User authentication using Active Directory

carlosmadriz
Level 1

Hi,

A client asked me the following:

"I have a problem, I need to authenticate employees to our wireless network using their domain user and password, but they all have portable computers that don't belong to my domain".

I have one SSID using PEAP to authenticate a different level of users (they all have their laptops registered to the domain), I'm using ACS 3.3.3 to authenticate them.

Now I need to find a way to use the second SSID to give wireless access to all the other users (the ones who don't have their computer inside the domain, but have a valid user and password of the domain).

If someone has an idea, please let me know

3 Replies

beth-martin
Level 5

If I have understood your problem correctly, there is one called Guest SSID which can be used for users who don't belong to your domain.

scottmac
Level 10

You could define a different group in ACS for the guests, and authenticate them against the "local database" using a common or on-demand ID & password.

You could implement a "Captive Portal": users get a GUI sign-on that will set up their access depending on their login (also permits some filtering and a "Terms of Use" acknowledgement).

Cisco has BBSM ($$), there are also some open source Captive Portals, most are Linux based (like "nocat"). Google on "Captive Portals" and pick one that suits your need.

You might be able to set up a VPN for the non-AD personnel (using Microsoft PPTP/L2TP VPN). It's something most folks are likely to have (Macs and *nix would work but require a little more setup) and would prevent/reduce/discourage drive-by bandwidth thieves.

Good Luck

Scott

Vivek Santuka
Cisco Employee

Hi,

Even if the machines do not belong to the domain but can connect to the SSID, ACS can authenticate the users to Active Directory. AD will be configured as an external database.

This does not require the machine to be a part of the domain.
