I'm using Ciscosecure ACS ver. 3.2 as my radius server. The setup of the 802.1x on the switches is easy. I was curious if anyone has used Ciscosecure as their radius server and how did you set it up? MAC Filtering? Dynamic VLANS? Thanks!
I'm trying to setup CiscoSecure(as a test environment) as well at the moment. 802.1x is already working good with peap. Am looking forward to implement eap-tls this week or next week(when I have the time).
What is your exact question?
I've not done dynamic VLAN assignment because it won't do any benefit at our place so I can't help you there.
There should be lots of documentation on cisco.com like:
Thanks for the reply. I guess my main question is where do you configure 802.1x authentication within the Ciscosecure web interface? I also notice that there are different types of EAP (certificate based, etc.)...in your experience, has peap worked out the best for you? I'm starting this from scratch and picking up piece by piece as I go along, so my knowledge on this whole subject is very limited. Can you somehow enact mac filtering using 802.1x and Ciscosecure Radius? Sorry for the general confusion...like I said in my original post, I've got the information from Cisco on how to set up the client and the switch....now it's configuring the Ciscosecure Radius service...which doesn't seem to be too straight forward in it's documentation on how this way of authenticating should be set up. I appreciate the help.
There should be an option where you can configure one of the different possible authentication methods. You also need to add the switch you are using for authentication with the same shared secret you used in the switch config. I can give you more detailled information about that later on when I get back into the testlab but maybe you will find it without that.
Yes there are different eap types(you will have to configure the client for the authentication method you want to use):
Peap seems to be quite easy to implement(with cisco equipment) and seems to be also quite save. It uses server side authentication with certifcates and can use clientside authentication with different password types(I think it can also use certificates but in that case you could also use eap tls). You will need a certification authority.
One more important thing. PEAP is not a standard. THere is a new internet draft since 3-4 weeks but it is not even a RFC yet.
Another solution is eap tls. It seems to be the solution that is most safe. You use mutual authentication with server side and client side certificates. It might be harder to implement and you will need certificates on all of you clients. I'm looking forward to test eaptls in the future but haven't gotten that far yet.
Other solutions are EAP-Fast(Cisco solution), LEAP (Cisco solution) and EAP MD5. You will need to get more information to decide which solution fits best for you.
My opinion is: Big LAN's in big companies: go for eap-tls or peap. For small solutions EAP-Fast might be a good solution.
To the question about MAC Filtering: I'm not quite sure about that. Usually you would use port security to restrict MACS. Do you really need it when you use 802.1x. In case of using eap-tls for eyample no pc would be able to access your LAN if he has no useful certificate.
-------------------------------------------------
Create an user
Authentication will be done By ACS
If done then Switch will open the connection on assigned port of the switch.
This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
By continuing to use this site, you are consenting to our use of cookies.