802.1x, catalyst, ACS & active directory external DB!

g.rodegari
Level 1

Hi,

I'm working with 802.1x on a Catalyst switch, with ACS 3.1 as the RADIUS server and external user authentication against MS Active Directory via LDAP.

My questions are:

1) Are the only EAP versions supported by the Catalyst EAP-MD5 and EAP-TLS (not PEAP and LEAP)?

2) Is EAP-TLS the only supported method to authenticate users from ACS against AD? Is EAP-MD5 not supported over the LDAP access protocol?

3) Can I import the users from Active Directory into the internal ACS database (like from an RDBMS)?

thanks,

Graz.

9 Replies

mmellet
Level 3

The following document gives some ideas on importing users from an RDBMS into the internal ACS database:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008010217d.html#565

BABARCHE
Level 1

EAP-MD5 is supported with IAS over Active Directory. I tested it! It worked fine.

EAP-PEAP-MSCHAPv2 is working fine too!

Very simple to implement and to use compared to EAP-TLS ...

Are you working with Catalyst switches and EAP-PEAP-MSCHAPv2? How do you connect the Microsoft database with Cisco ACS?

It works fine as long as you don't run login scripts, roaming profiles, etc. You should probably upgrade to ACS 3.2, and good luck on the rest. If you want to use it in a live environment with login scripts, different users/VLANs, etc., you will have to implement certificates, add a registry value called supplicant mode, and get the latest hotfix from Microsoft that allows the client to re-DHCP after the client authenticates and changes VLANs.

I am in an installation with 802.1x.

I have installed a Cisco ACS and a Cisco 2950 switch and I am authorizing users via MS-CHAPv2 against the Cisco ACS.

ACS is validating users against a Microsoft Active Directory.

I have the following problem: when a user logs in, it takes between 45 and 90 sec to log the user in and change the VLAN.

I have installed Windows XP Service Pack 2 and patches:

xp-kb817778-x86-esn

xp-kb826942-x86-esn

I have changed the switch software to the latest release.

How can I reduce this delay? Any idea?

It takes 45 to 90 sec to:

Authenticate the user?

Change the IP Address after changing the VLAN?

Jafrazie, it takes 45 to 90 sec from when I log in with the username and password until the port is green.

OK, the port turns green as soon as it is put into forwarding, or when it sends an EAP-Success frame to the supplicant. I need the code/switch rev to determine more and rule it out, but a sniff from the PC's port will let you know what's going on.

It looks like standard auth is taking too long.
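The sniff Jafrazie suggests answers his two questions (is the 45 to 90 sec spent authenticating, or re-addressing after the VLAN change?) only if you read the EAPOL and DHCP frames with timestamps. The script below is an added example written for this thread, not code from any poster, Cisco or Microsoft: it decodes EAPOL/EAP frames (including the EAP method type, so you can also confirm whether the client is doing MD5, TLS, LEAP or PEAP as discussed earlier in the thread) and DHCP message types from a capture of the PC's port, then splits the delay into time-to-EAP-Success and time-from-EAP-Success-to-DHCP-ACK. The capture, MAC/IP addresses and timings are constructed by hand; in practice you would feed it frames read from a pcap.

```python
"""Added example, not from the thread: decode EAPOL/EAP and DHCP frames
captured on the supplicant's port and split the login delay into
'802.1X authentication' and 'DHCP after VLAN change'. The frames and
timestamps are constructed by hand; the MAC/IP addresses are dummies."""
import struct

ETHERTYPE_EAPOL = 0x888E
ETHERTYPE_IP = 0x0800
PAE_GROUP_MAC = b"\x01\x80\xc2\x00\x00\x03"   # 802.1X PAE group address
SUPPLICANT_MAC = b"\x00\x11\x22\x33\x44\x55"  # dummy client MAC

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS",
               17: "LEAP", 25: "PEAP", 26: "MS-CHAPv2"}   # IANA EAP type numbers
DHCP_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 5: "ACK", 6: "NAK"}


def eap(code, ident, method=None, data=b""):
    """Build an EAP packet: code, identifier, length, optional type + data."""
    body = b"" if method is None else bytes([method]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def eapol(eapol_type, payload=b""):
    """Wrap an EAP packet (or nothing, for EAPOL-Start) in Ethernet + EAPOL v1 headers."""
    eth = PAE_GROUP_MAC + SUPPLICANT_MAC + struct.pack("!H", ETHERTYPE_EAPOL)
    return eth + struct.pack("!BBH", 1, eapol_type, len(payload)) + payload


def dhcp(msg_type):
    """Minimal Ethernet/IPv4/UDP/BOOTP frame carrying only DHCP option 53."""
    eth = b"\xff" * 6 + SUPPLICANT_MAC + struct.pack("!H", ETHERTYPE_IP)
    bootp = b"\x00" * 236 + b"\x63\x82\x53\x63" + bytes([53, 1, msg_type, 255])
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0)          # checksum left zero
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(bootp),
                     0, 0, 64, 17, 0, b"\x00\x00\x00\x00", b"\xff\xff\xff\xff")
    return eth + ip + udp + bootp


def decode(frame):
    """Describe an EAPOL or DHCP frame; return None for anything else."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_EAPOL:
        _version, etype, _length = struct.unpack("!BBH", frame[14:18])
        if etype != 0:
            return EAPOL_TYPES.get(etype, f"EAPOL type {etype}")
        code, ident, elen = struct.unpack("!BBH", frame[18:22])
        desc = f"EAP {EAP_CODES.get(code, code)} id={ident}"
        if code in (1, 2) and elen > 4:                       # Request/Response carry a type
            desc += " " + EAP_METHODS.get(frame[22], f"type {frame[22]}")
        return desc
    if ethertype == ETHERTYPE_IP and frame[23] == 17:         # IP protocol 17 = UDP
        udp_off = 14 + (frame[14] & 0x0F) * 4
        ports = set(struct.unpack("!HH", frame[udp_off:udp_off + 4]))
        if ports != {67, 68}:
            return None
        opts, i = frame[udp_off + 8 + 240:], 0               # skip UDP header, BOOTP, cookie
        while i < len(opts) and opts[i] != 255:
            if opts[i] == 0:                                  # pad option
                i += 1
                continue
            if opts[i] == 53:
                return "DHCP " + DHCP_TYPES.get(opts[i + 2], str(opts[i + 2]))
            i += 2 + opts[i + 1]
        return "DHCP"
    return None


def split_delay(capture):
    """capture: [(seconds, frame)] from the PC's port. Returns where the time went."""
    events = [(t, decode(f)) for t, f in capture]
    events = [(t, d) for t, d in events if d]
    t_first = events[0][0]
    t_success = next(t for t, d in events if d.startswith("EAP Success"))
    t_ack = next(t for t, d in events if d == "DHCP ACK")
    return {"auth_seconds": round(t_success - t_first, 3),
            "dhcp_seconds": round(t_ack - t_success, 3),
            "events": events}


def sample_capture():
    """Constructed PEAP/MS-CHAPv2 login followed by a slow re-DHCP after the VLAN change."""
    return [
        (0.00, eapol(1)),                                    # EAPOL-Start
        (0.02, eapol(0, eap(1, 1, 1))),                      # Request/Identity
        (0.03, eapol(0, eap(2, 1, 1, b"DOMAIN\\graz"))),     # Response/Identity (dummy user)
        (0.10, eapol(0, eap(1, 2, 25, b"\x20"))),            # Request/PEAP start
        (0.12, eapol(0, eap(2, 2, 25, b"\x80"))),            # Response/PEAP (TLS data elided)
        (2.40, eapol(0, eap(1, 5, 25, b"\x00"))),            # last PEAP round trip
        (2.45, eapol(0, eap(2, 5, 25, b"\x00"))),
        (2.50, eapol(0, eap(3, 5))),                         # EAP-Success: port goes to forwarding
        (60.10, dhcp(1)),                                    # DHCP Discover only ~58 s later
        (60.50, dhcp(2)), (60.51, dhcp(3)), (62.00, dhcp(5)),
    ]


if __name__ == "__main__":
    result = split_delay(sample_capture())
    for t, d in result["events"]:
        print(f"{t:7.2f}  {d}")
    print(f"authentication took {result['auth_seconds']} s, "
          f"DHCP after EAP-Success took {result['dhcp_seconds']} s")
```

In the constructed trace the 802.1X exchange is over in 2.5 s and the remaining minute is the client sitting on its old lease before it sends a DHCP Discover on the new VLAN, which is the re-DHCP problem the earlier reply describes. The other pattern to look for is a long gap before the first EAP-Request/Identity or between EAP rounds: that puts the time in auth_seconds and points at the switch or the supplicant (a Catalyst retransmits EAP-Request/Identity every tx-period, 30 s by default) rather than at DHCP.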
