05-01-2003 11:43 AM - edited 03-10-2019 07:17 AM
Is there a way to have a single login when using Win2k or XP clients connecting to a 3550 switch set up with 802.1x port authentication to an ACS server version 3.1? I have been beating myself up trying to get to a single login so that when the person puts in their Windows login info, it passes on to the 802.1x authentication to bring up the Ethernet port.
If not, does anyone know when these features will be linked together? I am trying to deploy port-based security on the network, but I am trying to do it so the users do not know and don't need to be involved.
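For reference, a switch-side 802.1x configuration of the kind the question describes (Catalyst 3550 authenticating ports against a RADIUS server such as ACS), added here as an example and not taken from this thread; the RADIUS address, shared secret, interface and VLAN number are placeholders:

```cisco
! Enable AAA and send 802.1x (dot1x) authentication to the RADIUS group
aaa new-model
aaa authentication dot1x default group radius
!
! RADIUS server (ACS) address and shared secret are placeholders
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key PLACEHOLDER_SECRET
!
! Turn on 802.1x globally; without this, per-port settings have no effect
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 ! Port stays closed until the supplicant authenticates via RADIUS
 dot1x port-control auto
 ! Re-authenticate periodically so a stale session does not keep the port open
 dot1x reauthentication
 dot1x timeout reauth-period 3600
 spanning-tree portfast
!
```

The client-side EAP type (PEAP with EAP-MSCHAPv2) is set on the Windows supplicant, not on the switch; the switch only relays the EAP exchange to the RADIUS server.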
05-06-2003 05:31 AM
Yes, it's possible.
You must use PEAP as the EAP type in the Win XP Authentication tab. When you choose this option, click Properties, select EAP-MSCHAPv2 and click Configure, then select this option.
You must use certificates for this config.
05-06-2003 05:54 AM
I have been working with this using Win2k with the 802.1x hotfix and I don't seem to be able to get it to work. I have the certs set up and loaded and the requests are hitting the ACS server, but there seems to be a problem when it goes to authenticate with the NT database. I can authenticate against the NT database when I use something other than an 802.1x request. I don't understand what is different. I will try a WinXP client to see if that will work.
05-06-2003 06:28 AM
I've tested this config, and it works:
Hp procurve switch 5308xl
IAS RADIUS server w/ dynamic VLAN config
Win2K Active Directory database
Win2K Client with HotFix, or WinXP Pro.
MS CA
Aladdin eToken Pro 32K
It seems that there is something wrong with ACS and MS PEAP... I found this message from icosgrove:
Feb 12, 2003, 6:30am PST
I have been working on this as well. It turns out that Microsoft's implementation changed from when Cisco first set up the ACS 3.1, and now it will not work till ACS 3.2 comes out. There is not very much documentation on the Cisco website regarding these problems, but I ended up opening a case with TAC and found out I was doing everything right but the ACS and Microsoft were incompatible. From what I understand you can wait for ACS 3.2 (around May) or get an advanced copy of Windows 2003 Server and run the Microsoft RADIUS server, and this should work. I have not tried the MS RADIUS server. I am waiting for ACS 3.2. If you want to do some testing, load the Cisco Aironet Client Utility on your client computer (I know you are not doing wireless). This will overwrite the MS parts of PEAP with the Cisco PEAP and will work with ACS 3.1. The only drawback is you will have a 2-step login. This solution does not hook into the MS login, so you have to log in twice.
05-06-2003 06:36 AM
That was my message. I am currently working with a pre-release version of ACS 3.2 and not having any more luck with it. What version of IAS RADIUS server are you using? Does it need to be Win2003 or will the regular Win2k IAS RADIUS work okay?
05-06-2003 06:46 AM
Windows 2000 Server English SP3 IAS works well; I don't need W2003 Server.
I'm working in a lab config with ACS 3.1.1 and Cisco Aironet Client Utility... If it works, I'll tell you.
05-06-2003 06:54 AM
I did get the Aironet 802.1x over Ethernet to work, but it is not single sign-in. You will get a second authentication box because it does not hook into the Windows login information.