CDA Radius Accounting

Oliver Laue
Level 4

Hi all,

I have a question about the Context Directory Agent.

We are using Windows 2008 R2 NAP for 802.1x authentication on switch ports.

Would it be possible to use the RADIUS accounting for the CDA to assign the user-IP mapping?

Or is the RADIUS authorisation already a user-IP mapping?

My thought is that if a non-AD-joined client authenticates to the network, it would automatically receive the correct user identity authorisation for the network and all VPNs, without using something like CTP.

Sent from Cisco Technical Support iPad App
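To make concrete what "using RADIUS accounting for the user-IP mapping" involves, here is an added illustration that is not part of the original post and not CDA's own logic: it folds a stream of accounting records (Start / Interim-Update / Stop) into a user-to-IP table. The records are constructed for the example and written as simplified attribute=value lines; real accounting arrives as RADIUS packets, but the attributes (Acct-Status-Type, User-Name, Acct-Session-Id, Framed-IP-Address) are the standard ones. The example also shows the two cases a defender relying on such a mapping must handle: an 802.1x Start record that carries no Framed-IP-Address because the switch only learns the IP after authorisation (the address arrives in a later Interim-Update), and an address being reassigned to a different user while a stale session still claims it.

```python
"""Derive a user-to-IP mapping from RADIUS accounting records.

Added example for illustration only. The record format and all values below
are constructed; they are not CDA output and not a real RADIUS detail log.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: one accounting packet per line, attribute=value pairs.
# alice's Start has no Framed-IP-Address (typical for wired 802.1x: the IP is
# learned by device tracking after authorisation and reported in an interim
# update). carol later receives the address bob still holds.
SAMPLE_ACCOUNTING = """\
Acct-Status-Type=Start User-Name=alice Acct-Session-Id=1001 Calling-Station-Id=00-11-22-33-44-55 NAS-Port-Id=Gi1/0/1
Acct-Status-Type=Interim-Update User-Name=alice Acct-Session-Id=1001 Framed-IP-Address=10.1.20.15
Acct-Status-Type=Start User-Name=bob Acct-Session-Id=1002 Framed-IP-Address=10.1.20.16
Acct-Status-Type=Stop User-Name=alice Acct-Session-Id=1001 Framed-IP-Address=10.1.20.15
Acct-Status-Type=Start User-Name=carol Acct-Session-Id=1003 Framed-IP-Address=10.1.20.16
"""

FIELD_RE = re.compile(r"([\w-]+)=(\S+)")


def parse_record(line: str) -> Dict[str, str]:
    """Split one attribute=value line into a dict (constructed format)."""
    return dict(FIELD_RE.findall(line))


class UserIpMap:
    """Session-aware user-to-IP table driven by accounting events."""

    def __init__(self) -> None:
        # Acct-Session-Id -> (user, ip or None while the IP is still unknown)
        self.sessions: Dict[str, Tuple[str, Optional[str]]] = {}
        self.ip_to_user: Dict[str, str] = {}
        self.events: List[str] = []  # audit trail of anomalies seen

    def _bind(self, sid: str, user: str, ip: str) -> None:
        old = self.ip_to_user.get(ip)
        if old and old != user:
            # The address moved to another user; clear the stale session's IP
            # so a lookup can never hand the old identity to the new host.
            self.events.append(f"conflict: {ip} moved from {old} to {user}")
            for other_sid, (ouser, oip) in list(self.sessions.items()):
                if oip == ip and other_sid != sid:
                    self.sessions[other_sid] = (ouser, None)
        self.ip_to_user[ip] = user
        self.sessions[sid] = (user, ip)

    def apply(self, rec: Dict[str, str]) -> None:
        status = rec.get("Acct-Status-Type")
        user = rec.get("User-Name")
        sid = rec.get("Acct-Session-Id")
        ip = rec.get("Framed-IP-Address")
        if not (status and user and sid):
            self.events.append("ignored: incomplete record")
            return
        if status in ("Start", "Interim-Update"):
            if ip:
                self._bind(sid, user, ip)
            else:
                # Authenticated but no address yet: remember the session so the
                # later Interim-Update can complete the mapping.
                self.sessions.setdefault(sid, (user, None))
                self.events.append(f"pending: {user} session {sid} has no IP yet")
        elif status == "Stop":
            _, bound_ip = self.sessions.pop(sid, (user, ip))
            if bound_ip and self.ip_to_user.get(bound_ip) == user:
                del self.ip_to_user[bound_ip]
        else:
            self.events.append(f"ignored: {status}")

    def user_for(self, ip: str) -> Optional[str]:
        return self.ip_to_user.get(ip)

    def pending_users(self) -> List[str]:
        """Users with a live session but no usable IP binding."""
        return sorted(u for u, ip in self.sessions.values() if ip is None)


def build_map(text: str) -> UserIpMap:
    table = UserIpMap()
    for line in text.splitlines():
        if line.strip():
            table.apply(parse_record(line))
    return table


if __name__ == "__main__":
    t = build_map(SAMPLE_ACCOUNTING)
    print("bindings:", t.ip_to_user)
    print("pending:", t.pending_users())
    for e in t.events:
        print("event:", e)
```

The practical point for the question above: a mapping fed only by accounting is only as good as the NAS reporting Framed-IP-Address promptly and sending Stop on link-down; until then the pending and conflict events are what an identity firewall would have to treat as "unknown user" rather than trusting the last binding.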

5 Replies

Erick Delgado
Level 1

Hello,

If you are doing 802.1x authentication and the computer doesn't have a supplicant, the switch is the one that takes the decision to either leave it unauthenticated or use the guest VLAN; everything depends on what you have configured.

If you want to provide different VLANs to different groups of users, that is dynamic VLAN assignment. Please let me know if this is what you want so I can share the configuration.

Regards,

Hi,

I'll try to explain what I want to do.

We have a separate company network where customer VPNs are terminated. This network is secured with 802.1x authentication.

We are now planning to rebuild this network and grant more people access to it and the customer VPNs.

The dot1x implementation is currently working with Windows RADIUS and dynamic VLAN assignment based on Active Directory group membership.

What I want to do is:

Use the user identity feature of the ASA to permit or deny access to VPNs or internal infrastructure based on Active Directory groups.

And now my question:

If a user is successfully authenticated to the network with 802.1x, will the CDA get notice of it and do the user-IP mapping?

Or is there a possibility to combine 802.1x implementations with the CDA to get the user identity working based on network authentication?

As I mentioned in my first post, the clients are not Active Directory members, so there is no Kerberos authentication from them with the AD.

And I do not want the users to have to authenticate twice to get access to the VPN or internal infrastructure.

Sent from Cisco Technical Support iPad App

Oliver,

I wanted to confirm the following; let's say company A uses dot1x and company B uses VPN:

Company A -

  • is currently using dot1x against Windows RADIUS with dynamic VLAN assignment based on domain groups
  • company B is not a member of Company A's domain
    • Does company B currently use a RADIUS server? If so, does the Windows server have a RADIUS proxy capability? You can always proxy RADIUS requests from one site to another; Cisco ACS and ISE have these features, but I am not sure if Windows RADIUS does.

If you are trying to get the user-to-IP mappings from Company A's dot1x authentications, there is only one way to confirm:

Log in to the machine that has the CDA installed and run the following command through the CLI:

cd C:\IBF\CLI

adacfg cache list

That should return the results of the user-to-IP mapping.

As I mentioned in my first post, the clients are not Active Directory members, so there is no Kerberos authentication from them with the AD. If you are using Windows RADIUS then your users will have to be members of the domain.

And I do not want the users to have to authenticate twice to get access to the VPN or internal infrastructure.

You do not have to authenticate twice if you are coming from outside the network in: once you authorize the VPN connection, you take a different entry into the network, which is the VPN. Dot1x is used to authenticate clients and endpoints behind switch ports or wireless APs. However, you will have to authenticate twice if your users are inside a dot1x-enabled network and trying to establish a VPN connection to another site with different credentials.

As far as the CDA is concerned, it is primarily used for IDFW and transparent user identification for the WSA; I haven't seen any references recently for any VPN authentication. If you are looking for a design to merge these two authentication pieces together, you can use Cisco ACS or Cisco ISE: you can stand one up at each site and enable RADIUS proxy so that the authentications are seamless.

Let me know if that helps,

Tarik Admani


I'll take your example.

Company A (my company)

Company B (customer site)

Company A

     - dot1x with dynamic VLAN assignment on Windows RADIUS

     - for the moment it is possible for everyone who has access to the network to access every customer network over VPN

     - restrict VPN access to limited users based on AD group membership

Company B

     - limitations are set on Company A (ruleset, NAT)

     - no use of RADIUS

Windows RADIUS is capable of the RADIUS proxy setting.

As I mentioned in my first post, the clients are not Active Directory members, so there is no Kerberos authentication from them with the AD. If you are using Windows RADIUS then your users will have to be members of the domain.

The users are members of the AD, but not the client computers.

And I do not want the users to have to authenticate twice to get access to the VPN or internal infrastructure.

You do not have to authenticate twice if you are coming from outside the network in: once you authorize the VPN connection, you take a different entry into the network, which is the VPN. Dot1x is used to authenticate clients and endpoints behind switch ports or wireless APs. However, you will have to authenticate twice if your users are inside a dot1x-enabled network and trying to establish a VPN connection to another site with different credentials.

The whole traffic I'm talking about is from the inside.

Oliver,

The dot1x authentication is seamless for the internal users and is done automatically by the supplicant. The supplicant runs as a service and in the most common scenario uses PEAP as the authentication protocol.

Your best bet is to consider ISE: you can redirect clients to a centralized web portal if they do not exist on the domain, they can self-register, or you can create guest accounts for them and have them expire within a set amount of time. You can also use the internal database and group the clients in order to build specific dot1x/VPN profiles.

Keep in mind the Cisco switch ports can authorize ports whether the user is a guest or not a member of the domain; you can assign a guest VLAN for these scenarios.

Sent from Cisco Technical Support iPad App
