I am going in circles here. First off, I apologize for posting this question if it has been covered in the past (if you have another thread to suggest, I invite you to point me to it!). I have done quite a bit of searching on several forums, articles and support sites, but I am missing something.
I am working with HP ProCurve 420 wireless access points (they purchased these before I started). I have set up Cisco Secure ACS 4.2 for Windows. I have configured external database group mappings to Active Directory and dynamic VLAN assignment per group. I set up the ACS certificate, and the certificate authority is our own CA server on our network. Users can successfully authenticate and connect to the appropriate VLAN right now. This is where I am stumped. I only want our computers to be able to connect.
1. How/What/Where do I go from here if I only want to allow computers on our domain to connect to the enterprise wireless connection? Do I set up some sort of other certificate that gets distributed by GPO or something? And/or is there something in ACS that I can change?
2. What is the ACS certificate I already have installed on the ACS server doing? Is it encrypting the authentication process that takes place when a user is establishing a connection?
3. How have you guys done this on your own networks? Am I going about this the wrong way? What do you suggest?
The end goal is that I want a user with a company laptop to be able to connect to the wireless network, authenticate and be placed in the appropriate VLAN (which is working now), but I don't want them to be able to do this with just any device. I want to somehow manage and restrict which computers can connect. Please help!
If you have ACS, why don't you just use MAR (Machine Access Restrictions)? If the user doesn't pass machine authentication, the ACS won't pass his user authentication.
1 - I think you can use the group mapping (see page 603 of the ACS 4.2 user guide) to utilize the domain computers group. Deny access to any other group (via the No Access Group)
2 - At the beginning of each EAP conversation, the ACS server will offer the certificate as proof of who it is. If the client trusts the cert, then the client will continue with the authentication process. This is how you help ensure that your clients only connect to your network. If you configure the clients to ignore the cert, and someone else pops up a network with your SSID, your clients might try to connect.
3 - Lots of companies complain about not being able to control which devices connect to their network. This is one way to do that. By just using PEAP with user accounts, any iPhone/iPad/personal laptop/whatever can connect to your wireless network if the user knows how to set it up.
If you move forward with this, please post back and let us know how it works out.