Dot1x authentication using ACS 4.2 and Active Directory

Aug 4th, 2010

Hello all,

I am trying to configure Dot1x authentication using ACS 4.2 and Active Directory but am coming up short on how to configure the ACS for this.  Can anyone point me to a howto or otherwise assist?

From what I understand, when using AD I need to turn on MD5, a certificate is not required on the ACS(?) or the client.

Any help or pointers would be greatly appreciated.  Thank you.

cchughes Thu, 08/05/2010 - 07:35

Well I found good information on dot1x and the switch configuration but I'm still not clear on the ACS config or what the options are.  I'm trying to test for a mac-address match and then assign vlan membership based on a match.

Currently I have the client failing dot1x auth and being assigned to the guest vlan.  Problem is, I don't know how to make them pass authentication.

Also, can anyone describe the user experience when I configure integration with AD... or how that works?  Does the user get prompted for credentials or do I need to configure credentials within the client's dot1x settings?  Ultimately I want to prevent non-domain (AD) PCs from getting an IP address or otherwise quarantine them to a guest vlan.

Any help on any aspect of this will be appreciated.  Thanks.

cchughes Mon, 08/09/2010 - 05:41

Found the answer.  The ACS was configured correctly.  The solution for the ACS involves enabling 3 attributes on the ACS:

IETF 64 (Tunnel Type) - Set this to VLAN.
IETF 65 (Tunnel Medium Type) - Set this to 802.
IETF 81 (Tunnel Private Group ID) - Set this to the VLAN ID.

There is also the requirement to create a user with the username and password set to the mac address of the device(s) to be authenticated.  In ACS 4.2 you need to set up a group whose authentication method is RADIUS and the attributes mentioned above enabled.  Then assign the user you just created to that group.  You can use other RADIUS servers that support all of this, mainly Steel Belted RADIUS and Microsoft RADIUS (under IAS).

The switch config I used is:

aaa new-model
!
!
aaa group server radius radserv
server 10.x.x.5 auth-port 1645 acct-port 1646
!
aaa authentication dot1x default group radius none
aaa authorization network default group radius
!
!
!
aaa session-id common
!
!
interface Vlan44
ip address 10.x.x.7 255.255.255.0
no ip route-cache
!
interface Vlan666
ip address 10.x.x.1 255.255.255.0
no ip route-cache
!
ip http server
ip http secure-server
radius-server host 10.x.x.5 auth-port 1645 acct-port 1646
radius-server key xxxxxxx

This all is correct but there were a few hurdles to make it work.  First was to get a supported IOS that wasn't buggy for the 2960 switch.  The version I found, surprisingly, was not the most current.  I ended up using 12.2(44)SE2.

The next hurdle was DHCP timeouts.  I found that DHCP times out while waiting for dot1x to run.  Without tweaking settings DHCP would succeed but only after the timer cycles converged.  I corrected this behaviour by setting the dot1x timeout tx-period to 5 seconds.  This resulted in dot1x kicking in before DHCP timed out (15 seconds), which for me is acceptable.

Once this worked and the machine authenticated its mac address, I was able to also configure a vlan attribute and have the port dynamically assigned to a vlan.  Cool stuff, but not many folks use dot1x for this so good luck finding too much info on it.

I did find a good doc that talks about the timeout issue on pp. 13-14:

http://www.cisco.com/univercd/cc/td/doc/solution/macauthb.pdf

Hope this helps someone.
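To make the three RADIUS attributes from the answer above concrete, here is an added example (not from the original thread or from Cisco) that encodes them the way a RADIUS server places them in an Access-Accept (RFC 2868 tagged attributes, Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802) and then parses them back the way a switch would, accepting the VLAN only when all three agree on one tag and carry the expected values. The VLAN number 44 and the byte layout are constructed for the example.

```python
import struct
# RFC 2868 tunnel attributes the post enables on ACS, with the enumerated values it names.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # IETF 64 "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6   # IETF 65 "802"

def tagged_int(attr_type, value, tag=1):
    # Tunnel-Type / Tunnel-Medium-Type: type, length, one tag byte, 3-byte big-endian integer.
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")

def tagged_string(attr_type, text, tag=1):
    # Tunnel-Private-Group-ID: type, length, tag byte, then the VLAN ID as a string.
    data = text.encode("ascii")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data

def build_vlan_attributes(vlan_id, tag=1):
    """Attribute bytes a RADIUS server appends to Access-Accept for dynamic VLAN assignment."""
    return (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id), tag))

def parse_attributes(blob):
    """Walk RADIUS attribute TLVs and return (type, tag, value) tuples; tag is 0 when untagged."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 3 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        t, payload = blob[i], blob[i + 2:i + blob[i + 1]]
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, val = payload[0], int.from_bytes(payload[1:], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID and 0x01 <= payload[0] <= 0x1F:
            tag, val = payload[0], payload[1:].decode("ascii")  # RFC 2868: tag only if 0x01..0x1F
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            tag, val = 0, payload.decode("ascii")               # leading byte belongs to the string
        else:
            tag, val = 0, payload
        attrs.append((t, tag, val))
        i += blob[i + 1]
    return attrs

def vlan_from_accept(blob):
    """VLAN the switch would apply: all three attributes share one tag with the expected values."""
    groups = {}
    for t, tag, val in parse_attributes(blob):
        groups.setdefault(tag, {})[t] = val
    for g in groups.values():
        if (g.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN and g.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in g):
            return g[TUNNEL_PRIVATE_GROUP_ID]
    return None  # incomplete or inconsistent trio: port keeps its static or guest VLAN
```

A missing or mismatched Tunnel-Medium-Type, or attributes carrying different tags, makes `vlan_from_accept` return None, which mirrors the symptom of a port staying in the guest VLAN even though the MAC user authenticated.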
