While you are correct about the 1500 result limit, this shouldn't be an
issue with wireless authentication as the RADIUS server will only query
for the username requesting authentication. This works fine even with >4000
members in a group (we have this working right now).
On 01/22/2011 06:21 AM, Osborne, Bruce W wrote:
Mike,
Unfortunately, I do not have a suggestion, but just a caution. I do
not know the size of your organization, but be aware that Microsoft AD
groups with more than 1500 members cannot be queried properly with
generic LDAP. You will only get the first 1500 members.
In my experience here at Liberty University, OpenLDAP & Cisco ACS 4
(& I expect, 5) will not work. We are moving to using Microsoft NOS
server on Server 2008R2 for RADIUS. According to the standard, LDAP
extensions are supposed to be optional. In this case, Microsoft makes
the extension mandatory.
Bruce Osborne
Liberty University

*From:* Williams, Mr. Michael
*Sent:* Friday, January 21, 2011 10:56 AM
*Subject:* Link LDAP groups to Separate SSIDs for Authentication
All,
I have been trying to figure this out but have been unable to find a
solution. Here is what we are trying to do.
1 wireless SSID that is an open network which uses a web portal for
authentication - this would be the student network
1 wireless SSID that is using 802.1x w/WPA and a splash page - this would
be used for Fac/Staff
Is it possible to link the Student SSID to only the Student group in
LDAP and the Fac/Staff SSID to only the Fac/Staff using LDAP? We
want to keep the Fac/Staff folks from using the open network. Does
anyone have similar requirements?
We have a Cisco ACS that is linked to LDAP/AD, a WISM and WCS.
v/r
Mike

Michael M. Williams
Network Systems Analyst
Information Technology Services
Tarleton State University
********** Participation and subscription information for this
EDUCAUSE Constituent Group discussion list can be found at
http://www.educause.edu/groups/.
--
Sam Stelfox
Network Administrator
Vermont Technical College
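
The difference between the two replies above, as an added example that is not part of anyone's message in this thread: enumerating a large AD group over generic LDAP stops at the first 1500 values unless the client follows the `member;range=` windows, while a per-user membership check never reads the member list at all. The directory is a constructed in-memory stand-in, and the DNs, user names and function names are assumptions.

```python
import re

MAX_VAL_RANGE = 1500  # per-read value cap discussed in the thread
GROUP_DN = "CN=FacStaff,OU=Groups,DC=example,DC=edu"  # constructed DN
# Constructed sample directory: 4200 users, all members of GROUP_DN.
USERS = {f"user{i:04d}": [GROUP_DN] for i in range(4200)}
MEMBERS = [f"CN={u},OU=People,DC=example,DC=edu" for u in USERS]


def read_group(attr="member"):
    """Stand-in for a base-scope read of a group larger than the cap.
    Returns at most MAX_VAL_RANGE values under the attribute name
    member;range=LOW-HIGH, with HIGH == '*' on the last window."""
    m = re.fullmatch(r"member(?:;range=(\d+)-(\d+|\*))?", attr)
    if not m:
        raise ValueError(f"unsupported attribute: {attr}")
    low = int(m.group(1) or 0)
    page = MEMBERS[low:low + MAX_VAL_RANGE]
    last = low + len(page) >= len(MEMBERS)
    high = "*" if last else str(low + len(page) - 1)
    return {f"member;range={low}-{high}": page}


def naive_members():
    """What a client without range support sees: one read, first window only."""
    (values,) = read_group().values()
    return values


def all_members():
    """Ranged retrieval: request the next window until HIGH comes back as '*'."""
    out, low = [], 0
    while True:
        ((name, values),) = read_group(f"member;range={low}-*").items()
        out.extend(values)
        if name.endswith("-*"):
            return out
        low = int(name.rsplit("-", 1)[1]) + 1


def user_in_group(username, group_dn=GROUP_DN):
    """Per-user check, equivalent to (&(sAMAccountName=U)(memberOf=GROUP)):
    only the one user entry is examined, so group size does not matter."""
    return group_dn in USERS.get(username, [])
```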