07-19-2013 07:21 AM
We have an existing vap that does 802.1x auth'd against radius servers. There are over 15k users that hit against this daily.
I've been asked to provide machine auth for about 50 Windows PCs in a PC lab.The preference is to use our existing SSID. Our campus does not auth wireless against AD - we auth NetIDs against radius/ldap/kerberos. The desire is that the machnes would auth against an AD server but the users who use these machines would auth against our radius servers
Is this possible? I assume I need to add an AD server to the AAA profile. Should I put the AD server at the bottom of the list in the server group and use failt hrough? Would the "machine" fail through the radius servers and eventually be picked up by the AD server?
Another question is, how does the AD server know which machines it wants to allow? There are hundreds (thousands?) of windows PCs on campus that are configured for the campus AD domain but we don;t wish to machine these. Is there a MAC table that gets created on the AD server?
Is this possible?
I've gotten good feedback from fellow Airheads but wanted to hear your opinion. Thanks for any advice or tips!
07-19-2013 07:41 AM
I am not sure of the existing configuration which you have got on the controller like "Termination" etc. to support this.
For Eg. Termination should not be enabled on the controller to support Machine Auth.
Not sure of the Radius server being used for User Auth.
Yes, if fail through is enabled we would try all the servers in the server group.
In the AD, you would need to classify the users who want to perform machine auth under a group/tree.
AD should be integrated to Radius.
Radius should be added to Server Group.
Connection request policy should be configured on the Radius server to lookup for the users under the specific Group in AD.
This should ideally work, however have not had an oppuritunity to work on this specifcations (Seperate server for Machine & user Auth).
Feel free to open a TAC case if any issues.
07-19-2013 07:47 AM
I think you're pretty much set and had good advice.
The other solution is to use your RADIUS server to authenticate the machine. Are you using Clearpass? If you are, this can be done more easily and more efficiently.
Otherwise, this is a good solution I would do the same and put multiple auth servers with fail-throught.
As for making sure only those computers and be allowed in, you can set those computer in groups and only allow those groups onto the network. MAC Auth is not a good solution in this instance.
ACMX, ACDX, CISSP, B. Eng.