05-04-2007 08:46 AM - edited 03-05-2019 03:52 PM
I am in the middle of investigating the possibilities of using 802.1x authentication for users who wish to access a physical switch port through out our organization.
I would like some insight to whether this is a viable solution and how others are currently implementing this solution.
I would like for users current Active Directory credentials to grant access to a switch port or certain VLANs based upon correct authentication.
I have ACS 3.3 already in place and could use dynamic vlans to place authorized users in a certain vlan with other go into the unsecure/guest vlan.
Please direct me in the right direction on how to implement this or why I shouldn't.
Thank you,
Jake
Solved! Go to Solution.
05-04-2007 09:16 AM
Jake,
No to " shouldnot", you should configure the 802.1x for using IBNS (identity based networking services) for your users.This will give you another security layer on the network and will allow your to control the network access only to the allowed users on the network. You can intergrate the Windows AD for the user authentication Via AD. You have to use dynamic Vlan assignment with ACS to move the authenticated user to prodcution Vlan, Guest users to guest vlan and failed authenticated users to a " dummy vlan ".
Let us know the switces and the IOS that you are running on them.
Please see the link below for 802.1x configuration on Cisco switches:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_book09186a00802335e2.html
HTH,Please rate if it does.
-amit singh
05-04-2007 09:16 AM
Jake,
No to " shouldnot", you should configure the 802.1x for using IBNS (identity based networking services) for your users.This will give you another security layer on the network and will allow your to control the network access only to the allowed users on the network. You can intergrate the Windows AD for the user authentication Via AD. You have to use dynamic Vlan assignment with ACS to move the authenticated user to prodcution Vlan, Guest users to guest vlan and failed authenticated users to a " dummy vlan ".
Let us know the switces and the IOS that you are running on them.
Please see the link below for 802.1x configuration on Cisco switches:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_book09186a00802335e2.html
HTH,Please rate if it does.
-amit singh
05-04-2007 10:13 AM
Thanks for the timely responds Amit. I have 4506 with IOS 12.2.25EWA1 at the edges and the cores are running 6500 with CatOS currently (Getting IOS upgrade in 2 weeks to newest IOS). I am in the process of reading over the links you provided.
I am concerned however in the configuration of actual client machines. For our secure users an AD policy could set the network interface for 802.1x and for guest with or without 802.1x enabled that would just put them either in the guest network or dummy vlan?
05-04-2007 10:30 AM
Basically for 802.1x to need a Client supplicant on the users desktop. Windows XP has a client supplicant which support basic EAP or 802.1x authentication.Cisco has a 802.1x client that you can use on the uers desktop for EAPoL autenctication.
If you dont have users with 802.1x enabled client, they will not be able to acuthencticate on the network and you can sinple place them in the authentication failled vlan or dummy vlan. This authentication failed vlan can be the same as your guest vlan or you can keep the guest vlan different for your guest with limited internet connectivity.
You need to upgrade your switches to atleast 12.2.25SG release for " Authentication" failed vlan support.
HTH,Please rate if it does.
-amit singh
05-29-2007 11:56 AM
I'm also investigating 802.1x for wired authentication. I got it working well on a Cisco 3750, and would like to pilot it to a small group of users if possible.
But I'm really curious to hear feedback from people who have implemented wired 802.1x! How did you roll it out, and how well is it working? Have users noticed any difference?
We plan on using the Microsoft XP supplicant instead of buying a third party supplicant, and I'm also wondering how well that has worked for other companies. Right our next step is figuring out how to configure users' wired 802.1x profiles, without them having to config it themselves.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: