
Limiting RADIUS authentication to a specific AD group

Nov 14th, 2013

I have a basic PEAP configuration using a WLC 4402 with Secure ACS 5.4.  ACS is using Active Directory as the identity source. One issue I've found is that any valid AD user can authenticate, including service accounts.  I don't want this, since service account passwords are never changed and anyone with knowledge of those accounts can gain access to the Wifi Network.

How can I limit access to a certain group, say "Users"?  Can this be done with AD as the source, or do I have to switch to LDAP?

prswami Sat, 11/16/2013 - 00:17
Yes, this can definitely be achieved using AD as the identity store.

In the access service processing the wireless 802.1x authentications, include the compound condition or the AD1 external group condition using the Customize button in the bottom right corner (move the condition from the Available to the Selected portion).

Now, go to the rule responsible for processing the authentication, or create a new rule, and call out the group(s) for which you want the authentication to pass; at the bottom, on the default rule, select the Deny Access authorization profile as the result.

Let me know if you get stuck somewhere.
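The following is an added illustration of the first-match rule evaluation the answer above describes, written as a small Python model and not code from ACS, Cisco or the forum poster. The directory, group names (`Wireless-Users`), account names (`alice`, `svc-backup`) and profile names are constructed placeholders; the point it shows is why the default rule matters: with the default left at Permit Access, an account that matches no explicit rule (here the service account) is still admitted, and switching the default to Deny Access is what closes that gap. The `admitted_accounts` helper is an audit-style check a defender can run over a policy to confirm which accounts it would actually let on the network.

```python
from dataclasses import dataclass

# Result names mirror the ACS authorization profiles mentioned in the thread.
PERMIT = "PermitAccess"
DENY = "DenyAccess"


@dataclass(frozen=True)
class Rule:
    """One row of an ACS-style authorization rule table (modelled, not ACS code).

    required_groups: AD external groups; the rule matches if the user is in any of them.
    result: the authorization profile returned when the rule matches.
    """
    name: str
    required_groups: frozenset
    result: str


def evaluate(rules, default_result, user_groups):
    """First-match evaluation: the first rule whose group condition matches decides.

    If no rule matches, the default rule's result applies. That default is the
    setting the answer above tells you to change to Deny Access.
    Returns (rule_name, result).
    """
    for rule in rules:
        if rule.required_groups & user_groups:
            return rule.name, rule.result
    return "Default", default_result


# Constructed sample directory: group membership per account. A real deployment
# would get this from the AD identity store; these names are placeholders.
DIRECTORY = {
    "alice": frozenset({"Domain Users", "Wireless-Users"}),
    "bob": frozenset({"Domain Users", "Wireless-Users"}),
    "svc-backup": frozenset({"Domain Users"}),   # service account, not in Wireless-Users
    "svc-monitor": frozenset({"Domain Users"}),  # service account, not in Wireless-Users
}

# The one explicit rule the answer suggests: pass authentication for the chosen group(s).
WIRELESS_RULES = [
    Rule("Allow-Wireless-Users", frozenset({"Wireless-Users"}), PERMIT),
]


def decide(username, default_result=DENY, rules=WIRELESS_RULES, directory=DIRECTORY):
    """Evaluate the policy for one account; unknown accounts have no groups."""
    groups = directory.get(username, frozenset())
    return evaluate(rules, default_result, groups)


def admitted_accounts(default_result, rules=WIRELESS_RULES, directory=DIRECTORY):
    """Audit helper: every account the policy would admit under the given default."""
    return sorted(
        user for user in directory
        if decide(user, default_result, rules, directory)[1] == PERMIT
    )


if __name__ == "__main__":
    # The questioner's situation: the default rule still permits, so service accounts get in.
    print("default PermitAccess admits:", admitted_accounts(PERMIT))
    # After following the answer: the default rule denies, only the chosen group gets in.
    print("default DenyAccess admits:  ", admitted_accounts(DENY))
    for user in DIRECTORY:
        print(f"{user:12} -> {decide(user)}")
```

Run stand-alone, the script prints the admitted set under each default so the difference is visible side by side; the `admitted_accounts` output is the list worth reviewing whenever a rule or the default is changed, since a mistakenly broad group (for example a rule on `Domain Users`) shows up there immediately.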
