06-01-2007 05:07 PM - edited 03-09-2019 06:06 PM
I am trying to set up 802.1x PEAP in my home lab. I have:
- A Windows 2003 Enterprise Server with SP2 and the latest patches running as Active Directory, DHCP, DNS, WINS. The AD domain name is LAB. The Windows 2003 box is also running Cisco ACS 4.0.1 with a self-signed certificate. I can log into the box at https://PEAP8021x:2002 so the cert works. I also configured the ACS so that it can also use AD accounts for authentication.
- A Cisco Catalyst 2960 running IOS version flash:c2960-lanbase-mz.122-25.SEE2.bin. This version supports 802.1x.
- A couple of Windows XP machines with Service Pack 2 and the latest patches that will act as clients for the domain LAB.
Everything is connected to the Catalyst 2960 switch via CAT-5 cables.
I would like to accomplish something very simple. Before user(s) on WinXP can even access the domain LAB, the WinXP machine must be authenticated with Cisco ACS with a username/password on the AD server so that the machine can be placed in the correct VLAN(s). If this is just a visitor and their machine is plugged into my network, authentication will fail and they will be put in a guest VLAN where the only connection they have will be access to the Internet and that will be it. All the information will be pushed out to the Catalyst from the Cisco ACS.
Can someone help me out on how to get this done? Thanks.
06-03-2007 07:21 PM
Enable machine authentication. Enable the Auth-Fail-VLAN on your switchport. Configure security around this VLAN such that it only has access to the Internet via a path isolation technique.
These guides might help:
<http://www.cisco.com/en/US/netsol/ns656/networking_solutions_design_guidances_list.html#anchor7>
06-03-2007 09:11 PM
Hi,
You would need to do the following:
- Machine authentication with user authentication (this part is tricky on WinXP; you may get intermittent results)
Something to help you:
-----------------
Windows Registry Editor Version 5.00
; Wired 802.1x supplicant settings for Windows XP SP2 (applies to all interfaces)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]
; 3 = fully IEEE 802.1x compliant: the client sends EAPOL-Start frames itself
"SupplicantMode"=dword:00000003
; 1 = machine authentication, then re-authenticate with user credentials once a user logs on
"AuthMode"=dword:00000001
------------------
- Machine Access Restriction (MAR) (it's on ACS)
- Guest VLAN or auth-fail VLAN
Wired 802.1x:
Configuring IEEE 802.1x Port-Based Authentication:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12122ea7/scg/sw8021x.htm
Regards,
Prem
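As an added illustration (not part of either reply above), here is a Catalyst 2960 configuration that ties the pieces together: RADIUS pointing at the ACS, dot1x on the access port, a guest VLAN for clients with no supplicant, and a restricted (auth-fail) VLAN for clients that fail authentication. The ACS address 192.0.2.10, the VLAN numbers, the port and the shared-secret placeholder are assumptions for the example.

```cisco
! --- AAA: authenticate dot1x sessions against the ACS, and allow the ACS
! --- to push the VLAN (authorization) back to the switch
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
! --- ACS 4.0.1 as the RADIUS server (address and secret are example values)
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key REPLACE-WITH-SHARED-SECRET
!
! --- Turn 802.1x on globally; per-port settings below do nothing without this
dot1x system-auth-control
!
! --- VLANs: 10 = domain clients, 30 = Internet-only (guest / auth-fail)
vlan 10
 name LAB-CLIENTS
vlan 30
 name GUEST-INTERNET-ONLY
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 ! port starts closed; opens only after a successful EAP exchange
 dot1x port-control auto
 ! no EAPOL reply at all (no supplicant) -> guest VLAN
 dot1x guest-vlan 30
 ! EAP failure (unknown user, wrong password) -> restricted VLAN after 3 tries
 dot1x auth-fail vlan 30
 dot1x auth-fail max-attempts 3
 ! re-run authentication periodically so a lost host does not keep its VLAN
 dot1x reauthentication
 dot1x timeout reauth-period 3600
 spanning-tree portfast
!
! --- On the ACS side, the group for LAB machines/users returns the
! --- standard RADIUS (IETF) tunnel attributes so the switch moves the
! --- port into VLAN 10:
! ---   Tunnel-Type              = VLAN (13)
! ---   Tunnel-Medium-Type       = 802  (6)
! ---   Tunnel-Private-Group-ID  = 10   (or the VLAN name "LAB-CLIENTS")
```

Because PEAP authenticates the server first, the XP supplicant must trust the self-signed ACS certificate (install it in the clients' Trusted Root store, or temporarily untick "Validate server certificate" in the lab); otherwise the EAP exchange fails before any VLAN assignment happens and every client lands in VLAN 30.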