10-19-2012 08:52 AM - edited 07-03-2021 10:52 PM
We currently have several 1200 series access points set up providing connections to our LAN via a non-broadcast SSID and using IAS for RADIUS authentication.
We want to provide public/guest access for our users' personal devices, allowing internet access only, via our Websense web filter. We need to authenticate them against their domain accounts before allowing them access to the internet via the VLAN restricting access to the Websense web filter. They should be able to set up their wireless connection on their devices just the once (with minimal assistance/intervention from IT support).
I have tried setting up a Guest SSID authenticating using a different Windows server running IAS for RADIUS authentication, but it doesn't seem to be the right solution, most notably because I cannot authenticate BB devices, as they require preinstallation of a certificate, which we will not be able to do for all our users.
Can anyone advise?
10-19-2012 09:32 AM
Is it the WebSense box that requires the authentication?
If it's not, I would just go with a PSK; that way not every device will take up an address. Everything should support the PSK, so minimal config for the user, and WebSense should still be in the path.
HTH,
Steve
------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
10-19-2012 10:34 AM
Thank you Stephen for your quick response.
Unfortunately, just a PSK will not do as we need to be able to disable users from time to time without affecting other users. The ability to authenticate (and hence identify web usage) at the WebSense box would be desirable.
10-19-2012 08:30 PM
You could probably set up the WLAN to be Layer 3 webauth and have the IAS authenticate the users this way. This will require the users to open a web browser in order to get authenticated.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008067489f.shtml
The other way I know of is to add something like an ISE server that can use MAC address for identifying and profiling.
http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bba10d.shtml
Remember to mark questions as answered