Wireless clients limit authentications by AD username
We are in the early stages of implementing a BYOD wireless network but want to limit the number of devices an individual can authenticate using the ACS. Currently we are using MAC address filtering on a limited scale (On the WLC) to give access to a few select users however this is not a scaleable solution.
The devices that are authenticating are a mixture Apple, Android and Windows and we are using an AD account and group membership to authenticate the user however if we remove the MAC address filtering each user can authenticate multple devices which unfortunatly some of our user take advantage of.
We have looked at implementing the Max user sessions on the ACS however this does not seem to work for out scenario. Currently the ACS is configured
Service selection rule : match Radius -ANY- RADIUS-IETF:Called-Station-ID contains BYOD 802.1X_BYOD
802.1X_BYOD Authorisation : (System:EapTunnel match PEAP And AD-AD1:ExternalGroups contains any TestDomain/Users/BYOD TEST)
Is there a way of implementing this as the devices are only authenticating against AD so limiting the logon's there has no impact as the devices are not actually logging on to the domain.
Any suggestions or advice would be greatly appreciated.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...