory.
We are using the Cisco Solution for enterprise wireless.

I would like to use the same RADIUS server for both WPA-Enterprise SSIDs.
Any ideas?




---
Nicholas Urrea
Information Technology
UC Hastings College of the Law
San Francisco, CA, 94102
urr...@uchastings.edu
help desk: 415-581-8802
helpd...@uchastings.edu

** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

Re: [WIRELESS-LAN] Same Radius server, more than one SSID, different groups of users?

[James J J Hooper]

On 19/09/2011 18:12, Urrea, Nick wrote:

Cisco shop yes we use a WISM2 with CAPWAP APs.
We are currently using IAS as our RADIUS server.

Can you have FreeRADIUS talk to AD or do you need another LDAP?


We also use AD as our primary credentials DB. FR can talk to AD by using 
ntlm_auth (part of samba) for authentication, and LDAP for authorization.


-James

--
James J J Hooper
Senior Network Specialist, University of Bristol 
http://www.wireless.bristol.ac.uk

--

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

RE: [WIRELESS-LAN] Same Radius server, more than one SSID, different groups of users?

[Urrea, Nick]

Cisco shop yes we use a WISM2 with CAPWAP APs.
We are currently using IAS as our RADIUS server.

Can you have FreeRADIUS talk to AD or do you need another LDAP? 

-Nick

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of James J J Hooper
Sent: Monday, September 19, 2011 10:02 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Same Radius server, more than one SSID, different 
groups of users?

On 19/09/2011 17:24, Urrea, Nick wrote:
> We at UC Hastings would like to create a new SSID that only allows 
> certain users with WPA-Enterprise authentication to access.
>
> We currently have two SSIDs one which uses WPA-Enterprise with RADIUS 
> which checks against and Active Directory group and the other which 
> uses Web-Auth which checks against the same Active Directory.
>
> We are using the Cisco Solution for enterprise wireless.
>
> I would like to use the same RADIUS server for both WPA-Enterprise SSIDs.
>
> Any ideas?

** If by "Cisco Solution" you meant Cisco WLC's with controller based APs:

This would be very easy to do with FreeRADIUS (http://www.freeradius.org/).

Do you have any other constraints? e.g. FreeRADIUS is unix/linux based, if you 
are a solely Windows shop, it'd be a bit of a learning curve.

We use FreeRADIUS to AAA our: VPN, Web-Auth wireless & multiple WPA2-Enterprise 
Wireless (inc. eduroam). A single instance can handle these simultaneously.

I believe the majority of the eduroam community use FreeRADIUS too.

** If you meant with Cisco ACS as your RADIUS server:
...sorry, no idea

Regards,
   James

--
James J J Hooper
Senior Network Specialist, University of Bristol 
http://www.wireless.bristol.ac.uk
-- 

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

Re: [WIRELESS-LAN] Same Radius server, more than one SSID, different groups of users?

[James J J Hooper]

On 19/09/2011 17:24, Urrea, Nick wrote:

We at UC Hastings would like to create a new SSID that only allows certain
users with WPA-Enterprise authentication to access.

We currently have two SSIDs one which uses WPA-Enterprise with RADIUS
which checks against and Active Directory group and the other which uses
Web-Auth which checks against the same Active Directory.

We are using the Cisco Solution for enterprise wireless.

I would like to use the same RADIUS server for both WPA-Enterprise SSIDs.

Any ideas?


** If by "Cisco Solution" you meant Cisco WLC's with controller based APs:

This would be very easy to do with FreeRADIUS (http://www.freeradius.org/).

Do you have any other constraints? e.g. FreeRADIUS is unix/linux based, if 
you are a solely Windows shop, it'd be a bit of a learning curve.


We use FreeRADIUS to AAA our: VPN, Web-Auth wireless & multiple 
WPA2-Enterprise Wireless (inc. eduroam). A single instance can handle 
these simultaneously.


I believe the majority of the eduroam community use FreeRADIUS too.

** If you meant with Cisco ACS as your RADIUS server:
...sorry, no idea

Regards,
  James

--
James J J Hooper
Senior Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk
--

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

Same Radius server, more than one SSID, different groups of users?

[Urrea, Nick]

We at UC Hastings would like to create a new SSID that only allows
certain users with WPA-Enterprise authentication to access.

We currently have two SSIDs one which uses WPA-Enterprise with RADIUS
which checks against and Active Directory group and the other which uses
Web-Auth which checks against the same Active Directory. 

We are using the Cisco Solution for enterprise wireless.

 

I would like to use the same RADIUS server for both WPA-Enterprise
SSIDs.

Any ideas?

 

 

 

 

---

Nicholas Urrea

Information Technology

UC Hastings College of the Law

San Francisco, CA, 94102

urr...@uchastings.edu  

help desk: 415-581-8802

helpd...@uchastings.edu

 


**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.