10-04-2012 10:18 AM - edited 07-03-2021 10:46 PM
Hi Experts,
I have 2 questions regarding authentication of wireless users.
1. We have 2 SSIDs (Executive and Employee), and are using a Certificate Authority for authentication.
Here is a simple topology, as below.
AP - WLC - ACS - AD - CA
The WLC is configured with ACS as the RADIUS server for both SSIDs.
Here is my question. Is there any way we can allow only Executives to access the Executive SSID?
The issue is that employees can access the Executive SSID as long as the laptop has a valid certificate.
2. Another question: is there any way we can require "Certificate and Windows credential together only" to access the SSID?
I could not find an option on the ACS that allows using "Certificate and Windows credential together only". I have a client who used autonomous APs before, and he mentioned that both credentials (certificate and Windows credential together) were needed to join the WLAN before.
Thank you for your answers in advance.
Roger
"Carpe Diem"
10-04-2012 11:04 AM
For question one, you would want to use NAR.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml
For the second, I'm not sure it is possible. If you are using TLS for machine authentication, and then PEAP for user, the user auth would supersede the machine auth, IIRC.
Maybe Scott will have a different opinion on it.
HTH,
Steve
------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
10-04-2012 11:32 AM
Thank you, Steve!
Could you tell me a bit more detail regarding the configuration on ACS? The white paper is a bit blurry though.
Thanks,
Roger
"Carpe Diem"
10-04-2012 11:42 AM
Basically you use the called station ID setting (DNIS) of the 'executive' WLAN, and apply the policy to the 'employee' profile and deny access.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a0080858d3c.shtml
That link is a guide, but no pictures.
HTH,
Steve
------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
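The called-station-ID (DNIS) restriction described in the reply above, modelled as an added example that is not part of the original posts and is not ACS code. It assumes the WLC sends Called-Station-Id as `<AP MAC>:<SSID>` and that the ACS groups are named Employee and Executive; the policy table, function name, and the fail-closed handling of a missing SSID are choices of this sketch.

```python
import re
from fnmatch import fnmatchcase

# Assumption: Called-Station-Id arrives as "<AP MAC>:<SSID>".
# If the WLC sends only the MAC, the SSID group is None.
CSID = re.compile(r"^((?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2})(?::(.+))?$", re.I)

# Hypothetical policy: group -> DNIS wildcard filters that are denied,
# mirroring a "denied calling/point of access" style NAR per group.
DENIED_DNIS = {
    "Employee": ["*:Executive"],   # employees may not join the Executive WLAN
    "Executive": [],               # executives are not restricted by DNIS
}

def decide(group, called_station_id):
    """Return 'permit' or 'deny' for an already-authenticated user."""
    m = CSID.match(called_station_id.strip())
    if m is None or m.group(2) is None:
        # No SSID in the attribute: the filter could never match, so a
        # valid certificate alone would get an employee onto any WLAN.
        return "deny"
    if group not in DENIED_DNIS:
        return "deny"              # unknown group: no policy, no access
    dnis = f"{m.group(1)}:{m.group(2)}"
    for pattern in DENIED_DNIS[group]:
        if fnmatchcase(dnis, pattern):   # SSIDs are case-sensitive
            return "deny"
    return "permit"

if __name__ == "__main__":
    # Constructed sample requests (group, Called-Station-Id).
    samples = [
        ("Employee", "00-1a-2b-3c-4d-5e:Executive"),
        ("Employee", "00-1a-2b-3c-4d-5e:Employee"),
        ("Executive", "00-1a-2b-3c-4d-5e:Executive"),
        ("Employee", "00-1a-2b-3c-4d-5e"),
    ]
    for group, csid in samples:
        print(f"{group:9} {csid:30} -> {decide(group, csid)}")
```

The last sample shows the case to check on a real deployment: if the attribute carries no SSID, a DNIS filter has nothing to match on.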