Cisco Support Community
New Member

Starting with 802.1X in a running environment

I'm looking for a solution for starting with 802.1X for the wired and wireless network in a live environment. During the migration I have to turn on port-based authentication, but at that moment the machine must already have a valid user/computer certificate; otherwise there will be no connection to the network. Do I have to make sure that all computers have the certificates before turning on port-based authentication? Is there another method?

Regards

Remco

  • AAA Identity and NAC
12 REPLIES
New Member

Re: Starting with 802.1X in a running environment

Use PEAP with the self-generated certificate option on the ACS server side; then no client certificate is required and you can deploy dot1x authentication. I hope the attached document will help you implement 802.1X.

Kindly rate the useful posts

Regards,

Ahmed

New Member

Re: Starting with 802.1X in a running environment

Yes you are right. But I want to use EAP-TLS with user and computer certificates...

Cisco Employee

Re: Starting with 802.1X in a running environment

Then you need client certificates. I would not recommend self-signed certs.

New Member

Re: Starting with 802.1X in a running environment

I know I need client certificates. But all the certificates need to be installed before 802.1X can be implemented on the switch. If there is no certificate, the client cannot get access to the network and auto-enrollment of certificates will not work.

New Member

Re: Starting with 802.1X in a running environment

In that case I suggest you use a Microsoft CA server, and let the user download the user certificate during the 802.1X authentication process.

I assume EAPOL will help retrieve the user or computer certificate from the CA server during the authentication process.

HTH

Ahmed

New Member

Re: Starting with 802.1X in a running environment

During 802.1X authentication there is no connection to the rest of the network, so certificates cannot be obtained.

Cisco Employee

Re: Starting with 802.1X in a running environment

If you run machine-auth, this enables the network connection. If you then run user-auth, you can automatically download a cert for the user, since network access has already been obtained from the machine credentials. So in other words, as long as you at least have a cert on the box for the machine, the user doesn't necessarily need a cert pre-loaded and auto-enrollment of certs can still work.

HTH,

New Member

Re: Starting with 802.1X in a running environment

At first you use machine authentication with the computer certificate. This cert can be obtained after an initial reboot. OK, then there is a network connection based on computer authentication. At that moment the user logs in, and there will be a re-authentication with the user certificate (which is not available on the PC). I think this is going wrong.

Cisco Employee

Re: Starting with 802.1X in a running environment

That's all correct. ;-) Essentially what happens is the following:

1) network access granted via machine-auth.

2) EAPOL-Start from PC to switch.

3) EAPOL-Identity-Request from switch to PC.

At this point, the PC sits there since it has no cert to offer. But remember, network access has been granted from step 1 above, and the network connection is still open until at least this "new" authentication attempt fails or times out. So you have at least until it times out for auto-enrollment of a cert to work.

Would hope this is a corner case anyway, and that most of your users already have certs, but it's an option for you maybe ...

HTH,
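As an added illustration of how to turn on 802.1X on a live switch without the lock-out the thread worries about, here is a phased Cisco IOS access-port configuration (monitor mode, then low-impact mode, then closed mode). This is an example written for this page, not part of the original thread and not Cisco documentation; the interface name, VLAN, the RADIUS/ACS address 192.0.2.10, the shared secret and the CA address 192.0.2.20 are placeholders to be replaced.

```cisco
! Global AAA and dot1x setup (RADIUS address and secret are placeholders)
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key ChangeMe-SharedSecret
dot1x system-auth-control
!
! Pre-authentication ACL for the low-impact phase: just enough for a client
! without a certificate to boot, resolve names and reach the CA (placeholder
! address) for auto-enrollment, and nothing else
ip access-list extended PRE-AUTH
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit ip any host 192.0.2.20
 deny ip any any
!
! Phase 1 - monitor mode. 802.1X runs and every result is logged on the ACS,
! but "authentication open" means a failed or missing authentication never
! cuts the client off. Use this while certificates are still being rolled out
! and to find the machines that would have been locked out.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication open
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 mab
 spanning-tree portfast
!
! Phase 2 - low-impact mode. Same port, plus the pre-auth ACL: a machine with
! no certificate yet can still reach DHCP, DNS and the CA (so auto-enrollment
! works) but nothing else. A successful authentication replaces the ACL with
! whatever the RADIUS server returns (downloadable ACL / VLAN).
interface GigabitEthernet1/0/1
 ip access-group PRE-AUTH in
!
! Phase 3 - closed mode. Once the ACS logs show every machine authenticating
! with a certificate, remove "authentication open"; from now on a client
! without a valid certificate gets no access at all.
interface GigabitEthernet1/0/1
 no authentication open
```

The pre-auth ACL in phase 2 is what makes the user-certificate case from the last reply safe: even if the re-authentication after user logon eventually fails, the port falls back to the ACL rather than to no connectivity. In closed mode that window is bounded by how long the switch keeps retransmitting the Identity-Request before treating the supplicant as failed (`dot1x timeout tx-period` times the retry count set by `dot1x max-reauth-req`), so tune those timers before removing `authentication open`.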
