Allowing wireless access to only company-issued devices

Unanswered Question
Jun 21st, 2010
We're preparing to roll out a secure WLAN across a relatively large enterprise network (2000+ users).  The original plan was for new client connections to be kicked back to ACS (ver 4.2), which is configured for PEAP and references AD for username authentication.  In this scenario, any device that supports WPA2-Enterprise w/ PEAP MS-CHAPv2 can connect to our internal network wirelessly so long as the submitted username/password passes AD authentication.  This has been raised as a big security concern, so we're now looking into options for allowing access to only company-issued devices.

Machine Authentication initially seemed the way to go, but we have a fair number of employees with company-issued Macs, as well as PCs running Linux, and those must be allowed as well.  We've considered EAP-TLS, but we're being told that deploying certificates for so many clients is not considered a “supportable” solution due to infrastructure requirements and administrative overhead.  Earlier today, someone suggested installing the Quest Authentication Services (formerly Vintela) client on non-Windows devices, which would enable them to use AD services, but getting budget to buy licenses will likely set us back a long time.

Would it be possible and sensible to configure ACS so that if a client can't do machine authentication, it would switch to certificate-based authentication with EAP-TLS instead?  If only non-Windows devices require certs, then the CA administration ought to be manageable.

Is anyone aware of any other alternative solutions for this?
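The core of the concern above is that PEAP MS-CHAPv2 proves a *user* password, which any device can present, while what the deployment needs is proof of a *company-issued device*. The following is an added example, not Cisco ACS configuration and not from the original post: a small Python model of the authorization policy the question proposes, where a client is accepted only through AD machine authentication (PEAP inner identity of the form host/NAME) or through EAP-TLS with a certificate from the internal CA, and a user-only PEAP login is refused even when the password is correct. The computer names, the CA name and the issued-device list are constructed placeholders.

```python
"""Model of a device-restricting WLAN authorization policy (added example).

This is not ACS or RADIUS server code; it models the decision a RADIUS
policy would make after the credential check has already succeeded or failed:
accept only clients that prove they are company-issued devices, either by
AD machine authentication (PEAP, inner identity host/<name>) or by EAP-TLS
with a certificate issued by the internal CA.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed inventory data standing in for AD computer objects and for the
# internal CA's list of issued device certificates (all names are assumptions).
DOMAIN_COMPUTERS = {"host/LT-0421.corp.example", "host/LT-0422.corp.example"}
INTERNAL_CA_ISSUER = "CN=Corp Device CA,O=Example Corp"
ISSUED_DEVICE_CERTS = {"CN=mac-0301.corp.example", "CN=lnx-0117.corp.example"}


@dataclass
class AuthRequest:
    eap_type: str                      # "PEAP" or "EAP-TLS"
    identity: str                      # PEAP inner identity or TLS cert subject
    credential_ok: bool                # AD password check / TLS handshake result
    cert_issuer: Optional[str] = None  # issuer DN of the client cert (EAP-TLS)
    cert_revoked: bool = False         # result of a CRL/OCSP lookup (EAP-TLS)


@dataclass
class Decision:
    accept: bool
    reason: str


def authorize(req: AuthRequest) -> Decision:
    """Return the access decision for one authentication attempt."""
    if not req.credential_ok:
        return Decision(False, "credential check failed")

    if req.eap_type == "PEAP":
        if req.identity.startswith("host/"):
            # Machine authentication: the identity is an AD computer account.
            if req.identity in DOMAIN_COMPUTERS:
                return Decision(True, "AD machine authentication")
            return Decision(False, "unknown machine account")
        # A correct user password alone says nothing about the device; this is
        # exactly the case the thread wants to close off.
        return Decision(False, "user-only PEAP: device not proven company-issued")

    if req.eap_type == "EAP-TLS":
        # Chain to the internal CA first, then revocation, then inventory.
        if req.cert_issuer != INTERNAL_CA_ISSUER:
            return Decision(False, "certificate not issued by internal CA")
        if req.cert_revoked:
            return Decision(False, "certificate revoked")
        if req.identity in ISSUED_DEVICE_CERTS:
            return Decision(True, "EAP-TLS device certificate")
        return Decision(False, "certificate subject not an issued device")

    return Decision(False, f"unsupported EAP type {req.eap_type}")


if __name__ == "__main__":
    samples = [
        AuthRequest("PEAP", "host/LT-0421.corp.example", True),
        AuthRequest("PEAP", "jsmith", True),
        AuthRequest("EAP-TLS", "CN=mac-0301.corp.example", True, INTERNAL_CA_ISSUER),
        AuthRequest("EAP-TLS", "CN=mac-0301.corp.example", True, "CN=Some Public CA"),
        AuthRequest("EAP-TLS", "CN=lnx-0117.corp.example", True, INTERNAL_CA_ISSUER, True),
    ]
    for s in samples:
        d = authorize(s)
        print(f"{s.eap_type:8} {s.identity:28} -> {'ACCEPT' if d.accept else 'REJECT'}: {d.reason}")
```

The reject reasons are worth logging on the real server: a burst of "user-only PEAP" rejections with valid passwords is the visible signature of personal devices trying to join, and "certificate not issued by internal CA" is the check that keeps EAP-TLS from degenerating into "any certificate will do".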


Leo Laohoo Mon, 06/21/2010 - 15:19

Sounds like 802.1x is a perfect fit for you.

rsreeves1 Mon, 06/21/2010 - 15:30

Thanks for the response.  When you have time, would you mind elaborating some on where/how I could utilize 802.1x to accomplish this?


rsreeves1 Tue, 06/22/2010 - 06:30

Thanks again for the quick response.  I should clarify, I am already familiar with the 802.1x standard, and I understand how it works.  I'm hoping someone could share some more specific ideas or possibly even reasonable compromises for accomplishing the goals that I've explained above.  We don't have anyone with a strong ACS background, so I'm really just reaching out for anyone I can brainstorm with to find a solution.
