802.1x over Ethernet implementation assistance needed

cisco24x7
Level 6

Can someone help me with this?

I have a Catalyst 2960 configured for 802.1x over Ethernet.

Cisco 2621 F1/0 has ip address of 192.168.0.1/25

RSA SecurID has ip address of 192.168.0.2/25

Win2k3 AD Server has ip address of 192.168.0.3/25

Cisco Catalyst 2960 has ip address of 192.168.0.5/25

On Cisco 2621 I have the following dhcp scope:

ip dhcp excluded-address 192.168.0.1 192.168.0.80
ip dhcp ping packets 3
ip dhcp binding cleanup interval 300
!
ip dhcp pool dhcp_pool
 network 192.168.0.0 255.255.255.128
 subnet prefix-length 25
 dns-server 4.2.2.2 1.2.3.4 2..4.5
 netbios-name-server 4.2.2.2 1.2.3.4 2..4.5
 netbios-node-type h-node
 default-router 192.168.0.1
 domain-name lcs.com

I have the following configuration on the Catalyst 2960:

interface GigabitEthernet0/14
 description WinXP Dell Laptop
 switchport access vlan 2
 switchport mode access
 speed 100
 duplex full
 dot1x pae authenticator
 dot1x port-control auto
 dot1x guest-vlan 3
 spanning-tree portfast
end

C2960#

I configured the WinXP w/ Service Pack 2 machine for PEAP authentication. I have the following configured:

1- Under the "Authentication" tab of the LAN Connection Properties, I select "Enable IEEE 802.1x authentication for this network",
2- Under "EAP type", I choose "PEAP",
3- Select "Properties", I uncheck the Valid Server Certificate,
4- Under "Select Authentication Method", I select "Secure Password (EAP-MSCHAP v2)",

On the Steelbelt Radius Server, I have successfully integrated both SecurID and Windows Domain Accounts with Steelbelt radius so that users can use either a SecurID account or Active Directory accounts. I have two AD accounts, lcs1 and lcs2.

Finally, when I boot up the Windows XP machine, under the network icon it asks me to enter credentials. When I enter "lcs1" and then the password, Steelbelt radius looks at the account and confirms that this is the correct account, and I am connected to the network with an ip address assigned to me by the DHCP server. The Windows XP machine now has an ip address of 192.168.0.81/25. Everything is fine at this point.

Now, when I shut down the WinXP machine and go home, and the next day boot the WinXP machine back up again, I would think that it will ask me to authenticate again, and this time I would like to try something by using another account, "lcs2". However, the XP machine caches the "lcs1" credential and the password as well, and it connects me back to the network without asking me to retype the password again. The other bizarre thing is that it neither asks me to enter my credentials nor allows me to switch to another account.

The questions I have are:

1- how can I remove the credential from the WinXP machine after I shut down or log off from the machine?
2- how can I make PEAP work with Steelbelt radius and SecurID integration?

Thanks in advance.

P.S. I can confirm that I have Steelbelt radius and RSA SecurID integration working properly when I telnet to the Catalyst 2960 with an account from the RSA SecurID, and the Radius server configured on the Catalyst 2960 points to the Steelbelt radius server.

1 Reply

farkascsgy
Level 4

Hello,

If you uncheck the "Automatically use windows logon" option under the PEAP configuration, after you shut down the PC or log off you have to retype your username and password. Also, you can remove cached credentials manually: http://support.microsoft.com/kb/823731

Anyway, the dot1x timeout option forces reauthentication for your client.

What I don't see in your config is the

aaa new-model
aaa authentication dot1x ...
aaa authorization network ....
dot1x guest-vlan supplicant

(probably these are there)

bye

FCS

Please rate me if I helped.
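To make the reply's list concrete, here is an added example (not the poster's or the replier's configuration) of the global AAA/802.1X commands a Catalyst 2960 needs alongside the posted Gi0/14 port config, plus the periodic reauthentication the reply refers to. The RADIUS server address and shared secret are placeholders, since the thread never gives the Steelbelt server's IP.

```cisco
! Added example, not the original poster's config.
! RADIUS_SERVER_IP and RADIUS_SECRET are placeholders (assumed values).
!
! Turn on AAA and send 802.1X authentication and network authorization
! (VLAN assignment etc.) to the RADIUS server group.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
! The Steelbelt RADIUS server; 1812/1813 are the IANA RADIUS ports.
radius-server host RADIUS_SERVER_IP auth-port 1812 acct-port 1813 key RADIUS_SECRET
!
! Enable 802.1X on the switch globally. Without this line the per-port
! "dot1x port-control auto" has no effect and ports stay open.
dot1x system-auth-control
!
! Optional (the reply's suggestion): let a port that has already seen EAPOL
! traffic still fall back to the guest VLAN instead of staying blocked.
dot1x guest-vlan supplicant
!
interface GigabitEthernet0/14
 description WinXP Dell Laptop
 switchport access vlan 2
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x guest-vlan 3
 ! Re-run the EAP exchange every hour so the session is re-validated by
 ! RADIUS rather than staying authorized until the link drops.
 dot1x reauthentication
 dot1x timeout reauth-period 3600
 spanning-tree portfast
```

Note on the PEAP/SecurID question: EAP-MSCHAP v2 is validated against the user's static password hash, so a one-time SecurID passcode cannot be checked through it; a SecurID user needs a PEAP inner method that carries the passcode itself, such as EAP-GTC, while the AD accounts can keep using EAP-MSCHAP v2.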
