02-24-2015 02:49 AM - edited 03-07-2019 10:49 PM
Hi everyone. I have some misunderstood issues and want to ask your advice. In my lab network I have some VMs with AD/DNS/NPS server roles (Hyper-V environment, external NIC for each PC), and also a 2960 switch (12.2) with dot1x enabled on one port for testing AD member VLAN assignment with NPS rules. Well, it is working. But when I try logging in with some account that hasn't connected to AD yet, the Cisco port awaits authentication and I can't enter credentials because I can't log in to the domain controller. How to get the DC accessible before the 802.1x handshake? All addresses are static for simplicity. Thanks
Solved!
02-24-2015 09:26 AM
Hi,
You can surely configure 802.1X authentication with MS NPS and a Cisco Cat 2960. While I am not sure I understand what exactly your problem is, I would like to point you to the Open1x authentication option using the "authentication open" interface command. This was introduced in 12.2(50):
Nevertheless I should say I have never been forced to use this option when configuring 802.1X using MS AD with 2008, 2008R2, 2012 and 2012R2 servers as DCs, including in a VMware environment.
Good luck!
Best regards,
Antonin
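To make the difference concrete, here is an added IOS configuration example (not from this thread or from Cisco's documentation) showing the closed-mode port the original poster described next to an open-mode port. The interface name, the ACL name PREAUTH-DC and the DC address 10.0.0.10 are placeholders; the ports listed are the ones a domain logon typically needs (DNS, Kerberos, LDAP, SMB).

```cisco
! Closed mode (as in the original post): nothing is forwarded until 802.1X
! succeeds, so a PC with no cached domain credentials can never reach the DC.
! "authentication port-control auto" is the newer form of "dot1x port-control auto".
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 1
 authentication port-control auto
 dot1x pae authenticator
!
! Open mode ("authentication open", 12.2(50) and later): the port forwards
! traffic before 802.1X completes. On its own that gives an unauthenticated
! host full access to VLAN 1, so pair it with a pre-authentication port ACL
! that only lets the domain logon traffic through.
! Assumed/placeholder values: ACL name PREAUTH-DC, DC address 10.0.0.10.
ip access-list extended PREAUTH-DC
 remark DNS
 permit udp any host 10.0.0.10 eq 53
 permit tcp any host 10.0.0.10 eq 53
 remark Kerberos
 permit udp any host 10.0.0.10 eq 88
 permit tcp any host 10.0.0.10 eq 88
 remark LDAP and SMB (group policy, logon scripts)
 permit tcp any host 10.0.0.10 eq 389
 permit tcp any host 10.0.0.10 eq 445
 remark DHCP, only needed if addresses are not static
 permit udp any eq bootpc any eq bootps
 remark everything else is dropped and logged until 802.1X succeeds
 deny   ip any any log
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 1
 ip access-group PREAUTH-DC in
 authentication open
 authentication port-control auto
 dot1x pae authenticator
```

After a host authenticates, check the session and the ACL actually applied with `show authentication sessions interface GigabitEthernet0/1`; a static port ACL stays in force after authentication unless the RADIUS server returns one that replaces it, so verify the post-authentication access is what you intended.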
02-24-2015 03:36 AM
I'm not sure I follow.
The 802.1x authentication comes before any authentication to the windows domain.
If you want to tie the two together then you tell your ACS (if that is what you are using) to use AD for the user credentials.
Then when the user authenticates to the network they are also authenticated into the domain.
See this link for details -
Jon
02-24-2015 03:53 AM
Thanks for the answer, unfortunately I don't use Cisco ACS.
02-24-2015 04:33 AM
What do you use ?
It may be possible to do the same thing.
Jon
02-24-2015 05:41 AM
Thank Jon!
I have three Cisco switches and a Windows environment for services. That's all I have. Is it possible to assign the switch port to some VLAN (guest VLAN I suppose) with DC access before 802.1x authentication? Could you advise some other solution for my issue?
02-24-2015 05:47 AM
I don't think you can do this.
802.1x authentication determines whether the user (or machine) is allowed access to the network.
So you would never be able to access the DC before you had successfully authenticated.
Are you asking if you can use AD directly, i.e. have the Cisco switches talk directly to AD without the need for ACS?
If so the short answer is I don't know.
How are you doing dynamic VLAN assignment at the moment, i.e. where are the rules set up and how is it working?
Jon
02-24-2015 09:26 AM
I use dynamic VLAN assignment with an MS NPS server based on membership in an AD group. The Cisco config is as simple as dot1x port-control auto on the port.
Well, I guess I can't do it without ACS. Many thanks Jon!
Update
Finally I've installed an ACS server for testing and joined it to AD. What are the next steps to integrate AD authentication through ACS and NPS? Thanks
02-24-2015 02:50 PM
Hi Amikat. Thanks for the advice, really. After enabling the port open feature and installing the MS KB (which fixes the restart and logoff bug in W7) it's working! Before the 802.1X authentication process, the port is assigned to VLAN 1 with the DC and the PC can log in to the domain. After that, the process checks credentials and NPS returns the VLAN assignment options to the Cisco switch. Good luck!