Wired PCs with PEAP and RADIUS - how to join to a domain?

Unanswered Question
Jan 27th, 2009

I realize this seems like a 'chicken vs. egg' question, but I'm wondering if there is an answer.

We're in the process of implementing RADIUS authentication using PEAP and IAS on our network.

(Server 2003, WinXP Pro, and Cisco hardware)

My test network is working well, however the one glitch that we've come across is joining new PCs to the domain. Because the switch will not authenticate the machine or the user - we can't get access to join the machine to the domain controller.

Is there a simple workaround for this, or do we have to disable AAA on the switch temporarily, every time we want to join/rejoin a machine?

Thanks in advance!

Rob

Scott Fella Mon, 02/02/2009 - 19:27

If you are running 802.1x on your switches for wired users, then you either need to stage the machines first by having them join the domain and then pushing out the appropriate certificates to the machine. You can always have ports that don't have 802.1x configured to get this working.

jafrazie Tue, 02/03/2009 - 05:29

Other options include the Guest-VLAN or Auth-Fail-VLAN and allowing access to a domain controller from there. Another option is open mode to always allow access to a domain controller and control access with ACLs.
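
The two approaches named in the reply above, sketched as a Cisco IOS switch configuration. This is an added example, not part of any post in the thread. It assumes an IOS release that has the `authentication` interface commands (earlier releases express the first option as `dot1x guest-vlan` and `dot1x auth-fail vlan`), that the switch routes the provisioning VLAN, and that the domain controller also serves DNS. The interface names, VLAN numbers, ACL names and the 192.0.2.10 address are constructed placeholders.

```cisco
! Constructed values: VLAN 10 = production, VLAN 99 = provisioning,
! 192.0.2.10 = domain controller (assumed to be the DNS server too).

! Option 1: Guest-VLAN / Auth-Fail-VLAN
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
 ! No supplicant answers EAPOL (freshly built PC): place the port in VLAN 99
 authentication event no-response action authorize vlan 99
 ! Supplicant answers but fails authentication: same restricted VLAN
 authentication event fail action authorize vlan 99
 spanning-tree portfast

! Limit VLAN 99 to what a domain join needs: DHCP and the domain controller
ip access-list extended PROVISION-ONLY
 permit udp any eq bootpc any eq bootps
 permit ip any host 192.0.2.10
 deny   ip any any
interface Vlan99
 ip access-group PROVISION-ONLY in

! Option 2: open mode, access controlled by a port ACL
ip access-list extended PRE-AUTH
 permit udp any eq bootpc any eq bootps
 permit ip any host 192.0.2.10
 deny   ip any any
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 ip access-group PRE-AUTH in
 ! The port forwards traffic before authentication, limited by PRE-AUTH
 authentication open
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
```

`show authentication sessions interface GigabitEthernet0/1` shows which VLAN and method a port ended up with, which confirms whether an unjoined PC landed in VLAN 99 or was authorized normally.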

