Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Configure Cisco 3560 with 2008R2 NAP for guest and internal VLANs

Posted on 2012-04-12
1
Medium Priority
?
1,908 Views
Last Modified: 2012-06-27
All - I am trying to get the following scenario set up in our environment:

Hosts and users should be authenticated by a Radius Server. According to the user or machine group, when someone connects, the port on the Switch should be changed to an internal authorized VLAN. Users / PCs not in an AD security group should be placed in an "internet only" guest VLAN. .

Radius Server: MS Server 2008 R2
Client: MS Windows 7
Switch: Cisco Catalyst 3560
Routing is done from the Core switch
DHCP is on a 2008R2 Server

I have ports on the switch configured as:

interface FastEthernet0/11
 description ports for radius
 switchport mode access
 switchport voice vlan 800
 switchport priority extend trust
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape  10  0  0  0
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-domain
 dot1x timeout reauth-period 60
 dot1x reauthentication
 dot1x guest-vlan 50
 dot1x auth-fail vlan 30
 dot1x auth-fail max-attempts 2
 spanning-tree portfast
 spanning-tree bpduguard enable
end

As for the Radius server, I'm not too familiar with NAP and Radius, so I could really use some guidance there as to how to set it up. Any help would be greatly appreciated.
Thanks in advance!
0
Comment
Question by:eporteni
1 Comment
 
LVL 42

Accepted Solution

by:
kevinhsieh earned 2000 total points
ID: 37844780
Your NPS Server needs to have a certificate trusted by the workstations. This can mean a certificate you buy, or one from an internal certificate authority that has been installed as a trusted CA by your workstations.

Checklist: Configure NPS for 802.1X Authenticating Switch Access
http://technet.microsoft.com/en-us/library/cc732256(v=ws.10).aspx

focusing on the NPS policy

Use the 802.1X Wizard to Configure NPS Network Policies
http://technet.microsoft.com/en-us/library/dd283091(v=ws.10).aspx

Don't forget the RADIUS portion of your switch config

aaa new-model
!
!
aaa group server radius rad_eap
 server name YOURNPSSERVERNAME1
 server name YOURNPSSERVERNAME2
!
aaa authentication dot1x default group rad_eap
aaa authorization network default group rad_eap local
!
radius-server attribute 32 include-in-access-req format %h
radius-server retransmit 2
radius-server timeout 3
radius-server deadtime 1
radius-server key your-shared-key-for NPS-servers
radius-server vsa send authentication
!
radius server YOURNPSSERVERNAME1
 address ipv4 10.0.0.10 auth-port 1645 acct-port 1646
!
radius server YOURNPSSERVERNAME2
 address ipv4 10.0.0.11 auth-port 1645 acct-port 1646
0

Featured Post

Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

What monsters are hiding in your child's room? In this article I will share with you a tech horror story that could happen to anyone, along with some tips on how you can prevent it from happening to you.
2017 was a scary year for cyber security.  Hear what our security experts say that hackers have in store for us in 2018.
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
Suggested Courses

580 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question