Transparent Authentication

kowalm
Level 1

I'm looking for a way to transparently authenticate NT/2000/XP users to Active Dir. or Domain Controller (via LDAP). I heard you can set up a Cisco switch to authenticate this way; a user hits Ctrl-Alt-Del, enters NT login info, the switch sees this login and sees if the user authenticates with the DC or AD.

Are there any variations to this? Does Cisco sell an appliance that does?

I know of MAC based security, but this isn't what I'm looking for. Basically, transparent authentication without adding MACs etc.

7 Replies

mostiguy
Level 6

If the user is hitting ctrl+alt+del and entering authentication info, what the heck are they authenticating against if it is not active directory?

An NT 4.0 Domain controller in a mixed mode setting.

You can set up a trust between the NT 4 domain and the win2k AD domain

No, this isn't what I'm asking.

Basically, when you plug into a switch, you should get no internet access unless you authenticate. When you plug into the switch, you're in a dead VLAN. When you log in to the domain, the switch forwards the request to the auth server, checks the reply, and if valid, switches the VLAN on that particular port.

This sounds like you're referring to AAA (authentication, authorization, and accounting)... I know this works for traversing a PIX, but don't know if you can set it up to traverse a switch. The only options I see for AAA on a switch are console|telnet|both.

What you're looking for is 802.1x authentication at the switch port level. Newer Cisco switches do support this at different levels. You must be using an 802.1x-capable OS (XP SP1 or 2k with MS add-on) or load URT (user registration something other).

The feature set in general is referred to as IBNS (identity based networking services). It can be done at the machine level using a certificate or at the user level utilizing the logged in credentials.

You'll need an ACS server to accomplish this. In addition to authentication, you can hand out other things per-group/user such as ACLs and VLAN. There's also guest support so that unidentified users can be given access to specific things.

The PIX can use AAA to authenticate users as they go through to the Internet and use ACS to determine what access they should have. This is not transparent as a browser challenge occurs.
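The port-level 802.1x setup described in the reply above, as an added IOS configuration example (not from this thread or from Cisco's documentation): the switch authenticates the supplicant against a RADIUS server (ACS), honours the per-user/group VLAN that ACS returns, and drops supplicant-less hosts into a guest VLAN. The RADIUS address, shared secret, VLAN IDs and interface name are placeholders.

```cisco
! Added example, not from the thread. Addresses, key and VLAN IDs are placeholders.
aaa new-model
! Authenticate 802.1x supplicants (the user's Windows logon credentials) via RADIUS
aaa authentication dot1x default group radius
! Without network authorization the switch ignores the VLAN ACS returns per user/group
aaa authorization network default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key REPLACE_WITH_SHARED_SECRET
! Enable 802.1x globally; per-port settings below do nothing until this is set
dot1x system-auth-control
!
! Client-facing access port. Until the supplicant authenticates the port passes
! only EAPOL, so no separate "dead VLAN" is needed. On success the port is moved
! to the VLAN ACS assigns; if ACS returns none, it stays in the configured VLAN 10.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
 ! Hosts with no 802.1x supplicant land in a restricted guest VLAN
 dot1x guest-vlan 99
 spanning-tree portfast
!
! Check the result with: show dot1x interface FastEthernet0/1  and  show vlan brief
```

A guest VLAN should carry only the access unidentified users are meant to have, since it is reached without any credentials.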

vinodmorsa
Level 1

Hi,

Cisco has a device which is called URT (secure user reg tool); this can do exactly what you need, but you need to configure switches to do this.