NAP- Settings required on Cisco switches- 802.1X

rramlal · ‎01-16-2014

Hi All,

We have to provide access control for users using NAP and Cisco 2960s switches.

The request is to have only domain users authenticate to the operations vlan, non domain users will be assigned to a guest network.

What would be the configs on the switch to allow this config to work? What will force the switch port to assign to the operations vlan when authenticated to the domain?

Thanks much

Amjad Abdullah · ‎01-19-2014

Hi,

I suppsoe you are using ACS 4.x version.

you need to config dot1x under the switchport. use the default VLAN as the guest VLAN.

You need to configure the ACS to allow access to domain users only (by forcing MACHINE authentication with PEAP for example).

In the NAP, you need to match the NAP selection on the NAS-IP-Address of the switch so that this NAP is only selected if this switch sends the request.

Now, inside the NAP you have to allow only PEAP-MSCHAPv2. (you already forced machine authenticaiton with PEAP from under external DB config already as per earlier step).

When auth works, from under the user/or group, send the attributes to assign a specific VLAN to the user.

Otherwise, if the user auth is not successful it will be put in the default vlan which is the guest vlan.

with ACS 5.x version, doing this is more flexible.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

rramlal · ‎01-20-2014

HI Amjad,

Thanks for the information.

I am not using the ACS. Just the NAP and cisco switches. Will this work?

I have read this port authentication for the switch with radius authentication but not sure whats the difference with the NAP.

Can you explain a scenario for NAP and switches to achieve this scenario.

Amjad Abdullah · ‎01-20-2014

Hi,

what do you mean by NAP?
I know that NAP: Network Access Profile, is part of the ACS 4.x

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"