• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1922
  • Last Modified:

Configure Cisco 3560 with 2008R2 NAP for guest and internal VLANs

All - I am trying to get the following scenario set up in our environment:

Hosts and users should be authenticated by a Radius Server. According to the user or machine group, when someone connects, the port on the Switch should be changed to an internal authorized VLAN. Users / PCs not in an AD security group should be placed in an "internet only" guest VLAN. .

Radius Server: MS Server 2008 R2
Client: MS Windows 7
Switch: Cisco Catalyst 3560
Routing is done from the Core switch
DHCP is on a 2008R2 Server

I have ports on the switch configured as:

interface FastEthernet0/11
 description ports for radius
 switchport mode access
 switchport voice vlan 800
 switchport priority extend trust
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape  10  0  0  0
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-domain
 dot1x timeout reauth-period 60
 dot1x reauthentication
 dot1x guest-vlan 50
 dot1x auth-fail vlan 30
 dot1x auth-fail max-attempts 2
 spanning-tree portfast
 spanning-tree bpduguard enable

As for the Radius server, I'm not too familiar with NAP and Radius, so I could really use some guidance there as to how to set it up. Any help would be greatly appreciated.
Thanks in advance!
1 Solution
Your NPS Server needs to have a certificate trusted by the workstations. This can mean a certificate you buy, or one from an internal certificate authority that has been installed as a trusted CA by your workstations.

Checklist: Configure NPS for 802.1X Authenticating Switch Access

focusing on the NPS policy

Use the 802.1X Wizard to Configure NPS Network Policies

Don't forget the RADIUS portion of your switch config

aaa new-model
aaa group server radius rad_eap
aaa authentication dot1x default group rad_eap
aaa authorization network default group rad_eap local
radius-server attribute 32 include-in-access-req format %h
radius-server retransmit 2
radius-server timeout 3
radius-server deadtime 1
radius-server key your-shared-key-for NPS-servers
radius-server vsa send authentication
 address ipv4 auth-port 1645 acct-port 1646
 address ipv4 auth-port 1645 acct-port 1646
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Simple Misconfiguration =Network Vulnerability

In this technical webinar, AlgoSec will present several examples of common misconfigurations; including a basic device change, business application connectivity changes, and data center migrations. Learn best practices to protect your business from attack.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now