Wired PCs with PEAP and RADIUS - how to join to a domain?

Jan 27th, 2009

I realize this seems like a 'chicken vs. egg' question, but I'm wondering if there is an answer.

We're in the process of implementing RADIUS authentication using PEAP and IAS on our network.

(Server 2003, WinXP Pro, and Cisco hardware)

My test network is working well; however, the one glitch that we've come across is joining new PCs to the domain. Because the switch will not authenticate the machine or the user, we can't get access to join the machine to the domain controller.

Is there a simple workaround for this, or do we have to disable AAA on the switch temporarily every time we want to join/rejoin a machine?

Thanks in advance!

Rob

Scott Fella Mon, 02/02/2009 - 19:27

If you are running 802.1x on your switches for wired users, then you need to stage the machines first by having them join the domain and then pushing out the appropriate certificates to the machine. You can always have ports that don't have 802.1x configured to get this working.

jafrazie Tue, 02/03/2009 - 05:29

Other options include the Guest-VLAN or Auth-Fail-VLAN and allowing access to a domain controller from there. Another option is open mode to always allow access to a domain controller and control access with ACLs.
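
Added example, not part of the original thread: a Cisco IOS sketch of the two approaches named in the reply above, a Guest/Auth-Fail VLAN on one port and open mode with a pre-authentication ACL on another. The interface names, VLAN IDs, ACL name and the domain controller address 192.0.2.10 are constructed placeholders, and global AAA/RADIUS configuration is assumed to be in place already.

```cisco
! Constructed example: interface names, VLAN IDs, the ACL name and the
! domain controller address 192.0.2.10 are placeholders, not values
! from the thread. Global "aaa new-model", RADIUS server and
! "dot1x system-auth-control" configuration is assumed to exist.
!
! Option 1: Guest VLAN / Auth-Fail VLAN
! VLANs 90 and 91 are assumed to be filtered by whichever device routes
! them, so that hosts placed there reach only the domain controller.
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
 ! No 802.1X supplicant answers (fresh, un-joined PC): use guest VLAN 90
 authentication event no-response action authorize vlan 90
 ! Supplicant answers but authentication fails: use auth-fail VLAN 91
 authentication event fail action authorize vlan 91
!
! Option 2: open mode, access limited by a port ACL until authentication
ip access-list extended PRE-AUTH-DC-ONLY
 ! DHCP, so the new machine can obtain an address
 permit udp any eq bootpc any eq bootps
 ! Traffic to the domain controller only (DNS, Kerberos, LDAP, SMB, RPC)
 permit ip any host 192.0.2.10
 deny   ip any any
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication open
 dot1x pae authenticator
 ip access-group PRE-AUTH-DC-ONLY in
```

On IOS releases that predate the `authentication` interface commands, the Guest VLAN and Auth-Fail VLAN are set with `dot1x guest-vlan <vlan-id>` and `dot1x auth-fail vlan <vlan-id>`.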
