How to change vlan after successful dot1x authentication (ACS4.1)

Unanswered Question
Aug 24th, 2007

Hi,

I'm setting up 802.1x for security reasons with ACS 4.1. At this point I have configured a guest-vlan, which has access-lists configured so only access between client <-> PXE server is allowed. So far it is functioning perfectly. When the client boots to Windows, the machine is checked by ACS (Active Directory) and the authentication is passed (passed authentication). Only problem is that the switchport is not set to the normal vlan configured on the switch, but stays in the guest vlan.

How can I accomplish that the port is set to the correct vlan after successful authentication?

I cannot configure ACS to set the vlan to a specific number, because every switch has a separate vlan and the vlan should not spread over different switches.

Thanks in advance!

a-vazquez Thu, 08/30/2007 - 06:45

As far as I understand, you are trying to setup 802.1x port-based authentication.

First of all, here is a configuration guide:

http://www.cisco.com/en/US/products/ps6406/products_configuration_guide_chapter09186a00805a76b5.html

Refer to chapter "Configure IEEE 802.1x Port-Based Authentication".

    switchport mode access
    dot1x pae authenticator
    dot1x port-control auto
    dot1x timeout reauth-period server
    dot1x reauthentication
    dot1x guest-vlan 140
    dot1x auth-fail vlan 104

Based on this, if a user gets successfully authenticated, the vlan assignment is done via radius.

Regarding ACS setup, which authentication methods do you intend to use?

Do you also do machine authentication?

What kind of supplicant (client) are you using (Version/Build/SP)?

For troubleshooting, I need some further information.
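The RADIUS side of the "vlan assignment is done via radius" point, as an added example that is not code from the thread, from ACS or from Cisco: the three RFC 3580 attributes a RADIUS server returns in Access-Accept to assign a VLAN, and the checks a switch makes before honouring them. Cisco Catalyst switches accept either a VLAN ID or a VLAN name in Tunnel-Private-Group-ID and resolve it against their local VLAN database; the two switch VLAN tables below are constructed (VLAN 140 and 104 are the guest and auth-fail VLANs from the config above, the rest is made up), and the exact rejection behaviour for an unknown VLAN is modelled as a ValueError rather than taken from any specific IOS release.

```python
"""
Added example, not code from the original thread or from Cisco: the
RFC 3580 attribute set a RADIUS server returns in Access-Accept to move
an authenticated port into a VLAN, and the checks a switch makes before
honouring it. Switch VLAN databases below are constructed.
"""

# RADIUS attribute numbers (RFC 2868) and the values RFC 3580 requires
# for VLAN assignment.
TUNNEL_TYPE = 64                # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65         # value 6  = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81    # VLAN ID ("110") or VLAN name ("staff")

TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6


def build_vlan_assignment(group_id, tag=None):
    """Attributes a RADIUS profile adds to Access-Accept to assign a VLAN.

    tag: optional RFC 2868 tag (0-31) prefixed to the string value; many
    servers send no tag, and a switch must accept both forms.
    """
    value = str(group_id)
    if tag is not None:
        if not 0 <= tag <= 31:
            raise ValueError("RFC 2868 tag must be 0-31")
        value = chr(tag) + value
    return {
        TUNNEL_TYPE: TUNNEL_TYPE_VLAN,
        TUNNEL_MEDIUM_TYPE: TUNNEL_MEDIUM_802,
        TUNNEL_PRIVATE_GROUP_ID: value,
    }


def resolve_assigned_vlan(attrs, local_vlans):
    """Validate the assignment as a switch would and map it to a local VLAN ID.

    local_vlans: the switch's own VLAN database as {vlan_id: vlan_name}.
    Returns the VLAN ID to put the port in, None when the Access-Accept
    carries no assignment (the port keeps its configured access VLAN),
    and raises ValueError when the assignment cannot be honoured
    (modelled behaviour, an assumption of this example).
    """
    if TUNNEL_PRIVATE_GROUP_ID not in attrs:
        return None  # no dynamic VLAN requested
    if attrs.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN:
        raise ValueError("Tunnel-Type must be VLAN (13)")
    if attrs.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_802:
        raise ValueError("Tunnel-Medium-Type must be IEEE-802 (6)")

    group = attrs[TUNNEL_PRIVATE_GROUP_ID]
    # RFC 2868: a leading byte below 0x20 is a tag, not part of the value.
    if group and ord(group[0]) < 0x20:
        group = group[1:]
    if not group:
        raise ValueError("empty Tunnel-Private-Group-ID")

    # Numeric value: must be an existing VLAN ID in the valid range.
    if group.isdigit():
        vlan_id = int(group)
        if not 1 <= vlan_id <= 4094 or vlan_id not in local_vlans:
            raise ValueError(f"VLAN {vlan_id} not in this switch's VLAN database")
        return vlan_id

    # Otherwise a VLAN name, resolved against the local database. This is
    # what lets one RADIUS profile work across switches that number the
    # same role differently.
    for vlan_id, name in local_vlans.items():
        if name == group:
            return vlan_id
    raise ValueError(f"VLAN name {group!r} not in this switch's VLAN database")


# Constructed VLAN databases for two switches that number the same role
# differently (140 and 104 match the guest/auth-fail VLANs in the config).
SWITCH_A = {110: "staff", 140: "guest", 104: "auth-fail"}
SWITCH_B = {210: "staff", 240: "guest", 204: "auth-fail"}


if __name__ == "__main__":
    by_name = build_vlan_assignment("staff")
    print(resolve_assigned_vlan(by_name, SWITCH_A))    # 110
    print(resolve_assigned_vlan(by_name, SWITCH_B))    # 210
    by_number = build_vlan_assignment(110)
    print(resolve_assigned_vlan(by_number, SWITCH_A))  # 110
    try:
        resolve_assigned_vlan(by_number, SWITCH_B)
    except ValueError as err:
        print("switch B rejects:", err)
```

Run stand-alone, the script shows the same Access-Accept landing the port in VLAN 110 on one switch and 210 on the other when the profile names the VLAN, while a numeric assignment only works on the switch that actually has that VLAN number.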

paulkeestra Thu, 08/30/2007 - 22:13

Yes, I'm trying to set up 802.1x. The configuration you mention is configured on the switch and the switch is configured (radius IETF) in ACS. Authentication is based on machine authentication.

The configuration works as it should. The only problem is PXE boot for imaging. By adjusting the timers I managed to boot the workstation: at PXE boot, the switchport is set to the guest-vlan, and when Windows boots, the machine is checked and the port is set to the normal vlan. Only problem is that the timers are machine specific.

Back to the questions:

Which authentication: PEAP

Machine: YES

Supplicant: Standard Windows XP (PEAP) supplicant

Is it possible to keep the PXE boot functionality with 802.1x and guest-vlan?
