ACS 5.2 Access policy

Hello,

Could you recommend how I can accomplish the following task? I need to configure ACS 5.2 to authenticate WiFi users.

There are two types of users: domain users and non-domain users. I want to authenticate the domain users with PEAP-MSCHAPv2.

And the non-domain users I want to authenticate by host lookup (MAC).

The question is how to correctly organize the access policy. Do I need several access services, or will one access service be enough?

Thanks in advance.

Accepted Solutions

Hi,

Your understanding is quite close; however, for MAB to work with wireless users, you will have to turn on the option for MAC filtering for the SSID. This setting is global and will always be triggered, unlike port-based authentication, where you can set an authentication sequence.

You can create one service policy, and within that you can have multiple authorization policies. For the identity settings of this policy, you will have to create an identity store sequence so that either AD is used first and then internal hosts second, or vice versa. For the identity setting, you will have to set the flag for "user not found" to continue.

Let me know if that works.

Thanks,

Tarik Admani

Please rate if helpful!

Anatoly Fedchik wrote:

Hello,

Could you recommend how I can accomplish the following task? I need to configure ACS 5.2 to authenticate WiFi users.

There are two types of users: domain users and non-domain users. I want to authenticate the domain users with PEAP-MSCHAPv2.

And the non-domain users I want to authenticate by host lookup (MAC).

The question is how to correctly organize the access policy. Do I need several access services, or will one access service be enough?

Thanks in advance.

Hello,

Check out the link below for wireless authentication with the use of Cisco ACS:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008067489f.shtml

Hope to help!!

Ganesh

Rate if it helps
