Guest Wireless ACS + AD Authentication question

fgao
Level 1

Hello all

Client has a guest wireless and is looking for a special authentication.

Client wants all company users to be able to use the same domain account to log into the guest network, but they cannot use a company laptop.

Also, for the real guests, it will create a local account.

Client would like to use Layer 3 authentication in the WLC, meaning that Layer 2 authentication such as 802 will not be considered; everyone can get "connected" and get an IP, but authentication will happen on Layer 3 with Web Authentication.

Does anyone have experience with a similar case? What is the best way to do it?

3 Replies

Amjad Abdullah
VIP Alumni

Hello,

What I understood is:

- One guest account on AD MUST be used for all company users connecting from non-company laptops.

- Other guests will use local account (NOT AD account) to connect to the guest network from non-company laptops.

- Only Layer 3 authentication (web auth) will be used. No dot1x authentication.

In WebAuth you cannot check whether the laptop is a company laptop that is in the domain or not!

If you are using L2 authentication, that can be done by (supposing you use ACS 5.x) creating policy rules that mandate the specific guest AD account to connect from non-domain machines (use machine auth to check) and creating a policy that allows all other non-AD machines onto the guest network.

Let me know if there is any point that needs more clarification.

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"

Thanks Amjad

Now, let us forget about machine authentication for the guest; I just want to use ACS + AD for the guest as well, because I need all domain users to be able to access it with their domain accounts.

I am trying to set this up with the existing ACS, which is used for CORP authentication.

I set up an "End Station Filter" with DNIS, with the DNIS based on the SSID.

And I created another access policy for Guest. So in the Service Selection Policy, I made ACS choose the policy by DNIS.

This works for CORP authentication, but for the Guest, when the user inputs a domain username and password, the ACS denies access.

In the Guest policy I permit everything, but based on the log, it looks like no rule (even the default rule) is hit.

Does anyone know how to set up authentication for 2 SSIDs in 1 ACS?

Access Policy

  Access Service:                               DenyAccess
  Identity Store:
  Authorization Profiles:
  Exception Authorization Profiles:
  Active Directory Domain:
  Identity Group:
  Access Service Selection Matched Rule:        Default
  Identity Policy Matched Rule:
  Selected Identity Stores:
  Query Identity Stores:
  Selected Query Identity Stores:
  Group Mapping Policy Matched Rule:
  Authorization Policy Matched Rule:
  Authorization Exception Policy Matched Rule:

  11001  Received RADIUS Access-Request
  11017  RADIUS created a new session
         Evaluating Service Selection Policy
  15006  Matched Default Rule
  15012  Selected Access Service - DenyAccess
  11019  Selected DenyAccess Service
  11003  Returned RADIUS Access-Reject

Hello,

I am using my ACS and I have multiple dot1x SSIDs and I am using the end-station-filter to make sure only appropriate people can connect to the appropriate SSID.

In your case you are saying the first rule for CORP works fine? Is that a dot1x SSID or a webAuth SSID?

Please note that the WLC does not send the SSID name for webAuth SSIDs to the RADIUS server by default. You must manually tell the WLC to do that via the command:

  config radius callstationidtype ap-macaddr-ssid

Whether the above command is available depends on your WLC's version, though. What version are you using?

If that is not the issue, please provide clearer screenshots, as I cannot see the ones you provided clearly. Please also provide a screenshot of the DNIS configuration in the end-station-filter.

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"
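The failure mode Amjad describes in the reply above (the WLC's Called-Station-Id arriving at the RADIUS server without the SSID, so a DNIS-based service selection rule never matches and the default rule selects DenyAccess, exactly as the posted log shows) can be simulated offline. The following is an added example and is not code from the thread, from Cisco ACS or from the WLC: it runs a DNIS wildcard filter over the Called-Station-Id values a WLC produces under three `config radius callstationidtype` settings. The rule names, SSIDs, MAC and IP values and Access-Request contents are constructed; the dash-separated "AP-MAC:SSID" form is assumed from the WLC's ap-macaddr-ssid setting, and the wildcard matching stands in for the ACS end-station filter rather than reproducing its exact syntax.

```python
"""Added example (not from the thread): how a RADIUS server's DNIS /
end-station filter sees the Called-Station-Id attribute a Cisco WLC sends,
depending on `config radius callstationidtype`.  Requests, rule names and
SSIDs below are constructed; the "AP-MAC:SSID" layout for ap-macaddr-ssid
and the bare client MAC for macaddr are assumptions about the WLC format."""
import fnmatch
import re

# Dash-separated MAC, optionally followed by ":SSID" (assumed WLC layout).
_MAC_SSID = re.compile(r"^([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})(?::(.+))?$")


def parse_called_station_id(value):
    """Return (mac, ssid).  ssid is None unless the WLC appended it; both are
    None for the ipaddr form, which carries no MAC and no SSID at all."""
    m = _MAC_SSID.match(value)
    if not m:
        return None, None
    return m.group(1).lower(), m.group(2)


# Service selection rules, evaluated top-down: (rule name, DNIS wildcard,
# access service).  Hypothetical names; "*:CORP" means "any station id that
# ends in :CORP", which is what a DNIS filter keyed on the SSID relies on.
RULES = [
    ("Rule-CORP", "*:CORP", "CORP-Access"),
    ("Rule-GUEST", "*:GUEST", "Guest-Access"),
]
DEFAULT = ("Default", "DenyAccess")


def select_access_service(attrs, rules=RULES, default=DEFAULT):
    """Mimic service selection by DNIS: the first rule whose wildcard matches
    Called-Station-Id wins; with no match the default rule (DenyAccess)
    is selected, which is the path the posted ACS log shows."""
    dnis = attrs.get("Called-Station-Id", "")
    for rule, pattern, service in rules:
        if fnmatch.fnmatchcase(dnis, pattern):
            return rule, service
    return default


# Constructed Access-Requests for the same domain user on the GUEST SSID,
# one per callstationidtype setting (not captured from a real WLC).
REQUESTS = {
    # ap-macaddr-ssid: AP radio MAC plus the SSID the client associated to
    "ap-macaddr-ssid": {"User-Name": "CORP\\jdoe",
                        "Called-Station-Id": "00-1A-2B-3C-4D-5E:GUEST"},
    # macaddr: client MAC only, no SSID -> the DNIS filter has nothing to key on
    "macaddr": {"User-Name": "CORP\\jdoe",
                "Called-Station-Id": "AA-BB-CC-DD-EE-01"},
    # ipaddr: WLC management address only
    "ipaddr": {"User-Name": "CORP\\jdoe",
               "Called-Station-Id": "10.10.10.5"},
}


def evaluate_all(requests=REQUESTS):
    """Run every constructed request through service selection."""
    return {mode: select_access_service(req) for mode, req in requests.items()}


if __name__ == "__main__":
    for mode, (rule, service) in evaluate_all().items():
        print(f"callstationidtype {mode:16s} -> matched {rule}, service {service}")
```

Only the ap-macaddr-ssid request reaches the Guest access service; the other two fall through to the default rule and are rejected before any identity store is consulted, which is why the ACS log detail shows an empty Identity Store and Identity Policy even though the Guest policy itself permits everything. When adding the SSID to the station id, re-check the DNIS patterns on the CORP rules too, since they now have to match the suffixed form as well.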