
New Member

802.1x

Is it possible to implement port security with the following components:

Windows XP (eap-md5) --- Catalyst 4006 (7.2.1) --- ACS (3.1) --- External DB: Windows AD or Windows SAM

Thank you.

2 REPLIES
New Member

Re: 802.1x

Short question, quick negative answer, but a possible option buried in the longer discussion :)

Nope. EAP-MD5 is not compatible with AD or the NT SAM. Only supported with the ACS DB.

Other options include:

1) using the local ACS db (I know, you lose the advantage of the integrated DB, but that's not a characteristic of ACS, but rather of AD and SAM)

2) you can use EAP-TLS, but it requires that the client have a certificate installed, and that a cert server be installed on the NT/AD DC. In my opinion, difficult to achieve if you have lots of supplicants (clients) to install the certs on.

3) you may be able to do PEAP (server-side authentication) to the NT DB for Catalyst switches, which doesn't require a certificate on the client. Although I haven't personally tested this on a Catalyst switch, I've tested PEAP on wireless and I've tested EAP-MD5 on the switch, so between the two.....

I think it should work. The reason is, PEAP support is just tunneled EAP, so to the switch, it should just be EAP - it's the authenticator (ACS) and the supplicant (XP) that really matter. If you pursue it and it works, I'd like to know.

Here are some references that may be helpful:

1) PEAP limitations (external DBs only - the local ACS DB will be supported in a future version of ACS)

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs31/rnacs311.htm#xtocid16

2) Some helpful descriptions of PEAP support, including supported external DB's (although this references wireless, most of this applies to PEAP in general)

http://www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/1942_pp.htm

3) Discussion of EAP and configuration of EAP on catalyst switches

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/rel7_2/config/authent.htm#xtocid9

4) White Paper: Guidelines for the Deployment of Cisco Secure ACS for Windows NT/2000 Servers in a Cisco Catalyst Switch Environment

http://www.cisco.com/warp/public/cc/pd/sqsw/sq/tech/deacs_wp.htm

HTH

Jeff
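As an added illustration of the incompatibility Jeff describes (this is not code from the thread or from Cisco), here is an EAP MD5-Challenge exchange framed per RFC 3748 in Python, with constructed sample stores. The response is an MD5 over the cleartext password, so the authentication server can only verify it against a store that returns the cleartext (which ACS's internal database can do), while AD and the SAM keep only one-way password hashes.

```python
import hashlib
import hmac

# EAP codes and the MD5-Challenge type, numbered as in RFC 3748.
EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_MD5 = 1, 2, 4

def build_eap_md5(code, identifier, value, name=b""):
    """Frame an EAP MD5-Challenge packet: Code, Identifier, Length, Type, Value-Size, Value, Name."""
    body = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    return bytes([code, identifier]) + (4 + len(body)).to_bytes(2, "big") + body

def parse_eap_md5(pkt):
    """Inverse of build_eap_md5; rejects truncated or non-MD5-Challenge packets."""
    if len(pkt) < 6 or int.from_bytes(pkt[2:4], "big") != len(pkt) or pkt[4] != EAP_TYPE_MD5:
        raise ValueError("malformed EAP MD5-Challenge packet")
    size = pkt[5]
    return pkt[0], pkt[1], pkt[6:6 + size], pkt[6 + size:]

def md5_response(identifier, password, challenge):
    """RFC 1994 / RFC 3748 s.5.4: Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

def supplicant_answer(request, username, password):
    """Supplicant (e.g. the XP client) answers the challenge with its cleartext password."""
    code, ident, challenge, _ = parse_eap_md5(request)
    if code != EAP_REQUEST:
        raise ValueError("expected an EAP-Request")
    return build_eap_md5(EAP_RESPONSE, ident, md5_response(ident, password, challenge), username)

def server_verify(response, challenge, cleartext_lookup):
    """The server must recompute the MD5 over the user's *cleartext* password,
    so it can only verify against a store able to hand that cleartext back."""
    _, ident, value, name = parse_eap_md5(response)
    password = cleartext_lookup(name.decode())
    if password is None:
        return False  # store holds no cleartext: EAP-MD5 cannot be checked
    return hmac.compare_digest(value, md5_response(ident, password, challenge))

# Constructed sample stores (not real ACS or AD data).
ACS_INTERNAL_DB = {"alice": b"s3cret-pw"}   # ACS internal DB can return the cleartext
acs_lookup = ACS_INTERNAL_DB.get

def ad_sam_lookup(user):
    return None  # AD/SAM store only one-way password hashes; no cleartext to return

def run_exchange(lookup, challenge=b"\x10" * 16, username=b"alice", password=b"s3cret-pw"):
    """Authenticator (the switch) relays the challenge to the supplicant and the response to the server."""
    request = build_eap_md5(EAP_REQUEST, 1, challenge)
    response = supplicant_answer(request, username, password)
    return server_verify(response, challenge, lookup)

if __name__ == "__main__":
    print("ACS internal DB:", run_exchange(acs_lookup))     # True
    print("AD / SAM:       ", run_exchange(ad_sam_lookup))  # False
```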

New Member

Re: 802.1x

Thank you very much for the information.

I was afraid of that.

My goal is to proceed with the following scenario:

Win XP SP1 or Win2K SP3 + 802.1x fix (PEAP) -- Catalyst -- ACS 3.1 -- External DB (AD or SAM)

I have recently downloaded the fix for Win2K, but I cannot seem to find the place to configure the settings. Could you please point me in the right direction?

Thank you.
