One SSID to authenticate AD, LDAP & Guest

Alitay1983
Level 1

Equipment: Cisco ISE 2.1, WLC, APs, AD, LDAP

Client types:

- AD-joined users accessing wireless through AD machines.

- AD-joined users accessing wireless through personal machines (Apple, Android, Windows, ...).

- Non-AD employees accessing wireless and authenticated against an LDAP server.

- Guest users.

Is the above scenario achievable with one SSID configured, and without AnyConnect or another agent?


Bobby Stojceski
Level 1

I've never attempted this, but off the top of my head it is possible. However, you'd probably need to work to the lowest common denominator with security. So if you are allowing guests on this same SSID, then you'd likely want them to have their own username and password, which means web-form based authentication, which in turn means an Open security network.

Based on the above, you'd also be authenticating AD users on an open security network, leaving it open for someone to intercept wireless traffic and get AD credentials from staff.

So I wouldn't do it personally. ISE certainly supports using multiple user database sources (like AD, local database etc.), but whether it's good to do it in this case, I'd err on the side of no.

Any particular reason you want to do it this way? My preference would be:

CORPORATE SSID: Use the WLC and direct RADIUS to an AD Network Policy Server using 802.1X (EAP-TLS or PEAP-MSCHAPv2 etc.). Unless you need NAC and posture from ISE etc., of course, then use ISE as the authenticating and authorizing server.

BYOD SSID: If you have an MDM in place (MobileIron, AirWatch etc.), have devices enrol and then deliver a certificate to allow EAP-type authentication. Again, this could be directly against Microsoft NPS or against ISE.

GUEST SSID: Use ISE with an SSID in MAC filtering mode with RADIUS MAC (called ISE NAC in WLC v8.3+) to authenticate users. You could use this method for the BYOD SSID as well if you wanted to.

Hope that helps. In short, yes, you can do what you want, with the RADIUS server for that SSID being ISE, set up to use multiple user sources. But I wouldn't do it.

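The guest design in the accepted answer (SSID in MAC filtering mode, RADIUS MAC to ISE) hinges on what the WLC actually sends: an Access-Request whose User-Name is the client's MAC and whose Service-Type is Call-Check, which is how ISE's default Wireless_MAB condition tells a MAC check apart from a user typing a password into a portal. The following is an added example, not code from the thread or from Cisco: it builds such a request per RFC 2865/2869, then plays the server side by verifying the Message-Authenticator against the shared secret and classifying the request. Assumptions: the MAC-as-username format (lowercase, no delimiter) varies by WLC setting and is chosen here for illustration; the shared secret, MAC addresses and SSID are constructed sample values; the extra check that User-Name matches Calling-Station-Id is this example's addition, not part of the ISE condition.

```python
"""Build and verify a RADIUS Access-Request as a WLC in MAC-filtering mode would send it."""
import hashlib
import hmac
import os
import struct

# RADIUS code and attribute types (RFC 2865, RFC 2869, RFC 3580)
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_SERVICE_TYPE = 6
ATTR_CALLED_STATION_ID = 30
ATTR_CALLING_STATION_ID = 31
ATTR_NAS_PORT_TYPE = 61
ATTR_MESSAGE_AUTHENTICATOR = 80
SERVICE_TYPE_CALL_CHECK = 10           # marks a MAC check rather than a password login
NAS_PORT_TYPE_WIRELESS_80211 = 19
HEADER_LEN = 20


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value (length covers the two header bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_wireless_mab_request(client_mac: str, ap_mac: str, ssid: str,
                               secret: bytes, ident: int = 0,
                               authenticator: bytes = b"") -> bytes:
    """Return the Access-Request for one wireless client doing MAC authentication.

    User-Name carries the MAC (assumed format: lowercase, no delimiter) and
    Service-Type is Call-Check; Message-Authenticator is HMAC-MD5 over the
    whole packet with its own value zeroed, keyed by the shared secret.
    """
    authenticator = authenticator or os.urandom(16)   # Request Authenticator, random per request
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    mac_user = client_mac.replace(":", "").replace("-", "").lower()
    attrs = b"".join([
        _attr(ATTR_USER_NAME, mac_user.encode()),
        _attr(ATTR_CALLING_STATION_ID, client_mac.upper().replace(":", "-").encode()),
        _attr(ATTR_CALLED_STATION_ID, f"{ap_mac.upper().replace(':', '-')}:{ssid}".encode()),
        _attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK)),
        _attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211)),
    ])
    ma_offset = HEADER_LEN + len(attrs)               # offset of the Message-Authenticator attribute
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs)) + authenticator + attrs
    digest = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:ma_offset + 2] + digest + packet[ma_offset + 18:]


def parse_attributes(packet: bytes) -> list:
    """Walk the attribute list, rejecting bad lengths so a malformed packet raises."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < HEADER_LEN:
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server side: recompute the HMAC with the attribute zeroed; absent or wrong means reject."""
    try:
        attrs = parse_attributes(packet)
    except ValueError:
        return False
    pos = HEADER_LEN
    for attr_type, value in attrs:
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
        pos += 2 + len(value)
    return False


def _int_attr(attrs: dict, attr_type: int) -> int:
    value = attrs.get(attr_type, b"")
    return struct.unpack("!I", value)[0] if len(value) == 4 else -1


def classify_request(packet: bytes, secret: bytes) -> str:
    """Mirror ISE's Wireless_MAB condition (Service-Type Call-Check and NAS-Port-Type
    Wireless-IEEE-802.11); the User-Name == Calling-Station-Id check is an added assumption."""
    if not verify_message_authenticator(packet, secret):
        return "rejected: bad or missing Message-Authenticator"
    attrs = dict(parse_attributes(packet))
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace").lower()
    calling = attrs.get(ATTR_CALLING_STATION_ID, b"").decode(errors="replace")
    calling_norm = calling.replace("-", "").replace(":", "").lower()
    if (_int_attr(attrs, ATTR_SERVICE_TYPE) == SERVICE_TYPE_CALL_CHECK
            and _int_attr(attrs, ATTR_NAS_PORT_TYPE) == NAS_PORT_TYPE_WIRELESS_80211
            and user == calling_norm):
        return "wireless_mab"
    return "other"


if __name__ == "__main__":
    secret = b"example-shared-secret"                 # constructed sample secret
    pkt = build_wireless_mab_request("aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55", "CORP-GUEST", secret, ident=7)
    print(len(pkt), "bytes,", classify_request(pkt, secret))
```

The classification only says "this is a MAC check"; it is the authorization policy on ISE that then decides whether an unknown MAC gets a web-auth redirect and whether the Message-Authenticator is required at all, so a practitioner should confirm both on the live deployment rather than infer them from the packet.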
Thank you, Bobby.

What you stated is correct.

I have another question. In case

1- BYOD access using certificate authentication was granted to users,

2- NSP provisioning to push an 802.1X supplicant is given to the user if he logged in with correct LDAP credentials,

do you think there is a way to limit the number of devices or connection sessions per user?

Especially since this user is not redirected to a guest portal.