01-08-2013 02:13 PM - edited 03-10-2019 07:57 PM
I'm trying to figure out the best way that I can authenticate users on different VLANs with different authentication mechanisms.
I currently have my users able to log in with EAP-TLS utilizing SecureACS 5.2. I'd like to open up an additional VLAN that doesn't require them to use certificates, so that they could just use their AD credentials to log in; this way they could connect their smartphone or tablet.
My issue is I'm not sure how to configure the SecureACS server to *REQUIRE* the authentication mechanism per VLAN.
Currently I can use either credential set in either RADIUS request (as it simply accepts).
I think this is something that is changed in the identity policy, which would differentiate the identity policy used based on the source IP of the RADIUS request, but I'm not sure.
Any help would be greatly appreciated. See diagram attached.
My question:
How do I configure SecureACS so that it only allows EAP-TLS in VLAN-A and AD authentication in VLAN-B?
01-08-2013 08:33 PM
You should be able to do this. The Access-Request in a RADIUS packet (if using Cisco Wireless) does send the Tunnel-Private-Group-ID (which is the VLAN ID). You can create a condition in your service selection rules and select the service you want based on the value of your VLAN. Then in that service rule you can set the authentication to PEAP.
Hope that helps.
Tarik Admani
*Please rate helpful posts*
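To make the mechanism in the answer above concrete, here is an added example (not from the original post and not ACS code) that models the same decision outside of ACS: it builds a RADIUS Access-Request carrying Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID the way a NAS would, parses it back, reads the VLAN from the tagged Tunnel-Private-Group-ID attribute (RFC 2868), and picks a service whose allowed EAP method set is checked against the EAP-Response the client sent. The VLAN IDs 10 and 20, the service names, the NAS address and the SERVICE_BY_VLAN table are all assumptions chosen for illustration; the packets are constructed inline so it runs offline.

```python
import struct

# RADIUS attribute types (RFC 2865, RFC 2868, RFC 2869)
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_EAP_MESSAGE = 79
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
RADIUS_ACCESS_REQUEST = 1
EAP_CODE_RESPONSE = 2

# EAP method types (RFC 3748 / IANA registry)
EAP_TYPE_IDENTITY = 1
EAP_TYPE_TLS = 13
EAP_TYPE_PEAP = 25

# Assumed service selection table: VLAN-A (assumed id 10) only permits EAP-TLS,
# VLAN-B (assumed id 20) only permits PEAP. This mirrors a service selection
# rule keyed on Tunnel-Private-Group-ID; the ids and names are not from the post.
SERVICE_BY_VLAN = {
    "10": {"service": "VLAN-A-EAP-TLS", "allowed_eap": {EAP_TYPE_TLS}},
    "20": {"service": "VLAN-B-PEAP", "allowed_eap": {EAP_TYPE_PEAP}},
}


def avp(attr_type, value):
    """Encode one RADIUS attribute: type, total length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tunnel_avp(attr_type, tag, value):
    """Tunnel attributes carry a leading tag byte (0x00-0x1F) before the value."""
    return avp(attr_type, bytes([tag]) + value)


def build_eap_response(identifier, eap_type, data=b""):
    """EAP-Response: code 2, id, length, type, type-data."""
    return struct.pack("!BBH", EAP_CODE_RESPONSE, identifier, 5 + len(data)) + bytes([eap_type]) + data


def build_access_request(identifier, username, nas_ip, vlan_id, eap_payload, tag=1):
    """Constructed Access-Request as a wireless controller would send it."""
    attrs = b"".join([
        avp(ATTR_USER_NAME, username.encode()),
        avp(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        tunnel_avp(ATTR_TUNNEL_TYPE, tag, (13).to_bytes(3, "big")),         # 13 = VLAN
        tunnel_avp(ATTR_TUNNEL_MEDIUM_TYPE, tag, (6).to_bytes(3, "big")),   # 6 = IEEE 802
        tunnel_avp(ATTR_TUNNEL_PRIVATE_GROUP_ID, tag, vlan_id.encode()),
        avp(ATTR_EAP_MESSAGE, eap_payload),
    ])
    authenticator = bytes(16)  # constructed placeholder; real packets use a random nonce
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet):
    """Return (code, [(type, value), ...]) with basic length sanity checks."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def tunnel_group_id(attrs):
    """Extract the VLAN from Tunnel-Private-Group-ID, stripping the tag if present."""
    for atype, value in attrs:
        if atype == ATTR_TUNNEL_PRIVATE_GROUP_ID and value:
            if value[0] <= 0x1F:  # RFC 2868 section 3.6: leading byte in 0x00-0x1F is a tag
                return value[1:].decode(errors="replace")
            return value.decode(errors="replace")
    return None


def eap_response_type(attrs):
    """Reassemble EAP-Message fragments and return the EAP method type of a Response."""
    eap = b"".join(v for t, v in attrs if t == ATTR_EAP_MESSAGE)
    if len(eap) < 5:
        return None
    code, _ident, eap_len = struct.unpack("!BBH", eap[:4])
    if code != EAP_CODE_RESPONSE or eap_len > len(eap):
        return None
    return eap[4]


def evaluate(packet):
    """Service selection on VLAN, then a method check against that service's allowed set."""
    code, attrs = parse_attributes(packet)
    if code != RADIUS_ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    vlan = tunnel_group_id(attrs)
    eap_type = eap_response_type(attrs)
    rule = SERVICE_BY_VLAN.get(vlan)
    if rule is None:  # no matching service selection rule: nothing to authenticate against
        return {"vlan": vlan, "service": None, "eap_type": eap_type, "permitted": False}
    # Identity responses precede method negotiation, so they are always allowed to continue.
    permitted = eap_type == EAP_TYPE_IDENTITY or eap_type in rule["allowed_eap"]
    return {"vlan": vlan, "service": rule["service"], "eap_type": eap_type, "permitted": permitted}


if __name__ == "__main__":
    pkt = build_access_request(7, "alice", "10.0.0.5", "10", build_eap_response(3, EAP_TYPE_PEAP, b"\x00"))
    print(evaluate(pkt))  # PEAP offered on VLAN-A: service selected, method not permitted
```

The decision is keyed on an attribute the NAS supplies, so it is only as trustworthy as the controller sending it and the RADIUS shared secret protecting the exchange; the NAS-IP-Address that the question mentions is the other common selector and can be combined with the VLAN in the same rule.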