802.1x question

I'm investigating implementing 802.1X for authentication on our network. Our primary access switch for users is the 3550. It appears straightforward; however, I have a question. How do you deal with software pushes to devices on the network where the users are logged off and the port is in an un-authorized state? If you try to access a device on the network will it automatically authenticate?

Catalyst switches offer configurable behavior in this regard. By default, switches offer a bidirectional controlled port. This means nothing should come into or out of the network until authorized by 1X. But this would not inter-operate with the above use case, and it is written into the 1X spec as well as a guideline for how to deal with this. It is a unidirectional controlled port. This means traffic can exit the network (like to wake a machine up for patches, etc.) but traffic is still disallowed inbound until authorized by 1X. Thus, the expectation here is that any machine that uses this must authenticate itself for network access ... which typically means machine-auth as pointed out above.
Hope this helps,

Similar Messages

  • Extremely basic 802.11n questions

    I just replaced an older AirPort hub with a Time Capsule, and I'm puzzled about the status of 802.11n networking.
    I only connect wirelessly to the Time Capsule with two core2duo machines (a MacBook and a MacBook Pro). The one older machine in the house with a pre-extreme AirPort card, a G5 iMac, is connected directly via ethernet. I had been under the impression that the MacBooks needed to be enabled for 802.11n use, but the Time Capsule disk does not appear to contain the 802.11n enabler (although this IS referenced in the opening ReadMe). Is there an enabler somewhere that I need to apply to these two machines? Is this automatically part of Leopard (as some things I've read have implied) or of something else? How can I determine that the machines really are enabled for 802.11n use?
    And then, how do I determine whether the network is actually running at 802.11n speed (and range)? My understanding is that connecting any non-n device (presumably including my iPhone) to the network will cause it to revert to b/g; how do I determine that this has happened? And does it revert back to n immediately after the non-n device disconnects?
    Thanks for any information, or for pointers to something more comprehensive on this than what I've found so far.

    James A. Weston wrote:
    I don't know how to test the so-called "speed" of a wireless network other than to use a stopwatch, but my understanding is that a mixed n/g/b network is only slowed down when a b or g client is actually using the network.
    And one g client using the network would slow down n-client users but not all the way down to g speeds. In other words, the n network does not revert to a g network.
    Assuming your understanding is correct, that answers the basic question I was asking. It also suggests that there's no reason for me to carefully turn off wireless networking on my iPhone whenever I'm home: it won't slow down network backups to Time Capsule unless I'm actually doing something significant on it.
    Thanks.

  • AEBS 802.11n questions..

    Hi
    I just bought an Airport Extreme Base Station. Pleased to say setup was a doddle - connected my external HD and all is fine. Just a couple of questions:
    1. How do I know the data transfer is at 802.11n? I have an iMac that I need to upgrade to n with an adapter - my MacBook should be fine but how do I find out what speed data is transferring on which?
    2. I had trouble setting up my Airport Express as a repeater. I configured this using WDS but two separate wifi signals were being detected and the AEBS stopped responding and refused to be recognised in Airport Utility. Can the AEx operate 802.11n?
    3. What is the airport disk utility that was installed for? My ext HD works fine but nothing appears in this utility.
    4. Finally, on my iMac two icons appear for my ext HD (it's got 2 partitions): one has an airport signal icon and the other a network icon. Also I can't get any icons to appear on my MacBook desktop. Why these differences?
    many thanks
    Nick

    If the Base Station radio is configured to n-only mode, then suffice it to say your wireless network will be running at n-speeds.
    However, if you want to use an Airport Express with it, you will need to configure the Base Station for n with b/g compatibility. The Airport Express does not support n speeds.
    There are several different ways a Mac can mount an Airport disk. Your questions will probably be answered in this article: AirPort: How to mount an AirPort Extreme USB hard disk volume in Mac OS X and Windows

  • About ISE 802.1X question!

    Today my colleagues and I deployed ISE and ran into the following question.
    Sometimes, on the same interface, one user's authentication and authorization succeed while another user's authentication and authorization do not. If I restart ISE it returns to normal.
    Why is that?
    Two ISE nodes, distributed deployment.
    I tested redundancy. I shut down the primary device, and got the following errors:
    LOG:==============================================
    The normal time:
    6509-vss#show authentication sessions interface g1/9/36
                Interface:  GigabitEthernet1/9/36
              MAC Address:  0021.cc68.a63e
               IP Address:  172.30.60.11
                User-Name:  daiyue
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
                  ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-51ef7db1
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC1E3C02000000410155DA40
          Acct Session ID:  0x0000006C
                   Handle:  0x73000041
    Runnable methods list:
           Method   State
           mab      Failed over
           dot1x    Authc Success
                Interface:  GigabitEthernet1/9/36
              MAC Address:  0026.2df8.a25f
               IP Address:  172.30.60.10
                User-Name:  daiyue
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
                  ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-51ef7db1
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC1E3C02000000400154E52C
          Acct Session ID:  0x0000006D
                   Handle:  0x91000040
    Runnable methods list:
           Method   State
           mab      Failed over
           dot1x    Authc Success
    When there is a problem:
    6509-vss#
    Feb 27 2014 17:43:11: %DOT1X-5-FAIL: Authentication failed for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:43:11: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:43:11: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:43:11: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:43:11: %AUTHMGR-5-FAIL: Authorization failed for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:47:52: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0026.2df8.a25f) on Interface Gi1/9/36
    Feb 27 2014 17:47:52: %AUTHMGR-5-START: Starting 'dot1x' for client (0026.2df8.a25f) on Interface Gi1/9/36
    Feb 27 2014 17:48:02: %DOT1X-5-FAIL: Authentication failed for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:48:02: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:48:02: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:48:02: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:48:02: %AUTHMGR-5-FAIL: Authorization failed for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:48:20: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:48:20: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    Feb 27 2014 17:48:25: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:48:25: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    Feb 27 2014 17:48:29: %DOT1X-5-SUCCESS: Authentication successful for client (0026.2df8.a25f) on Interface Gi1/9/36
    Feb 27 2014 17:48:29: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0026.2df8.a25f) on Interface Gi1/9/36
    Feb 27 2014 17:48:29: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0026.2df8.a25f| AuditSessionID AC1E3C020000004D01CCB640| AUTHTYPE DOT1X| EVENT APPLY
    Feb 27 2014 17:48:29: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0026.2df8.a25f| AuditSessionID AC1E3C020000004D01CCB640| AUTHTYPE DOT1X| EVENT IP-WAIT
    Feb 27 2014 17:48:30: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0026.2df8.a25f) on Interface Gi1/9/36
    Feb 27 2014 17:48:34: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:48:34: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    6509-vss(config-if)#
    6509-vss(config-if)#
    Feb 27 2014 17:48:49: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:48:49: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    Feb 27 2014 17:49:02: %AUTHMGR-5-START: Starting 'mab' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:49:13: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:49:13: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    Feb 27 2014 17:49:18: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:49:18: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    Feb 27 2014 17:49:21: %MAB-5-FAIL: Authentication failed for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:49:21: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:49:21: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:49:21: %AUTHMGR-5-START: Starting 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
    Feb 27 2014 17:49:23: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:49:23: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
    6509-vss(config-if)#end
    6509-vss#show
    Feb 27 2014 17:49:27: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
    Feb 27 2014 17:49:27: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.authen
    6509-vss#show authentication
    Feb 27 2014 17:49:28: %SYS-5-CONFIG_I: Configured from console by consolese
    6509-vss#show authentication sessions int
    6509-vss#show authentication sessions interface g1/9/36
                Interface:  GigabitEthernet1/9/36
              MAC Address:  0021.cc68.a63e
               IP Address:  Unknown
                User-Name:  0021cc68a63e
                   Status:  Running
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC1E3C020000004E01CCCA18
          Acct Session ID:  0x00000086
                   Handle:  0x7300004E
    Runnable methods list:
           Method   State
           mab      Failed over
           dot1x    Running
                Interface:  GigabitEthernet1/9/36
              MAC Address:  0026.2df8.a25f
               IP Address:  Unknown
                User-Name:  shenshu
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC1E3C020000004D01CCB640
          Acct Session ID:  0x00000089
                   Handle:  0xB400004D
    Runnable methods list:
           Method   State
           mab      Not run
           dot1x    Authc Success
    LOG:============================================

    Please consider the order in which the authentication methods fail, from here:
    http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-service/application_note_c27-573287.html#wp9000028
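    Added example, not from the thread or from Cisco: a short Python triage that parses syslog lines in the format quoted above, records each client's per-method results and authorization verdict, and flags a RADIUS server that keeps flipping between DEAD and ALIVE. The log lines are constructed to match the excerpt; the 60-second flap window is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, modelled on the 6509 syslog excerpt quoted in the thread
# above (same message formats, client MACs and RADIUS server as in the post).
# The bare "6509-vss#" prompt line is kept on purpose to show CLI echo being skipped.
SAMPLE_LOG = """\
Feb 27 2014 17:43:11: %DOT1X-5-FAIL: Authentication failed for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:43:11: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:43:11: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:43:11: %AUTHMGR-5-FAIL: Authorization failed for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:48:20: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
Feb 27 2014 17:48:20: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
Feb 27 2014 17:48:25: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
Feb 27 2014 17:48:25: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
Feb 27 2014 17:48:29: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0026.2df8.a25f) on Interface Gi1/9/36
Feb 27 2014 17:48:30: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0026.2df8.a25f) on Interface Gi1/9/36
6509-vss#
Feb 27 2014 17:49:02: %AUTHMGR-5-START: Starting 'mab' for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:49:21: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0021.cc68.a63e) on Interface Gi1/9/36
Feb 27 2014 17:49:23: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.30.60.54:1812,1813 is not responding.
Feb 27 2014 17:49:23: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.30.60.54:1812,1813 has returned.
"""

# "Mon DD YYYY HH:MM:SS: %FACILITY-SEV-MNEMONIC: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%(?P<facility>[A-Z0-9]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+): (?P<msg>.*)$"
)
CLIENT_RE = re.compile(r"client \((?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\) on Interface (?P<intf>\S+)")
RESULT_RE = re.compile(r"Authentication result '(?P<result>[^']+)' from '(?P<method>[^']+)'")
SERVER_RE = re.compile(r"RADIUS server (?P<server>\S+) ")


def parse_events(text):
    """Turn raw syslog lines into dicts; anything that is not a syslog line (CLI echo) is skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        msg = m.group("msg")
        ev = {"ts": datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S"),
              "facility": m.group("facility"), "mnemonic": m.group("mnemonic"),
              "mac": None, "intf": None, "method": None, "result": None, "server": None}
        c = CLIENT_RE.search(msg)
        if c:
            ev["mac"], ev["intf"] = c.group("mac"), c.group("intf")
        r = RESULT_RE.search(msg)
        if r:
            ev["method"], ev["result"] = r.group("method"), r.group("result")
        s = SERVER_RE.search(msg)
        if s:
            ev["server"] = s.group("server")
        events.append(ev)
    return events


def radius_flaps(events, window=timedelta(seconds=60)):
    """Per RADIUS server: total DEAD marks and the most DEAD marks inside any sliding window.
    Repeated DEAD/ALIVE pairs seconds apart mean the server answers some requests and drops others,
    which is worth checking before blaming the supplicant for 'no-response'."""
    dead_times = defaultdict(list)
    for ev in events:
        if ev["mnemonic"] == "RADIUS_DEAD" and ev["server"]:
            dead_times[ev["server"]].append(ev["ts"])
    report = {}
    for server, times in dead_times.items():
        times.sort()
        worst, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            worst = max(worst, end - start + 1)
        report[server] = {"dead_count": len(times), "max_in_window": worst}
    return report


def client_outcomes(events):
    """Per client MAC: ordered (method, result) attempts, whether the authenticator ran out of
    methods, and the last AUTHMGR authorization verdict."""
    clients = defaultdict(lambda: {"intf": None, "attempts": [], "exhausted": False, "authz": None})
    for ev in events:
        if not ev["mac"]:
            continue
        c = clients[ev["mac"]]
        c["intf"] = ev["intf"]
        if ev["mnemonic"] == "RESULT":
            c["attempts"].append((ev["method"], ev["result"]))
        elif ev["mnemonic"] == "NOMOREMETHODS":
            c["exhausted"] = True
        elif ev["facility"] == "AUTHMGR" and ev["mnemonic"] == "FAIL":
            c["authz"] = "failed"
        elif ev["facility"] == "AUTHMGR" and ev["mnemonic"] == "SUCCESS":
            c["authz"] = "succeeded"
    return dict(clients)


def triage(text):
    """One call that returns both views of the log."""
    events = parse_events(text)
    return {"radius": radius_flaps(events), "clients": client_outcomes(events)}


if __name__ == "__main__":
    for section, data in triage(SAMPLE_LOG).items():
        print(section)
        for key, value in data.items():
            print(f"  {key}: {value}")
```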

  • 802.1x question with ACS

    I have ACS 4.2 configured to authenticate Windows clients using PEAP. ACS is setup to check Active Directory to make sure the user and machine are valid.
    This process works fine but I want to be able to login as local admin (not part of active directory) but ACS does not have this user account and "authentication fails". I can create the user account as a local user but I have to create the account with machine account name, which means if I have 100 machines, then I have to create 100 machine account local admins.
    Is there an easier way to do this? How can I easily authenticate or bypass the local admin account?

    Hi,
    I am not sure if this is a dot1x question...
    It looks like you are having some difficulty with the user account creation...
    The Administrator account credentials need to be created in a database, either the ACS internal or the AD, or even another one.
    Where have you created the Administrator credentials account?
    Why do you say you have to create the account with machine account name?
    When you boot your PC, what is exactly happening? Are you able to enter the administrator account credentials on the login prompt for the dot1x authentication?
    Thanks,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • AEBS 802.11n question about bridging

    using AEBS 802.11n and connecting to an existing network which is using DHCP...
    internet button chosen
    internet connection panel chosen
    connect using : ethernet
    configure ipv4 : using dhcp
    ethernet wan port : automatic (default)
    connection sharing : share a public ip address
    is the AEBS acting as a bridge here? so, now the AEBS can pass out ip addresses that are different (local) network addresses than what the AEBS is receiving from the established network, which it is joining?? the established network 192.168.1 the AEBS DHCP network 10.0.1
    internet button chosen
    internet connection panel
    connect using : ethernet
    configure ipv4 : using dhcp
    ethernet wan port : automatic (default)
    connection sharing : Off (bridge mode)
    or...
    the AEBS is acting as a bridge here? (off (bridge mode)) can the AEBS pass out ip address using a different network address here? and if it does so there will be no NAT functionality?
    what does it mean to have DHCP functionality and no NAT. does using DHCP and no NAT mean that each computer, on the local network connected to the AEBS, that segment, must have a static address?

    In your first configuration, where connection sharing = share a public IP address, the AEBSn is still acting as a wireless router and, effectively, has created a second wireless subnet.
    In the second configuration, where connection sharing = Off (bridge mode), the AEBSn is "passing thru" the NAT/DHCP services from the router it's connected to so any devices connected to the AEBSn will still be on the same network as the upstream router.

  • 802.11n question

    I just got my MacBook Pro hooked up to the Airport Extreme base station. I checked my settings for the hardware and it says it is 802.11n enabled. Do I also have to install the Airport Utility software that came on the CD as well? Also, how do I check for stronger range and/or signal? Thanks

    If you have already set up the extreme from another mac, there is no need to install the software on your new MBP, although if you are using an airdisk this would be wise.
    So far as judging range and signal, my opinion: (although I'll no doubt get flamed)
    Walk around with the MBP, watch the signal strength and see how far you can go. In my opinion, far better to do a real test than rely on any fancy software which is no more than an estimate.

  • Cisco IP 7841 802.1x Configuration

    Hello Team,
    I am working with a customer that requires 802.1x configured in their environment. Based on my research so far, I believe this is the only way to make this work. Have any of you done this differently? Any feedback is greatly appreciated.
    CUCM
    Run the CTL Client to install the e-token so the CUCM Publisher can run the CAPF service
    Export the Cisco_Root_CA cert and upload it to a Radius server (preferably Cisco ACS if possible) so the phones can authenticate with
    Assign the cert to each phone that requires 802.1x authentication
    LAN Switches
    Stage the LAN switches without 802.1x so phones can retrieve the cert and complete the authentication before turning on 802.1x
    Questions
    Can phones be authenticated with their own MIC and the PCs with their own? Do phones and PCs have to run the same cert?
    Is MAB the only method to bypass the 802.1x phone authentication so only the PC can be authenticated via 802.1x without requiring the phone to do the 802.1x authentication?
    Thanks in advance for your feedback,
    Gerson

    Jaime,
    Thanks for pointing me to the correct area. By the way, do you have experience enabling 802.1x in CUCM? If so, do you think I am going in the right direction? Could you also provide some feedback on my questions?
    Thanks,
    Gerson

  • Third Party Certificate, 802.1X and Intermediate Certificate

    Hi Guys,
    Quick question:
    Have 802.1x setup with Windows Radius Server - Installed a GoDaddy certificate which came with an intermediate root certificate.
    I would like clients to validate the certificate to connect to the 802.1x.
    Question: Do I need to roll out the intermediate root certificate to all Windows devices (laptops) to validate the GoDaddy certificate that's presented to the wireless clients? The trusted root on the intermediate root certificate is already installed on Windows desktops.
    Thanks

    Hi,
    1. When you deploy 802.1X authenticated wired access that uses smart cards or other digital certificates for client authentication, you must deploy a private CA on your network by using AD CS.
    2. Purchasing certificates from a public CA, such as VeriSign, that is already trusted by Windows-based clients. This option is typically recommended for smaller networks.
    Advantages:
    Installing purchased certificates does not require as much specialized knowledge as deploying a private CA on your network, and can be easier to deploy in networks that have only a few NPS servers.
    Using purchased certificates can prevent specific security vulnerabilities that can exist if the proper precautions are not taken when deploying a private CA on your network.
    Disadvantages:
    This solution does not scale as well as deploying a private CA on your network. Because you must purchase a certificate for each NPS server, your deployment costs increase with each NPS server you deploy.
    Purchased certificates have recurring costs, because you must renew certificates prior to their expiration date.
    The related KB:
    PEAP-MS-CHAP v2-based Authenticated Wireless Access Design
    http://technet.microsoft.com/zh-cn/library/dd348500(v=ws.10).aspx
    EAP-TLS-based Authenticated Wired Access Design
    http://technet.microsoft.com/zh-cn/library/dd378869(v=ws.10).aspx
    Hope this helps.
    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

  • Certificate on acs

    Hello Folks
    WiFi users are authenticated via single sign-on on MS AD using ACS (802.1X).
    Question is: is it mandatory to generate a certificate in the ACS and then export it to the controller in order to let the authentication work?

    Hi Ibrahim,
    How are you?
    First, what 802.1X EAP are you using? What ACS rev are you on?
    I will assume PEAP.
    1) ACS cert is required. You have 2 options for a certificate.
         a. You can do a self-generated certificate which is created on and by the ACS server. This cert lasts 12 months from the time you create it. Here is further reading on the ACS self cert.
         Personally, I'm not a fan of the self-signed ACS certificate. Because if you validate the cert on the client you will need to push this cert to each client. I will explain that later.
    Self-signed Certificate Setup (only if you do not use an external CA)
    Note: When you test in the lab with self-signed certificates, it results in a longer authentication time the first time a client authenticates with the Microsoft supplicant. All subsequent authentications are fine.
    Complete these steps:
    On the Cisco Secure ACS server, click System Configuration.
    Click ACS Certificate Setup.
    Click Generate Self-signed Certificate.
    Type something into the Certificate subject field preceded by cn=, for example, cn=ACS33.
    Type the full path and name of the certificate that you want to create, for example, c:\acscert\acs33.cer.
    Type the full path and name of the private key file that you want to create, for example, c:\acscert\acs33.pvk.
    Enter and confirm the private key password.
    Choose 1024 from the key length drop-down menu.
    Note: While Cisco Secure ACS can generate key sizes greater than 1024, the use of a key larger than 1024 does not work with PEAP. Authentication might appear to pass in ACS, but the client hangs while authentication is attempted.
    Check Install generated certificate.
    Click Submit.
         b. You can get a CA-signed certificate. If you are using 4.x ACS you can generate what is called a CSR, Certificate Signing Request. You then send the CSR to a CA and they generate a cert for you.
    Here is a link to read up on the CA certificate.
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a0080545a29.shtml#t14
    How and where to install the certs and how it works...
    1) The cert is installed on the ACS server and the client IF a) you are validating the cert on the client b) you are using an ACS self-signed cert.
    So the ACS server has a cert installed on it. This cert is used to build a secure tunnel between the ACS server and the wireless client so that when the wireless client passes its credentials they can not be seen, as they are passed in the tunnel created by the certificate (think HTTPS).
    When a wireless client connects, the WLC / WLAN is configured with 802.1X. So the WLC passes all the authentication traffic directly to the ACS. So the WLC DOESN'T NEED TO KNOW ABOUT THE CERT. This chatter is just between the ACS and the wireless client and the WLC acts as the middle man.
    So the wireless client connects. The ACS server sends the cert (the one you added) to the wireless client. The wireless client has 2 configurable options: 1) Validate the certificate 2) Not validate the certificate. If you validate the certificate then that cert needs to be on the client, because the client is going to look at the cert presented by the ACS server and see if it has it in its root store, thus validating it. Or you can not validate it. If you don't validate it, it's a BIG security boo boo.
    Make sense?

  • Scjp 1.5 exam details

    I am planning to take the SCJP 1.5 exam. Can someone tell me the details about the exam: how many questions will there be, what is the time allowed and what is the pass mark of the exam?
    Please let me know from where I can get any further details, example questions.
    Thank you...


  • 802.1x for user authentication setup questions

    Hi,
    I am fairly new to the 802.1x realm. I have read several documents on how the setup is accomplished and I was hoping someone could validate the setup I have in mind to make sure I am on the right page. Any comments or assistance would be greatly appreciated; I do not have the infrastructure to test everything beforehand.
    I have a remote site with a switch and router. I want to authenticate users using their AD credentials. At the datacenter I will have ACS 5.2, a Windows 2008 enterprise server for AD service and CS service. I do not have the option to install an additional client on the PC like AnyConnect; I need to use the Windows OS supplicant without installing physical certificates on the machine.
    - Within the CS service I will generate a certificate that will be imported by ACS.
    - I will activate ACS to integrate with AD
    - I do not want to install certificates on the client machines so I will use PEAP w/ MSCHAPv2
    - The authenticating clients will be XP w/ SP3. I am hoping that a group policy can be created to enable the wired service to start automatically, and I will also need to add my CS/CA server as a trusted authority unless I purchase a VeriSign certificate to be used. Correct? Or will this need to be done when the desktop image is installed on the PC?
    Additional Questions:
    - With the setup I described above using MSCHAPv2 when the user boots the computer in the morning, hits ctrl+alt+delete and provides their AD credentials will this act as a single sign on? first authenticating them through 802.1x so the port is authorized and then authenticating them to the AD server? or will there be some type of pop up window that will appear before the ctrl+alt+delete window? making the user provide credentials twice (annoying)
    - Once the user is authenticated can I push an ACL down to the switch to enforce a set policy? Or does this happen on the router?
    - Most of the documents I have read are related to L2 802.1x. Is there an L3 option that includes the router that I should be looking at to provide more features?
    - Can anyone speak to their experience with the Windows OS supplicants? Is the functionality flaky/clunky, or if the backend is set up properly does it work seamlessly?
    Sorry for the long winded post but I am kind of shooting in the dark without having the equipment to test with. Any help is appreciated!
    Thanks

    Thanks to you both for the responses.
    I have a few followup questions which I have added inline.
    Q:
    - With the setup I described above using MSCHAPv2 when the user boots the computer in the morning, hits ctrl+alt+delete and provides their AD credentials will this act as a single sign on? first authenticating them through 802.1x so the port is authorized and then authenticating them to the AD server? or will there be some type of pop up window that will appear before the ctrl+alt+delete window? making the user provide credentials twice (annoying)
    A: If you select "Use windows credentials" it won't prompt you for credentials. So all automatic.
    However note that it will only login AFTER you entered the credentials on the logon page. So you won't have network connectivity for the initial logon, so no login scripts this way.
    With your comments I am rethinking my approach. I am considering that, if the company security policy will allow it, I will do machine authentication only instead of user auth. Obviously this is not as secure since a rogue user could change the local admin password and have access to the network. But in terms of simplicity and ease of use, machine authentication provides a transparent authentication mechanism that should suffice. I would just have to sell the solution to security.
    There are a few things I need to understand before pursuing this.
    - Will the machine be 802.1x authenticated and on the network before the ctrl+alt+delete? So when the user logs in the machine has passed 802.1x already and has received an IP from DHCP? This is my hope.
    - Is PEAP/MSCHAP still the supported protocol so no physical cert is required per machine? No EAP-TLS?
    - Is the machine profile on the AD server used for 802.1x verification/authentication? Meaning ACS will pass off to AD to verify the machine is part of the domain? Or do you have to create machine profiles in ACS?
    - I have read a few articles out there about issues with machine auth with clients using XP; perhaps this was related to previous service packs before SP3? There was mention of registry changes required etc.
    - Is there a different supplicant offered by Cisco that is more robust that would provide more stability, or does the Cisco supplicant cost money per user license or other etc.?
    Again your feedback is invaluable as I do not have the physical equipment to test with. Unfortunately I have to propose a solution before actually testing something, which I am not particularly fond of.
    Regards,
    Eric

  • Some questions on 802.1x?

    Hello Everyone
    I have a few questions regarding 802.1x authentication in a weird environment and with VLAN assignment by ACS. Please help me with these.
    1. How do I use 802.1x authentication in a Windows environment with domain authentication? Is it that the PC first needs to be authenticated and then the user? If that's the case how do I configure Windows for that?
    2. Is it possible to have access-control based on roles? I have read about this on blogs but how do I configure it? Any resources?
    3. I have 3-4 offices at different locations and one data center where the RADIUS server and other intranet applications are hosted. All sites have MPLS connectivity and use the same RADIUS server. A user is configured in ACS for dynamic VLAN assignment to VLAN 25. From Office A (the user's primary office) he would not have any problems in authentication. What if the user goes to Office B and tries to authenticate? Will he be assigned to VLAN 25? What if VLAN 25 is not present in Office B? How do we deal with this situation?
    I know I have asked a lot in this post but I will be very grateful if you can help me with this.
    Thanks in advance
    Deepak Khemani

    Deepak,
    1) You can set it up either way (machine or user authentication). The machine or user needs to be authenticated, and then the RADIUS server assigns the appropriate VLAN.
    2) Yes, that is what dynamic VLAN assignment is all about.
    This doc will give you a heads-up about dot1x.
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_13_ea1/configuration/guide/Sw8021x.html
    3) If the user logs in from office B you can assign a different VLAN that allows access as per the user profile (in case VLAN 25 is not present at the remote office). I'm not sure about your setup, but this is very much achievable.
    Regards,
    ~JG
    Do rate helpful posts!

  • 802.1X Port Authentication\ACS Question

    Hello,
    I'm troubleshooting a 3560 port authentication issue. From what I was told by other members of my team, when we upgraded to Windows 7 at this site authentication no longer works. I compared an old config to a recent one and noticed there was no command dot1x system-auth-control.
    I have only been dealing with 802.1x for a short time, and my other configs have this command. My question is: without this command, could there still have been port authentication working? On an interface, for example, they do have the following, which is in line with my other configs. FYI, I didn't set this site up and it has the rest of the config correct, like radius and aaa. When I went onsite to test, I shut down the service on my laptop for 802.1x, which should have blocked me, so I thought. When I checked the ACS server for the log it showed my username and my correct IP address along with the correct switch, but it showed I connected using PAP_ASCII. I'm not sure how this protocol got used since we don't use that. Thanks for any suggestions you might have.
    dot1x pae authenticator
    dot1x port-control auto
    dot1x host-mode multi-host
    dot1x violation-mode protect
    dot1x reauthentication
    aaa new-model
    aaa authentication password-prompt PASSCODE---->
    aaa authentication login default group radius local
    aaa authorization exec default group radius local
    aaa session-id common

    I have a little more to add. I was looking in the ACS and did find PAP_ASCII checked, so at my home office, which I know port security to be working at, at least that's what I thought, I turned off wired auto config and could still get on, and when I looked at the ACS logs I saw my name with this protocol again. Not sure how this got turned on, but my question becomes: if 802.1x is set up on the switch but ACS allows this protocol and my laptop isn't running any 802.1x settings, I can still get on the network. Is this the correct behavior for this setup?
    Thanks,

  • 802.1x Dynamic VLAN Switching Question

    Trying to set up 802.1x dynamic VLAN switching, and have a question. I think I've gotten it working except for one part. The VLAN on a protected interface is never getting switched. I can see an entry in the ACS stating that it applied the appropriate VLAN via RADIUS response, but it never changes on the switch.
    Environment:
    ACS Express 5.0.1
    C3550 running c3550-ipbasek9-mz.122-44.SE6.bin
    Switch config:
    aaa new-model
    aaa group server radius dot1x
    server-private 10.10.1.4 auth-port 1645 acct-port 1646 key 7 071C244F5C0C0D544541
    aaa authentication dot1x default group dot1x
    dot1x system-auth-control
    dot1x guest-vlan supplicant
    interface FastEthernet0/3
    switchport access vlan 3
    switchport mode access
    speed 100
    duplex full
    dot1x pae authenticator
    dot1x port-control auto
    dot1x violation-mode protect
    dot1x timeout tx-period 5
    dot1x timeout supp-timeout 5
    spanning-tree portfast
    ip radius source-interface FastEthernet0/1 vrf default
    radius-server host 10.10.1.4 auth-port 1645 acct-port 1646 key 7 01000307490E125E731F
    Am I missing something easy?

    It looks like "aaa authorization network default group dot1x" was the missing command I needed to get this working.
    The only issue I'm having now is that if the client fails to meet the authentication requirements, the line status gets set as "down".
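As an added example (not code from this thread or from Cisco), a small Python checker that parses a switch configuration like the ones pasted above and flags the global commands the thread shows are needed: dot1x system-auth-control (the 3560 question) and aaa authorization network (the dynamic VLAN fix). The sample configuration is constructed from the posted one, with the key strings replaced by placeholders.

```python
# Constructed sample based on the dynamic VLAN post above; the fix line
# "aaa authorization network default group dot1x" is deliberately absent.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius dot1x
 server-private 10.10.1.4 auth-port 1645 acct-port 1646 key 7 KEY_PLACEHOLDER
aaa authentication dot1x default group dot1x
dot1x system-auth-control
interface FastEthernet0/3
 switchport access vlan 3
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x violation-mode protect
 spanning-tree portfast
radius-server host 10.10.1.4 auth-port 1645 acct-port 1646 key 7 KEY_PLACEHOLDER
"""

# Global command prefixes that must be present, with the consequence of omitting them.
REQUIRED_GLOBAL = {
    "dot1x system-auth-control": "802.1X not enabled globally; ports never authenticate",
    "aaa authentication dot1x": "no dot1x method list; EAP is never forwarded to RADIUS",
    "aaa authorization network": "no network authorization; RADIUS VLAN attribute is ignored",
}
REQUIRED_INTERFACE = ("dot1x pae authenticator", "dot1x port-control auto")


def parse_config(text):
    """Split an IOS-style config into global lines and per-interface line lists."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):          # unindented line ends any interface block
            current = None
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line.strip())
        else:
            global_lines.append(line.strip())
    return global_lines, interfaces


def audit_dot1x(text):
    """Return a list of findings; an empty list means every required command is present."""
    global_lines, interfaces = parse_config(text)
    findings = []
    for prefix, why in REQUIRED_GLOBAL.items():
        if not any(l.startswith(prefix) for l in global_lines):
            findings.append(f"global: missing '{prefix}' ({why})")
    for name, lines in interfaces.items():
        if not any(cmd in lines for cmd in REQUIRED_INTERFACE):
            continue                           # not an 802.1X port, nothing to check
        findings.extend(f"{name}: missing '{cmd}'" for cmd in REQUIRED_INTERFACE if cmd not in lines)
    return findings
```

Running audit_dot1x on SAMPLE_CONFIG reports only the missing aaa authorization network line; appending that command clears the finding.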
