10-20-2008 09:50 PM - edited 03-10-2019 04:08 PM
I am creating a lab environment to test 802.1x prior to implementing it into production.
I wanted to know what the pros and cons of this security feature at layer 2 are.
How does it really work behind the scenes?
The reason why I want to implement this feature/function is because I'm just one of two network administrators who manage well over 800 networking devices (totally Cisco shop) and 62 remote sites, and we struggle with the moves, adds, and changes, port VLAN assignment (management), users moving their workstations, users moving their VoIP phones, etc. If anyone can speak on implementing wired 802.1x in a medium to large network I will be happy to hear about the real-life pros and cons.
10-20-2008 11:32 PM
We implemented 802.1x in my previous company (similar size as yours)
You are right, it can bring a lot of problems.
Before that we deployed a management solution, Cisco LMS 3.0... It really helped us with configuration, config backup, network overview, discrepancy reports, user tracking, troubleshooting (getting rid of fake hubs etc.)... It cleaned up our network and saved a lot of time... I suggest having a good management solution before you move to 802.1x.
We also separated devices that are not able to authenticate via 802.1x (printers, faxes) into a separate VLAN.
Then we started in one segment (VLAN) which was the most stable (no changes, no moves)...
It worked fine... Then we smoothly moved to other VLANs step by step...
The truth is that it took a lot of time (one of my colleagues was working only on this project for some time)... But we managed it and it works fine... I would also ask your Cisco vendor for consultancy and help.
Hope that helps
M.
10-21-2008 06:52 AM
Hi M.SIR
Thanks for the feedback, it helps to chat with someone who has actually been through this.
The management solution you used was LMS 3.0?
How did you handle legacy PCs (Windows 2000, 98) if there were any?
What about RDP (Remote Desktop)? Did you encounter problems trying to manage desktops remotely?
10-21-2008 01:20 PM
m.sir
Are there any tips you can give me prior to deployment, things that ended up being gotchas during deployment?
10-23-2008 09:19 PM
Yes, most of the issues you'll have will be on the Windows side and not on the Cisco side. A few come to mind:
- Windows XP (even SP3) has issues with executing logon scripts while the network is being changed (VLAN assignments) on boot.
- Use machine authentication to support environments that need logon scripts.
- Consider MAC authentication as well to support environments that need remote boot/management.
- Start small, fail open at first: even if user "fails" 1x auth, put them on the production VLAN while you test the entire environment.
I'm doing an 802.1x rollout for about 500 PCs (plus 500 devices that are not 1x capable) right now and these are some of the issues we've seen.
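The port-level side of the tips above (802.1X first, MAC authentication bypass for devices without a supplicant, and a "fail open" first phase) maps onto a small Catalyst switch configuration. The following is an added example, not configuration posted by anyone in this thread; it assumes a Catalyst running IOS with the IBNS `authentication` command set (12.2(50)SE or later), and the RADIUS server address `10.0.0.5`, the shared key, and VLANs 10/20/99 are placeholders.

```cisco
! --- Global AAA / RADIUS (server address and key are placeholders) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key RADIUS-KEY-PLACEHOLDER
! Turn 802.1X on switch-wide; ports stay open until port-control is set
dot1x system-auth-control
!
! --- Access port with a PC daisy-chained behind an IP phone ---
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! One authenticated host in the data domain and one in the voice domain
 authentication host-mode multi-domain
 ! Try 802.1X first; fall back to MAB for printers, faxes, PXE/remote-boot hosts
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! Phase 1 "fail open" (monitor mode): authenticate and log, but never block traffic
 authentication open
 ! Shorten the EAP-Request/Identity retries so a MAB-only host falls back quickly
 dot1x timeout tx-period 5
 dot1x max-reauth-req 2
 mab
 dot1x pae authenticator
 !
 ! Phase 2 (enforcement) once the logs look clean: remove "authentication open" and
 ! decide where failures and silent hosts land, e.g. a restricted VLAN 99.
 ! no authentication open
 ! authentication event fail action authorize vlan 99
 ! authentication event no-response action authorize vlan 99
 ! Keep remote sites working if every RADIUS server is unreachable
 ! authentication event server dead action authorize vlan 10
 ! authentication event server alive action reinitialize
```

With `authentication open` in place, `show authentication sessions interface Gi1/0/1` (and the RADIUS accounting records) tell you which hosts would have failed or timed out before any port is actually closed; the commented phase-2 lines are the switch-side equivalent of "put them on the production VLAN while you test", and swapping VLAN 99 for VLAN 10 there reproduces that behaviour under enforcement.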
10-24-2008 07:07 AM
Hi fsmontenegro,
So for windows logon scripts issues, how did you resolve that issue?
When you say machine authentication, are you speaking of Active Directory or local machine logon?
10-21-2008 01:43 PM
Yes, LMS 3.0... We were lucky, only Win XP; RDP worked fine.
M.
10-24-2008 06:57 AM
Thanks for the tips.