10-21-2012 05:48 PM - edited 07-03-2021 10:53 PM
I have scoured the web and the WLC user guide for this answer and so far have come up with nothing (maybe I am not searching correctly).
Environment:
Lightweight APs with Cisco 4402 WLC (5.1.151.0).
Windows7 clients using WPA2-Enterprise (PEAP) (User or Computer auth)
Windows AD
Microsoft NPS assigning vlan membership based on AD group membership for Users & domain membership for Machines
Machine authentication (not TLS) pre user-login
I would like to know if the Cisco 4402 WLC supports two-stage authentication. I have seen differing interpretations of "two-stage" authentication, so I shall elaborate. I would like to know if the WLC is capable of only allowing a USER authentication request if the request has come from a MACHINE that has been previously authenticated. I know Juniper (Trapeze) controllers achieve this through a function called "bonded-auth" and currently have a successful setup but I cannot find reference to this in the Cisco world.
We have a restricted WLAN that should be limited to AD domain joined hardware & I am trying to prevent users on BYO devices with valid AD credentials from connecting to it.
Any assistance would be greatly appreciated.
10-21-2012 07:07 PM
You're not going to achieve this user-and-machine behaviour unless you have Cisco ACS and are using MAR with ACS. If using a 5508 and ISE along with AnyConnect, you can do EAP-Chaining.
Sent from Cisco Technical Support iPhone App
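The behaviour the question describes ("only allow a USER authentication if it comes from a MACHINE that has already authenticated") is what Machine Access Restriction (MAR) in the accepted answer implements on the RADIUS side: the server caches the Calling-Station-Id (client MAC) of every successful machine authentication and, for a later user authentication, checks that the same MAC has a fresh entry in that cache. The following is an added reference model of that policy, written for this page rather than taken from ACS, ISE or the thread; the MAC addresses, usernames, timestamps and the aging window are constructed sample values.

```python
"""
Added example (not from the original thread): a model of the MAR-style policy in
which a user authentication is accepted only from an endpoint whose machine
account authenticated earlier. All identities, MACs and times are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class MarPolicy:
    # Assumed aging time for cached machine authentications (ACS exposes a
    # comparable "aging time"; the value here is illustrative).
    aging_seconds: int = 6 * 3600
    # MAR cache: normalised client MAC -> time of last machine authentication.
    _cache: Dict[str, float] = field(default_factory=dict)

    @staticmethod
    def normalize_mac(calling_station_id: str) -> str:
        """Calling-Station-Id arrives as aa-bb-cc-dd-ee-ff, aa:bb:..., or
        aabb.ccdd.eeff depending on the NAS; normalise so the cache key is stable."""
        digits = "".join(c for c in calling_station_id.lower() if c in "0123456789abcdef")
        if len(digits) != 12:
            raise ValueError(f"not a MAC address: {calling_station_id!r}")
        return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

    @staticmethod
    def is_machine_identity(user_name: str) -> bool:
        """Windows machine (computer) authentication presents host/<fqdn>."""
        return user_name.lower().startswith("host/")

    def evaluate(self, request: Dict[str, str], now: float) -> Tuple[str, str]:
        """Return (RADIUS result, reason) for one Access-Request.

        `request` holds the attributes that matter here: User-Name and
        Calling-Station-Id. Credential validation itself is assumed to have
        already succeeded against AD; this function only applies the MAR rule.
        """
        mac = self.normalize_mac(request["Calling-Station-Id"])
        user = request["User-Name"]

        if self.is_machine_identity(user):
            # Successful machine authentication populates the cache.
            self._cache[mac] = now
            return "Access-Accept", f"machine {user} authenticated; MAR entry cached for {mac}"

        seen = self._cache.get(mac)
        if seen is None:
            # Valid AD user, but on hardware that never did machine auth (e.g. BYOD).
            return "Access-Reject", f"no prior machine authentication from {mac}"
        if now - seen > self.aging_seconds:
            # Entry aged out; the machine must authenticate again first.
            del self._cache[mac]
            return "Access-Reject", f"machine authentication for {mac} expired"
        return "Access-Accept", f"user {user} accepted from MAR-known machine {mac}"


def run_sample() -> List[Tuple[str, str]]:
    """Replay a constructed sequence of requests and collect the decisions."""
    policy = MarPolicy(aging_seconds=3600)
    trace = [
        # (time, User-Name, Calling-Station-Id)
        (0.0,    "host/LAPTOP01.corp.example", "00-11-22-33-44-55"),  # domain laptop boots
        (60.0,   "CORP\\alice",                "00:11:22:33:44:55"),  # same laptop, user logs on
        (60.0,   "CORP\\alice",                "aabb.ccdd.eeff"),     # same creds on a BYOD phone
        (4000.0, "CORP\\alice",                "00-11-22-33-44-55"),  # laptop, cache entry aged out
    ]
    results = []
    for t, user, mac in trace:
        results.append(policy.evaluate({"User-Name": user, "Calling-Station-Id": mac}, t))
    return results


if __name__ == "__main__":
    for code, reason in run_sample():
        print(f"{code:14} {reason}")
```

The third request is the case the question wants to block: the credentials are valid, but the MAC presenting them never completed a machine authentication, so the user is rejected. Two caveats a practitioner should keep in mind when relying on this mechanism on a real server: the cache is keyed on the client MAC, so an endpoint that clones a domain machine's MAC can satisfy the check, and the cache is in-memory state on the RADIUS server, so it is empty after a restart until machines re-authenticate.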