Can someone help me with this?
I have a Catalyst 2960 configured for 802.1x over Ethernet.
Cisco 2621 F1/0 has ip address of 192.168.0.1/25
RSA SecurID has ip address of 192.168.0.2/25
Win2k3 AD Server has ip address of 192.168.0.3/25
Cisco Catalyst 2960 has ip address of 192.168.0.5/25
On Cisco 2621 I have the following dhcp scope:
ip dhcp excluded-address 192.168.0.1 192.168.0.80
ip dhcp ping packets 3
ip dhcp binding cleanup interval 300
ip dhcp pool dhcp_pool
network 192.168.0.0 255.255.255.128
subnet prefix-length 25
dns-server 220.127.116.11 18.104.22.168 2..4.5
netbios-name-server 22.214.171.124 126.96.36.199 2..4.5
I have the following configuration on the Catalyst 2960:
description WinXP Dell Laptop
switchport access vlan 2
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x guest-vlan 3
I configured the WinXP machine with Service Pack 2 for PEAP
authentication. I have the following configured:
1- Under the "Authentication" tab of the LAN Connection Properties,
I select "Enable IEEE 802.1x authentication for this network",
2- Under "EAP type", I choose "PEAP",
3- Select "Properties", I uncheck the Valid Server Certificate,
4- Under "Select Authentication Method", I select "Secure Password
On the Steelbelt Radius server, I have successfully integrated
both SecurID and Windows domain accounts with Steelbelt Radius,
so that users can authenticate with either a SecurID account or an Active
Directory account. I have two AD accounts, lcs1 and lcs2.
Finally, when I boot up the Windows XP machine, under the network
icon, it asks me to enter credentials. When I enter "lcs1" and
then the password, Steelbelt Radius looks at the account,
confirms that it is the correct account, and I am connected
to the network with an IP address assigned to me by the DHCP
server. The Windows XP machine now has an IP address of
192.168.0.81/25. Everything is fine at this point.
Now, I shut down the WinXP machine and go home. The
next day, when I boot the WinXP machine back up again, I would
think that it will ask me to authenticate again, and this time
I would like to try something by using another account, "lcs2".
However, the XP machine caches the "lcs1" credential and also
the password, and it connects me back to the network
without asking me to retype the password again. The other
bizarre thing is that it neither asks me to enter my credentials
nor allows me to switch to another account.
The questions I have are:
1- How can I remove the credential from the WinXP machine
after I shut down or log off from the machine?
2- How can I make PEAP work with Steelbelt Radius and SecurID?
Thanks in advance.
P.S. I can confirm that I have Steelbelt Radius and RSA
SecurID integration working properly when I telnet to the
Catalyst 2960 with an account from RSA SecurID, and
the RADIUS server configured on the Catalyst 2960 points
to the Steelbelt Radius server.
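The post shows only the per-port 802.1x commands; the global AAA and RADIUS configuration the 2960 also needs is omitted, and the interface name is not given. The following is an added example of a complete 2960 authenticator configuration for the setup described above; it is not the poster's configuration. The interface name (FastEthernet0/1), the RADIUS server address (192.168.0.4), the RADIUS ports and the shared secret are all assumptions, since the post does not state them. Two security-relevant points it makes explicit: the RADIUS shared secret is what stops a rogue host on the management VLAN from impersonating the switch to the RADIUS server, so it must be unique and long, and the supplicant-side "validate server certificate" option that the post disables is what stops a rogue authenticator from harvesting the user's MS-CHAPv2 exchange, so it should be re-enabled once the Steelbelt Radius certificate's issuing CA is trusted on the XP machine.

```cisco
! --- Added example: global AAA/RADIUS configuration for a Catalyst 2960 ---
! 192.168.0.4 and the shared secret are ASSUMED values, not from the post.
aaa new-model
! 802.1x authentication requests go to the RADIUS group
aaa authentication dot1x default group radius
! Needed only if the RADIUS server returns a dynamic VLAN assignment
aaa authorization network default group radius
! Enable 802.1x globally; without this the per-port commands do nothing
dot1x system-auth-control
! Steelbelt Radius server (assumed address and ports); use a long, unique key
radius-server host 192.168.0.4 auth-port 1812 acct-port 1813 key REPLACE-WITH-LONG-SECRET
! Source RADIUS traffic from the switch management interface
ip radius source-interface Vlan1
!
! --- Per-port authenticator configuration (interface name assumed) ---
interface FastEthernet0/1
 description WinXP Dell Laptop
 switchport access vlan 2
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 ! Hosts without a supplicant land in VLAN 3 rather than on the data VLAN
 dot1x guest-vlan 3
 ! Force the supplicant to re-authenticate periodically (seconds);
 ! a cached credential will still be reused silently by the supplicant
 dot1x reauthentication
 dot1x timeout reauth-period 3600
 spanning-tree portfast
!
! --- Commands used to check what actually happened on the port ---
! show dot1x interface FastEthernet0/1 details
! show dot1x statistics interface FastEthernet0/1
! debug radius authentication
```

The `show dot1x interface ... details` output reports the authenticated identity and the backend state, which is the quickest way to confirm whether the second-day session was a fresh authentication of the cached "lcs1" identity (the switch will show a new Access-Accept) rather than the port simply staying authorized; `debug radius authentication` shows the User-Name attribute in the Access-Request so the cached identity is visible on the switch side as well.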