Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Restricting Access to Wireless based on Username/password and machine type

Hey All,

I am sure this is a easy one but I have been having a problem figuring it out.  I have ACS 5.2, I want to allow users to access a certain vlan on wireless via 802.1x vlan override with username / password authentication.  I want to redirect any devices that use the same login but on a device that is not registered in AD to a different vlan.  Essentially allowing people with registered computers to access a more secure network then those that do not.

I have been messing around a bit, got machine auth going but it seems with Windows it is user auth or machine auth and you have to wait a few seconds for machine auth to occur, then I could use the option of "If Machine Authenticated" but it is qwerky at best.  The next option was to use TLS but that does not seem to be sure fire either since mobile devices can chose to accept any cert.

What would do the trick is to have ACS lookup the MAC address of the machine in AD, if it is there then allow onto the more secure network.  It seems simple but it as alluded me so far.



Restricting Access to Wireless based on Username/password and ma

Creating Hosts in Identity Stores

To create, duplicate, or edit a MAC address and assign identity groups to internal hosts:

Step 1 Select Users and Identity Stores > Internal Identity Stores > Hosts.

The Internal Hosts page appears, listing any configured internal hosts.

Step 2 Click Create. You can also:

• Check the check box next to the MAC address you want to duplicate, then click Duplicate.

• Click the MAC address that you want to modify, or check the check box next to the MAC address and click Edit.

• Click File Operations to perform bulk operations. See Viewing and Performing Bulk Operations for Internal Identity Store Hosts for more information on the import process.

• Click Export to export a list of hosts to your local hard drive.

The Internal Hosts General page appears when you click the Create, Duplicate, or Edit options.

Please Check the below link which may helpful for you in configuration:



Community Member

Restricting Access to Wireless based on Username/password and ma

Thanks Ageel,

That seems like a very static and manual approach.

That  being said, I may have found the solution.  I set the Machine  Authentication time out for a few days then set the if Machine  authenticated control to true for the various user policies, then a  default policy below with if Machine authenticated = false.

If Machine aunthentication stays valid for a few days that is a good enough option.


CreatePlease to create content