Solved

Configure Cisco 3560 with 2008R2 NAP for guest and internal VLANs

Posted on 2012-04-12
1
1,875 Views
Last Modified: 2012-06-27
All - I am trying to get the following scenario set up in our environment:

Hosts and users should be authenticated by a Radius Server. According to the user or machine group, when someone connects, the port on the Switch should be changed to an internal authorized VLAN. Users / PCs not in an AD security group should be placed in an "internet only" guest VLAN. .

Radius Server: MS Server 2008 R2
Client: MS Windows 7
Switch: Cisco Catalyst 3560
Routing is done from the Core switch
DHCP is on a 2008R2 Server

I have ports on the switch configured as:

interface FastEthernet0/11
 description ports for radius
 switchport mode access
 switchport voice vlan 800
 switchport priority extend trust
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape  10  0  0  0
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-domain
 dot1x timeout reauth-period 60
 dot1x reauthentication
 dot1x guest-vlan 50
 dot1x auth-fail vlan 30
 dot1x auth-fail max-attempts 2
 spanning-tree portfast
 spanning-tree bpduguard enable
end

As for the Radius server, I'm not too familiar with NAP and Radius, so I could really use some guidance there as to how to set it up. Any help would be greatly appreciated.
Thanks in advance!
0
Comment
Question by:eporteni
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 42

Accepted Solution

by:
kevinhsieh earned 500 total points
ID: 37844780
Your NPS Server needs to have a certificate trusted by the workstations. This can mean a certificate you buy, or one from an internal certificate authority that has been installed as a trusted CA by your workstations.

Checklist: Configure NPS for 802.1X Authenticating Switch Access
http://technet.microsoft.com/en-us/library/cc732256(v=ws.10).aspx

focusing on the NPS policy

Use the 802.1X Wizard to Configure NPS Network Policies
http://technet.microsoft.com/en-us/library/dd283091(v=ws.10).aspx

Don't forget the RADIUS portion of your switch config

aaa new-model
!
!
aaa group server radius rad_eap
 server name YOURNPSSERVERNAME1
 server name YOURNPSSERVERNAME2
!
aaa authentication dot1x default group rad_eap
aaa authorization network default group rad_eap local
!
radius-server attribute 32 include-in-access-req format %h
radius-server retransmit 2
radius-server timeout 3
radius-server deadtime 1
radius-server key your-shared-key-for NPS-servers
radius-server vsa send authentication
!
radius server YOURNPSSERVERNAME1
 address ipv4 10.0.0.10 auth-port 1645 acct-port 1646
!
radius server YOURNPSSERVERNAME2
 address ipv4 10.0.0.11 auth-port 1645 acct-port 1646
0

Featured Post

Instantly Create Instructional Tutorials

Contextual Guidance at the moment of need helps your employees adopt to new software or processes instantly. Boost knowledge retention and employee engagement step-by-step with one easy solution.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

737 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question