Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
331
Views
0
Helpful
2
Replies

problem when try to use ACSE+ Windows AD to authenticate two kind of WLAN c

bbxie
Level 3
Level 3

‎05-12-2008 10:05 PM - edited ‎07-03-2021 03:51 PM

I met a problem when try to use ACSE+ Windows AD to authenticate two kind of WLAN clients:

1. Background:

We have two WLAN: staff and student, both of them will use PEAP-MSCHAPv2, ACSE will be the Radius server, it will use Windows AD's user database. In AD, they create two groups: staff and student. The testing account for staff is staff1, the testing account for student is student1.

2. Problem:

If student1 try to associate to staff WLAN, since both staff and student WLAN using the same authentication method, the auth request will be send to AD user database, since student1 is a valid user account in AD, then it will pass the authentication, then it will join the staff WLAN. How to prevent this happen?

3. Potential solution and its limitation:

1) Use group mapping in ACSE(Dynamic VLAN Assignment with WLCs based on ACS to Active Directory Group Mapping), but ACS can only support group mapping for those groups that have no more than 500 users. But the student group will definitely exceed 500 users, how to solve it?

2) Use methods like “Restrict WLAN Access based on SSID with WLC and Cisco Secure ACS”: Configure DNIS with ssid name in NAR of ACSE, but since DNIS/NAR is only configurable in ACSE, don't know if AD support it or not, is there any options in AD like DNIS/NAR in ACSE?

Thanks for any suggestions!

Labels:
0 Helpful
2 Replies 2

taelon_x7
Level 1
Level 1

‎05-14-2008 11:30 AM

I think the documentation for ACS states:

ACS can only support group mapping for users who belong to 500 or fewer Windows groups

I read that as, If a user belongs to >500 Windows Group, ACS can't map it. The group can have over 500 users, its just those users can't belong to more than 500 groups.

0 Helpful

bbxie
Level 3
Level 3
In response to taelon_x7

‎05-14-2008 06:39 PM

you are right, I mis-understood it previously, so this problem can be solved by group-mapping

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card