Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2437
Views
0
Helpful
8
Replies

Authenticating wireless users through Active Directory

johnwoodssoundeklin
Level 1
Level 1

‎02-13-2014 01:58 AM - edited ‎07-05-2021 12:11 AM

We currently have a Cisco 2504 WLC running two WLANs, corporate (full-access) and guest (internet only). Both WLANs are currently using a [WPA+WPA2][Auth(PSK)] security policy. I would like to move the corporate WLAN from PSK to 802.1x so that wireless users attempting to use the corporate WLAN must first authenticate through Active Directory by supplying their AD username and password.

I currently have a Server 2008 R2 Standard machine that is running the NPS role and authenticating remote-access VPN requests (from our ASA 5510) through Active Directory. This server is a domain member but not a domain controller and is not running the AD Certificate Services role, only NPS.

What is the best way to accomplish this? Keep in mind that we will need both domain PCs and non-domain devices to be able to authenticate through Active Directory by the user supplying his/her AD username and password.

Any assistance would be greatly appreciated.

Thank you,

John Woods

Labels:
0 Helpful
8 Replies 8

Sandeep Choudhary
VIP Alumni
VIP Alumni

‎02-13-2014 02:03 AM

You can use this but I will suggest to ISE as radius server and connect this ISE server to AD.

Cisco Identity Services Engine (ISE) is a security policy management and control platform. It automates and simplifies access control and security compliance for wired, wireless, and VPN connectivity. Cisco ISE is primarily used to provide secure access and guest access.

http://www.cisco.com/c/dam/en/us/td/docs/solutions/SBA/February2013/Cisco_SBA_SLN_BYOD_AdvancedGuestWirelessAccessDeploymentGuide-Feb2013.pdf

Regards

Dont forget to rate helpful posts

0 Helpful

johnwoodssoundeklin
Level 1
Level 1
In response to Sandeep Choudhary

‎02-13-2014 02:10 AM

I would love to use ISE, but current budget constraints prevents this. I must find another way.

Thank you,

John Woods

0 Helpful

Scott Fella
Hall of Fame
Hall of Fame

‎02-13-2014 02:04 AM

NPS has to have a server certificate either from your internal CA or 3rd party CA. The NPS has to be joined to the domain and in NPS, make sure that it's registered to Active directory. Now the tricky part is that you are using this NPS server for other things, so you need to define another policy that will not break what you have. NPS does have a wizard that can help create both your connection and network policies. NPS when successfully registered to AD, you will be able to see the groups in AD when creating policies. You will also be able to see the valid certificate when creating the wireless policies, all which is required to use NPS and wireless 802.1x.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
0 Helpful

johnwoodssoundeklin
Level 1
Level 1
In response to Scott Fella

‎02-13-2014 02:20 AM

Thank you Scott for the quick reply. I suspected NPS requiring a certificate. Can I enable the AD Certificate Services role on my NPS server? It is joined to the domain, registered in AD, but is not a DC. Also, you are quite correct with the testing I have done so far on NPS. While attemting to get this working, I managed to break the policy authenticating our VPN requests from the ASA.

0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to johnwoodssoundeklin

‎02-13-2014 04:56 AM

You can enable the CA role on the NPS server. I would read the guides, make sure you understand the CA roles because every device including AD and your other servers will get a certificate from this CA. The NPS will trust the CA because both roles are on the same server, but you need AD to trust the CA and push out the certificate to all domain computers. The guides are quick how to's but understand the CA part or maybe ask your Microsoft engineer about it.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to johnwoodssoundeklin

‎02-13-2014 05:00 AM

Move the wireless policy down in the priority order so you don't break the VPN. Then when testing, look at the logs and see if it's hitting your VPN policy or your wireless policy. If it's hitting your VPN, then you need to add more lookups on the VPN. Maybe NAS-ID which is the IP address of your VPN appliance. This way if you also use NAS-ID for the wireless, then NOS knows it's not from the VPN and goes to the next profile.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
0 Helpful

Scott Fella
Hall of Fame
Hall of Fame

‎02-13-2014 02:07 AM

John,

Here is a support doc that can help

https://supportforums.cisco.com/docs/DOC-32752

You can find other out there by searching

"WLC Microsoft NPS 802.1x example"

http://networklessons.com/wireless/peap-and-eap-tls-on-server-2008-and-cisco-wlc/

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
0 Helpful

johnwoodssoundeklin
Level 1
Level 1
In response to Scott Fella

‎02-13-2014 02:22 AM

Thanks Scott, I will read through this documentation, test it and post the outcome.

John Woods

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card