I have the 802.1x authentication using Cisco ACS using XP/2000 clients scenario. What I read in Cisco docs says that with Cisco Secure ACS 3.1, it cannot be integrated with Active directory for EAP-MD5. Since Microsoft has their own CHAP thing. This may be supported in the next version.
I haven't tried this with MS IAS in the radius front. I think youhave done this. Please answer me the following queries.
1) Can i get authenticated for 802.1x client in windows 2000 /Xp before i getting windows login window or with the windows login window.
2) With Cisco ACS I have to login to my cache first. When i login into my cache windows profile since my port is not open my login script wont work , any other way to get this thing done
3) Will i get all my domain security policy once i am logged in withn cache profile
4) After getting autheciation by 802.1x client will i get IP address form my DHCP server.
5) what difference it makes when I change radius authentication to MS IAS.
I will address your questions with the best of my ability as I haven't personally triesd this out.
1) AFAIK, this is not possible. Its the Microsoft 2000/XP client so I guess consulting with Microsoft may guide to the right direction. I think it can be an enhancement request to Microsoft but, please consult with their support first.
2) No, again, if Microsoft XP/2000 has capability to integrate the 802.1x client authentication with the machine login transparently, then only its possible. Again, consulting with Microsoft will guide to the right direction.
3) Yes, you should
5) Will not make any difference, as that piece comes later.
Regarding chap and ms-chap issue with NT/2K domain, one thing for sure is with microsoft domain controller, its not possible at all to use anything other than MS-CHAP. ACS cannot control that behavior. Now, its the client responsibility to decide to use CHAP or MS-CHAP, so I think it makes sense to have this option on XP. Again, talking to Microsoft will lead to the right direction. Could be an enhancement request for Microsoft. So, please consult with Microsoft support. Thanks,
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :