Deploy 802.1x in a big organization

amady3381
Level 1

Hi all

I need to deploy 802.1x with mac-authentication in the network.

Network specifications:

> The network diagram is attached.

> The connection between the branches are 10 Gbps and are operating through OSPF routing protocol.

> The ACS (4.1) appliance resides in the HO branch only (I have 2 ACS in replication mode; only one is active at a time and the other is standby).

> My access switches are Catalyst 3560 with IOS version 12.0.

> PCs run the Vista operating system.

I need to know whether there is any problem if I deploy 802.1x with mac-authentication for the whole network, i.e. the 5000 users must be authenticated through the ACS that resides in the HO.

Will the ACS processor be able to manage all the users' authentication? If not, what is the solution?

Will there be any latency because of the authentication process for this huge number of users?

Which IOS versions are needed to support 802.1x with my switches?

Finally, in many Cisco documents I see that before the user is authenticated he can send only EAPOL, CDP and STP traffic, but in others you see only EAPOL. Which is the right one?

I am waiting for any help.

Thanks and Best Regards

amady

7 Replies

vkapoor5
Level 5

A good thing to know about PEAP is that there are two different implementations of PEAP:

PEAP w/ CHAP: used by Cisco and requires the Cisco ACU and CiscoSecure ACS

PEAP w/ MS-CHAP v2: used by Microsoft and incompatible with Cisco's ACU.

Hi Vkapoor5

Thanks for the reply.

What do you mean by Cisco ACU?

Thanks

ACU stands for Aironet Client Utility, a piece of Cisco software for configuring Aironet wireless cards.

Hello Everyone,

We are using Cisco Secure 4.0 for AAA and we would like to deploy 802.1x for authenticating the MAC addresses connecting to the switch.

Is it possible to use the same username and password for 802.1x as well as for the normal user authentication? Any pointers?
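For the MAB credential question above, it helps to see what the switch actually puts on the wire. The following is an added example (not code from the thread, from Cisco or from ACS) that builds and parses the RADIUS Access-Request a switch sends for a MAC-authenticated port: User-Name and User-Password both carry the MAC address, and the password is hidden with the RFC 2865 section 5.2 PAP scheme (MD5 of the shared secret and the Request Authenticator). The MAC address, the shared secret and the 12-lowercase-hex-digit credential format are assumptions for the example; check the exact format against your IOS release and the ACS user entry. The Service-Type=Call-Check attribute that later IOS releases add so the server can tell a MAB request from a login is also an assumption here.

```python
import hashlib
import os
import struct

# Constructed inputs (not from the thread): a MAC learned on an access port and a
# hypothetical RADIUS shared secret as set with "radius-server key ...".
SAMPLE_MAC = "0019.5b2f.1a3c"
SAMPLE_SECRET = b"example-shared-secret"

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_SERVICE_TYPE = 6
SERVICE_TYPE_CALL_CHECK = 10  # marks MAB requests in later IOS releases (assumption for this example)


def mab_credential(mac):
    """Reduce any MAC notation to the 12 lowercase hex digits MAB uses as User-Name
    and User-Password (assumed credential format; match it to your ACS user entry)."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % (mac,))
    return digits


def hide_pap_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return bytes(out)


def reveal_pap_password(hidden, secret, authenticator):
    """Inverse of hide_pap_password; what the RADIUS server does before comparing."""
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type, value):
    """RADIUS TLV: type, total length (including the 2-byte header), value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_mab_access_request(mac, secret, identifier=1, authenticator=None):
    """Build the Access-Request a switch sends for MAB: code, id, length,
    16-byte Request Authenticator, then the attributes."""
    if authenticator is None:
        authenticator = os.urandom(16)
    cred = mab_credential(mac).encode("ascii")
    attrs = (attribute(ATTR_USER_NAME, cred)
             + attribute(ATTR_USER_PASSWORD, hide_pap_password(cred, secret, authenticator))
             + attribute(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_access_request(packet, secret):
    """Server side: split the attributes and recover the cleartext User-Password."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    authenticator = packet[4:20]
    attrs = {}
    pos = 20
    while pos < length:
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    password = reveal_pap_password(attrs[ATTR_USER_PASSWORD], secret, authenticator)
    return {"code": code, "id": identifier,
            "user_name": attrs[ATTR_USER_NAME].decode("ascii"),
            "password": password.decode("ascii"),
            "service_type": struct.unpack("!I", attrs[ATTR_SERVICE_TYPE])[0]}


if __name__ == "__main__":
    pkt = build_mab_access_request(SAMPLE_MAC, SAMPLE_SECRET)
    print(parse_access_request(pkt, SAMPLE_SECRET))
```

The point for the ACS side: a MAB entry is a user account whose name and password are the MAC address, which is why it cannot double as a person's login, and why the PAP password hiding only protects it as well as the shared secret does.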

xcz504d1114
Level 4

I'm also going through the process of testing my dot1x for a large-scale deployment.

The handshake process happens almost immediately in my test network, the port is authenticated as quickly as portfast can bring it up. Again, this is in my test network without traffic shaping and user traffic, although I don't expect it to be an issue.

On the 3500s I've tested so far I have been running 12.2(25) IOS, and the same with the 3750s. I haven't found any documentation (or needed to find any) regarding specific IOS versions. I imagine as long as the switch supports aaa commands and dot1x commands you should be fine, although I have read about problems with RADIUS server authentication on 3500s and certain IOS versions.

As far as the Cisco documentation goes on the data allowed before the port is authenticated, it is correct when it says EAPOL and STP are passed. But CDP is not.

Although it is interesting to note that with Wireshark running on my test machines the STP packets are listed as EAP protocol on ports with dot1x authentication enabled. So both of your documents are technically correct, minus the CDP.

The traffic was seen on a 3750 series switch running IOS 12.2(25), I did not verify this information is correct for other switches.

BPDUs don't leak out of a switchport that has 1X enabled.

As for Wireshark, you may need to upgrade it. 802.1X falls into the BPDU range defined by 802.1D (its MAC address does anyway), but later versions are able to decode it specifically as EAPOL.

Hope this helps,
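The two replies above disagree on what an analyser shows before a port is authorised, and the cause is the destination address: EAPOL goes to 01:80:C2:00:00:03, which lies in the same 802.1D reserved group-address block (01:80:C2:00:00:00 to 0F) as STP's 01:80:C2:00:00:00, while CDP uses 01:00:0C:CC:CC:CC. As an added example that is not part of the original thread, the following classifier tells the three apart from the raw Ethernet frame (EtherType 0x888E for EAPOL, LLC DSAP/SSAP 0x42 for BPDUs, SNAP OUI 00:00:0C PID 0x2000 for CDP), so you can run it over frames pulled from a capture on an unauthenticated port and check for yourself which of them actually pass. The sample frames are constructed for the example, not captured.

```python
import struct

PAE_GROUP = bytes.fromhex("0180c2000003")  # 802.1X port access entity group address
STP_GROUP = bytes.fromhex("0180c2000000")  # 802.1D bridge group address (BPDUs)
CDP_GROUP = bytes.fromhex("01000ccccccc")  # Cisco CDP/VTP/PAgP multicast
ETHERTYPE_EAPOL = 0x888E
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
BPDU_TYPES = {0x00: "Configuration BPDU", 0x80: "TCN BPDU", 0x02: "RST BPDU"}


def mac_str(addr):
    return ":".join("%02x" % b for b in addr)


def in_bridge_reserved_range(dst):
    """01:80:C2:00:00:00 .. 01:80:C2:00:00:0F, the 802.1D reserved group addresses
    a bridge must not forward; EAPOL's PAE address sits inside it next to STP's."""
    return dst[:5] == b"\x01\x80\xc2\x00\x00" and dst[5] <= 0x0F


def classify(frame):
    """Return what a raw Ethernet frame is: eapol, stp, cdp or other."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst = frame[:6]
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    kind, detail = "other", "ethertype 0x%04x" % type_or_len
    if type_or_len == ETHERTYPE_EAPOL and len(payload) >= 4:
        version, ptype, body_len = struct.unpack("!BBH", payload[:4])
        kind, detail = "eapol", "%s v%d" % (EAPOL_TYPES.get(ptype, "type %d" % ptype), version)
    elif type_or_len <= 1500 and len(payload) >= 3:
        # 802.3 length field: an LLC header follows instead of an EtherType
        dsap, ssap = payload[0], payload[1]
        if dsap == 0x42 and ssap == 0x42 and dst == STP_GROUP and len(payload) >= 7:
            bpdu_type = payload[6]
            kind, detail = "stp", BPDU_TYPES.get(bpdu_type, "BPDU type 0x%02x" % bpdu_type)
        elif dsap == 0xAA and ssap == 0xAA and payload[3:8] == b"\x00\x00\x0c\x20\x00":
            kind, detail = "cdp", "SNAP OUI 00:00:0c PID 0x2000"
        else:
            kind, detail = "other", "LLC dsap 0x%02x" % dsap
    return {"dst": mac_str(dst), "kind": kind, "detail": detail,
            "bridge_reserved_dst": in_bridge_reserved_range(dst)}


def build_sample_frames():
    """Constructed frames (not captured): one of each kind the thread mentions plus an IPv4 frame."""
    src = bytes.fromhex("001122334455")
    eapol_start = PAE_GROUP + src + struct.pack("!H", ETHERTYPE_EAPOL) + bytes([0x01, 0x01, 0x00, 0x00])
    bpdu = b"\x00\x00" + b"\x00" + b"\x00" + b"\x00" * 31  # protocol id, version 0, Config BPDU, rest zeroed
    stp = STP_GROUP + src + struct.pack("!H", 3 + len(bpdu)) + b"\x42\x42\x03" + bpdu
    cdp_body = bytes([0x02, 0xb4]) + b"\x00\x00"  # CDP v2, TTL 180, checksum placeholder
    cdp = CDP_GROUP + src + struct.pack("!H", 8 + len(cdp_body)) + b"\xaa\xaa\x03\x00\x00\x0c\x20\x00" + cdp_body
    ipv4 = bytes.fromhex("00aabbccddee") + src + b"\x08\x00" + b"\x45" + b"\x00" * 19
    return [eapol_start, stp, cdp, ipv4]


def summarize(frames):
    """Kinds in frame order, handy for a quick tally over a capture."""
    return [classify(f)["kind"] for f in frames]


if __name__ == "__main__":
    for f in build_sample_frames():
        print(classify(f))
```

Feed it the frame bytes of a capture taken on the host side of an unauthorised port and count the kinds: if an old dissector labels everything with a 01:80:C2:00:00:xx destination as one protocol, the `bridge_reserved_dst` flag shows why, while `kind` still separates EAPOL from BPDUs.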

alois.heilmaier
Level 1

I need to know whether there is any problem if I deploy 802.1x with mac-authentication for the whole network, i.e. the 5000 users must be authenticated through the ACS that resides in the HO.

==> Be aware of timing issues (e.g. DHCP timeout...), because mac-authentication comes into the game when the client does not respond to EAPOL.

==> Be aware of default Windows settings. I only know WinXP; by default dot1x with smartcard is enabled.

Which IOS versions are needed to support 802.1x with my switches?

==> 12.2(25)SEE for mac-auth-bypass

Be also aware of MAC-address-list administration on the ACS appliance. Maintaining 5000 MAC addresses could be a time-consuming job.

I would check for ACS software on Win2003 Server (in MS AD) and e.g. PEAP authentication as the EAP authentication method.
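The timing issue raised above is worth quantifying before a 5000-port rollout: a port only falls back to MAB after the switch has sent its EAPOL Request/Identity and retransmitted it `max-reauth-req` times, `tx-period` seconds apart, so a client with no supplicant waits tx-period × (max-reauth-req + 1) seconds, which with the IOS defaults of 30 s and 2 is 90 s, longer than many DHCP clients keep retrying. As an added example (not code from the thread or from Cisco), the following script parses a constructed 3560 configuration fragment and reports that wait per interface; the 60 s DHCP window it compares against is an assumed figure, and the interface names and commands in the sample are illustrative.

```python
import re

# Constructed 3560 configuration fragment (not from the thread): Gi0/1 uses default
# timers, Gi0/2 is tuned, Gi0/3 has dot1x but no MAB fallback at all.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 dot1x port-control auto
 dot1x mac-auth-bypass
 spanning-tree portfast
!
interface GigabitEthernet0/2
 switchport mode access
 dot1x port-control auto
 dot1x mac-auth-bypass
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 spanning-tree portfast
!
interface GigabitEthernet0/3
 switchport mode access
 dot1x port-control auto
 spanning-tree portfast
!
"""

DEFAULT_TX_PERIOD = 30      # seconds between EAPOL Request/Identity retransmissions (IOS default)
DEFAULT_MAX_REAUTH_REQ = 2  # retransmissions after the first request (IOS default)


def parse_interfaces(config):
    """Collect the dot1x settings of each interface stanza, filling in IOS defaults."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = {"dot1x": False, "mab": False,
                                   "tx_period": DEFAULT_TX_PERIOD,
                                   "max_reauth_req": DEFAULT_MAX_REAUTH_REQ}
            continue
        if current is None or not line.startswith(" "):
            current = None  # "!" or a top-level line ends the stanza
            continue
        cmd = line.strip()
        entry = interfaces[current]
        if cmd == "dot1x port-control auto":
            entry["dot1x"] = True
        elif cmd == "dot1x mac-auth-bypass":
            entry["mab"] = True
        elif cmd.startswith("dot1x timeout tx-period "):
            entry["tx_period"] = int(cmd.split()[-1])
        elif cmd.startswith("dot1x max-reauth-req "):
            entry["max_reauth_req"] = int(cmd.split()[-1])
    return interfaces


def mab_fallback_seconds(entry):
    """Seconds a silent (no-supplicant) host waits before the switch tries MAB:
    the first Request/Identity plus max-reauth-req retransmissions, tx-period apart."""
    return entry["tx_period"] * (entry["max_reauth_req"] + 1)


def audit(config, dhcp_window=60):
    """Verdict per interface. dhcp_window is how many seconds you expect the client's
    DHCP discover to keep retrying (assumed value; measure it for your OS image)."""
    results = {}
    for name, entry in parse_interfaces(config).items():
        if not entry["dot1x"]:
            results[name] = ("not-dot1x", None)
        elif not entry["mab"]:
            results[name] = ("no-mab-fallback", None)
        else:
            wait = mab_fallback_seconds(entry)
            results[name] = ("ok" if wait <= dhcp_window else "dhcp-timeout-risk", wait)
    return results


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_CONFIG).items():
        print(name, verdict)
```

Run it over `show running-config` output from each access switch; ports flagged `dhcp-timeout-risk` are the ones where a printer or a PC without a running supplicant will get its DHCP lease late or not at all, and ports flagged `no-mab-fallback` will never admit such a host.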
