Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1056
Views
0
Helpful
7
Replies

ISE authentication WPA2

adamgibs7
Level 6
Level 6

‎11-04-2017 01:36 PM - edited ‎02-21-2020 10:37 AM

Dears

i dont know what i am asking is correct but i am confused,

I want to authenticate users via WPA2 pre-shared key on SSID but these should be only apple users and from windows AD particular group,

Is it possible ??

Labels:
0 Helpful
7 Replies 7

Rob Ingram
VIP
VIP

‎11-04-2017 01:55 PM

Hi,

 

If you want to allow only users from an AD group then you will need to use WPA2 Enterprise NOT a pre-shared key. If you use a pre-shared key anyone on any device can type use thus without requiring to authenticate to the SSID,

 

HTH

0 Helpful

adamgibs7
Level 6
Level 6
In response to Rob Ingram

‎11-04-2017 02:03 PM - edited ‎11-04-2017 02:11 PM

thanks for the reply,

 

so you mean to say 802.1X authentication on AD ??? my goal is to separate apple IPAD users from  iphone and android devices, how i can achieve that ,, what conditions i can choose to make IPAD unique, if it is difficult to separate ipad and iphone then no problem atleast i will deny android 

0 Helpful

Rob Ingram
VIP
VIP
In response to adamgibs7

‎11-04-2017 02:08 PM

Yes, if you want to authenticate against AD you'd use 802.1x

0 Helpful

adamgibs7
Level 6
Level 6
In response to Rob Ingram

‎11-04-2017 02:12 PM

thanks again for the quick reply

 

my goal is to separate apple IPAD users from  iphone and android devices, how i can achieve that ,, what conditions i can choose to make IPAD unique, if it is difficult to separate ipad and iphone then no problem atleast i will deny android

0 Helpful

Rob Ingram
VIP
VIP
In response to adamgibs7

‎11-04-2017 02:15 PM - edited ‎11-04-2017 02:16 PM

You can use ISE profiling to determine the OS of the device - therefore determine if it's an apple iphone/ipad or android device. You can then create authorisation rules to permit/deny depending on the type of device

0 Helpful

adamgibs7
Level 6
Level 6
In response to Rob Ingram

‎11-04-2017 02:23 PM

Dear

recently i created a condition of wireless dot1.X and below the  attributes such as

 

  • windows AD particular manager group
  • logical profiles contains ipad and iphone

but the problem is if the manager from the particular group gets his personal android he is able to authenticate and he gets the ip address,

when i see the authorization policy it falls proper to which i created then why it is accepting from the android.

0 Helpful

adamgibs7
Level 6
Level 6
In response to adamgibs7

‎11-06-2017 12:02 PM

Dear Expert,
how i can troubleshoot such problem
0 Helpful
Customers Also Viewed These Support Documents