SecureACS EAP-TLS & PEAP

GarrettSkj
Level 1

I'm trying to figure out the best way that I can authenticate users on different VLANs with different authentication mechanisms.

I currently have my users being able to login with EAP-TLS utilizing SecureACS 5.2, I'd like to open up an additional VLAN that doesn't require them to use certificates, so that they could just use their AD credentials to login, this way they could connect their smartphone, or tablet.

My issue is I'm not sure of how to configure the SecureACS server to *REQUIRE* the authentication mechanism per VLAN.

Currently I can use either credential set in either radius request. (as it simply accepts).

I think this is something that is changed in the identity policy, that would differentiate the identity policy used based on the source IP of the RADIUS request, but I'm not sure.

Any help would be greatly appreciated. See diagram attached.

My question:

How do I configure SecureACS so that it only allows EAP-TLS in VLAN-A, and the AD authentication in the VLAN-B?

1 Reply

Tarik Admani
VIP Alumni

You should be able to do this; the access request in a RADIUS packet (if using Cisco Wireless) does send the Tunnel-Private-Group-ID (which is the VLAN ID). You can create a condition in your service selection rules and select the service you want based on the value of your VLAN. Then in that service rule you can set the authentication to PEAP.

Hope that helps.

Tarik Admani
*Please rate helpful posts*
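The following is an added example that models the decision the reply describes; it is not ACS code and not part of this thread. It decodes the RADIUS attribute TLVs from an Access-Request, pulls out Tunnel-Private-Group-ID (attribute 81, RFC 2868, with its optional leading tag byte), uses that VLAN value to pick a service, and then only permits the EAP method that service allows. The VLAN IDs (10 and 20), the service names and the sample requests are all constructed assumptions.

```python
# Attribute type numbers from RFC 2865 / RFC 2868
ATTR_USER_NAME = 1
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81

# Constructed policy table: VLAN -> service and the protocols that service permits.
# This mirrors an ACS service selection rule keyed on Tunnel-Private-Group-ID;
# a VLAN with no entry falls through to a deny result.
SERVICE_BY_VLAN = {
    "10": {"service": "Corp-EAP-TLS", "allowed_protocols": {"EAP-TLS"}},  # assumed VLAN-A
    "20": {"service": "BYOD-PEAP", "allowed_protocols": {"PEAP"}},        # assumed VLAN-B
}


def parse_attributes(payload: bytes):
    """Decode the RADIUS attribute section into a list of (type, value) pairs.

    Each attribute is Type(1) Length(1, includes the header) Value(Length-2).
    A truncated or zero-length attribute is rejected rather than silently skipped.
    """
    attrs = []
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header at offset %d" % i)
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("bad attribute length %d at offset %d" % (alen, i))
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


def tunnel_private_group_id(attrs):
    """Return the VLAN string from Tunnel-Private-Group-ID, or None if absent.

    RFC 2868: the first byte is a tag if it is in 0x00-0x1F; otherwise the
    whole value is the group identifier.
    """
    for atype, value in attrs:
        if atype == ATTR_TUNNEL_PRIVATE_GROUP_ID and value:
            if value[0] <= 0x1F:
                value = value[1:]
            return value.decode("ascii", errors="replace")
    return None


def select_service(attrs):
    """Service selection: pick the service by VLAN, deny when the VLAN is unknown."""
    vlan = tunnel_private_group_id(attrs)
    entry = SERVICE_BY_VLAN.get(vlan)
    if entry is None:
        return {"service": "DenyAccess", "allowed_protocols": set(), "vlan": vlan}
    return dict(entry, vlan=vlan)


def authorize(attrs, negotiated_eap_method: str) -> bool:
    """The method the supplicant negotiated must be one the selected service allows,
    so AD credentials over PEAP are refused on the certificate-only VLAN and vice versa."""
    decision = select_service(attrs)
    return negotiated_eap_method in decision["allowed_protocols"]


def build_attr(atype: int, value: bytes) -> bytes:
    """Helper to construct a single RADIUS attribute TLV for the sample requests."""
    return bytes([atype, len(value) + 2]) + value


# Constructed sample Access-Request attribute sections (tag byte 0x00 before the VLAN).
REQ_VLAN_A = build_attr(ATTR_USER_NAME, b"alice") + build_attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"10")
REQ_VLAN_B = build_attr(ATTR_USER_NAME, b"bob") + build_attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"20")
REQ_NO_VLAN = build_attr(ATTR_USER_NAME, b"carol")

if __name__ == "__main__":
    for name, req, method in [("VLAN-A/EAP-TLS", REQ_VLAN_A, "EAP-TLS"),
                              ("VLAN-A/PEAP", REQ_VLAN_A, "PEAP"),
                              ("VLAN-B/PEAP", REQ_VLAN_B, "PEAP"),
                              ("no VLAN/PEAP", REQ_NO_VLAN, "PEAP")]:
        attrs = parse_attributes(req)
        print(name, select_service(attrs)["service"], "accept" if authorize(attrs, method) else "reject")
```

The point the model makes explicit is that the VLAN attribute arrives from the NAS (the wireless controller), so the service selection rule is keyed on that value rather than on the credential the user presents; a request on the certificate VLAN with PEAP is rejected by the service's allowed-protocols set, not by the identity store. If your controller does not include Tunnel-Private-Group-ID in the Access-Request, the same rule structure can be keyed on NAS-IP-Address instead, as the question suggests.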