
Integrate RADIUS Authentication with Windows Server NPS

Ivan Rivai
Level 1

Hello.

I'm using Windows Server 2012 R2 and Cisco Switch Catalyst 2960X.

Firstly, I've deployed 802.1x and NAP. So basically I want to authenticate RADIUS login to the switches, L3s, and routers. For now, I have a different RADIUS server using FreeRADIUS, but I want to place the RADIUS in the Windows server, to make it centralized. I've tried following the tutorial here:

https://www.freeccnaworkbook.com/blog/ccna-security/cisco-ios-radius-authentication-with-windows-server-2012-nps

But that's the condition where 802.1X has not been deployed.

So my question is, can the network devices authenticate 2 different authentications? 

Thank you.

Best regards,

Ivan

5 Replies

pieterh
VIP

The tutorial you refer to is for management access to the device (this is not NAC).

Yes, for DOT1x authentication you can use a different RADIUS server than for management access.

Try this link (there may be a more recent one; this is from 2011)

Hello, thank you for your reply.

Can I actually use 1 radius server for both 802.1x auth and for management access auth?

Thank you.

Yes you can.

The server (group) referenced in 
     aaa authentication login ...
     aaa authentication enable .....
is for management

The server (group) referenced in
     aaa authentication dot1x .....
     aaa authorization network .....
is for 802.1x

Yeah, I've tried using this, but the auth failed.

I tried using another server, which is also a Windows server, installed the NPS role, and it works. So I'm assuming the server cannot take 2 different authentication requests?

Compare the policies you created on the two servers; there must be a difference.

With a single authentication server you need two policies for the same device.
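
The setup described in the replies above, as an added example that is not part of the original thread: one RADIUS server group referenced by both the management method lists and the 802.1X method lists. The server name NPS1, group name NPS-GROUP, address 192.0.2.10, the key placeholder and the interface are assumptions, and the NPS conditions named in the closing comments are one common way to separate the two policies, not something stated in the thread.

```ios
! Added example. Names, address, key and interface are placeholders.
aaa new-model
!
! One NPS server, defined once and placed in one server group.
radius server NPS1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>
!
aaa group server radius NPS-GROUP
 server name NPS1
!
! Management access: login and enable use the group.
! "local" and "enable" are fallbacks used only when the server
! does not respond, so a RADIUS outage does not lock admins out.
aaa authentication login default group NPS-GROUP local
aaa authentication enable default group NPS-GROUP enable
!
! 802.1X: port authentication and network authorization
! use the same group.
aaa authentication dot1x default group NPS-GROUP
aaa authorization network default group NPS-GROUP
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
! NPS side (assumption): the switch is a single RADIUS client, so
! the two request types must match two different network policies.
! A condition such as NAS Port Type can separate them:
!   Ethernet -> 802.1X policy (EAP methods, user/computer groups)
!   Virtual  -> management policy (admin group only)
! If both request types fall into the same policy, one of them
! is rejected because its authentication method is not allowed.
```

When comparing the working and failing NPS servers, the Network Policy and Access Services event log on each server records which policy a request matched and the reason code for a rejection.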
