Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1368
Views
5
Helpful
3
Replies

802.1x and Authentication Methods

Go to solution
s.kho
Level 1
Level 1

‎10-10-2010 09:30 PM - edited ‎02-21-2020 10:25 AM

Hi,

I have ACS 5.2, Cisco 4507 switches and AD domain environment.
Planning on performing only machine authentication and not user authentication.
I have the following type of devices:

1. Windows XP SP3 and higher on the AD Domain
2. Devices to be with installed with third-party supplicants as they natively don't
support 802.1x.


If I ignore device type 2, and only consider device type 1, am I able to simply configure
802.1x for authentication based on machine against AD, without having to use any
certificates at all?


Taken device type 2 into account, given the devices are not on the domain and I don't
want to manually enter details into ACS, will I need to use certificate for authentication?

Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Tiago Antunes
Cisco Employee
Cisco Employee
In response to s.kho

‎10-19-2010 11:59 PM

Hi,

> Using PEAP wouldn't I need certificate installed on the ACS? Or can it work without any certificate at all.

[ANS] Yes, you always need certificate on the ACS but it can be a self signed certificate that you can do with 2 clicks on the ACS itself. oc the client machines you have only to make sure that you have the supplicant configured to not "Validate server certificate" so that you do not have any further complication with certs.

> I was thinking for devices that not on the domain, to load certificate on the machine.

If I were to have both type 1 and 2 devices, would it possible to have domain devices to be authentication using machine authentication against AD and the non domain devices autheticated using certificate installed on each device?

[ANS] Yes, you can. Non domain devices could be authenticated simply by trusting the CA that issued the device certificate. Imagine you have CA "JEDI" issuing the device's certs. You can configure the ACS to validate authentications only by trusting CA "JEDI". When a device tries to connect, it will send the certificate, the ACS simply checks the CA that issued the cert and if it is trusted, it will accept the authentication.

In this scenario, you will need to use an authnetication method which uses clients certs for authneitcation like EAP-TLS.

HTH,
Tiago

--

If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Tiago Antunes
Cisco Employee
Cisco Employee

‎10-11-2010 06:53 AM

Hi,

Answering inline:


If I ignore device type 2, and only consider device type 1, am I able to simply configure
802.1x for authentication based on machine against AD, without having to use any
certificates at all?

[Ans] Yes, you can use PEAP which does not require certificate on the user, but the traffic is still encrypted.

Windows XP default supplicant has the option to "Use machine credentials...". If you check that box the PC will do machine authentication and send the machine credentials in the format host\machine.domain.


Taken device type 2 into account, given the devices are not on the domain and I don't
want to manually enter details into ACS, will I need to use certificate for authentication?

[Ans] Well, if you want to do machine authentication, you need to create the machine entries in some Database...can you please clarify exactly how you want to authenticate the devices type 2.

Thanks,

Tiago

Go to solution
s.kho
Level 1
Level 1
In response to Tiago Antunes

‎10-19-2010 11:04 PM

Hi Tiago,

Thanks for your reply. Some more questions.

>If I ignore device type 2, and only consider device type 1, am I able to simply configure
>802.1x for authentication based on machine against AD, without having to use any
>certificates at all?

>[Ans] Yes, you can use PEAP which does not require certificate on the user, but the traffic is still encrypted.

>Windows XP default supplicant has the option to "Use machine credentials...". If you check that box the PC will do machine authentication and send the >machine credentials in the format host\machine.domain.

Using PEAP wouldn't I need certificate installed on the ACS? Or can it work without any certificate at all.


>Taken device type 2 into account, given the devices are not on the domain and I don't
>want to manually enter details into ACS, will I need to use certificate for authentication?

>[Ans] Well, if you want to do machine authentication, you need to create the machine entries in some Database...can you please clarify exactly how you >want to authenticate the devices type 2.

I was thinking for devices that not on the domain, to load certificate on the machine.

If I were to have both type 1 and 2 devices, would it possible to have domain devices to be authentication using machine authentication against AD and the non domain devices autheticated using certificate installed on each device?

Thanks

0 Helpful

Go to solution
Tiago Antunes
Cisco Employee
Cisco Employee
In response to s.kho

‎10-19-2010 11:59 PM

Hi,

> Using PEAP wouldn't I need certificate installed on the ACS? Or can it work without any certificate at all.

[ANS] Yes, you always need certificate on the ACS but it can be a self signed certificate that you can do with 2 clicks on the ACS itself. oc the client machines you have only to make sure that you have the supplicant configured to not "Validate server certificate" so that you do not have any further complication with certs.

> I was thinking for devices that not on the domain, to load certificate on the machine.

If I were to have both type 1 and 2 devices, would it possible to have domain devices to be authentication using machine authentication against AD and the non domain devices autheticated using certificate installed on each device?

[ANS] Yes, you can. Non domain devices could be authenticated simply by trusting the CA that issued the device certificate. Imagine you have CA "JEDI" issuing the device's certs. You can configure the ACS to validate authentications only by trusting CA "JEDI". When a device tries to connect, it will send the certificate, the ACS simply checks the CA that issued the cert and if it is trusted, it will accept the authentication.

In this scenario, you will need to use an authnetication method which uses clients certs for authneitcation like EAP-TLS.

HTH,
Tiago

--

If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

0 Helpful
Customers Also Viewed These Support Documents