06-18-2012 01:13 PM - edited 07-03-2021 10:19 PM
We set up a wireless network several years ago. We have upgraded all of our hardware but never how we authenticate users. The bulk of our users authenticate to an 802.1X SSID through an ACS (5.0). We have both machine and user authentication to the domain with MAC filtering on top of that. It's overkill and not foolproof, this I do know. We also have another SSID with WPA2-PSK and MAC filtering for things like iPads and Macs.
I am looking into certificate-based authentication but I am not finding exactly what I want. For example, if I set up PEAP with certificates, is that a secure solution? From what I understand, I need to have the ACS server trust the domain certificate. Can I then have the PCs auto-enroll for a certificate?
The end result would be this. A PC/Mac on the domain would authenticate to the network when it first boots via a certificate. Then a user can walk up and log into the PC just as they do wired. If a PC that is not on our domain tries to join, then the domain will know it does not have a cert and deny access.
Sorry if some of my terminology seems off. The cert thing is very new to me and I am having a hard time getting my head around it.
Thanks!
06-18-2012 02:51 PM
What you need to look at is EAP-TLS, which is only for domain computers and works well in a shared environment. ACS does have to have a certificate from your PKI infrastructure and has to be on the domain, which it is already. Then you can push out auto-enrollment of computer certificates via GPO. This way a computer that is on your domain and has a valid certificate can access the network and doesn't have to depend on username and password like PEAP.
Sent from Cisco Technical Support iPhone App
06-20-2012 08:08 AM
From what I have found, I understand where the certs need to be installed, such as on the ACS and on the PC from the domain. How does this STOP anyone without a cert from authenticating? Does the PC send the cert to the ACS and the ACS checks with the domain every time?
06-20-2012 09:19 AM
Well, the ACS will only trust the domain certificate since you will configure the domain CA as a trusted CA. Then the computer must be part of the domain computer group to be allowed access. Now it can be something other than the domain computer group, but that is the default location for all domain computers.
Sent from Cisco Technical Support iPhone App
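The two replies above describe the decision the RADIUS server makes on an EAP-TLS machine certificate: it only trusts certificates chaining to the domain CA, and the named computer must be in an allowed group (Domain Computers by default). The following Go program is an added example, not code from the thread or from Cisco ACS; it builds an in-memory domain CA and a rogue CA, issues machine certificates, and runs that check against a constructed stand-in for the Domain Computers group. The host names, CA names and group contents are all made up for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// caBundle is an in-memory CA (constructed for this example; in the thread's
// setup this role is played by the domain's enterprise CA).
type caBundle struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

var serial int64 // simple counter so every issued certificate gets a unique serial

func nextSerial() *big.Int { serial++; return big.NewInt(serial) }

// validity returns a window that is already valid and expires tomorrow.
func validity() (time.Time, time.Time) {
	return time.Now().Add(-time.Hour), time.Now().Add(24 * time.Hour)
}

// newCA creates a self-signed CA certificate with the CertSign key usage.
func newCA(name string) (*caBundle, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	nb, na := validity()
	tmpl := &x509.Certificate{
		SerialNumber: nextSerial(), Subject: pkix.Name{CommonName: name},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &caBundle{cert: cert, key: key}, err
}

// issueMachineCert plays the part of GPO auto-enrollment: the CA issues a
// client-authentication certificate naming the computer account.
func (ca *caBundle) issueMachineCert(hostname string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	nb, na := validity()
	tmpl := &x509.Certificate{
		SerialNumber: nextSerial(), Subject: pkix.Name{CommonName: hostname},
		DNSNames: []string{hostname}, NotBefore: nb, NotAfter: na,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// authorize is the RADIUS-side decision on the certificate presented in the
// EAP-TLS handshake: the chain must end at a trusted CA, the certificate must
// be valid for client authentication, and the computer must be in the group.
func authorize(trusted *x509.CertPool, c *x509.Certificate, group map[string]bool) (string, error) {
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := c.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate rejected: %w", err)
	}
	name := c.Subject.CommonName
	if !group[name] {
		return "", fmt.Errorf("%q is not a member of the allowed computer group", name)
	}
	return name, nil
}

// Result collects the three outcomes so the scenario can be checked programmatically.
type Result struct {
	MemberName   string // domain-issued cert, computer in the group: accepted
	NonMemberErr error  // domain-issued cert, computer not in the group: rejected
	RogueErr     error  // cert from an untrusted CA, even with a matching name: rejected
}

// Demo builds one domain CA, one rogue CA and a constructed computer group, then
// runs the authorization check on three machine certificates.
func Demo() (Result, error) {
	var r Result
	domainCA, err := newCA("CORP Enterprise CA (constructed)")
	if err != nil {
		return r, err
	}
	rogueCA, err := newCA("Rogue CA (constructed)")
	if err != nil {
		return r, err
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(domainCA.cert) // only the domain CA is trusted, as the reply says
	domainComputers := map[string]bool{"ws01.corp.example": true, "ws02.corp.example": true}

	member, err1 := domainCA.issueMachineCert("ws01.corp.example")
	stranger, err2 := domainCA.issueMachineCert("lab-box.corp.example")
	rogue, err3 := rogueCA.issueMachineCert("ws01.corp.example") // right name, wrong CA
	for _, e := range []error{err1, err2, err3} {
		if e != nil {
			return r, e
		}
	}
	if r.MemberName, err = authorize(trusted, member, domainComputers); err != nil {
		return r, err
	}
	_, r.NonMemberErr = authorize(trusted, stranger, domainComputers)
	_, r.RogueErr = authorize(trusted, rogue, domainComputers)
	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("member accepted as:", r.MemberName)
	fmt.Println("non-member:", r.NonMemberErr)
	fmt.Println("rogue CA:", r.RogueErr)
}
```

The rogue-CA case is the one that answers the question "how does this stop anyone without a cert": a certificate with the right computer name but signed by any other CA never reaches the group check, because chain validation fails first. In a production deployment the revocation status of the machine certificate should also be checked (CRL or OCSP), which this example omits.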