?
Solved

Configure Cisco 3560 with 2008R2 NAP for guest and internal VLANs

Posted on 2012-04-12
1
Medium Priority
?
1,889 Views
Last Modified: 2012-06-27
All - I am trying to get the following scenario set up in our environment:

Hosts and users should be authenticated by a Radius Server. According to the user or machine group, when someone connects, the port on the Switch should be changed to an internal authorized VLAN. Users / PCs not in an AD security group should be placed in an "internet only" guest VLAN. .

Radius Server: MS Server 2008 R2
Client: MS Windows 7
Switch: Cisco Catalyst 3560
Routing is done from the Core switch
DHCP is on a 2008R2 Server

I have ports on the switch configured as:

interface FastEthernet0/11
 description ports for radius
 switchport mode access
 switchport voice vlan 800
 switchport priority extend trust
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape  10  0  0  0
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-domain
 dot1x timeout reauth-period 60
 dot1x reauthentication
 dot1x guest-vlan 50
 dot1x auth-fail vlan 30
 dot1x auth-fail max-attempts 2
 spanning-tree portfast
 spanning-tree bpduguard enable
end

As for the Radius server, I'm not too familiar with NAP and Radius, so I could really use some guidance there as to how to set it up. Any help would be greatly appreciated.
Thanks in advance!
0
Comment
Question by:eporteni
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 42

Accepted Solution

by:
kevinhsieh earned 2000 total points
ID: 37844780
Your NPS Server needs to have a certificate trusted by the workstations. This can mean a certificate you buy, or one from an internal certificate authority that has been installed as a trusted CA by your workstations.

Checklist: Configure NPS for 802.1X Authenticating Switch Access
http://technet.microsoft.com/en-us/library/cc732256(v=ws.10).aspx

focusing on the NPS policy

Use the 802.1X Wizard to Configure NPS Network Policies
http://technet.microsoft.com/en-us/library/dd283091(v=ws.10).aspx

Don't forget the RADIUS portion of your switch config

aaa new-model
!
!
aaa group server radius rad_eap
 server name YOURNPSSERVERNAME1
 server name YOURNPSSERVERNAME2
!
aaa authentication dot1x default group rad_eap
aaa authorization network default group rad_eap local
!
radius-server attribute 32 include-in-access-req format %h
radius-server retransmit 2
radius-server timeout 3
radius-server deadtime 1
radius-server key your-shared-key-for NPS-servers
radius-server vsa send authentication
!
radius server YOURNPSSERVERNAME1
 address ipv4 10.0.0.10 auth-port 1645 acct-port 1646
!
radius server YOURNPSSERVERNAME2
 address ipv4 10.0.0.11 auth-port 1645 acct-port 1646
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
Arrow Electronics was searching for a KVM  (Keyboard/Video/Mouse) switch that could display on one single monitor the current status of all units being tested on the rack.
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question