dot1x and sso

ohassairi
Level 5

We want to deploy dot1x in our LAN.

I want to know if it is possible to let the dot1x client automatically use the Windows username/password and send them to the switch without prompting the user to enter them manually.

If yes, how? Any good document?

Note: ACS will be integrated with the Windows domain. All users are joined to the domain.

1 Accepted Solution

Accepted Solutions

ansalaza
Level 1

If using the Windows built-in supplicant, you could try:

To enable single sign-on, check the option for Automatically use my Windows logon name and password (and domain if any). Click OK to accept this setting, and then click OK again to return to the network properties window.

https://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0e4.shtml#wc-2

ACS should be installed on a Member Server of the Domain in order to query AD:

https://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0e4.shtml#acs-6

This doc is for a wireless client and uses ACS 3.x, but the concept is the same:

The Unknown User Policy enables ACS to use a variety of external databases to attempt authentication of unknown users. This feature provides the foundation for a basic single sign-on capability through ACS. Because external user databases handle the incoming authentication requests, you do not have to maintain the credentials of users within ACS, such as passwords. This eliminates the necessity of entering every user multiple times and prevents data-entry errors inherent to manual procedures.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2.1/User_Guide/UnknUsr.html#wp277232

HTH

4 Replies


Thank you for your help.

Now I can dot1x-authenticate users using Windows credentials and dynamically assign ports to their VLAN.

The RADIUS server must return these attributes to the switch:

[64] Tunnel-Type = VLAN

[65] Tunnel-Medium-Type = 802

[81] Tunnel-Private-Group-ID = VLAN name or VLAN ID

Attribute [64] must contain the value VLAN (type 13). Attribute [65] must contain the value 802 (type 6). Attribute [81] specifies the VLAN name or VLAN ID assigned to the 802.1x-authenticated user.

Note: For attributes to show up in the Group and User sections, they first have to be configured as required in the Interface Configuration section.

This talks about how to assign a VLAN to a user:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_50_se/configuration/guide/sw8021x.html#wp1289244

You can also do group mapping to associate the Active Directory Users to ACS Groups, then assign the proper VLAN profile to the ACS Groups:

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00808c9bd1.shtml#c4

HTH
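The three RADIUS attributes above are tagged attributes from RFC 2868, and a switch only acts on them when the values are exactly right and the reply is authentic. The following Python is an added example written for this thread, not Cisco or ACS code: it builds an Access-Accept carrying [64]=13, [65]=6 and [81]=VLAN, computes the RFC 2865 Response Authenticator, and then checks the reply the way a NAS would (authenticator first, then a matching VLAN/802/group-id triple under one tag). The shared secret, Request Authenticator, packet identifiers and VLAN values are constructed sample data.

```python
"""Dynamic-VLAN RADIUS attributes, built and checked the way a switch does.

Added example written for this thread; it is not Cisco code and not the
ACS configuration. All secrets, identifiers and VLAN values are constructed.
"""
import hashlib
import hmac
import struct

# Attribute types from RFC 2868 (the [64]/[65]/[81] numbers in the post)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value "VLAN (type 13)"
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type value "802 (type 6)"

CODE_ACCESS_ACCEPT = 2


def tagged_int_attr(attr_type, tag, value):
    """Tagged integer attribute: Type, Length=6, Tag, 3-byte big-endian value."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    if not 0 <= value < 1 << 24:
        raise ValueError("value must fit in 24 bits")
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def tagged_string_attr(attr_type, tag, value):
    """Tagged string attribute: Type, Length, Tag, then the string bytes."""
    data = value.encode("ascii")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    if len(data) + 3 > 255:
        raise ValueError("attribute too long")
    return struct.pack("!BBB", attr_type, len(data) + 3, tag) + data


def vlan_attributes(vlan, tag=1):
    """The three attributes from the post, all under one tag.
    `vlan` may be a VLAN ID ("20") or a VLAN name ("Engineering")."""
    return (tagged_int_attr(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int_attr(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + tagged_string_attr(TUNNEL_PRIVATE_GROUP_ID, tag, vlan))


def access_accept(identifier, request_auth, attrs, secret):
    """Access-Accept with the RFC 2865 Response Authenticator:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attributes(attrs):
    """Return [(type, tag, payload)]; tag is 0 for untagged attributes."""
    out, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        payload, tag = attrs[i + 2:i + alen], 0
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(payload) != 4:
                raise ValueError("tunnel integer attribute must be 6 bytes")
            tag, payload = payload[0], payload[1:]      # tag byte always present
        elif atype == TUNNEL_PRIVATE_GROUP_ID and payload and payload[0] <= 0x1F:
            tag, payload = payload[0], payload[1:]      # RFC 2868 3.6: tag only if <= 0x1F
        out.append((atype, tag, payload))
        i += alen
    return out


def vlan_from_access_accept(packet, request_auth, secret):
    """Check the reply like a NAS would and return the VLAN to apply.
    Raises ValueError if the reply is not authentic or no single tag carries
    Tunnel-Type=VLAN, Tunnel-Medium-Type=802 and a Tunnel-Private-Group-ID."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    per_tag = {}
    for atype, tag, payload in parse_attributes(attrs):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            per_tag.setdefault(tag, {})[atype] = int.from_bytes(payload, "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            per_tag.setdefault(tag, {})[atype] = payload.decode("ascii", "replace")
    for found in per_tag.values():
        if (found.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and found.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in found):
            return found[TUNNEL_PRIVATE_GROUP_ID]
    raise ValueError("no tag has Tunnel-Type=13, Tunnel-Medium-Type=6 and a group id")


def accepted_vlan(packet, request_auth, secret):
    """The VLAN string, or None when the switch would ignore the reply."""
    try:
        return vlan_from_access_accept(packet, request_auth, secret)
    except ValueError:
        return None


if __name__ == "__main__":
    secret = b"constructed-shared-secret"     # constructed sample data
    req_auth = bytes(range(16))               # constructed Request Authenticator
    good = access_accept(7, req_auth, vlan_attributes("20"), secret)
    print("good reply ->", accepted_vlan(good, req_auth, secret))
    # Common mistake: Tunnel-Type left at a non-VLAN value (1 = PPTP)
    bad = (tagged_int_attr(TUNNEL_TYPE, 1, 1)
           + tagged_int_attr(TUNNEL_MEDIUM_TYPE, 1, TUNNEL_MEDIUM_IEEE_802)
           + tagged_string_attr(TUNNEL_PRIVATE_GROUP_ID, 1, "20"))
    print("bad reply  ->", accepted_vlan(access_accept(8, req_auth, bad, secret), req_auth, secret))
```

Two points worth taking from the example when troubleshooting a port that stays in its static VLAN: a reply whose Response Authenticator does not verify (wrong shared secret on switch or ACS) is silently discarded before the attributes are ever looked at, and the three attributes are only usable together, so a Tunnel-Type of anything other than 13 or a Tunnel-Medium-Type other than 6 leaves the Tunnel-Private-Group-ID ignored.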

This is exactly what I did.

Thanks.
