11-03-2013 04:52 PM - edited 07-04-2021 01:12 AM
Hi,
I would like to have user based certificate authentication for my wireless networks. We have a wireless network for corporate laptops and one for mobile devices like iPads/Phones. I don't want corporate devices to be able to connect to the mobile wireless network and vice versa.
The problem I'm facing is once I implement user based certificate authentication, both iPads and corporate laptops can connect to both mobile and corporate wireless networks. Is there a way to restrict mobile devices from connecting to corporate wireless networks and corporate laptops from connecting to mobile device wireless networks?
Thanks
11-03-2013 05:11 PM
Bit more information. I'm using Cisco ACS and don't currently have ISE.
11-03-2013 06:05 PM
What you would do is for the domain machines use machine authentication and the mobile either PEAP or EAP-TLS. The domain machines can also use EAP-TLS if you want. Then you would have two policies on ACS and you would use the Called-Station-ID attribute to distinguish between the SSIDs. Your AD group would need to be different. That is why machine authentication can use the computer group and the mobile can use PEAP or EAP-TLS. If your SSIDs were Domain and Mobile, then you would add to your policy a Called-Station-ID with a value of *.Domain for the domain computers and *.Mobile for mobile devices.
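To make the two-policy logic in the answer above concrete, here is an added example that models the decision ACS would make. It is illustration code written for this page, not Cisco ACS configuration or anything from the original poster. It assumes (the page does not say this) that the WLC populates RADIUS Called-Station-Id as "AP radio MAC:SSID", which is the usual wireless format, that Windows machine authentication presents an identity of the form "host/machine.domain", and that user identities arrive as "DOMAIN\user". The group names and identities are constructed sample data.

```python
"""Model of the two-SSID authorization policy from the accepted answer.

Illustration only, not ACS rule syntax. Assumptions (not from the page):
  - Called-Station-Id (RADIUS attribute 30) is "<AP radio MAC>:<SSID>".
  - Machine authentication identities look like "host/<fqdn>".
  - User identities look like "DOMAIN\\user".
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample directory: identity -> AD group membership.
AD_GROUPS = {
    "Domain Computers": {"host/lt-0042.corp.example", "host/lt-0077.corp.example"},
    "Mobile Users": {"CORP\\asmith", "CORP\\jdoe"},
}

ALLOWED_EAP = ("EAP-TLS", "PEAP")


@dataclass
class Request:
    identity: str            # EAP identity presented to the RADIUS server
    eap_method: str          # "EAP-TLS" or "PEAP"
    called_station_id: str   # RADIUS Called-Station-Id from the WLC


def ssid_from_called_station_id(value: str) -> Optional[str]:
    """Return the SSID from 'AP-MAC:SSID', or None if the format is unexpected.

    The MAC may use '-' or ':' separators; the SSID is everything after the
    final separator following the sixth octet. Anchoring on the full string
    avoids a substring match such as 'Domain' inside some other SSID.
    """
    m = re.fullmatch(r"(?i)(?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2}:(.+)", value)
    return m.group(1) if m else None


def is_machine_identity(identity: str) -> bool:
    """Machine authentication identities are prefixed with 'host/'."""
    return identity.lower().startswith("host/")


def in_group(identity: str, group: str) -> bool:
    return identity in AD_GROUPS.get(group, set())


def authorize(req: Request) -> str:
    """Apply the two rules: Domain SSID needs a computer account in
    'Domain Computers'; Mobile SSID needs a user in 'Mobile Users'."""
    ssid = ssid_from_called_station_id(req.called_station_id)
    if ssid is None:
        return "reject: unparseable Called-Station-Id"
    if req.eap_method not in ALLOWED_EAP:
        return "reject: EAP method not allowed"

    if ssid == "Domain":
        if is_machine_identity(req.identity) and in_group(req.identity, "Domain Computers"):
            return "permit: Domain"
        return "reject: Domain SSID requires a domain computer account"

    if ssid == "Mobile":
        if not is_machine_identity(req.identity) and in_group(req.identity, "Mobile Users"):
            return "permit: Mobile"
        return "reject: Mobile SSID requires a user in Mobile Users"

    return "reject: unknown SSID"


if __name__ == "__main__":
    # Constructed requests: a laptop and an iPad each trying both SSIDs.
    for r in (
        Request("host/lt-0042.corp.example", "EAP-TLS", "00-1a-2b-3c-4d-5e:Domain"),
        Request("host/lt-0042.corp.example", "EAP-TLS", "00-1a-2b-3c-4d-5e:Mobile"),
        Request("CORP\\asmith", "PEAP", "00-1a-2b-3c-4d-5e:Mobile"),
        Request("CORP\\asmith", "EAP-TLS", "00-1a-2b-3c-4d-5e:Domain"),
    ):
        print(f"{r.identity:30} {r.called_station_id:28} -> {authorize(r)}")
```

The point the model makes is that the SSID alone is not enough: both rules must also test the identity type (computer account versus user) and its group, otherwise a user certificate enrolled on an iPad is accepted on the corporate SSID exactly as the question describes. Whatever wildcard or regex form your ACS version uses for Called-Station-ID, anchor it to the end of the attribute rather than matching the SSID name anywhere in the string.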
11-03-2013 08:03 PM
Thanks Scott
11-04-2013 05:13 AM
No problem.