802.1x & Windows Authentication

jain.nitin
Level 3

Hi there, has anybody implemented 802.1x port authentication with ACS & Windows AD? Which authentication is supported in this kind of setup: MS-CHAP, MD5 or PEAP (on the clients)?

And what are the challenges if Windows user account passwords are changed frequently?

Can anybody explain the advantages and disadvantages of 802.1x before I deploy it in the network?


Works great, depending on what you're after. If certificates are not in the picture, stick with PEAP/MS-CHAPv2. If you do machine authentication over PEAP, instead of user auth, then you can avoid some issues:

- The machine needs to be on the network for domain authentication to take place (domain logon scripts, drive mappings, etc.)

- PEAP machine auth against AD helps ensure that only YOUR computers are connecting to the network

- The user doesn't have to worry about logon credentials

This doesn't work well for Macs or Linux boxes, though.

Thanks for your reply. How can I do the machine authentication? Also, I want to know: if I use mac-auth-bypass along with a guest VLAN, is there any problem with it?

There's a decent guide in the ACS 4.2 documentation on enabling machine access (chapter 12). Basically, you just enable it on the client and the ACS server, and POOF! On the client side, you should have an "Authenticate as computer..." option on your wireless networks tab. Wired is the same, unless you are running XP SP3, Vista, or Windows 7, where machine auth is enabled when you enable user auth.

MAB with Guest VLAN *should* work, but I have not configured/tested it. Just be aware that MAB on the ACS side is just another form of auth where the user id and password are the MAC address of the client. For this reason, I recommend you put the MAC "users" in your ACS database, not in AD. Otherwise, you'll probably need to create an AD password group policy object for the user group holding your "mac address user accounts" so that they can have a password that matches their user name.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/ACSug.pdf
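
An access-port configuration for the 802.1X-first, MAB-fallback, guest-VLAN setup discussed in this thread, added here as an example and not posted by any participant. It assumes a Catalyst switch running IOS 12.2(50)SE or later (the `authentication` command set); the RADIUS address, shared-secret placeholder, interface and VLAN numbers are constructed.

```cisco
! Constructed values: 192.0.2.10 = ACS server, VLAN 10 = corporate, VLAN 99 = guest
aaa new-model
aaa authentication dot1x default group radius
! Needed so the switch applies VLANs returned by RADIUS
aaa authorization network default group radius
dot1x system-auth-control
radius-server host 192.0.2.10 key <SHARED-SECRET-PLACEHOLDER>
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 ! Port stays unauthorized until RADIUS returns Access-Accept
 authentication port-control auto
 dot1x pae authenticator
 ! Try 802.1X (PEAP supplicants) first, then fall back to MAB
 authentication order dot1x mab
 authentication priority dot1x mab
 mab
 ! MAB submits the client MAC as both username and password, so the MAC
 ! is an identifier, not a secret: keep MAB-authorized and guest VLANs
 ! behind ACLs that allow only what those devices need
 authentication event no-response action authorize vlan 99
 ! Shorten the wait before fallback (default tx-period is 30 seconds)
 dot1x timeout tx-period 10
```

`show authentication sessions interface GigabitEthernet0/1` shows which method (dot1x or mab) authorized the port and the VLAN it landed in.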
