Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
862
Views
0
Helpful
1
Replies

two-stage authentication on 4402 WLC

Go to solution
ronwightman
Level 1
Level 1

‎10-21-2012 05:48 PM - edited ‎07-03-2021 10:53 PM

I have scoured the WEB & WLC user guide for this answer and so far have come up with nothing (maybe not searching correctly)

Environment:

Lightweight AP's with Cisco 4402 WLC (5.1.151.0).

Windows7 clients using WPA2-Enterprise (PEAP) (User or Computer auth)

Windows AD

Microsoft NPS assigning vlan membership based on AD group membership for Users & domain membership for Machines

Machine authentication (not TLS) pre user-login

I would like to know if the Cisco 4402 WLC supports two-stage authentication. I have seen differing interpretations of "two-stage" authentication, so I shall elaborate. I would like to know if the WLC is capable of only allowing a USER authentication request if the request has come from a MACHINE that has been previously authenticated. I know Juniper (Trapeze) controllers achieve this through a function called "bonded-auth" and currently have a successful setup but I cannot find reference to this in the Cisco world.

We have a restricted WLAN that should be limited to AD domain joined hardware & I am trying to prevent users on BYO devices with valid AD credentials from connecting to it.

Any assistance would be greatly appreciated.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Scott Fella
Hall of Fame
Hall of Fame

‎10-21-2012 07:07 PM

You not going to achieve this user and machine unless you have Cisco ACS and using MAR with ACS. If using a 5508 and ISE along with AnyConnect, you can do EAP-Chaining.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

View solution in original post

0 Helpful
1 Reply 1

Go to solution
Scott Fella
Hall of Fame
Hall of Fame

‎10-21-2012 07:07 PM

You not going to achieve this user and machine unless you have Cisco ACS and using MAR with ACS. If using a 5508 and ISE along with AnyConnect, you can do EAP-Chaining.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card