Cisco Support Community
Cisco WLC 5508 controllers, Microsoft NPS with 802.1x and PEAP

We are using Cisco WLC 5508 controllers, NCS and Microsoft NPS for RADIUS. I know it's possible with PEAP to check if a user is a member of an AD group, but is it also possible to check if the user is using a domain machine? So an AND operation. I tried it with an NPS policy to check if the machine is a member of the AD group for domain machines, but it is not working.

Accepted Solutions

Re: Cisco WLC 5508 controllers, Microsoft NCS with 802.1x and PEAP

Hello,

I am not sure about NPS but some radius vendors have it available to check the domain membership.

Cisco ACS for example has the feature to do "machine authentication" which authenticates machines against the AD.

I found this doc while searching, hope you find it useful:

http://technet.microsoft.com/en-us/library/dd283093(WS.10).aspx

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

Cisco WLC 5508 controllers, Microsoft NCS with 802.1x and PEAP

If you need to validate that the PC is a member of the domain and you are using NPS, you should do machine authentication for your Windows PCs and use EAP-TLS. If you use PEAP you will run into problems when the PCs decide to change their passwords for the domain. You can do condition-based policies, so you can have your first policy be EAP-TLS for domain PCs, then you can do PEAP for other things if necessary. Deploying certs to the workstations is pretty easy with Windows PCs that are in the domain.
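The ordered, condition-based policy set the reply above describes, as an added illustration that is not code from either poster, Microsoft or Cisco. It models how NPS walks network policies in processing order and uses the first one whose conditions all match, rejecting a request that matches none. Two facts it relies on are real Windows behaviour: 802.1X machine authentication sends the identity as host/<fqdn>, and the matching AD account is COMPUTER$. Everything else (the group names, the "EAP-TLS"/"PEAP-MSCHAPv2" labels, the hostnames and the sample requests) is constructed for the example.

```python
"""Ordered network-policy evaluation modelled on NPS processing order:
first policy whose conditions all match wins; no match means reject.

Added example for this thread, not Microsoft or Cisco code. Group names,
EAP-type labels, hostnames and requests below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed AD group membership keyed by sAMAccountName.
# Machine accounts in AD are named COMPUTER$ (real Windows convention).
AD_GROUPS: Dict[str, Set[str]] = {
    "WS01$": {"Domain Computers"},
    "JDOE": {"Domain Users", "Wireless Users"},
    "CONTRACTOR1": {"Domain Users"},
}


def is_machine_identity(user_name: str) -> bool:
    """Windows machine authentication sends User-Name as host/<fqdn>;
    user authentication sends DOMAIN\\user or user@domain."""
    return user_name.lower().startswith("host/")


def account_name(user_name: str) -> str:
    """Map a RADIUS User-Name to the sAMAccountName NPS would look up:
    host/ws01.corp.example -> WS01$, CORP\\jdoe -> JDOE, jdoe@corp.example -> JDOE."""
    if is_machine_identity(user_name):
        host = user_name[len("host/"):].split(".", 1)[0]
        return host.upper() + "$"
    if "\\" in user_name:
        return user_name.split("\\", 1)[1].upper()
    return user_name.split("@", 1)[0].upper()


@dataclass
class Request:
    user_name: str
    eap_type: str  # "EAP-TLS" or "PEAP-MSCHAPv2" (assumed labels)


@dataclass
class Policy:
    name: str
    eap_type: Optional[str] = None       # None = no EAP-type condition
    machine_auth: Optional[bool] = None  # True = host/ identity required, False = user identity, None = either
    windows_group: Optional[str] = None  # required AD group, like the NPS Windows/Machine/User Groups condition

    def matches(self, req: Request) -> bool:
        """All configured conditions must hold, as in an NPS network policy."""
        if self.eap_type is not None and req.eap_type != self.eap_type:
            return False
        if self.machine_auth is not None and is_machine_identity(req.user_name) != self.machine_auth:
            return False
        if self.windows_group is not None:
            groups = AD_GROUPS.get(account_name(req.user_name), set())
            if self.windows_group not in groups:
                return False
        return True


def evaluate(req: Request, policies: List[Policy]) -> str:
    """Return the first matching policy name in processing order, or
    'REJECT' when none matches (NPS rejects unmatched requests)."""
    for policy in policies:
        if policy.matches(req):
            return policy.name
    return "REJECT"


# Order recommended in the reply: EAP-TLS for domain machines first, PEAP for users second.
RECOMMENDED_ORDER = [
    Policy("Domain PCs - EAP-TLS", eap_type="EAP-TLS", machine_auth=True, windows_group="Domain Computers"),
    Policy("Wireless Users - PEAP", eap_type="PEAP-MSCHAPv2", machine_auth=False, windows_group="Wireless Users"),
]

# A loosely conditioned policy placed first catches requests the stricter policies would have rejected.
CATCH_ALL_FIRST = [Policy("Any Domain User", windows_group="Domain Users")] + RECOMMENDED_ORDER

# Constructed sample requests.
MACHINE_REQ = Request("host/ws01.corp.example", "EAP-TLS")        # domain-joined PC, machine cert
USER_REQ = Request("CORP\\jdoe", "PEAP-MSCHAPv2")                 # user in the wireless group
CONTRACTOR_REQ = Request("contractor1@corp.example", "PEAP-MSCHAPv2")  # domain user, not in the wireless group
USER_CERT_REQ = Request("CORP\\jdoe", "EAP-TLS")                  # user cert over EAP-TLS, not a machine identity

if __name__ == "__main__":
    for label, req in [("machine", MACHINE_REQ), ("user", USER_REQ),
                       ("contractor", CONTRACTOR_REQ), ("user-cert", USER_CERT_REQ)]:
        print(f"{label:10s} recommended={evaluate(req, RECOMMENDED_ORDER):22s} "
              f"catch-all-first={evaluate(req, CATCH_ALL_FIRST)}")
```

In NPS itself the equivalent knobs are the policy's Processing Order, the Windows Groups / Machine Groups / User Groups conditions, and the Authentication Methods constraint (Microsoft: Smart Card or other certificate for EAP-TLS, Protected EAP for PEAP); the point the model makes is that each request is matched against one policy only, so the machine policy must sit above anything looser.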
