12-30-2007 07:46 PM - edited 03-05-2019 08:13 PM
Can someone help me with this?
I have a Catalyst 2960 configured for 802.1x over Ethernet.
Cisco 2621 F1/0 has ip address of 192.168.0.1/25
RSA SecurID has ip address of 192.168.0.2/25
Win2k3 AD Server has ip address of 192.168.0.3/25
Cisco Catalyst 2960 has ip address of 192.168.0.5/25
On Cisco 2621 I have the following dhcp scope:
ip dhcp excluded-address 192.168.0.1 192.168.0.80
ip dhcp ping packets 3
ip dhcp binding cleanup interval 300
!
ip dhcp pool dhcp_pool
network 192.168.0.0 255.255.255.128
subnet prefix-length 25
dns-server 4.2.2.2 1.2.3.4 2..4.5
netbios-name-server 4.2.2.2 1.2.3.4 2..4.5
netbios-node-type h-node
default-router 192.168.0.1
domain-name lcs.com
I have the following configuration on the Catalyst 2960:
interface GigabitEthernet0/14
description WinXP Dell Laptop
switchport access vlan 2
switchport mode access
speed 100
duplex full
dot1x pae authenticator
dot1x port-control auto
dot1x guest-vlan 3
spanning-tree portfast
end
C2960#
I configured the WinXP machine with Service Pack 2 for PEAP
authentication. I have the following configured:
1- Under the "Authentication" tab of the LAN Connection Properties,
I select "Enable IEEE 802.1x authentication for this network",
2- Under "EAP type", I choose "PEAP",
3- Select "Properties", I uncheck the Valid Server Certificate,
4- Under "Select Authentication Method", I select "Secure Password
(EAP-MSCHAP v2)".
On the Steelbelt Radius Server, I have successfully integrated
both SecurID and Windows Domain Accounts with steelbelt radius
so that they can use either SecurID account or Active
Directory Accounts. I have two AD accounts, lcs1 and lcs2.
Finally, when I boot up the Windows XP machine, under the network
icon, it asks me to enter credentials. When I enter "lcs1" and
then the password, Steelbelt Radius looks at the account and
confirms that this is the correct account, and I am connected
to the network with an IP address assigned to me by the DHCP
server. The Windows XP machine now has an IP address of
192.168.0.81/25. Everything is fine at this point.
Now, when I shut down the WinXP machine and go home, the
next day, when I boot the WinXP machine back up again, I would
think that it will ask me to authenticate again, and this time
I would like to try something by using another account, "lcs2".
However, the XP machine caches my "lcs1" credential and also
the password, and it connects me back to the network
without asking me to retype the password again. The other
bizarre thing is that it neither asks me to enter my credentials
nor allows me to switch to another account.
The question I have is:
1- how can I remove the credential from the WinXP machine
after I shutdown or logoff from the machine?
2- how can I make peap work with Steelbelt radius and SecurID
integration?
Thanks in advance.
P.S. I can confirm that I have Steelbelt radius and RSA
SecurID integration working properly when I telnet to the
Catalyst 2960 with an account from the RSA SecurID and
the Radius server configured on the Catalyst 2960 point
to the Steelbelt radius server.
01-02-2008 07:03 AM
Hello,
If you uncheck the "Automatically use Windows logon" option under the PEAP configuration, after you shut down the PC or log off you have to retype your username and password. Also, you can remove cached credentials manually: http://support.microsoft.com/kb/823731
Anyway the dot1x timeout option forces the reauthentication for your client.
What I don't see in your config is the
aaa new-model
aaa authentication dot1x ...
aaa authorization network ....
dot1x guest-vlan supplicant
(probably these are there)
bye
FCS
Please rate me if I helped.
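A full 2960-side 802.1x configuration that fills in the global AAA commands FCS lists above, added here as an illustration and not taken from the poster's running config or from Cisco documentation; the RADIUS server address 192.168.0.4 and the shared secret are assumed placeholders, since the page never gives the Steel-Belted Radius server's address.

```cisco
! Global AAA and 802.1X enablement (added example, not the poster's config).
! 192.168.0.4 is an ASSUMED placeholder for the Steel-Belted Radius server;
! RADIUS-SECRET-PLACEHOLDER must be replaced with the real shared secret.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius-server host 192.168.0.4 auth-port 1812 acct-port 1813 key RADIUS-SECRET-PLACEHOLDER
!
! Optional (mentioned in the reply): still place the port in the guest VLAN
! when a supplicant is detected but no one authenticates
dot1x guest-vlan supplicant
!
interface GigabitEthernet0/14
 description WinXP Dell Laptop
 switchport access vlan 2
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x guest-vlan 3
 ! Periodic reauthentication: the supplicant must redo the EAP exchange
 ! every reauth-period seconds (3600 is the IOS default once enabled)
 dot1x reauthentication
 dot1x timeout reauth-period 3600
 spanning-tree portfast
!
! Exec-mode checks (not part of the config): confirm the port is in the
! AUTHENTICATED state and which RADIUS server answered
! show dot1x interface GigabitEthernet0/14
! show dot1x all
! show radius statistics
```

Without aaa new-model and dot1x system-auth-control the interface-level dot1x commands are accepted but never enforced, so the port forwards traffic for any host; re-enabling "Validate server certificate" on the XP supplicant is what keeps the inner MS-CHAPv2 credentials from being handed to a rogue RADIUS server.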