Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

denying unauthorized devices ACS


Really new at ACS

I was wondering if this is possible.

For a school division using AD,

school division would like to use radius 4.2 ACS  for the AD users to access the network wired or wirelss.

For rogue users they want them to go to guest default vlan with only Internet.

Reading some of the information I see that by loading remote agent on windows server I can setup AD users very easy,But I have not found alot of information on unauthorized users,I've seen NAR and NAF and looks like they would work just not sure I understand the attributes needed.

Any help is appreciated 


Re: denying unauthorized devices ACS

Why don't you make two SSIDs (two different VLANs).

On for GUESTs and the other for regular users. Enable more stringent security measures on the REGULAR VLAN e.g. PEAP. For regular users only allow DNS and internet traffic (preferably via a proxy that requires authentication). Of course you need a mechanism to generate temporary passwords for the guest users.

Giving them free access to the internet does not seem to be a good idea, what if someone uses the connection malicously? The Internet is going to see it coming from your public ip!

These are a few  PEAP configuration examples:



New Member

Re: denying unauthorized devices ACS

Good Morning Farrukh

Thanks for the reply,

I guess I should have indicated that all  AD users, wired and wireless go to authenticate to AD radius and rogue wired and wireless authenticate to internal ACS db then go to guest vlan. Is this possible for the rogue users?

I was questioning the internet access as well,

I will be going to see this customer in the near future as I have a few other questions as well.

Thanks again