definitive answer on 802.1x

After reading most of the docs and related postings, I have concluded that in order to do 802.1x with a single logon (the user is put into the correct VLAN and then logged onto the domain), so that it is as seamless to the user as possible, I need to use PEAP, which requires a CA, and ACS 3.2 so that it understands MS-CHAP.

My clients are W2K. I would rather not use certificates if possible (i.e. use MD5), but don't mind if they are required for single login.

Also, I noticed in the ACS 3.2 docs that the machine could log in independently of the user, so multiple users could use the same machine. This isn't what I need: I have multiple people using the same machine, and I want it so that whenever a new user logs in, he is re-authenticated and placed in the correct VLAN.

Is this possible?

Yes, this is possible. Even if you are using EAP-MD5, it will assign different VLANs based on the different user IDs you log in with, even from the same machine.
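The per-user VLAN assignment described in this answer is carried from the RADIUS server to the switch in the Access-Accept as three IETF tunnel attributes (Tunnel-Type 64, Tunnel-Medium-Type 65 and Tunnel-Private-Group-ID 81, per RFC 2868). The following is an added example, not code from this thread or from ACS, that encodes those attributes for a constructed user-to-VLAN table and decodes them the way a switch would; the user names and VLAN numbers are assumed sample data.

```python
# Added example (not from the thread): encode and decode the RADIUS tunnel
# attributes used for dynamic VLAN assignment, keyed by authenticated user name.
import struct

TUNNEL_TYPE = 64              # IETF attribute 64, Tunnel-Type
TUNNEL_MEDIUM_TYPE = 65       # IETF attribute 65, Tunnel-Medium-Type
TUNNEL_PRIVATE_GROUP_ID = 81  # IETF attribute 81, Tunnel-Private-Group-ID
TUNNEL_TYPE_VLAN = 13         # Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6    # Tunnel-Medium-Type value meaning "IEEE 802"

# Constructed sample policy: which VLAN each user ID lands in (assumed data).
USER_VLANS = {"alice": 10, "bob": 20}


def _avp(attr_type, value):
    """Encode one RADIUS attribute-value pair: type (1 byte), length (1 byte), value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def vlan_attributes(username, tag=0):
    """Return the AVPs to put in an Access-Accept for this user, or None if unknown."""
    vlan = USER_VLANS.get(username)
    if vlan is None:
        return None
    # Tunnel attributes carry an optional tag in the first byte of the value.
    return (
        _avp(TUNNEL_TYPE, struct.pack("!I", (tag << 24) | TUNNEL_TYPE_VLAN))
        + _avp(TUNNEL_MEDIUM_TYPE, struct.pack("!I", (tag << 24) | TUNNEL_MEDIUM_IEEE_802))
        + _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode())
    )


def parse_attributes(blob):
    """Decode a run of AVPs into {type: value}, the way a switch reads the Access-Accept."""
    out = {}
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute length")
        out[attr_type] = blob[i + 2 : i + length]
        i += length
    return out


def assigned_vlan(blob):
    """Return the VLAN id/name a switch would apply, or None if the attribute set is incomplete."""
    if not blob:
        return None
    attrs = parse_attributes(blob)
    needed = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
    if any(a not in attrs for a in needed):
        return None
    # Low three bytes hold the value; the top byte is the tag.
    if struct.unpack("!I", attrs[TUNNEL_TYPE])[0] & 0x00FFFFFF != TUNNEL_TYPE_VLAN:
        return None
    if struct.unpack("!I", attrs[TUNNEL_MEDIUM_TYPE])[0] & 0x00FFFFFF != TUNNEL_MEDIUM_IEEE_802:
        return None
    group = attrs[TUNNEL_PRIVATE_GROUP_ID]
    # RFC 2868: a leading byte <= 0x1F is a tag, otherwise it is part of the string.
    if group and group[0] <= 0x1F:
        group = group[1:]
    return group.decode("ascii")


if __name__ == "__main__":
    for user in ("alice", "bob", "mallory"):
        accept = vlan_attributes(user)
        print(user, "->", assigned_vlan(accept) if accept else "Access-Reject")
```

The point of the decode side is that all three attributes must be present and consistent before a switch moves the port; a RADIUS server that omits one of them leaves the port in its configured default VLAN, which is the usual cause of "authentication succeeded but the user ended up in the wrong VLAN".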



I have to disagree a little. With MD5 it required a second logon and wouldn't authenticate against the NT database; ACS returned the error "authentication type not supported by external database".

Single logon works with PEAP, also with multiple users on the same machine; however, you have to reboot when a user logs off and a new user logs on. The Microsoft PEAP client doesn't seem to be sending EAPOL-Logoff to the switch, according to the switch debugs.

Any thoughts?
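The symptom in this reply (a second user's session starting with no EAPOL-Logoff from the previous one) can be checked from a packet capture on the supplicant's port as well as from switch debugs. The following is an added example, not code from this thread or from any vendor, that classifies EAPOL frames (EtherType 0x888E; header of version, packet type, body length) and counts EAPOL-Start frames that follow an earlier Start with no Logoff in between; the MAC addresses and frames are constructed sample input.

```python
# Added example (not from the thread): classify EAPOL frames from a capture and
# flag supplicant sessions that re-start without ever sending EAPOL-Logoff.
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X PAE group address
EAPOL_TYPES = {
    0: "EAP-Packet",
    1: "EAPOL-Start",
    2: "EAPOL-Logoff",
    3: "EAPOL-Key",
    4: "EAPOL-Encapsulated-ASF-Alert",
}


def eapol_frame(src_mac, packet_type, body=b""):
    """Build an Ethernet frame carrying one EAPOL PDU (constructed sample input)."""
    header = struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, packet_type, len(body))
    return PAE_GROUP_ADDR + src_mac + header + body


def classify(frame):
    """Return (src_mac, type name) for an EAPOL frame, or None if not EAPOL or malformed."""
    if len(frame) < 18:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        return None
    _version, ptype, length = struct.unpack("!BBH", frame[14:18])
    if 18 + length > len(frame):  # body length claims more bytes than are present
        return None
    return frame[6:12], EAPOL_TYPES.get(ptype, f"unknown({ptype})")


def starts_without_logoff(frames, src_mac):
    """Count EAPOL-Start frames from src_mac that follow a prior Start with no Logoff between."""
    started = False
    missing = 0
    for frame in frames:
        info = classify(frame)
        if info is None or info[0] != src_mac:
            continue
        kind = info[1]
        if kind == "EAPOL-Start":
            if started:
                missing += 1
            started = True
        elif kind == "EAPOL-Logoff":
            started = False
    return missing


# Constructed capture: one workstation, two user sessions, no Logoff in between.
PC_MAC = bytes.fromhex("00112233aabb")
EAP_IDENTITY_REQ = b"\x01\x01\x00\x05\x01"  # minimal EAP Request/Identity body
CAPTURE_NO_LOGOFF = [
    eapol_frame(PC_MAC, 1),
    eapol_frame(PC_MAC, 0, EAP_IDENTITY_REQ),
    eapol_frame(PC_MAC, 1),  # second user logs on, previous session never logged off
    eapol_frame(PC_MAC, 0, EAP_IDENTITY_REQ),
]
CAPTURE_WITH_LOGOFF = [
    eapol_frame(PC_MAC, 1),
    eapol_frame(PC_MAC, 0, EAP_IDENTITY_REQ),
    eapol_frame(PC_MAC, 2),  # Logoff sent before the next user starts
    eapol_frame(PC_MAC, 1),
]
# A non-EAPOL frame (IPv4 EtherType) that the classifier must ignore.
OTHER_FRAME = PAE_GROUP_ADDR + PC_MAC + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19

if __name__ == "__main__":
    print("sessions restarted without Logoff:",
          starts_without_logoff(CAPTURE_NO_LOGOFF + [OTHER_FRAME], PC_MAC))
    print("with Logoff present:", starts_without_logoff(CAPTURE_WITH_LOGOFF, PC_MAC))
```

A non-zero count is the supplicant-side view of what the switch debugs showed: the port stays authorized for the first user's identity until the switch's re-authentication timer fires or the link drops, which is why a reboot (link down) clears it.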

