Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

802.1x and Authentication Methods

Hi,

I have ACS 5.2, Cisco 4507 switches and AD domain environment.
Planning on performing only machine authentication and not user authentication.
I have the following type of devices:

1. Windows XP SP3 and higher on the AD Domain
2. Devices to be with installed with third-party supplicants as they natively don't
support 802.1x.


If I ignore device type 2, and only consider device type 1, am I able to simply configure
802.1x for authentication based on machine against AD, without having to use any
certificates at all?


Taken device type 2 into account, given the devices are not on the domain and I don't
want to manually enter details into ACS, will I need to use certificate for authentication?

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: 802.1x and Authentication Methods

Hi,

> Using PEAP wouldn't I need certificate installed on the ACS? Or can it work without any certificate at all.

[ANS] Yes, you always need certificate on the ACS but it can be a self signed certificate that you can do with 2 clicks on the ACS itself. oc the client machines you have only to make sure that you have the supplicant configured to not "Validate server certificate" so that you do not have any further complication with certs.

> I was thinking for devices that not on the domain, to load certificate on the machine.

If I were to have both type 1 and 2 devices, would it possible to have domain devices to be authentication using machine authentication against AD and the non domain devices autheticated using certificate installed on each device?

[ANS] Yes, you can. Non domain devices could be authenticated simply by trusting the CA that issued the device certificate. Imagine you have CA "JEDI" issuing the device's certs. You can configure the ACS to validate authentications only by trusting CA "JEDI". When a device tries to connect, it will send the certificate, the ACS simply checks the CA that issued the cert and if it is trusted, it will accept the authentication.

In this scenario, you will need to use an authnetication method which uses clients certs for authneitcation like EAP-TLS.

HTH,
Tiago

--

If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

3 REPLIES
Cisco Employee

Re: 802.1x and Authentication Methods

Hi,

Answering inline:


If I ignore device type 2, and only consider device type 1, am I able to simply configure
802.1x for authentication based on machine against AD, without having to use any
certificates at all?

[Ans] Yes, you can use PEAP which does not require certificate on the user, but the traffic is still encrypted.

Windows XP default supplicant has the option to "Use machine credentials...". If you check that box the PC will do machine authentication and send the machine credentials in the format host\machine.domain.


Taken device type 2 into account, given the devices are not on the domain and I don't
want to manually enter details into ACS, will I need to use certificate for authentication?

[Ans] Well, if you want to do machine authentication, you need to create the machine entries in some Database...can you please clarify exactly how you want to authenticate the devices type 2.

Thanks,

Tiago

New Member

Re: 802.1x and Authentication Methods

Hi Tiago,

Thanks for your reply. Some more questions.

>If I ignore device type 2, and only consider device type 1, am I able to simply configure
>802.1x for authentication based on machine against AD, without having to use any
>certificates at all?

>[Ans] Yes, you can use PEAP which does not require certificate on the user, but the traffic is still encrypted.

>Windows XP default supplicant has the option to "Use machine credentials...". If you check that box the PC will do machine authentication and send the >machine credentials in the format host\machine.domain.

Using PEAP wouldn't I need certificate installed on the ACS? Or can it work without any certificate at all.


>Taken device type 2 into account, given the devices are not on the domain and I don't
>want to manually enter details into ACS, will I need to use certificate for authentication?

>[Ans] Well, if you want to do machine authentication, you need to create the machine entries in some Database...can you please clarify exactly how you >want to authenticate the devices type 2.

I was thinking for devices that not on the domain, to load certificate on the machine.

If I were to have both type 1 and 2 devices, would it possible to have domain devices to be authentication using machine authentication against AD and the non domain devices autheticated using certificate installed on each device?

Thanks

Cisco Employee

Re: 802.1x and Authentication Methods

Hi,

> Using PEAP wouldn't I need certificate installed on the ACS? Or can it work without any certificate at all.

[ANS] Yes, you always need certificate on the ACS but it can be a self signed certificate that you can do with 2 clicks on the ACS itself. oc the client machines you have only to make sure that you have the supplicant configured to not "Validate server certificate" so that you do not have any further complication with certs.

> I was thinking for devices that not on the domain, to load certificate on the machine.

If I were to have both type 1 and 2 devices, would it possible to have domain devices to be authentication using machine authentication against AD and the non domain devices autheticated using certificate installed on each device?

[ANS] Yes, you can. Non domain devices could be authenticated simply by trusting the CA that issued the device certificate. Imagine you have CA "JEDI" issuing the device's certs. You can configure the ACS to validate authentications only by trusting CA "JEDI". When a device tries to connect, it will send the certificate, the ACS simply checks the CA that issued the cert and if it is trusted, it will accept the authentication.

In this scenario, you will need to use an authnetication method which uses clients certs for authneitcation like EAP-TLS.

HTH,
Tiago

--

If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

809
Views
5
Helpful
3
Replies
CreatePlease login to create content