
802.1x Implementation Anyone?

Status
Not open for further replies.

BigJammer (IS-IT--Management, US), Mar 3, 2004
I'm using CiscoSecure ACS ver. 3.2 as my RADIUS server. The setup of 802.1x on the switches is easy. I was curious if anyone has used CiscoSecure as their RADIUS server and how they set it up. MAC filtering? Dynamic VLANs? Thanks!
 
I'm trying to set up CiscoSecure (as a test environment) as well at the moment. 802.1x is already working well with PEAP. I'm looking forward to implementing EAP-TLS this week or next week (when I have the time).
What is your exact question?
I've not done dynamic VLAN assignment because it wouldn't be of any benefit at our place, so I can't help you there.
There should be lots of documentation on cisco.com like:
Do you have any specific questions?

bye,
busche
 
Thanks for the reply. I guess my main question is where do you configure 802.1x authentication within the CiscoSecure web interface? I also notice that there are different types of EAP (certificate-based, etc.)... in your experience, has PEAP worked out the best for you? I'm starting this from scratch and picking up piece by piece as I go along, so my knowledge on this whole subject is very limited. Can you somehow enact MAC filtering using 802.1x and CiscoSecure RADIUS? Sorry for the general confusion... like I said in my original post, I've got the information from Cisco on how to set up the client and the switch... now it's configuring the CiscoSecure RADIUS service... which doesn't seem to be too straightforward in its documentation on how this way of authenticating should be set up. I appreciate the help.
 
There should be an option where you can configure one of the different possible authentication methods. You also need to add the switch you are using for authentication with the same shared secret you used in the switch config. I can give you more detailed information about that later on when I get back into the test lab, but maybe you will find it without that.

Yes, there are different EAP types (you will have to configure the client for the authentication method you want to use):
PEAP seems to be quite easy to implement (with Cisco equipment) and also seems to be quite safe. It uses server-side authentication with certificates and can use client-side authentication with different password types (I think it can also use certificates, but in that case you could also use EAP-TLS). You will need a certification authority.
One more important thing: PEAP is not a standard. There is a new Internet draft from 3-4 weeks ago, but it is not even an RFC yet.

Another solution is EAP-TLS. It seems to be the safest solution. You use mutual authentication with server-side and client-side certificates. It might be harder to implement, and you will need certificates on all of your clients. I'm looking forward to testing EAP-TLS in the future but haven't gotten that far yet.

Other solutions are EAP-FAST (Cisco solution), LEAP (Cisco solution) and EAP-MD5. You will need to get more information to decide which solution fits best for you.
My opinion is: big LANs in big companies: go for EAP-TLS or PEAP. For small solutions EAP-FAST might be a good solution.

To the question about MAC filtering: I'm not quite sure about that. Usually you would use port security to restrict MACs. Do you really need it when you use 802.1x? In the case of using EAP-TLS, for example, no PC would be able to access your LAN if it has no useful certificate.
 
Hi,

I'm using CiscoSecure 3.2.

The following is what I could bring up:

1. Your switch should be configured as an AAA client with the key and the AAA server IP address.
2. On ACS, under Network Configuration:

   Add the AAA client address (your switch).
   Specify the key.
   Specify IOS/PIX RADIUS.

-------------------------------------------------
Create a user.
Authentication will be done by ACS.
If it succeeds, the switch will open the connection on the assigned port of the switch.
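The switch side of the setup described in this thread (the AAA client with a shared secret that must match the ACS entry, 802.1x on an access port, and port security as the usual way to restrict MACs rather than 802.1x itself), as an added Cisco IOS example; it is not configuration from any poster or from Cisco's own documentation. The ACS address 10.1.1.10, the shared secret S3cr3tKey, VLAN 20 and the interface names are assumed placeholder values.

```cisco
! Added example, not from the thread. Assumed values: ACS at 10.1.1.10,
! shared secret S3cr3tKey, authenticated VLAN 20. Adjust to your site.
aaa new-model
! 802.1x supplicants are authenticated against the RADIUS server group
aaa authentication dot1x default group radius
! Only needed if ACS is to push a per-user (dynamic) VLAN to the port
aaa authorization network default group radius
! The key here must be byte-for-byte identical to the Key entered for this
! AAA client in ACS; a mismatch shows up as rejected/ignored RADIUS replies
radius-server host 10.1.1.10 auth-port 1812 acct-port 1813 key S3cr3tKey
! Enable 802.1x globally; without this the per-port command has no effect
dot1x system-auth-control
!
interface FastEthernet0/1
 description 802.1x-protected user port
 switchport mode access
 switchport access vlan 20
 ! Port stays blocked (only EAPOL passes) until the supplicant authenticates
 dot1x port-control auto
!
interface FastEthernet0/2
 description Port without 802.1x: restrict by MAC with port security instead
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
! Dynamic VLAN (optional): for the user or group in ACS, return these
! IETF RADIUS attributes (RFC 3580); the switch then overrides VLAN 20:
!   Tunnel-Type (64)             = VLAN (13)
!   Tunnel-Medium-Type (65)      = 802 (6)
!   Tunnel-Private-Group-ID (81) = 20
!
! Check the result with:
!   show dot1x interface FastEthernet0/1
!   show port-security interface FastEthernet0/2
```

If authentication never completes, the first two things to compare are the shared secret on both sides and whether `dot1x system-auth-control` is actually set; `debug radius` on the switch shows whether ACS is answering at all.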

 