• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1666

ACS 5.1 authentication methods

Hi,

I would like some input on this. I am implementing a Cisco ACS 5.1 server for wired port security.

I can get it working, but the trouble is that the computers try to reauthenticate whenever a user logs on. I only want them to authenticate to ensure the machine is authenticated; I don't care about the user.

One thing I have not done is set up certificates, but I am thinking this might be the way.

Does anyone know how I go about doing this? I have 1500+ PCs (Windows 2000 and various service-packed XP) and the aim is straightforward.

If the PC belongs to us then it gets authenticated, if it is not ours then it does not.

I know you can set up machine-only authentication, but this would be a pain for all the various systems.

Anyone have any ideas? I also want as little user intervention as possible.
0
Asked by: Aaron Street
1 Solution
 
harbor235 Commented:


Then why don't you just use port security instead of dot1x?

config t
interface X
 switchport mode access
 ! restrict the port to learned MAC addresses; "sticky" keeps the learned
 ! addresses in the running config so they survive a link flap
 switchport port-security
 switchport port-security mac-address sticky
exit
wr mem

harbor235 ;}
0
 
Aaron Street (Infrastructure Manager, Author) Commented:
Because port security is too static. We have people who move around with their PCs and plug into spare wall sockets.

And you have to make the assumption that the PCs connected are the ones you want connected.

And you can't do role-based authentication. I am also using MAC address bypass to authenticate printers and putting them in the correct VLANs. I will also be using ACS for this with the client PCs as well.

Port security done and dusted, moving on to phase 2 now. ;)
0
 
harbor235 Commented:


Machine-only authentication is MAC address authentication via port security and perhaps "IP Source Guard" for a MAC and IP. Dot1x is based on user authentication, providing logon credentials via certificates or a user/password combo.

As far as mobility, dot1x does have the guest VLAN feature, which is pretty nice for those transient users.
Sounds like you may need to look over the features of both and pick the one that is best suited to your needs.

harbor235 ;}
0

 
Aaron Street (Infrastructure Manager, Author) Commented:
No, you can set up machine-only authentication using either the XML profile (XP Service Pack 3 and above) or a registry edit in earlier service packs and Windows 2000.

What I wasn't sure about is, if I use certificate-based authentication, does this still rely on the computer's / user's own account details? Or can it be certificate-only authentication, so that as long as the PC has a certificate it will get authorised, with no interaction between the user's login credentials and the dot1x system?

When I say mobility, I need people to stay in the same subnet/VLANs as they move around buildings (they use docking stations to hot desk), so dot1x can pick up their credentials and assign them to the correct network wherever on site they move to. That is something I can't easily do with MAC address / port security. I know you can build up MAC address databases and do it, but that's very fiddly to keep on top of.

0
 
harbor235 Commented:


Gotcha, good luck.

harbor235 ;}
0
 
Aaron Street (Infrastructure Manager, Author) Commented:
I worked this out eventually.

You can export the 802.1x profile on a Windows XP machine, edit the XML file to machine-only authentication and then reimport it.

Or, for pre-XP Service Pack 2 and Windows 2000 machines, there is a registry edit to set it to machine-only authentication.

This makes no difference to the certificate authentication. If you have it set to machine only, only the machine needs a certificate; if you have it set to both user and machine, then both require a certificate.

In the end we decided to go the edit-the-XML-file route as it is easily scripted.
0
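The export / edit / reimport procedure from the accepted answer, written out as a script. This is an added example, not code from the thread or from the author; it assumes an adapter named "Local Area Connection", a scratch folder C:\dot1x-profile, that the netsh lan profile commands behave on XP SP3 as they do on Vista and later, and that the EAPOL registry value AuthMode = 2 means "computer authentication only" for the pre-SP3 supplicant (all four are assumptions to check against your own build before pushing this to 1500 machines).

```powershell
# Added example (not from the thread). Switches the wired 802.1X supplicant
# to machine-only authentication: on XP SP3 and later by exporting the LAN
# profile with netsh, setting the OneX <authMode> element, and re-importing;
# on older XP by writing the EAPOL registry key. Assumed values are marked.
param(
    [string]$Interface = "Local Area Connection",   # assumption: adapter name
    [string]$WorkDir   = "C:\dot1x-profile"          # assumption: scratch folder
)
$ErrorActionPreference = "Stop"
$OneXNs = "http://www.microsoft.com/networking/OneX/v1"

function Set-WiredMachineOnlyProfile {
    param([string]$Interface, [string]$WorkDir)

    # netsh lan only answers while the Wired AutoConfig service is running.
    Set-Service -Name dot3svc -StartupType Automatic
    Start-Service -Name dot3svc

    # Export the current profile. netsh names the file after the interface,
    # so start from an empty folder and take whatever .xml appears in it.
    if (Test-Path $WorkDir) { Remove-Item -Path $WorkDir -Recurse -Force }
    New-Item -ItemType Directory -Path $WorkDir | Out-Null
    netsh lan export profile folder="$WorkDir" interface="$Interface" | Out-Null
    $ProfileFile = Get-ChildItem -Path $WorkDir -Filter *.xml | Select-Object -First 1
    if (-not $ProfileFile) { throw "No wired profile exported for '$Interface'" }

    [xml]$Doc = Get-Content -Path $ProfileFile.FullName
    $NsMgr = New-Object System.Xml.XmlNamespaceManager($Doc.NameTable)
    $NsMgr.AddNamespace("onex", $OneXNs)

    $OneX = $Doc.SelectSingleNode("//onex:OneX", $NsMgr)
    if (-not $OneX) { throw "Profile has no OneX block; is 802.1X enabled on '$Interface'?" }

    # <authMode> takes machineOrUser (the default), machine or user. A profile
    # that relies on the default carries no element at all, so create it; the
    # OneX schema orders it before <EAPConfig>.
    $AuthMode = $OneX.SelectSingleNode("onex:authMode", $NsMgr)
    if (-not $AuthMode) {
        $AuthMode  = $Doc.CreateElement("authMode", $OneXNs)
        $EapConfig = $OneX.SelectSingleNode("onex:EAPConfig", $NsMgr)
        if ($EapConfig) { $OneX.InsertBefore($AuthMode, $EapConfig) | Out-Null }
        else            { $OneX.AppendChild($AuthMode) | Out-Null }
    }
    $AuthMode.InnerText = "machine"
    $Doc.Save($ProfileFile.FullName)

    # Re-import over the existing profile. The EAP / certificate settings
    # already in the file are left alone; only who authenticates changes.
    netsh lan add profile filename="$($ProfileFile.FullName)" interface="$Interface"
}

function Set-LegacyMachineOnlyAuth {
    # Pre-SP3 XP has no netsh lan; its supplicant reads the EAPOL key instead.
    # AuthMode = 2 is "computer authentication only" as I read Microsoft's
    # EAPOL registry documentation; confirm it for your service pack before
    # deploying (assumption). Windows 2000 has no PowerShell, so there the
    # equivalent is: reg add <key> /v AuthMode /t REG_DWORD /d 2 /f
    $Key = "HKLM:\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global"
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    Set-ItemProperty -Path $Key -Name AuthMode -Value 2 -Type DWord
}

# Pick the route by OS: XP SP3 and anything Vista or newer get the profile
# edit, older XP gets the registry value.
$Os = Get-WmiObject -Class Win32_OperatingSystem
$IsProfileCapable = ([version]$Os.Version -ge [version]"6.0") -or
                    ($Os.Version -like "5.1*" -and $Os.CSDVersion -match "Service Pack 3")
if ($IsProfileCapable) {
    Set-WiredMachineOnlyProfile -Interface $Interface -WorkDir $WorkDir
} else {
    Set-LegacyMachineOnlyAuth
}
```

Run it once by hand on a test box and check the result with "netsh lan show profiles" before scripting it out: the profile should now report machine-only authentication, and the switch port should stay authenticated across a user logoff/logon without a second EAP exchange. Because the EAPConfig block is preserved, the machine certificate configured in it is still what gets presented; nothing from the user's logon is involved.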
Question has a verified solution.
