06-29-2012 08:29 AM - edited 03-10-2019 07:15 PM
Hi all,
I have a question about the Context Directory Agent.
We are using Windows 2008 R2 NAP for 802.1X authentication on switch ports.
Would it be possible to use RADIUS accounting for the CDA to assign the user-IP mapping?
Or is the RADIUS authorization already a user-IP mapping?
My thought is that if a non-AD-joined client authenticates to the network, it would automatically receive the correct user identity authorization for the network and all VPNs, without using something like CTP.
Sent from Cisco Technical Support iPad App
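As an added illustration of the idea in the question (deriving a user-to-IP mapping from RADIUS accounting), here is a small collector written for this page. It is not CDA code, not Cisco's, and not part of the original thread; the packets, shared secret and user names are constructed for the demo. It shows two things a practitioner hits in practice: an Accounting-Request Start from a wired 802.1X switch port often has no Framed-IP-Address yet (the client has not finished DHCP), so the mapping can only be completed from a later Interim-Update that carries the address; and the Request Authenticator must be verified against the shared secret before a record is trusted, otherwise anyone who can send UDP to the collector can poison the identity table.

```python
"""Build a user -> IP table from RADIUS accounting records (RFC 2866 layout).

Hypothetical collector written for this page; not Cisco CDA code.
Attribute numbers and the Request Authenticator formula are from RFC 2865/2866.
"""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

ACCOUNTING_REQUEST = 4
USER_NAME, FRAMED_IP_ADDRESS, CALLING_STATION_ID = 1, 8, 31
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44
START, STOP, INTERIM_UPDATE = 1, 2, 3
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def build_acct_request(ident, avps, secret):
    """Constructed Accounting-Request, used here only to feed the demo."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in avps)
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, HEADER_LEN + len(body))
    # Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)
    auth = hashlib.md5(head + b"\x00" * 16 + body + secret).digest()
    return head + auth + body


def parse_avps(payload):
    """Walk type/length/value attributes; reject truncated or oversized ones."""
    avps, pos = {}, 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("bad attribute length")
        avps[atype] = payload[pos + 2:pos + alen]
        pos += alen
    return avps


def parse_acct_request(raw, secret):
    """Validate header, length and Request Authenticator, then return attributes."""
    if len(raw) < HEADER_LEN:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("length field does not match datagram")
    if code != ACCOUNTING_REQUEST:
        raise ValueError("not an Accounting-Request")
    expected = hashlib.md5(raw[:4] + b"\x00" * 16 + raw[HEADER_LEN:] + secret).digest()
    if not hmac.compare_digest(expected, raw[4:HEADER_LEN]):
        raise ValueError("bad Request Authenticator (wrong secret or spoofed packet)")
    return parse_avps(raw[HEADER_LEN:])


class IdentityMap:
    def __init__(self, secret):
        self.secret = secret
        self.by_ip = {}    # ip -> (user, session_id)
        self.pending = {}  # session_id -> user: Start seen, IP not yet known

    def feed(self, raw):
        avps = parse_acct_request(raw, self.secret)
        status = struct.unpack("!I", avps[ACCT_STATUS_TYPE])[0]
        user = avps.get(USER_NAME, b"").decode("utf-8", "replace")
        session = avps.get(ACCT_SESSION_ID, b"").decode("utf-8", "replace")
        ip = str(IPv4Address(avps[FRAMED_IP_ADDRESS])) if FRAMED_IP_ADDRESS in avps else None
        if status in (START, INTERIM_UPDATE):
            if ip is None:  # typical for a wired Start: DHCP has not completed yet
                self.pending[session] = user
                return ("pending", user, session)
            self.pending.pop(session, None)
            self.by_ip[ip] = (user, session)
            return ("mapped", user, ip)
        if status == STOP:  # tear down by session id, not by the IP in the Stop
            self.pending.pop(session, None)
            for mapped_ip, (u, s) in list(self.by_ip.items()):
                if s == session:
                    del self.by_ip[mapped_ip]
                    return ("unmapped", u, mapped_ip)
            return ("stop-unknown", user, session)
        return ("ignored", user, session)


SECRET = b"demo-shared-secret"  # constructed for the demo


def demo():
    """Start without IP, Interim-Update with IP, Stop: returns events and final table."""
    m = IdentityMap(SECRET)
    common = [(USER_NAME, b"EXAMPLE\\alice"), (ACCT_SESSION_ID, b"0000001A"),
              (CALLING_STATION_ID, b"00-11-22-33-44-55")]
    addr = IPv4Address("10.20.30.40").packed
    start = build_acct_request(1, common + [(ACCT_STATUS_TYPE, struct.pack("!I", START))], SECRET)
    interim = build_acct_request(2, common + [(ACCT_STATUS_TYPE, struct.pack("!I", INTERIM_UPDATE)),
                                              (FRAMED_IP_ADDRESS, addr)], SECRET)
    stop = build_acct_request(3, common + [(ACCT_STATUS_TYPE, struct.pack("!I", STOP)),
                                           (FRAMED_IP_ADDRESS, addr)], SECRET)
    events = [m.feed(p) for p in (start, interim, stop)]
    return events, dict(m.by_ip)


def spoof_rejected():
    """A record signed with the wrong secret must not touch the table."""
    forged = build_acct_request(9, [(USER_NAME, b"EXAMPLE\\admin"),
                                    (ACCT_STATUS_TYPE, struct.pack("!I", START)),
                                    (FRAMED_IP_ADDRESS, IPv4Address("10.20.30.99").packed),
                                    (ACCT_SESSION_ID, b"FEED")], b"wrong-secret")
    try:
        IdentityMap(SECRET).feed(forged)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for event in demo()[0]:
        print(event)
    print("spoof rejected:", spoof_rejected())
```

The Stop record is matched on Acct-Session-Id rather than on the address it carries, because a session's IP can change between records while the session id stays fixed for its lifetime. In a real deployment the collector would also expire pending sessions that never receive an address, and the NAS would need to be configured to send Interim-Updates (and to include Framed-IP-Address once it learns the client's address) for this to work at all.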
07-04-2012 06:39 AM
Hello,
If you are doing 802.1X authentication and the computer doesn't have a supplicant, the switch is the one that takes the decision to either leave it unauthenticated or use the guest VLAN; everything depends on what you have configured.
If you want to provide different VLANs to different groups of users, that is dynamic VLAN assignment. Please let me know if this is what you want so I can share the configuration.
Regards,
07-04-2012 10:26 PM
Hi,
I will try to explain what I want to do.
We have a separate company network where customer VPNs are terminated. This network is secured with 802.1X authentication.
We are now planning to rebuild this network and grant more people access to it and to the customer VPNs.
The dot1x implementation is now working with Windows RADIUS and dynamic VLAN assignment based on Active Directory group membership.
What I want to do is:
Use the user identity feature of the ASA to permit or deny access to VPNs or internal infrastructure based on Active Directory groups.
And now my question:
If a user is successfully authenticated to the network with 802.1X, will the CDA get notice of it and do the user-IP mapping?
Or is there a possibility to combine 802.1X implementations with the CDA to get user identity working based on network authentication?
As I mentioned in my first post, the clients are not Active Directory members, so there is no Kerberos authentication from them with AD.
And I do not want the user to have to authenticate twice to get access to the VPN or internal infrastructure.
Sent from Cisco Technical Support iPad App
07-05-2012 10:00 PM
Oliver,
I wanted to confirm the following; let's say company A uses dot1x and company B uses VPN:
Company A -
If you are trying to get the user-to-IP mappings from Company A's dot1x authentications, there is only one way to confirm:
log in to the machine that has the CDA installed and run the following command through the CLI:
cd C:\IBF\CLI
adacfg cache list
That should return the results of the user-to-IP mapping.
As I mentioned in my first post. The clients are not active directory members so there is no Kerberos authentication from them with the AD. If you are using Windows RADIUS, then your users will have to be members of the domain.
And I did not want that the user have to authenticate twice to get access to the VPN or internal infrastructure.
You do not have to authenticate twice if you are coming from outside the network in: once you authorize the VPN connection, you take a different entry into the network, which is the VPN. Dot1x is used to authenticate clients and endpoints behind switch ports or wireless APs. However, you will have to authenticate twice if your users are inside a dot1x-enabled network and trying to establish a VPN connection to another site with different credentials.
As far as the CDA is concerned, it is primarily used for IDFW and transparent user identification for the WSA; I haven't seen any references recently for any VPN authentication. If you are looking for a design to merge these two authentication pieces together, you can use Cisco ACS or Cisco ISE; you can stand one up at each site and enable RADIUS proxy so that the authentications are seamless.
Let me know if that helps,
Tarik Admani
07-05-2012 10:21 PM
I will take your example.
Company A (my company)
Company B (customer site)
Company A
- dot1x with dynamic VLAN assignment on Windows RADIUS
- for the moment it is possible for everyone who has access to the network to access every customer network over VPN
- restrict VPN access to limited users based on AD group membership
Company B
- limitations are set on Company A (ruleset, NAT)
- no use of RADIUS
Windows RADIUS is capable of RADIUS proxy settings.
As I mentioned in my first post. The clients are not active directory members so there is no Kerberos authentication from them with the AD. If you are using Windows RADIUS, then your users will have to be members of the domain.
The users are members of AD, but not the client computers.
And I did not want that the user have to authenticate twice to get access to the VPN or internal infrastructure.
You do not have to authenticate twice if you are coming from outside the network in: once you authorize the VPN connection, you take a different entry into the network, which is the VPN. Dot1x is used to authenticate clients and endpoints behind switch ports or wireless APs. However, you will have to authenticate twice if your users are inside a dot1x-enabled network and trying to establish a VPN connection to another site with different credentials.
All the traffic I'm talking about is from the inside.
07-06-2012 04:25 AM
Oliver,
The dot1x authentication is seamless for the internal users and is done automatically by the supplicant. The supplicant runs as a service and in the most common scenario uses PEAP as the authentication protocol.
Your best bet is to consider ISE: you can redirect clients to a centralized web portal if they do not exist on the domain; they can self-register, or you can create guest accounts for them and have them expire within a set amount of time. You can also use the internal database and group the clients in order to build specific dot1x/VPN profiles.
Keep in mind the Cisco switch ports can authorize ports if the user is a guest or not a member of the domain; you can assign a guest VLAN for these scenarios.
Sent from Cisco Technical Support iPad App