Allowing wireless access to only company-issued devices
We're preparing to roll out a secure WLAN across a relatively large enterprise network (2000+ users). The original plan was for new client connections to be kicked back to ACS (ver 4.2), which is configured for PEAP and references AD for username authentication. In this scenario, any device that supports WPA2-Enterprise w/ PEAP MS-CHAPv2 can connect to our internal network wirelessly so long as the submitted username/password passes AD authentication. This has been raised as a big security concern, so we're now looking into options for allowing access to only company-issued devices.
Machine Authentication initially seemed the way to go, but we have a fair number of employees with company-issued Macs, as well as PCs running Linux, and those must be allowed as well. We've considered EAP-TLS, but we're being told that deploying certificates for so many clients is not considered a “supportable” solution due to infrastructure requirements and administrative overhead. Earlier today, someone suggested installing the Quest Authentication Services (formerly Vintela) client on non-Windows devices, which would enable them to use AD services, but getting budget to buy licenses will likely set us back a long time.
Would it be possible and sensible to configure ACS so that if a client can't do machine authentication, it would switch to certificate-based authentication with EAP-TLS instead? If only non-Windows devices require certs, then the CA administration ought to be manageable.
Is anyone aware of any other alternative solutions for this?
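As an added example (not from the thread), here is a wpa_supplicant.conf for one of the company-issued Linux clients mentioned above, with the EAP-TLS network the post proposes beside a PEAP/MS-CHAPv2 one; the SSID, identity, CA name, file paths and passphrase are assumed placeholders.

```conf
# wpa_supplicant.conf for a company-issued Linux laptop (added example; all values are placeholders)
ctrl_interface=/var/run/wpa_supplicant
ap_scan=1

# Device-bound access: EAP-TLS with a certificate issued by the internal CA to this machine.
network={
    ssid="CORP-WLAN"                        # assumed SSID
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP
    eap=TLS
    identity="laptop-0123.corp.example"     # placeholder identity matching the cert subject/SAN
    # Pin the CA that issued the RADIUS server certificate so the supplicant only
    # completes the TLS handshake with the real server, not a rogue AP.
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    domain_suffix_match="corp.example"
    # Client certificate and key present only on company-issued devices.
    client_cert="/etc/wpa_supplicant/certs/laptop-0123.crt"
    private_key="/etc/wpa_supplicant/certs/laptop-0123.key"
    private_key_passwd="placeholder-passphrase"
    priority=10
}

# User-bound access: PEAP/MS-CHAPv2 against AD, as in the original plan.
# This proves only that the user knows a domain password; any device can present it.
network={
    ssid="CORP-WLAN"
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP
    eap=PEAP
    identity="jdoe"                         # placeholder AD user
    anonymous_identity="anonymous"          # keep the real username out of the outer identity
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    domain_suffix_match="corp.example"      # without server validation, MS-CHAPv2 hashes can be captured by a rogue AP
    priority=5
}
```

The second entry accepts any device that knows a user's AD password; the first additionally requires a key issued by the internal CA to that specific device, which is the property the post is asking for.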
Re: Allowing wireless access to only company-issued devices
Thanks again for the quick response. I should clarify, I am already familiar with the 802.1X standard, and I understand how it works. I'm hoping someone could share some more specific ideas or possibly even reasonable compromises for accomplishing the goals that I've explained above. We don't have anyone with a strong ACS background, so I'm really just reaching out for anyone I can brainstorm with to find a solution.