Cisco Support Community
Silver

dot1x and sso

We want to deploy dot1x in our LAN.

I want to know if it is possible to let the dot1x client automatically use the Windows username/password and send them to the switch without prompting the user to enter them manually?

If yes, how? Any good document?

Note: ACS will be integrated with the Windows domain. All users are joined to the domain.

1 ACCEPTED SOLUTION
Bronze

Re: dot1x and sso

If using Windows built-in Supplicant, you could try:

To enable single sign-on, check the option for Automatically use my Windows logon name and password (and domain if any). Click OK to accept this setting, and then click OK again to return to the network properties window.

https://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0e4.shtml#wc-2

ACS should be installed on a Member Server of the Domain in order to query AD:

https://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0e4.shtml#acs-6

This doc is for a wireless client and using ACS 3.X, but it is all the same concept:

The Unknown User Policy enables ACS to use a variety of external databases to attempt authentication of unknown users. This feature provides the foundation for a basic single sign-on capability through ACS. Because external user databases handle the incoming authentication requests, you do not have to maintain the credentials of users within ACS, such as passwords. This eliminates the necessity of entering every user multiple times and prevents data-entry errors inherent to manual procedures.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2.1/User_Guide/UnknUsr.html#wp277232

HTH

4 REPLIES
Silver

Re: dot1x and sso

Thank you for your help.

Now I can dot1q authenticate users using Windows credentials and dynamically assign ports to their VLAN.

Bronze

Re: dot1x and sso

The RADIUS server must return these attributes to the switch:

[64] Tunnel-Type = VLAN

[65] Tunnel-Medium-Type = 802

[81] Tunnel-Private-Group-ID = VLAN name or VLAN ID

Attribute [64] must contain the value VLAN (type 13). Attribute [65] must contain the value 802 (type 6). Attribute [81] specifies the VLAN name or VLAN ID assigned to the 802.1x-authenticated user.

Note: For attributes to show up in the Group and User sections, they first have to be configured as required in the Interface Configuration section.

This talks about how to assign a VLAN to a user:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_50_se/configuration/guide/sw8021x.html#wp1289244

You can also do group mapping to associate the Active Directory Users to ACS Groups, then assign the proper VLAN profile to the ACS Groups:

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00808c9bd1.shtml#c4

HTH
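
A worked check of the three tunnel attributes listed above, added here as an example and not code from the original thread or from Cisco: it encodes the Access-Accept attributes for one VLAN and parses a received attribute set the way a switch has to before applying a VLAN, returning nothing when Tunnel-Type or Tunnel-Medium-Type is absent or carries the wrong value (a common reason an otherwise successful 802.1X login ends up in the port's static VLAN). Attribute layout follows RFC 2868; treating a leading byte above 0x1F in attribute 81 as part of the string rather than a tag is the RFC rule and is assumed to match the switch's behaviour.

```python
import struct

# RADIUS tunnel attributes the switch expects in the Access-Accept (RFC 2868).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13    # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_802 = 6    # Tunnel-Medium-Type value "802"


def encode_vlan_attrs(vlan, tag=0):
    """Build attributes 64, 65 and 81 as RADIUS TLVs for one VLAN name or ID."""
    # Tagged integer attributes: one tag byte followed by a 3-byte big-endian value.
    t_type = struct.pack(">I", TUNNEL_TYPE_VLAN)[1:]
    t_medium = struct.pack(">I", TUNNEL_MEDIUM_802)[1:]
    group = str(vlan).encode()
    attrs = [(TUNNEL_TYPE, bytes([tag]) + t_type),
             (TUNNEL_MEDIUM_TYPE, bytes([tag]) + t_medium),
             (TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + group)]
    # Each TLV is: type (1 byte), total length (1 byte), value.
    return b"".join(bytes([a, 2 + len(v)]) + v for a, v in attrs)


def parse_attrs(data):
    """Split a RADIUS attribute stream into (type, value) pairs; reject bad lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((attr_type, data[i + 2:i + length]))
        i += length
    return out


def assigned_vlan(data):
    """Return the VLAN name/ID a switch would apply, or None if 64/65/81 are missing or wrong."""
    found = {}
    for attr_type, value in parse_attrs(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                return None
            found[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # Assumption per RFC 2868: a first byte <= 0x1F is a tag, otherwise it is string data.
            text = value[1:] if value and value[0] <= 0x1F else value
            found[attr_type] = text.decode(errors="replace")
    if found.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN:
        return None
    if found.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_802:
        return None
    return found.get(TUNNEL_PRIVATE_GROUP_ID)
```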

Silver

Re: dot1x and sso

This is exactly what I did.

Thanks
