We have Cisco APs set up around our building. We also have a Cisco ACS server set up. Some of our domain users are able to go to our customers' sites, which are on different domains, and use their work laptops to gain access to their own domains. I know the customers are using RADIUS and Aruba.
I have asked if we can allow customers to come to this office and allow them to log onto their laptops, connect remotely through our wireless and let them connect to their domain.
I believe this is possible through the ACS server. The ACS server would have the customer domain name configured in Users and Identity Stores, RADIUS Identity Servers. The user would log in and authenticate and would be directed through a different VLAN to the customer AD. We would use VRF. Unfortunately I am not an expert on VRF and could use some info on this.
So let me see if I understand the situation.
You want to let people that work for another company be able to use their domain credentials to log in to your wireless?
The only way that would work is if your ACS were able to connect to their domain controller to authenticate the user.
Other than that, you could just put up a 'guest' WLAN, and then they could VPN into their company.
Please remember to rate useful posts, and mark questions as answered
Thanks for your reply.
You are correct in understanding the situation.
I need a user from a different company to be able to access their home network using our wireless.
The current set up I would like is as follows -
A wireless user from Company A logs onto his laptop with his log in details (john.smith@CompanyA.co.uk) and this authenticates. Our WAP then forwards its authentication details to our WLC and this goes to the ACS. The ACS uses the @CompanyA.co.uk part to identify which company the user belongs to and sends this to the relevant DC. Once the CompanyA DC authenticates the user they are associated with a VLAN that permits them to access their home network.
I will be using separate VLANs for the specific companies and VRF to forward the traffic.
From your above post what I understand is that Company A users are able to connect to the wireless network at your customer premises using their own domain credentials. Is this correct? If so, that means there is a two-way trust relationship between the two domains' (Company A and Company B) Active Directories, and that would be the reason why Company A users are able to connect to the wireless network using their domain credentials at the customer premises. Please check with your Active Directory team regarding the trust relationship between the two domains.
If this is the case you can easily allow access vice versa as well.
I have set up a test WAP on our WLC and logged in with a laptop running Windows 7 that does not belong to our domain.
The ACS can see this but will not grant access. I believe that this is a certificate problem.
The error showing on our ACS is -
12321 PEAP failed SSL/TLS handshake because the client rejected the ACS local-certificate : Authentication failed
Are there any settings that I may have missed, or can anyone shed any light or advice on this please?
Based on your post I can conclude that the client might be validating the certificate. The cert that is on your ACS is being presented to your Win 7 box and that cert is not in the trusted root store of the box.
Is this a local cert and not signed by a CA?
If this is indeed the case these are some options:
You could publish the cert on the win 7 box
Get a signed CA cert
Not validate the cert
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
Is this a self-signed certificate? A certificate that was generated on the ACS? If it is, then you need to import that certificate into the browser of the Windows 7 box. Go under Internet Options and to the trusted root store, and import the certificate.
Sent from Cisco Technical Support iPhone App
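As an added example (not from any post in this thread), the same check and import done from an elevated PowerShell prompt on the Windows 7 client instead of through Internet Options: it builds the certificate chain the way the PEAP supplicant does, reports why it fails, and only adds the ACS certificate to the Trusted Root store when it is self-signed and its thumbprint matches the one read from the ACS console. The file path and the thumbprint value are assumptions; replace them with your own.

```powershell
# Added example; assumes the ACS server certificate was exported (DER or
# Base-64) to the path below and that you have its thumbprint from the ACS.
$certPath = 'C:\certs\acs-server.cer'              # assumed export location
$expectedThumbprint = 'REPLACE_WITH_THUMBPRINT_FROM_ACS'  # placeholder

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($certPath)

Write-Host "Subject   : $($cert.Subject)"
Write-Host "Issuer    : $($cert.Issuer)"
Write-Host "Thumbprint: $($cert.Thumbprint)"
Write-Host "Valid     : $($cert.NotBefore) to $($cert.NotAfter)"

# A self-signed ACS certificate has the same subject and issuer.
$selfSigned = ($cert.Subject -eq $cert.Issuer)

# Build the chain as the supplicant would; a failure here is the client-side
# view of ACS error 12321 (client rejected the ACS local certificate).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if ($chain.Build($cert)) {
    Write-Host 'Chain builds: this certificate is already trusted on this machine.'
    return
}
$chain.ChainStatus | ForEach-Object { Write-Host "Chain problem: $($_.Status) - $($_.StatusInformation)" }

# Never trust a root on the strength of the file alone; compare the fingerprint.
if ($cert.Thumbprint -ne $expectedThumbprint) {
    Write-Host 'Thumbprint does not match the one shown on the ACS; not importing.'
    return
}

if (-not $selfSigned) {
    # A CA-signed server cert does not belong in Root; import the issuing CA instead.
    Write-Host 'Certificate is CA-signed; import the issuing CA certificate into Root instead.'
    return
}

# Self-signed: the ACS cert is its own root, so it goes into LocalMachine\Root.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()
Write-Host 'Imported into LocalMachine\Root. Re-test the PEAP connection.'
```

After the import, keep "Validate server certificate" enabled in the wireless profile's PEAP settings and tick the newly added root there, rather than switching validation off.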