10-11-2012 03:25 PM - edited 07-03-2021 10:48 PM
A query,
I have a "customer" who wants to use 802.1x wireless exclusively for after hours patching, etc. RADIUS authentication and user idle timeouts, etc. are an unnecessary nuisance in the customer's eyes.
Is this doable?
Background:
SSID-1: 802.1x WPA2/AES with MS machine authentication against AD enforced by ACS5. User authentication requests are ignored. (PEAP MS-CHAPv2)
All their LWAPs are joined to one of my WiSMs which also serve several other WLANs. All are H-REAP.
SSID-2 (deprecated): 802.1x WPA2/AES with user authentication against AD enforced by ACS4.
Customer uses a 3rd party connection manager/supplicant incapable of authenticating the machine against AD. So, as the client laptop boots it authenticates the device via SSID-1. Once booted, the connection manager tears down the connection to SSID-1 and associates to SSID-2 to authenticate the user. As long as the initial machine authentication is valid and user idle timeout doesn't interfere, the device stays connected.
SSID-1 & SSID-2 map to the same VLAN(s), but utilize different RADIUS (ACS) servers.
Other cert based EAP methods aren't in the cards yet, and as network provider, we mandate machine authentication against AD.
Assuming we convince them to pony up for their own controller, and get the ACS guys to create policies that allow user authentication to grant access if the machine is authenticated (thus removing SSID-2/ACS4 from the equation), but only for this NAS, can wireless be used 24/7 without timeouts requiring reboots to re-authenticate? Is there a Wake-on-WLAN?
Thanks!
10-11-2012 08:35 PM
I don't understand what you're trying to accomplish. Can you explain in detail how you want devices to authenticate?
Sent from Cisco Technical Support iPhone App
10-15-2012 09:41 AM
I'm not sure if this will be detailed enough, but I want the machines to authenticate as machines, utilizing the native Microsoft supplicant and their AD credentials as machines joined to AD.
In general this works fine, but this customer's insistence on utilizing a 3rd party supplicant negates the machine auth because the supplicant can't pass the machine credentials to AD.
They've come up with this convoluted solution utilizing two SSIDs, each of which utilizes a different ACS version, which in turn enforce different authentication policies; machine vs. user.
Utilizing this solution, machine authentication only happens during boot. If/when the machine's authentication times out, it must reboot, which interferes with the desired 24/7 connectivity. User Idle Timeout probably doesn't help. I have it set to 12 hours, but that's a global setting I'm hesitant to adjust further without a dedicated controller.
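Added example, not code from the thread or from Cisco ACS: a small Python model of the policy discussed above, where a user authentication is accepted only while the same client MAC still holds an unexpired machine authentication. The 12-hour aging window, the MAC address and the request timeline are constructed assumptions; they show why the user session survives re-authentication inside the window but fails once the boot-time machine auth has aged out.

```python
from datetime import datetime, timedelta

# Assumed aging window for a cached machine authentication (constructed value;
# the thread only mentions a 12-hour User Idle Timeout on the controller).
MACHINE_AUTH_MAX_AGE = timedelta(hours=12)


class MachineAuthCache:
    """Remembers when each client MAC last passed machine (computer) authentication."""
    def __init__(self, max_age=MACHINE_AUTH_MAX_AGE):
        self.max_age = max_age
        self._last_ok = {}  # mac -> datetime of last successful machine auth

    def record(self, mac, when):
        self._last_ok[mac] = when

    def is_valid(self, mac, now):
        last = self._last_ok.get(mac)
        return last is not None and now - last <= self.max_age


def authorize(cache, mac, kind, creds_valid, now):
    """Policy: machine auth stands alone; user auth is granted only while the
    same MAC holds an unexpired machine authentication (MAR-style gating)."""
    if not creds_valid:
        return False, "credentials rejected by AD"
    if kind == "machine":
        cache.record(mac, now)
        return True, "machine authenticated"
    if kind == "user":
        if cache.is_valid(mac, now):
            return True, "user authenticated; machine auth still valid"
        return False, "machine auth aged out; device must re-authenticate as machine (reboot)"
    return False, "unknown authentication type"


def simulate(timeline, start=datetime(2012, 10, 11, 15, 25)):
    """Run (offset, mac, kind, creds_valid) requests from a constructed start time."""
    cache = MachineAuthCache()
    return [authorize(cache, mac, kind, ok, start + off)[0]
            for off, mac, kind, ok in timeline]


# Constructed timeline for one laptop: machine auth at boot (SSID-1), user auth
# a minute later (SSID-2), user re-auth at 11 h (still inside the window), and
# user re-auth at 13 h after the cached machine auth has aged out.
LAPTOP = "00:11:22:33:44:55"
TIMELINE = [(timedelta(0), LAPTOP, "machine", True),
            (timedelta(minutes=1), LAPTOP, "user", True),
            (timedelta(hours=11), LAPTOP, "user", True),
            (timedelta(hours=13), LAPTOP, "user", True)]
```

`simulate(TIMELINE)` returns `[True, True, True, False]`: user re-authentication never refreshes the machine entry, so only a fresh machine authentication (in this thread, a reboot) extends the window.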