
SecureACS EAP-TLS & PEAP

I'm trying to figure out the best way that I can authenticate users on different VLANs with different authentication mechanisms.

I currently have my users able to log in with EAP-TLS using SecureACS 5.2. I'd like to open up an additional VLAN that doesn't require them to use certificates, so that they could just use their AD credentials to log in; this way they could connect their smartphone or tablet.

My issue is I'm not sure how to configure the SecureACS server to *REQUIRE* the authentication mechanism per VLAN.

Currently I can use either credential set in either RADIUS request (as it simply accepts).

I think this is something that is changed in the identity policy, that would differentiate the identity policy used based on the source IP of the RADIUS request, but I'm not sure.

Any help would be greatly appreciated. See diagram attached.

My question:

How do I configure SecureACS so that it only allows EAP-TLS in VLAN-A, and the AD authentication in the VLAN-B?

1 REPLY

SecureACS EAP-TLS & PEAP

You should be able to do this. The access request in a RADIUS packet (if using Cisco Wireless) does send the tunnel-private-group-id (which is the VLAN ID). You can create a condition in your service selection rules and select the service you want based on the value of your VLAN. Then in that service rule you can set the authentication to PEAP.

Hope that helps.

Tarik Admani
*Please rate helpful posts*
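
The selection logic described in the reply above, modelled in Python as an added example that is not part of the original thread and is not ACS code or configuration. The VLAN IDs "10" and "20" (standing in for VLAN-A and VLAN-B), the policy table and all function names are assumptions; the sample Access-Request is constructed.

```python
import struct

EAP_MESSAGE, TUNNEL_PRIVATE_GROUP_ID = 79, 81  # RADIUS attribute types
EAP_IDENTITY, EAP_TLS, PEAP = 1, 13, 25        # EAP type numbers
# Assumed policy: VLAN IDs "10" and "20" stand in for VLAN-A and VLAN-B.
ALLOWED_BY_VLAN = {"10": {EAP_TLS}, "20": {PEAP}}

def parse_attributes(packet: bytes) -> dict:
    """Return {type: [value, ...]} from a RADIUS packet (20-byte header, then TLVs)."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        a_type, a_len = packet[pos], packet[pos + 1]
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs

def vlan_of(attrs: dict):
    """Tunnel-Private-Group-ID as text, dropping the optional RFC 2868 tag octet."""
    value = (attrs.get(TUNNEL_PRIVATE_GROUP_ID) or [b""])[0]
    if value and value[0] <= 0x1F:  # tag octet; bytes above 0x1F are string data
        value = value[1:]
    return value.decode("ascii", "replace") or None

def eap_type_of(attrs: dict):
    """EAP type of an EAP Response reassembled from the EAP-Message attributes."""
    eap = b"".join(attrs.get(EAP_MESSAGE, []))
    return eap[4] if len(eap) >= 5 and eap[0] == 2 else None  # code 2 = Response

def decide(packet: bytes) -> str:
    """Pick the allowed methods by VLAN, then check the method the client offers."""
    attrs = parse_attributes(packet)
    allowed = ALLOWED_BY_VLAN.get(vlan_of(attrs))
    if allowed is None:
        return "reject: no service for this VLAN"
    method = eap_type_of(attrs)
    if method == EAP_IDENTITY:
        return "continue: method not chosen yet"
    return "allow" if method in allowed else "reject: EAP method not permitted"

def build_request(vlan: str, eap_type: int, tag: bytes = b"\x01") -> bytes:
    """Constructed sample Access-Request carrying only the two attributes used here."""
    eap = struct.pack("!BBHB", 2, 1, 6, eap_type) + b"\x00"
    tlv = lambda t, v: bytes([t, 2 + len(v)]) + v
    attrs = tlv(TUNNEL_PRIVATE_GROUP_ID, tag + vlan.encode()) + tlv(EAP_MESSAGE, eap)
    return struct.pack("!BBH", 1, 1, 20 + len(attrs)) + bytes(16) + attrs
```

A request with no recognised VLAN value is rejected rather than matched to a default, which is the behaviour that stops either credential type being accepted on either VLAN.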
