Wireless authentication network design questions... best practices... etc...

gvb · ‎01-16-2014

Working on a wireless deployment for a client... wanted to get updated on what the latest best practices are for enterprise wireless.

Right now, I've got the corporate SSID integeatred with AD authentication on the back end via RADIUS.

Would like to implement certificates in addition to the user based authentcation so we have some level of dual factor authentcation.

If a machine is lost, I don't want a certificate to allow an unauthorized user access to a wireless network. I also don't want poorly managed AD credentials (written on a sticky note, for example) opening up the network to an unathorized user either... is it possible to do an AND condition, so that both are required to get access to a wireless network?

Scott Fella · ‎01-16-2014

There really isn't a true two factor authentication you can just do with radius unless its ISE and your doing EAP Chaining. One way that is a workaround and works with ACS or ISE is to use "Was machine authenticated". This again only works for Domain Computers. How Microsoft works:) is you have a setting for user or computer... this does not mean user AND computer. So when a windows machine boots up, it will sen its system name first and then the user credentials. System name or machine authentication only happens once and that is during the boot up. User happens every time there is a full authentication that has to happen.

Check out these threads and it explains it pretty well.

https://supportforums.cisco.com/message/3525085#3525085

https://supportforums.cisco.com/thread/2166573

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***