802.1x/PEAP over Ethernet

Jun 1st, 2007

I am trying to set up 802.1x PEAP in my home lab. I have:

- A Windows 2003 Enterprise server with SP2 and latest patches running as Active Directory, DHCP, DNS, WINS. The AD domain name is LAB. The Windows 2003 server is also running Cisco ACS 4.0.1 with a self-signed certificate. I can log into the box at https://PEAP8021x:2002 so the cert works. I also configured the ACS so that it can also use AD accounts for authentication.

- A Cisco Catalyst 2960 running IOS version flash:c2960-lanbase-mz.122-25.SEE2.bin. This version supports 802.1x.

- A couple of Windows XP machines with Service Pack 2 and latest patches that will act as clients for the domain LAB.

Everything is connected to the Catalyst 2960 switch via CAT-5 cables.

I would like to accomplish something very simple. Before user(s) on WinXP can even access the domain LAB, the WinXP machine must be authenticated with Cisco ACS with username/password on the AD server so that the machine can be placed in the correct VLAN(s). If this is just a visitor and their machine is plugged into my network, authentication will fail and they will be put in a guest VLAN where the only connection they have will be access to the Internet and that will be it. All the information will be pushed out to the Catalyst from the Cisco ACS.

Can someone help me out on how to get this done? Thanks.

jafrazie (Cisco Employee) Sun, 06/03/2007 - 19:21

Enable machine authentication. Enable the Auth-Fail VLAN on your switchport. Configure security around this VLAN such that it only has access to the Internet via a path isolation technique.

These guides might help:

<http://www.cisco.com/en/US/netsol/ns656/networking_solutions_design_guidances_list.html#anchor7>

<http://www.microsoft.com/downloads/details.aspx?familyid=05951071-6b20-4cef-9939-47c397ffd3dd&displaylang=en>

Premdeep Banga (Gold, 750 points or more) Sun, 06/03/2007 - 21:11

Hi,

You would need to do the following:

- Machine authentication with user authentication (this part is tricky on WinXP, you may get intermittent results)

Something to help you:

-----------------

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]
"SupplicantMode"=dword:00000003
"AuthMode"=dword:00000001

------------------

- Machine Access Restriction (MAR) (it's on ACS)

- Guest VLAN or auth-fail VLAN

Wired 802.1x:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a18.shtml

Configuring IEEE 802.1x Port-Based Authentication:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12122ea7/scg/sw8021x.htm

Regards,
Prem
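The switch-side half of what both replies describe (RADIUS to ACS, VLAN returned by ACS, auth-fail VLAN and guest VLAN on the client port), as an added example that is not configuration from either reply, from Cisco or from the ACS/Windows side, which the registry keys and MAR settings above cover. The ACS address, shared secret, VLAN ids and interface name are assumed lab values.

```cisco
! Added example (not from the thread): Catalyst 2960, IOS 12.2(25)SEE2.
! Assumed values: ACS at 192.0.2.10 (documentation address), a placeholder
! shared secret, VLAN 10 = LAB users, VLAN 30 = restricted Internet-only
! VLAN, client port FastEthernet0/1.
!
aaa new-model
! 802.1x supplicants are authenticated against ACS over RADIUS...
aaa authentication dot1x default group radius
! ...and the VLAN that ACS returns in the Access-Accept is honoured
! (Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID).
aaa authorization network default group radius
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key REPLACE-WITH-ACS-SECRET
! Global 802.1x switch: without it the interface commands are inert.
dot1x system-auth-control
!
vlan 10
 name LAB-USERS
vlan 30
 name RESTRICTED-INTERNET-ONLY
!
interface FastEthernet0/1
 switchport mode access
 ! Fallback when ACS returns no VLAN; unreachable while the port is unauthorized.
 switchport access vlan 10
 dot1x port-control auto
 ! Visitor WITH a supplicant but no LAB account: credentials fail -> VLAN 30.
 dot1x auth-fail vlan 30
 dot1x auth-fail max-attempts 3
 ! Visitor WITHOUT a supplicant (never answers EAPOL): guest VLAN -> also 30.
 dot1x guest-vlan 30
 dot1x reauthentication
 spanning-tree portfast
!
! VLAN 30 still needs its own ACL / routing so it reaches only the Internet,
! as jafrazie's reply says; 802.1x puts the visitor there, it does not fence it.
!
! Checks after plugging in a client:
!   show dot1x all
!   show dot1x interface FastEthernet0/1
!   show vlan brief      (port should appear in 10 / the ACS VLAN, or in 30)
```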
