Cisco WLC 5508 controllers, Microsoft NPS with 802.1x and PEAP

We are using Cisco WLC 5508 controllers, NCS and Microsoft NPS for RADIUS. I know it's possible with PEAP to check if a user is a member of an AD group, but is it also possible to check if the user is using a domain machine? So an AND operation. I tried it with an NPS policy to check if the machine is a member of the AD group for domain machines, but it is not working.

2 Accepted Solutions

Amjad Abdullah (VIP Alumni)

Hello,

I am not sure about NPS, but some RADIUS vendors have a feature available to check domain membership.

Cisco ACS, for example, has the feature to do "machine authentication", which authenticates machines against AD.

I found this doc while searching, hope you find it useful:

http://technet.microsoft.com/en-us/library/dd283093(WS.10).aspx

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"


SHANNON WYATT (Level 1)

If you need to validate that the PC is a member of the domain and you are using NPS, you should do machine authentication for your Windows PCs and use EAP-TLS. If you use PEAP, you will run into problems when the PCs decide to change their passwords for the domain. You can do condition-based policies, so you can have your first policy be EAP-TLS for domain PCs, then you can do PEAP for other things if necessary. Deploying certs to the workstations is pretty easy with Windows PCs that are in the domain.

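The policy-order advice above and the asker's failing group check, as an added example (model code written for this page, not NPS itself and not anything posted in the thread): it walks network policies in NPS processing order, first match wins, and shows why a Machine Groups condition cannot match a PEAP user logon, which carries only the user account. Policy names, group names and accounts are constructed for illustration.

```python
# Added example, not code from this thread or from Microsoft: a model of NPS
# policy processing (first matching policy wins) on constructed requests.
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    identity: str       # RADIUS User-Name sent by the supplicant
    eap_type: str       # "EAP-TLS" or "PEAP"
    groups: frozenset   # AD groups of the account that actually authenticated

    @property
    def is_machine(self) -> bool:
        # Windows supplicants send machine credentials as host/<name>.<domain>
        return self.identity.lower().startswith("host/")

@dataclass(frozen=True)
class Policy:
    name: str
    eap_type: str
    machine_groups: frozenset = frozenset()  # "Machine Groups" condition (any of)
    user_groups: frozenset = frozenset()     # "User Groups" condition (any of)
    grant: bool = True

    def matches(self, req: Request) -> bool:
        if req.eap_type != self.eap_type:
            return False
        if self.machine_groups and not (req.is_machine and self.machine_groups & req.groups):
            return False  # a user logon carries no computer account, so this never holds
        if self.user_groups and (req.is_machine or not (self.user_groups & req.groups)):
            return False
        return True

def evaluate(policies, req):
    # Return (policy name, access granted) for the first policy whose conditions match.
    for pol in policies:
        if pol.matches(req):
            return pol.name, pol.grant
    return "implicit deny", False

# Hypothetical policy order following the EAP-TLS-first advice in the reply above.
POLICIES = [
    Policy("Domain PCs (machine auth, EAP-TLS)", "EAP-TLS", machine_groups=frozenset({"Domain Computers"})),
    Policy("Wireless users (PEAP)", "PEAP", user_groups=frozenset({"Wireless Users"})),
]
# The asker's attempt: one PEAP policy demanding user AND Domain Computers membership.
ASKER_POLICY = [Policy("PEAP + Domain Computers", "PEAP",
                       machine_groups=frozenset({"Domain Computers"}), user_groups=frozenset({"Wireless Users"}))]
PC = Request("host/pc1.corp.example", "EAP-TLS", frozenset({"Domain Computers"}))  # constructed sample
ALICE = Request("alice", "PEAP", frozenset({"Domain Users", "Wireless Users"}))     # constructed sample
```

Running `evaluate(ASKER_POLICY, ALICE)` lands on the implicit deny even though alice is in the right user group, which is the behaviour the question describes; the EAP-TLS machine policy is what actually sees the computer account.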
