06-01-2007 05:05 PM - edited 03-05-2019 04:27 PM
I am trying to setup 802.1x PEAP in my home lab. I have:
A Windows 2003 Enterprise server with SP2 and latest patches running as
Active Directory, DHCP, DNS, WINS. The AD domain name is LAB.
The Windows 2003 server is also running Cisco ACS 4.0.1 with a self-signed
certificate. I can log into the box https://PEAP8021x:2002 so the cert
works. I also configure the ACS so that I can also talk to the
Cisco Catalyst 2960 running IOS version flash:c2960-lanbase-mz.122-25.SEE2.bin.
This version supports 802.1x
A couple of Windows XP machines with Service Pack 2 and latest patches that will act as
clients for the domain LAB
Everything is connected to the Catalyst switch 2960 via CAT-5 cables.
I would like to accomplish something very simple, I think:
Before
06-01-2007 05:06 PM
repost:
I am trying to setup 802.1x PEAP in my home lab. I have:
A Windows 2003 Enterprise server with SP2 and latest patches running as
Active Directory, DHCP, DNS, WINS. The AD domain name is LAB.
The Windows 2003 server is also running Cisco ACS 4.0.1 with a self-signed
certificate. I can log into the box https://PEAP8021x:2002 so the cert
works. I also configure the ACS so that it can also use AD accounts for
authentication
Cisco Catalyst 2960 running IOS version flash:c2960-lanbase-mz.122-25.SEE2.bin.
This version supports 802.1x
A couple of Windows XP machines with Service Pack 2 and latest patches that will act as
clients for the domain LAB.
Everything is connected to the Catalyst switch 2960 via CAT-5 cables.
I would like to accomplish something very simple. Before user(s) on
WinXP can even access the domain LAB, the winXP machine must be
authenticated with Cisco ACS with username/password on the AD Server
so that the machine can be placed in the correct VLAN(s). If this is just
a visitor and their machine is plugged into my network, authentication will
fail and they will be put in a guest VLAN where the only connection they have
will be access to the Internet and that will be it. All the information will be pushed
out to the Catalyst from the Cisco ACS.
Can someone help me out on how to get this done? Thanks.
06-03-2007 07:42 AM
Hi,
This is a simple setup.
Initially, you must configure ACS External Database to use the Windows Domain database for unknown users.
Configure ACS (network configuration) to define the switch as a network client with the shared key.
Configure the switch with the radius server's ip and shared key.
Then configure the switchport access vlan to be the "protected" vlan, and configure a dot1x guest vlan. Then set dot1x port-control auto.
Then configure the client's ethernet port to use 802.1x authentication, EAP type set to PEAP (rather than smart card or other certificate), MS-CHAP V2 (optionally set to authenticate using machine account when user account is unavailable in order for the machine to authenticate if a user is not logged in - this allows the machine to get an IP and be "on the domain" by the time the user is prompted to login at the ctrl-alt-del screen). Optionally configure PEAP to automatically use windows logon name and password - this way authentication is transparent to the user as the 802.1x supplicant uses the same account the user logs in to the machine with - avoiding pop-up promptings to log in.
* NOTE: if system is configured with "Wake on LAN" then often the switch sees the network connection as soon as the system powers on, but by the time the OS is up and able to send supplicant username/password, the EAPoL timer has expired and the switchport is placed into guest VLAN. Suggest to disable Wake on LAN for wired 802.1x clients.
If you need additional detail on any of the above steps, post a reply.
Thanks,
Curtis H.
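The switch side of the steps Curtis lists (RADIUS server, global 802.1X, protected and guest VLAN, port-control auto), as an added example for readers of the thread and not Curtis's or David's configuration. The ACS address 192.0.2.10, the shared key, port Gi0/6 and VLAN numbers 2 and 3 are assumed placeholders; the ACS-side attributes appear only as comments because they are set in the ACS GUI, not on the switch.

```cisco
! Added example (not from the thread): switch-side configuration for the steps above.
! Assumed values: ACS at 192.0.2.10 with shared key "Pl4ceholderKey", protected
! VLAN 2, guest VLAN 3, client port Gi0/6. Replace them with your own.
!
aaa new-model
! Authenticate 802.1X requests against ACS over RADIUS.
aaa authentication dot1x default group radius
! Required for dynamic VLAN assignment: without it the switch ignores the
! Tunnel-* attributes ACS returns and leaves the port in its static VLAN.
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
! 1645/1646 are the ACS 4.x RADIUS defaults; adjust if you changed them in ACS.
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key Pl4ceholderKey
!
dot1x system-auth-control
!
interface GigabitEthernet0/6
 description 802.1X client port
 switchport mode access
 ! VLAN the port lands in after a successful authentication when ACS
 ! returns no VLAN of its own.
 switchport access vlan 2
 dot1x pae authenticator
 ! Port passes only EAPOL until ACS accepts the supplicant.
 dot1x port-control auto
 ! Hosts that never answer EAPOL (no supplicant, or too slow) land here.
 dot1x guest-vlan 3
 ! Wake-on-LAN note above: the guest VLAN is applied after the configured
 ! number of unanswered EAPOL-Request/Identity frames, sent tx-period
 ! seconds apart. Lengthen these if the OS brings its supplicant up slowly.
 dot1x timeout tx-period 30
 dot1x max-reauth-req 3
 spanning-tree portfast
!
! For ACS to move an authenticated host to a VLAN, return these IETF RADIUS
! attributes in the user's ACS group settings:
!   [064] Tunnel-Type             = VLAN  (tag 1)
!   [065] Tunnel-Medium-Type      = 802   (tag 1)
!   [081] Tunnel-Private-Group-ID = <VLAN name or number>
!
! Verify from the switch CLI:
!   show dot1x interface GigabitEthernet0/6 details
!   show vlan brief
!   debug radius authentication
```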
06-07-2007 04:15 PM
Hi Curtis,
"Initially, you must configure ACS External Database to use the Windows Domain database for unknown users."
this part is done. I can authenticate users who SSH into a PIX firewall with Microsoft Active Directory via ACS, so it works.
"Configure the switch with the radius server's ip and shared key."
It's done.
"Then configure the switchport access vlan to be the "protected" vlan, and configure a dot1x guest vlan. Then set dot1x port-control auto."
! enable 802.1X globally
dot1x system-auth-control
interface GigabitEthernet0/6
 ! "protected" VLAN for authenticated hosts
 switchport access vlan 2
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 ! hosts that do not answer EAPOL are placed here
 dot1x guest-vlan 3
When I set up MD5-Challenge on the Windows XP machine, I can log in, but only if I create an account in the ACS internal database. In other words, it only works with ACS internally created accounts and not with accounts from the Microsoft Active Directory server. If I use the account on the MS AD server, I get the following message:
Auth type not supported by External DB
Why am I getting this message? Obviously, my AD works because I can SSH into a PIX firewall configured for AAA with my Active Directory account.
The question I have for you is: does the XP machine have to be part of the domain "LAB" first before I can implement PEAP?
Thanks.
David
07-28-2010 11:36 AM
I have the same problem, anyone got a solution?
Thanks
07-28-2010 11:48 AM
Hi David,
The following error occurs when your authentication protocols mismatch.
Configure your ACS & Windows machine to use the same authentication protocol.
"Auth type not supported by External DB"
Configure ACS to use the PEAP & MS-CHAP authentication protocol & in the Windows NIC select the PEAP or EAP protocol.
Please refer to the link below.
Regards
Chetan Kumar
07-28-2010 12:37 PM
Hi Chetan,
I have already configured ACS to use the PEAP & MS-CHAP authentication protocol & in the Windows NIC selected the PEAP or EAP protocol, but I always have this error.
Regards,
Nicolas.
07-28-2010 01:10 PM
Hi Nicolas
It might be an issue with the certificate that you installed on the user machine.
Can you check the log in ACS for the particular user you are using to log in?
Or generate a new certificate in ACS and install it on the user machine, selecting the PEAP & MSCHAP authentication protocol.
Regards
Chetan Kumar