802.1x & windows Authentication

Unanswered Question
Aug 10th, 2009

Hi there, has anybody implemented 802.1x port authentication with ACS & Windows AD? Which authentication is supported in this kind of setup: MS-CHAP or MD5 or PEAP (on the clients)?

And what are the challenges if Windows user account passwords are changed frequently?

Can anybody explain the advantages & disadvantages of 802.1x before I deploy it in the network?

Robert.N.Barrett_2 Mon, 08/10/2009 - 18:02

Works great, depending on what you're after. If certificates are not in the picture, stick with PEAP/MSChapV2. If you do machine authentication over PEAP, instead of user auth, then you can avoid some issues:

- The machine needs to be on the network for domain authentication to take place (domain logon scripts, drive mappings, etc.)

- PEAP machine auth against AD helps ensure that only YOUR computers are connecting to the network

- The user doesn't have to worry about logon credentials

This doesn't work well for Macs or Linux boxes, though.

jain.nitin Tue, 08/11/2009 - 21:21

Thanks for your reply. How can I do the machine authentication? And also I want to know: if I use mac-auth-bypass along with guest VLAN, is there any problem with it?

Robert.N.Barrett_2 Fri, 08/14/2009 - 10:20

There's a decent guide in the ACS 4.2 documentation on enabling machine access (chapter 12). Basically, you just enable it on the client and the ACS server, and POOF! On the client side, you should have an "Authenticate as computer..." option on your wireless networks tab. Wired is the same, unless you are running XP SP3, Vista, or Windows 7, where machine auth is enabled when you enable user auth.

MAB with Guest VLAN *should* work, but I have not configured/tested it. Just be aware that MAB on the ACS side is just another form of auth where the user id and password are the MAC address of the client. For this reason, I recommend you put the MAC "users" in your ACS database, not in AD. Otherwise, you'll probably need to create an AD password group policy object for the user group holding your "mac address user accounts" so that they can have a password that matches their user name.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/ACSug.pdf
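The switch-side configuration the two answers above imply (802.1x with PEAP machine auth against ACS, MAB as the fallback for non-supplicant devices, and a guest VLAN for hosts that answer neither) as an added example; this is not configuration from the original posts or from the Cisco guide linked above. It assumes a Catalyst switch running the 12.2-era "dot1x" interface syntax contemporary with ACS 4.2, and the RADIUS server address, VLAN IDs and shared secret are placeholders:

```cisco
! --- Global: point 802.1x/MAB authentication and VLAN authorization at ACS ---
aaa new-model
aaa authentication dot1x default group radius
! "authorization network" is what allows ACS to push a VLAN (e.g. a quarantine VLAN) back to the port
aaa authorization network default group radius
! 10.0.0.10 and ACS-SHARED-SECRET are placeholders; ACS must also know this switch as an AAA client
radius-server host 10.0.0.10 auth-port 1812 acct-port 1813 key ACS-SHARED-SECRET
! ACS uses vendor-specific attributes for some authorizations; let the switch send them
radius-server vsa send authentication
! Nothing happens on any port until 802.1x is enabled globally
dot1x system-auth-control
!
! --- Access port: PEAP supplicants first, MAB second, guest VLAN last ---
interface FastEthernet0/1
 switchport mode access
 ! VLAN a successfully authenticated host lands in when ACS does not assign one
 switchport access vlan 20
 ! Port is blocked (except EAPOL) until authentication succeeds
 dot1x port-control auto
 ! Periodic re-auth, so a machine leaving the domain or losing its account is cut off
 dot1x reauthentication
 dot1x timeout reauth-period 3600
 ! A non-supplicant host (printer, phone) never answers EAP-Request/Identity.
 ! tx-period x (max-reauth-req + 1) is how long it waits before the switch
 ! falls through to MAB: 10 s x 3 = 30 s here instead of the default 90 s.
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 ! Fallback: authenticate the source MAC against ACS as user = password = MAC,
 ! which is why the answer above keeps those "MAC users" in the ACS database.
 dot1x mac-auth-bypass
 ! Hosts with no supplicant whose MAC ACS rejects end up isolated here (placeholder VLAN 99)
 dot1x guest-vlan 99
 ! Hosts that DO have a supplicant but fail (bad/expired credentials) go here instead of the
 ! guest VLAN; keep this separate so a failed domain machine is distinguishable from a printer
 dot1x auth-fail vlan 98
 dot1x auth-fail max-attempts 3
 spanning-tree portfast
```

Two things worth checking before relying on this: "show dot1x interface FastEthernet0/1 details" shows which method (802.1x, MAB or guest VLAN) actually authorized the port and in which VLAN, so you can confirm that a domain PC was authorized by PEAP and not quietly dropped into the guest VLAN by a MAB entry; and the guest VLAN is reached only after MAB fails, so a typo in a MAC "user" on ACS shows up as a device in VLAN 99 rather than as a rejected authentication. ACS's failed-attempts log is the place to look when that happens.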
