How are users able to log in to the domain

getaway51
Level 2

Hi,

I was wondering how end-user workstations are able to reach ACS. Does it have anything to do with the IP helper config on the switches?

802.1X is currently not enabled. All policy is now controlled by ISE & ACS. But in the first place, without 802.1X config, how can the traffic from all branches reach the AD domain in HQ? Can someone enlighten me?

1 Accepted Solution

Accepted Solutions

Mike.Cifelli
VIP Alumni

So the IP helper config does not come into play for the 802.1X process. The helper will be used to ensure that you can dynamically pull an IP from DHCP. Here is a somewhat brief overview of the 802.1X process:

Three main components are used:
1. Supplicant --> port authentication entity seeking network access (workstation)
2. Authenticator --> Network Access Device (switch)
3. Authentication server --> ISE/ACS

EAPoL is used between your workstation and the switch. RADIUS is then used between the switch and the AAA server. It looks like this:

[figure eapol.png: EAPoL between supplicant and switch, RADIUS between switch and AAA server]

With that information, note that the NAD will manage the communication to your AAA server and the actual workstations will not talk to the AAA server. I hope this clears up the process for you!

 

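To make the two hops in that answer concrete, here is an added Python model of the relay (my example, not Mike's or Cisco's code): the supplicant's EAP Response/Identity reaches the switch inside an EAPoL frame, and the switch re-wraps the same EAP packet in a RADIUS Access-Request whose Message-Authenticator is keyed with the NAD/AAA shared secret that the workstation never holds. The identity, NAS-Identifier and secret values are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# Field values from IEEE 802.1X (EAPOL), RFC 3748 (EAP) and RFC 2865/3579 (RADIUS)
EAPOL_VERSION, EAPOL_EAP_PACKET = 2, 0
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_NAS_IDENTIFIER = 1, 32
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80

def eapol_identity_response(identity: bytes, eap_id: int = 1) -> bytes:
    """Supplicant -> authenticator: EAP Response/Identity inside an EAPOL frame (layer 2, no IP)."""
    eap = struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(identity), EAP_TYPE_IDENTITY) + identity
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_EAP_PACKET, len(eap)) + eap

def _attr(atype: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type(1) length(2 + value)."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def authenticator_relay(eapol_frame: bytes, secret: bytes, nas_id: bytes, radius_id: int = 7) -> bytes:
    """Authenticator (switch): unwrap EAPOL, carry the untouched EAP packet to AAA in RADIUS.
    Only the switch knows the shared secret; the workstation never sends IP traffic to AAA."""
    _version, ptype, length = struct.unpack("!BBH", eapol_frame[:4])
    if ptype != EAPOL_EAP_PACKET:
        raise ValueError("not an EAP-Packet EAPOL frame")
    eap = eapol_frame[4:4 + length]
    code, _eap_id, eap_len, etype = struct.unpack("!BBHB", eap[:5])
    if code != EAP_RESPONSE or etype != EAP_TYPE_IDENTITY:
        raise ValueError("expected EAP Response/Identity")
    identity = eap[5:eap_len]
    attrs = (_attr(ATTR_USER_NAME, identity) + _attr(ATTR_NAS_IDENTIFIER, nas_id)
             + _attr(ATTR_EAP_MESSAGE, eap) + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
    pkt = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, radius_id, 20 + len(attrs)) + os.urandom(16) + attrs
    # RFC 3579: Message-Authenticator = HMAC-MD5(secret, packet with the attribute value zeroed)
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def radius_attributes(pkt: bytes) -> dict:
    """Server side: walk the attribute list after the 20-byte RADIUS header into {type: value}."""
    attrs, pos = {}, 20
    while pos < len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        attrs[atype] = pkt[pos + 2:pos + alen]
        pos += alen
    return attrs

def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """Server side: recompute the HMAC with the secret shared with the NAD, not the supplicant."""
    pos = 20
    while pos < len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), pkt[pos + 2:pos + 18])
        pos += alen
    return False
```

Run it with `authenticator_relay(eapol_identity_response(b"alice@example.com"), b"s3cret", b"sw1")` and inspect the result with `radius_attributes`: the EAP-Message attribute is byte-for-byte the EAP packet the workstation sent, while everything RADIUS-specific was added by the switch.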

3 Replies


I mean currently there is no 802.1X. How are users able to reach ACS (i.e. they log in every time the PC boots up)? There is no 802.1X now; I am wondering how a process like "login to domain" works.

I am not quite sure I am following.

All policy is now controlled by ISE & ACS. But in the first place, without 802.1X config, how can the traffic from all branches reach the AD domain in HQ? Can someone enlighten me?

How are you pushing policy if 802.1X is not enabled? From a routing perspective, you need to ensure your hosts can reach AD.