How to change vlan after successful dot1x authentication (ACS4.1)

paulkeestra
Level 1

Hi,

I'm setting up 802.1x for security reasons with ACS4.1. At this point I have configured a guest-vlan, which has access-lists configured so only access between client <-> PXE server is allowed. So far it is functioning perfectly. When the client boots to Windows, the machine is checked by ACS (Active Directory) and the authentication is passed (passed authentication). Only problem is that the switchport is not set to the normal vlan configured on the switch, but stays in the guest vlan.

How can I accomplish that the port is set to the correct vlan after successful authentication?

I cannot configure ACS to set the vlan to a specific number, because every switch has a separate vlan and the vlan should not spread over different switches.

Thanks in advance!

2 Replies

a-vazquez
Level 6

As far as I understand, you are trying to setup 802.1x port-based authentication.

First of all, here is a configuration guide:

http://www.cisco.com/en/US/products/ps6406/products_configuration_guide_chapter09186a00805a76b5.html

Refer to chapter "Configure IEEE 802.1x Port-Based Authentication".

switchport mode access
dot1x pae authenticator
dot1x port-control auto
! reauthentication interval is taken from the RADIUS Session-Timeout attribute
dot1x timeout reauth-period server
dot1x reauthentication
! VLAN for clients that never send EAPOL (no supplicant)
dot1x guest-vlan 140
! VLAN for clients that fail authentication
dot1x auth-fail vlan 104

Based on this, if a user gets successfully authenticated, the VLAN assignment is done via RADIUS.

Regarding ACS setup, which authentication methods do you intend to use?

Do you also do machine authentication?

What kind of supplicant (client) are you using (Version/Build/SP)?

For troubleshooting, I need some further information.
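The "VLAN assignment via RADIUS" in the reply above works through three tagged IETF attributes in the Access-Accept (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID). As an added example that is not from the thread or from Cisco, the block below encodes those attributes as ACS would send them, parses them as the switch would, and resolves the group-id against a constructed per-switch VLAN table; Cisco IOS accepts either a VLAN ID or a VLAN name in Tunnel-Private-Group-ID and resolves a name locally, which is why the same ACS profile can land on different VLAN numbers on different switches. The tag value 1 and the `local_vlans` tables are assumptions.

```python
import struct

# IETF RADIUS attribute numbers (RFC 2868) used for dynamic VLAN assignment.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13      # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_802 = 6      # Tunnel-Medium-Type value "IEEE-802"
TAG = 1                    # assumed tag byte grouping the three attributes together


def build_vlan_attrs(group_id):
    """Encode the three tagged attributes an Access-Accept needs for dynamic VLAN."""
    def tagged_int(attr, value):
        # type, length, tag, then a 3-byte big-endian integer value
        return struct.pack("!BBB", attr, 6, TAG) + value.to_bytes(3, "big")
    gid = group_id.encode("ascii")
    return (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802)
            + struct.pack("!BBB", TUNNEL_PRIVATE_GROUP_ID, 3 + len(gid), TAG) + gid)


def parse_attrs(data):
    """Walk the attribute TLV list; return {attr_type: (tag, value)} for tunnel attributes."""
    out, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed RADIUS attribute")
        body = data[i + 2:i + alen]
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            out[atype] = (body[0], int.from_bytes(body[1:], "big"))
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading byte in 0x00..0x1F is a tag, otherwise part of the string
            if body and body[0] <= 0x1F:
                out[atype] = (body[0], body[1:].decode("ascii"))
            else:
                out[atype] = (None, body.decode("ascii"))
        i += alen
    return out


def vlan_from_accept(data, local_vlans):
    """Model the switch: all three attributes must be present and consistent, then the
    group-id is resolved against this switch's VLAN table (numeric ID or VLAN name)."""
    a = parse_attrs(data)
    if a.get(TUNNEL_TYPE, (0, 0))[1] != TUNNEL_TYPE_VLAN:
        return None
    if a.get(TUNNEL_MEDIUM_TYPE, (0, 0))[1] != TUNNEL_MEDIUM_802:
        return None
    gid = a.get(TUNNEL_PRIVATE_GROUP_ID, (0, None))[1]
    if gid is None:
        return None
    if gid.isdigit():
        vid = int(gid)
        return vid if vid in local_vlans.values() else None
    return local_vlans.get(gid)  # name lookup: the number can differ per switch
```

If the switch ignores the assignment, check that the Access-Accept really carries all three attributes (ACS shows them in the passed-authentication log) and that the name or ID exists in that switch's VLAN database.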

Yes, I'm trying to set up 802.1x. The configuration you mention is configured on the switch and the switch is configured (radius IETF) in ACS. Authentication is based on machine authentication.

The configuration works as it should. The only problem is PXE boot for imaging. By adjusting the timers I managed to boot the workstation: at PXE boot the switchport is set to the guest-vlan, and when Windows boots the machine is checked and the port is set to the normal vlan. Only problem is that the timers are machine specific.

Back to the questions:

Which authentication: PEAP

Machine: YES

Supplicant: Standard Windows XP (PEAP) supplicant

Is it possible to keep the PXE boot functionality with 802.1x and guest-vlan?
