ACS 5.2 Access policy

Anatoly Fedchik
Level 1

Hello,

Could you recommend how I can accomplish the following task? I need to configure ACS 5.2 to authenticate Wi-Fi users.

There are two types of users: domain users and non-domain users. I want to authenticate the domain users with PEAP-MSCHAPv2.

The non-domain users I want to authenticate by host lookup (MAC).

The question is how to correctly organize the access policy. Do I need several access services, or will one access service be enough?

Thanks in advance.

Accepted Solutions

Tarik Admani
VIP Alumni

Hi,

Your understanding is quite close; however, for MAB to work with wireless users, you will have to turn on the MAC filtering option for the SSID. This setting is global and will always be triggered, unlike port-based authentication, where you can set an authentication sequence.

You can create one service policy, and within it you can have multiple authorization policies. For the identity settings of this policy, you will have to create an identity store sequence so that either AD is used first and internal hosts second, or vice versa. For the identity setting, you will have to set the "user not found" flag to continue.

Let me know if that works.

Thanks,

Tarik Admani

Please rate if helpful!
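
The evaluation order described in the accepted answer, as an added sketch that is not part of the original post and not Cisco's code: one access service, an identity store sequence (AD, then internal hosts) and one authorization result per matched store. The sample accounts, the profile names, the `on_not_found` parameter and the MAC normalization are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample data (not from the thread).
AD_USERS = {"alice": "s3cret"}               # domain accounts
INTERNAL_HOSTS = {"00-11-22-33-44-55"}       # MACs of non-domain devices

@dataclass
class Request:
    identity: str        # username, or the client MAC when MAC filtering fires
    method: str          # "PEAP-MSCHAPv2" or "HOST-LOOKUP"
    password: str = ""

def normalize_mac(mac):
    """Accept colon, hyphen or bare hex and return XX-XX-XX-XX-XX-XX."""
    digits = re.sub(r"[^0-9A-F]", "", mac.upper())
    return "-".join(digits[i:i + 2] for i in range(0, len(digits), 2))

def lookup_ad(req):
    if req.method != "PEAP-MSCHAPv2" or req.identity not in AD_USERS:
        return "not_found"
    return "pass" if AD_USERS[req.identity] == req.password else "fail"

def lookup_hosts(req):
    if req.method != "HOST-LOOKUP":
        return "not_found"
    return "pass" if normalize_mac(req.identity) in INTERNAL_HOSTS else "not_found"

# Identity store sequence: AD first, internal hosts second.
SEQUENCE = [("AD", lookup_ad), ("Internal Hosts", lookup_hosts)]

# Hypothetical authorization profile names, one rule per matched store.
AUTHZ = {"AD": "corp-access", "Internal Hosts": "restricted-devices"}

def evaluate(req, on_not_found="continue"):
    """Return the authorization profile, or "Access-Reject"."""
    for store, lookup in SEQUENCE:
        result = lookup(req)
        if result == "pass":
            return AUTHZ[store]
        # A wrong password ends processing; only "not found" may move on.
        if result == "fail" or on_not_found == "reject":
            return "Access-Reject"
    return "Access-Reject"
```

With `on_not_found="reject"` the MAC request stops at AD and never reaches the internal hosts store, which is the case the "continue" setting in the answer avoids.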


2 Replies

Ganesh Hariharan
VIP Alumni

Hello,

Check out the link below for wireless authentication using Cisco ACS:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008067489f.shtml

Hope to Help !!

Ganesh

Rate if it helps
