Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

Authenticating wireless users through Active Directory

We currently have a Cisco 2504 WLC running two WLANs, corporate (full-access) and guest (internet only). Both WLANs are currently using a [WPA+WPA2][Auth(PSK)] security policy. I would like to move the corporate WLAN from PSK to 802.1x so that wireless users attempting to use the corporate WLAN must first authenticate through Active Directory by supplying their AD username and password.

I currently have a Server 2008 R2 Standard machine that is running the NPS role and authenticating remote-access VPN requests (from our ASA 5510) through Active Directory. This server is a domain member but not a domain controller and is not running the AD Certificate Services role, only NPS.

What is the best way to accomplish this? Keep in mind that we will need both domain PCs and non-domain devices to be able to authenticate through Active Directory by the user supplying his/her AD username and password.

Any assistance would be greatly appreciated.

Thank you,

John Woods

8 REPLIES
VIP Purple

Authenticating wireless users through Active Directory

You can use this but I will suggest to ISE as radius server and connect this ISE server to AD.

Cisco Identity Services Engine (ISE) is a security policy management and control platform. It automates and simplifies access control and security compliance for wired, wireless, and VPN connectivity. Cisco ISE is primarily used to provide secure access and guest access.

http://www.cisco.com/c/dam/en/us/td/docs/solutions/SBA/February2013/Cisco_SBA_SLN_BYOD_AdvancedGuestWirelessAccessDeploymentGuide-Feb2013.pdf

Regards

Dont forget to rate helpful posts

Re: Authenticating wireless users through Active Directory

I would love to use ISE, but current budget constraints prevents this. I must find another way.

Thank you,

John Woods

Hall of Fame Super Silver

Re: Authenticating wireless users through Active Directory

NPS has to have a server certificate either from your internal CA or 3rd party CA. The NPS has to be joined to the domain and in NPS, make sure that it's registered to Active directory. Now the tricky part is that you are using this NPS server for other things, so you need to define another policy that will not break what you have. NPS does have a wizard that can help create both your connection and network policies. NPS when successfully registered to AD, you will be able to see the groups in AD when creating policies. You will also be able to see the valid certificate when creating the wireless policies, all which is required to use NPS and wireless 802.1x.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Re: Authenticating wireless users through Active Directory

Thank you Scott for the quick reply. I suspected NPS requiring a certificate. Can I enable the AD Certificate Services role on my NPS server? It is joined to the domain, registered in AD, but is not a DC. Also, you are quite correct with the testing I have done so far on NPS. While attemting to get this working, I managed to break the policy authenticating our VPN requests from the ASA.

Hall of Fame Super Silver

Re: Authenticating wireless users through Active Directory

You can enable the CA role on the NPS server. I would read the guides, make sure you understand the CA roles because every device including AD and your other servers will get a certificate from this CA. The NPS will trust the CA because both roles are on the same server, but you need AD to trust the CA and push out the certificate to all domain computers. The guides are quick how to's but understand the CA part or maybe ask your Microsoft engineer about it.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
Hall of Fame Super Silver

Re: Authenticating wireless users through Active Directory

Move the wireless policy down in the priority order so you don't break the VPN. Then when testing, look at the logs and see if it's hitting your VPN policy or your wireless policy. If it's hitting your VPN, then you need to add more lookups on the VPN. Maybe NAS-ID which is the IP address of your VPN appliance. This way if you also use NAS-ID for the wireless, then NOS knows it's not from the VPN and goes to the next profile.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
Hall of Fame Super Silver

Re: Authenticating wireless users through Active Directory

John,

Here is a support doc that can help

https://supportforums.cisco.com/docs/DOC-32752

You can find other out there by searching

"WLC Microsoft NPS 802.1x example"

http://networklessons.com/wireless/peap-and-eap-tls-on-server-2008-and-cisco-wlc/

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Re: Authenticating wireless users through Active Directory

Thanks Scott, I will read through this documentation, test it and post the outcome.

John Woods

691
Views
0
Helpful
8
Replies