
802.1x

volyashevsky
Level 1

Is it possible to implement port security with the following components:

Windows XP (EAP-MD5) --- Catalyst 4006 (7.2.1) --- ACS (3.1) --- External DB: Windows AD or Windows SAM

Thank you.

2 Replies

jekrauss
Level 1

Short question, quick negative answer, but a possible option is buried in the longer discussion :)

Nope. EAP-MD5 is not compatible with AD or the NT SAM. It is only supported against the ACS DB.

Other options include:

1) using the local ACS db (I know, you lose the advantage of the integrated DB, but that's not a characteristic of ACS, but rather of AD and SAM)

2) you can use EAP-TLS, but it requires that the client have a certificate installed, and that a cert server be installed on the NT/AD DC. In my opinion, difficult to achieve if you have lots of supplicants (clients) to install the certs on.

3) you may be able to do PEAP (server-side authentication) to the NT DB for Catalyst switches, which doesn't require a certificate on the client. Although I haven't personally tested this on a Catalyst switch, I've tested PEAP on wireless and I've tested EAP-MD5 on the switch, so between the two.....

I think it should work. The reason is, PEAP support is just tunneled EAP, so to the switch, it should just be EAP - it's the authenticator (ACS) and the supplicant (XP) that really matter. If you pursue it and it works, I'd like to know.

Here are some references that may be helpful:

1) PEAP limitations (external DBs only; the local ACS DB will be supported in a future version of ACS)

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs31/rnacs311.htm#xtocid16

2) Some helpful descriptions of PEAP support, including supported external DB's (although this references wireless, most of this applies to PEAP in general)

http://www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/1942_pp.htm

3) Discussion of EAP and configuration of EAP on catalyst switches

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/rel7_2/config/authent.htm#xtocid9

4) White Paper: Guidelines for the Deployment of

Cisco Secure ACS for Windows NT/2000 Servers in a Cisco Catalyst Switch Environment

http://www.cisco.com/warp/public/cc/pd/sqsw/sq/tech/deacs_wp.htm

HTH

Jeff
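The reason behind the "nope" above can be made concrete. EAP-MD5 reuses the CHAP computation from RFC 1994: the supplicant returns MD5(Identifier || Secret || Challenge), so the authentication server must hold the clear-text secret to recompute and compare it. A directory that stores only a one-way hash of the password (AD or the NT SAM) cannot do that, whereas the ACS internal database, which keeps the secret itself, can. The following is an added example, not code from the thread or from Cisco; the SHA-256 used for the hashed directory is a stand-in assumption for illustration (the real stores keep the NT hash, but the point is the same), and the class and function names are invented here. The last function is a caveat worth knowing when EAP-MD5 is used on a switch port: the challenge and response travel in clear EAPOL frames, so a captured exchange can be tested against a wordlist offline.

```python
import hashlib
import hmac
import os
from typing import Optional


def eap_md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Supplicant side of EAP-MD5: the CHAP response from RFC 1994,
    MD5(Identifier || Secret || Challenge). Identifier is the one-octet
    EAP identifier; Secret is the clear-text password."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class LocalAcsDb:
    """Stand-in (assumed name) for the ACS internal database: it holds the
    clear-text secret, so it can recompute the MD5 response itself."""

    def __init__(self) -> None:
        self._secrets: dict[str, bytes] = {}

    def add_user(self, username: str, password: str) -> None:
        self._secrets[username] = password.encode()

    def verify_eap_md5(self, username: str, identifier: int,
                       challenge: bytes, response: bytes) -> bool:
        secret = self._secrets.get(username)
        if secret is None:
            return False
        expected = eap_md5_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


class HashedDirectory:
    """Stand-in (assumed name) for an external directory such as AD or the
    NT SAM: only a one-way hash of the password is stored. SHA-256 is an
    assumption for illustration; the real stores keep the NT hash, but
    either way the clear-text secret is not available to the RADIUS server."""

    def __init__(self) -> None:
        self._hashes: dict[str, bytes] = {}

    def add_user(self, username: str, password: str) -> None:
        self._hashes[username] = hashlib.sha256(password.encode()).digest()

    def verify_eap_md5(self, username: str, identifier: int,
                       challenge: bytes, response: bytes) -> bool:
        # MD5(id || password || challenge) cannot be derived from H(password):
        # the hash is one-way and the two constructions do not compose, so
        # there is nothing to compare the supplicant's response against.
        raise NotImplementedError(
            "EAP-MD5 requires the clear-text secret; a hash-only store cannot verify it")

    def verify_clear_text(self, username: str, password: str) -> bool:
        # What a hash-only store can do: check a clear-text password that is
        # presented to it, which is the shape of check a tunnelled method
        # such as PEAP can deliver.
        stored = self._hashes.get(username)
        if stored is None:
            return False
        return hmac.compare_digest(hashlib.sha256(password.encode()).digest(), stored)


def offline_dictionary_attack(identifier: int, challenge: bytes,
                              response: bytes, wordlist: list[bytes]) -> Optional[bytes]:
    """Eavesdropper's view of EAP-MD5: identifier, challenge and response are
    all visible in the EAPOL frames, so candidate passwords can be tested
    offline. Returns the matching candidate, or None."""
    for candidate in wordlist:
        if eap_md5_response(identifier, candidate, challenge) == response:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample exchange: identifier 7, a random 16-octet challenge.
    challenge = os.urandom(16)
    response = eap_md5_response(7, b"s3cret", challenge)

    acs = LocalAcsDb()
    acs.add_user("alice", "s3cret")
    print("ACS internal DB verifies EAP-MD5:", acs.verify_eap_md5("alice", 7, challenge, response))

    ad = HashedDirectory()
    ad.add_user("alice", "s3cret")
    print("Hashed directory verifies clear-text password:", ad.verify_clear_text("alice", "s3cret"))
    try:
        ad.verify_eap_md5("alice", 7, challenge, response)
    except NotImplementedError as exc:
        print("Hashed directory and EAP-MD5:", exc)

    # Constructed wordlist for the offline check.
    print("Recovered from capture:", offline_dictionary_attack(7, challenge, response, [b"password", b"s3cret"]))
```

The contrast is the whole argument: the local ACS database can answer an EAP-MD5 exchange because it has the secret, the hashed directory cannot, and the same hashed directory has no trouble with a method that hands it something it can check. The dictionary function is the reason to treat EAP-MD5 as a lab method rather than a production one, independent of which database sits behind ACS.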

Thank you very much for the information.

I was afraid of that.

My goal is to proceed with the following scenario:

Win XP SP1 or Win2K SP3 with the 802.1x fix (PEAP) -- Catalyst -- ACS 3.1 -- External DB (AD or SAM)

I have recently downloaded the fix for Win2K, but I cannot seem to find the place to configure the settings. Could you please point me in the right direction?

Thank you.