I want to set up Wireless Clients MAC+Active Directory based access on AP 1242 standalone Wireless series.
Steps I have configured:
1) SSID Manager under Open authentication: Selected with EAP.
2) Under advanced RADIUS: s
MAC Address Authentication: Authentication Server Only
3) Server Manager: Current server list
added the RADIUS IP address 10.1.200.x
From ACS - RADIUS we have chosen a Group x (named as Mac-address group).
All the wireless client (laptop) MAC addresses are added with the add username option: enter the username
as the MAC address & enter the MAC address as the password in the second option of the password tab.
As far as I know you cannot have users authenticated from the ACS internal database and an external database at the same time. What will happen is that when the authentication request comes to the ACS, it checks its internal database, and if it finds a valid username and password it will respond back to the authenticator saying authentication is successful. It does not go and look at the external database once it finds a match in the internal database. But if ACS does not find a match in the internal database, it queries the external database to check the credentials.
In short, if the ACS internal database is matched for a request (whether passed or failed), it does not query the external database, and hence your requirement will not work to my knowledge.
Hope this helps
Thanks for your Inputs!
I want my wireless users to get authenticated by the ACS 3.3 RADIUS server MAC database + AD user authentication method, for which I have put the RADIUS server IP details on each wireless AP.
1) SSID Manager under Open authentication: Selected with EAP
However, they are getting authenticated only with the help of AD users, but I want to add double security by restricting them to the MAC + AD-user method.
Note: On all wireless APs there is no MAC database created; it is created in the RADIUS server.
Hence I am looking forward to knowing how to achieve this.
I think you didn't understand what I was trying to say here :-( No problem. I will explain my theory again. Your requirement is to authenticate the user from the ACS internal database (you have already added the MAC address as the username in your ACS internal database) as well as from the ACS external database (in your case this is AD).
What I was saying is that when an authentication request comes to the RADIUS server, it checks its internal database, and if it finds a valid username and password (here it will be the MAC address and password which you have entered into the ACS database), the ACS will not query the external database (in your case the AD) for authentication.
You cannot have ACS look into both the MAC and AD databases at the same time.
Hope this clears your doubt.
Thanks for your comments!
I believe the RADIUS server will do both internal (MAC-database auth) & external (AD user database) if it is properly configured on the wireless AP.
However, I do not know how to configure the wireless AP such that it will take the request from the MAC address first and, if it is successful, then verify AD user authentication.
I agree that ACS will check the internal and external databases to validate the credentials. But my point was that ACS will check the external database only if it does not find the user credentials in the internal database. But if ACS finds user credentials in the internal database (even if the credentials are wrong), it does not go and look in the external database. It will look in the external database only if the username does not exist in the internal database.
Anyways, this is my understanding of how this works. I'm sure that there are ACS experts looking at this forum and we will wait for the final verdict from them :-)