Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Trust company assets

Hi,

Corrently, I'm working with a WLC 5508,  and our comapany has wild card certificats. The autenticaton for emplyee is done with Active directory, so my question is:

Is there any way to trust all compay asset's because if it's possible how ? I want that the employee will enter only the first time his AD login and then the MAC address will be recoreded. 

Regards,

8 REPLIES
Hall of Fame Super Silver

Re: Trust company assets

Well it seems like you should know about the various ways before you decide on what you should do. Mac recording... Doesn't really help here. What you want is a way to only trust company assets using active directory.

First off, to be able to look up AD credentials and it computer info, you need a radius server. Research 802.1x....

Now since you have AD, Microsoft has its own radius servers. 2003 is IAS and 2008 is NPS. I will not go over other radius servers for now.

Usually the best way is to use EAP-TLS. EAP-TLS requires a certificate on the radius server and on the client device. This way, only devices that have this certificate will be able to authenticate. EAP-PEAP only requires a certificate on the radius server and you can either user AD credentials and or machine authentication. Now with AD credentials, you really can't prevent a user from knowing how to setup another non company device to access the wireless. Machine authentication only works for windows machines also. So you really have to think what will be on the wireless and how can you control that.

Cisco ISE can profile devices and is the big brother to Cisco's radius server ACS. You can place a certificate or registry entry or something else and decide what devices will have access and what will not. This will also keep a list of MAC address and sort them by device profiles or you can manually sort or put them in a category you wish.

Either way you look at it, ISE is probably the best way and only way you can reach the requirement you want, but when it comes to wireless, you must know what devices you have and what type of encryption and authentication they can use. For example, if you have scanners, some can't do 802.1x. If you have Apple TV, you can't do 802.1x and that has to be pre shared keys.

Hope this helps

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Trust company assets

Thank you Scott, very useful explanation!

To begin we havn't ISE, I think that's the best solution but for now I've to work without it.

I've some qustions:

1- Which kind of certificat may I use? because I want to use those delivrate by my company

2- My aim is to facilitate access to employee so they have not to enter their login evrery day to have wireless network. then, could you please help me to make choise between the two protocols (EAP-PEAP /EAP-TLS)? I read some documents but they are so complicate, I could not make my choice.

3- I want to let a certain categorie of emplyee to have access to LAN network, is it possible?

4- Our radius is a linux server, then it's not necessary to use the NPS?

Hall of Fame Super Silver

Re: Trust company assets

With radius you can set a policy to only allow certain OU's to have access. If you want to use username and password, then you use PEAP. This requires a certificate on the radius server only. It's tough to tell you what you need without knowing all the devices, what can each do, etc. do you have a PKI infrastructure or not. Are you just using a trusted root CA for your certificates. There is sooooo much info that it would be best to consult with your local Cisco SE or your Cisco vendor if you are using one. EAP-TLS is more work but
Very secure since all the clients need a certificate. PEAP just requires a cert on the radius server.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Trust company assets

Hi,

Have you any suggestion of a simply documentation which explain the integration of  EAP-PEAP to the design?

Hall of Fame Super Silver

Re: Trust company assets

You can just search for WLC EAP-PEAP configuration or WLC PEAP configuration.

Here are some.

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080921f67.shtml

http://wirelessccie.blogspot.com/2009/10/eap-tls-and-peap-configurations.html?m=1

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
Bronze

Re: Trust company assets

use mac filtering, and import your client mac into your radius server like acs or ise.

the problem will be that during first time you need a method to import your corporate asset mac address.

haven't tested 802.1x on mac filtering fail should work or not... may someone give a hint?

Sent from Cisco Technical Support iPad App

New Member

Re: Trust company assets

this way seems the best, some help on this?

Re: Trust company assets

Hello,

As per your query i can suggest you the following solution-

You need to create a pem file that contains the full chain of certificates. The full chain includes:

1 – Your SSL certificate (webserver)

2 - The Entrust cross certificate (L1C)

3 – The Entrust Root certificate (Entrust 2048 root)

Hope this will help you.

291
Views
15
Helpful
8
Replies
CreatePlease to create content