802.1x with AD authentication in a wired environment

jspichalla
Level 1

Hello,

I have a question about 802.1x authentication. I want to use a combination of 802.1x and domain authentication on a Microsoft AD. I think the first login request is the domain login, but the port on the switch is always blocked. After the PC is already up, I can log in with 802.1x authentication. Please let me know what the best solution is for this scenario. The customer needs a domain login and he wants to use 802.1x authentication.

Is there a solution with only one login request?

thanks

Jens

Accepted Solution

You can enable Machine Authentication with Windows 2000/XP/2003 clients. For this to work you need to use either PEAP or EAP-TLS. PEAP requires only a certificate on the RADIUS Server. EAP-TLS requires a client certificate installed in the machine store on the 2000/XP/2003 client. With Machine Authentication the switchport authenticates the PC using 802.1x prior to user logon.

You can push certificates down to Machines & Users via Active Directory Group Policy (you can't push user certificates down with a 2000 AD or 2000 Clients). You need to also enable Remote Access privileges for Machines as well.

http://support.microsoft.com/kb/318750/EN-US/

http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx

I have this deployed in a test environment at the moment using Microsoft IAS (Radius). Due to the way the IAS policies are created you need to plan things out carefully. Each switch has to be added individually to the IAS Server so it can look ugly (no more so than a DHCP server though).

HTH

Andy

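The switch side of what Andy describes, as an added example that is not from the original post or from the Microsoft documents he links: a classic Cisco IOS configuration for a Catalyst access port that points at the IAS RADIUS server. The port stays blocked until the supplicant passes EAP, and with Machine Authentication enabled on the client it opens when the PC itself authenticates, before the Windows logon prompt, so the domain logon that follows can reach the DC through the already-open port. The server address 192.0.2.10, VLAN 10, the interface name and the `<shared-secret>` placeholder are assumptions; the secret must match the RADIUS client entry created for this switch on the IAS server.

```text
! Added example (not from the thread): classic IOS 802.1x on a Catalyst access switch.
! Assumed values: IAS server 192.0.2.10, access VLAN 10, interface FastEthernet0/1,
! and the placeholder <shared-secret> (same value as the switch's RADIUS client entry in IAS).
aaa new-model
aaa authentication dot1x default group radius
! Only needed if IAS will return a VLAN or ACL to the switch via RADIUS attributes.
aaa authorization network default group radius
!
! IAS listens on UDP 1812/1813 (and the legacy 1645/1646) by default.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <shared-secret>
! Send RADIUS from a stable address: IAS matches the switch to its client entry by source IP.
ip radius source-interface Vlan1
!
! Enable 802.1x globally; without this the per-port commands have no effect.
dot1x system-auth-control
!
interface FastEthernet0/1
 description PC with Windows XP supplicant (machine + user authentication)
 switchport mode access
 switchport access vlan 10
 ! "auto" keeps the port blocked until EAP succeeds; machine authentication
 ! opens it before user logon, user authentication re-runs EAP after logon.
 dot1x port-control auto
 ! Periodic reauthentication so a PC whose certificate or account was revoked is cut off.
 dot1x reauthentication
 dot1x timeout reauth-period 3600
 spanning-tree portfast
!
! On 12.2(50)SE and later the two per-port 802.1x commands are written as:
!  dot1x pae authenticator
!  authentication port-control auto
```

To confirm the order of events, `show dot1x interface FastEthernet0/1` on the switch shows the port state, and the IAS log on the server shows the identity that authenticated: a User-Name of the form `host/<computername>` is the machine authentication that opened the port before anyone logged on, while the later `DOMAIN\user` entry is the user authentication. If only the second kind ever appears, the client is not doing machine authentication and the port will stay blocked until after logon, which is exactly the symptom in the question.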

3 Replies

jarathbu
Level 1

Hello,

With an ACS Server you can configure authentication via Windows.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a00802335f9.html#wp792699

Hope this helps.

Regards,

James

Hello,

thanks for the reply, but my question is this:

Is there a solution that combines a domain request and an 802.1x request? The user must log in to a domain and the switch is configured with 802.1x.

regards

Jens
