VLAN mapping using username from Active Directory

Dear all,

My scenario is like this: I've 4 buildings within a campus. Building 1 is where I'm going to place my core 6500, and the rest 3 buildings have 200 users each, total 600 users in these 3 buildings. My aim is to create VLANs, like building 2 will be another VLAN, so in case the guy from building 2 comes to building 3 then also he should get access, like by mapping the username he should go to the VLAN group. I'm not clear how I should start and from where I should start.

In this scenario, in each of these buildings I've 10 3560 switches with fibers connecting directly to the 6500.

I've Active Directory on a 2003 server, so I'm planning to map the user names from this server to ACS engine 4.1 for max security. And creating VLANs, how do I go about it? It will be based on username mappings: the guy from building 3 goes to building 1 or 2, he should be able to log on and work, but how is it mapping to the exact VLAN group?

Where should I create these VLAN groups, is it in ACS 4.1?

So how can I start with this? I've not done any implementation like this, so if you can give some inputs that will be a great thing.

I will rate all the posts.

Binoy

16 Replies

ycae (Level 1)

I do not have a solution for you, but I think that your idea is very interesting. I would first start to create the VLANs on the switches. But then I don't know how you want to make the switch talk to Active Directory to assign the VLAN to a certain user....

I will also do some research, and if I have some outcome I will let you know.

Yves

Thank you, I will expect some output from you.

Jon Marshall (Hall of Fame)

Hi Binoy

You can assign a VLAN based on the username by using 802.1x and a RADIUS server. Attached is a link to the 802.1x configuration on the 3550 switch as an example. Have a look at "Using 802.1x with VLAN Assignment".

http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a0080211c55.html#wp1095811

If you want the user to always be in the same VLAN whichever building they are in, then you will need to link all your buildings with layer 2 uplinks, as the VLANs will need to exist across all the buildings.

Is this what you want, to have a user always in a particular VLAN whichever building he is in at the time?

HTH

Jon

Hi Jon, thanks for your reply.

Let me go through the document. And one more thing: do I need to create 3 VLANs separately in my 6509?

Say there are 10 switches in my building 1, so do I need to create anything separately in these switches?

And as I told you, when the user tries to log in, or the moment he connects, the traffic should go to ACS engine 4.1 for checking the details; only after that will he enter into Active Directory.

So how can I do that? Initially, how will the traffic flow to ACS engine 4.1? Is there any SPAN port required for this?

In my network, where should I place this engine 4.1?

Regards

Binoy.

Binoy

I'm running the exact same setup, except the clients connect via Aironet WAPs and not via copper switches. However, the concept is identical with Jon's suggestion.

802.1x does map, and the cool thing is you DO NOT need ACS. The Microsoft IAS component talks RADIUS, and in fact you have much better flexibility in IAS than you would have under ACS. In IAS you can do things like LDAP queries, so think about all the possibilities - group membership, most any Active Directory attribute.

So in summary, it does work, but like he said, the VLANs have to propagate everywhere, which is no big deal - just look at trunking and VTP domain propagation and voila.

Last point - to make it work one needs a certificate installed on the Win2003 server which is running IAS and is configured for 802.1x - that certificate is NOT the usual SSL stuff you buy for $50/year. I found that very few CA houses will sell you what they call an authentication certificate, and they broke me for $400/year. I found out what attributes need to be enabled, but the cheap CA houses just played dumb.

A self-issued certificate will do just fine, but then you have to import the CA into every client that will be using 802.1x; otherwise they will not authenticate, and there is no utility to disable the checking like the little cert.exe for Windows Mobile, grrrrr.

~Boyan

Boyan, thanks for your reply.

Can you just give me an idea about how I can design the VLANs? The switches from the buildings are connecting directly to the 6509 through fiber, so can I configure them as access ports? How can I design such a VLAN?

If you can give such info, that will be great.

Binoy

Well, to do VTP, at the central switch you designate one port as a trunk for each of the leaf switches; then of course each leaf switch has one port designated as a trunk, and the trunk ports face each other, connected via your fiber. So for example at the central site you have 4 trunk ports: port 1 is connected to port 1 of building one, and so on - the point is that both ports are trunks.

This will make all VLANs propagate, so for example if you define VLAN 33 at the central switch you can tap into VLAN 33 on all leaf switches. How you can tap into VLAN 33 - just pick a port and make it a member of VLAN 33. The packets are distributed "magically" to all other switches - that is what trunking does.

Of course this is just the beginning of what you want to do. Next is to configure all ports on all leaf switches for 802.1x authentication and then map the VLAN # based on what the outcome of authentication is.

This occurs at the IAS level; there you can map the VLAN # based on Active Directory membership. The whole drama is complex, but once you do it you can do it again and again.

I can't give you all the steps on the switch port auth config, but I can post screenshots from my Win2003 IAS config that show you how to map the VLAN # to Active Directory group membership.

~B

Boyan, very good information from your side, I appreciate it.

I already have ACS engine 4.1, not implemented, it's in the box only.

In building 1 I've 10 switches, and from each switch I've fiber connecting to the 6509, so 10 fiber connections. Suppose that is the accounts dept: I will create VLAN 30 in the 6509, add the 10 fiber GBIC ports in VLAN 30, and I need to configure them as trunk ports, and the 10 ports from the 10 access switches, and enable all the ports for 802.1x.

Like this I've building 2 and building 3, so how can I plan the IP addressing scheme? For each building do I need to go for different subnets, or how is it? Sorry to bother you; if you can share such things that will be great.

If you can share your switch configuration that will be a great help, the core switch sh run.

And I will appreciate the Active Directory screenshots.

Aha well this is where it gets interesting. Yes IP addressing is a good question.

First on the VLAN biz - when you add VLAN 30 to the 6509 then automatically all other switches will be able to tap into it. This is because you have previously set up trunking.

Now on the IP addressing. Since you have indicated that people travel from building to building, your IP design is no longer based on a building premise but on a VLAN premise. That means each VLAN will have its own DHCP server. You agree that if an accounting staff who lives in building #1 logs into a building #2 jack, and we have a paper-CCIE setup where each building has its separate subnet, then we have violated the main concept of VLAN = subnet.

What we want is that the accounting staff gets an IP address from the VLAN that he/she belongs to NO MATTER where that person is geographically.

To accomplish that I suggested the VLAN design. OK, so no DHCP per building, which means each building can have people with totally different net numbers. Why? Because of their different departments.

Now how to do this? One would think we need DHCP for each VLAN, probably living at the 6509 site. Yes and no. Microsoft DHCP has proven wonderful. I have one DHCP server for all VLANs. How? Whatever the device is which is routing between VLANs, say an RSM may be in your can, you set up a DHCP helper agent on each virtual interface that faces each VLAN. That agent forwards the DHCP to your Microsoft DHCP server. Your MS server has multiple scopes.

Now to the million dollar question - how does it know to pick from the correct scope? Well it does, because the DHCP forwarding configuration (this is just Cisco config on the RSM) embeds the net number where that virtual interface lives. Then Microsoft uses it to pick from the correct scope.

Yes, I didn't believe this until I saw it working.

Lastly, if anyone is just jumping in on this, one will ask - well, how does the accountant become part of his/her VLAN when visiting other buildings? This is exactly what Binoy will have to figure out with 802.1x authentication. Once authenticated, the accountant's port will be dynamically joined into the VLAN # that IAS has returned back to the user. How IAS knows - well, it's mapped statically (member of group == VLAN id) within the IAS config based upon some other criteria such as group membership, or some other monkey Active Directory attribute. User starts 802.1x, RADIUS chats with IAS, user is authed, port is joined to VLAN xxx, only then does the user go into DHCP business and finally gets an IP address, which the DHCP agent listening on that VLAN virtual interface forwards to the Microsoft DHCP server, and it picks the correct scope. Then the accounting staff is on the accounting VLAN - all accounting servers are reachable on the same IP network (doesn't go across routers) although the physical devices may be in other buildings - this is layer 2 trunking business and not visible to IP.

we have then accomplished the objectives.

~boyan
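The relay flow Boyan describes (one Microsoft DHCP server, one scope per VLAN, a helper agent on every SVI, scope chosen from the subnet the relay stamps into the request) is modelled below. This is an added example, not code from the thread or from Cisco or Microsoft; the SVI and helper addresses are the ones in the RSM config Boyan posts later in the thread, while the server VLAN, scope ranges and MAC addresses are constructed sample values. The relay address field is `giaddr` as defined in RFC 2131, which is the "net number" the server uses to pick a scope.

```python
"""
Added example (not from the thread): a small model of DHCP relay across VLANs.
One server, many scopes; the scope is selected by giaddr, the address of the
SVI that relayed the request (RFC 2131 section 4.3.1).
"""
import ipaddress
from dataclasses import dataclass

HELPER_ADDRESS = "192.168.166.12"        # the DHCP server (from the RSM config)
SERVER_VLAN = 1                          # constructed: the server sits on Vlan1
SVI_BY_VLAN = {1: "192.168.166.201", 2: "192.168.167.1",
               3: "192.168.168.1", 4: "192.168.169.1"}
RELAYED_VLANS = {2, 3, 4}                # SVIs that carry "ip helper-address"
ZERO = ipaddress.ip_address("0.0.0.0")


@dataclass
class DhcpMessage:
    op: str                       # "DISCOVER" or "OFFER"
    chaddr: str                   # client MAC
    giaddr: str = "0.0.0.0"       # relay agent address; zero when not relayed
    yiaddr: str = "0.0.0.0"       # address offered by the server


class DhcpServer:
    """One server with several scopes. A relayed DISCOVER carries the relay
    SVI address in giaddr, and the scope containing that address is used; a
    direct broadcast (giaddr zero) is served from the server's own subnet."""

    def __init__(self, own_subnet: str, scopes: list):
        self.own_subnet = ipaddress.ip_network(own_subnet)
        # Constructed pool per scope: .100 to .149 of each subnet.
        self.pools = {ipaddress.ip_network(s): list(ipaddress.ip_network(s).hosts())[99:149]
                      for s in scopes}
        self.leases = {}          # chaddr -> IPv4Address

    def handle(self, msg: DhcpMessage):
        if msg.op != "DISCOVER":
            return None
        gi = ipaddress.ip_address(msg.giaddr)
        scope = self.own_subnet if gi == ZERO else next((n for n in self.pools if gi in n), None)
        if scope not in self.pools:
            return None           # no scope for that subnet: the server stays silent
        taken = set(self.leases.values())
        addr = next((a for a in self.pools[scope] if a not in taken), None)
        if addr is None:
            return None           # scope exhausted
        self.leases[msg.chaddr] = addr
        return DhcpMessage("OFFER", msg.chaddr, msg.giaddr, str(addr))


def relay(msg: DhcpMessage, vlan: int):
    """The RSM helper agent: on an SVI configured with ip helper-address, stamp
    giaddr with that SVI's own address (only if still zero) and unicast the
    packet to the helper. Returns (message, destination); None = not forwarded."""
    if vlan not in RELAYED_VLANS:
        return msg, None
    if msg.giaddr == "0.0.0.0":
        msg.giaddr = SVI_BY_VLAN[vlan]
    return msg, HELPER_ADDRESS


def request_address(server: DhcpServer, vlan: int, mac: str):
    """A client on `vlan` broadcasts a DISCOVER; return the offered address or None."""
    msg, destination = relay(DhcpMessage("DISCOVER", mac), vlan)
    if destination is None and vlan != SERVER_VLAN:
        return None               # a broadcast never leaves a VLAN that has no helper
    offer = server.handle(msg)
    return offer.yiaddr if offer else None


def run_clients(server: DhcpServer, clients: list):
    """Serve a list of (vlan, mac) requests in order; one result per client."""
    return [request_address(server, vlan, mac) for vlan, mac in clients]


if __name__ == "__main__":
    srv = DhcpServer("192.168.166.0/24", ["192.168.166.0/24", "192.168.167.0/24",
                                          "192.168.168.0/24", "192.168.169.0/24"])
    # Constructed clients: two on VLAN 2, one each on VLANs 4 and 1, one on a
    # VLAN with no SVI/helper at all.
    for result in run_clients(srv, [(2, "00:11:22:33:44:01"), (2, "00:11:22:33:44:02"),
                                    (4, "00:11:22:33:44:03"), (1, "00:11:22:33:44:04"),
                                    (5, "00:11:22:33:44:05")]):
        print(result)
```

The last case in the usage block is the failure mode worth remembering: a VLAN whose SVI lacks `ip helper-address` (or has no SVI at all) never gets an offer, and a relayed request for a subnet with no matching scope is silently dropped by the server, so "no address on the new VLAN" is usually a missing helper or a missing scope rather than an 802.1x problem.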

May you share what you paid for the 6509 and what guts it came with, you know, sup, blades, power, even the plastic cable mgmt plates? I'm planning a mass upgrade but still want to shelter the budgeting people from having a heart attack when they see the dollars. Just FYI: I am running the 55xx platform across the board, and all testing described here is based upon this setup.

Hello Boyan,

Thanks for your reply. So if one guy from building 1 goes to building 2 and he tries to log in (in my setup), initially my ACS box 4.1 will check this user, and the next step is Active Directory authentication.

So, Boyan, I will enable 802.1x in all the switches, and in my setup the VLANs will be like: we will be taking, say, 200 or 300 users of a similar category, similar job nature, and assign them to a VLAN.

So in my 6500 I need to create different SVIs. Still I'm not clear about the IP scheme. I'm asking because you have a similar setup running in your office.

If you can advise me that will be great.

And Boyan, regarding the price I've no clear idea, because I belong to the implementation side, and we have premier level partnership with Cisco, so we are eligible for a discount, I think 40% or above.

In our case we have a 6509-E chassis and the supervisor is a 720-3B.

If you want I can give you the exact part numbers for the materials to set up corporate stuff.

Regards

Binoy

You are correct on #1: 802.1x will check auth, and based on that your port will be assigned a VLAN. Correct - all switch ports have to be enabled for 802.1x. You are not assigning users to VLANs but to something easier to manage, say groups. You could assign users to VLANs, but that is messy. And there is no place in AD to assign a VLAN to a user; IAS makes that decision based upon some other AD attribute like group membership. So the numeric value of the VLANs is entered into the IAS config.

As for IP, well, say we have 4 VLANs: 10, 20, 30, 40. VLAN 10 will be 192.168.1.x, then VLAN 20 = 192.168.2.x, etc.

You then have the default VLAN, which is 1, and that is where the DHCP server will live. You need layer 3 routing capability at your 6509 - that is how you route between VLANs. Then on that RSM virtual interface you need the DHCP relay agent enabled and pointed to the DHCP server, so each VLAN is assigned IP addresses.

I can dig up the RSM test config from when I was testing this and post it here. It is really simple.

~B
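Boyan's point that the VLAN number is entered into the IAS config and returned to the switch after authentication (and Jon's earlier "802.1x with VLAN Assignment" reference) can be followed end to end in a small model. The code below is an added example, not code from the thread, from IAS or from Cisco. It assumes the RADIUS server returns the standard RFC 3580 tunnel attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = VLAN id or name) and that the switch behaves as the Catalyst documentation describes: no VLAN attributes means the port lands in its configured access VLAN, and a VLAN that does not exist on the switch leaves the port unauthorized. The users, groups and VLAN numbers are constructed sample values.

```python
"""
Added example (not from the thread): the "group membership == VLAN id"
decision, from the RADIUS policy through the Access-Accept to the switch port.
"""
from dataclasses import dataclass, field

# RFC 2868 attribute numbers and the values RFC 3580 assigns for VLAN use.
TUNNEL_TYPE = 64                 # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65          # value 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81     # VLAN id (or name) carried as a string
VLAN, IEEE_802 = 13, 6

# Constructed policy table. It lives in the RADIUS server configuration, not
# in Active Directory. Order matters: IAS evaluates its remote access
# policies top down and the first match wins.
GROUP_TO_VLAN = [("Accounting", 30), ("Engineering", 20), ("Sales", 40)]

# Constructed directory: user -> AD group memberships.
DIRECTORY = {
    "alice": {"Domain Users", "Accounting"},
    "bob": {"Domain Users", "Engineering", "Sales"},
    "carol": {"Domain Users"},
}


@dataclass
class RadiusReply:
    code: str                                   # "Access-Accept" or "Access-Reject"
    attributes: dict = field(default_factory=dict)


def radius_policy(username: str, password_ok: bool) -> RadiusReply:
    """Server side: authenticate against the directory, then map the first
    matching group to its VLAN and return it as tunnel attributes."""
    if not password_ok or username not in DIRECTORY:
        return RadiusReply("Access-Reject")
    for group, vlan in GROUP_TO_VLAN:
        if group in DIRECTORY[username]:
            return RadiusReply("Access-Accept", {
                TUNNEL_TYPE: VLAN,
                TUNNEL_MEDIUM_TYPE: IEEE_802,
                TUNNEL_PRIVATE_GROUP_ID: str(vlan),
            })
    return RadiusReply("Access-Accept")         # authenticated, no VLAN policy matched


def authorize_port(reply: RadiusReply, vlan_db: dict, access_vlan: int):
    """Switch side: return the VLAN the port is placed in, or None when the
    port stays unauthorized. vlan_db maps VLAN name -> id on this switch
    (what VTP would have pushed to every leaf)."""
    if reply.code != "Access-Accept":
        return None
    a = reply.attributes
    if (a.get(TUNNEL_TYPE) != VLAN or a.get(TUNNEL_MEDIUM_TYPE) != IEEE_802
            or TUNNEL_PRIVATE_GROUP_ID not in a):
        return access_vlan                      # no assignment: configured access VLAN
    wanted = a[TUNNEL_PRIVATE_GROUP_ID]
    # The attribute may carry a numeric id or a VLAN name; either must exist
    # locally, otherwise the port is left unauthorized rather than dropped
    # into a wrong VLAN.
    if wanted.isdigit():
        return int(wanted) if int(wanted) in vlan_db.values() else None
    return vlan_db.get(wanted)


def login(username: str, password_ok: bool, vlan_db: dict, access_vlan: int = 1):
    """Full exchange for one supplicant on one 802.1x port."""
    return authorize_port(radius_policy(username, password_ok), vlan_db, access_vlan)


if __name__ == "__main__":
    # Constructed VLAN database of one leaf switch.
    db = {"default": 1, "engineering": 20, "accounting": 30, "sales": 40}
    print(login("alice", True, db))             # 30
    print(login("bob", True, db))               # 20 (Engineering is listed before Sales)
    print(login("carol", True, db))             # 1  (no policy matched: access VLAN)
    print(login("alice", False, db))            # None (Access-Reject)
    print(login("alice", True, {"default": 1})) # None (VLAN 30 not on this switch)
```

The last usage line is why the trunking and VTP discussion earlier in the thread matters for security as well as connectivity: if the VLAN returned by IAS is missing on the leaf switch the visiting user plugs into, the port does not fall back to some other VLAN, it stays unauthorized, and the symptom looks like a failed login even though IAS accepted the user.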

Here is the RSM config. The address specified by ip helper-address is the IP address of the DHCP server. Note the ip forward-protocol commands; this is how the DHCP packet gets across the VLANs. This particular test setup didn't have a PCMCIA flash card handy, so the IOS booted across the network via TFTP:

!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
no service single-slot-reload-enable
!
hostname Router
!
! No flash card in this test box: the IOS image is loaded over the network from the TFTP host
boot system tftp c5rsm-jsv-mz.122-28a.bin 192.168.166.12
enable password blahblah
!
ip subnet-zero
!
ip cef
!
! Vlan1 is where the DHCP server lives, so no helper address is needed here
interface Vlan1
 ip address 192.168.166.201 255.255.255.0
 no ip route-cache
 no ip mroute-cache
!
! Each user VLAN SVI relays DHCP broadcasts to the server; the relayed packet carries
! the SVI address, which is what lets the server pick the matching scope
interface Vlan2
 ip address 192.168.167.1 255.255.255.0
 ip helper-address 192.168.166.12
 no ip route-cache
 no ip mroute-cache
!
interface Vlan3
 ip address 192.168.168.1 255.255.255.0
 ip helper-address 192.168.166.12
 no ip route-cache
 no ip mroute-cache
!
interface Vlan4
 ip address 192.168.169.1 255.255.255.0
 ip helper-address 192.168.166.12
 no ip route-cache
 no ip mroute-cache
!
router rip
 network 192.168.166.0
 network 192.168.167.0
 network 192.168.168.0
 network 192.168.169.0
!
no ip classless
! UDP ports the helper address forwards: bootps (67) is the DHCP server port, bootpc (68) the client port
ip forward-protocol udp bootps
ip forward-protocol udp bootpc
ip route 0.0.0.0 0.0.0.0 192.168.166.12
no ip http server
!
line con 0
line aux 0
line vty 0 4
 password blahblah
 login
!
end

Boyan, thank you.

I really appreciate this.

Why I'm worried about this scenario is, there are a lot of big guys sitting there, so I should be very careful.

So I just need to create different VLANs in my 6500,

and the routing entries,

and one route entry pointing to the DHCP server.

And the edge switches connecting to the fiber module of the 6509, those should be trunks, right?

Now with this config, if the user goes to another building, initially he will be authenticated by ACS, then by Active Directory.

Is it?

And one more thing, Boyan: in this network where should I place my ACS box? As you know all my edge switches are connecting directly to the core, so where should I place it?

It's the first time I'm going to use this box.

And on the core side also, do we need to enable 802.1x for all the ports?

Hello Boyan, I'm expecting some inputs from you.
