BYOD Wireless authentication help

Joe Clark
Level 1

Our company is going to have some contractors on site for a long term project.  They are bringing their own laptops and will not be on our domain.  We want to set up a separate SSID for this group of people.  Our IT Security department wants us to have certificate authentication.  We currently do this with our Corporate users using EAP-TLS with user and machine certs via ACS and Active Directory.

The contractors will only have user accounts/certs, no machine certs. I tried testing a new group in ACS but wasn't able to get that working. We have also tried LDAP auth without interaction with ACS unsuccessfully.

I've been testing these on a test SSID on our corporate WiSM but in the end, this network will live on a 5508 guest controller.

In our environment we have the following:

Two WiSM controllers in separate data centers

4402 guest controller (in production now)

5508 guest controller (being installed now)

All controllers running 7.0.235.3

ACS 4.2

NCS 1.1.1.24

6 Replies

Amjad Abdullah
VIP Alumni

Joe: you have configured the clients to use only user authentication?

What is the failure reason you see under the failed attempts logs?

What you can do is configure a group into which users who fail machine auth will fall.

Or

you can exempt specific groups from passing machine auth.

This is configurable under

External User Databases -> Database configuration -> Windows Database -> press configure button -> Windows Auth configuration.

Go to (Windows EAP Settings) area.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

Ok, if we are to use ACS for this do you know how I can get the users dynamically mapped to a new group?  Corporate users are put into the default group right now.  Is there an attribute in Active Directory or something we need to specify to put these contractors into their own dynamic group?

Joe:

If only those contractors use user auth only (and all others use machine and user auth) then you can map those who do only a user auth (not machine auth) to specific AD group.

Those users are in AD?? You mentioned before that they are not? Or are they?

Rating useful replies is more useful than saying "Thank you"

The users are in AD but not the machines.

This is even easier. If they are in the same AD group you can map the AD group to a specific local ACS group.

External User DB -> DB group mapping.

Rating useful replies is more useful than saying "Thank you"

That's what I tried before but with no luck.  Right now, the mapping that appears to work for our corporate users is "All other combinations" under NT Groups.  Can you tell me how I would get these contractors to match up to another mapping?

I do not have access to Active Directory, that is another group here.  So if something needs to be added/changed for these users I will have to let them know.
