OS-X - 802.1x and machine authentication

Similar Messages

• 802.1x Wireless - Enforce user AND machine authentication

  I am using ACS v5.6 and I'd like to confirm that it is not possible to enforce both user and machine authentication against AD before allowing wireless access to Windows 7 clients, using PEAP/MSCHAPv2 and the built-in 802.1x supplicant.
  The only workaround seems to involve MAR (Machine Access Restrictions), which has pretty significant drawbacks.
  I'd rather not have to deploy user and machine certificates.
  All I want to do is allow access to the wireless network only if the device and the user are in AD.
  It's such a simple scenario that I must be missing something.
  Any suggestions are welcome. Thanks in advance for your comments.
  Lucas

  In my opinion, the only solution that works is using NAM and EAP-Chaining with ISE as radius backend, last time i looked in ACS release notes was 5.4, and it didn't have eap-chaining support.
  Using the built-in windows supplicant will only authenticate user or machine at any time, not both. As you discovered, the feature called MAR used to be what was being recommended (mostly because nothing else existed), What most people miss when they say this will work fine with windows supplicant and acs, is the fact that you cannot be sure that when the user authenticates, he is doing it from an authenticated machine, this is mainly due to the shortcomings.of MAR. You should consider migrating to ISE if you are not using any TACACS features on ACS.

• ACS 5.4 and machine authentication

  Hi,
  I am installing ACS 5.4 for WiFI user and using EAP-TLS/ certificate based authentication.
  I have Authorization profile created as shown in attachement.
  Under authorization profile i have selcted "Was Machine Authenticated=True"Condition.
  Somehow clients are not able to connect. When I looked at logs on ACS it shows that the requests are not matching this rule bu default rule.
  As soon as I disable this condition, user gets connected
  I have already selected "Enable Machine Authentication" under AD & "Process host Lookup" in allowed protocol.
  Any Suggesions?
  Regards,
  Shivaji

  Shivaji,
  The purpose of the "wasmachineauthenticated" attribute is for user authentication, this is your typical "chicken or the egg" scenario since machine authentication needs to be performed without this attribute for successful authentication.
  When successful machine authentication occurs there is a MAR cache within ACS uses to track the mac address of the device. In your case you are forcing ACS to look for a "WasMachineAuthenticated" during the initial machine authentication which will not succeed.
  In my experience it is best to set this in environments where users' can only authenticate through registered workstations (typically machines that are joined to AD), so when a user attempts to use their 802.1x credentials on a smart phone or non-registered asset, they get denied since the device does not have machine credentials to join the network.
  I hope this bring some clarification to Edward's recommendation.
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• 802.1x PEAP Machine Authentication with MS Active Directory

  802.1x PEAP Machine and User Authentication with MS Active Directory:
  I have a simple pilot-text environment, with
  - Microsoft XP Client,
  - Cisco 2960 Switch,
  - ACS Solution Engine (4.1.4)
  - MS Active Directory on Win 2003 Server
  The Remote Agent (at 4.1.4) is on the same server as the MS AD.
  User Authentication works correctly, but Machine Authentication fails.
  Failed machine authenticaton is reported in the "Failed Attempts" log of the ACS SE.
  The Remote Agent shows an error:
  See Attachment.
  Without Port-Security the XP workstation is able to log on to the domain.
  Many thanks for any indication.
  Regards,
  Stephan Imhof

  Is host/TestClientMan.Test.local the name of the machine? What does the AAA tell for you the reason it fails?

• 802.1x Implementation - Machine Authentication

  Hello friends...
  I am trying to implement 802.1x in my network, but I have a problem.
  I have an environment with Cisco ACS appliance 4.1.2.12, switches 3560 12.2(37)SE1 and clients Microsoft Windows XP and 2000.
  My problem is: I want to implement Machine Authentication with PEAP. When I use MS-PEAP (native Windows) the ACS don`t log and the access is not permitted, but when I use Cisco-PEAP (SCC) every works perfectly.
  Could you help me? I need that 802.1x works with MS-PEAP...
  Regards,
  Cris

  Following links can help you with the configuration:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0e4.shtml
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a0080545a29.shtml#t21
  Hope this helps
  ~Rohit

• ISE and machine authentication

  Hi
  I have ISE 1.1  : user authentication is working fine
  Now I need to implement machine authentication
  But I have 2 requirement
  1- User must remove and plug his network cable as he want (without close windows session or restart his computer) and his computer should be authenticated evry time as with user authentication
  2- I must not install any software or client applicatin on the computer
  Is there any method of machine authentication that respect thise 2 requirements above
  Regards

  I guess you need to review the below listed thread as we are discussing the same thing. You have to create an authorization rule highlighted in the screen shot.
  https://supportforums.cisco.com/message/4044276#4044276
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• EAP-TLS User and machine authentication question

  Hello,
  i have a question regarding EAP TLS authentication in a wireless environment. We use Cisco AnyConnect NAM client and an ACS 5.1 to do EAP-TLS authentification. The Laptop and the user can be successfully authenticated using a certificate from our internal CA. i can also check the in our corporate AD if the user and machine are member of a certain group and based on the membership a can grant access to the network.
  i can see in the ACS when the laptops after a reboot logs on to the network, but i don't see a log when the laptop comes back from hibernate mode, i guess this is normal because the laptop sends only the autentication equest after rebooting.
  What i'd like to achive is, when a user logs on the it should always be checked if the machine was authenticated prior the user can get access to the network. Is there a way to do this with EAP-TLS and a LDAP connection to Active Directory.
  thanks in advanced
  alex

  Sounds like you rather want to use PEAP/MSChapV2

• Enabling 802.1x and MAC Authentication Bypass on ACS 4.2

  Hi experts,
  I have a few questions regarding 802.1x & MAC Authentication Bypass configured on ACS 4.2.
  i. Is it possible to configure MAC authentication + 802.1x on ACS 4.2 at the same time? Here is the scenario;
  Our company would like to enforce 'double authentication' on each staff machine (include those personal laptop/notebook). Each time the staff plugged into company's network, they will need to supply username & password in order to get access. After that, the ACS server will also check whether the user's MAC address is valid by checking against its own database. This MAC address is tied to the staff's user profile in ACS. If the login information supplied by the staff is valid but the MAC address of their machine is not match in ACS database, then the staff will not be able to gain access unless after notifying the administrator about it.
  ii. If it is possible, any reference that I can check on how to configure this?
  The reason why I need MAC authentication + 802.1x to be configured at ACS as most of our switches are not cisco based and only capable to support 802.1x.
  Hope anyone here could help me on this.
  Thanks very much,
  Daniel

  With ACS, you can setup NARs (or Network Access Restrictions) to permit/deny access based on IP/non-IP based filters (like MAC Addresses).
  Specific info is here:
  <http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008018494f.html#313>
  Hope this helps,

• 802.1x and eDir Authentication

  We are purchasing the Enterasys 802.1x NetSight policy manager (running on SLES 9 with OES) along with new Matrix N3 and C2 switches. We plan on utilizing 802.1x authentication on both our wired and wireless networks. We currently use NW 6.5 with BM 3.8 and NMAS RADIUS for wireless MAC authentication and it works well. I understand that BM/NMAS RADIUS does not work with 802.1x authentication.
  I have read the previous two posts "How to implement a secure wireless solution (PEAP/EAP-TTLS)" and "eDirectory and 802.1x wireless authentication" Thank you Jim and others for your ideas and information.
  My question is, has Novell gotten off their hands and provided a solution yet? Will they? I will look into the Funk Odyssey / Steel Belted Radius software, freeRadius, and Radiator.
  Are there any other suggestions? Any changes since the above postings in January / February?
  I just wish Novell were more leading edge with the new technologies. It has been quite disappointing.
  Thanks,
  OZ
  Owen Zorge
  IT Specialist III
  AZ Department of Emergency and Military Affairs
  602-392-7507
  [email protected]

  Thank you for the info and link Jim. I seem to remember a session at BrainShare this year that discussed this issue. I'll also look up that presentation on the CD I just received.
  I have already contacted Funk to get some information on their 802.1x client. Any idea when Novell will integrate 802.1x authentication into the NetWare Client?
  Thanks again,
  OZ
  Owen Zorge
  IT Specialist III
  AZ Department of Emergency and Military Affairs
  602-392-7507
  [email protected]
  >>> Jim Michael<[email protected]> 5/24/2005 1:55:03 PM >>>
  Owen Zorge wrote:
  > My question is, has Novell gotten off their hands and provided a
  > solution yet? Will they?
  Yes, they have. You still cannot use the NetWare RADIUS server (it's
  dead), but Novell contributed code to the freeRADIUS project that lets
  you do 802.1x a wee bit easier than what I had to go through.
  I suggest you start here
  http://www.novell.com/documentation/...ius/index.html
  > I will look into the Funk Odyssey / Steel
  > Belted Radius software, freeRadius, and Radiator.
  Understand that you will most likely need at least the Odyssey *client*
  (supplicant) for your Windows boxes. The 802.1x supplicant that ships in
  WindowsXP works, but doesn't have enough features for most shops. This
  has nothing to do with Novell and is purely a client-side issue.
  Jim
  NSC SYsop

• Urgent 802.1x and MAC-Authentication Problem

  Hi all
  I want to deploy the mac- authentication in my network. and I have 3000 users. In the lab the authenticatoion for the machine takes:
  Vista : 15 - 20 seconds
  XP : 30 - 35 seconds
  Is there any way to reduce this time less than 10 seconds. My users count are 3000 will the time go bigger because of this.
  Please help me.
  Thanks and Best Regards
  amady

  With ACS, you can setup NARs (or Network Access Restrictions) to permit/deny access based on IP/non-IP based filters (like MAC Addresses).
  Specific info is here:
  <http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008018494f.html#313>
  Hope this helps,

• ISE 1.1 - 24492 Machine authentication against AD has failed

  We implement Cisco ISE 802.1X and Machine Authentication With EAP-TLS.
  Authentication Summary
  Logged At:
  March 11,2015 7:00:13.374 AM
  RADIUS Status:
  RADIUS Request dropped : 24492 Machine authentication against Active Directory has failed
  NAS Failure:
  Username:
  [email protected]
  MAC/IP Address:
  00:26:82:F1:E6:32
  Network Device:
  WLC : 192.168.1.225 :  
  Allowed Protocol:
  TDS-PEAP-TLS
  Identity Store:
  AD1
  Authorization Profiles:
  SGA Security Group:
  Authentication Protocol :
  EAP-TLS
   Authentication Result
  RadiusPacketType=Drop
   AuthenticationResult=Error
   Related Events
   Authentication Details
  Logged At:
  March 11,2015 7:00:13.374 AM
  Occurred At:
  March 11,2015 7:00:13.374 AM
  Server:
  ISE-TDS
  Authentication Method:
  dot1x
  EAP Authentication Method :
  EAP-TLS
  EAP Tunnel Method :
  Username:
  [email protected]
  RADIUS Username :
  host/LENOVO-PC.tdsouth.com
  Calling Station ID:
  00:26:82:F1:E6:32
  Framed IP Address:
  Use Case:
  Network Device:
  WLC
  Network Device Groups:
  Device Type#All Device Types,Location#All Locations
  NAS IP Address:
  192.168.1.225
  NAS Identifier:
  WLC-TDS
  NAS Port:
  4
  NAS Port ID:
  NAS Port Type:
  Wireless - IEEE 802.11
  Allowed Protocol:
  TDS-PEAP-TLS
  Service Type:
  Framed
  Identity Store:
  AD1
  Authorization Profiles:
  Active Directory Domain:
  tdsouth.com
  Identity Group:
  Allowed Protocol Selection Matched Rule:
  TDS-WLAN-DOT1X-EAP-TLS
  Identity Policy Matched Rule:
  Default
  Selected Identity Stores:
  Authorization Policy Matched Rule:
  SGA Security Group:
  AAA Session ID:
  ISE-TDS/215430381/40
  Audit Session ID:
  c0a801e10000007f54ffe828
  Tunnel Details:
  Cisco-AVPairs:
  audit-session-id=c0a801e10000007f54ffe828
  Other Attributes:
  ConfigVersionId=7,Device Port=32768,DestinationPort=1812,RadiusPacketType=AccessRequest,Protocol=Radius,Framed-MTU=1300,State=37CPMSessionID=c0a801e10000007f54ffe828;30SessionID=ISE-TDS/215430381/40;,Airespace-Wlan-Id=1,CPMSessionID=c0a801e10000007f54ffe828,EndPointMACAddress=00-26-82-F1-E6-32,GroupsOrAttributesProcessFailure=true,Device Type=Device Type#All Device Types,Location=Location#All Locations,Device IP Address=192.168.1.225,Called-Station-ID=e0-d1-73-28-a7-70:TDS-Corp
  Posture Status:
  EPS Status:
   Steps
  11001  Received RADIUS Access-Request
  11017  RADIUS created a new session
  Evaluating Service Selection Policy
  15048  Queried PIP
  15048  Queried PIP
  15048  Queried PIP
  15048  Queried PIP
  15004  Matched rule
  11507  Extracted EAP-Response/Identity
  12500  Prepared EAP-Request proposing EAP-TLS with challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12502  Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
  12800  Extracted first TLS record; TLS handshake started
  12805  Extracted TLS ClientHello message
  12806  Prepared TLS ServerHello message
  12807  Prepared TLS Certificate message
  12809  Prepared TLS CertificateRequest message
  12505  Prepared EAP-Request with another EAP-TLS challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12504  Extracted EAP-Response containing EAP-TLS challenge-response
  12505  Prepared EAP-Request with another EAP-TLS challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12504  Extracted EAP-Response containing EAP-TLS challenge-response
  12505  Prepared EAP-Request with another EAP-TLS challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12504  Extracted EAP-Response containing EAP-TLS challenge-response
  12505  Prepared EAP-Request with another EAP-TLS challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12504  Extracted EAP-Response containing EAP-TLS challenge-response
  12571  ISE will continue to CRL verification if it is configured for specific CA
  12571  ISE will continue to CRL verification if it is configured for specific CA
  12811  Extracted TLS Certificate message containing client certificate
  12812  Extracted TLS ClientKeyExchange message
  12813  Extracted TLS CertificateVerify message
  12804  Extracted TLS Finished message
  12801  Prepared TLS ChangeCipherSpec message
  12802  Prepared TLS Finished message
  12816  TLS handshake succeeded
  12509  EAP-TLS full handshake finished successfully
  12505  Prepared EAP-Request with another EAP-TLS challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12504  Extracted EAP-Response containing EAP-TLS challenge-response
  Evaluating Identity Policy
  15006  Matched Default Rule
  24433  Looking up machine/host in Active Directory - [email protected]
  24492  Machine authentication against Active Directory has failed
  22059  The advanced option that is configured for process failure is used
  22062  The 'Drop' advanced option is configured in case of a failed authentication request
  But the user can authenticated by EAP-TLS
  AAA Protocol > RADIUS Authentication Detail
  RADIUS Audit Session ID : 
  c0a801e10000007f54ffe828
  AAA session ID : 
  ISE-TDS/215430381/59
  Date : 
  March     11,2015
  Generated on March 11, 2015 2:48:43 PM ICT
  Actions
  Troubleshoot Authentication 
  View Diagnostic MessagesAudit Network Device Configuration 
  View Network Device Configuration 
  View Server Configuration Changes
  Authentication Summary
  Logged At:
  March 11,2015 7:27:32.475 AM
  RADIUS Status:
  Authentication succeeded
  NAS Failure:
  Username:
  [email protected]
  MAC/IP Address:
  00:26:82:F1:E6:32
  Network Device:
  WLC : 192.168.1.225 :  
  Allowed Protocol:
  TDS-PEAP-TLS
  Identity Store:
  AD1
  Authorization Profiles:
  TDS-WLAN-PERMIT-ALL
  SGA Security Group:
  Authentication Protocol :
  EAP-TLS
   Authentication Result
  [email protected]
   State=ReauthSession:c0a801e10000007f54ffe828
   Class=CACS:c0a801e10000007f54ffe828:ISE-TDS/215430381/59
   Termination-Action=RADIUS-Request
   cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-508adc03
   MS-MPPE-Send-Key=5a:9a:ca:b0:0b:2a:fe:7d:fc:2f:8f:d8:96:25:50:bb:c8:7d:91:ba:4c:09:63:57:3e:6e:4e:93:5d:5c:b0:5d
   MS-MPPE-Recv-Key=24:fa:8d:c3:65:94:d8:29:77:aa:71:93:05:1b:0f:a5:58:f8:a2:9c:d0:0e:80:2d:b6:12:ae:c3:8c:46:22:48
   Airespace-Wlan-Id=1
   Related Events
   Authentication Details
  Logged At:
  March 11,2015 7:27:32.475 AM
  Occurred At:
  March 11,2015 7:27:32.474 AM
  Server:
  ISE-TDS
  Authentication Method:
  dot1x
  EAP Authentication Method :
  EAP-TLS
  EAP Tunnel Method :
  Username:
  [email protected]
  RADIUS Username :
  [email protected]
  Calling Station ID:
  00:26:82:F1:E6:32
  Framed IP Address:
  Use Case:
  Network Device:
  WLC
  Network Device Groups:
  Device Type#All Device Types,Location#All Locations
  NAS IP Address:
  192.168.1.225
  NAS Identifier:
  WLC-TDS
  NAS Port:
  4
  NAS Port ID:
  NAS Port Type:
  Wireless - IEEE 802.11
  Allowed Protocol:

  Hello,
  I am analyzing your question and seeing the ISE logs i can see that the machine credentials was LENOVO-PC. Do you have shure that these credentials has in your Active Directory to validate this machine ? The machine certificate has the correct machine credentials from the domain ? The group mapped in the ISE rule has the machine inside this group ?
  Differently from the user authentication that happens with success because the domain credentials can be validate from the Active Directory and get access to the network.

• Is it possible to do machine and user authentication in same Authorization profile?

  Hi,
  I want to know is it possible to do machine authenticaiton and user authentication happen at the same time? Some thing like this...
  Condition
  IF ( wired_802.1x and AD:externalgroup EQUAL dommain computer AND    AD:exteranalgroup EQUAL Some_domain_user_group )
  Permissions
  then Vlan x
  Basically i am trying to check a machine is part of domain and user is valid only then he should be able to have full access.
  Any help will be of great value.

  Hi,
  IF ( wired_802.1x and AD:externalgroup EQUAL dommain computer AND    AD:exteranalgroup EQUAL Some_domain_user_group )
  - Not possible
  As user and machine authentication occur at different contexts.
  ACS cannot verify the both at the same time.
  Using MAR, you can, though club the both together and achieve:
  "machine is part of domain and user is valid only then he should be able to have full access"
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1235978
  Tips for configuring MAR:
  1) Set the client to perform user or computer authentication.
  2) Create two rules in authorization, one for user and and one for machine (identity them by using group membership on AD).
  3) Enable MAR under the AD configuration page on ACS and set the aging time.
  4) In the user rule, customize and use the condition "Was machine authenticated" and set it to true.
  Rate if useful

• Machine authentication with Windows 7

  Version: ISE 1.2p12
  Hello,
  I'm doing user and machine authentication with ISE.
  I use a first authorization rule to authenticate the machine against the AD. If it's part computers of the domain.
  Then I use an authorization rule to check if the user's group in AD with the credential he used to open the session + "Network Access:WasMachineAuthenticated = True"
  Things seems to be working and I see my switch port is "Authz Success" but shortly after the Windows 7 machine is behaving like 802.1X authentication fails. The little computer on the bottom right has a cross on it.
  If I disable and enable again the network card of that windows machine it works.
  Does any one of you have an idea about this problem ? something to tweak on Windows 7 like timers...
  Thank you

  Hi Mika. My comments below:
  a) You told me that MAR ("Network Access:WasMachineAuthenticated = True") has some drawbacks. When hibernation is used it can cause problems since the MAC address could have been removed from the cache when the user un-hibernate its computer. Then why not increasing the MAR cache to a value of 7 days then ? Regarding the roaming between wire and wireless it's a problem indeed.
  NS: I don't believe that the MAR cache would be affected by a machine hibernating or going to sleep. There are some dot1x related bug fixes that Massimo outlined in his first pos that you should look into. But yes, you can increase the MAR timer to a value that fits your environent
  b) You suggest to use one authorization rule for the device which should be part of the AD and one authorization rule for the user with the extra result "IdentityAccessRestricted = False". By the was, are we really talking about authorization rules here ? I will try this but it's difficult for me to imagine how it would really work.
  NS: Perhaps there is some confusion here but let me try to explain this again. The "IdentityAccessRestricted" is a check that can be done against a machine or a user account in AD. It is an optional attribute and you don't have to have it. I use it so I can prevent terminated users from gaining access to the network by simply disabling their AD account. Again, that account can be either for a "user" or for a "machine"
  z) One question I was asking myself for a long time. All of us want to do machine+user authentication but Windows write Machine OR User Authentication. This "OR" is very confusing.
  NS: At the moment, the only way you can accomplish a true machine+user authentication is to use the Cisco AnyConnect supplicant. The process is also known as "EAP-Chaining" and/or "EAP-TEAP." In fact there is an official RFC (RFC 7170 - See link below). Now the question is when and if Microsoft, Apple, Linux, etc will start supporting it:
  https://tools.ietf.org/html/rfc7170
  Thank you for rating helpful posts!

• ISE machine authentication timeout

  Hi all,
  We have a ISE infrastructure and we have enabled user and machine authentication through EAP-TLS.
  Everything is working fine except that every 1 hour user must log off and login again because machine authentication has, I think, expired!
  As you can imagine this is unacceptable. I saw that the machine restriction age is only 1 hour and changed it to 8 hours.
  My question is if machine restarts at 7 hours past first successful authentication will the timer reset or after an hour will be kicked and have to log off and in again?
  How have you bypassed the timeout of mar cache?
  My ISE version is 1.2 with 2 patches installed
  Thank you
  Sent from Cisco Technical Support iPad App

  Hi
  Cisco ISE contains a Machine Access Restriction (MAR) component that provides an additional means of controlling authorization for Microsoft Active Directory-authentication users. This form of authorization is based on the machine authentication of the computer used to access the Cisco ISE network. For every successful machine authentication, Cisco ISE caches the value that was received in the RADIUS Calling-Station-ID attribute (attribute 31) as evidence of a successful machine authentication.
  Cisco ISE retains each Calling-Station-ID attribute value in cache until the number of hours that was configured in the "Time to Live" parameter in the Active Directory Settings page expires. Once the parameter has expired, Cisco ISE deletes it from its cache.
  When a user authenticates from an end-user client, Cisco ISE searches the cache for a Calling-Station-ID value from successful machine authentications for the Calling-Station-ID value that was received in the user authentication request. If Cisco ISE finds a matching user-authentication Calling-Station-ID value in the cache, this affects how Cisco ISE assigns permissions for the user that requests authentication in the following ways:
  • If the Calling-Station-ID value matches one found in the Cisco ISE cache, then the authorization profile for a successful authorization is assigned.
  • If the Calling-Station-ID value is not found to match one in the Cisco ISE cache, then the authorization profile for a successful user authentication without machine authentication is assigned.

• 802.1X and CAT Express 500

  Hi guys,
  I want to know if the Cat Express 500 support dynamic vlan assigment through 802.1X.

  Hi,
  You can do the vlan arrisgnment using 802.1x on CE500. The configuration for 802.1X and Radius authentication server can be done with the help of Cisco Network Assistant (CNA). In the menu Network Security Settings you have to put the
  security level on high. There is the possibility to configure the IP address of the RADIUS server and the RADIUS key.
  In case you don?t have the CNA, you can download it for free from:
  http://www.cisco.com/cgi-bin/tablebuild.pl/NetworkAssistant
  HTH, Please rate if it does.
  -amit singh