ACS 5.1 authentication methods


I would like some input on this. I am implementing a Cisco 5.1 ACS server for wire-based port security.

I can get it working, but the trouble is that the computers try to reauthenticate whenever a user logs on, but I only want them to authenticate to ensure the machine is authenticated. I don't care about the user.

One thing I have not done is set up certificates, but I am thinking this might be the way.

Does anyone know how I go about doing this? I have 1500+ PCs (Windows 2000, and various service-packed XP) and the aim is straightforward.

If the PC belongs to us then it gets authenticated, if it is not ours then it does not.

I know you can set up machine only authentication but this would be a pain for all the various systems.

Anyone have any ideas? I also want as little user intervention as possible.
Aaron Street (Technical Infrastructure Architecture and Global Network Manager) Asked:

Then why do you just use port security instead of dot1x?

config t
interface X
switchport mode access
switchport port-security
switchport port-security mac-address sticky
end
wr mem

harbor235 ;}
Aaron Street (Technical Infrastructure Architecture and Global Network Manager) Author Commented:
Because port security is too static. We have people who move around with their PCs and plug in to spare wall sockets.

And you have to make the assumption that the PCs connected are the ones you want connected.

And you can't do role-based authentication. I am also using MAC address bypass to authenticate printers and putting them in the correct VLANs. I will also be using ACS for this with the client PCs as well.

Port security done and dusted, moving on to phase 2 now. ;)

Machine only authentication is mac address authentication via port security and perhaps "ip sourceguard" for a mac and IP. Dot1x is based on user authentication providing logon credentials via certificates or user/password combo.

As far as mobility, Dot1X does have the guest vlan feature that is pretty nice for those transient users.
Sounds like you may need to look over the features of both and pick the one that is best suited for your needs.

harbor235 ;}
Aaron Street (Technical Infrastructure Architecture and Global Network Manager) Author Commented:
No, you can set up machine-only authentication using either the XML profile (XP Service Pack 3 and above) or a reg edit in earlier service packs and Windows 2000.

What I wasn't sure about is, if I use certificate-based authentication, does this still rely on the computer's / user's own account details, or can it be certificate-only authentication, so as long as the PC has a certificate it will get authorised, with no interaction between the user's login credentials and the dot1x system?

When I say mobility, I need people to stay in the same subnet/VLANs as they move around buildings (they use docking stations to hot desk), so dot1x can pick up their credentials and assign them to the correct network wherever on site they move to. Something I can't easily do with MAC address / port security. I know you can build up MAC address databases and do it, but that's very fiddly to keep on top of.


gotcha, good luck

harbor235 ;}
Aaron Street (Technical Infrastructure Architecture and Global Network Manager) Author Commented:
I worked this out eventually.

You can export the 802.1x profile on a Windows XP machine, edit the XML file to machine-only authentication and then reimport it.

Or, for pre-XP Service Pack 2 and Windows 2000 machines, there is a reg edit to set it to machine-only authentication.

This makes no difference to the certificate authentication. If you have it set to machine only, only the machine needs a certificate; if you have it set to both user and machine, then both require a certificate.

In the end we decided to go the edit-the-XML-file route as it is easily scripted.
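
A sketch of the scripted XML edit described in the answer above, added here as an example; it is not the script from the thread. The namespaces and the `authMode`, `singleSignOn` and `EAPConfig` element names are assumed from Microsoft's wired LAN profile schema, and the sample profile is constructed.

```python
import xml.etree.ElementTree as ET

# Namespaces and element names are assumptions taken from Microsoft's
# wired LAN profile / OneX schemas; the thread itself does not show them.
LAN_NS = "http://www.microsoft.com/networking/LAN/profile/v1"
ONEX_NS = "http://www.microsoft.com/networking/OneX/v1"
VALID_MODES = {"machineOrUser", "machine", "user", "guest"}
ET.register_namespace("", LAN_NS)

# Constructed sample of an exported profile (EAPConfig contents trimmed).
SAMPLE_PROFILE = """<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
  <MSM>
    <security>
      <OneXEnforced>false</OneXEnforced>
      <OneXEnabled>true</OneXEnabled>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <authMode>machineOrUser</authMode>
        <EAPConfig/>
      </OneX>
    </security>
  </MSM>
</LANProfile>"""


def get_auth_mode(profile_xml):
    """Return the profile's authMode text, or None if the element is absent."""
    node = ET.fromstring(profile_xml).find(f".//{{{ONEX_NS}}}authMode")
    return None if node is None else node.text


def set_auth_mode(profile_xml, mode="machine"):
    """Return the profile XML with OneX/authMode set to `mode`."""
    if mode not in VALID_MODES:
        raise ValueError(f"unsupported authMode: {mode!r}")
    root = ET.fromstring(profile_xml)
    onex = root.find(f".//{{{ONEX_NS}}}OneX")
    if onex is None:
        raise ValueError("profile has no OneX section (802.1X not enabled?)")
    node = onex.find(f"{{{ONEX_NS}}}authMode")
    if node is None:
        # Schema order matters: authMode goes before singleSignOn / EAPConfig.
        later = {f"{{{ONEX_NS}}}singleSignOn", f"{{{ONEX_NS}}}EAPConfig"}
        index = next((i for i, c in enumerate(onex) if c.tag in later), len(onex))
        node = ET.Element(f"{{{ONEX_NS}}}authMode")
        onex.insert(index, node)
    node.text = mode
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(set_auth_mode(SAMPLE_PROFILE))
```

The export and reimport steps around this edit would be `netsh lan export profile` and `netsh lan add profile` on clients that have the wired `netsh lan` context; that pairing is an assumption, since the thread does not name the commands.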
