cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
505
Views
5
Helpful
3
Replies
Highlighted
Participant

802.1x and Port Security

Hi all,

I would like to ask about 802.1x.It is very simple question for you but i can't understand easily.

i would like to deploy 802.1x wired authentication.

  1.  i am applied static vlan and ACL rule is already applied on the switches.Can i deploy 802.1x configuration on existing production switches for authentication only to pass traffic ? Do not use for dACL function,DHCP functions and dynamic VLAN assign .is it ok ? i want to use static ACl and VLAN.
  2. i want to join My workgroup PCs (no domain joined) to my network and want to use 802.1x wired authentication with certificate.i don't want to type username and password.Any computer which is installed our certificate can connect to my network.Can it be or not ?

 

 

Everyone's tags (1)
2 ACCEPTED SOLUTIONS

Accepted Solutions
VIP Advisor RJI VIP Advisor
VIP Advisor

Re: 802.1x and Port Security

Hi,
1. Yes you can still authenticate the users/computers.

2. Yes you can, but how are you going to get the certificates on those devices? It's not so easy on a non-domain joined computer. If you are using ISE you could use the certificate enrollment portal to acquire a certificate, however this cannot be automated/transparent to the user. If the computer was domain joined, the GPO could automate the provisioning of certificates and renewals, without interaction from the user. Another option could be to use MAB for those devices, find out their MAC addresses and permit only those devices. This is less secure than dot1x however, but possibly easier for you to manage.

HTH
VIP Advisor RJI VIP Advisor
VIP Advisor

Re: 802.1x and Port Security

Ok. Yes, you can manually create a CSR on the non-domain joined computer, get it signed and import the signed certificate on the computer.

HTH
3 REPLIES 3
VIP Advisor RJI VIP Advisor
VIP Advisor

Re: 802.1x and Port Security

Hi,
1. Yes you can still authenticate the users/computers.

2. Yes you can, but how are you going to get the certificates on those devices? It's not so easy on a non-domain joined computer. If you are using ISE you could use the certificate enrollment portal to acquire a certificate, however this cannot be automated/transparent to the user. If the computer was domain joined, the GPO could automate the provisioning of certificates and renewals, without interaction from the user. Another option could be to use MAB for those devices, find out their MAC addresses and permit only those devices. This is less secure than dot1x however, but possibly easier for you to manage.

HTH
Participant

Re: 802.1x and Port Security

Hi ,

thank for explain.

i consider manually create cert request file for all clients and manually install and renews .is it possible ? I already tested on Domain Joined PC scenario .I want to know work group PC can handle with 802.1x by using certificate or not ?

Everyone's tags (1)
VIP Advisor RJI VIP Advisor
VIP Advisor

Re: 802.1x and Port Security

Ok. Yes, you can manually create a CSR on the non-domain joined computer, get it signed and import the signed certificate on the computer.

HTH