12-14-2009 09:28 PM - edited 03-06-2019 08:57 AM
we want to deploy dot1x in our LAN
I want to know if it is possible to let the dot1x client automatically use the Windows username/password and send them to the switch without prompting the user to enter them manually?
if yes, how ? any good document ?
Note: ACS will be integrated with the Windows domain. All users are joined to the domain.
12-18-2009 11:33 AM
If using Windows built-in Supplicant, you could try:
To enable single sign-on, check the option for Automatically use my Windows logon name and password (and domain if any). Click OK to accept this setting, and then click OK again to return to the network properties window.
ACS should be installed on a Member Server of the Domain in order to query AD:
This doc is for a wireless client and using ACS 3.X, but it is all the same concept:
The Unknown User Policy enables ACS to use a variety of external databases to attempt authentication of unknown users. This feature provides the foundation for a basic single sign-on capability through ACS. Because external user databases handle the incoming authentication requests, you do not have to maintain the credentials of users within ACS, such as passwords. This eliminates the necessity of entering every user multiple times and prevents data-entry errors inherent to manual procedures.
HTH
12-20-2009 01:36 AM
thank you for your help.
Now I can dot1q authenticate users using Windows credentials and dynamically assign ports to their VLAN.
12-21-2009 06:40 AM
The RADIUS server must return these attributes to the switch:
–[64] Tunnel-Type = VLAN
–[65] Tunnel-Medium-Type = 802
–[81] Tunnel-Private-Group-ID = VLAN name or VLAN ID
Attribute [64] must contain the value VLAN (type 13). Attribute [65] must contain the value 802 (type 6). Attribute [81] specifies the VLAN name or VLAN ID assigned to the 802.1x-authenticated user.
Note: For attributes to show up in the Group and User sections, they first have to be configured as required in the Interface Configuration section.
This talks about how to assign a VLAN to a user:
You can also do group mapping to associate the Active Directory Users to ACS Groups, then assign the proper VLAN profile to the ACS Groups:
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00808c9bd1.shtml#c4
HTH
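An added example, not code from this thread or from Cisco: the three RADIUS attributes listed above are RFC 2868 "tagged" attributes, and a common reason a switch ignores a VLAN assignment is that one attribute is missing, carries the wrong value (Tunnel-Type must be 13 = VLAN, Tunnel-Medium-Type must be 6 = 802), or has a different tag octet from the other two. The Python below encodes the attribute set as ACS would send it in an Access-Accept and then checks an attribute blob the way a switch does, so you can validate a capture or a server profile offline. VLAN names and the tag values used are constructed sample inputs.

```python
"""Encode and validate RFC 2868 tunnel attributes used for dynamic VLAN
assignment in a RADIUS Access-Accept (added example code, not Cisco's)."""
import struct

TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13     # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_802 = 6     # Tunnel-Medium-Type value "802"
TAG_MAX = 0x1F            # RFC 2868: valid tag octets are 0x01..0x1F; 0x00 = untagged


def encode_tagged_int(attr_type, value, tag=0):
    """Tagged integer AVP: type, length (always 6), tag octet, 3-byte value."""
    return struct.pack(">BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type, text, tag=0):
    """Tagged string AVP: type, length, tag octet, UTF-8 text."""
    data = text.encode("utf-8")
    if len(data) + 3 > 255:
        raise ValueError("attribute too long for a RADIUS AVP")
    return struct.pack(">BBB", attr_type, len(data) + 3, tag) + data


def vlan_assignment_avps(vlan, tag=1):
    """The three AVPs the switch expects; vlan may be a name or numeric ID."""
    return (encode_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802, tag)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan), tag))


def parse_avps(blob):
    """Split a RADIUS attribute blob into (type, value_bytes) pairs."""
    avps, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated AVP header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad AVP length")
        avps.append((attr_type, blob[i + 2:i + length]))
        i += length
    return avps


def _split_tag(value, is_string):
    """Return (tag, payload) following RFC 2868 tagging rules."""
    if not value:
        raise ValueError("empty tagged attribute")
    first = value[0]
    if is_string and first > TAG_MAX:
        return 0, value          # no tag octet: the whole value is the string
    tag = first if first <= TAG_MAX else 0
    return tag, value[1:]


def vlan_from_access_accept(blob):
    """Return the VLAN name/ID a switch would apply, or None when the set is
    incomplete, inconsistent, or the tags do not match across attributes."""
    by_tag = {}
    for attr_type, value in parse_avps(blob):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, payload = _split_tag(value, is_string=False)
            if len(payload) != 3:
                return None
            by_tag.setdefault(tag, {})[attr_type] = int.from_bytes(payload, "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            tag, payload = _split_tag(value, is_string=True)
            by_tag.setdefault(tag, {})[attr_type] = payload.decode("utf-8", "replace")
    # A usable assignment needs all three attributes under the same tag.
    for _tag, attrs in sorted(by_tag.items()):
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            return attrs[TUNNEL_PRIVATE_GROUP_ID]
    return None


if __name__ == "__main__":
    good = vlan_assignment_avps("SALES")            # constructed sample
    print("assigned VLAN:", vlan_from_access_accept(good))
    broken = encode_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, 1) \
        + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, "SALES", 1)
    print("missing Tunnel-Medium-Type:", vlan_from_access_accept(broken))
```

Feed `vlan_from_access_accept` the attribute section of a captured Access-Accept (everything after the 20-byte RADIUS header) to confirm the server is sending what the switch needs; a result of None points at the attribute set rather than at the switch or supplicant configuration.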
12-21-2009 08:19 PM
this is exactly what i did.
thanks