Cisco Support Community
Community Member

WPA+WPA2+802.1x

Dear Friends,

I would appreciate it if anyone could answer my question. We have a domain with more than 10k users, and we are providing corporate wireless access to our employees. Currently employees are using their AD credentials for authentication via ACS 5.4. We want to add additional security to the wireless so that only devices with particular MAC addresses, together with the right AD credentials, can gain wireless access. How could I do this in ACS 5.4?

Can anyone help me on this?

Regards

Kumar

4 REPLIES
Community Member

WPA+WPA2+802.1x

Hi Kumar,

You can do this by adding the MAC addresses of the computers to the internal database of ACS.

It can also be done by adding the prefix of the MAC address.

And your access policy has to be configured to verify the AD credentials as well as the MAC address.

HTH,

Selva
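
An added illustration (not Cisco's or ACS's own code) of the rule Selva describes, as a small Python model of the authorization decision: access is permitted only when the AD user authentication succeeded and the RADIUS Calling-Station-Id is found in a host store, by full MAC address or by prefix. The store contents, the request dictionary and the sample MAC formats are constructed assumptions; the normalization step is included because the Calling-Station-Id format varies between NAS vendors.

```python
import re

# Constructed host identity store (hypothetical values): full MAC addresses
# and three-octet MAC prefixes that are permitted on the corporate WLAN.
ALLOWED_MACS = {"00-1A-2B-3C-4D-5E", "00-1A-2B-3C-4D-5F"}
ALLOWED_PREFIXES = {"00-50-56"}

# Accepts aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff and aabbccddeeff.
MAC_RE = re.compile(
    r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$"
    r"|^(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}$"
    r"|^[0-9A-Fa-f]{12}$"
)


def normalize_mac(raw):
    """Return the MAC as AA-BB-CC-DD-EE-FF, or None if the value is not a
    48-bit MAC address in one of the common Calling-Station-Id formats."""
    if not raw or not MAC_RE.match(raw):
        return None
    digits = re.sub(r"[:.\-]", "", raw).upper()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_in_host_store(raw):
    """True if the MAC (or its three-octet prefix) is in the host store."""
    mac = normalize_mac(raw)
    if mac is None:
        return False
    return mac in ALLOWED_MACS or mac[:8] in ALLOWED_PREFIXES


def authorize(request, ad_authenticated):
    """Model of an authorization rule requiring BOTH conditions:
    AD user authentication succeeded AND Calling-Station-Id is in the host store.
    `request` is a dict of RADIUS attributes (constructed for this example)."""
    mac_ok = mac_in_host_store(request.get("Calling-Station-Id"))
    if ad_authenticated and mac_ok:
        return "PermitAccess"
    return "DenyAccess"


if __name__ == "__main__":
    # Constructed sample: known device, valid AD user -> PermitAccess
    print(authorize({"Calling-Station-Id": "00:1a:2b:3c:4d:5e"}, True))
    # Constructed sample: unknown device, valid AD user -> DenyAccess
    print(authorize({"Calling-Station-Id": "11:22:33:44:55:66"}, True))
```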

Community Member

WPA+WPA2+802.1x

Hi Selva,

Thanks for your reply. I added the MAC address in the host identity store, but I couldn't make it work in the access policy. It seems it is not able to match the host identity store and the AD credentials in the identity policy or in the authorization policy. I am not sure what I am missing; can you give an example?

Regards

Kumar 

Cisco Employee

WPA+WPA2+802.1x

Community Member

WPA+WPA2+802.1x

Hello Kumar,

Machine Authentication

Machine authentication provides access to network services only to those computers that are listed in Active Directory. This becomes very important for wireless networks because unauthorized users can try to access your wireless access points from outside your office building.

Machine authentication happens while starting up a computer or while logging in to a computer. Supplicants, such as Funk Odyssey, perform machine authentication periodically while the supplicant is running.

If you enable machine authentication, ACS authenticates the computer before a user authentication request comes in. ACS checks the credentials provided by the computer against the Windows user database. If the credentials match, the computer is given access to the network.

Attribute Retrieval for Authorization

You can configure ACS to retrieve user or machine AD attributes to be used in authorization and group mapping rules. The attributes are mapped to the ACS policy results and determine the authorization level for the user or machine.

ACS retrieves user and machine AD attributes after a successful user or machine authentication and can also retrieve the attributes for authorization and group mapping purposes independent of authentication.

Please also check the link below:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/users_id_stores.html#wp1170404
