Cisco Support Community

New Member

802.1x & windows Authentication

Hi there, has anybody implemented 802.1x port authentication with ACS & Windows AD? Which authentication is supported in this kind of setup: MS-CHAP, MD5 or PEAP (on the clients)?

And what are the challenges if Windows user account passwords are changed frequently?

Can anybody explain the advantages & disadvantages of 802.1x before I deploy it in the network?


Re: 802.1x & windows Authentication

Works great, depending on what you're after. If certificates are not in the picture, stick with PEAP/MSChapV2. If you do machine authentication over PEAP, instead of user auth, then you can avoid some issues:

- The machine needs to be on the network for domain authentication to take place (domain logon scripts, drive mappings, etc.)

- PEAP machine auth against AD helps ensure that only YOUR computers are connecting to the network

- The user doesn't have to worry about logon credentials

This doesn't work well for Macs or Linux boxes, though.

New Member

Re: 802.1x & windows Authentication

Thanks for your reply. How can I do the machine authentication? And also I want to know: if I use mac-auth-bypass along with guest VLAN, is there any problem with it?

Re: 802.1x & windows Authentication

There's a decent guide in the ACS 4.2 documentation on enabling machine access (chapter 12). Basically, you just enable it on the client and the ACS server, and POOF! On the client side, you should have an "Authenticate as computer..." option on your wireless networks tab. Wired is the same, unless you are running XP SP3, Vista, or Windows 7, where machine auth is enabled when you enable user auth.

MAB with Guest VLAN *should* work, but I have not configured/tested it. Just be aware that MAB on the ACS side is just another form of auth where the user id and password are the MAC address of the client. For this reason, I recommend you put the MAC "users" in your ACS database, not in AD. Otherwise, you'll probably need to create an AD password group policy object for the user group holding your "mac address user accounts" so that they can have a password that matches their user name.
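A constructed Cisco IOS switch-port configuration, added here as an illustration and not taken from any post in the thread, showing the setup the replies describe: 802.1X tried first, MAB as the fallback for devices without a supplicant, and a guest VLAN only when nothing answers EAPOL at all. The RADIUS server address, shared key, interface and VLAN numbers are placeholders.

```cisco
! --- Global: point 802.1X/MAB at the ACS RADIUS server (placeholder values) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key PLACEHOLDER_SHARED_SECRET

! --- Access port: 802.1X first, MAB second, guest VLAN last ---
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 ! Enforce authentication before traffic is forwarded
 authentication port-control auto
 ! Try 802.1X (EAPOL) before falling back to MAB
 authentication order dot1x mab
 authentication priority dot1x mab
 ! No supplicant answered at all -> guest VLAN (e.g. printers, visitors)
 authentication event no-response action authorize vlan 900
 ! A supplicant answered but credentials were rejected -> separate
 ! auth-fail VLAN, NOT the guest VLAN, so a bad password cannot be
 ! used to land in the guest network on purpose
 authentication event fail action authorize vlan 901
 ! One MAC per port; a second MAC raises a violation instead of piggybacking
 authentication host-mode single-host
 authentication violation restrict
 mab
 dot1x pae authenticator
 ! Fallback to MAB/guest happens after tx-period * (max-reauth-req + 1) seconds;
 ! 10 * (2 + 1) = 30 s here, so hosts without a supplicant are not stuck for minutes
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
```

For MAB to succeed, the reply above still applies: each allowed MAC must exist in ACS as a user whose username and password are both the MAC address, and a MAB "user" is only as strong as the MAC it matches, so keep those entries out of AD and review them like any other credential.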