07-30-2013 04:30 AM - edited 03-10-2019 08:42 PM
Hello All,
We have an ACS Server 5.3 in our network and we use Cisco port-based authentication.
We store all MAC addresses in our ACS Server and we use per-host authentication.
So if any PC or laptop connects to any switch, the switch asks the ACS Server about its MAC. If it finds the MAC address in ACS, this PC is connected to the inside VLAN; if it does not find this MAC in the ACS Server database, the switch connects this host to the guest VLAN.
---------
Our switch config is:
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
!
!
aaa session-id common
clock timezone CET 2
system mtu routing 1500
ip subnet-zero
dot1x system-auth-control
interface GigabitEthernet0/1
switchport mode access
authentication event no-response action authorize vlan 20
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout quiet-period 15
dot1x timeout tx-period 3
no cdp enable
spanning-tree portfast
radius-server host 192.168.10.10 auth-port 1645 acct-port 1646 key xxxxxx
----------------------
Now I need to ask:
We need to make this authentication via Active Directory,
but with the same processing.
I mean the user needs to log on to any PC in the domain with username and password.
If the ACS finds this user in the AD database, the user has access to the inside VLAN;
if ACS does not find them, then the switch or ACS sends this user to the guest VLAN.
Can I make this authentication per username?
Thank you for your help.
AHA
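As an added example (not from the original post, and not taken from Cisco or ACS documentation), the configuration below shows one way to get the behaviour asked for on the switch side: 802.1X with the user's AD credentials is tried first, MAB against the MAC list in ACS is the fallback for devices without a supplicant, and both "no supplicant answered" and "ACS rejected the credentials" land in VLAN 20. The server address, VLAN 20 and the RADIUS key are taken from the posted config; the access VLAN 10, `aaa new-model` and the fail-VLAN handling are assumptions. Two points the posted config does not cover: `authentication event no-response` only catches clients that never speak 802.1X, so a domain user that ACS rejects needs the separate `authentication event fail` action; and on the ACS 5.3 side the switch config alone is not enough, ACS must be joined to the AD domain and the identity policy of the access service must send EAP (dot1x) requests to the AD store and host-lookup (MAB) requests to the internal hosts store, with the PC's supplicant set to PEAP-MSCHAPv2 using the logged-on user's credentials.

```ios
! Added example, not the original poster's config. Assumptions: aaa new-model,
! access VLAN 10, and the fail-action VLAN (reusing guest VLAN 20).
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
!
radius-server host 192.168.10.10 auth-port 1645 acct-port 1646 key xxxxxx
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 ! try 802.1X (AD username/password via the PC supplicant) before MAB
 authentication order dot1x mab
 authentication priority dot1x mab
 ! one device per port; a switch/hub behind the port would be refused
 authentication host-mode single-host
 authentication port-control auto
 ! no supplicant replied (printer, unknown laptop): guest VLAN
 authentication event no-response action authorize vlan 20
 ! supplicant replied but ACS rejected the user or MAC: fail VLAN
 authentication event fail action authorize vlan 20
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 15
 dot1x timeout tx-period 3
 spanning-tree portfast
```

With `dot1x timeout tx-period 3` and the default two retries, a device without a supplicant falls through to MAB after roughly nine seconds; `show authentication sessions interface GigabitEthernet0/1` shows which method (dot1x or mab) authorized the session and which VLAN was assigned, so that is the first thing to check when a domain user ends up in VLAN 20.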
07-31-2013 11:20 PM
Please, does anyone have any idea?!
08-01-2013 04:17 AM
Since there is no order/priority set, by default it attempts dot1x first and then mab. The workstation requests access to the LAN and responds to requests from the switch. The workstation must be running 802.1X-compliant client software.
Could you please share the 802.1X settings from your PC connected behind the switch port.
I'd also like to see debugs from the switch:
debug dot1x all
debug radius
show authentication sessions interface GigabitEthernet0/1
~BR
Jatin Katyal
**Do rate helpful posts**