07-31-2014 03:30 PM - edited 07-05-2021 01:18 AM
So I am trying to implement an SSID that requires a machine to be a domain member, AND requires the user to provide username/password credentials before being allowed on that SSID.
I am reading that it is possible, but can't find a clear config on how it is supposed to be set up... I read about Machine Access Restrictions as being part of the config.
Any help here?
WLC 7.6 and ACS 5.5
-g
08-01-2014 03:33 AM
Please refer to the link for WLC, ACS, AD integration, RADIUS authentication:
https://supportforums.cisco.com/discussion/11031266/wlc-acs-ad-integration-radius-authentication
08-04-2014 02:32 PM
I would recommend doing this via ISE+AnyConnect and EAP-Chaining, if there is a chance.
In our experience, Machine Access Restrictions have a lot of limitations and are confusing to end users.
K.
08-04-2014 07:20 PM
We are testing ISE with EAP chaining. It allows you to validate that the company device (laptop) is joined to the domain and then the user credentials. However, this requires EAP-FAST and the Cisco AnyConnect client. There is a group set up to look at EAP-TEAP. This will allow for standardized "chaining".
http://tools.ietf.org/html/draft-ietf-emu-eap-tunnel-method-01#page-5