May 12th, 2008

I ran into a problem when trying to use ACSE + Windows AD to authenticate two kinds of WLAN clients:

1. Background:

We have two WLANs: staff and student. Both of them will use PEAP-MSCHAPv2; ACSE will be the RADIUS server, and it will use Windows AD's user database. In AD, they created two groups: staff and student. The testing account for staff is staff1, and the testing account for student is student1.

2. Problem:

If student1 tries to associate to the staff WLAN, since both the staff and student WLANs use the same authentication method, the auth request will be sent to the AD user database. Since student1 is a valid user account in AD, it will pass authentication and then join the staff WLAN. How can we prevent this from happening?

3. Potential solution and its limitation:

1) Use group mapping in ACSE (Dynamic VLAN Assignment with WLCs based on ACS to Active Directory Group Mapping), but ACS can only support group mapping for groups that have no more than 500 users. The student group will definitely exceed 500 users, so how can this be solved?

2) Use methods like “Restrict WLAN Access based on SSID with WLC and Cisco Secure ACS”: configure DNIS with the SSID name in a NAR in ACSE. But since DNIS/NAR is only configurable in ACSE, I don't know whether AD supports it or not. Is there any option in AD like DNIS/NAR in ACSE?

Thanks for any suggestions!
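The core of the problem above is that PEAP-MSCHAPv2 against AD only answers "is this a valid domain account?"; which SSID the client is joining, and which AD group it belongs to, has to be checked in a separate authorization step on the RADIUS server. The following is an added example, not code from the original post or from Cisco ACS: a small Python model of that authorization step that combines both ideas from the post (matching the SSID carried in the RADIUS Called-Station-Id attribute, and mapping AD group membership to a VLAN). The user accounts, group names, VLAN numbers and the `GROUP_LIMIT` constant are constructed sample data and assumptions for illustration; the `<AP-MAC>:<SSID>` layout of Called-Station-Id is what Cisco WLCs send, and the Tunnel-* attributes are the standard RFC 2868 VLAN assignment attributes.

```python
"""Added example: post-authentication authorization for a RADIUS server that
fronts Windows AD. Sample users, groups and VLAN ids are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed stand-in for an AD group membership lookup (user -> groups).
AD_GROUPS: Dict[str, Set[str]] = {
    "staff1": {"staff", "Domain Users"},
    "student1": {"student", "Domain Users"},
    "contractor1": {"Domain Users"},  # valid AD account, in neither WLAN group
}

# Assumed limit mirroring the ACS caveat discussed in the thread: a user who is
# a member of more than this many groups cannot be group-mapped reliably.
GROUP_LIMIT = 500

# SSID -> (AD group that may join it, VLAN id to hand back). Assumed values.
SSID_POLICY = {
    "staff": ("staff", 10),
    "student": ("student", 20),
}


@dataclass
class Decision:
    accept: bool
    vlan: Optional[int]
    reason: str


def ssid_from_called_station_id(attr: str) -> str:
    """Cisco WLCs send Called-Station-Id as '<AP-MAC>:<SSID>'. The SSID-based
    NAR/DNIS approach in the thread matches on exactly this value. A value
    without the ':' separator yields '' so the caller rejects it."""
    _mac, sep, ssid = attr.partition(":")
    return ssid if sep else ""


def authorize(user: str, called_station_id: str,
              ad_groups: Dict[str, Set[str]] = AD_GROUPS) -> Decision:
    """Decide whether an ALREADY AUTHENTICATED user may join the requested
    SSID, and which VLAN to assign. Authentication success alone never grants
    access: the SSID and the user's AD groups must agree with SSID_POLICY."""
    ssid = ssid_from_called_station_id(called_station_id)
    if ssid not in SSID_POLICY:
        return Decision(False, None, f"unknown or missing SSID {ssid!r}")

    groups = ad_groups.get(user)
    if groups is None:
        # Should not happen after a successful AD bind, but fail closed anyway.
        return Decision(False, None, f"no group data for user {user!r}")
    if len(groups) > GROUP_LIMIT:
        return Decision(False, None,
                        f"user {user!r} is in {len(groups)} groups (> {GROUP_LIMIT})")

    required_group, vlan = SSID_POLICY[ssid]
    if required_group not in groups:
        return Decision(False, None,
                        f"user {user!r} is not in group {required_group!r} for SSID {ssid!r}")
    return Decision(True, vlan, f"user {user!r} mapped to VLAN {vlan} on SSID {ssid!r}")


def to_radius_attrs(decision: Decision) -> Dict[str, str]:
    """Render an Access-Accept's dynamic VLAN attributes (RFC 2868), or an
    empty dict for an Access-Reject."""
    if not decision.accept or decision.vlan is None:
        return {}
    return {
        "Tunnel-Type": "VLAN",            # value 13
        "Tunnel-Medium-Type": "IEEE-802",  # value 6
        "Tunnel-Private-Group-ID": str(decision.vlan),
    }


if __name__ == "__main__":
    ap = "00-11-22-33-44-55"  # constructed AP radio MAC
    for user, ssid in [("student1", "staff"), ("staff1", "staff"),
                       ("student1", "student"), ("contractor1", "student")]:
        d = authorize(user, f"{ap}:{ssid}")
        print("ACCEPT" if d.accept else "REJECT", d.reason, to_radius_attrs(d))
```

Run as a script it prints a reject for student1 on the staff SSID and an accept with VLAN 10 for staff1, which is the behaviour the thread is after. The shape of the logic is the point: the same authentication backend is used for both WLANs, and the SSID check and group check are applied afterwards, so a valid AD account that is in the wrong group (or in no WLAN group at all) gets an Access-Reject rather than falling through.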

taelon_x7 Wed, 05/14/2008 - 11:30

I think the documentation for ACS states:

ACS can only support group mapping for users who belong to 500 or fewer Windows groups

I read that as: if a user belongs to more than 500 Windows groups, ACS can't map it. The group can have over 500 users; it's just that those users can't belong to more than 500 groups.

bbxie Wed, 05/14/2008 - 18:39

You are right, I misunderstood it previously, so this problem can be solved by group mapping.


