11-24-2009 11:34 AM - edited 03-10-2019 04:48 PM
Hi
Really new at ACS
I was wondering if this is possible.
For a school division using AD,
the school division would like to use ACS 4.2 RADIUS for the AD users to access the network, wired or wireless.
For rogue users, they want them to go to the guest default VLAN with Internet access only.
Reading some of the information, I see that by loading the remote agent on a Windows server I can set up AD users very easily, but I have not found a lot of information on unauthorized users. I've seen NAR and NAF, and it looks like they would work; I'm just not sure I understand the attributes needed.
Any help is appreciated
11-25-2009 04:51 AM
Why don't you make two SSIDs (two different VLANs)?
One for GUESTs and the other for regular users. Enable more stringent security measures on the REGULAR VLAN, e.g. PEAP. For regular users only allow DNS and Internet traffic (preferably via a proxy that requires authentication). Of course you need a mechanism to generate temporary passwords for the guest users.
Giving them free access to the Internet does not seem to be a good idea; what if someone uses the connection maliciously? The Internet is going to see it coming from your public IP!
These are a few PEAP configuration examples:
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml
Regards
Farrukh
11-25-2009 05:46 AM
Good Morning Farrukh
Thanks for the reply,
I guess I should have indicated that all AD users, wired and wireless, authenticate to AD via RADIUS, and rogue wired and wireless users authenticate to the internal ACS DB and then go to the guest VLAN. Is this possible for the rogue users?
I was questioning the Internet access as well.
I will be going to see this customer in the near future, as I have a few other questions as well.
Thanks again
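The split described in this thread (AD users onto the staff VLAN, internal-DB guest accounts onto an Internet-only guest VLAN) is usually carried in the RADIUS Access-Accept itself. The following is an added illustration, not ACS code or anything posted in the thread: it models that authorization decision and the RFC 3580 tunnel attributes a RADIUS server returns so the switch or WLC assigns the VLAN. The user names, passwords and VLAN numbers are constructed, and the plain password comparison stands in for the real EAP (e.g. PEAP) exchange.

```python
# Added illustration (not ACS code): per-user VLAN authorization over RADIUS.
# Identity stores, credentials and VLAN numbers below are constructed for the example.
from dataclasses import dataclass

# RFC 2868 attribute numbers with the RFC 3580 values used for dynamic VLAN assignment.
TUNNEL_TYPE = 64              # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65       # value 6  = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81  # VLAN ID, sent as a string

CORP_VLAN = "10"   # constructed: VLAN for AD-authenticated staff
GUEST_VLAN = "99"  # constructed: Internet-only VLAN for guest accounts

# Constructed stand-ins for the two identity stores the thread mentions.
AD_USERS = {"jsmith": "Winter2009!"}         # Windows AD (reached via the remote agent)
INTERNAL_DB = {"guest01": "temp-pass-1122"}  # ACS internal database: temporary guest accounts


@dataclass
class RadiusReply:
    code: str         # "Access-Accept" or "Access-Reject"
    attributes: dict  # attribute number -> value


def vlan_attributes(vlan_id: str) -> dict:
    """Attribute set that tells the NAS to place the session in vlan_id."""
    return {TUNNEL_TYPE: 13, TUNNEL_MEDIUM_TYPE: 6, TUNNEL_PRIVATE_GROUP_ID: vlan_id}


def authorize(username: str, password: str) -> RadiusReply:
    """Choose the VLAN from the identity store that authenticated the user.

    AD users      -> Access-Accept with the staff VLAN
    internal-DB   -> Access-Accept with the guest VLAN
    anyone else   -> Access-Reject (whether the port then falls back to a
                     guest VLAN is a switch-side setting, not a RADIUS attribute)
    The equality check stands in for the EAP method (e.g. PEAP) ACS would run.
    """
    if AD_USERS.get(username) == password:
        return RadiusReply("Access-Accept", vlan_attributes(CORP_VLAN))
    if INTERNAL_DB.get(username) == password:
        return RadiusReply("Access-Accept", vlan_attributes(GUEST_VLAN))
    return RadiusReply("Access-Reject", {})
```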