Starting with 802.1X in a running environment

Unanswered Question
Mar 9th, 2009
User Badges:

I'm looking for a solution for starting with 802.1X for wired and wireless network in a live environment. During the migration I have to turn on port based authentication. But at that moment, the machine must have a valid user / computer certificate. Else there will be no connection to the network. Do I have to deal with the fact that all computers do have the certificates before turning on port based authentication ? Is there another method ?



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
sahmedshahcsd Mon, 03/09/2009 - 04:58
User Badges:

Using PEAP and self generating certificate option under ACS server side and no client certificate is required and you can deploy Dot1x authentication and hope the attached document will help you implementing 802.1x

Kindly rate the useful posts



remco.gussen Mon, 03/09/2009 - 05:09
User Badges:

Yes you are right. But I want to use EAP-TLS with user and computer certificates...

jafrazie Mon, 03/09/2009 - 06:51
User Badges:
  • Cisco Employee,

Then you need client certificates. Would not recommend recommend self-signed certs.

remco.gussen Mon, 03/09/2009 - 07:17
User Badges:

I know I need client certificates. But all the certificates need to be installed before 802.1X can be implemented on the switch. If there is no certificate, the client cannot get access to the network and autoenrollement of certificates will not work..

sahmedshahcsd Mon, 03/09/2009 - 12:20
User Badges:

In that case I suggest you to use Microsoft CA Server,Let the user download the user certificate during the process of 802.1x authentication.

Assuming EAPoL will help retrieving user or computer certificate from CA server during the authentication process.



remco.gussen Tue, 03/10/2009 - 01:50
User Badges:

During 802.1x authentication there is no connection to the rest of the network so certificates cannot be obtained..

jafrazie Tue, 03/10/2009 - 05:02
User Badges:
  • Cisco Employee,

If you run machine-auth, this enabled the network connection. If you then run user-auth, you can automatically download a cert for the user .. since the network access has been obtained from machine-credentials. So in other words, as long as you at least have a cert on the box for the machine, the user doesn't necessarilly need a cert pre-loaded and auto-enrollment of certs can still work.


remco.gussen Tue, 03/10/2009 - 05:26
User Badges:

At first you use machine authentication with computer certificate. This cert can be obtained after a initial reboot. Ok, then there is a network connection based on computer authentication. At that moment, user logs in. At that moment there will be a re-authentication with user certificate (that is not available on the pc). I think this is going wrong..

jafrazie Tue, 03/10/2009 - 05:37
User Badges:
  • Cisco Employee,

That's all correct. ;-). Essentially what happens it the following:

1) network access granted via machine-auth.

2) EAPOL-Start from PC to switch.

3) EAPOL-Identity-Request from switch to PC.

At this point, the PC sits there since it has no cert to offer. But remember, network access has been granted from step1 above, and the network connection is still open until at least this "new" authentication attempt fails or times out. So you've got until at least it times out to allow auto-enrollment of a cert to work.

Would hope this is a corner case anyway, and that most of your users already have certs, but it's an option for you maybe ...


aadeoye Tue, 03/10/2009 - 16:53
User Badges:

Hello guys,

I apologize for jumping in but I did not want to start a separate thread as this is also a question about 802.1x and EAP on a wired LAN.

My issue is slightly different.....

I already use PEAP for my Wireless LAN and want it to my wired users. The basic idea is this:

1. Upon successful authentication, domain users and computers get access to the network.

2. Guest users (i.e. anyone not part of the domain or with a supplicant that fails authentication) get restricted access.

3. Non-802.1x devices (printers, video conferencing units etc.) will use MAC authentication to access the network.

Here's my dilemma. The building is relatively large so there is one VLAN per floor for each of the groups mentioned above. I need to find a way to get the VLANs assigned on a per floor basis.

Since this is a relatively large deployment, I will like to use AD as the user database. That's what I currently do for wireless. My thinking is that I could probably group the RADIUS clients (switches) per floor and configure the attributes to assign the VLANs based on group.

Is this possible? How can this be done using Cisco ACS? If possible, I prefer not to use dedicated user groups

remco.gussen Fri, 03/13/2009 - 00:47
User Badges:

You have to do this with AD User Groups. You can connect those AD groups to ACS groups. You can configure attributes to those ACS groups to do dynamic VLAN assignment based on user id.

aadeoye Fri, 03/13/2009 - 04:44
User Badges:

That is my exact problem. I can not pin the VLAN to the User ID since there is no way to predetermine how many users belong to a group. There are over 5000 users in AD. The VLANs have always been assigned based on location (not department or OU) and they would like to keep it that way.


This Discussion