
New Member

802.1x, catalyst, ACS & active directory external DB!

Hi,

I'm working with 802.1x over a Catalyst switch, ACS 3.1 as RADIUS and external DB user authentication on MS Active Directory with LDAP.

My questions are:

1) Are the only EAP versions supported by Catalyst MD5-EAP and EAP-TLS (not PEAP and LEAP)?

2) Is the only supported method to authenticate users from ACS to AD EAP-TLS? Is EAP-MD5 not supported over the LDAP access protocol?

3) Can I import the users from Active Directory to the internal ACS database? (like an RDBMS...)

thanks,

Graz.

9 REPLIES
New Member

Re: 802.1x, catalyst, ACS & active directory external DB!

The following document gives some idea on importing users from an RDBMS to the internal ACS database:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008010217d.html#565

New Member

Re: 802.1x, catalyst, ACS & active directory external DB!

EAP-MD5 is supported with IAS over Active Directory. I tested it! It worked fine.

New Member

Re: 802.1x, catalyst, ACS & active directory external DB!

EAP-PEAP-MSCHAP v2 is working fine too!!

Very simple to implement and to use compared to EAP-TLS ...

New Member

Re: 802.1x, catalyst, ACS & active directory external DB!

Are you working with Catalyst switches and EAP-PEAP-MSCHAP v2? How do you import/connect the Microsoft database with Cisco ACS?

New Member

Re: 802.1x, catalyst, ACS & active directory external DB!

It works fine as long as you don't run login scripts, roaming profiles, etc. You should probably upgrade to ACS 3.2, and good luck on the rest. If you want to use it in a live environment with login scripts, different users/VLANs, etc., you will have to implement certificates, add a registry value called supplicant mode, and get the latest hotfix from Microsoft that allows the client to re-DHCP after the client authenticates and changes VLANs.

New Member

Re: 802.1x, catalyst, ACS & active directory external DB!

I am in an installation with 802.1x.

I have installed a Cisco ACS and a Cisco 2950 switch and I am authorizing users via MS-CHAPv2 against the Cisco ACS.

ACS is validating users against a Microsoft Active Directory.

I have the following problem: when the user logs in, it takes between 45 to 90 sec to log the user in and change the VLAN.

I have installed Windows XP Service Pack 2 and patches:

xp-kb817778-x86-esn

xp-kb826942-x86-esn

I have changed the switch software to the latest release.

How can I reduce this delay? Any idea?

Cisco Employee

Re: 802.1x, catalyst, ACS & active directory external DB!

It takes 45 to 90 sec to:

Authenticate the user?

Change the IP Address after changing the VLAN?

New Member

Re: 802.1x, catalyst, ACS & active directory external DB!

Jafrazie, it takes 45 to 90 sec from when I log in with the username and password until the port is green.

Cisco Employee

Re: 802.1x, catalyst, ACS & active directory external DB!

OK, the port turns green as soon as it is put into forwarding, or when it sends an EAP-Success frame to the supplicant. Need code/switch rev to determine more to rule it out, but a sniff from the PC's port will let you know what's going on.

It looks like standard auth is taking too long.
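One way to act on the advice above and measure where the 45 to 90 seconds go, as an added example that is not from this thread or from Cisco: a Python parser that timelines 802.1X (EAPOL/EAP) frames from a capture taken on the PC's port and reports the time from EAPOL-Start (or the first Request/Identity) to EAP-Success. The sample frames are constructed inline with placeholder MACs and an assumed PEAP exchange; in practice you would feed it frames read from the sniff.

```python
import struct
ETHERTYPE_EAPOL = 0x888E                      # 802.1X frames on the wire
EAPOL_TYPE_EAP_PACKET, EAPOL_TYPE_START = 0, 1
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "TLS", 25: "PEAP"}

def parse_eapol_frame(frame: bytes):
    """Describe one raw Ethernet frame as an 802.1X event, or None if it is not EAPOL."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        return None
    _version, eapol_type, body_len = struct.unpack("!BBH", frame[14:18])
    if eapol_type == EAPOL_TYPE_START:
        return {"event": "EAPOL-Start", "id": None}
    if eapol_type != EAPOL_TYPE_EAP_PACKET or body_len < 4 or len(frame) < 22:
        return None                           # not an EAP packet, or truncated
    body = frame[18:18 + body_len]
    code, ident, length = struct.unpack("!BBH", body[:4])
    event = "EAP-" + EAP_CODES.get(code, f"code{code}")
    if code in (1, 2) and length >= 5:        # Request/Response carry an EAP type byte
        event += " " + EAP_TYPES.get(body[4], f"type{body[4]}")
    return {"event": event, "id": ident}

def auth_timeline(frames):
    """frames: iterable of (timestamp_seconds, raw_frame). Returns (events, seconds_to_success)."""
    events, start, finish = [], None, None
    for ts, raw in frames:
        info = parse_eapol_frame(raw)
        if info is None:
            continue
        events.append((ts, info["event"]))
        if start is None and info["event"] in ("EAPOL-Start", "EAP-Request Identity"):
            start = ts                        # first sign the port began authenticating
        if finish is None and info["event"] == "EAP-Success":
            finish = ts                       # the frame after which the switch opens the port
    delay = None if start is None or finish is None else round(finish - start, 3)
    return events, delay

def _eapol(eap_body=b"", eapol_type=EAPOL_TYPE_EAP_PACKET):  # constructed frame, placeholder MACs
    hdr = bytes.fromhex("0180c2000003") + bytes.fromhex("001122334455")
    return hdr + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, eapol_type, len(eap_body)) + eap_body

def _eap(code, ident, eap_type=None, data=b""):  # constructed EAP packet body
    payload = (bytes([eap_type]) if eap_type is not None else b"") + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload

SAMPLE_CAPTURE = [                            # constructed: Success arrives 62 s after Start
    (0.000, _eapol(eapol_type=EAPOL_TYPE_START)),
    (0.010, _eapol(_eap(1, 1, 1))), (0.020, _eapol(_eap(2, 1, 1, b"graz"))),
    (30.500, _eapol(_eap(1, 2, 25))), (30.600, _eapol(_eap(2, 2, 25))),
    (62.000, _eapol(_eap(3, 3)))]
```

A long gap between Response/Identity and the first PEAP Request points at the ACS/AD side, while a gap after EAP-Success points at the client re-DHCP after the VLAN change.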
