802.1x with AD authentication in a wired environment

Hello,

I have a question about 802.1x authentication. I want to use a combination of 802.1x and domain authentication against a Microsoft AD. I think the first login request is the domain login, but the port on the switch is always blocked. Only after the PC is already up can I log in with 802.1x authentication. Please let me know what the best solution for this scenario is. The customer needs a domain login and wants to use 802.1x authentication.

Is there a solution with only 1 login request?

thanks

Jens

Accepted Solution

Re: 802.1x with AD authentication in a wired environment

You can enable Machine Authentication with Windows 2000/XP/2003 clients. For this to work you need to use either PEAP or EAP-TLS. PEAP requires only a certificate on the RADIUS Server. EAP-TLS requires a client certificate installed in the machine store on the 2000/XP/2003 client. With Machine Authentication the switchport authenticates the PC using 802.1x prior to user logon.

You can push certificates down to Machines & Users via Active Directory Group Policy (you can't push user certificates down with a 2000 AD or 2000 Clients). You need to also enable Remote Access privileges for Machines as well.

http://support.microsoft.com/kb/318750/EN-US/

http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx

I have this deployed in a test environment at the moment using Microsoft IAS (Radius). Due to the way the IAS policies are created you need to plan things out carefully. Each switch has to be added individually to the IAS Server so it can look ugly (no more so than a DHCP server though).

HTH

Andy
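The distinction Andy draws (machine authentication before logon versus user authentication after logon) is visible on the RADIUS side in the EAP identity: a Windows supplicant doing machine authentication sends `host/<computer FQDN>` as the User-Name, while a user logon sends the domain account. The script below is an added example, not code from this thread, Cisco or Microsoft; it parses a constructed, simplified key=value authentication log (not the real IAS or ACS log format), classifies each event, and reports ports where only user authentication is ever attempted (the "port blocked until the user logs in" symptom Jens describes) and ports where machine authentication is being rejected (typically a missing machine certificate or the Remote Access permission Andy mentions). The field names, IP addresses, port IDs and host names are all constructed.

```python
"""Classify 802.1X RADIUS authentication events as machine or user
authentication and flag switch ports that never complete machine auth.

Added example; the log format below is constructed and simplified, it is
NOT the real IAS/ACS log format.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: one line per Access-Request outcome.
# ts = timestamp, nas = switch (RADIUS client) IP, port = NAS-Port-Id,
# user = RADIUS User-Name (EAP identity), result = Access-Accept/Reject.
SAMPLE_LOG = """\
ts=2007-03-01T08:01:02 nas=10.0.0.11 port=Fa0/1 user=host/pc01.corp.example result=Access-Accept
ts=2007-03-01T08:01:40 nas=10.0.0.11 port=Fa0/1 user=CORP\\jens result=Access-Accept
ts=2007-03-01T08:02:10 nas=10.0.0.12 port=Fa0/7 user=CORP\\james result=Access-Reject
ts=2007-03-01T08:02:11 nas=10.0.0.12 port=Fa0/7 user=CORP\\james result=Access-Accept
ts=2007-03-01T08:03:00 nas=10.0.0.13 port=Fa0/3 user=host/pc09.corp.example result=Access-Reject
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"ts=(\S+) nas=(\S+) port=(\S+) user=(\S+) result=(\S+)$")


@dataclass(frozen=True)
class AuthEvent:
    ts: str
    nas: str
    port: str
    user: str
    result: str

    @property
    def is_machine(self) -> bool:
        # Windows supplicants send "host/<fqdn>" as the EAP identity for
        # machine authentication; any other identity is treated as a user logon.
        return self.user.lower().startswith("host/")

    @property
    def key(self) -> tuple[str, str]:
        # A switch port is identified by (switch IP, NAS-Port-Id).
        return (self.nas, self.port)


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the constructed log format; lines that do not match are skipped."""
    events: list[AuthEvent] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(AuthEvent(*m.groups()))
    return events


def ports_without_machine_auth(events: list[AuthEvent]) -> list[tuple[str, str]]:
    """Ports where a user logon was attempted but no machine auth was ever
    accepted: these ports stay blocked until someone logs on interactively."""
    machine_ok = {e.key for e in events if e.is_machine and e.result == "Access-Accept"}
    user_seen = {e.key for e in events if not e.is_machine}
    return sorted(user_seen - machine_ok)


def failed_machine_auth(events: list[AuthEvent]) -> list[tuple[str, str]]:
    """Ports where machine auth was rejected and never accepted: check the
    machine certificate / Remote Access permission on the computer account."""
    accepted = {e.key for e in events if e.is_machine and e.result == "Access-Accept"}
    rejected = {e.key for e in events if e.is_machine and e.result == "Access-Reject"}
    return sorted(rejected - accepted)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("ports relying on user logon only:", ports_without_machine_auth(evs))
    print("ports with failing machine auth: ", failed_machine_auth(evs))
```

On the constructed data, Fa0/7 on 10.0.0.12 only ever sees `CORP\james`, so that PC has no machine authentication configured (or it is not using PEAP/EAP-TLS), while Fa0/3 on 10.0.0.13 is attempting machine auth and being rejected, which points at the certificate or account-permission side rather than the switch.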

3 REPLIES

Re: 802.1x with AD authentication in a wired environment

Hello,

With an ACS Server you can configure authentication via Windows.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a00802335f9.html#wp792699

Hope this helps.

Regards,

James


Re: 802.1x with AD authentication in a wired environment

Hello,

thanks for the reply, but my question is this:

Is there a solution that combines a domain request and an 802.1x request? The user must log in to a domain and the switch is configured with 802.1x.

regards

Jens
