802.1x/PEAP over Ethernet

Unanswered Question
Jun 1st, 2007

I am trying to setup 802.1x PEAP in my home lab. I have:

a windows 2003 enterprise server with SP2 and latest patches running as

Active Directory, DHCP, DNS, WINS. The AD domain name is LAB.

The windows 2003 is also running Cisco ACS 4.0.1 with a self-signed

certififcate. I can log into the box https://PEAP8021x:2002 so the cert

works. I also configure the ACS so that it can also use AD accounts for

authentication

Cisco Catalyst 2960 running IOS version flash:c2960-lanbase-mz.122-25.SEE2.bin.

This version supports 802.1x

A couple of WindowsXP with Service Pack 2 and latest patches that will act as

clients for the domain LAB.

Everything is connected to the Catalyst switch 2960 via CAT-5 cables.

I would like to accomplish something very simple. Before user(s) on

WinXP can even access the domain LAB, the winXP machine must be

authenticated with Cisco ACS with username/password on the AD Server

so that the machine can be placed in the correct VLAN(s). If this is just

a visitor and their machine is plugged into my network, authentication will

fail and they will be put in a guest VLAN where the only connection they have

will be acess to the Internet and that will be it. All the information will be pushed

out to the catalyst from the Cisco ACS

Can someone help me out on how to get this done? Thanks.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
jafrazie Sun, 06/03/2007 - 19:21

Enable machine-authentication. Enabled the Auth-Fail-VLAN on your switchport. Configure security around this VLAN such that it only has access to the Internet via path isolation technique.

These guides might help:

<http://www.cisco.com/en/US/netsol/ns656/networking_solutions_design_guidances_list.html#anchor7>

<http://www.microsoft.com/downloads/details.aspx?familyid=05951071-6b20-4cef-9939-47c397ffd3dd&displaylang=en>

Premdeep Banga Sun, 06/03/2007 - 21:11

Hi,

You would need to do following :

- Machine authentication with user authentication( This part is tricky on WinXP, you may get intermittent results)

Something to help you:

-----------------

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]

"SupplicantMode"=dword:00000003

"AuthMode"=dword:00000001

------------------

- Machine Access Restriction (MAR)(its on ACS)

- guest vlan or auth-fail-vlan

Wired 802.1x:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a18.shtml

Configuring IEEE 802.1x Port-Based Authentication:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12122ea7/scg/sw8021x.htm

Regards,

Prem

Actions

This Discussion