Cisco Support Community
New Member

802.1x/PEAP over Ethernet

I am trying to set up 802.1x PEAP in my home lab. I have:

- A Windows 2003 Enterprise server with SP2 and the latest patches running as Active Directory, DHCP, DNS, WINS. The AD domain name is LAB. The Windows 2003 is also running Cisco ACS 4.0.1 with a self-signed certificate. I can log into the box at https://PEAP8021x:2002 so the cert works. I also configured the ACS so that it can also use AD accounts for

- A Cisco Catalyst 2960 running IOS version flash:c2960-lanbase-mz.122-25.SEE2.bin. This version supports 802.1x.

- A couple of Windows XP machines with Service Pack 2 and the latest patches that will act as clients for the domain LAB.

Everything is connected to the Catalyst 2960 switch via CAT-5 cables.

I would like to accomplish something very simple. Before user(s) on WinXP can even access the domain LAB, the WinXP machine must be authenticated with Cisco ACS with a username/password on the AD server so that the machine can be placed in the correct VLAN(s). If this is just a visitor and their machine is plugged into my network, authentication will fail and they will be put in a guest VLAN where the only connection they have will be access to the Internet, and that will be it. All the information will be pushed out to the Catalyst from the Cisco ACS.

Can someone help me out on how to get this done? Thanks.

Cisco Employee

Re: 802.1x/PEAP over Ethernet

Enable machine-authentication. Enable the Auth-Fail-VLAN on your switchport. Configure security around this VLAN such that it only has access to the Internet via a path isolation technique.

These guides might help:



Re: 802.1x/PEAP over Ethernet


You would need to do the following:

- Machine authentication with user authentication (this part is tricky on WinXP; you may get intermittent results)

Something to help you:


Windows Registry Editor Version 5.00





- Machine Access Restriction (MAR) (it's on ACS)

- guest vlan or auth-fail-vlan

Wired 802.1x:

Configuring IEEE 802.1x Port-Based Authentication:
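
As an added example (not posted by anyone in this thread and not taken from the linked guides), here is a minimal switch-side configuration for the setup the replies describe: 802.1x on an access port with a guest VLAN, an auth-fail VLAN, and RADIUS-assigned VLANs from the ACS. The server address, shared-secret placeholder, VLAN IDs and interface are constructed, and it assumes the IOS image on the switch accepts these `dot1x` interface commands.

```cisco
! Constructed values: RADIUS server 192.0.2.10, <SHARED-SECRET> placeholder,
! VLAN 98 (auth-fail), VLAN 99 (guest), port FastEthernet0/1.
!
aaa new-model
! Send 802.1x authentication requests to the RADIUS server (the ACS)
aaa authentication dot1x default group radius
! Needed so the switch applies the VLAN returned by the RADIUS server
aaa authorization network default group radius
! Turn on 802.1x globally
dot1x system-auth-control
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key <SHARED-SECRET>
!
vlan 98
 name AUTH-FAIL
vlan 99
 name GUEST
!
interface FastEthernet0/1
 switchport mode access
 ! Port stays unauthorized until the supplicant authenticates
 dot1x port-control auto
 ! Clients that never answer EAPOL (no 802.1x supplicant) land here
 dot1x guest-vlan 99
 ! Clients that run 802.1x but fail authentication land here
 dot1x auth-fail vlan 98
 spanning-tree portfast
!
! RADIUS attributes the server must return for dynamic VLAN assignment
! (set per user or group on the RADIUS server, not on the switch):
!   [64] Tunnel-Type             = VLAN
!   [65] Tunnel-Medium-Type      = 802
!   [81] Tunnel-Private-Group-ID = <VLAN name or ID>
!
! VLANs 98 and 99 still need upstream isolation (Internet-only path),
! as the first reply notes; the commands above only place the port in them.
```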


