Is there a way to have a single login when using Win2k or XP clients connecting to a 3550 switch set up with 802.1x port authentication to an ACS server version 3.1? I have been beating myself up trying to get to a single login, so that when the person puts in their Windows login info, that passes on to the 802.1x authentication to bring up the Ethernet port.
If not, does anyone know when these features will be linked together? I am trying to deploy port-based security on the network, but I am trying to do it so the users do not know and don't need to be involved.
I have been working with this using Win2k with the 802.1x hotfix and I don't seem to be able to get it to work. I have the certs set up and loaded and the requests are hitting the ACS server, but there seems to be a problem when it goes to authenticate with the NT database. I can authenticate against the NT database when I use something other than an 802.1x request. I don't understand what is different. I will try a WinXP client to see if that will work.
It seems that there is something wrong with ACS and MS PEAP... I found this message from icosgrove:
Feb 12, 2003, 6:30am PST
I have been working on this as well. It turns out that Microsoft's implementation changed from when Cisco first set up the ACS 3.1, and now it will not work till ACS 3.2 comes out. There is not very much documentation on the Cisco website regarding these problems, but I ended up opening a case with TAC and found out I was doing everything right but the ACS and Microsoft were incompatible. From what I understand you can wait for ACS 3.2 (around May) or get an advanced copy of Windows 2003 server and run the Microsoft RADIUS server, and this should work. I have not tried the MS RADIUS server. I am waiting for ACS 3.2. If you want to do some testing, load the Cisco Aironet Client utility on your client computer (I know you are not doing wireless). This will overwrite the MS parts of PEAP with the Cisco PEAP and will work with ACS 3.1. The only drawback is you will have a 2-step login. This solution does not hook into the MS login, so you have to log in twice.
That was my message. I am currently working with a pre-release version of ACS 3.2 and not having any more luck with it. What version of IAS RADIUS server are you using? Does it need to be Win2003, or will the regular Win2k IAS RADIUS work okay?