We have 3600 controllers running 6.1.3.1, no ClearPass. My goal here is to create an SSID that is for medical equipment which does not belong to our AD domain, and this equipment may not support methods such as certificates for machine authentication, so it needs to also support MAC authentication.

So far I have built the Virtual AP that uses this new SSID profile and a MAC-based AAA profile that uses the internal DB, where I have placed my test machine's MAC. It also uses WPA2-PSK for network authentication and AES for encryption. So far this works just fine.

I only want to use MAC authentication for those devices that don't support certs, so now I want to add a cert to the list of authentication methods before MAC. What I am hoping to do here is that if a cert is on the machine it will authenticate and skip the MAC portion. If a cert is not on the machine it will fall through to the MAC portion to authenticate. If neither one matches then it is not allowed on.

Is this possible, or is there perhaps a better way to do this instead of a PSK? The machines will not be part of the AD domain, but the users do have accounts, so perhaps it can be designed to use their AD account?
Thanks for your input!
#3600