Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
594
Views
0
Helpful
3
Replies

Authentication with ACS combined with AD + CA

d.heo
Level 1
Level 1

‎10-04-2012 10:18 AM - edited ‎07-03-2021 10:46 PM

Hi Experts,

I have 2 questions regarding authentication of wireless users.

1. We have 2 SSID (Executive and Employee), and using Certificate Authority as authentication.

Here is simple topology like below.

AP - WLC - ACS - AD - CA

WLC is configured ACS as Radius server for both of SSIDs.

Here is my question. Is there anyway we can only allow Executive to access Executive SSID ?

The issue is employees can access Executive SSID as long as the laptop has valid certificate.

2. Another question is, is there anyway we can use "Certificate and window credential together only" to access the SSID ?

I could not find the option on the ACS allow using "Certificate and window credential together only" I have a client who used autonomous AP before. And he mentioned that both credentials (Certificate and window credential together) are needed to join WLAN before.

Thank you for your answers in advance.

Roger

"Carpe Diem"

Labels:
0 Helpful
3 Replies 3

Stephen Rodriguez
Cisco Employee
Cisco Employee

‎10-04-2012 11:04 AM

For question one, you would want to use NAR.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml

For teh second, I'm not sure it is possible, if you are using TLS for machine authentication, and then PEAP for user, the user auth would supercede the machine auth, IIRC.

Maybe Scott will have a different opinion on it.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
0 Helpful

d.heo
Level 1
Level 1
In response to Stephen Rodriguez

‎10-04-2012 11:32 AM

Thank you Steve !

Could you tell me a bit more detail regarding configuration on ACS ? The white paper is a bit blurry though.

Thanks,

Roger

"Carpe Diem"

0 Helpful

Stephen Rodriguez
Cisco Employee
Cisco Employee
In response to d.heo

‎10-04-2012 11:42 AM

Basically you use the called station ID setting (DNIS) of the 'executive' WLAN, and apply the policy to the 'employee' profile and deny access.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a0080858d3c.shtml

that link is a guide, but no pictures.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card