
Some questions on 802.1x?

Deepak Khemani
Level 1

Hello Everyone

I have a few questions regarding 802.1x authentication in a weird environment and with VLAN assignment by ACS. Please help me with these.

1. How do I use 802.1x authentication in a Windows environment with domain authentication? Is it that the PC first needs to be authenticated and then the user? If that's the case, how do I configure Windows for that?

2. Is it possible to have access control based on roles? I have read about this on blogs, but how do I configure it? Any resources?

3. I have 3-4 offices at different locations and one data center where the RADIUS server and other intranet applications are hosted. All sites have MPLS connectivity and use the same RADIUS server. A user is configured in ACS for dynamic VLAN assignment to VLAN 25. From Office A (the user's primary office) he would not have any problems with authentication. What if the user goes to Office B and tries to authenticate? Will he be assigned to VLAN 25? What if VLAN 25 is not present in Office B? How do we deal with this situation?

I know I have asked a lot in this post, but I will be very grateful if you can help me with this.

Thanks in advance

Deepak Khemani

1 Reply

Jagdeep Gambhir
Level 10

Deepak ,

1) You can set it up either way (machine or user authentication). The machine or user needs to be authenticated, and then the RADIUS server assigns the appropriate VLAN.

2) Yes, that is what dynamic VLAN assignment is all about.

This doc will give you a heads-up about dot1x.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_13_ea1/configuration/guide/Sw8021x.html

3) If the user logs in from Office B, you can assign a different VLAN that allows access as per the user profile (in case VLAN 25 is not present at the remote office). I'm not sure about your setup, but this is very much achievable.

Regards,

~JG

Do rate helpful posts!
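
An added example (not from either poster or from the linked guide) of one way to handle question 3: have ACS return a VLAN name in Tunnel-Private-Group-ID and define that name with a different VLAN ID at each office. The VLAN name STAFF, VLAN 40, the interface, the server address 192.0.2.10 and the key placeholder are assumptions, and exact command syntax depends on the platform and IOS release.

```text
! ---- ACS user/group profile (identical for every site) ----
! IETF RADIUS attributes returned in the Access-Accept:
!   [64] Tunnel-Type             = VLAN
!   [65] Tunnel-Medium-Type      = 802
!   [81] Tunnel-Private-Group-ID = STAFF
! Attribute 81 carries a VLAN name here instead of the number 25,
! so each switch resolves it against its own VLAN database.

! ---- Office A access switch ----
aaa new-model
aaa authentication dot1x default group radius
! Network authorization must be enabled, otherwise the switch
! ignores the VLAN attributes sent by the RADIUS server.
aaa authorization network default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <shared-secret>
dot1x system-auth-control
!
vlan 25
 name STAFF
!
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto

! ---- Office B access switch ----
! Same aaa / radius-server / dot1x lines as Office A.
! VLAN 25 does not exist here; the same name maps to a local VLAN ID.
vlan 40
 name STAFF
!
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto

! Check the result on either switch after the user authenticates:
!   show vlan brief
!   show interfaces FastEthernet0/1 switchport
! If the name or ID returned by RADIUS is not defined on the local
! switch, the assignment is treated as invalid and the port is not
! authorized, so every site needs a VLAN carrying the returned name.
```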