PEAP MSCHAP restriction to block connections from iPhone
Good day, my name is Ivan.
I have a problem with my wireless network.
I have a Cisco WLC 5508 on which I have configured two SSIDs. One SSID is used by my corporate network users; it uses 802.1X PEAP MSCHAPv2 to authenticate the user and the computer on the wireless network.
Computers are validated as part of the domain objects.
Everything works great, but when I use a mobile device like an iPhone, iPad, or similar, the iPhone asks me to enter the domain user account (username and password) and below asks me to accept the ACS v5.4 (security server) certificate. I click to accept the certificate and I am admitted to the corporate wireless network.
That is a security hole, since from the iPhone anyone who knows the credentials of a corporate user can enter the corporate network via that SSID.
What can I do in ACS v5.4 so that the iPhone does not automatically inherit the user certificate? Are there any restrictions or configurations to support PEAP MSCHAPv2 in Cisco ACS?
My ACS v5.4 is integrated with Active Directory with machine authentication.
My other option is to use EAP-TLS, but I would like to exhaust all PEAP MSCHAPv2 options first.
I understand that PEAP validates only the user certificate, not the machine's.
Re: PEAP MSCHAP restriction to block connections from iPhone
Well, you need to define the policy in ACS to point to just the computer group and not any user group. This way you are using machine authentication, which I'm guessing applies to all your corporate machines since they are on the domain. You can also use EAP-TLS, but that will require certificates on all the domain computers. ISE works better since you're trying to define personal devices, but again, it costs more than ACS :). So either look into machine authentication only or EAP-TLS.
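The reply's fix is an authorization rule that only matches the domain computer group, so a bare user logon (what an iPhone sends when someone types a username and password) never satisfies the policy. The following Python model of that rule is an added illustration and is not Cisco ACS code; the directory entries, the 'host/<fqdn>' machine-identity convention and the constructed RADIUS attempts are assumptions made for the example.

```python
"""Model of an authorization rule that grants wireless access only to
identities authenticating as domain computers, never to user accounts alone.
Added illustration; not Cisco ACS or WLC code. All directory data and the
sample authentication attempts below are constructed for this example."""

from dataclasses import dataclass

# Constructed stand-in for the Active Directory group lookups an AAA server
# performs. Keys are stored lower-case; AD name matching is case-insensitive.
DIRECTORY = {
    "host/pc01.corp.example.com": {"Domain Computers"},
    "host/pc02.corp.example.com": {"Domain Computers", "Finance-Laptops"},
    "corp\\ivan": {"Domain Users", "Wireless-Users"},
    "corp\\admin": {"Domain Users", "Domain Admins"},
}


@dataclass(frozen=True)
class Decision:
    permit: bool
    reason: str


def is_machine_identity(identity: str) -> bool:
    """Assumption for the model: PEAP-MSCHAPv2 machine authentication presents
    the computer account as 'host/<fqdn>'; a user logon does not."""
    return identity.lower().startswith("host/")


def authorize(identity: str, allowed_groups=("Domain Computers",)) -> Decision:
    """The rule from the reply: the identity must resolve to a machine account
    that belongs to one of allowed_groups. User-group membership is never
    consulted, so a valid user password alone cannot satisfy the policy."""
    key = identity.lower()
    groups = DIRECTORY.get(key)
    if groups is None:
        return Decision(False, "unknown identity")
    if not is_machine_identity(key):
        return Decision(False, "user identity; machine authentication required")
    if not groups.intersection(allowed_groups):
        return Decision(False, "machine not in an authorized computer group")
    return Decision(True, "domain computer in authorized group")


def review_attempts(attempts):
    """Defender's view: evaluate a batch of (identity, calling-station-id)
    pairs and return the rejected ones, so user-only logons from unmanaged
    devices can be spotted. Input tuples are constructed for the example."""
    rejected = []
    for identity, station in attempts:
        decision = authorize(identity)
        if not decision.permit:
            rejected.append((identity, station, decision.reason))
    return rejected


if __name__ == "__main__":
    # Constructed attempts: two domain laptops, one user logon from a phone.
    sample = [
        ("host/PC01.corp.example.com", "aa:bb:cc:00:00:01"),
        ("host/PC02.corp.example.com", "aa:bb:cc:00:00:02"),
        ("CORP\\ivan", "aa:bb:cc:00:00:03"),
    ]
    for entry in review_attempts(sample):
        print("REJECT", *entry)
```

The policy deliberately ignores user groups: even a member of Domain Admins is refused unless the request carries a domain-computer identity, which is exactly what keeps a phone with borrowed credentials off the corporate SSID.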