AD credential during de 802.1x wireless SSID connection

yakp (Level 1)

Dear Community,

I configured an SSID for employees to use and selected 802.1X as the security type for this SSID. I made the necessary configurations on the WLC and ISE. Currently, an employee can authenticate and connect to the wireless network through the certificate installed on the computer during Uitrol. In this process, when the employee clicks on the SSID, he does not enter any username or password; he just says to trust the certificate and connects to the network.

My question is this: if someone wants to connect to this SSID with an external device that is not in AD, a screen appears asking for a username and password. Here, this network may become vulnerable to attacks such as brute-force attacks. Is there an effective way to prevent this? When an external device wants to connect to this SSID, is it possible to reject the connection request outright if it does not have a certificate?

3 Replies

marce1000 (VIP)

 

         >... is it possible to reject the direct connection request if it does not have a certificate?
  - Essentially not because connecting to  an SSID is just like connecting a cable to an outlet , you could probably configure the ISE policy as such that both machine certificate and user authentication is required if the latter is tried , 

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Thanks for your comment, Marce. How can I configure both? I have already configured the machine certificate. For user authentication, what should I choose in the ISE policy?

If your users are prompted to trust a certificate, the rest of the security mechanisms are basically useless, because this is the number one attack surface for 802.1X. Always make sure that the machine already trusts your root cert through GPOs or MDM.

For the rest of the question, @marce1000 gave an important hint: use client certificates. With them, only a user or device with a certificate can connect, and the user password is not used in the authentication process. Using certificates and setting up a CA is one of the most challenging parts of a wireless security setup. Better get someone to help you with that.
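A defender-side check added here as an example (not code from this thread, from Cisco, or from ISE): it scans RADIUS-style authentication logs for the two things discussed above, a burst of failed attempts from one client MAC (the brute-force worry) and any attempt that used a password-based EAP method instead of EAP-TLS. The log format and the sample lines are constructed for the example; real ISE or WLC syslog fields will differ and the regex must be adapted.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real ISE/WLC output): one EAP-TLS success and a
# burst of PEAP password failures from a single client MAC against the SSID.
SAMPLE_LOG = """\
2024-05-01T08:00:00 result=PASS user=host/pc1.corp.local mac=aa:bb:cc:00:00:01 ssid=CORP eap=EAP-TLS
2024-05-01T08:00:10 result=FAIL user=jdoe mac=de:ad:be:ef:00:01 ssid=CORP eap=PEAP reason=WrongPassword
2024-05-01T08:00:12 result=FAIL user=jdoe mac=de:ad:be:ef:00:01 ssid=CORP eap=PEAP reason=WrongPassword
2024-05-01T08:00:14 result=FAIL user=jsmith mac=de:ad:be:ef:00:01 ssid=CORP eap=PEAP reason=WrongPassword
2024-05-01T08:00:16 result=FAIL user=admin mac=de:ad:be:ef:00:01 ssid=CORP eap=PEAP reason=WrongPassword
2024-05-01T08:00:18 result=FAIL user=admin mac=de:ad:be:ef:00:01 ssid=CORP eap=PEAP reason=WrongPassword
2024-05-01T08:30:00 result=FAIL user=mwong mac=aa:bb:cc:00:00:02 ssid=CORP eap=PEAP reason=WrongPassword
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) result=(?P<result>PASS|FAIL) user=(?P<user>\S+) "
    r"mac=(?P<mac>\S+) ssid=(?P<ssid>\S+) eap=(?P<eap>\S+)"
)

def parse(log_text):
    """Yield one dict per parseable line; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            yield rec

def analyse(log_text, threshold=5, window=timedelta(minutes=5), allowed_eap=("EAP-TLS",)):
    """Return (brute_force_macs, password_auth_events).

    brute_force_macs: MAC -> peak number of failures seen inside any sliding
    `window` (a slow trickle below the threshold is not flagged).
    password_auth_events: every attempt using an EAP method outside allowed_eap,
    i.e. the username/password prompt the thread is worried about.
    """
    recent = defaultdict(deque)   # per-MAC timestamps of recent failures
    brute, password_auth = {}, []
    for rec in parse(log_text):
        if rec["eap"] not in allowed_eap:
            password_auth.append((rec["mac"], rec["user"], rec["eap"]))
        if rec["result"] != "FAIL":
            continue
        q = recent[rec["mac"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            brute[rec["mac"]] = max(brute.get(rec["mac"], 0), len(q))
    return brute, password_auth
```

If the ISE policy is restricted to EAP-TLS as the thread suggests, the second list should stay empty in production; anything in it points at a client that was still offered a password prompt.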
