Denying unauthorized devices with ACS

Nov 24th, 2009

Hi

Really new at ACS.

I was wondering if this is possible.

For a school division using AD,

The school division would like to use RADIUS on ACS 4.2 for the AD users to access the network, wired or wireless.

For rogue users they want them to go to the guest default VLAN with Internet only.


Reading some of the information, I see that by loading the remote agent on a Windows server I can set up AD users very easily, but I have not found a lot of information on unauthorized users. I've seen NAR and NAF and it looks like they would work; I'm just not sure I understand the attributes needed.

Any help is appreciated.

Farrukh Haroon Wed, 11/25/2009 - 04:51

Why don't you make two SSIDs (two different VLANs)?


One for guests and the other for regular users. Enable more stringent security measures on the regular VLAN, e.g. PEAP. For regular users only allow DNS and internet traffic (preferably via a proxy that requires authentication). Of course you need a mechanism to generate temporary passwords for the guest users.


Giving them free access to the internet does not seem to be a good idea; what if someone uses the connection maliciously? The Internet is going to see it coming from your public IP!


These are a few PEAP configuration examples:


http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml


http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0e4.shtml


Regards


Farrukh
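As an added illustration of the two-VLAN design suggested above (this is not configuration from the thread or from Cisco's own documentation), the pieces that make it work are: ACS returns the IETF RADIUS tunnel attributes 064/065/081 per ACS group, so the switch or wireless controller places each session in the VLAN that group dictates; AD-mapped users get the staff VLAN and internal-database guest users get the guest VLAN; the access switch also parks anything that never speaks 802.1X, or fails it, in the guest VLAN; and the guest VLAN's SVI carries an ACL that allows only DNS and web out. Every IP address, VLAN number, group name, interface range and the shared secret below is an assumed placeholder, and the IOS syntax is the 12.2-era `dot1x` form current in 2009.

```text
! --- ACS 4.2 side (assumed group names; set in the ACS GUI, there is no CLI) ---
! Interface Configuration > RADIUS (IETF): tick attributes [064], [065], [081]
! so they appear on the Group Setup page, then per group set:
!
!   Group "AD-Staff"  (mapped from an AD group under External User Databases >
!                      Database Group Mappings; users authenticate via the remote agent)
!     [064] Tunnel-Type              = VLAN   (value 13)
!     [065] Tunnel-Medium-Type       = 802    (value 6)
!     [081] Tunnel-Private-Group-ID  = 10     (staff VLAN; a VLAN name also works)
!
!   Group "Guests"    (ACS internal database users only, temporary passwords)
!     [064] Tunnel-Type              = VLAN   (value 13)
!     [065] Tunnel-Medium-Type       = 802    (value 6)
!     [081] Tunnel-Private-Group-ID  = 999    (guest VLAN, Internet only)
!
! --- Catalyst access switch (assumed addresses; 12.2-era dot1x syntax) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius   ! without this the VLAN attributes are ignored
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key ACS-SHARED-SECRET
dot1x system-auth-control
!
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 999          ! static fallback; RADIUS overrides it on success
 dot1x pae authenticator
 dot1x port-control auto
 dot1x guest-vlan 999                ! clients that never send EAPOL land here
 dot1x auth-fail vlan 999            ! clients that fail authentication land here too
 dot1x auth-fail max-attempts 3
!
! Guest VLAN: DNS and web out only, nothing toward the internal address space
ip access-list extended GUEST-INTERNET-ONLY
 permit udp 10.99.0.0 0.0.255.255 any eq 53
 deny   ip  10.99.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 permit tcp 10.99.0.0 0.0.255.255 any eq 80
 permit tcp 10.99.0.0 0.0.255.255 any eq 443
 deny   ip  any any
!
interface Vlan999
 ip address 10.99.0.1 255.255.0.0
 ip access-group GUEST-INTERNET-ONLY in
!
! --- Wireless LAN Controller: one WLAN per SSID, both using the same ACS ---
! WLAN "SCHOOL-STAFF": WPA2/802.1X, RADIUS server 192.0.2.10,
!   Advanced > Allow AAA Override = enabled (this is what lets the returned
!   Tunnel-Private-Group-ID move a staff client onto VLAN 10)
! WLAN "SCHOOL-GUEST": bound to the controller interface on VLAN 999,
!   web authentication against the ACS internal "Guests" users
```

To check that the attributes are actually being honoured, `show dot1x interface FastEthernet0/1 details` on the switch shows the VLAN the session was placed in, and the ACS "Passed Authentications" report shows which group the user matched. The ACL is what turns "guest VLAN" into "Internet only"; if, as the reply above suggests, guests should go through an authenticating proxy instead, replace the port 80/443 permits with a single permit to the proxy's address and port.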

bmarlin Wed, 11/25/2009 - 05:46
Good Morning Farrukh

Thanks for the reply.


I guess I should have indicated that all AD users, wired and wireless, go to authenticate to AD via RADIUS, and rogue wired and wireless users authenticate to the internal ACS DB and then go to the guest VLAN. Is this possible for the rogue users?

I was questioning the internet access as well.

I will be going to see this customer in the near future as I have a few other questions as well.

Thanks again
