Cisco Support Community

Limiting RADIUS authentication to a specific AD group

I have a basic PEAP configuration using a WLC 4402 with Secure ACS 5.4. ACS is using Active Directory as the identity source. One issue I've found is that any valid AD user can authenticate, including service accounts. I don't want this, since service account passwords are never changed and anyone with knowledge of those accounts can gain access to the Wi-Fi network.

How can I limit access to a certain group, say "Users"?  Can this be done with AD as the source, or do I have to switch to LDAP?

1 REPLY

Limiting RADIUS authentication to a specific AD group

Hi,

Yes, this can definitely be achieved using AD as the identity store.

In the access service processing the wireless 802.1X authentications, include the compound condition or the AD1 external group condition using the Customize button in the bottom-right corner (move the condition from the Available to the Selected section).

Now, go to the rule responsible for processing the authentication, or create a new rule, and call out the group(s) for which you want the authentication to pass. At the bottom, on the default rule, select the Deny Access authorization profile as the result.

Let me know if you get stuck somewhere.

Thanks,

Prateek
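
The policy shape the reply describes, as an added example that is not part of the original thread and not ACS code: rules are evaluated top-down, the first matching rule's authorization profile wins, and the default rule decides every account that matched nothing above it. The account names, group names, rule names and profile names below are constructed for illustration (real ACS conditions reference the group's full DN), and the two policies stand in for the "before" (any valid AD credential passes) and "after" (one group permitted, default rule set to Deny Access) configurations.

```python
# Added example (not ACS code): a small model of an ACS 5.x-style
# authorization policy with an AD external-group condition.
# Rules are evaluated top-down, first match wins, and the default
# rule decides everything that matched nothing above it.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    any_of_groups: frozenset   # matches when the user is in ANY of these groups
    profile: str               # authorization profile: "PermitAccess" / "DenyAccess"


# Constructed sample of AD group memberships (sAMAccountName -> groups).
# Hypothetical names; a real condition would use the group's full DN.
AD_GROUPS = {
    "alice":      {"Domain Users", "Wireless-Users"},
    "bob":        {"Domain Users"},
    "svc-backup": {"Domain Users", "Service Accounts"},
    "svc-scan":   {"Domain Users"},
}


def evaluate(policy, default_profile, user):
    """Return (matched rule name, authorization profile) for one user."""
    groups = AD_GROUPS.get(user, set())
    for rule in policy:
        if rule.any_of_groups & groups:
            return rule.name, rule.profile
    # Nothing matched: the default rule's profile applies.
    return "Default", default_profile


def permitted_users(policy, default_profile):
    """Every known account the policy would let onto the WLAN."""
    return sorted(
        u for u in AD_GROUPS
        if evaluate(policy, default_profile, u)[1] == "PermitAccess"
    )


# "Before": one catch-all rule, so every valid AD credential is accepted,
# service accounts included (the situation the question describes).
OPEN_POLICY = [
    Rule("AnyAuthenticatedUser", frozenset({"Domain Users"}), "PermitAccess"),
]
OPEN_DEFAULT = "PermitAccess"

# "After": only the chosen group passes, and the default rule denies the rest.
GROUP_POLICY = [
    Rule("Wireless-Users-Only", frozenset({"Wireless-Users"}), "PermitAccess"),
]
GROUP_DEFAULT = "DenyAccess"


if __name__ == "__main__":
    print("open policy permits   :", permitted_users(OPEN_POLICY, OPEN_DEFAULT))
    print("grouped policy permits:", permitted_users(GROUP_POLICY, GROUP_DEFAULT))
    for user in AD_GROUPS:
        print(f"  {user:<11} -> {evaluate(GROUP_POLICY, GROUP_DEFAULT, user)}")
```

The second step in the reply (changing the default rule to Deny Access) is the one that actually closes the hole: with the group rule added but the default rule left at PermitAccess, an account outside the group still falls through to the default and is permitted, which `evaluate(GROUP_POLICY, "PermitAccess", "svc-backup")` shows directly.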
