11-19-2012 02:34 PM
Hello,
I have an IronPort S170 WSA running 7.5.0-833 and AD Agent (v1.0.0.32.1-build-598) installed on a Windows 2008 R2 server. Transparent authentication of Windows devices is working fine; users log in to their domain devices and are showing up in the cache on the server and in reports within the WSA.
I want to authenticate wireless devices such as iPads and Android phones transparently. I have configured Network Policy Server (NPS) on the Windows 2008 R2 server that has the AD Agent installed (NPS ports have been changed to 7777 and 7778 to avoid breaking the existing transparent authentication) using PEAP-MSCHAPv2 authentication. I have updated the group policy configuration so that the NPS server generates Audit Success messages when the user logs in successfully, but since the 802.1x authentication happens before the user gets an IP address, they are no good.
The NPS logs the MAC address of the connecting device as the Called-Station-ID, and the DHCP server also logs the MAC address to IP address mapping. I was hoping that the AD Agent would put that together. Has anyone had a similar issue and found a way to resolve it?
Thanks.
11-21-2012 01:41 AM
Hi,
I tried the exact same thing as you, handheld devices with NPS authentication.
Unfortunately, the Cisco AD Agent supports only Kerberos-authenticated devices, not RADIUS. And this is not possible.
11-21-2012 02:14 AM
Unfortunately, I came to the same conclusion. I am working with support to raise a feature request though, so maybe one day this will work.
12-14-2012 01:05 PM
Hey, if you get anywhere with this I would LOVE to know how to do it.
Currently we have to put DHCP reservations in our DHCP server so that each handheld gets the same IP address all the time.
Then there is a separate policy in our S160 that has all of those IP addresses listed. It's a little more of a pain to manage, and in the event you wanted to do any kind of tracking, you have to do a little investigation work rather than being able to search by Active Directory user account name.
03-28-2013 02:06 AM
Dears,
Did you find a solution for this?
04-23-2013 12:21 PM
Have this issue also... including non-IE browsers and Macs