02-03-2004 10:43 AM - edited 02-21-2020 10:09 AM
I'm looking for a way to transparently authenticate NT/2000/XP users to Active Dir. or a Domain Controller (via LDAP). I heard you can set up a Cisco switch to authenticate this way; a user hits Ctrl-Alt-Del, enters NT login info, the switch sees this login and checks whether the user authenticates with the DC or AD.
Are there any variations to this? Does Cisco sell an appliance that does this?
I know of MAC-based security, but this isn't what I'm looking for. Basically, transparent authentication without adding MACs etc.
02-03-2004 11:57 AM
If the user is hitting ctrl+alt+del and entering authentication info, what the heck are they authenticating against if it is not active directory?
02-03-2004 01:29 PM
A NT 4.0 Domain controller in a mixed mode setting.
02-04-2004 06:41 AM
You can set up a trust between the NT 4 domain and the Win2k AD domain.
02-04-2004 09:29 AM
No, this isn't what I'm asking.
Basically, when you plug into a switch, you should get no Internet access unless you authenticate. When you plug into the switch, you're in a dead VLAN. When you log in to the domain, the switch forwards the request to the auth server, checks the reply, and if it's valid, switches the VLAN on that particular port.
02-04-2004 01:37 PM
This sounds like you're referring to AAA (authentication, authorization, and accounting)... I know this works for traversing a PIX, but I don't know if you can set it up to traverse a switch. The only options I see for AAA on a switch are console|telnet|both.
02-04-2004 02:26 PM
What you're looking for is 802.1x authentication at the switch port level. Newer Cisco switches do support this at different levels. You must be using an 802.1x-capable OS (XP SP1 or 2k with the MS add-on) or load URT (User Registration something-or-other).
The feature set in general is referred to as IBNS (Identity Based Networking Services). It can be done at the machine level using a certificate or at the user level utilizing the logged-in credentials.
You'll need an ACS server to accomplish this. In addition to authentication, you can hand out other things per group/user such as ACLs and VLAN. There's also guest support so that unidentified users can be given access to specific things.
The PIX can use AAA to authenticate users as they go through to the Internet and use ACS to determine what access they should have. This is not transparent, as a browser challenge occurs.
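The dynamic VLAN assignment described in the reply above works because the RADIUS server (ACS in this thread) returns three tunnel attributes in its Access-Accept, and the switch moves the port into the VLAN they name. The following is an added illustration for this thread, not Cisco or ACS code: it encodes and decodes those attributes using the standard numbers from RFC 2865/2868 (Tunnel-Type=64, Tunnel-Medium-Type=65, Tunnel-Private-Group-ID=81, with the values VLAN=13 and IEEE-802=6), and models the port decision the poster wants (dead VLAN until an Access-Accept arrives, optional guest VLAN when no supplicant answers). The attribute bytes are constructed here; the function names, the default VLAN numbers and the `port_vlan_decision` policy model are assumptions for the example.

```python
"""RADIUS Access-Accept attributes that drive 802.1x dynamic VLAN assignment.

Added example for the IBNS/ACS discussion; not Cisco code and not real ACS
output. Attribute numbers/values are the RFC 2865/2868 ones; the sample
attribute bytes below are constructed for the example.
"""

TUNNEL_TYPE = 64               # RFC 2868 3.1
TUNNEL_MEDIUM_TYPE = 65        # RFC 2868 3.2
TUNNEL_PRIVATE_GROUP_ID = 81   # RFC 2868 3.6
TUNNEL_TYPE_VLAN = 13          # "VLAN" value of Tunnel-Type
TUNNEL_MEDIUM_IEEE_802 = 6     # "802" value of Tunnel-Medium-Type


def encode_attr(attr_type, value, tag=0):
    """Encode one RADIUS attribute as Type/Length/Value.
    Tunnel attributes carry a leading tag byte; the integer ones then hold a
    24-bit value, the group-ID one holds a string."""
    if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
        body = bytes([tag]) + int(value).to_bytes(3, "big")
    elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
        body = bytes([tag]) + value.encode("ascii")
    else:
        body = value.encode("ascii") if isinstance(value, str) else bytes(value)
    if len(body) > 253:               # Length is one byte and includes T+L
        raise ValueError("attribute too long")
    return bytes([attr_type, len(body) + 2]) + body


def decode_attrs(data):
    """Parse a run of TLV attributes into [(type, raw_value), ...].
    Malformed lengths raise instead of being silently truncated, which is the
    check an attribute parser facing the network must have."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((t, data[i + 2:i + length]))
        i += length
    return out


def vlan_from_access_accept(attr_bytes):
    """Return the VLAN (ID or name, as a string) an Access-Accept asks for,
    or None when the three tunnel attributes are absent or do not describe a
    VLAN over 802 media. Attributes are grouped by tag (RFC 2868): a
    Tunnel-Type and a group-ID with different tags are not combined."""
    tunnels = {}  # tag -> {attr_type: value}
    for t, raw in decode_attrs(attr_bytes):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(raw) != 4:
                raise ValueError("tunnel integer attribute must be 4 bytes")
            tag = raw[0] if raw[0] <= 0x1F else 0   # >0x1F: treated as untagged
            tunnels.setdefault(tag, {})[t] = int.from_bytes(raw[1:], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            # First byte is a tag only if it is 0x00-0x1F; otherwise it is
            # the first character of the VLAN name (RFC 2868 3.6).
            if raw and raw[0] <= 0x1F:
                tag, body = raw[0], raw[1:]
            else:
                tag, body = 0, raw
            tunnels.setdefault(tag, {})[t] = body.decode("ascii", "replace")
    for attrs in tunnels.values():
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            return attrs[TUNNEL_PRIVATE_GROUP_ID]
    return None


def build_sample_accept(vlan):
    """Constructed Access-Accept attribute set for the example (what ACS
    would send for a user whose group maps to `vlan`)."""
    return (encode_attr(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + encode_attr(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
            + encode_attr(TUNNEL_PRIVATE_GROUP_ID, vlan))


def port_vlan_decision(outcome, attr_bytes=b"", access_vlan="10", guest_vlan=None):
    """Assumed model of the switch-port policy from the thread.
    outcome: 'accept', 'reject' or 'no-supplicant'. Returns the VLAN the
    port ends up in, or None when it stays unauthorized (the 'dead VLAN')."""
    if outcome == "accept":
        # No VLAN attributes in the Accept: the port keeps its configured VLAN.
        return vlan_from_access_accept(attr_bytes) or access_vlan
    if outcome == "no-supplicant":
        return guest_vlan       # guest VLAN if configured, else stay dead
    return None                 # Access-Reject: no forwarding at all


if __name__ == "__main__":
    print(port_vlan_decision("accept", build_sample_accept("20")))   # 20
    print(port_vlan_decision("accept"))                             # 10
    print(port_vlan_decision("reject"))                             # None
```

Two practical notes on the switch side: the VLAN in the Access-Accept is only honoured if the switch is told to take authorization from RADIUS (on IOS, `aaa authorization network default group radius`); without it the user still authenticates but the port stays in its configured access VLAN. And the parser's strictness matters: a switch or server that tolerates a bad Length byte is the kind of code that gets a malformed-packet crash, so reject rather than truncate.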
02-26-2004 03:52 PM
Hi,
Cisco has a device which is called URT (secure user reg tool); this can do exactly what you need, but you need to configure switches to do this.