03-19-2013 06:21 AM - edited 07-03-2021 11:45 PM
Our company is going to have some contractors on site for a long term project. They are bringing their own laptops and will not be on our domain. We want to set up a separate SSID for this group of people. Our IT Security department wants us to have certificate authentication. We currently do this with our Corporate users using EAP-TLS with user and machine certs via ACS and Active Directory.
The contractors will only have user accounts/certs, no machine certs. I tried testing a new group in ACS but wasn't able to get that working. We have also tried LDAP auth without interaction with ACS unsuccessfully.
I've been testing these on a test SSID on our corporate WiSM but in the end, this network will live on a 5508 guest controller.
In our environment we have the following:
Two WiSM controllers in separate data centers
4402 guest controller (in production now)
5508 guest controller (being installed now)
All controllers running 7.0.235.3
ACS 4.2
NCS 1.1.1.24
03-19-2013 06:28 AM
Joe: you have configured the clients to use only user authentication?
What is the failure reason you see under the failed attempts logs?
What you can do is configure a group to which users who fail machine auth will be mapped.
Or
you can exempt specific groups from passing machine auth.
This is configurable under
External User Databases -> Database configuration -> Windows Database -> press configure button -> Windows Auth configuration.
Go to (Windows EAP Settings) area.
HTH
Amjad
Rating useful replies is more useful than saying "Thank you"
03-19-2013 06:42 AM
Ok, if we are to use ACS for this do you know how I can get the users dynamically mapped to a new group? Corporate users are put into the default group right now. Is there an attribute in Active Directory or something we need to specify to put these contractors into their own dynamic group?
03-19-2013 06:49 AM
Joe:
If only those contractors use user auth only (and all others use machine and user auth) then you can map those who do only a user auth (not machine auth) to specific AD group.
Those users are on the AD?? You mentioned that they are not before? or they are?
03-19-2013 06:50 AM
The users are in AD but not the machines.
03-19-2013 06:52 AM
This is even easier. If they are in the same AD group you can map the AD group to a specific local ACS group.
External User DB -> DB group mapping.
03-19-2013 06:56 AM
That's what I tried before but with no luck. Right now, the mapping that appears to work for our corporate users is "All other combinations" under NT Groups. Can you tell me how I would get these contractors to match up to another mapping?
I do not have access to Active Directory, that is another group here. So if something needs to be added/changed for these users I will have to let them know.
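The question of why the contractors keep landing in the "All other combinations" mapping comes down to how an ordered group-mapping list is evaluated. The following Python model is an added example, not code from the thread or from Cisco ACS: it assumes the mappings are evaluated top-down with the first match winning and "All other combinations" acting as a catch-all (my assumption about ACS 4.2 behaviour), and the AD group names "Corp-Wireless" and "Contractors-Wireless" and the ACS group names are invented for illustration. The useful point it shows is that a contractor mapping placed after the catch-all can never be reached, so the order of the entries matters as much as their content.

```python
# Added example (not from the thread or from Cisco ACS): a small model of an
# ordered "NT group to ACS group" mapping list. Assumed semantics: entries are
# evaluated top-down, the first entry whose required AD groups the user holds
# wins, and "All other combinations" matches every user.
from typing import List, Optional, Tuple

# A mapping entry: the set of AD groups the user must belong to, and the local
# ACS group such a user is mapped to. The empty set is the catch-all entry.
Mapping = Tuple[frozenset, str]

ALL_OTHER = frozenset()  # stands in for "All other combinations"


def map_user(user_groups: set, mappings: List[Mapping]) -> Optional[str]:
    """Return the ACS group a user is mapped to, or None if nothing matches.

    Evaluation is top-down, first match wins; the catch-all matches everyone,
    so any entry listed after it is dead configuration.
    """
    for required, acs_group in mappings:
        if required == ALL_OTHER or required <= user_groups:
            return acs_group
    return None


def unreachable_mappings(mappings: List[Mapping]) -> List[str]:
    """ACS groups whose mapping entry sits below the catch-all (never reached)."""
    seen_catch_all = False
    dead = []
    for required, acs_group in mappings:
        if seen_catch_all:
            dead.append(acs_group)
        if required == ALL_OTHER:
            seen_catch_all = True
    return dead


# Constructed sample memberships (hypothetical AD group names).
CORP_USER = {"Domain Users", "Corp-Wireless"}
CONTRACTOR = {"Domain Users", "Contractors-Wireless"}

# The setup described in the thread: only the catch-all mapping exists, so
# every authenticated user ends up in the default ACS group.
CURRENT_MAPPINGS: List[Mapping] = [
    (ALL_OTHER, "Default Group"),
]

# A contractor mapping added below the catch-all: it can never match.
WRONG_ORDER: List[Mapping] = [
    (ALL_OTHER, "Default Group"),
    (frozenset({"Contractors-Wireless"}), "Contractors"),
]

# The contractor mapping placed above the catch-all.
RIGHT_ORDER: List[Mapping] = [
    (frozenset({"Contractors-Wireless"}), "Contractors"),
    (ALL_OTHER, "Default Group"),
]

if __name__ == "__main__":
    cases = [("current", CURRENT_MAPPINGS),
             ("wrong order", WRONG_ORDER),
             ("right order", RIGHT_ORDER)]
    for name, m in cases:
        print(f"{name:12s} corp -> {map_user(CORP_USER, m)!s:14s} "
              f"contractor -> {map_user(CONTRACTOR, m)!s:14s} "
              f"unreachable: {unreachable_mappings(m)}")
```

Running the block prints one line per configuration; in the "wrong order" case the contractor still maps to the default group and the Contractors entry is reported as unreachable, which is the symptom described above. The AD side still has to put the contractors in a distinguishable group before any mapping can key on it.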