802.1x certificate based authentication on Cisco 3850.

Folks,

We are looking at some help on certificate based authentication on our Cisco 3850 for LAN based authentication. The authentication feature is planned to be rolled out only on ports which are in the user VLAN and for other ports we would use MAC based authentication. We are going to authenticate against ACS 5.5.


Any suggestions on proceeding with this? I had received some solutions initially, but all we see on the ACS is some MAC address trying to authenticate. That does not succeed.


Please provide me with some suggestions on getting this going.


Regards,

N!!

4 Replies

hslai
Cisco Employee

ACS 5.5 has reached its last date of support, per End-of-Sale and End-of-Life Announcement for the Cisco Secure Access Control System 5.5. ACS 5.8 has reached End of Sale and is only a couple of months away until the end of software maintenance. Thus, please plan on migrating to ISE by reviewing the info @ http://cs.co/acstoise


In order for an endpoint to perform certificate-based 802.1X, the endpoint needs an identity/personal certificate suitable for EAP-TLS client authentication and the 802.1X supplicant on the endpoint OS configured to do so. Certificates / Private Key Infrastructure (PKI) has several materials for reference.


Yes, we are aware of the EoL for the Cisco ACS. However, the replacement plans are futuristic. As an immediate need I actually need to get in some security on my existing infrastructure, so I am looking for help with that.


Could someone please provide some guidelines on 802.1x security with use of certificates on Cisco 3850 switches with the ACS please?

The configuration on the client side is the same for ISE and ACS. For ACS configuration, please check out the following:


Solved: 802.1x EAP-TLS for wired users with ACS... - Cisco Support Community

Lab Minutes has several videos on ACS -> Video: Security - ACS | Lab Minutes

Hi,


May I know whether the "aaa authorization network" command will affect anything currently in the switch like telnet, SSH, etc.? Do I really need these 2 commands below for 802.1x authentication with a RADIUS server? Or is "aaa authentication 802.1x..." sufficient?


Switch(config)# aaa authorization network default group radius
Switch(config)# aaa accounting dot1x default start-stop group radius
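As an added example (not configuration posted in this thread), here is a minimal Cisco IOS-XE configuration for a Catalyst 3850 that matches the original plan: EAP-TLS 802.1X with MAB fallback on user-VLAN ports and MAB only on the other ports, authenticating against ACS over RADIUS. The RADIUS server address, shared secret, VLAN numbers and interface names are placeholders; login/exec authentication for telnet and SSH is governed by the separate `aaa authentication login` and `aaa authorization exec` lines, not by `aaa authorization network`.

```cisco
! Added example, not from the thread. Placeholders: 192.0.2.10, shared secret, VLANs, interfaces.
aaa new-model
! Management access (telnet/SSH) keeps using local credentials; the dot1x/network lines below do not change it.
aaa authentication login default local
aaa authentication dot1x default group radius
! Required only when the RADIUS server returns per-session attributes (VLAN assignment, downloadable ACL).
aaa authorization network default group radius
! Optional: session start/stop records on ACS, useful when troubleshooting who authenticated where.
aaa accounting dot1x default start-stop group radius
radius server ACS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
! Enables 802.1X globally; without this the per-port settings do nothing.
dot1x system-auth-control
!
! User-VLAN port: try EAP-TLS first, fall back to MAB only if the supplicant never answers.
! If ACS only ever logs a MAC address for this port, the endpoint sent no EAP identity,
! i.e. the supplicant or its client certificate is not configured.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication host-mode single-host
 dot1x pae authenticator
 dot1x timeout tx-period 10
 mab
 spanning-tree portfast
!
! Non-user port: MAC-based authentication only, as planned for the other VLANs.
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 20
 authentication port-control auto
 authentication order mab
 mab
 spanning-tree portfast
```

To see which method a port actually used and the RADIUS result, run `show authentication sessions interface GigabitEthernet1/0/1 details` on the switch and compare it with the ACS authentication report for that session.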