cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
496
Views
0
Helpful
6
Replies

BYOD Wireless authentication help

Joe Clark
Beginner
Beginner

Our company is going to have some contractors on site for a long term project.  They are bringing their own laptops and will not be on our domain.  We want to set up a separate SSID for this group of people.  Our IT Security department wants us to have certificate authentication.  We currently do this with our Corporate users using EAP-TLS with user and machine certs via ACS and Active Directory.

The contractors will only have user accounts/certs, no machine certs.  I tried testing a new group in ACS but wasn't able to get that working.  We have also tried LDAP auth without interaction with ACS unsuccesfully.

I've been testing these on a test SSID on our corporate WiSM but in the end, this network will live on a 5508 guest controller.

In our environment we have the following:

Two WiSM controllers in separate data centers

4402 guest controller (in production now)

5508 guest controller (being installed now)

All controllers running 7.0.235.3

ACS 4.2

NCS 1.1.1.24

6 Replies 6

Amjad Abdullah
Engager
Engager

Joe: you have configured the clients to use only user authentication?

What is the failure reason you see under the failed attemtps logs?

What you can do is configure a group to which users fail machine auth will fail to.

Or

you can excempt specific groups from passing machine auth.

This is configurable under

External User Databases -> Database configuration -> Windows Database -> press configure button -> Windows Auth configuration.

Go to (Windows EAP Settings) area.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

Rating useful replies is more useful than saying "Thank you"

Ok, if we are to use ACS for this do you know how I can get the users dynamically mapped to a new group?  Corporate users are put into the default group right now.  Is there an attribute in Active Directory or something we need to specify to put these contractors into their own dynamic group?

Joe:

If only those contractors use user auth only (and all others use machine and user auth) then you can map those who do only a user auth (not machine auth) to specific AD group.

Those users are on the AD?? You mentnioned that they are not before? or they are?

Rating useful replies is more useful than saying "Thank you"

Rating useful replies is more useful than saying "Thank you"

The users are in AD but not the machines.

this is even easier. If they are in same AD gropu you can map the AD group to a specific local ACS group.

External User DB -> DB group mapping.

Rating useful replies is more useful than saying "Thank you"

Rating useful replies is more useful than saying "Thank you"

That's what I tried before but with no luck.  Right now, the mapping that appears to work for our corporate users is "All other combinations" under NT Groups.  Can you tell me how I would get these contractors to match up to another mapping?

I do not have access to Active Directory, that is another group here.  So if something needs to be added/changed for these users I will have to let them know.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers