School division would like to use RADIUS 4.2 ACS for the AD users to access the network, wired or wireless.
For rogue users, they want them to go to the guest default VLAN with only Internet.
Reading some of the information, I see that by loading the remote agent on Windows Server I can set up AD users very easily, but I have not found a lot of information on unauthorized users. I've seen NAR and NAF, and it looks like they would work; I'm just not sure I understand the attributes needed.
Why don't you make two SSIDs (two different VLANs)?
One for GUESTs and the other for regular users. Enable more stringent security measures on the REGULAR VLAN, e.g. PEAP. For regular users, only allow DNS and internet traffic (preferably via a proxy that requires authentication). Of course, you need a mechanism to generate temporary passwords for the guest users.
Giving them free access to the internet does not seem to be a good idea. What if someone uses the connection maliciously? The Internet is going to see it coming from your public IP!
I guess I should have indicated that all AD users, wired and wireless, go to authenticate to AD RADIUS, and rogue wired and wireless authenticate to the internal ACS DB, then go to the guest VLAN. Is this possible for the rogue users?
I was questioning the internet access as well.
I will be going to see this customer in the near future as I have a few other questions as well.