Cisco Support Community
New Member

Cisco WLC + ACS + AD for Machine AND User auth...

So I am trying to implement an SSID that requires a machine to be a domain member, AND require the user to provide username/password credentials before being allowed on that SSID.

I am reading that it is possible, but can't find a clear config on how it is supposed to be set up... read about Machine Access Restrictions as being part of the config.

Any help here?

WLC 7.6 and ACS 5.5


Cisco Employee

Please refer to the link for WLC, ACS, AD integration, radius authentication:

New Member

I would recommend doing this via ISE+AnyConnect and EAP-Chaining, if there is a chance.

According to our experience, Machine Access Restrictions have a lot of limitations and it's confusing to end users.


We are testing ISE with EAP chaining. It allows you to validate that the company device (laptop) is joined to the domain and then the user credentials. However, this requires EAP-FAST and the Cisco AnyConnect client. There is a group set up to look at EAP-TEAP. This will allow for standardized "chaining".



"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin