How to set up wireless client MAC + Active Directory based access

netadmindha (Level 1)

Dear Gents,

I want to set up wireless client MAC + Active Directory based access on the AP 1242 standalone wireless series.

Steps I have configured:

1) SSID Manager, under Open authentication: selected "with EAP".

2) Under Advanced RADIUS:

MAC Address Authentication
MAC Addresses Authenticated by: Authentication Server Only

3) Server Manager: current server list

Added the RADIUS IP address 10.1.200.x

Server priorities:

               EAP Authentication   MAC Authentication   Accounting
Priority 1:
Priority 2:
Priority 3:

From ACS (RADIUS) we have chosen a group X (named the MAC-address group).

All the wireless client (laptop) MAC addresses are added with the Add username option: enter the MAC address as the username, and enter the MAC address as the password in the second option of the password tab.

I want to see my wireless clients get authenticated with MAC and AD user sequentially; however, it is not happening.
Request you to let me know if I am missing config either in the AP or in RADIUS (ACS 3.3).

Regards,

Akber Mirza.

5 Replies

kcnajaf (Level 7)

Hi Akber,

As far as I know, you cannot have users authenticated from the ACS internal database and an external database at the same time. What will happen is that when the authentication request comes to the ACS, it checks its internal database, and if it finds a valid username and password it will respond back to the authenticator saying authentication is successful. It does not go and look at the external database once it finds a match in the internal database. But if ACS does not find a match in the internal database, it queries the external database to check the credentials.

In short, if the ACS internal database is matched for a request (whether passed or failed), it does not query the external database, and hence your requirement will not work to my knowledge.

Hope this helps

Regards

Najaf

Dear Najaf,

Thanks for your Inputs!

I want my wireless users to get authenticated by the ACS 3.3 RADIUS server using the MAC database + AD user authentication method, for which I have put the RADIUS server IP details on each wireless AP.

1) SSID Manager, under Open authentication: selected "with EAP".

However, they are getting authenticated only with the help of AD users, but I want to add double security by restricting them to the MAC + AD-user method.

Note: on all wireless APs there is no MAC database created; it is created in the RADIUS server.

Hence I am looking forward to knowing how to achieve this.

Regards,

Akber Mirza.

Hi Akber,

I think you didn't understand what I was trying to say here :-( No problem, I will explain my theory again. Your requirement is to authenticate the user from the ACS internal database (you have already added the MAC address as the username in your ACS internal database) as well as from the ACS external database (in your case this is AD).

What I was saying is that when the authentication request comes to the RADIUS server, it checks its internal database, and if it finds a valid username and password (here it will be the MAC address and password which you have entered into the ACS database) the ACS will not query the external database (in your case the AD) for authentication.

You cannot have ACS look into both the MAC and AD databases at the same time.

Hope this clears your doubt.

Regards

Najaf

Dear Najaf,

Thanks for your comments!

I believe the RADIUS server will do both internal (MAC-database auth) and external (AD user database) if it is properly configured on the wireless AP.

However, I do not know how to configure the wireless AP such that it will take the request from the MAC address first and, if that is successful, then verify AD user authentication.

Regards,

Akber Mirza
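As an added illustration (not the poster's configuration, nor a verified fix for the ACS behaviour discussed in this thread), this is the IOS CLI equivalent of the three GUI steps in the original post on a standalone 1242, with the SSID configured so the AP runs the MAC check before EAP. Assumed names: the server groups rad_mac and rad_eap, the method lists mac_methods and eap_methods, the SSID corp-wlan; the RADIUS host's last octet, its ports and the shared secret are placeholders.

```cisco
! Added example, not the original poster's config. Names and ports are assumptions.
aaa new-model
!
! Two server groups pointing at the same ACS 3.3 host (10.1.200.x in the post)
aaa group server radius rad_mac
 server 10.1.200.X auth-port 1645 acct-port 1646
aaa group server radius rad_eap
 server 10.1.200.X auth-port 1645 acct-port 1646
!
! Method lists: mac_methods is used for the MAC check, eap_methods for EAP
aaa authentication login mac_methods group rad_mac
aaa authentication login eap_methods group rad_eap
!
radius-server host 10.1.200.X auth-port 1645 acct-port 1646 key SHARED-SECRET-PLACEHOLDER
!
! Open authentication with a MAC check first, then EAP against the same server.
! Without the "alternate" keyword a client must pass BOTH the MAC check and EAP;
! "mac-address ... alternate" would instead accept a client that passes either one.
dot11 ssid corp-wlan
 authentication open mac-address mac_methods eap eap_methods
 authentication network-eap eap_methods
!
interface Dot11Radio0
 ssid corp-wlan
```

The MAC check sends the client's MAC address as both username and password, which is what the ACS entries described in the original post expect. Whether ACS then consults AD for the separate EAP request is the ACS-side lookup-order question raised in the replies; this AP configuration does not change that.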

Hi Akber,

I agree that ACS will check the internal and external databases to validate the credentials. But my point was that ACS will check the external database only if it does not find the user credentials in the internal database. If ACS finds user credentials in the internal database (even if the credentials are wrong), it does not go and look in the external database. It will look in the external database only if the username does not exist in the internal database.

Anyway, this is my understanding of how this works. I'm sure there are ACS experts looking at this forum and we will wait for the final verdict from them :-)

Regards

Najaf
