Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Wireless Authentication (Searching for a better way)

We set up a wireless network several years ago.  We have upgraded all of our hardware but never how we authenticate users.  The bulk of our users authenticate to an 802.1x SSID through an ACS (5.0) We have both machine and user authentication to the domain with mac filtering on top of that.  It's overkill and not foolproof this I do know.  We also have another SSID with WPA2-PSK and Mac Filtering for things like iPads and Macs. 

I am looking into certificate based authentication but I am not finding exactly what I want.  For example, if I set up PEAP with certificates is that a secure solution?  From what I understand I need to have the ACS server trust the domain certificate.  Can I then have the pc's auto enroll for a certificate? 

The end result would be this.  A pc/Mac on the domain would authenticate to the network when it first boots via a certificate.  Then a user can walk up and log into the pc just as they do wired.  If a pc that is not on our domain tries to join then the domain will know it does not have a cert and deny access.

Sorry if some of my terminology seems off.  The cert thing is very new to me and I am having a hard time getting my head around it.

Thanks!                  

Everyone's tags (3)
3 REPLIES
Hall of Fame Super Silver

Re: Wireless Authentication (Searching for a better way)

What you need to look at is EAP-TLS which is only for domain computers and works well in a shared environment. ACS does have to have a certificate from your PKI infrastructure and has to be on the domain which it is already. Then you can push out via GPO auto enrollment of computer certificates. This way a computer that is on your domain and has a valid certificate can access the network and doesn't have to depend on username and password like PEAP.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Wireless Authentication (Searching for a better way)

From what I have found it I understand where the certs need to be install such as the ACS and the pc from the domain.  How does this STOP anyone without a cert for authenticating?  Does the PC send the cert to the ACS and the ACS checks with the domain every time?

Hall of Fame Super Silver

Re: Wireless Authentication (Searching for a better way)

Well the ACS will only trust the domain certificate since you will configure the domain CA as a trusted CA. Then the computer must be part of the domain computer group to be allowed access. Now it can be something other than the domain computer group, but that is default location for all domain computers.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
346
Views
0
Helpful
3
Replies
CreatePlease to create content