Authentication with ACS combined with AD + CA

d.heo
Level 1

Hi Experts,

I have 2 questions regarding authentication of wireless users.

1. We have 2 SSIDs (Executive and Employee), and use a Certificate Authority for authentication.

Here is a simple topology:

AP - WLC - ACS - AD - CA

The WLC is configured with ACS as the RADIUS server for both SSIDs.

Here is my question. Is there any way we can only allow Executives to access the Executive SSID?

The issue is that employees can access the Executive SSID as long as the laptop has a valid certificate.

2. Another question is, is there any way we can use "Certificate and Windows credential together only" to access the SSID?

I could not find an option on the ACS to allow using "Certificate and Windows credential together only". I have a client who used autonomous APs before, and he mentioned that both credentials (certificate and Windows credential together) were needed to join the WLAN.

Thank you for your answers in advance.

Roger

"Carpe Diem"

3 Replies

Stephen Rodriguez
Cisco Employee

For question one, you would want to use NAR.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml

For the second, I'm not sure it is possible; if you are using TLS for machine authentication, and then PEAP for user, the user auth would supersede the machine auth, IIRC.

Maybe Scott will have a different opinion on it.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered


Thank you Steve !

Could you tell me a bit more detail regarding the configuration on ACS? The white paper is a bit blurry, though.

Thanks,

Roger

"Carpe Diem"

Basically you use the called station ID setting (DNIS) of the 'executive' WLAN, and apply the policy to the 'employee' profile and deny access.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a0080858d3c.shtml

That link is a guide, but has no pictures.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

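The mechanism Steve points to in both replies (a NAR keyed on the Called-Station-Id/DNIS of the Executive WLAN, applied to the employee group as a deny) is easier to reason about when the decision logic is written out. The following is an added illustration, not Cisco ACS code and not from any poster in this thread. It assumes the WLC's default Called-Station-Id format of "<AP-MAC>:<SSID>" (RADIUS attribute 30) and that ACS has already mapped each AD user to a single ACS group; the group names, AP MAC address and access requests are constructed for the example.

```python
"""Simulated ACS-style Network Access Restriction (NAR) keyed on DNIS.

Added example, not Cisco ACS code. It models the check described in the
thread: the WLC puts "<AP-MAC>:<SSID>" in RADIUS Called-Station-Id (attribute
30; this default WLC format is an assumption here), ACS maps the AD user to one
ACS group, and a per-group NAR denies access when the called station ID
matches the 'Executive' WLAN. Group names and requests below are constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Tuple


@dataclass(frozen=True)
class AccessRequest:
    username: str
    acs_group: str          # ACS group after AD group mapping (constructed names)
    called_station_id: str  # RADIUS attribute 30 as sent by the WLC
    cert_valid: bool        # outcome of the EAP-TLS certificate check


@dataclass(frozen=True)
class DnisNar:
    """Deny rule: members of `group` are refused when the SSID matches a pattern."""
    group: str
    denied_ssid_patterns: Tuple[str, ...]  # shell-style patterns, case-sensitive


def parse_called_station_id(value: str) -> Tuple[str, str]:
    """Split "<AP-MAC>:<SSID>" into (ap_mac, ssid).

    SSIDs may legitimately contain ':', so split only on the first separator.
    """
    if ":" not in value:
        raise ValueError(f"unexpected Called-Station-Id format: {value!r}")
    ap_mac, ssid = value.split(":", 1)
    return ap_mac.lower(), ssid


def evaluate(request: AccessRequest, nars: Tuple[DnisNar, ...]) -> Tuple[str, str]:
    """Return ("ACCEPT" | "REJECT", reason) for one access request."""
    # Certificate authentication comes first; a NAR never rescues a bad cert.
    if not request.cert_valid:
        return "REJECT", "certificate authentication failed"
    try:
        _, ssid = parse_called_station_id(request.called_station_id)
    except ValueError as exc:
        # Fail closed: an unparseable DNIS must not bypass the restriction.
        return "REJECT", str(exc)
    for nar in nars:
        if nar.group != request.acs_group:
            continue
        for pattern in nar.denied_ssid_patterns:
            if fnmatchcase(ssid, pattern):
                return "REJECT", f"NAR on group {nar.group!r} denies SSID {ssid!r}"
    return "ACCEPT", f"{request.username} admitted to SSID {ssid!r}"


# The single NAR the thread describes: applied to the employee group, denying
# the executive WLAN. Executives carry no NAR, so they can reach both SSIDs.
NARS = (DnisNar(group="Employees", denied_ssid_patterns=("Executive",)),)

# Constructed sample requests (AP MAC, user and group names are made up).
AP = "00-1a-2b-3c-4d-5e"
SAMPLE_REQUESTS = (
    AccessRequest("alice", "Executives", f"{AP}:Executive", cert_valid=True),
    AccessRequest("bob", "Employees", f"{AP}:Executive", cert_valid=True),
    AccessRequest("bob", "Employees", f"{AP}:Employee", cert_valid=True),
    AccessRequest("alice", "Executives", f"{AP}:Employee", cert_valid=True),
    AccessRequest("mallory", "Employees", f"{AP}:Executive", cert_valid=False),
)


def run_samples() -> List[Tuple[str, str, str]]:
    """Evaluate every sample request; returns (user, ssid, decision) triples."""
    results = []
    for req in SAMPLE_REQUESTS:
        _, ssid = parse_called_station_id(req.called_station_id)
        results.append((req.username, ssid, evaluate(req, NARS)[0]))
    return results


if __name__ == "__main__":
    for user, ssid, decision in run_samples():
        print(f"{user:8s} -> {ssid:10s} {decision}")
```

Two points worth checking against a real ACS deployment: the deny NAR only works if executives are not also mapped into the employee ACS group (AD group mapping order decides this, so a catch-all such as "Domain Users" placed above the executive mapping would block executives too), and the restriction keys on the exact SSID string the WLC sends, so renaming a WLAN or changing the WLC's Called-Station-Id format silently changes what the NAR matches.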