Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
784
Views
0
Helpful
4
Replies

WPA+WPA2+802.1x

chella2ck
Level 1
Level 1

‎09-03-2013 02:48 AM - edited ‎03-10-2019 08:51 PM

Dear Friends,

I appreciate if anyone answer my question. we have a domain more than 10k users, and we are providing corporate wireless access to our employees. currently employees are using their AD credential for authentication via ACS 5.4. We want to add additional security in the wireless that only particular MAC address devices along with right AD credential to gain the wireless access. How could I do this in the ACS 5.4?

Can anyone help me on this?

Regards

Kumar

Labels:
0 Helpful
4 Replies 4

selva Kathir
Level 1
Level 1

‎09-03-2013 03:49 AM

Hi Kumar,

You can do this by adding the MAC address of the Computers in the internal database of ACS.

And it can also be done by adding the prefix of the MAC address also.

And your Access policy has to be configured to verify with ad credentials as well as MAC address

HTH,

Selva

0 Helpful

chella2ck
Level 1
Level 1
In response to selva Kathir

‎09-04-2013 01:14 AM

Hi Selva,

Thanks for your reply. I added the MAC address in the host Identity store. But I couldnt make it work in the access policy. It seems cannot able to match host identity store and AD credential in the Identity policy or in the authorization policy. I am not sure what I am missing, can you give any example?

Regards

Kumar 

0 Helpful

Venkatesh Attuluri
Cisco Employee
Cisco Employee

‎09-03-2013 05:14 AM

Review this link that states "Machine Access Restrictions"

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/users_id_stores.html#wp1254965

0 Helpful

Anas Naqvi
Level 1
Level 1

‎09-03-2013 08:54 AM

Hello Kumar,

Machine Authentication

Machine  authentication provides access to network services to only these  computers that are listed in Active Directory. This becomes very  important for wireless networks because unauthorized users can try to  access your wireless access points from outside your office building.

Machine  authentication happens while starting up a computer or while logging in  to a computer. Supplicants, such as Funk Odyssey perform machine  authentication periodically while the supplicant is running.

If  you enable machine authentication, ACS authenticates the computer  before a user authentication request comes in. ACS checks the  credentials provided by the computer against the Windows user database.  If the credentials match, the computer is given access to the network.

Attribute Retrieval for Authorization

You can configure ACS to  retrieve user or machine AD attributes to be used in authorization and  group mapping rules. The attributes are mapped to the ACS policy results  and determine the authorization level for the user or machine.

ACS  retrieves user and machine AD attributes after a successful user or  machine authentication and can also retrieve the attributes for  authorization and group mapping purposes independent of authentication.

Please also check the below link,

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/users_id_stores.html#wp1170404

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents