Cisco Support Community

New Member

Transparent Authentication

I'm looking for a way to transparently authenticate NT/2000/XP users to Active Directory or a Domain Controller (via LDAP). I heard you can set up a Cisco switch to authenticate this way: a user hits Ctrl-Alt-Del, enters NT login info, the switch sees this login and checks whether the user authenticates with the DC or AD.

Are there any variations on this? Does Cisco sell an appliance that does this?

I know of MAC-based security, but this isn't what I'm looking for. Basically, transparent authentication without adding MACs etc.

7 REPLIES
Silver

Re: Transparent Authentication

If the user is hitting Ctrl+Alt+Del and entering authentication info, what the heck are they authenticating against if it is not Active Directory?

New Member

Re: Transparent Authentication

An NT 4.0 domain controller in a mixed-mode setting.

Silver

Re: Transparent Authentication

You can set up a trust between the NT 4 domain and the Win2k AD domain.

New Member

Re: Transparent Authentication

No, this isn't what I'm asking.

Basically, when you plug into a switch, you should get no Internet access unless you authenticate. When you plug into the switch, you're in a dead VLAN. When you log in to the domain, the switch forwards the request to the auth server, checks the reply, and if it is valid, switches the VLAN on that particular port.

New Member

Re: Transparent Authentication

This sounds like you're referring to AAA (authentication, authorization, and accounting)... I know this works for traversing a PIX, but I don't know if you can set it up to traverse a switch. The only options I see for AAA on a switch are console|telnet|both.

Silver

Re: Transparent Authentication

What you're looking for is 802.1x authentication at the switch port level. Newer Cisco switches do support this at different levels. You must be using an 802.1x-capable OS (XP SP1, or 2k with the MS add-on) or load URT (user registration something or other).

The feature set in general is referred to as IBNS (Identity Based Networking Services). It can be done at the machine level using a certificate or at the user level utilizing the logged-in credentials.

You'll need an ACS server to accomplish this. In addition to authentication, you can hand out other things per group/user such as ACLs and VLANs. There's also guest support so that unidentified users can be given access to specific things.

The PIX can use AAA to authenticate users as they go through to the Internet and use ACS to determine what access they should have. This is not transparent, as a browser challenge occurs.
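
The port behaviour the original poster describes (dead VLAN until login, then the switch moves the port to the VLAN the auth server returns) and the 802.1x/ACS setup in the reply above, as an added example switch configuration. This is not from the thread or from Cisco's documentation; it uses the Catalyst IOS 12.1(EA)/12.2(SE)-era `dot1x` command set, and the interface name, VLAN IDs (10 staff, 20 guest, 999 dead), RADIUS address and shared secret are all constructed placeholders.

```text
! Added example, not from the thread. 802.1X on an access port with a
! dead VLAN, a guest VLAN for clients without a supplicant, and the
! authorized VLAN supplied by the RADIUS/ACS server.

aaa new-model
! 802.1X supplicants are authenticated against the RADIUS group (ACS)
aaa authentication dot1x default group radius
! Required for the switch to accept a VLAN returned by ACS per user/group
aaa authorization network default group radius
! Constructed ACS address and shared secret
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key EXAMPLE-SECRET

! Turn 802.1X on globally; per-port settings below do nothing without it
dot1x system-auth-control

vlan 10
 name STAFF
vlan 20
 name GUEST
vlan 999
 name DEAD

interface FastEthernet0/1
 switchport mode access
 ! Port sits in the dead VLAN until a supplicant authenticates;
 ! on success the switch moves the port to the VLAN ACS returns
 switchport access vlan 999
 ! Only one MAC address may be authorized behind this port
 dot1x host-mode single-host
 ! Port stays unauthorized (no traffic) until EAP succeeds
 dot1x port-control auto
 ! Machines that never answer EAP-Request/Identity (no supplicant) land here
 dot1x guest-vlan 20
 ! Re-authenticate periodically so a disabled account loses access
 dot1x reauthentication
 dot1x timeout reauth-period 3600
 spanning-tree portfast
```

For the dynamic VLAN move, the ACS group or user profile returns the RFC 3580 attributes Tunnel-Type = VLAN (13), Tunnel-Medium-Type = 802 (6) and Tunnel-Private-Group-ID set to the VLAN name (older IOS matched on the name; later releases also accept the numeric ID). Two things to check when rolling this out: the guest VLAN receives every host that has no supplicant, not just visitors, so it should carry only what a guest actually needs, and `single-host` mode is what stops a hub behind an authenticated port from letting a second machine ride the first user's session.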

New Member

Re: Transparent Authentication

Hi,

Cisco has a device which is called URT (secure user reg tool); this can do exactly what you need, but you need to configure the switches to do this.
