Configure Cisco 3560 with 2008R2 NAP for guest and internal VLANs

Posted on 2012-04-12
Last Modified: 2012-06-27
All - I am trying to get the following scenario set up in our environment:

Hosts and users should be authenticated by a Radius Server. According to the user or machine group, when someone connects, the port on the Switch should be changed to an internal authorized VLAN. Users / PCs not in an AD security group should be placed in an "internet only" guest VLAN.

Radius Server: MS Server 2008 R2
Client: MS Windows 7
Switch: Cisco Catalyst 3560
Routing is done from the Core switch
DHCP is on a 2008R2 Server

I have ports on the switch configured as:

interface FastEthernet0/11
 description ports for radius
 switchport mode access
 switchport voice vlan 800
 switchport priority extend trust
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape  10  0  0  0
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-domain
 dot1x timeout reauth-period 60
 dot1x reauthentication
 dot1x guest-vlan 50
 dot1x auth-fail vlan 30
 dot1x auth-fail max-attempts 2
 spanning-tree portfast
 spanning-tree bpduguard enable
end

As for the Radius server, I'm not too familiar with NAP and Radius, so I could really use some guidance there as to how to set it up. Any help would be greatly appreciated.
Thanks in advance!
Question by: eporteni

Accepted Solution by: kevinhsieh
ID: 37844780
Your NPS Server needs to have a certificate trusted by the workstations. This can mean a certificate you buy, or one from an internal certificate authority that has been installed as a trusted CA by your workstations.

Checklist: Configure NPS for 802.1X Authenticating Switch Access
http://technet.microsoft.com/en-us/library/cc732256(v=ws.10).aspx

focusing on the NPS policy

Use the 802.1X Wizard to Configure NPS Network Policies
http://technet.microsoft.com/en-us/library/dd283091(v=ws.10).aspx

Don't forget the RADIUS portion of your switch config

aaa new-model
!
!
aaa group server radius rad_eap
 server name YOURNPSSERVERNAME1
 server name YOURNPSSERVERNAME2
!
aaa authentication dot1x default group rad_eap
aaa authorization network default group rad_eap local
!
radius-server attribute 32 include-in-access-req format %h
radius-server retransmit 2
radius-server timeout 3
radius-server deadtime 1
radius-server key your-shared-key-for-NPS-servers
radius-server vsa send authentication
!
radius server YOURNPSSERVERNAME1
 address ipv4 10.0.0.10 auth-port 1645 acct-port 1646
!
radius server YOURNPSSERVERNAME2
 address ipv4 10.0.0.11 auth-port 1645 acct-port 1646
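NPS places the port in a VLAN by returning three RADIUS tunnel attributes in the Access-Accept (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = the VLAN number, per RFC 2868 / RFC 3580). The following added Python example is not code from this thread; it encodes that triple the way the server must send it and decodes it back from a raw attribute list, which is handy when checking a capture of the NPS reply because a port did not land in the expected VLAN. The byte strings in the test are constructed samples.

```python
import struct

# RADIUS attribute types and values from RFC 2868 / RFC 3580
TUNNEL_TYPE = 64               # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65        # value 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81   # VLAN ID carried as a string
VLAN = 13
IEEE_802 = 6

def _tlv(attr_type, value):
    """Wrap a value as a RADIUS Type-Length-Value; length covers the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def vlan_assignment_attrs(vlan_id, tag=1):
    """Build the three tagged attributes an Access-Accept needs for dynamic VLAN."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    # Tagged integer: 1 tag byte followed by a 3-byte big-endian value
    tagged_int = lambda v: bytes([tag]) + v.to_bytes(3, "big")
    return (_tlv(TUNNEL_TYPE, tagged_int(VLAN))
            + _tlv(TUNNEL_MEDIUM_TYPE, tagged_int(IEEE_802))
            + _tlv(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))

def iter_attrs(blob):
    """Yield (type, value) from a concatenated attribute list; reject bad lengths."""
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        yield t, blob[i + 2:i + length]
        i += length

def assigned_vlan(blob):
    """Return the VLAN the switch would apply, or None if the triple is incomplete."""
    seen = {}
    for t, v in iter_attrs(blob):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(v) == 4:
            seen[(t, v[0])] = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID and v:
            # The tag byte is optional: a first byte above 0x1F is part of the string
            tag, text = (v[0], v[1:]) if v[0] <= 0x1F else (0, v)
            seen[(t, tag)] = text.decode("ascii", "replace")
    for tag in range(0x20):
        # An untagged group ID (tag 0) pairs with integers of any tag
        gid = seen.get((TUNNEL_PRIVATE_GROUP_ID, tag), seen.get((TUNNEL_PRIVATE_GROUP_ID, 0)))
        if (seen.get((TUNNEL_TYPE, tag)) == VLAN
                and seen.get((TUNNEL_MEDIUM_TYPE, tag)) == IEEE_802
                and gid is not None and gid.isdigit() and 1 <= int(gid) <= 4094):
            return int(gid)
    return None
```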
