cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
699
Views
0
Helpful
1
Replies

SecureACS EAP-TLS & PEAP

GarrettSkj
Level 1
Level 1

I'm trying to figure out the best way that I can authenticate users on different VLANs with different authentication mechanisms.

I currently have my users being able to login with EAP-TLS utilizing SecureACS 5.2, I'd like to open up an additional VLAN that doesn't require them to use certificates, so that they could just use their AD credentials to login, this way they could connect their smartphone, or tablet.

My issue is i'm not sure of how to configure the SecureACS server to *REQUIRE* the authentication mechanism per VLAN.

Currently I can use either credential set in either radius request. (as it simply accepts).

I think this is something that is changed in the identity policy, that would differentiate the identiy policy used based on the source IP of the RADIUS request, but I'm not sure.

Any help would be greatly appreciated. See diagram attached.

My question:

How do I configure SecureACS so that it only allows EAP-TLS in VLAN-A, and the AD authentication in the VLAN-B?

1 Reply 1

Tarik Admani
VIP Alumni
VIP Alumni

You should be able to do this, the access request in a radius packet (if using Cisco Wireless) does send the tunnel-private-group-id (which is the vlan id). You can create a condition in your service selection rules and select the service you want based on the value of your vlan. Then in that service rule you can set the authenticaiton to PEAP.

Hope that helps.

Tarik Admani
*Please rate helpful posts*

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: