802.1x machine authentication

dhellmuth
Level 1

Hi,

In an environment where we have a Catalyst switch, an ACS server and a Win2000 or XP client, is it possible to set up 802.1x machine authentication without the client being part of an ADS?

Is it possible to do machine authentication only with certificates (EAP-TLS)?

Regards

Dirk

5 Replies

pcomeaux
Cisco Employee

Hey Dirk -

I've done machine authentication with 802.1x with ACS only. The switch determined the computer's name and sent it to the ACS server and the ACS server accepted the machine name and placed the port in the correct vlan.

I can't help with your 2nd question; hopefully someone else can address it.

Thanks

peter
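The reply above describes the switch relaying the machine identity to ACS and ACS returning the VLAN. As an added example (this is not pcomeaux's configuration, which was never posted in the thread), the Catalyst IOS commands such a setup relies on; the RADIUS server address, shared secret, interface and VLAN numbers are placeholders:

```cisco
! --- Added example, not the poster's config. 192.0.2.10, the key and VLAN 10 are placeholders. ---
aaa new-model
! 802.1x (dot1x) requests are authenticated against the RADIUS group (ACS).
aaa authentication dot1x default group radius
! Needed so the switch honours the VLAN that ACS returns in the Access-Accept
! (IETF RADIUS attributes Tunnel-Type=VLAN, Tunnel-Medium-Type=802,
! Tunnel-Private-Group-ID=<vlan>); without it the port stays in its static VLAN.
aaa authorization network default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key REPLACE-WITH-SHARED-SECRET
! Enables 802.1x globally; per-port settings below have no effect without it.
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 ! Static VLAN used until ACS assigns one.
 switchport access vlan 10
 spanning-tree portfast
 ! "auto" = port is blocked until the supplicant authenticates.
 dot1x port-control auto
 ! Periodic re-authentication so a machine that is removed from ACS loses access
 ! at the next interval instead of keeping the port open indefinitely.
 dot1x reauthentication
 dot1x timeout reauth-period 3600
```

`show dot1x all` on the switch shows the port state and the identity the supplicant sent (for a Windows machine account this is `host/<computer-name>`), which is what ACS sees as the username; comparing that output with the ACS failed-attempts log is the quickest way to tell a switch-side problem from a server-side one.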

Would you share your config?

Thanks,

Bo

I believe you're talking Active Directory, right?

Machine-Authentication is only achievable with an Active Directory backend.

Machine-Authentication is available from EAP-TLS and PEAP with EAP-MSCHAPv2.

Hope this helps.

Hi,

We've done some tests yesterday. For ACS without ADS, machine authentication is just like a user authentication: someone provides his name and password/certificate. We created a user account on ACS named "host/" and ACS matched it when machine authentication was provided by the Windows client.

But there were 2 problems:

- if we're using EAP-TLS, the certificate matching failed because ACS takes the machine name with a leading "host/" as the username and in the CN field of the certificate there is only the machine name.

- if we're using PEAP, we need a password for the ACS user account. The client provides a password that the ADS gave him. Where can I find that password?

Any comments welcome

Regards

Dirk Hellmuth (CCSP)

CONET AG, Germany
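The first problem in the reply above (the supplicant sends `host/<machine-name>` as its identity while the certificate CN holds only the machine name) is easy to reproduce in a few lines. The following is an added illustration, not ACS code and not anything posted in this thread; the identity string, the subject DN and the `strip_host_prefix` switch are constructed for the example. It shows why a literal username-to-CN comparison fails and what a server that normalizes the Windows machine identity would compare instead.

```python
"""Constructed example: EAP identity vs. certificate CN matching.

A Windows supplicant doing machine authentication sends its identity as
"host/<computer-name>"; the machine certificate's subject carries only the
computer name in CN. A literal comparison fails, a comparison on the
normalized name succeeds. This is illustration only, not ACS behaviour.
"""
from typing import Optional, Tuple

HOST_PREFIX = "host/"  # Windows machine-account identity prefix


def parse_eap_identity(identity: str) -> Tuple[bool, str]:
    """Split an EAP-Response/Identity value into (is_machine, bare_name).

    "host/ws01.corp.example" -> (True, "ws01.corp.example");
    anything without the prefix is treated as a user identity.
    """
    if identity.lower().startswith(HOST_PREFIX):
        return True, identity[len(HOST_PREFIX):]
    return False, identity


def subject_cn(subject_dn: str) -> Optional[str]:
    """Return the CN attribute of a simple comma-separated DN string.

    Handles DNs of the form "CN=ws01.corp.example,OU=Workstations,DC=corp,DC=example".
    Escaped commas inside values are not handled (enough for this illustration).
    """
    for rdn in subject_dn.split(","):
        key, sep, value = rdn.strip().partition("=")
        if sep and key.strip().upper() == "CN":
            return value.strip()
    return None


def identity_matches_certificate(identity: str, subject_dn: str,
                                 strip_host_prefix: bool) -> bool:
    """Compare the EAP identity with the certificate CN.

    strip_host_prefix=False mimics a literal username comparison (the failure
    described in the thread); True normalizes a machine identity first.
    DNS names are case-insensitive, so the comparison folds case.
    """
    cn = subject_cn(subject_dn)
    if cn is None:
        return False
    name = identity
    if strip_host_prefix:
        _, name = parse_eap_identity(identity)
    return name.casefold() == cn.casefold()


# Constructed sample values (not from the thread).
SAMPLE_IDENTITY = "host/WS01.corp.example"
SAMPLE_SUBJECT = "CN=ws01.corp.example,OU=Workstations,DC=corp,DC=example"


def demo() -> Tuple[bool, bool]:
    """Return (literal_match, normalized_match) for the sample values."""
    literal = identity_matches_certificate(SAMPLE_IDENTITY, SAMPLE_SUBJECT, False)
    normalized = identity_matches_certificate(SAMPLE_IDENTITY, SAMPLE_SUBJECT, True)
    return literal, normalized


if __name__ == "__main__":
    lit, norm = demo()
    print(f"identity {SAMPLE_IDENTITY!r} vs CN: literal={lit} normalized={norm}")
```

The defender-side takeaway is that the identity string is just a hint: whichever name is compared, the binding that actually authenticates the machine is the TLS handshake against a certificate chained to a trusted CA, so a server that strips the `host/` prefix should still reject any certificate whose CN or SAN does not match the account it is mapped to.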

Right:

That's why I was assuming you were using AD ;-). As for the password PEAP is using for machine-auth, it's the local system password from AD.

This should help further:

<http://download.microsoft.com/download/b/0/e/b0e2a363-0044-4327-8f17-020818f57234/Wired_depl.doc>

Hope this helps.