07-14-2013 04:35 AM - edited 07-04-2021 12:25 AM
Hi,
Currently, I'm working with a WLC 5508, and our company has wildcard certificates. The authentication for employees is done with Active Directory, so my question is:
Is there any way to trust all company assets? Because if it's possible, how? I want the employee to enter his AD login only the first time and then have the MAC address recorded.
Regards,
07-14-2013 05:18 AM
Well, it seems like you should know about the various ways before you decide on what you should do. MAC recording... doesn't really help here. What you want is a way to only trust company assets using Active Directory.
First off, to be able to look up AD credentials and its computer info, you need a RADIUS server. Research 802.1X....
Now, since you have AD, Microsoft has its own RADIUS servers: 2003 is IAS and 2008 is NPS. I will not go over other RADIUS servers for now.
Usually the best way is to use EAP-TLS. EAP-TLS requires a certificate on the RADIUS server and on the client device. This way, only devices that have this certificate will be able to authenticate. EAP-PEAP only requires a certificate on the RADIUS server, and you can use either AD credentials and/or machine authentication. Now, with AD credentials, you really can't prevent a user from knowing how to set up another non-company device to access the wireless. Machine authentication only works for Windows machines also. So you really have to think about what will be on the wireless and how you can control that.
Cisco ISE can profile devices and is the big brother to Cisco's RADIUS server, ACS. You can place a certificate or registry entry or something else and decide what devices will have access and what will not. This will also keep a list of MAC addresses and sort them by device profiles, or you can manually sort them or put them in a category you wish.
Either way you look at it, ISE is probably the best way and the only way you can reach the requirement you want, but when it comes to wireless, you must know what devices you have and what type of encryption and authentication they can use. For example, if you have scanners, some can't do 802.1X. If you have Apple TV, you can't do 802.1X, and that has to be pre-shared keys.
Hope this helps
Sent from Cisco Technical Support iPhone App
07-14-2013 08:11 AM
Thank you Scott, very useful explanation!
To begin with, we haven't got ISE. I think that's the best solution, but for now I have to work without it.
I have some questions:
1- Which kind of certificate may I use? Because I want to use those delivered by my company.
2- My aim is to facilitate access for employees so they don't have to enter their login every day to have wireless network access. Then, could you please help me to choose between the two protocols (EAP-PEAP / EAP-TLS)? I read some documents, but they are so complicated that I could not make my choice.
3- I want to let a certain category of employees have access to the LAN network. Is it possible?
4- Our RADIUS is a Linux server, so it's not necessary to use NPS?
07-14-2013 08:24 AM
With RADIUS you can set a policy to only allow certain OUs to have access. If you want to use username and password, then you use PEAP. This requires a certificate on the RADIUS server only. It's tough to tell you what you need without knowing all the devices, what each can do, etc. Do you have a PKI infrastructure or not? Are you just using a trusted root CA for your certificates? There is sooooo much info that it would be best to consult with your local Cisco SE or your Cisco vendor, if you are using one. EAP-TLS is more work but very secure, since all the clients need a certificate. PEAP just requires a cert on the RADIUS server.
Sent from Cisco Technical Support iPhone App
07-15-2013 12:39 AM
Hi,
Do you have any suggestion of simple documentation which explains the integration of EAP-PEAP into the design?
07-15-2013 04:35 AM
You can just search for WLC EAP-PEAP configuration or WLC PEAP configuration.
Here are some.
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080921f67.shtml
http://wirelessccie.blogspot.com/2009/10/eap-tls-and-peap-configurations.html?m=1
Sent from Cisco Technical Support iPhone App
07-15-2013 08:07 AM
Use MAC filtering, and import your client MACs into your RADIUS server, like ACS or ISE.
The problem will be that the first time you need a method to import your corporate asset MAC addresses.
I haven't tested whether 802.1X on MAC filtering failure should work or not... may someone give a hint?
Sent from Cisco Technical Support iPad App
07-17-2013 02:21 AM
This way seems the best; some help on this?
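One way to do the "import your corporate asset MAC addresses" step on the Linux RADIUS server mentioned earlier in the thread, added here as an example; it is not code from any of the posters. It assumes FreeRADIUS (the users-file syntax is FreeRADIUS's), a WLC MAC delimiter of lowercase hyphen-separated addresses (00-11-22-33-44-55) sent as User-Name, AAA override enabled on the WLAN so the Tunnel-* reply attributes drop the client into a VLAN (which is also how the "certain category of employees gets LAN access" question is usually answered), and a constructed inventory format of mac,owner,vlan. It normalizes the spellings that inventories usually mix, drops duplicates and malformed entries, and writes one entry per asset. One caveat a practitioner should keep in mind: MAC filtering is an inventory control, not authentication, because a MAC address is trivially spoofed by anyone who can observe it on the air, so it complements 802.1X rather than replacing it.

```shell
#!/bin/sh
# Added example (not from the thread): build FreeRADIUS "users" entries for
# WLC MAC filtering from an asset inventory.
# Assumptions: FreeRADIUS users-file syntax; the WLC sends the MAC as
# User-Name in lowercase hyphen form (00-11-22-33-44-55); AAA override is
# enabled so Tunnel-* reply attributes select the VLAN.
set -eu

# Normalise aa:bb:cc:dd:ee:ff / AABBCCDDEEFF / aabb.ccdd.eeff to
# aa-bb-cc-dd-ee-ff. Prints nothing and returns 1 unless exactly 12 hex digits.
normalize_mac() {
    hex=$(printf '%s' "$1" | tr -d ':.-' | tr 'A-F' 'a-f')
    case "$hex" in
        ????????????) ;;          # exactly 12 characters
        *) return 1 ;;
    esac
    case "$hex" in
        *[!0-9a-f]*) return 1 ;;  # anything that is not a hex digit
    esac
    printf '%s' "$hex" | sed 's/\(..\)\(..\)\(..\)\(..\)\(..\)\(..\)/\1-\2-\3-\4-\5-\6/'
}

# One users-file entry: $1 = normalised MAC, $2 = VLAN id or empty, $3 = owner.
# "Auth-Type := Accept" skips the password check, so the entry works whatever
# password form the WLC's MAC-filter RADIUS compatibility mode sends.
users_entry() {
    printf '# %s\n%s\tAuth-Type := Accept' "$3" "$1"
    if [ -n "$2" ]; then
        printf '\n\tTunnel-Type = VLAN,\n\tTunnel-Medium-Type = IEEE-802,\n\tTunnel-Private-Group-Id = %s\n\n' "$2"
    else
        printf '\n\n'
    fi
}

# Read "mac,owner,vlan" lines (constructed format), skip comments and blank
# lines, normalise, de-duplicate, write entries to $2 and print how many.
import_inventory() {
    inv=$1; out=$2
    : > "$out"
    seen=""; n=0
    while IFS=, read -r mac owner vlan; do
        case "$mac" in ''|'#'*) continue ;; esac
        if ! norm=$(normalize_mac "$mac"); then
            echo "skipping malformed MAC '$mac' ($owner)" >&2
            continue
        fi
        case " $seen " in *" $norm "*) continue ;; esac   # same MAC, other spelling
        seen="$seen $norm"
        users_entry "$norm" "$vlan" "$owner" >> "$out"
        n=$((n + 1))
    done < "$inv"
    echo "$n"
}

# Constructed sample inventory: a duplicate spelling, a typo and a no-VLAN host.
DEMO=$(mktemp -d)
cat > "$DEMO/inventory.csv" <<'EOF'
# mac,owner,vlan  (constructed sample inventory)
AA:BB:CC:DD:EE:01,laptop-finance-01,20
aa-bb-cc-dd-ee-01,laptop-finance-01,20
0011.2233.4455,scanner-warehouse-3,30
00:11:22:33:44:GG,typo-entry,20
00:11:22:33:44:56,laptop-it-07,
EOF
ENTRIES=$(import_inventory "$DEMO/inventory.csv" "$DEMO/users.mab")
echo "wrote $ENTRIES entries to $DEMO/users.mab"
cat "$DEMO/users.mab"
```

The generated file is meant to be pulled into the FreeRADIUS users file with `$INCLUDE`, and re-generated from the inventory rather than hand-edited, so that retiring an asset in the inventory also revokes its wireless entry.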
07-15-2013 03:44 PM
Hello,
As per your query, I can suggest you the following solution:
You need to create a PEM file that contains the full chain of certificates. The full chain includes:
1 - Your SSL certificate (web server)
2 - The Entrust cross certificate (L1C)
3 - The Entrust root certificate (Entrust 2048 root)
Hope this will help you.
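A scripted version of assembling and checking that chain, added here as an example and not from the post's author. It builds a throwaway three-tier PKI with openssl as a constructed stand-in for the Entrust root, the L1C cross certificate and the web server certificate (all names and the hostname are invented) so that it runs offline, concatenates the files in the order listed above (server certificate first, root last), and checks each link: every certificate's issuer must equal the subject of the next one, the last must be self-signed, and openssl verify must accept the leaf with the middle certificates supplied as untrusted. Order matters because TLS requires the server certificate to be sent first (RFC 5246 section 7.4.2); a file that starts with the root, or that drops the cross certificate, is a common cause of browser and supplicant certificate warnings even though every certificate in it is valid.

```shell
#!/bin/sh
# Added example (not from the thread): assemble a full-chain PEM in the order
# server certificate -> intermediate/cross certificate -> root, then check it.
# The PKI built here is a constructed stand-in generated with openssl; replace
# it with the real certificate files. Requires the openssl command.
set -eu

# Verify that a PEM bundle is ordered leaf first, root last: each certificate's
# issuer must be the subject of the one after it, the last must be self-signed,
# and the leaf must verify against the root with the rest as untrusted.
check_chain_order() {
    chain=$1
    d=$(mktemp -d)
    # one file per certificate, numbered in file order
    awk -v d="$d" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/cert." n ".pem")}' "$chain"
    i=1
    while [ -f "$d/cert.$i.pem" ]; do
        subj=$(openssl x509 -noout -subject -in "$d/cert.$i.pem"); subj=${subj#subject=}
        iss=$(openssl x509 -noout -issuer -in "$d/cert.$i.pem"); iss=${iss#issuer=}
        next=$((i + 1))
        if [ -f "$d/cert.$next.pem" ]; then
            nsubj=$(openssl x509 -noout -subject -in "$d/cert.$next.pem"); nsubj=${nsubj#subject=}
            if [ "$iss" != "$nsubj" ]; then
                echo "cert $i is issued by '$iss' but cert $next is '$nsubj': wrong order or missing cert" >&2
                rm -rf "$d"; return 1
            fi
        elif [ "$iss" != "$subj" ]; then
            echo "last cert '$subj' is not a self-signed root" >&2
            rm -rf "$d"; return 1
        fi
        i=$next
    done
    last=$((i - 1))
    if [ "$last" -lt 1 ]; then echo "no certificates in $chain" >&2; rm -rf "$d"; return 1; fi
    # cryptographic check: leaf against the root, middle certificates as untrusted
    set --
    j=2
    while [ "$j" -lt "$last" ]; do set -- "$@" -untrusted "$d/cert.$j.pem"; j=$((j + 1)); done
    if openssl verify -CAfile "$d/cert.$last.pem" "$@" "$d/cert.1.pem" >/dev/null; then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}

# Constructed three-tier demo PKI: root -> intermediate -> wildcard server cert.
build_demo_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.com\n' > "$d/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Root' \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate' \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -days 30 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=*.example.com' \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
        -days 30 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}

PKI=$(mktemp -d)
build_demo_pki "$PKI"
CHAIN="$PKI/chain.pem"          # the file to upload: server cert, cross cert, root
WRONG="$PKI/root-first.pem"     # common mistake: root on top
cat "$PKI/leaf.pem" "$PKI/int.pem" "$PKI/root.pem" > "$CHAIN"
cat "$PKI/root.pem" "$PKI/int.pem" "$PKI/leaf.pem" > "$WRONG"
if check_chain_order "$CHAIN"; then echo "$CHAIN: order and signatures OK"; fi
if check_chain_order "$WRONG" 2>/dev/null; then :; else echo "$WRONG: rejected, as expected"; fi
```

Run `check_chain_order` against the real bundle before uploading it; the subject/issuer comparison catches ordering and missing-intermediate mistakes with a readable message, and the final `openssl verify` catches a chain that is in the right order but was assembled from the wrong root or cross certificate.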