Aaron Street (United Kingdom of Great Britain and Northern Ireland) asked:

ACS 5.1 authentication methods

Hi,

I would like some input on this. I am implementing a Cisco ACS 5.1 server for wire-based port security.

I can get it working, but the trouble is that the computers try to reauthenticate whenever a user logs on. I only want them to authenticate to ensure the machine is authenticated; I don't care about the user.

One thing I have not done is set up certificates, but I am thinking this might be the way.

Does anyone know how I go about doing this? I have 1500+ PCs (Windows 2000, and various service-packed XP) and the aim is straightforward.

If the PC belongs to us then it gets authenticated; if it is not ours then it does not.

I know you can set up machine-only authentication, but this would be a pain for all the various systems.

Anyone have any ideas? I also want as little user intervention as possible.
harbor235 (United States of America) replied:

Then why don't you just use port security instead of dot1x?

config t
interface X
 ! access port, no trunking
 switchport mode access
 ! enable port security and learn the connected MAC dynamically into the config
 switchport port-security
 switchport port-security mac-address sticky
exit
wr mem

harbor235 ;}
Aaron Street (asker) replied:

Because port security is too static. We have people who move around with their PCs and plug in to spare wall sockets.

And you have to make the assumption that the PCs connected are the ones you want connected.

And you can't do role-based authentication. I am also using MAC address bypass to authenticate printers and put them in the correct VLANs. I will also be using ACS for this with the client PCs as well.

Port security done and dusted, moving on to phase 2 now. ;)
harbor235 replied:

Machine-only authentication is MAC address authentication via port security and perhaps "ip sourceguard" for a MAC and IP. Dot1x is based on user authentication providing logon credentials via certificates or a user/password combo.

As far as mobility, Dot1X does have the guest VLAN feature that is pretty nice for those transient users.

Sounds like you may need to look over the features of both and pick the one that is best suited for your needs.

harbor235 ;}
Aaron Street (asker) replied:

No, you can set up machine-only authentication using either the XML profile (XP Service Pack 3 and above) or a reg edit in earlier service packs and Windows 2000.

What I wasn't sure about is, if I use certificate-based authentication, does this still rely on the computer's / user's own account details? Or can it be certificate-only authentication, so as long as the PC has a certificate it will get authorised, with no interaction between the user's login credentials and the dot1x system?

When I say mobility, I need people to stay in the same subnets/VLANs as they move around buildings (they use docking stations to hot desk), so dot1x can pick up their credentials and assign them to the correct network wherever on site they move to. Something I can't easily do with MAC address / port security. I know you can build up MAC address databases and do it, but that's very fiddly to keep on top of.
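As an added example (not from this thread), this is the registry-based machine-only setting the post above refers to: the built-in Windows 802.1X supplicant reads the AuthMode value under HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global, and a value of 2 makes it authenticate with the computer credentials only, so a user logon no longer triggers a re-authentication with the user's account. The script assumes reg.exe is available (it is built into XP) and that it runs with administrative rights, e.g. as a startup script; whether the key applies to every Windows 2000 / XP build in use is an assumption to verify on one machine first.

```batch
@echo off
rem Added example: switch the built-in 802.1X supplicant to computer-only
rem authentication. Run as an administrator (e.g. machine startup script).
rem Key and value are assumed from Microsoft's documentation of the supplicant.

set KEY=HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global

rem AuthMode: 0 = default, computer auth when nobody is logged on, then the
rem               user's credentials are used at logon (the re-auth seen above)
rem           2 = computer authentication only (machine account or machine
rem               certificate), the user logon is ignored by the supplicant
reg add "%KEY%" /v AuthMode /t REG_DWORD /d 2 /f
if errorlevel 1 (
    echo Failed to write AuthMode. Run from an administrative account.
    exit /b 1
)

rem Read the value back so the deployment log shows what was actually applied
reg query "%KEY%" /v AuthMode | find "0x2" >nul
if errorlevel 1 (
    echo AuthMode was not set to 2, check the key path on this OS build.
    exit /b 1
)

echo AuthMode=2 applied. Reboot the machine for the supplicant to pick it up.
exit /b 0
```

With this mode the ACS side only ever sees the computer account (or the computer certificate with EAP-TLS), so the authorisation rules and VLAN assignment should be written against the machine identity, not the user.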
harbor235 replied:

Gotcha, good luck.

harbor235 ;}
ASKER CERTIFIED SOLUTION: Aaron Street (United Kingdom of Great Britain and Northern Ireland)