Wireless Authentication (Searching for a better way)

fing8733
Level 1

We set up a wireless network several years ago. We have upgraded all of our hardware but never how we authenticate users. The bulk of our users authenticate to an 802.1X SSID through an ACS (5.0). We have both machine and user authentication to the domain, with MAC filtering on top of that. It's overkill and not foolproof, this I do know. We also have another SSID with WPA2-PSK and MAC filtering for things like iPads and Macs.

I am looking into certificate-based authentication but I am not finding exactly what I want. For example, if I set up PEAP with certificates, is that a secure solution? From what I understand, I need to have the ACS server trust the domain certificate. Can I then have the PCs auto-enroll for a certificate?

The end result would be this. A PC/Mac on the domain would authenticate to the network when it first boots via a certificate. Then a user can walk up and log into the PC just as they do wired. If a PC that is not on our domain tries to join, then the domain will know it does not have a cert and deny access.

Sorry if some of my terminology seems off. The cert thing is very new to me and I am having a hard time getting my head around it.

Thanks!

3 Replies

Scott Fella
Hall of Fame

What you need to look at is EAP-TLS, which is only for domain computers and works well in a shared environment. ACS does have to have a certificate from your PKI infrastructure and has to be on the domain, which it already is. Then you can push out, via GPO, auto-enrollment of computer certificates. This way a computer that is on your domain and has a valid certificate can access the network and doesn't have to depend on username and password like PEAP.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

From what I have found, I understand where the certs need to be installed, such as on the ACS and the PC from the domain. How does this STOP anyone without a cert from authenticating? Does the PC send the cert to the ACS, and the ACS checks with the domain every time?

Well, the ACS will only trust the domain certificate, since you will configure the domain CA as a trusted CA. Then the computer must be part of the domain computer group to be allowed access. Now it can be something other than the domain computer group, but that is the default location for all domain computers.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
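The two decisions Scott describes in his replies (the RADIUS server trusts only certificates issued by the domain CA, then checks the computer's group membership) modelled in Python, as an added example that is not from this thread or from Cisco ACS. The CA, the client certificates, the host names and the directory lookup are all constructed inline; it assumes the `cryptography` package is installed.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def make_cert(cn, issuer_cn, signing_key, key, is_ca=False, days=365):
    """Issue an ECDSA/SHA-256 certificate; days < 0 yields an already-expired one."""
    name = lambda s: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, s)])
    now = datetime.now(timezone.utc).replace(tzinfo=None)
    return (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name(issuer_cn))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(days=400)).not_valid_after(now + timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signing_key, hashes.SHA256()))

def authorize(client_cert, trusted_ca, directory, allowed_group="Domain Computers"):
    """Return (accepted, reason), mirroring ACS: trusted-CA check first, then group check."""
    # 1. Trust only the domain CA: the issuer name must match AND the signature must verify
    #    under the CA's key, so a cert from any other CA (even one copying the name) fails here.
    if client_cert.issuer != trusted_ca.subject:
        return False, "issuer is not the trusted domain CA"
    try:
        trusted_ca.public_key().verify(client_cert.signature, client_cert.tbs_certificate_bytes,
                                       ec.ECDSA(client_cert.signature_hash_algorithm))
    except InvalidSignature:
        return False, "signature does not verify under the domain CA key"
    # cryptography >= 42 exposes tz-aware *_utc validity properties; older releases are naive
    if hasattr(client_cert, "not_valid_after_utc"):
        window = client_cert.not_valid_before_utc, client_cert.not_valid_after_utc, datetime.now(timezone.utc)
    else:
        window = (client_cert.not_valid_before, client_cert.not_valid_after,
                  datetime.now(timezone.utc).replace(tzinfo=None))
    if not (window[0] <= window[2] <= window[1]):
        return False, "certificate outside its validity period"
    # 2. Authorization: the computer named in the cert must be in the allowed group (the
    #    thread's default is Domain Computers); a joined-but-quarantined host fails here.
    cn = client_cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    if allowed_group not in directory.get(cn, set()):
        return False, f"{cn} is not a member of {allowed_group}"
    return True, f"{cn} accepted"

# Constructed PKI and directory: one domain CA, plus one key the domain never trusted.
DOMAIN_CA_KEY, ROGUE_KEY = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
DOMAIN_CA = make_cert("CORP-ROOT-CA", "CORP-ROOT-CA", DOMAIN_CA_KEY, DOMAIN_CA_KEY, is_ca=True)
DIRECTORY = {"LAPTOP01.corp.example": {"Domain Computers"}, "KIOSK02.corp.example": {"Quarantine"}}

def issue(cn, ca_key=DOMAIN_CA_KEY, days=365):
    """Client cert claiming issuance by CORP-ROOT-CA; ca_key=ROGUE_KEY simulates a cert the domain CA never signed."""
    return make_cert(cn, "CORP-ROOT-CA", ca_key, ec.generate_private_key(ec.SECP256R1()), days=days)
```

`authorize(issue("LAPTOP01.corp.example"), DOMAIN_CA, DIRECTORY)` is the accepted case; the same host name under `ROGUE_KEY`, an expired cert, or a host outside the group is rejected with the reason that ACS would log.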